Bug 1730027
| Field | Value |
|---|---|
| Summary | [RFE] Provide Option to use PKCS11 hardware token (Yubikey) for authentication |
| Product | [Fedora] Fedora |
| Reporter | Pat Riehecky <riehecky> |
| Component | NetworkManager |
| Assignee | Lubomir Rintel <lkundrak> |
| Status | NEW --- |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | rawhide |
| CC | bgalvani, code, dcbw, dwmw2, fedoraproject, fgiudici, gnome-sig, john.j5live, joshua.kenward, lkundrak, mclasen, rdieter, rhughes, riehecky, rstrode, sandmann, thaller |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Pat Riehecky
2019-07-15 15:47:18 UTC
NetworkManager-openconnect already works fine, if a PKCS#11 URI is given as the certificate/key. But last time I looked, you needed to set that manually by editing the config file — even nmcli didn't work right for using PKCS#11 URIs as keys, as it wrongly filtered for *filenames*.

Assigning to NetworkManager. Not sure of the current status but here are some older upstream bugs which are/were relevant, and I think nmcli has at least been fixed for 802.1x if not for all connection types:

https://bugzilla.gnome.org/show_bug.cgi?id=719982
https://bugzilla.gnome.org/show_bug.cgi?id=679860

It does seem to work with nmcli now, although it's slightly non-trivial as it's part of the 'vpn.data' field. You can see the current settings with 'nmcli con show MyVpn' then add the usercert field:

```
nmcli con modify MyVpn vpn.data 'usercert = pkcs11:manufacturer=piv_II;id=%01, authtype = cert, gateway = xxxx:xxxx:xxxx:xxxx::1, protocol = pulse, cookie-flags = 2, certsigs-flags = 0, xmlconfig-flags = 0, stoken_source = disabled, prevent_invalid_cert = no, autoconnect-flags = 0, gateway-flags = 2, gwcert-flags = 2, pem_passphrase_fsid = no, enable_csd_trojan = no, lasthost-flags = 0'
```
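The awkward part of the nmcli command in the report is that `vpn.data` is set as one blob, so every existing key has to be repeated or it is lost. The helper below is an added example (not code from the report, NetworkManager or openconnect): it parses the `key = value, key = value` text form nmcli prints for `vpn.data`, adds or replaces `usercert` with a PKCS#11 URI, and builds the argv for the `nmcli con modify` call so nothing else in the connection changes. It also checks that the value really is a `pkcs11:` URI (RFC 7512 shape: `;`-separated `name=value` attributes with `%XX` escapes) before it is stored, since the point of a hardware token is that the private key never leaves it, and a file path silently written into `usercert` would defeat that. Assumptions: the sample `vpn.data` text is constructed from the report's command with `usercert` removed; that `nmcli -g vpn.data con show <name>` prints this same text form; and that no value contains a literal comma (nmcli's escaping for that case is not shown in the report and is not handled here).

```python
"""Set a PKCS#11 URI as 'usercert' in a NetworkManager VPN connection's vpn.data.

Added example for this bug report; not part of NetworkManager or nmcli.
Assumes nmcli's 'key = value, key = value' text form for vpn.data and that
values contain no literal commas.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample: the report's vpn.data without usercert, i.e. roughly what
# 'nmcli -g vpn.data con show MyVpn' would print before the change (assumption).
SAMPLE_VPN_DATA = (
    "authtype = cert, gateway = xxxx:xxxx:xxxx:xxxx::1, protocol = pulse, "
    "cookie-flags = 2, certsigs-flags = 0, xmlconfig-flags = 0, "
    "stoken_source = disabled, prevent_invalid_cert = no, autoconnect-flags = 0, "
    "gateway-flags = 2, gwcert-flags = 2, pem_passphrase_fsid = no, "
    "enable_csd_trojan = no, lasthost-flags = 0"
)

# Minimal RFC 7512 syntax check: 'pkcs11:' scheme, one or more ';'-separated
# name=value path attributes (values may carry %XX escapes), optional '?' query.
_PKCS11_RE = re.compile(
    r"^pkcs11:[A-Za-z0-9_-]+=[^;?]*(;[A-Za-z0-9_-]+=[^;?]*)*(\?.*)?$"
)


def is_pkcs11_uri(uri: str) -> bool:
    """True if the string has the shape of a PKCS#11 URI (not a file path)."""
    return bool(_PKCS11_RE.match(uri))


def parse_vpn_data(text: str) -> Dict[str, str]:
    """Parse nmcli's 'key = value, key = value' vpn.data text into a dict.

    Splits each item on the FIRST '=' only, because a PKCS#11 URI value
    itself contains '=' (e.g. manufacturer=piv_II;id=%01).
    """
    data: Dict[str, str] = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed vpn.data item: {item!r}")
        data[key.strip()] = value.strip()
    return data


def format_vpn_data(data: Dict[str, str]) -> str:
    """Serialise a dict back into the text form nmcli accepts for vpn.data."""
    return ", ".join(f"{k} = {v}" for k, v in data.items())


def with_usercert(text: str, uri: str) -> str:
    """Return vpn.data text with 'usercert' set to a validated PKCS#11 URI.

    All other keys are preserved, which is what the one-shot
    'nmcli con modify ... vpn.data' assignment requires.
    """
    if not is_pkcs11_uri(uri):
        raise ValueError(f"refusing to store non-PKCS#11 usercert: {uri!r}")
    data = parse_vpn_data(text)
    data["usercert"] = uri
    return format_vpn_data(data)


def modify_command(conn: str, new_vpn_data: str) -> List[str]:
    """argv for the nmcli call from the report, with the rebuilt vpn.data."""
    return ["nmcli", "con", "modify", conn, "vpn.data", new_vpn_data]


if __name__ == "__main__":
    token_uri = "pkcs11:manufacturer=piv_II;id=%01"  # the URI from the report
    updated = with_usercert(SAMPLE_VPN_DATA, token_uri)
    # Print the shell-quoted command rather than running it; pass the argv
    # list to subprocess.run() on a host that has the connection.
    print(shlex.join(modify_command("MyVpn", updated)))
```

Running it prints a `nmcli con modify MyVpn vpn.data '...'` line equivalent to the one in the report; afterwards `nmcli con show MyVpn` should list `usercert` alongside the untouched keys, and a `usercert` value that does not start with `pkcs11:` is rejected before anything is written.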