Description of problem:
The command line openconnect client permits using a hardware pkcs11 token. It would be nice if the GUI for NetworkManager permitted setting this as well. My example use is with a Yubikey.

Version-Release number of selected component (if applicable):
NetworkManager-openconnect-1.2.4-11.fc30

How reproducible:
100%

Steps to Reproduce:
1. Try to configure NetworkManager-openconnect to use a hardware pkcs11 token
2.
3.

Actual results:
No way to set usage of a hardware token

Expected results:
Able to set hardware token.

Additional info:
openconnect -c 'pkcs11:manufacturer=piv_II' myvpn.example.com

NetworkManager-openconnect already works fine, if a PKCS#11 URI is given as the certificate/key. But last time I looked, you needed to set that manually by editing the config file — even nmcli didn't work right for using PKCS#11 URIs as keys, as it wrongly filtered for *filenames*.

Assigning to NetworkManager. Not sure of the current status but here are some older upstream bugs which are/were relevant, and I think nmcli has at least been fixed for 802.1x if not for all connection types:
https://bugzilla.gnome.org/show_bug.cgi?id=719982
https://bugzilla.gnome.org/show_bug.cgi?id=679860

It does seem to work with nmcli now, although it's slightly non-trivial as it's part of the 'vpn.data' field. You can see the current settings with 'nmcli con show MyVpn' then add the usercert field:

nmcli con modify MyVpn vpn.data 'usercert = pkcs11:manufacturer=piv_II;id=%01, authtype = cert, gateway = xxxx:xxxx:xxxx:xxxx::1, protocol = pulse, cookie-flags = 2, certsigs-flags = 0, xmlconfig-flags = 0, stoken_source = disabled, prevent_invalid_cert = no, autoconnect-flags = 0, gateway-flags = 2, gwcert-flags = 2, pem_passphrase_fsid = no, enable_csd_trojan = no, lasthost-flags = 0'
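
The command in the last comment retypes the whole 'vpn.data' field just to add usercert. As an added example (not from the bug report or from NetworkManager), the shell helper below sets one key in an existing vpn.data string and keeps the other items as they were. The function name set_vpn_data_key and the sample strings in the comments are constructed for illustration, and the "key = value, key = value" layout is assumed from the command shown in the thread.

```shell
#!/bin/sh
# Added example: set one key in a NetworkManager 'vpn.data' string.
# Assumed input layout (taken from the thread): "key = value, key = value".

# set_vpn_data_key DATA KEY VALUE
# Prints DATA with KEY set to VALUE: replaced in place if present,
# appended otherwise. Runs in a subshell so IFS/noglob do not leak.
set_vpn_data_key() (
    data=$1 key=$2 value=$3

    # Items are comma-separated, so a literal comma inside the value
    # (e.g. in a PKCS#11 URI attribute) would be split into a bogus
    # extra item. Refuse it; percent-encode it as %2C in the URI.
    case $value in
        *,*) echo "value for '$key' contains a literal comma" >&2
             return 1 ;;
    esac

    out='' found=0
    IFS=,
    set -f                      # no filename globbing while splitting
    for item in $data; do
        # Trim surrounding whitespace from each "key = value" item.
        item=$(printf '%s' "$item" |
               sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$item" ] || continue
        # Key is everything before the FIRST '=', since PKCS#11 URIs
        # contain '=' themselves (manufacturer=..., id=...).
        k=$(printf '%s' "${item%%=*}" | sed 's/[[:space:]]*$//')
        if [ "$k" = "$key" ]; then
            item="$key = $value"
            found=1
        fi
        out="${out:+$out, }$item"
    done
    [ "$found" -eq 1 ] || out="${out:+$out, }$key = $value"
    printf '%s\n' "$out"
)

# Usage sketch ($current is the existing vpn.data value, copied from
# 'nmcli con show MyVpn'; MyVpn is the connection name from the thread):
#   new=$(set_vpn_data_key "$current" usercert \
#         'pkcs11:manufacturer=piv_II;id=%01') &&
#   nmcli con modify MyVpn vpn.data "$new"
```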