Bug 1730027 - [RFE] Provide Option to use PKCS11 hardware token (Yubikey) for authentication
Summary: [RFE] Provide Option to use PKCS11 hardware token (Yubikey) for authentication
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: rawhide
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-07-15 15:47 UTC by Pat Riehecky
Modified: 2019-07-26 20:53 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Pat Riehecky 2019-07-15 15:47:18 UTC
Description of problem:
The command line openconnect client permits using a hardware pkcs11 token.

It would be nice if the GUI for NetworkManager permitted setting this as well.

My example use is with a Yubikey.

Version-Release number of selected component (if applicable):
NetworkManager-openconnect-1.2.4-11.fc30

How reproducible:
100%

Steps to Reproduce:
1. Try to configure NetworkManager-openconnect to use a hardware pkcs11 token
2.
3.

Actual results:
No way to set usage of a hardware token

Expected results:
Able to set hardware token.

Additional info:
openconnect -c 'pkcs11:manufacturer=piv_II' myvpn.example.com

Comment 1 David Woodhouse 2019-07-15 17:23:18 UTC
NetworkManager-openconnect already works fine, if a PKCS#11 URI is given as the certificate/key. But last time I looked, you needed to set that manually by editing the config file — even nmcli didn't work right for using PKCS#11 URIs as keys, as it wrongly filtered for *filenames*.

Assigning to NetworkManager. Not sure of the current status but here are some older upstream bugs which are/were relevant, and I think nmcli has at least been fixed for 802.1x if not for all connection types:

https://bugzilla.gnome.org/show_bug.cgi?id=719982
https://bugzilla.gnome.org/show_bug.cgi?id=679860

Comment 2 David Woodhouse 2019-07-15 17:29:58 UTC
It does seem to work with nmcli now, although it's slightly non-trivial as it's part of the 'vpn.data' field. You can see the current settings with 'nmcli con show MyVpn' then add the usercert field:

 nmcli con modify MyVpn vpn.data 'usercert = pkcs11:manufacturer=piv_II;id=%01, authtype = cert, gateway = xxxx:xxxx:xxxx:xxxx::1, protocol = pulse, cookie-flags = 2, certsigs-flags = 0, xmlconfig-flags = 0, stoken_source = disabled, prevent_invalid_cert = no, autoconnect-flags = 0, gateway-flags = 2, gwcert-flags = 2, pem_passphrase_fsid = no, enable_csd_trojan = no, lasthost-flags = 0'
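A small helper, added here as an example and not part of this bug or of NetworkManager, that rewrites only the usercert and authtype keys of vpn.data instead of retyping the whole field as the one-line nmcli command does. The sample vpn.data string is constructed, and it is assumed that `nmcli -g vpn.data con show NAME` prints the same `key = value, key = value` form that `nmcli con show` displays.

```python
"""Point an existing NetworkManager-openconnect connection at a PKCS#11 URI
(RFC 7512) for its user certificate, editing vpn.data key by key."""
import subprocess
import sys

# Constructed sample of what a password-based connection's vpn.data looks like.
CONSTRUCTED_VPN_DATA = (
    "authtype = password, gateway = vpn.example.com, protocol = pulse, "
    "cookie-flags = 2, gateway-flags = 2, stoken_source = disabled"
)


def parse_vpn_data(raw: str) -> dict:
    """Split nmcli's 'key = value, key = value' form into a dict.
    A PKCS#11 URI contains '=' itself (manufacturer=piv_II;id=%01), so only
    the first '=' of each item separates key from value."""
    items = {}
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed vpn.data item: {item!r}")
        items[key.strip()] = value.strip()
    return items


def format_vpn_data(items: dict) -> str:
    return ", ".join(f"{key} = {value}" for key, value in items.items())


def with_pkcs11_usercert(raw: str, uri: str) -> str:
    """Return vpn.data with usercert set to the URI and authtype switched to cert."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("expected a PKCS#11 URI starting with 'pkcs11:'")
    if "," in uri:
        # ',' is nmcli's item separator; RFC 7512 allows percent-encoding it.
        raise ValueError("percent-encode ',' inside the PKCS#11 URI")
    items = parse_vpn_data(raw)
    items["usercert"] = uri
    items["authtype"] = "cert"
    return format_vpn_data(items)


def apply_to_connection(name: str, uri: str) -> None:
    """Read vpn.data via nmcli, rewrite it, and write it back (needs nmcli on PATH)."""
    raw = subprocess.run(["nmcli", "-g", "vpn.data", "con", "show", name],
                         check=True, capture_output=True, text=True).stdout.strip()
    subprocess.run(["nmcli", "con", "modify", name, "vpn.data",
                    with_pkcs11_usercert(raw, uri)], check=True)


if __name__ == "__main__":  # usage: script.py MyVpn 'pkcs11:manufacturer=piv_II;id=%01'
    apply_to_connection(sys.argv[1], sys.argv[2])
```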

