Authgroup, PKCS#11 and nm-openconnect...
Sean
smalder73 at gmail.com
Tue Apr 18 06:09:22 PDT 2017
Hi,
Is there a way to configure the network-manager connection file to
pass the authgroup into openconnect?
I'm interested in switching from using a shell-script wrapper to run
openconnect as an unprivileged user to using the
NetworkManager-Openconnect hack discussed here:
https://bugzilla.redhat.com/show_bug.cgi?id=1218335, with PKCS#11
authentication.
It seems that when connecting to the vpn this way, the PKCS#11 card is
authenticated, then the GUI returns to a normal login page with an
Auth Group drop down. If we select the group for smart card users,
and click login the things seem to work, but it's very confusing to
end-users. (I manage a lot of linux desktops and laptops for
semi-linux saavy scientists).
We're running CentOS, Scientific Linux and RHEL 7. The script
solution causes us two issues:
1. Security - sudo makes it difficult to specify the exact command
line args required to use PKCS#11 certificate string with -c. If I
wildcard the sudo rule, then someone could manually run the command
and get access to root through manipulating the -s/S argument.
2. Using CTRL-C close the VPN connection after running openconnect on
the command line results in leaving behind vpn0 still with an active
IP address, this messes up DNS and routing.
If there are any suggestions to resolve the scripted method's issues
those would be welcome too :)
Many thanks!
--Sean
More information about the openconnect-devel
mailing list