Authgroup, PKCS#11 and nm-openconnect...
Sean
smalder73 at gmail.com
Wed Apr 19 08:37:53 PDT 2017
On Wed, Apr 19, 2017 at 5:49 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Tue, 2017-04-18 at 09:09 -0400, Sean wrote:
>> Hi,
>>
>> Is there a way to configure the network-manager connection file to
>> pass the authgroup into openconnect?
>
> It ought to remember the authgroup that you last used, just as it
> remembers usernames.
>
Yes, I see that it does that on subsequent connections. It looks like
that's under the [vpn-secrets] section, so I guess that's good.

>> I'm interested in switching from using a shell-script wrapper to run
>> openconnect as an unprivileged user to using the
>> NetworkManager-Openconnect hack discussed here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1218335, with PKCS#11
>> authentication.
>>
>> It seems that when connecting to the vpn this way, the PKCS#11 card is
>> authenticated, then the GUI returns to a normal login page with an
>> Auth Group drop down. If we select the group for smart card users,
>> and click login, things seem to work, but it's very confusing to
>> end-users. (I manage a lot of linux desktops and laptops for
>> semi-linux savvy scientists).
>
> What happens when you select the 'smart card' authgroup? Does the
> username/password prompt go away, and leave you with *only* a login
> button?
>
Yes, it is as you describe.

> I suspect there are two problems here. Firstly, perhaps it isn't
> automatically switching to the remembered authgroup when initialising
> the dialog... and then you're probably going to complain about the fact
> that we don't auto-submit, and the user needs to manually press the
> 'login' button even when all the required information is present.
> There's an RFE bug for that somewhere in GNOME bugzilla already...

I'm not sure "complain" is the right word for what I would do, I
apologize if that's how my query came off. I do expect some of the
end-users I support will require training, to ensure they're not
confused the first few times they use it. That's manageable, which is
good enough for me, no complaints necessary :)