
Today's Topics:

   1. [PATCH] ntp: add detailed error msg on adjtimex failure
      (Eliott Dumeix)
   2. Re: How to use OpenConnect and Cisco Secure Desktop with
      ConnMan (instead of NetworkManager)? (David Woodhouse)
   3. Re: How to use OpenConnect and Cisco Secure Desktop with
      ConnMan (instead of NetworkManager)? (Daniel Wagner)
   4. Re: How to use OpenConnect and Cisco Secure Desktop with
      ConnMan (instead of NetworkManager)? (David Woodhouse)


----------------------------------------------------------------------

Message: 1
Date: Tue, 12 Jun 2018 09:46:10 +0200
From: Eliott Dumeix <[email protected]>
To: [email protected]
Subject: [PATCH] ntp: add detailed error msg on adjtimex failure
Message-ID: <[email protected]>

---
 src/ntp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ntp.c b/src/ntp.c
index 51ba9aac..44320fcc 100644
--- a/src/ntp.c
+++ b/src/ntp.c
@@ -392,7 +392,7 @@ static void decode_msg(struct ntp_data *nd, void *base, 
size_t len,
                tmx.status |= STA_DEL;
 
        if (adjtimex(&tmx) < 0) {
-               connman_error("Failed to adjust time");
+               connman_error("Failed to adjust time: %s (%d)", 
strerror(errno), errno);
                nd->cb(false, nd->user_data);
                return;
        }
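Review bot: the added connman_error() line in decode_msg() runs past 80 columns with its indentation, so break it after the format string and put strerror(errno), errno on a continuation line. The hunk does not show the file's includes, so confirm that src/ntp.c already pulls in <errno.h> and <string.h> for errno and strerror(). Reading errno directly in the connman_error() arguments is correct because nothing runs between the failed adjtimex() and the call; keep the log above nd->cb() so that stays true. The patch also has no commit message body; one sentence on why the errno value matters (for example telling EPERM from EINVAL) would help.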
-- 
2.13.6



------------------------------

Message: 2
Date: Tue, 12 Jun 2018 17:33:47 +0100
From: David Woodhouse <[email protected]>
To: [email protected], [email protected]
Cc: connman <[email protected]>
Subject: Re: How to use OpenConnect and Cisco Secure Desktop with
        ConnMan (instead of NetworkManager)?
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"



On Tue, 2018-06-12 at 18:07 +0200, [email protected] wrote:
> Hello together,
> 
> in the past I was using NetworkManager and got OpenConnect including
> Cisco's Secure Desktop (CSD) working easily.
> 
> Now I switched to the more lightweight ConnMan and have some trouble to
> set up OpenConnect correctly.
> 
> --------------------------------------------------------------------------
> 
> The first question is: ConnMan's CMST-GUI provides several options for
> possible OpenConnect-VPN types to build the necessary config file. In
> detail these are:
> 
> - Provider OpenConnect
> - OpenConnect.ServerCert
> - OpenConnect.CACert
> - OpenConnect.ClientCert
> - OpenConnect.MTU
> - OpenConnect.Cookie
> - OpenConnect.VPNHost
> 
> Which type do I have to choose to get OpenConnect working together with CSD?

It's been a while since I paid much attention to ConnMan so I'm not
entirely sure of the current state of the authentication agents.

The way the VPN works is that you *first* authenticate (using the CSD
trojan and your cert and password and anything else), and you are
rewarded with a cookie - literally, an HTTP cookie called "webvpn".

You then take that cookie, along with the IP address of the VPN server
you were talking to (after any load balancing and other redirects), and
its certificate fingerprint (because it might not have been trusted;
you might have accepted it manually).

So there are three pieces of information which are needed to actually
make the connection:

 • VPN server address
 • Certificate fingerprint
 • Cookie

When you compare with your NetworkManager configuration, you are
comparing apples and oranges. That contains the information that you
*start* with - the first server you start authenticating to, things
like usernames and passwords. ConnMan doesn't care about any of that,
or didn't when I last looked. It just needs those three fields listed
above (which are precisely what the NM auth-dialog actually hands off
to NetworkManager itself, behind the scenes).

Somewhere there was a script which runs 'openconnect --authenticate' to
obtain the three relevant fields, and then poke ConnMan to connect
using them. Isn't that still in the ConnMan repo somewhere?


------------------------------

Message: 3
Date: Wed, 13 Jun 2018 13:47:42 +0200
From: Daniel Wagner <[email protected]>
To: David Woodhouse <[email protected]>
Cc: [email protected], [email protected], connman
        <[email protected]>
Subject: Re: How to use OpenConnect and Cisco Secure Desktop with
        ConnMan (instead of NetworkManager)?
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

Hi,

On 12.06.2018 18:33, David Woodhouse wrote:
> So there are three pieces of information which are needed to actually
> make the connection:
>
>  • VPN server address
>  • Certificate fingerprint
>  • Cookie
>
> When you compare with your NetworkManager configuration, you are
> comparing apples and oranges. That contains the information that you
> *start* with - the first server you start authenticating to, things
> like usernames and passwords. ConnMan doesn't care about any of that,
> or didn't when I last looked. It just needs those three fields listed
> above (which are precisely what the NM auth-dialog actually hands off
> to NetworkManager itself, behind the scenes).

Nothing has changed for ConnMan so far. Wouldn't mind if ConnMan would
learn to be more user friendly.

> Somewhere there was a script which runs 'openconnect --authenticate' to
> obtain the three relevant fields, and then poke ConnMan to connect
> using them. Isn't that still in the ConnMan repo somewhere?

Just checked the repo and there is no such script :/ And my google-foo
didn't find anything related.

Thanks,
Daniel


------------------------------

Message: 4
Date: Wed, 13 Jun 2018 13:14:46 +0100
From: David Woodhouse <[email protected]>
To: Daniel Wagner <[email protected]>
Cc: connman <[email protected]>, [email protected],
        [email protected]
Subject: Re: How to use OpenConnect and Cisco Secure Desktop with
        ConnMan (instead of NetworkManager)?
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"



On Wed, 2018-06-13 at 13:47 +0200, Daniel Wagner wrote:
> 
> > Somewhere there was a script which runs 'openconnect --authenticate' to
> > obtain the three relevant fields, and then poke ConnMan to connect
> > using them. Isn't that still in the ConnMan repo somewhere?
> 
> Just checked the repo and there is no such script :/ And my google-foo
> didn't find anything related.

Here's the equivalent for NetworkManager. Obviously the hostname and
other arguments on the 'openconnect --authenticate' command line are
per-user, per-config stuff. What you do with $COOKIE/$FINGERPRINT/$HOST
are not.

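#!/bin/sh
# Authenticate with openconnect, then hand the session to NetworkManager.

# Gateway to authenticate against: first argument, else the default.
HOST="$1"
if [ -z "$HOST" ]; then
    HOST=vpn.example.com
fi
COOKIE=
# --authenticate prints COOKIE=, HOST= and FINGERPRINT= assignments for
# the shell to eval; HOST is then the gateway that was actually reached.
eval "$(openconnect --csd-wrapper ~/bin/csd_wrapper --user "$LOGNAME" \
        --authgroup foo "$HOST" --authenticate)"

# No cookie means authentication did not succeed.
if [ -z "$COOKIE" ]; then
    exit 1
fi

# Pass the secrets on fd 5 so they never appear on the command line.
nmcli con up 'Example VPN' passwd-file /proc/self/fd/5 5<<EOF
vpn.secrets.cookie:$COOKIE
vpn.secrets.gwcert:$FINGERPRINT
vpn.secrets.gateway:$HOST
EOF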

------------------------------
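The hand-off described in the thread, sketched for ConnMan as an added example that is not from any of the posters or from the ConnMan repository: it reads the three fields from `openconnect --authenticate` output without `eval`, refuses anything unexpected, and prints a provisioning stanza. The mapping of FINGERPRINT to OpenConnect.ServerCert and HOST to OpenConnect.VPNHost, the Type/Name/Host/Domain layout, the `Domain` placeholder, the allow-list and the sample values are assumptions; check them against your ConnMan version's VPN provisioning documentation.

```shell
#!/bin/sh
# Added example: turn `openconnect --authenticate` output into a ConnMan
# provisioning stanza without eval. Sample data below is constructed.

SAMPLE_AUTH_OUTPUT="COOKIE='0123ABCD@4096@5E6F@DEADBEEF'
HOST='192.0.2.10'
FINGERPRINT='sha256:0f1e2d3c4b5a'"

# Print the value of one NAME='value' line; $1 = name, $2 = full output.
# Lines that are not a plain single-quoted assignment are ignored.
get_field() {
    printf '%s\n' "$2" | sed -n "s/^$1='\([^']*\)'\$/\1/p" | head -n 1
}

# Accept only characters expected in a cookie, host or fingerprint
# (a conservative allow-list chosen for this example).
is_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9@%_:/.+=-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = authenticate output, $2 = provider name. Key names are the ones
# listed in the thread; the Type/Name/Host/Domain layout is assumed.
render_connman_config() {
    cookie=$(get_field COOKIE "$1")
    host=$(get_field HOST "$1")
    fp=$(get_field FINGERPRINT "$1")
    for v in "$cookie" "$host" "$fp"; do
        is_safe "$v" || return 1    # missing or unexpected field: refuse
    done
    cat <<EOF
[provider_openconnect]
Type = OpenConnect
Name = $2
Host = $host
Domain = example.com
OpenConnect.VPNHost = $host
OpenConnect.ServerCert = $fp
OpenConnect.Cookie = $cookie
EOF
}

# The stanza carries a live session cookie: write it with umask 077.
render_connman_config "$SAMPLE_AUTH_OUTPUT" "Example VPN"
```

In real use the first argument would be the captured output of the `openconnect --authenticate` command from the script above, and the result would be redirected to a file readable only by its owner.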



------------------------------

End of connman Digest, Vol 32, Issue 6
**************************************
