Send connman mailing list submissions to
[email protected]
To subscribe or unsubscribe via email, send a message with subject or
body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of connman digest..."
Today's Topics:
1. [PATCH v2 6/8] openconnect: No PKCS auth mode restriction and support
interactive mode
(Jussi Laakkonen)
2. [PATCH v2 8/8] doc: Add new OpenConnect configuration options to VPN
config format
(Jussi Laakkonen)
----------------------------------------------------------------------
Date: Fri, 4 Oct 2019 17:35:19 +0300
From: Jussi Laakkonen <[email protected]>
Subject: [PATCH v2 6/8] openconnect: No PKCS auth mode restriction and
support interactive mode
To: [email protected]
Message-ID: <[email protected]>
Rename PKCS#12 to plain PKCS as being too restrictive to PKCS to
indicate that PKCS#1/8/12 files are allowed as well. Change the
authentiation mode to "pkcs". Do not use syslog (--syslog) if PKCS
authentication is used, output all to stderr to get PKCS pass phrase
requests in reactive manner.
Since the request for PKCS file pass phrase is sent to stderr without
terminating newline character it is imperative to implement additional
way of reading the content. The request for PKCS pass phrase is read
byte by byte in interactive mode to support both encrypted and
unencrypted PKCS#8, and to keep support for PKCS#12. The pass phrase is
queried from VPN agent if needed and in case of error (decryption failed
is regarded as invalid pass phrase) connection is terminated.
Using the interactive mode also fixes the issue of previous commit that
self signed certificate acceptance ("yes") couldn't have been written to
stdin of OpenConnect process. This is because in non-interactive mode
(--non-inter) OpenConnect quits if the certificate is self signed and
server SHA1 fingerprint is not set with --servercert. With these changes
OpenConnect is started in interactive mode if self signed certificates
are allowed and there is no OpenConnect.ServerCert set. Otherwise,
non-interactive mode is used.
Set both the IO channels to have no encoding (rely on content as ASCII).
---
vpn/plugins/openconnect.c | 341 ++++++++++++++++++++++++++++++--------
1 file changed, 274 insertions(+), 67 deletions(-)
diff --git a/vpn/plugins/openconnect.c b/vpn/plugins/openconnect.c
index 7b0f68e7..a2e91902 100644
--- a/vpn/plugins/openconnect.c
+++ b/vpn/plugins/openconnect.c
@@ -48,6 +48,7 @@
#include "vpn.h"
#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
+#define OC_MAX_READBUF_LEN 128
struct {
const char *cm_opt;
@@ -67,11 +68,11 @@ enum oc_connect_type {
OC_CONNECT_COOKIE_WITH_USERPASS,
OC_CONNECT_USERPASS,
OC_CONNECT_PUBLICKEY,
- OC_CONNECT_PKCS12,
+ OC_CONNECT_PKCS,
};
static const char *connect_types[] = {"cookie", "cookie_with_userpass",
- "userpass", "publickey", "pkcs12", NULL};
+ "userpass", "publickey", "pkcs", NULL};
static const char *protocols[] = { "anyconnect", "nc", "gp", NULL};
struct oc_private_data {
@@ -87,6 +88,7 @@ struct oc_private_data {
GIOChannel *out_ch;
GIOChannel *err_ch;
enum oc_connect_type connect_type;
+ bool interactive;
};
static bool is_valid_protocol(const char* protocol)
@@ -447,7 +449,7 @@ static void clear_provider_credentials(struct vpn_provider
*provider)
{
const char *keys[] = { "OpenConnect.Username",
"OpenConnect.Password",
- "OpenConnect.PKCS12Password",
+ "OpenConnect.PKCSPassword",
"OpenConnect.Cookie",
NULL
};
@@ -462,6 +464,82 @@ static void clear_provider_credentials(struct vpn_provider
*provider)
}
}
+typedef void (* request_input_reply_cb_t) (DBusMessage *reply,
+ void *user_data);
+
+static int request_input_credentials(struct oc_private_data *data,
+ request_input_reply_cb_t cb);
+
+
+static void request_input_pkcs_reply(DBusMessage *reply, void *user_data)
+{
+ struct oc_private_data *data = user_data;
+ const char *password = NULL;
+ const char *key;
+ DBusMessageIter iter, dict;
+ int err;
+
+ DBG("provider %p", data->provider);
+
+ if (!reply)
+ goto err;
+
+ err = vpn_agent_check_and_process_reply_error(reply, data->provider,
+ data->task, data->cb, data->user_data);
+ if (err) {
+ /* Ensure cb is called only once */
+ data->cb = NULL;
+ data->user_data = NULL;
+ goto err;
+ }
+
+ if (!vpn_agent_check_reply_has_dict(reply))
+ goto err;
+
+ dbus_message_iter_init(reply, &iter);
+ dbus_message_iter_recurse(&iter, &dict);
+ while (dbus_message_iter_get_arg_type(&dict) == DBUS_TYPE_DICT_ENTRY) {
+ DBusMessageIter entry, value;
+
+ dbus_message_iter_recurse(&dict, &entry);
+ if (dbus_message_iter_get_arg_type(&entry) != DBUS_TYPE_STRING)
+ break;
+
+ dbus_message_iter_get_basic(&entry, &key);
+
+ if (g_str_equal(key, "OpenConnect.PKCSPassword")) {
+ dbus_message_iter_next(&entry);
+ if (dbus_message_iter_get_arg_type(&entry)
+ != DBUS_TYPE_VARIANT)
+ break;
+ dbus_message_iter_recurse(&entry, &value);
+ if (dbus_message_iter_get_arg_type(&value)
+ != DBUS_TYPE_STRING)
+ break;
+ dbus_message_iter_get_basic(&value, &password);
+ vpn_provider_set_string_hide_value(data->provider, key,
+ password);
+ }
+
+ dbus_message_iter_next(&dict);
+ }
+
+ if (data->connect_type != OC_CONNECT_PKCS || !password)
+ goto err;
+
+ if (write_data(data->fd_in, password) != 0) {
+ connman_error("openconnect failed to take PKCS pass phrase on"
+ " stdin");
+ goto err;
+ }
+
+ clear_provider_credentials(data->provider);
+
+ return;
+err:
+ oc_connect_done(data, EACCES);
+}
+
static gboolean io_channel_err_cb(GIOChannel *source, GIOCondition condition,
gpointer user_data)
{
@@ -486,8 +564,18 @@ static gboolean io_channel_err_cb(GIOChannel *source,
GIOCondition condition,
"Failed to open HTTPS connection to",
NULL
};
- const char *pkcs12_failure =
- "Failed to decrypt PKCS#12 certificate file";
+ /* Handle both PKCS#12 and PKCS#8 failures */
+ const char *pkcs_failures[] = {
+ "Failed to decrypt PKCS#12 certificate file",
+ "Failed to decrypt PKCS#8 certificate file",
+ NULL
+ };
+ /* Handle both PKCS#12 and PKCS#8 requests */
+ const char *pkcs_requests[] = {
+ "Enter PKCS#12 pass phrase",
+ "Enter PKCS#8 pass phrase",
+ NULL
+ };
const char *server_key_hash = " --servercert";
char *str;
bool close = false;
@@ -501,14 +589,60 @@ static gboolean io_channel_err_cb(GIOChannel *source,
GIOCondition condition,
if (source && data->err_ch != source)
return G_SOURCE_REMOVE;
- if ((condition & G_IO_IN) &&
- g_io_channel_read_line(source, &str, NULL, NULL, NULL) ==
- G_IO_STATUS_NORMAL) {
- str[strlen(str) - 1] = '\0';
+ if ((condition & G_IO_IN)) {
+ gsize len;
+ int pos;
+
+ if (!data->interactive) {
+ if (g_io_channel_read_line(source, &str, &len, NULL,
+ NULL) != G_IO_STATUS_NORMAL)
+ err = EIO;
+ else
+ str[len - 1] = '\0';
+ } else {
+ GIOStatus status;
+ str = g_try_new0(char, OC_MAX_READBUF_LEN);
+ if (!str)
+ return G_SOURCE_REMOVE;
+
+ for (pos = 0; pos < OC_MAX_READBUF_LEN - 1 ; ++pos) {
+ status = g_io_channel_read_chars(source,
+ str+pos, 1, &len, NULL);
+
+ if (status == G_IO_STATUS_EOF) {
+ break;
+ } else if (status != G_IO_STATUS_NORMAL) {
+ err = EIO;
+ break;
+ }
+
+ /* Ignore control chars and digits at start */
+ if (!pos && (g_ascii_iscntrl(str[pos]) ||
+ g_ascii_isdigit(str[pos])))
+ --pos;
+
+ /* Read zero length or no more to read */
+ if (!len || g_io_channel_get_buffer_condition(
+ source) != G_IO_IN ||
+ str[pos] == '\n')
+ break;
+ }
+
+ /*
+ * When self signed certificates are allowed and server
+ * SHA1 fingerprint is printed to stderr there is a
+ * newline char at the end of SHA1 fingerprint.
+ */
+ if (str[pos] == '\n')
+ str[pos] = '\0';
+ }
connman_info("openconnect: %s", str);
- if (g_str_has_prefix(str, server_key_hash)) {
+ if (err || !str || !*str) {
+ DBG("error reading from openconnect");
+ } else if (g_str_has_prefix(str, server_key_hash)) {
+ const char *fingerprint;
int position;
bool allow_self_signed;
@@ -519,21 +653,23 @@ static gboolean io_channel_err_cb(GIOChannel *source,
GIOCondition condition,
if (allow_self_signed) {
position = strlen(server_key_hash) + 1;
+ fingerprint = g_strstrip(str + position);
connman_info("Set server key hash: \"%s\"",
- str + position);
+ fingerprint);
vpn_provider_set_string(data->provider,
"OpenConnect.ServerCert",
- str + position);
+ fingerprint);
/*
* OpenConnect waits for "yes" or "no" as
* response to certificate acceptance request.
*/
if (write_data(data->fd_in, "yes") != 0)
- connman_error("cannot write answer to "
- "certificate accept request");
+ connman_error("openconnect: cannot "
+ "write answer to certificate "
+ "accept request");
} else {
connman_warn("Self signed certificate is not "
@@ -547,17 +683,22 @@ static gboolean io_channel_err_cb(GIOChannel *source,
GIOCondition condition,
close = true;
err = ECONNREFUSED;
}
- } else if (g_str_has_prefix(str, pkcs12_failure)) {
- connman_warn("invalid PKCS#12 password: %s", str);
- /*
- * Close IO channel to avoid deadlock. This is because
- * after PKCS#12 decryption fails OpenConnect will wait
- * for a new pass phrase to be written to stdin,
- * blocking vpnd as well. Instead of waiting for a
- * timeout it is better to close the IO channel here.
- */
+ } else if (strv_contains_prefix(pkcs_failures, str)) {
+ connman_warn("PKCS failure: %s", str);
+
close = true;
err = EACCES;
+ } else if (strv_contains_prefix(pkcs_requests, str)) {
+ DBG("PKCS file pass phrase request: %s", str);
+ err = request_input_credentials(data,
+ request_input_pkcs_reply);
+
+ if (err != -EINPROGRESS) {
+ err = EACCES;
+ close = true;
+ } else {
+ err = 0;
+ }
} else if (strv_contains_prefix(auth_failures, str)) {
connman_warn("authentication failed: %s", str);
err = EACCES;
@@ -608,9 +749,10 @@ static int run_connect(struct oc_private_data *data)
const char *usergroup;
const char *certificate = NULL;
const char *private_key;
+ const char *setting_str;
bool setting;
bool use_stdout = false;
- int fd_out;
+ int fd_out = -1;
int fd_err;
int err = 0;
@@ -690,17 +832,22 @@ static int run_connect(struct oc_private_data *data)
connman_task_add_argument(task, "--certificate", certificate);
connman_task_add_argument(task, "--sslkey", private_key);
break;
- case OC_CONNECT_PKCS12:
+ case OC_CONNECT_PKCS:
certificate = vpn_provider_get_string(provider,
- "OpenConnect.PKCS12ClientCert");
- password = vpn_provider_get_string(data->provider,
- "OpenConnect.PKCS12Password");
- if (!certificate || !password) {
+ "OpenConnect.PKCSClientCert");
+ if (!certificate) {
err = -EACCES;
goto done;
}
connman_task_add_argument(task, "--certificate", certificate);
+
+ password = vpn_provider_get_string(data->provider,
+ "OpenConnect.PKCSPassword");
+ /* Add password only if it is has been set */
+ if (!password || !g_strcmp0(password, "-"))
+ break;
+
connman_task_add_argument(task, "--passwd-on-stdin", NULL);
break;
}
@@ -730,10 +877,41 @@ static int run_connect(struct oc_private_data *data)
if (setting)
connman_task_add_argument(task, "--no-http-keepalive", NULL);
- connman_task_add_argument(task, "--non-inter", NULL);
+ /*
+ * To clarify complex situation, if cookie is expected to be printed
+ * to stdout all other output must go to syslog. But with PKCS all
+ * output must be catched in order to get message about file decryption
+ * error. For this reason, the mode has to be interactive as well.
+ */
+ switch (data->connect_type) {
+ case OC_CONNECT_COOKIE:
+ /* fall through */
+ case OC_CONNECT_COOKIE_WITH_USERPASS:
+ /* fall through */
+ case OC_CONNECT_USERPASS:
+ /* fall through */
+ case OC_CONNECT_PUBLICKEY:
+ connman_task_add_argument(task, "--syslog", NULL);
+
+ setting = vpn_provider_get_boolean(provider,
+ "OpenConnect.AllowSelfSignedCert",
+ false);
+ setting_str = vpn_provider_get_string(provider,
+ "OpenConnect.ServerCert");
- /* Output all to syslog to output cookie only to stdout */
- connman_task_add_argument(task, "--syslog", NULL);
+ /*
+ * Run in interactive mode if self signed certificates are
+ * allowed and there is no set server SHA1 fingerprint.
+ */
+ if (setting_str || !setting)
+ connman_task_add_argument(task, "--non-inter", NULL);
+ else
+ data->interactive = true;
+ break;
+ case OC_CONNECT_PKCS:
+ data->interactive = true;
+ break;
+ }
connman_task_add_argument(task, "--script", SCRIPTDIR "/vpn-script");
@@ -783,10 +961,13 @@ static int run_connect(struct oc_private_data *data)
break;
case OC_CONNECT_PUBLICKEY:
break;
- case OC_CONNECT_PKCS12:
+ case OC_CONNECT_PKCS:
+ if (!password || !g_strcmp0(password, "-"))
+ break;
+
if (write_data(data->fd_in, password) != 0) {
- connman_error("openconnect failed to take PKCS#12 "
- "password on stdin");
+ connman_error("openconnect failed to take PKCS "
+ "pass phrase on stdin");
err = -EIO;
}
@@ -807,15 +988,32 @@ static int run_connect(struct oc_private_data *data)
if (use_stdout) {
data->out_ch = g_io_channel_unix_new(fd_out);
- data->out_ch_id = g_io_add_watch(data->out_ch,
- G_IO_IN | G_IO_ERR | G_IO_HUP,
- (GIOFunc)io_channel_out_cb, data);
+
+ /* Use ASCII encoding only */
+ if (g_io_channel_set_encoding(data->out_ch, NULL, NULL) !=
+ G_IO_STATUS_NORMAL) {
+ close_io_channel(data, data->out_ch);
+ err = -EIO;
+ } else {
+ data->out_ch_id = g_io_add_watch(data->out_ch,
+ G_IO_IN | G_IO_ERR | G_IO_HUP,
+ (GIOFunc)io_channel_out_cb,
+ data);
+ }
}
data->err_ch = g_io_channel_unix_new(fd_err);
- data->err_ch_id = g_io_add_watch(data->err_ch,
- G_IO_IN | G_IO_ERR | G_IO_HUP | G_IO_PRI,
- (GIOFunc)io_channel_err_cb, data);
+
+ /* Use ASCII encoding only */
+ if (g_io_channel_set_encoding(data->err_ch, NULL, NULL) !=
+ G_IO_STATUS_NORMAL) {
+ close_io_channel(data, data->err_ch);
+ err = -EIO;
+ } else {
+ data->err_ch_id = g_io_add_watch(data->err_ch,
+ G_IO_IN | G_IO_ERR | G_IO_HUP,
+ (GIOFunc)io_channel_err_cb, data);
+ }
done:
clear_provider_credentials(data->provider);
@@ -903,8 +1101,12 @@ static void request_input_append_to_dict(struct
vpn_provider *provider,
static void request_input_credentials_reply(DBusMessage *reply, void
*user_data)
{
struct oc_private_data *data = user_data;
- char *cookie = NULL, *servercert = NULL, *vpnhost = NULL;
- const char *username = NULL, *password = NULL, *pkcs12password = NULL;
+ const char *cookie = NULL;
+ const char *servercert = NULL;
+ const char *vpnhost = NULL;
+ const char *username = NULL;
+ const char *password = NULL;
+ const char *pkcspassword = NULL;
const char *key;
DBusMessageIter iter, dict;
int err;
@@ -997,7 +1199,7 @@ static void request_input_credentials_reply(DBusMessage
*reply, void *user_data)
dbus_message_iter_get_basic(&value, &password);
vpn_provider_set_string_hide_value(data->provider,
"OpenConnect.Password", password);
- } else if (g_str_equal(key, "OpenConnect.PKCS12Password")) {
+ } else if (g_str_equal(key, "OpenConnect.PKCSPassword")) {
dbus_message_iter_next(&entry);
if (dbus_message_iter_get_arg_type(&entry)
!= DBUS_TYPE_VARIANT)
@@ -1006,9 +1208,9 @@ static void request_input_credentials_reply(DBusMessage
*reply, void *user_data)
if (dbus_message_iter_get_arg_type(&value)
!= DBUS_TYPE_STRING)
break;
- dbus_message_iter_get_basic(&value, &pkcs12password);
+ dbus_message_iter_get_basic(&value, &pkcspassword);
vpn_provider_set_string_hide_value(data->provider, key,
- pkcs12password);
+ pkcspassword);
}
dbus_message_iter_next(&dict);
@@ -1029,8 +1231,8 @@ static void request_input_credentials_reply(DBusMessage
*reply, void *user_data)
break;
case OC_CONNECT_PUBLICKEY:
break; // This should not be reached.
- case OC_CONNECT_PKCS12:
- if (!pkcs12password)
+ case OC_CONNECT_PKCS:
+ if (!pkcspassword)
goto err;
break;
@@ -1049,10 +1251,14 @@ out:
free_private_data(data);
}
-static int request_input_credentials(struct oc_private_data *data)
+static int request_input_credentials(struct oc_private_data *data,
+ request_input_reply_cb_t cb)
{
DBusMessage *message;
- const char *path, *agent_sender, *agent_path, *username;
+ const char *path;
+ const char *agent_sender;
+ const char *agent_path;
+ const char *username;
DBusMessageIter iter;
DBusMessageIter dict;
int err;
@@ -1063,6 +1269,9 @@ static int request_input_credentials(struct
oc_private_data *data)
connman_info("provider %p", data->provider);
+ if (!data || !cb)
+ return -ESRCH;
+
agent = connman_agent_get_info(data->dbus_sender,
&agent_sender, &agent_path);
if (!data->provider || !agent || !agent_path)
@@ -1126,14 +1335,14 @@ static int request_input_credentials(struct
oc_private_data *data)
break;
case OC_CONNECT_PUBLICKEY:
return -EINVAL;
- case OC_CONNECT_PKCS12:
+ case OC_CONNECT_PKCS:
request_input_append_to_dict(data->provider, &dict,
request_input_append_informational,
- "OpenConnect.PKCS12ClientCert");
+ "OpenConnect.PKCSClientCert");
request_input_append_to_dict(data->provider, &dict,
request_input_append_password,
- "OpenConnect.PKCS12Password");
+ "OpenConnect.PKCSPassword");
break;
}
@@ -1142,8 +1351,7 @@ static int request_input_credentials(struct
oc_private_data *data)
connman_dbus_dict_close(&iter, &dict);
err = connman_agent_queue_message(data->provider, message,
- connman_timeout_input_request(),
- request_input_credentials_reply, data, agent);
+ connman_timeout_input_request(), cb, data, agent);
dbus_message_unref(message);
@@ -1184,7 +1392,11 @@ static int oc_connect(struct vpn_provider *provider,
const char *dbus_sender, void *user_data)
{
struct oc_private_data *data;
- const char *vpnhost, *vpncookie, *certificate, *username, *password;
+ const char *vpnhost;
+ const char *vpncookie;
+ const char *certificate;
+ const char *username;
+ const char *password;
const char *private_key;
int err;
@@ -1260,16 +1472,11 @@ static int oc_connect(struct vpn_provider *provider,
}
break;
- case OC_CONNECT_PKCS12:
+ case OC_CONNECT_PKCS:
certificate = vpn_provider_get_string(provider,
- "OpenConnect.PKCS12ClientCert");
- if (certificate) {
- password = vpn_provider_get_string(provider,
- "OpenConnect.PKCS12Password");
- if (!password || !g_strcmp0(password, "-"))
- goto request_input;
- } else {
- connman_warn("missing PKCS#12 certificate");
+ "OpenConnect.PKCSClientCert");
+ if (!certificate) {
+ connman_warn("missing PKCS certificate");
oc_connect_done(data, EACCES);
free_private_data(data);
return -EACCES;
@@ -1281,7 +1488,7 @@ static int oc_connect(struct vpn_provider *provider,
return run_connect(data);
request_input:
- err = request_input_credentials(data);
+ err = request_input_credentials(data, request_input_credentials_reply);
if (err != -EINPROGRESS) {
oc_connect_done(data, err);
vpn_provider_indicate_error(data->provider,
@@ -1313,7 +1520,7 @@ static int oc_save(struct vpn_provider *provider,
GKeyFile *keyfile)
"OpenConnect.AuthType",
"OpenConnect.CACert",
"OpenConnect.ClientCert",
- "OpenConnect.PKCS12ClientCert",
+ "OpenConnect.PKCSClientCert",
"OpenConnect.ServerCert",
"OpenConnect.UserPrivateKey",
"OpenConnect.DisableIPv6",
--
2.20.1
------------------------------
Date: Fri, 4 Oct 2019 17:35:21 +0300
From: Jussi Laakkonen <[email protected]>
Subject: [PATCH v2 8/8] doc: Add new OpenConnect configuration options
to VPN config format
To: [email protected]
Message-ID: <[email protected]>
Documented the new options implemented for OpenConnect and the possible
choices for authentication.
---
Changes since V2:
* Change PKCS#12 to PKCS in settings and authentication type.
doc/vpn-config-format.txt | 75 ++++++++++++++++++++++++++++++++++++---
1 file changed, 71 insertions(+), 4 deletions(-)
diff --git a/doc/vpn-config-format.txt b/doc/vpn-config-format.txt
index b9d37fa4..beee160f 100644
--- a/doc/vpn-config-format.txt
+++ b/doc/vpn-config-format.txt
@@ -54,8 +54,9 @@ OpenConnect VPN supports following options (see
openconnect(8) for details):
OpenConnect.CACert --cafile File containing other Certificate
Authorities in addition to the ones
in the system trust database (O)
- OpenConnect.ClientCert --certificate Client certificate file, if needed
- by web authentication (O)
+ OpenConnect.ClientCert --certificate Client certificate file, needed
+ by web authentication when AuthType
+ is set as "publickey" (O)
VPN.MTU --mtu Request MTU from server as the MTU
of the tunnel (O)
OpenConnect.Cookie --cookie-on-stdin Cookie received as a result of the
@@ -68,8 +69,73 @@ OpenConnect VPN supports following options (see
openconnect(8) for details):
Only usable for extremely simple VPN
configurations and should normally
be set only via the VPN Agent API.
-If OpenConnect.Cookie or OpenConnect.ServerCert are missing, the VPN Agent will
-be contacted to supply the information.
+ OpenConnect.AllowSelfSignedCert none Additional option to define if self
+ signed server certificates are
+ allowed. Boolean string and defaults
+ to false, value "true" enables the
+ option. Affects to the OpenConnect
+ internal function only: --servercert
+ is not added to startup parameters
+ and receiving self signed cert from
+ server terminates the connection if
+ set as false (or omitted) (O)
+ OpenConnect.AuthType Type of authentication used with
+ OpenConnect. Applicable values are
+ "cookie", "cookie_with_userpass",
+ "userpass", "publickey" and
+ "pkcs". Value "cookie" is basic
+ cookie based authentication. Value
+ "cookie_with_userpass" means that
+ credentials are used to retrieve the
+ connection cookie, which hides the
+ username from commandline. With
+ value "userpass" username and
+ password are used. Value "publickey"
+ requires CACert and UserPrivateKey
+ to be set. Value "pkcs" uses the
+ PKCSClientCert and requests password
+ input. Defaults to "cookie" (O)
+ cookie --cookie-on-stdin Default cookie based authentication
+ cookie_with_userpass Two phased connection, first
+ authentication: --cookieonly authenticate with credentials then
+ --passwd-on-stdin use cookie for connection. Username
+ --user is hidden from commandline during
+ connection: --cookie-on-stdin connection.
+ userpass --passwd-on-stdin Credential based authentication,
+ --user username is visible on commandline.
+ publickey --clientcert Non-encrypted client certificate and
+ --sslkey private key file is used for auth.
+ pkcs --cliencert Authenticate with PKCS#1/PKCS#8/
+ PKCS#12 client certificate.
+ OpenConnect.DisableIPv6 --disable-ipv6 Do not ask for IPv6 connectivity.
+ Boolean string and defaults to
+ false, value "true" enables the
+ option (O)
+ OpenConnect.NoDTLS --no-dtls Disable DTLS and ESP (O)
+ OpenConnect.NoHTTPKeepalive --no-http-keepalive Disable HTTP connection
+ re-use to workaround issues with
+ some servers. Boolean string and
+ defaults to false, value "true"
+ enables the option (O)
+ OpenConnect.PKCSClientCert --certificate Certificate and private key in
+ a PKCS#1/PKCS#8/PKCS#12 structure.
+ Needed when AuthType is "pkcs" (O)
+ OpenConnect.Usergroup --usergroup Set login usergroup on remote server
+ (O)
+ OpenConnect.UserPrivateKey --sslkey SSL private key file needed by web
+ authentication when AuthType is set
+ as "publickey" (O)
+
+The VPN agent will be contacted to supply the information based on the
+authentication type as follows:
+ Authentication type Information requested Saved with name
+ cookie OpenConnect.Cookie OpenConnect.Cookie
+ cookie_with_userpass Username OpenConnect.Username
+ Password OpenConnect.Password
+ userpass Username OpenConnect.Username
+ Password OpenConnect.Password
+ publickey <none>
+ pkcs OpenConnect.PKCSPassword OpenConnect.PKCSPassword
OpenVPN VPN supports following options (see openvpn(8) for details):
Option name OpenVPN option Description
@@ -235,6 +301,7 @@ L2TP.User = username
[provider_openconnect]
Type = OpenConnect
+AuthType = pkcs
Name = Connection to corporate network using Cisco VPN
Host = 7.6.5.4
Domain = corporate.com
--
2.20.1
------------------------------
Subject: Digest Footer
_______________________________________________
connman mailing list -- [email protected]
To unsubscribe send an email to [email protected]
------------------------------
End of connman Digest, Vol 48, Issue 7
**************************************
