Hi, just following up on the issue regarding DNS resolution...

This seems to be a problem with access to update resolv.conf through using the -s 'sudo -E /etc/vpnc/vpnc' flag. If I run openconnect as root and the -s flag is not used, /etc/resolv.conf gets updated correctly and shows commented headings stating that it was updated by vpnc. Everything works.

As a standard user, I modified the -s flag to include a printenv command prior to the sudo command. Running the openconnect command then prints all of the environment settings needed for vpnc (like INTERNAL_IP4_DNS) which has two correct addresses for VPN servers as its value.

I don't quite understand why updating /etc/resolv.conf through the vpnc script does not happen when executed through the -s flag as suggested on the nonroot.html page of the website (linked previously). There are no SELinux denials in the audit log - we're running in Enforcing mode.

I guess the new question is in regards to the security of running openconnect as root through sudo versus running the vpnc script as root through sudo. If there is not a significant difference in risk, I can rework our configuration to run openconnect as root. Can anyone provide any reasons why one method would present more risk than the other?

Thanks!

--Sean

On Wed, Nov 2, 2016 at 6:34 AM, Sean <smalder73 at gmail.com> wrote:
> Yes, even in the latest version, it does not support authentication
> with pkcs#11 smart cards -
> https://wiki.gnome.org/Projects/NetworkManager/PKCS11
>
> I was following guidance from
> http://www.infradead.org/openconnect/pkcs11.html,
> http://www.infradead.org/openconnect/nonroot.html and Mr. Woodhouse in
> configuring my systems this way.
>
> --Sean
>
>
> On Wed, Nov 2, 2016 at 4:46 AM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos at gmail.com> wrote:
>> On Tue, Nov 1, 2016 at 8:37 PM, Sean <smalder73 at gmail.com> wrote:
>>> Hi,
>>> I am using openconnect from Enterprise Linux 7 distributions to
>>> connect to a Cisco VPN, authenticating with a PKCS#11 smart card.
>>> When an unprivileged user connects externally two issues arise.
>>>
>>> 1. Name resolution doesn't get updated with the VPN's name servers. I
>>> guess this is because NetworkManager sets /etc/resolv.conf, and
>>> openconnect is being executed outside of NetworkManager, though I'm
>>> not certain.
>>
>> Since you are using network manager, have you tried using the
>> networkmanager-openconnect plugin from epel? That would integrate with
>> the rest of the system.
>>
>> regards,
>> Nikos