Re: Yubikey OTP for Anyconnect VPN with Duo 2FA

On Thu, 2019-08-01 at 13:09 -0400, Mustafa Veysi Nural wrote:
> Hi,
> 
> My institution uses Anyconnect VPN with Duo 2FA. I'm able to use
> openconnect with NM Gnome plugin just fine when I put "push" as the
> second password to initiate a push request to my phone. Recently, I've
> registered my Yubikey with Duo so I'm able to tap and generate an OTP
> for the secondary password field. The issue is, I either need to
> delete the previously saved OTP from the second password field
> every time (when save passwords is checked) or I have to type in my
> password in addition to the OTP (when save passwords is unchecked). Is
> it possible to configure the network manager to only save the primary
> password but not the secondary? I've seen the "yubioath" support in
> the command line but it seems the "Yubikey OTP" utilizes an encrypted
> AES based token different than the oath mode.

A workaround:

If you uncheck the 'save passwords' box in the auth-dialog, I believe
it actually goes and deletes the passwords from your secret store. 

However, if you edit that field manually with nmcli (or just editing
the NM config file, which might be easier), you can set save_passwords
to zero without deleting the currently saved passwords. 

Then you delete the OTP one from the secret store, but leave the normal
one, which will still get populated for you even though
'save_passwords' is now unset, because that doesn't prevent it from
*loading* passwords :)


That's a bit horrid though. Since we do know, allegedly, which
passwords are OTP and which are not, we possibly ought to just
automatically *not* save the OTP ones? The problem with that is that
our heuristics for knowing which are OTP are a bit crap, and it's only
ever mattered for people who are actually using the direct OTP
generation (via hardware or libstoken, etc.).


Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
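The "edit the NM config file" variant of the workaround above, as an added example that is not code from the openconnect project or from either poster. It works on a NetworkManager keyfile (the files under /etc/NetworkManager/system-connections, root-only 0600): it sets save_passwords=no in the [vpn] section and drops only the secondary-password secret from [vpn-secrets], leaving the primary password in place. Assumptions, labelled in the code: the flag is a [vpn] key named save_passwords with yes/no values, and secrets live in the keyfile under form:main:password / form:main:secondary_password, the Cisco form field names. If the secrets are agent-owned (GNOME keyring) they are not in the keyfile at all; the equivalent step there is `secret-tool clear` on the matching keyring item, and the keyfile edit only covers the save_passwords flag. The sample keyfile is constructed.

```python
"""Added example (not openconnect/nm-openconnect project code).

Turn off save_passwords for an openconnect VPN keyfile while keeping the
primary password and discarding the secondary (OTP) one.
Assumed names: 'save_passwords' in [vpn] with yes/no values, secrets in
[vpn-secrets] keyed form:main:password and form:main:secondary_password.
"""
import configparser
import io
import os

# Assumed field name of the OTP prompt (Cisco "secondary_password" form field).
SECONDARY_KEYS = ("form:main:secondary_password",)

# Constructed sample keyfile; the OTP value is a placeholder, not a real token.
SAMPLE = """[connection]
id=campus-vpn
uuid=5c7d1d5e-0000-4000-8000-000000000001
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openconnect
gateway=vpn.example.edu
protocol=anyconnect
authtype=password
save_passwords=yes

[vpn-secrets]
form:main:password=correct horse battery staple
form:main:secondary_password=cccccc-constructed-otp-placeholder
"""


def load_keyfile(text: str) -> configparser.ConfigParser:
    """Parse a GLib-style keyfile. Keys are case sensitive and contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case exactly as NM wrote it
    cp.read_string(text)
    return cp


def stop_saving_secondary(text: str) -> str:
    """Set save_passwords=no and remove only the secondary secret."""
    cp = load_keyfile(text)
    if "vpn" not in cp:
        raise ValueError("keyfile has no [vpn] section; not a VPN connection")
    cp["vpn"]["save_passwords"] = "no"  # assumed key name and value format
    if "vpn-secrets" in cp:
        for key in SECONDARY_KEYS:
            cp["vpn-secrets"].pop(key, None)  # leave the primary password alone
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # NM style: key=value
    return out.getvalue()


def audit(text: str) -> dict:
    """Report the flag and which secrets remain, for a before/after check."""
    cp = load_keyfile(text)
    secrets = dict(cp["vpn-secrets"]) if "vpn-secrets" in cp else {}
    return {
        "save_passwords": cp["vpn"].get("save_passwords"),
        "secrets": sorted(secrets),
    }


def rewrite_keyfile(path: str) -> None:
    """Rewrite a keyfile in place, creating the new file 0600 as NM requires."""
    with open(path, encoding="utf-8") as f:
        new_text = stop_saving_secondary(f.read())
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(new_text)
    os.replace(tmp, path)


if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(stop_saving_secondary(SAMPLE)))
```

After editing a real file, run `nmcli connection reload` so NetworkManager picks up the change without the auth-dialog's unchecked box wiping the secrets first. configparser drops comment lines, which NM keyfiles normally do not contain; check the audit output before and after if the file was hand-edited.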
