FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Nov 2017
    Location
    whoami
    Posts
    1

    openconnect using smart card

    Greetings to forum!

    I am going crazy trying to resolve an issue with connecting to a VPN via openconnect using a smart card and two other certificate files. I'll describe how I connect on a Windows machine.

    I have two certificates, the .cer files. Then I have a smart card with a PIN. There are also some certificates on that smart card. Using Cisco AnyConnect I just press the button and everything works fine.

    Linux box setup:
    Fedora 26
    kernel: 4.13.11-200.fc26.x86_64
    OpenConnect version v7.08
    OpenSSL 1.1.0f-fips 25 May 2017
    p11tool 3.5.16
    pcsc-lite version 1.8.22.

    I have converted the DER certificates to PEM
    Code:
    sudo openssl x509 -inform der -in ~/cert1.cer -out /etc/pki/ca-trust/source/anchors/cert1.pem
    sudo openssl x509 -inform der -in ~/cert2.cer -out /etc/pki/ca-trust/source/anchors/cert2.pem
    then
    Code:
    sudo update-ca-trust
    then using p11tool I fetched the URIs

    Code:
    p11tool --list-tokens --provider=/usr/lib64/specificLibrary.so
    p11tool --list-all-certs 'pkcs11:model=myGreatModel' --provider=/usr/lib64/specificLibrary.so
    openconnect -c 'pkcs11:model=myGreatModel' my.vpn.gateway
    but end up with the following error message
    Code:
    POST https://my.vpn.gateway/
    Connected to X.X.X.X:443
    Error loading certificate from PKCS#11: The requested data were not available.
    Loading certificate failed. Aborting.
    Failed to open HTTPS connection to my.vpn.gateway
    Failed to obtain WebVPN cookie
    When I look into the certificate (exported as PEM) I can see BEGIN and END. I do not understand why I have two certificates. I guess one is the issuer/publisher and the 2nd is the pure certificate. On the card I have certificates generated on Active Directory, connected with my user name on AD.

    I don't know if I should place the certificates (not those from the smart card) into /etc/pki.... or where. I don't know how come Linux is not asking me for the PIN (I remember only once) and allows me to fetch the certificate URIs from the smart card. I don't know how to point openconnect to fetch the certificate from my /etc/pki directory and also use the certificates from the smart card. I am really confused.

    Thanks for any help!

  2. #2
    Join Date
    Nov 2015
    Location
    Gothenburg, Sweden
    Posts
    35

    Re: openconnect using smart card

    This is a long shot, but are you logged on via the console when you get the
    Error loading certificate from PKCS#11: The requested data were not available.
    message?

    Do you get any pcscd entries in /var/log/messages looking something like this:
    Code:
    2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 03445385 auth.c:137:IsClientAuthorized() Process 48952 (user: 48) is NOT authorized for action: access_pcsc
    2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 00000279 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
    If you are not logged on via the console and you see pcscd entries in your log, try running as root. Do you get the same error? If it's working as root but you need this to work when not sitting by the console or logged on as root, then you may need to add polkit rules.

    The rules below are directly from
    https://github.com/LudovicRousseau/P.../README.polkit
    and give the user www-data access rights to the SC reader.

    Code:
    # cat /usr/share/polkit-1/rules.d/org.debian.pcsc-lite.rules
    
    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_card" &&
            action.lookup("reader") == 'name of reader' &&
            subject.user == "www-data") {
                return polkit.Result.YES;
        }
    });
    
    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
            subject.user == "www-data") {
                return polkit.Result.YES;
        }
    });
    Br,
    Ted
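Added example (not from either post, and not part of pcsc-lite or openconnect): a small Python script that scans syslog-style lines for the pcscd denial Ted describes and reports which UID and which action were refused, so you know what a rule under /usr/share/polkit-1/rules.d would need to grant before writing one. The sample log lines are constructed in the format quoted above; the second denial (action `access_card`, UID 1000) and all PIDs are made up. The `org.debian.pcsc-lite.` prefix used to turn the logged short action name into a polkit action id is taken from the rules quoted above.

```python
"""Find pcscd authorization denials in syslog-style lines.

Added example, not code from the thread. It extracts the PID, UID and
refused action from pcscd "is NOT authorized" messages and groups them
by (uid, polkit action id), which is exactly the pair a polkit rule
has to match on. Sample lines below are constructed; only the first
denial mirrors the entry quoted in the thread.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

try:
    import pwd  # POSIX only; used to turn a UID into a user name
except ImportError:  # pragma: no cover - non-POSIX host
    pwd = None

# The auth.c line pcscd logs when polkit refuses a client.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+pcscd\[(?P<pcscd_pid>\d+)\]:.*?"
    r"IsClientAuthorized\(\) Process (?P<pid>\d+) \(user: (?P<uid>\d+)\) "
    r"is NOT authorized for action: (?P<action>\S+)"
)

# pcscd logs the short action name; polkit rules match the full id
# (see the "org.debian.pcsc-lite.access_pcsc" rule quoted in the thread).
POLKIT_ACTION_PREFIX = "org.debian.pcsc-lite."

# Constructed sample log: one denial matching the thread's entry, one
# made-up access_card denial, plus an unrelated line that must be ignored.
SAMPLE_LOG = """\
2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 03445385 auth.c:137:IsClientAuthorized() Process 48952 (user: 48) is NOT authorized for action: access_pcsc
2017-09-21T10:54:35+02:00 ninja pcscd[2721]: 00000279 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
2017-09-21T10:55:02+02:00 ninja pcscd[2721]: 00012345 auth.c:137:IsClientAuthorized() Process 49001 (user: 1000) is NOT authorized for action: access_card
2017-09-21T10:55:10+02:00 ninja sshd[3000]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""


def parse_denials(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per pcscd authorization denial found in lines."""
    denials: List[Dict[str, object]] = []
    for line in lines:
        m = DENIED_RE.match(line)
        if not m:
            continue
        denials.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "uid": int(m.group("uid")),
            "action": m.group("action"),
            "polkit_action_id": POLKIT_ACTION_PREFIX + m.group("action"),
        })
    return denials


def username_for_uid(uid: int) -> Optional[str]:
    """Resolve a UID via the local passwd database; None if unknown here."""
    if pwd is None:
        return None
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def summarize(denials: List[Dict[str, object]]) -> Dict[Tuple[int, str], int]:
    """Count denials per (uid, polkit action id): each key is one missing rule."""
    counts: Dict[Tuple[int, str], int] = {}
    for d in denials:
        key = (int(d["uid"]), str(d["polkit_action_id"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Run against the constructed sample; swap in open("/var/log/messages")
    # on a real host (reading it normally needs root).
    found = parse_denials(SAMPLE_LOG.splitlines())
    for (uid, action_id), n in sorted(summarize(found).items()):
        name = username_for_uid(uid) or "unknown-user"
        print(f"uid {uid} ({name}) refused {n}x for {action_id}")
```

Run it as-is to see the two denials from the sample; on a real host, feed it `/var/log/messages` or `journalctl -u pcscd` output. A UID that shows up here while the user is logged on at the console is worth a second look, since the console session is what the default rules are written for.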
