Webview for SAML does not allow Duo to use a Yubikey

Bug #1968790 reported by Jason Gunthorpe
Affects: network-manager-openconnect (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Thanks a lot for working on the new SAML support for openconnect. I just succeeded in making it work with our Cisco AnyConnect setup; it is going to make a lot of people happy here. Is there anything I can do to help get the upstream parts merged, e.g. confirm it works, etc.?

For this bug, one thing I hope is simple to resolve: the webview that is spawned causes Duo MFA to complain that it cannot use a YubiKey U2F token because popups are blocked. Can popups be unblocked?

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: network-manager-openconnect-gnome 1.2.6-4
ProcVersionSignature: Ubuntu 5.15.0-25.25-generic 5.15.30
Uname: Linux 5.15.0-25-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu80
Architecture: amd64
CasperMD5CheckResult: pass
CasperVersion: 1.468
CurrentDesktop: ubuntu:GNOME
Date: Tue Apr 12 20:44:56 2022
LiveMediaBuild: Ubuntu 22.04 LTS "Jammy Jellyfish" - Daily amd64 (20220409)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: network-manager-openconnect
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Jason Gunthorpe (jgunthorpe) wrote :

Upon more research it seems there is a lot more wrong here than the misleading message from Duo.

GTK Webkit completely lacks support for webauthn, so it is pointless to think about anything at the network-manager-openconnect level. This means this will not support security tokens for VPN login.
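
The claim above (that the embedded view has no WebAuthn at all) is something an administrator can check directly rather than infer from Duo's popup message. The following is an added example, not code from the bug report, openconnect or NetworkManager-openconnect: a small feature probe that can be pasted into the developer console of whatever browsing context renders the SAML page (the real `window` inside the embedded view, or a constructed stand-in as used here) and reports which parts of the WebAuthn surface a Duo login page needs are missing. The `noWebAuthnView` and `fullBrowser` objects are constructed stand-ins, not captured from any real webview.

```javascript
// Added example (not from the bug report): probe a browsing context for the
// WebAuthn API surface a Duo/SAML page needs before it can talk to a U2F/FIDO2
// security key. `win` is whatever object stands in for `window` (the real one
// inside the embedded webview, or a constructed stand-in in tests).
function detectWebAuthn(win) {
  const nav = win && win.navigator;
  const hasPublicKeyCredential = !!win && typeof win.PublicKeyCredential === "function";
  const hasCredentials = !!(nav && nav.credentials);
  const hasCreate = hasCredentials && typeof nav.credentials.create === "function";
  const hasGet = hasCredentials && typeof nav.credentials.get === "function";

  const missing = [];
  if (!hasPublicKeyCredential) missing.push("PublicKeyCredential");
  if (!hasCredentials) missing.push("navigator.credentials");
  if (hasCredentials && !hasCreate) missing.push("navigator.credentials.create");
  if (hasCredentials && !hasGet) missing.push("navigator.credentials.get");

  // A login page cannot complete a security-key flow unless all four exist.
  return { supported: missing.length === 0, missing: missing };
}

// Human-readable verdict for the person diagnosing the login failure.
function summarize(win) {
  const result = detectWebAuthn(win);
  if (result.supported) {
    return "WebAuthn available: a hardware security key can be used by this login page";
  }
  return "WebAuthn missing (" + result.missing.join(", ") +
    "): a hardware security key cannot be used by this login page, " +
    "regardless of popup settings";
}

// Constructed stand-ins for the two situations discussed in the thread:
// an embedded view with no WebAuthn, and a full desktop browser.
const noWebAuthnView = { navigator: {} };
const fullBrowser = {
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { create: function () {}, get: function () {} } },
};

// In a real console you would call summarize(window) instead.
console.log(summarize(noWebAuthnView));
console.log(summarize(fullBrowser));
```

The probe only inspects what the page's JavaScript can see; it does not exercise a key. That is deliberate: if `PublicKeyCredential` is absent, no amount of popup configuration at the network-manager-openconnect level will let Duo reach the token, which is the point the comment makes.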

Revision history for this message
dwmw2 (dwmw2) wrote :
Revision history for this message
Jason Gunthorpe (jgunthorpe) wrote :

I don't think this is an openconnect issue? Or are you handling network manager issues there too? I see the Ubuntu patch was merged upstream since this was opened?

"External browser" would be nice, but IT says we can't turn it on, it needs some upgrade, and Cisco says not to use it:

 The saml external-browser command is for migration purposes for those upgrading to AnyConnect 4.6
 or later. Because of security limitations, use this solution only as part of a temporary migration
 while upgrading AnyConnect software. The command itself will be depreciated in the future.

Since the latest AnyConnect client on Windows got its integrated browser upgraded to Edge and now supports all security key flows, I'm not optimistic our deployment will ever enable it.

So what we really want to see is something like network-manager-openconnect that can support webauthn, with CTAP2 support, but that seems alarmingly hard :(

Revision history for this message
dwmw2 (dwmw2) wrote :

NetworkManager-openconnect issues would be at https://gitlab.gnome.org/GNOME/NetworkManager-openconnect but most of the hard thinking ends up on the openconnect side.

So what is the best solution here? The external browser mode is useful because we get the full feature set of Chrome/Firefox, and then the resulting SSO token is encrypted and passed back to the VPN client. But that HPKE encryption and the connection back over http://localhost:29786/ is kind of awful.

The embedded browser mode avoids that because we are in control, and we can see the token directly as we're running the browser within our own NM-openconnect authentication GUI process. But obviously it doesn't work for the openconnect CLI, as the external-browser mode does.

Should we (can we) implement a Firefox/Chrome plugin to exfiltrate cookies, which might give us a way to do this "embedded mode" with a *real* browser? Or should we just go and implement webauthn/CTAP2 support in WebKit?
