At the company where I work, they were supporting OTP devices with pulse-secure to connect through the VPN. However, they stopped that support and moved to what they call MFA (multi-factor authentication) connection through pulse-secure.
The known way to do it is to use the pulse-secure GUI, which before wasn't necessary, which starts a web interface to provide the company email and password, and then to provide an OTP through a yubikey OTP or through an MFA SW. I decided to use a yubikey OTP (funny though, I moved from one form of OTP to another). But I don't like using the GUI, starting from the fact that I need a graphical environment to use it, and with no proxy set, as opposed to before, where I first connected using a plain tty, and only after gaining connection I would start the graphical environment. Also, it makes me install the GUI dependencies, which I don't like either. And what's worse, there's a way to avoid having to launch the web interface, by using what in the company is called a class B digital badge, which is a personal certificate, but in order to use it, I need to install and use gnome-keyring, which I don't want, and I guess the need is to prevent storing plain text passwords, but there's no need for gnome-keyring at all, since the password can be asked any time one tries to connect...
At any rate, I do have my class B digital badge, and I know its password, so I guess there must be a way to use pulse-secure to use it and do the MFA without the need for the GUI. Any hints?
The way I used pulse-secure in the past was:
pulsesvc -h ${GATEWAY} -u ${USER} -p ${OATH_PASS} -r "OATH Passcode"
Where OATH_PASS was a combination of the OTH device pin plus its generated OTP.
Unfortunately, the help doesn't give any hint of the possibility of using any sort of certificates:
% pulsesvc --help
Usage examples:
pulsesvc -h host -u user -p passwd -r realm [-L log_level] [-g] [-U sign_in_url] [-y proxy] [-z proxy_port] [-s proxy_user] [-a proxy_password] [-d proxy_domain] [-I]
pulsesvc -v
pulsesvc -K
pulsesvc -H
Signin Options:
-h, -host: IVE hostname or IP
-u, -username: Username
-p, -password: User Password
-r, -realm: IVE signin realm
-P, -Port: Service Port
-U, -Url: IVE realm Signin URL
Proxy Options:
-y, -proxy: Proxy server hostname or IP
-z, -proxy-port: Proxy server port number
-s, -proxy-user: Proxy server username
-a, -proxy-pass: Proxy server password
-d, -proxy-domain: Proxy server domain
-I, -proxy-interactpass: Proxy server interactive password mode
Logging Options:
-L, -log-level: Logging level
0 : Log Critical messages only
1 : Log Critital and Error messages
2 : Log Critital, Error and Warning messages
3 : Log Critital, Error, Warning and Info messages (default)
4 : Log All Verbose messages
5 : Log All messages
Miscellaneous Options:
-v, -version: Print version information and quit
-g, -upload-log: Zip and upload logs to host
-K, -Kill: Kill all running ncsvc services
-H, -help: print usage information
If anyone is aware and can share on how to use the command line for this sort of MFA with pulse-secure, it'll be really appreciated.
If not possible, how to make the devs aware of this use case need?
Unfortunately I'm just a gnu/linux user from a vast majority of ms-windows users. I'm like no one to pay attention to by the company's IT team. So sad there's no way one can get feature requests visible to people that can take action.