On the company I work, they were supporting OTP devices with pulse-secure, to connect through the VPN. However they stopped that support and moved to what they call MFA (multi factor authenticatio) connection thorugh pulse-secure.
The known way to do it is to use the pulse-secure GUI, which before wasn't necessary, which starts a web interface to provide the company email and password, and then to provide an OTP thorugh a yubikey OTP or through a MFA SW. I decided to use a yubikey OTP (funny though, I moved from one form of OTP to another). But I don't like using the GUI, starting from the fact that I need a graphical environment to use it, and with no proxy set, as opposed to before, where I 1st connected using a plain tty, and only after gaining connection I would start the graphical environment. Also it makes me install the GUI dependencies which I don't like either. And what's worse, there's a way to avoid having to launch the web interface, by using what in the company is called a class B digital badge, which is a personal certificate, but in order to use it, I need to install and use gnome-keyring, which I don't want, and I guess the need is to prevent storing plain text passwords, but there's no need for gnome-keyring at all, since the password can be asked any time one tries to connect...
At any rate, I do have my class B digital badge, and I know its password, so I guess there must be a way to use pulse-secure to use it adn do the MFA withough the need for GUI. Any hints?
The way I used pulse-secure in the past was:
pulsesvc -h ${GATEWAY} -u ${USER} -p ${OATH_PASS} -r "OATH Passcode"
Where OATH_PASS was a combination of the OTH device pin plus its generated OTP.
Unfortunately the help doesn't give any hint of the posibility of using any sort of sertificates:
% pulsesvc --help
Usage examples:
pulsesvc -h host -u user -p passwd -r realm [-L log_level] [-g] [-U sign_in_url] [-y proxy] [-z proxy_port] [-s proxy_user] [-a proxy_password] [-d proxy_domain] [-I]
pulsesvc -v
pulsesvc -K
pulsesvc -H
Signin Options:
-h, -host: IVE hostname or IP
-u, -username: Username
-p, -password: User Password
-r, -realm: IVE signin realm
-P, -Port: Service Port
-U, -Url: IVE realm Signin URL
Proxy Options:
-y, -proxy: Proxy server hostname or IP
-z, -proxy-port: Proxy server port number
-s, -proxy-user: Proxy server username
-a, -proxy-pass: Proxy server password
-d, -proxy-domain: Proxy server domain
-I, -proxy-interactpass
roxy server interactive password mode
Logging Options:
-L, -log-level: Logging level
0 : Log Critical messages only
1 : Log Critital and Error messages
2 : Log Critital, Error and Warning messages
3 : Log Critital, Error, Warning and Info messages (default)
4 : Log All Verbose messages
5 : Log All messages
Miscellaneous Options:
-v, -version: Print version information and quit
-g, -upload-log: Zip and upload logs to host
-K, -Kill: Kill all running ncsvc services
-H, -help: print usage information
If anyone is aware and can share on how to use the command line for this sort of MFA with pulse-secure, it'll be really appreciated.
If not possible, how to make the devs aware of this use case need?
