On the company I work, they were supporting OTP devices with pulse-secure, to connect through the VPN.  However they stopped that support and moved to what they call MFA (multi factor authenticatio) connection thorugh pulse-secure.   The known way to do it is to use the pulse-secure GUI, which before wasn't necessary, which starts a web interface to provide the company email and password, and then to provide an OTP thorugh a yubikey OTP or through a MFA SW.  I decided to use a yubikey OTP (funny though, I moved from one form of OTP to another).  But I don't like using the GUI, starting from the fact that I need a graphical environment to use it, and with no proxy set, as opposed to before, where I 1st connected using a plain tty, and only after gaining connection I would start the graphical environment.  Also it makes me install the GUI dependencies which I don't like either.  And what's worse, there's a way to avoid having to launch the web interface, by using what in the company is called a class B digital badge, which is a personal certificate, but in order to use it, I need to install and use gnome-keyring, which I don't want, and I guess the need is to prevent storing plain text passwords, but there's no need for gnome-keyring at all, since the password can be asked any time one tries to connect... At any rate, I do have my class B digital badge, and I know its password, so I guess there must be a way to use pulse-secure to use it adn do the MFA withough the need for GUI.  Any hints?   The way I used pulse-secure in the past was:   pulsesvc -h ${GATEWAY} -u ${USER} -p ${OATH_PASS} -r "OATH Passcode"   Where OATH_PASS was a combination of the OTH device pin plus its generated OTP.   Unfortunately the help doesn't give any hint of the posibility of using any sort of sertificates: % pulsesvc --help Usage examples: pulsesvc -h host -u user -p passwd -r realm [-L log_level] [-g] [-U sign_in_url] [-y proxy] [-z proxy_port] [-s proxy_user] [-a proxy_password] [-d proxy_domain] [-I] pulsesvc -v pulsesvc -K pulsesvc -H Signin Options: -h, -host: IVE hostname or IP -u, -username: Username -p, -password: User Password -r, -realm: IVE signin realm -P, -Port: Service Port -U, -Url: IVE realm Signin URL Proxy Options: -y, -proxy: Proxy server hostname or IP -z, -proxy-port: Proxy server port number -s, -proxy-user: Proxy server username -a, -proxy-pass: Proxy server password -d, -proxy-domain: Proxy server domain -I, -proxy-interactpass:Proxy server interactive password mode Logging Options: -L, -log-level: Logging level 0 : Log Critical messages only 1 : Log Critital and Error messages 2 : Log Critital, Error and Warning messages 3 : Log Critital, Error, Warning and Info messages (default) 4 : Log All Verbose messages 5 : Log All messages Miscellaneous Options: -v, -version: Print version information and quit -g, -upload-log: Zip and upload logs to host -K, -Kill: Kill all running ncsvc services -H, -help: print usage information   If anyone is aware and can share on how to use the command line for this sort of MFA with pulse-secure, it'll be really appreciated.   If not possible, how to make the devs aware of this use case need? ... View more

Hi, currently the gnu/linux pulse-secure client depend on webkitgtk, which is based on webkit1.  Webkit1 is insecure and much consider it obsolete.  Actually it's removed from the Arch repos given how insecure it is.  The GTK alternative is using webkit2gtk, and there's also qt5-webkit, both mantained, under development and included in distros' repos.   Is there any reason for pulse-secure to still be built on top of and depend on webkitgtk?  Any way for devs to consider moving out of webkitgtk? ... View more