At the company where I work, they were supporting OTP devices with pulse-secure to connect through the VPN. However, they stopped that support and moved to what they call MFA (multi-factor authentication) connection through pulse-secure. The known way to do it is to use the pulse-secure GUI, which before wasn't necessary, which starts a web interface to provide the company email and password, and then to provide an OTP through a yubikey OTP or through an MFA SW. I decided to use a yubikey OTP (funny though, I moved from one form of OTP to another).

But I don't like using the GUI, starting from the fact that I need a graphical environment to use it, and with no proxy set, as opposed to before, where I first connected using a plain tty, and only after gaining connection would I start the graphical environment. Also, it makes me install the GUI dependencies, which I don't like either. And what's worse, there's a way to avoid having to launch the web interface, by using what in the company is called a class B digital badge, which is a personal certificate, but in order to use it, I need to install and use gnome-keyring, which I don't want. I guess the need is to prevent storing plain text passwords, but there's no need for gnome-keyring at all, since the password can be asked any time one tries to connect...

At any rate, I do have my class B digital badge, and I know its password, so I guess there must be a way to get pulse-secure to use it and do the MFA without the need for the GUI. Any hints?

The way I used pulse-secure in the past was:

    pulsesvc -h ${GATEWAY} -u ${USER} -p ${OATH_PASS} -r "OATH Passcode"

Where OATH_PASS was a combination of the OTH device pin plus its generated OTP.

Unfortunately, the help doesn't give any hint of the possibility of using any sort of certificates:

    % pulsesvc --help
    Usage examples:
      pulsesvc -h host -u user -p passwd -r realm [-L log_level] [-g] [-U sign_in_url] [-y proxy] [-z proxy_port] [-s proxy_user] [-a proxy_password] [-d proxy_domain] [-I]
      pulsesvc -v
      pulsesvc -K
      pulsesvc -H

    Signin Options:
      -h, -host: IVE hostname or IP
      -u, -username: Username
      -p, -password: User Password
      -r, -realm: IVE signin realm
      -P, -Port: Service Port
      -U, -Url: IVE realm Signin URL

    Proxy Options:
      -y, -proxy: Proxy server hostname or IP
      -z, -proxy-port: Proxy server port number
      -s, -proxy-user: Proxy server username
      -a, -proxy-pass: Proxy server password
      -d, -proxy-domain: Proxy server domain
      -I, -proxy-interactpass:Proxy server interactive password mode

    Logging Options:
      -L, -log-level: Logging level
        0 : Log Critical messages only
        1 : Log Critital and Error messages
        2 : Log Critital, Error and Warning messages
        3 : Log Critital, Error, Warning and Info messages (default)
        4 : Log All Verbose messages
        5 : Log All messages

    Miscellaneous Options:
      -v, -version: Print version information and quit
      -g, -upload-log: Zip and upload logs to host
      -K, -Kill: Kill all running ncsvc services
      -H, -help: print usage information

If anyone is aware of and can share how to use the command line for this sort of MFA with pulse-secure, it'll be really appreciated. If it's not possible, how do I make the devs aware of this use case need?