NetworkManager & PKCS#11 remoting
Lubomir Rintel
lkundrak at v3.sk
Mon Jun 20 13:50:24 UTC 2016
Hello,

I've been looking into utilizing p11-kit with NetworkManager's VPN
plugins (and wpa_supplicant in the future too). The p11-kit remoting
capability seems useful to connect the daemons with the tokens
accessible from the user session.

We're able to spawn a remoting agent in the user session and pass the
open file descriptor to the daemons, but there doesn't seem to be a way
to make the p11-kit or p11-kit-proxy users use that file handle. I've
got it working by passing the file descriptor number via an environment
variable [1] [2]; but perhaps there's a better way?

[1] https://github.com/NetworkManager/p11-kit/commit/e92db917.patch
[2] https://github.com/NetworkManager/p11-kit/commit/fcb5a24.patch

Another problem is that the p11-kit-remote tool needs a module name,
but the VPN daemon only knows the PKCS#11 URI. Would it make sense to
extend the tool to do the resolution as well? [3]

[3] https://github.com/NetworkManager/p11-kit/commit/254ae1a6.patch

If we get a good certificate picker from Tyagi, this would make it
considerably easier to comfortably use p11-kit for NetworkManager's
needs.

The overall design & the prototype are described here; I'm wondering if
it looks sane to you? https://bugzilla.gnome.org/show_bug.cgi?id=767872

The links to the patches are at the very bottom of the bug linked
above.

Lubo
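
The descriptor handoff described in the message above, as an added example that is not part of the original post or of the linked patches: the parent publishes an inherited socket's number in an environment variable, and the consumer validates it before use. The variable name `EXAMPLE_REMOTE_FD` and the functions `export_fd` and `import_fd` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
#define FD_ENV "EXAMPLE_REMOTE_FD" /* hypothetical name, not taken from the linked patches */

/* Parent side: let fd survive exec() and publish its number. */
int export_fd(int fd)
{
    char buf[16];
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0)
        return -1;
    snprintf(buf, sizeof buf, "%d", fd);
    return setenv(FD_ENV, buf, 1);
}

/* Consumer side: return a validated socket fd, or -1 if the variable is unusable. */
int import_fd(void)
{
    const char *s = getenv(FD_ENV);
    char *end;
    struct stat st;
    long n;
    int fd = -1;
    if (s == NULL) return -1;
    errno = 0;
    n = strtol(s, &end, 10);
    /* Reject empty input, trailing garbage, overflow, stdio fds and non-sockets. */
    if (errno == 0 && end != s && *end == '\0' && n > 2 && n <= INT_MAX &&
        fstat((int)n, &st) == 0 && S_ISSOCK(st.st_mode)) {
        fd = (int)n;
        fcntl(fd, F_SETFD, FD_CLOEXEC); /* do not leak it to further children */
    }
    unsetenv(FD_ENV); /* a stale number must not reach later processes */
    return fd;
}

int main(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || export_fd(sv[0]) < 0) return 1;
    return import_fd() == sv[0] ? 0 : 1;
}
```

The consumer treats the environment as untrusted input: a number that does not refer to an open socket is discarded instead of being handed to the RPC layer.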