Re: [strongSwan] Autorisation in vici?
Hi Michael,

in order to access the charon daemon via a vici UNIX socket you either must be root or, if capability dropping is enabled and a vpn group is defined, you must be a member of that vpn group. The latter case allows mortals to initiate and terminate connections without having root access to the configuration and secrets in swanctl.conf.

In principle the VICI interface could be configured as a TCP network socket via the charon.plugins.vici.socket option in strongswan.conf. But because no authentication is required and TLS is currently not available, we strongly advise against enabling vici network sockets.

Best regards

Andreas

On 17.12.2017 14:58, Michael Schwartzkopff wrote:
> Hi,
>
> is there any kind of authentication / authorization in the vici
> interface? Or does everybody that has access to the socket (or tcp
> socket) have full control over charon?
>
> I did not find anything in the docs.
>
> Kind regards,
>

--
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
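A local check for the two access paths described in the reply above, as an added example that is not part of the original thread and not strongSwan code: it looks up charon.plugins.vici.socket in strongswan.conf text, flags a TCP socket, and for a UNIX socket reports who holds write permission on the socket file. The function names, the simplified parser (one setting per line, no includes) and the sample configuration are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed strongswan.conf fragment (sample input, not from the thread).
SAMPLE_CONF = """
charon {
    plugins {
        vici {
            socket = tcp://0.0.0.0:4502
        }
    }
}
"""

def find_setting(conf_text, dotted_key):
    """Simplified lookup: one setting per line, includes are not followed."""
    path, found = [], None
    text = re.sub(r"#.*", "", conf_text)  # drop comments
    for tok in re.finditer(r"([\w.-]+)\s*\{|\}|([\w.-]+)\s*=\s*([^\n]*)", text):
        if tok.group(1):                      # "name {" opens a section
            path.append(tok.group(1))
        elif tok.group(2):                    # "key = value"
            if ".".join(path + [tok.group(2)]) == dotted_key:
                found = tok.group(3).strip().strip('"')
        elif path:                            # "}" closes a section
            path.pop()
    return found

def audit_vici_socket(conf_text, lstat=os.lstat):
    """Return findings about who can reach the vici control socket."""
    uri = find_setting(conf_text, "charon.plugins.vici.socket")
    if uri is None:
        return ["info: socket option not set, daemon default applies"]
    if uri.startswith("tcp://"):
        return [f"high: vici on {uri}: no authentication and no TLS"]
    if not uri.startswith("unix://"):
        return [f"info: unrecognised socket URI {uri}"]
    path = uri[len("unix://"):]
    try:
        st = lstat(path)
    except OSError:
        return [f"info: {path} not found (daemon not running?)"]
    findings = []
    # Connecting to a UNIX socket needs write permission on the socket file.
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"high: {path} is writable by every local user")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"info: members of gid {st.st_gid} can control charon")
    return findings or [f"ok: {path} is limited to uid {st.st_uid}"]
```

On a real host, pass the contents of strongswan.conf as `conf_text`; the default `lstat` then inspects the live socket file.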
Re: [strongSwan] Autorisation in vici?
Hi,

There's no authentication in VICI.

Kind regards

Noel

On 17.12.2017 14:58, Michael Schwartzkopff wrote:
> Hi,
>
> is there any kind of authentication / authorization in the vici
> interface? Or does everybody that has access to the socket (or tcp
> socket) have full control over charon?
>
> I did not find anything in the docs.
>
> Kind regards,
>
[strongSwan] Autorisation in vici?
Hi,

is there any kind of authentication / authorization in the vici interface? Or does everybody that has access to the socket (or tcp socket) have full control over charon?

I did not find anything in the docs.

Kind regards,

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein