On Tue, 1 Dec 2020, Anthony DeRobertis wrote:

 How are you getting the XAUTH password into pluto? There are three
 methods. One is via a secrets file with XAUTH entry. The second is
 via ipsec whack --initiate --name XXX --xauthpass PASSWORD, and the
 third is via ipsec whack --initiate without --xauthpass and waiting
 for the whack prompt and then typing it in.

Ah! I think that's the confusion. Libreswan is the XAUTH server,
accepting the XAUTH password from the client. That's how the "password"
is coming in to Libreswan. Libreswan verifies it via PAM
(xauthby=pam), then is patched to pass it along to the updown script.

Oh of course....

So in that case, I think we should perhaps just call it:

ikev1-xauthpass-updown=yes|no

And just call it XAUTH_PASSWD= without wrapping it in a "session id"
type of name, which seems specific to your setup? For good measure,
I would probably ignore this keyword when running in FIPS mode.

 Okay. So let's add it but then we should also cover some other cases
 such as the DPD RESTART event, received delete from peer, and received
 delete from administrator as reasons, and use a little more generic
 named variable. It should probably go into c->temp_vars, so that any
 instantiating of the connection wouldn't accidentally copy the reason.


Sounds good. I'll work on updating it (which may take me a bit with
other work and I'm new to the Libreswan code base).

Sure, just ping me when you have an update.

Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev
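To make the updown-script side of this proposal concrete, here is an added example of a POSIX shell hook that consumes the password under the variable name proposed in the thread (XAUTH_PASSWD, gated by a keyword such as the suggested ikev1-xauthpass-updown=yes). It is not Libreswan's own code and not from either poster. It assumes pluto exports PLUTO_VERB, PLUTO_PEER_ID and PLUTO_XAUTH_USERNAME to the hook the way libreswan's existing updown interface does; XAUTH_PASSWD itself, the state directory, the return codes and the FIPS flag file are assumptions made for the illustration, the last one following the suggestion above to ignore the password in FIPS mode.

```shell
#!/bin/sh
# Added example, not Libreswan's own updown script. Consumes the proposed
# XAUTH_PASSWD variable on up-client, stores it for the session with
# restrictive permissions, and removes it again on down-client.
# Assumed from libreswan's updown interface: PLUTO_VERB, PLUTO_PEER_ID,
# PLUTO_XAUTH_USERNAME. Hypothetical (from the thread's proposal): XAUTH_PASSWD.

# Where per-session credential files are written; overridable for testing.
XAUTH_STATE_DIR="${XAUTH_STATE_DIR:-/run/pluto/xauth-sessions}"
# FIPS indicator; the thread suggests ignoring the password in FIPS mode.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

fips_enabled() {
    [ -r "$FIPS_FLAG_FILE" ] && [ "$(cat "$FIPS_FLAG_FILE" 2>/dev/null)" = "1" ]
}

# Map the peer ID to a filesystem-safe file name (anything unusual becomes _).
session_file() {
    printf '%s/%s\n' "$XAUTH_STATE_DIR" \
        "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._@-' '_')"
}

# Hook entry point. Returns 0 when handled, 2 when the password was
# deliberately ignored (FIPS mode or no password supplied), 1 when a
# required pluto variable is missing.
xauth_updown() {
    case "${PLUTO_VERB:-}" in
    up-client)
        [ -n "${PLUTO_PEER_ID:-}" ] || return 1
        if fips_enabled; then
            unset XAUTH_PASSWD
            return 2
        fi
        [ -n "${XAUTH_PASSWD:-}" ] || return 2
        f=$(session_file "$PLUTO_PEER_ID")
        # Write via printf in a subshell with umask 077: the secret is never
        # a command-line argument (visible in ps), never echoed, and the
        # directory and file end up 0700/0600.
        ( umask 077
          mkdir -p "$XAUTH_STATE_DIR"
          printf 'user=%s\npass=%s\n' "${PLUTO_XAUTH_USERNAME:-}" "$XAUTH_PASSWD" > "$f" )
        # Drop the secret from the environment once it has been consumed so
        # nothing executed later in this hook inherits it.
        unset XAUTH_PASSWD
        ;;
    down-client)
        [ -n "${PLUTO_PEER_ID:-}" ] || return 1
        rm -f "$(session_file "$PLUTO_PEER_ID")"
        ;;
    esac
    return 0
}

# When pluto executes this file directly, run the hook on the exported
# environment. With no PLUTO_VERB set this is a no-op.
xauth_updown
```

The session file is the only place the password lands: it is written by printf rather than passed to another program as an argument, so it stays out of ps output and shell traces, and the variable is unset as soon as it has been stored. A real hook would also want to clean up on the DPD-restart and received-delete events mentioned above, which this sketch folds into down-client.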