FYI, the code uses popen(), which execs: /bin/sh -c ...TELMATE_SESSION_KEY=... so anyone with local access can potentially see the key.
On Mon, 30 Nov 2020 at 13:42, Anthony DeRobertis <[email protected]> wrote:
>
> Quick background, on our client devices, authentication is done via a
> separate program, which returns a session ID. Our clients then their
> client ID & that session ID via IKEv1 xauth, as the username and
> "password". We need to get it passed out of Libreswan to track session
> up/down, and so (locally) we've patched Libreswan to add the "password"
> to the updown script environment.
>
> Our local patch isn't something that can be upstreamed, but I'm
> wondering if a cleaned up version, controlled by a config option
> (default do not export it, of course), could be.
>
> https://github.com/Telmate/libreswan/commit/1f5cd32f22e00ef6ce7ce091977079b2fc15975f
>
> We also track if the connection was shut down due to Libreswan's DPD
> detecting the client dead, and export that to the updown script as well:
>
> https://github.com/Telmate/libreswan/commit/960533723fb6c7666636251679ddf22195a2e1b2
>
>
> This electronic mail transmission is intended for the use of the individual
> or entity to which it is addressed and may contain confidential information
> belonging to the sender. If you have received this transmission in error,
> please notify the sender immediately and delete the original message. Unless
> explicitly noted above, this e-mail should not, in any way, be considered
> evidence of the sender’s intent to be bound to any agreement.
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
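The point raised in the reply above deserves a concrete look. libreswan's updown invocation (do_command() in pluto) builds one shell command string of NAME='value' assignments followed by the script path and hands it to popen(), i.e. /bin/sh -c "<string>". Anything spliced into that string, such as the xauth "password" the patch exports, becomes the shell's argv and is readable by every local user through /proc/<pid>/cmdline (ps -ef) for as long as the shell lives. Passing the value only in the environment of a directly exec'd child keeps it out of argv: Linux exposes envp through /proc/<pid>/environ, which is readable only by the process owner and root. Because the value is client-supplied, it also has to be quoted for the shell if it is ever placed in a command string. The following is an added example written for this note, not libreswan's or Telmate's code; the script paths, the connection name and the variable name TELMATE_SESSION_KEY are assumptions for illustration, and the secret is a constructed sample:

```c
/* Added example, not libreswan or Telmate code.  Two ways a daemon can hand a
 * per-session secret to an updown script, plus a check for where it ends up.
 * Paths and the variable name TELMATE_SESSION_KEY are assumed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wrap a client-supplied value in single quotes for /bin/sh, turning each
 * embedded ' into '\'' so the value cannot terminate the quoting.  Returns the
 * number of bytes written (excluding the NUL) or -1 if buf is too small. */
int shell_single_quote(char *buf, size_t len, const char *value)
{
    size_t n = 0;
    if (n + 1 >= len) return -1;
    buf[n++] = '\'';
    for (const char *p = value; *p; p++) {
        if (*p == '\'') {
            if (n + 4 >= len) return -1;
            memcpy(buf + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= len) return -1;
            buf[n++] = *p;
        }
    }
    if (n + 2 > len) return -1;
    buf[n++] = '\'';
    buf[n] = '\0';
    return (int)n;
}

/* popen() style: one command string of assignments followed by the script,
 * in the shape libreswan's do_command() uses (the leading 2>&1 captures
 * stderr along with stdout).  popen() runs /bin/sh -c "<buf>", so the whole
 * string, secret included, is the shell's argv and shows up in ps. */
int build_popen_command(char *buf, size_t len, const char *script,
                        const char *conn, const char *secret)
{
    char qconn[256], qsecret[256];
    if (shell_single_quote(qconn, sizeof qconn, conn) < 0 ||
        shell_single_quote(qsecret, sizeof qsecret, secret) < 0)
        return -1;
    int n = snprintf(buf, len, "2>&1 PLUTO_CONNECTION=%s TELMATE_SESSION_KEY=%s %s",
                     qconn, qsecret, script);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Would the command line handed to /bin/sh expose the secret? */
bool secret_in_argv(const char *cmd, const char *secret)
{
    return strstr(cmd, secret) != NULL;
}

/* fork()/execve() style: argv holds only the script path; the secret is
 * placed in envp alone, so it is absent from /proc/<pid>/cmdline and only
 * visible in /proc/<pid>/environ (owner and root).  Returns the script's exit
 * status, 127 if it could not be executed, or -1 on a fork/wait error. */
int run_updown_execve(const char *script, const char *conn, const char *secret)
{
    char conn_kv[300], key_kv[300];
    snprintf(conn_kv, sizeof conn_kv, "PLUTO_CONNECTION=%s", conn);
    snprintf(key_kv, sizeof key_kv, "TELMATE_SESSION_KEY=%s", secret);
    char *argv[] = { (char *)script, NULL };
    char *envp[] = { conn_kv, key_kv, "PATH=/usr/bin:/bin", NULL };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(script, argv, envp);   /* no shell, no command string */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *secret = "s3ss10n-id-from-xauth";   /* constructed sample */
    char cmd[1024];
    build_popen_command(cmd, sizeof cmd, "/etc/ipsec.d/updown", "client-42", secret);
    printf("popen() would run: /bin/sh -c \"%s\"\n", cmd);
    printf("secret visible in shell argv: %s\n", secret_in_argv(cmd, secret) ? "yes" : "no");
    /* Direct exec with /bin/true standing in for the updown script. */
    int rc = run_updown_execve("/bin/true", "client-42", secret);
    printf("execve() stand-in exit status: %d (secret only in environ)\n", rc);
    return 0;
}
```

Even the execve() variant only narrows the exposure: the environment is inherited by every process the script spawns and lands in core dumps, so a design that must keep the session ID private would rather pass it over a pipe or inherited file descriptor the script reads once.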
