Hi Paul,

Searching in the code, I got the value from the environment in the
do_pam_authentication function using

pam_getenv(pamh, "Framed-IP-Address");

but now I don't know how to pass it to the xauth result.


So far my changes are:

diff --git a/programs/pluto/pam_conv.c b/programs/pluto/pam_conv.c
index a9a01a7..c661113 100644
--- a/programs/pluto/pam_conv.c
+++ b/programs/pluto/pam_conv.c
@@ -168,6 +168,10 @@ bool do_pam_authentication(struct pam_thread_arg *arg)
                        break;
                log_pam_step(arg, what);
 
+               // get attribute Framed-IP-Address from environment 
+               arg->addresspool = pam_getenv(pamh, "Framed-IP-Address");
+               log_pam_step(arg, what);
+
                /* success! */
                pam_end(pamh, PAM_SUCCESS);
                return TRUE;
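Review bot: arg->addresspool keeps the pointer returned by pam_getenv(), and pam_end(pamh, PAM_SUCCESS) runs right after it and releases the handle's environment, so the caller is left with a dangling pointer. Copy the string before pam_end() and free the copy when the pam_thread_arg is released. pam_getenv() returns NULL when the variable is not set, so handle the case where the RADIUS reply carried no Framed-IP-Address, and parse the value as an IP address before it is used for the client, since it originates outside pluto. The second log_pam_step(arg, what) repeats the previous step's message because `what` is unchanged; set `what` for this step or drop the call. The // comment should use the /* */ style of the surrounding code.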
diff --git a/programs/pluto/pam_conv.h b/programs/pluto/pam_conv.h
index 5fe3c1e..5dc0e2a 100644
--- a/programs/pluto/pam_conv.h
+++ b/programs/pluto/pam_conv.h
@@ -24,6 +24,7 @@ struct pam_thread_arg {
        so_serial_t st_serialno;
        unsigned long c_instance_serial;
        const char *atype;  /* string XAUTH or IKEv2 */
+       const char *addresspool;
 };
 
 extern bool do_pam_authentication(struct pam_thread_arg *arg);
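Review bot: the new addresspool member has no comment, unlike atype above it, and its name suggests a pool while the pam_conv.c hunk stores a single Framed-IP-Address string in it. Document what the field holds and who owns the memory. If it becomes a heap copy that pluto frees, const char * is the wrong type, and a name that says it is one address (for example framed_ip, as a suggestion) would describe it better.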


Thanks,



> On 24 Mar 2020, at 13:53, António Silva <[email protected]> wrote:
> 
> Hi Paul,
> 
> I’m trying to make it possible to use the frame_ip_address from 
> pam_radius_auth; right now I set the framed_ip_address as an environment 
> variable.
> Do you think that libreswan could use this variable and set this IP address 
> for the authenticated user?
> 
> This is my log:
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: 
> XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: 
> XAUTH: PAM authentication method requested to authenticate user 'user'
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Got user name user
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: ignore last_pass, 
> force_prompt set
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Sending RADIUS 
> request code 1
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: DEBUG: 
> get_ipaddr(127.0.0.1) returned 0.
> Mar 24 03:46:38 commsmundi radiusd[3081]: (14) Login OK: [user/1234] (from 
> client nas01 port 13754 cli 192.168.10.188)
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Got RADIUS response 
> code 2
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: Set PAM environment 
> variable : Framed-IP-Address=192.168.20.2
> Mar 24 03:46:38 commsmundi pluto[13754]: pam_radius_auth: authentication 
> succeeded
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: 
> PAM: #25: completed for user 'user' with status SUCCESSS
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: 
> XAUTH: User user: Authentication Successful
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: 
> XAUTH: xauth_inR1(STF_OK)
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: 
> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY 
> cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
> Mar 24 03:46:38 commsmundi pluto[2803]: "tunnel1"[12] 192.168.10.188 #25: 
> modecfg_inR0(STF_OK)
> 
> 
> Thanks,
> António
> 
> 
>> On 15 Nov 2015, at 10:49, Paul Wouters <[email protected]> wrote:
>> 
>> On Fri, 13 Nov 2015, François wrote:
>> 
>>> Do you think it is possible with a tweak in current PAM authentication (not 
>>> sure if PAM can send back parameters received by RADIUS), or would it 
>>> require Libreswan to support RADIUS?
>>> 
>>> Not sure how all this works, but I'm willing to try to make a patch for 
>>> that if it's not too complex!
>> 
>> I guess it might be possible with pam_radius support? If you can figure
>> out those parts, we can help with getting the IP address from the pam
>> module back into the connection instance.
>> 
>> Paul
>> _______________________________________________
>> Swan mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan
> 