On 1.2.2022. 2:53, Paul Wouters wrote:
> On Fri, 28 Jan 2022, Mirsad Goran Todorovac wrote:
>> Thank you, PLUTO_PEER_ID was exactly what I wanted, and it wasn't
>> documented ;-)
>> Could I possibly log which certificate was used when the IKEv2
>> connection was established?
> Yes, if you check the _updown script you should see all the environment
> variables we pass into it from our pluto daemon. Or you can check the
> function jam_common_shell_out() in programs/pluto/kernel.c (we might
> have not always updated the _updown env variables comments there)
This was very useful advice. Don't worry about the script not being
updated; nobody throws away a gem because it was not polished :-)
I've updated the variable list:
https://github.com/libreswan/libreswan/commit/beb07948532b6a0a9ff3435f21c44e6e62f1f596
I could also contribute my work on modifying pam_url to make it do a
passwordless auth based on an authorization file lookup:
[1] https://domac.alu.hr/~mtodorov/contrib/pam_url_0.3.3.mod.diff
[2] PHP authorization script: https://domac.alu.hr/~mtodorov/contrib/myauth.php.txt
[3] sample /usr/local/etc/vpn-ikev2-authorized file: https://domac.alu.hr/~mtodorov/contrib/vpn-ikev2-authorized
... because otherwise it will not work (pam_url would ask for a password
or auth token when the client is authenticated via certificate and there
is no EAP/MS-CHAP v2).
So, the user is authenticated via cert, but he can be blacklisted in the
authorization file. In fact, he must be whitelisted to be authorized in
the PAM auth pass.
Hope this helps someone.
Kind regards,
Mirsad
--
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
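Added example (not code from the post, from libreswan's _updown, or from the pam_url patch linked above): a small POSIX sh hook showing the two things discussed in the thread, logging the peer identity that pluto hands to _updown and doing a whitelist lookup against an authorized-peers file. It assumes pluto exports PLUTO_VERB, PLUTO_CONNECTION, PLUTO_PEER and PLUTO_PEER_ID to the script (the variable list Paul points at; PLUTO_PEER_ID carries the peer's configured ID, which for certificate auth is typically the certificate DN or a SAN). The file format (one peer ID per line, `#` comments) and the sample entries are constructed for this example and are not necessarily the format of the vpn-ikev2-authorized file linked above. The block only logs and looks up; it does not claim that a non-zero _updown exit status rejects the SA, which is why the post enforces the decision in PAM instead.

```shell
#!/bin/sh
# Example _updown-style hook: log the peer identity and consult a whitelist.
# Added example; assumes pluto's environment variables listed in the lead-in.

AUTHORIZED_FILE="${AUTHORIZED_FILE:-/usr/local/etc/vpn-ikev2-authorized}"

# Build one log line for the current event from pluto's environment. In a
# real hook you would pipe this to logger(1); here it is returned on stdout.
peer_log_line() {
    printf 'ikev2 %s conn=%s peer=%s peer_id=%s\n' \
        "${PLUTO_VERB:-?}" "${PLUTO_CONNECTION:-?}" \
        "${PLUTO_PEER:-?}" "${PLUTO_PEER_ID:-?}"
}

# Whitelist lookup: succeed only when $1 appears as a whole line in file $2.
# Comment and blank lines are ignored; the match is a fixed-string, full-line
# comparison so DNs containing commas, spaces or regex metacharacters cannot
# be matched by a partial or crafted ID. Empty IDs and unreadable files deny.
peer_authorized() {
    id=$1
    file=$2
    [ -n "$id" ] || return 1
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | grep -Fxq -e "$id"
}

# Constructed sample whitelist (not the file from the post), one ID per line
# exactly as PLUTO_PEER_ID reports it.
SAMPLE_AUTH=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH"' EXIT
cat >"$SAMPLE_AUTH" <<'EOF'
# one peer ID per line, exactly as PLUTO_PEER_ID reports it
C=HR, O=Example Faculty, CN=alice
@bob.vpn.example
EOF

# Deny-by-default decision for a given peer ID against the sample file.
decide() {
    if peer_authorized "$1" "$SAMPLE_AUTH"; then
        echo allow
    else
        echo deny
    fi
}

# When invoked by pluto (PLUTO_VERB set), log the event and the decision.
if [ -n "${PLUTO_VERB:-}" ]; then
    printf '%s decision=%s\n' "$(peer_log_line)" "$(decide "${PLUTO_PEER_ID:-}")"
fi
```

Installed as a custom updown script (libreswan's `leftupdown=` option points the connection at it), the hook runs once per event, so a `conn=`/`peer_id=` line is written for every up-client and down-client and the whitelist result sits next to it in syslog.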
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan