On Sun, 6 Feb 2022, Mirsad Goran Todorovac wrote:
> The passwordless authentication over pam_url used with IKEv2 with the certificates was considered a source of brute force attacks and a dangerous module to implement for it could allow everyone to access the system if accidentally left as the only and sufficient module in PAM stack.
You can't really brute force the certificate validation part. The pam module is just an _additional_ restriction that can restrict an otherwise validated certificate. It is never even called for invalid, bad or revoked certificates as the connection is rejected before the pam phase due to the failed verification.
> So, the main question appears to be if there is a smarter way of preventing brute force replay attacks
IKE has built-in protection against replay attacks. Both sides use a nonce for different connection attempts. So it is always different and there is no replaying possible.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
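The replay property Paul describes, as an added toy model that is not libreswan code and not the IKEv2 protocol itself. It keeps only the one mechanism from the thread: each side contributes a fresh random nonce to every exchange, and the authentication value binds both nonces, so an AUTH payload captured from one exchange does not verify in a later one. Everything else is my assumption: a shared secret stands in for the certificate-based proof, HMAC-SHA256 stands in for the real AUTH computation, and messages are plain dicts. A second responder with nonce reuse switched on shows why the freshness of Nr is what carries the guarantee.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the peer's certificate/key proof; not libreswan's AUTH.
SHARED_SECRET = b"constructed-demo-secret"


def auth_payload(secret, ni, nr, role):
    """AUTH binds both nonces, so it only verifies inside the exchange that produced them."""
    return hmac.new(secret, ni + nr + role, hashlib.sha256).digest()


class Responder:
    """Responder side of the toy exchange (assumed structure, not IKEv2's)."""

    def __init__(self, fresh_nonce_per_exchange=True):
        # fresh_nonce_per_exchange=False models the broken case where Nr is reused.
        self.fresh = fresh_nonce_per_exchange
        self.nr = None

    def reply_to_init(self, ni):
        """Message 2: answer the initiator's nonce Ni with our own nonce Nr."""
        if self.fresh or self.nr is None:
            self.nr = secrets.token_bytes(32)
        return {"nr": self.nr}

    def handle_auth(self, msg):
        """Message 3: recompute AUTH with OUR current Nr, never with a value the sender supplies."""
        expected = auth_payload(SHARED_SECRET, msg["ni"], self.nr, b"initiator")
        return hmac.compare_digest(expected, msg["auth"])


def initiator_exchange(responder):
    """Run one honest exchange; return the AUTH message and whether it verified."""
    ni = secrets.token_bytes(32)                       # message 1: initiator nonce
    msg2 = responder.reply_to_init(ni)                 # message 2: responder nonce
    msg3 = {"ni": ni, "auth": auth_payload(SHARED_SECRET, ni, msg2["nr"], b"initiator")}
    return msg3, responder.handle_auth(msg3)


def replay_captured_auth(responder, captured_msg3):
    """Resend a previously captured message 3 in a new exchange and report whether it verifies."""
    responder.reply_to_init(captured_msg3["ni"])       # new exchange: responder picks Nr again
    return responder.handle_auth(captured_msg3)


if __name__ == "__main__":
    good = Responder()
    m3, ok = initiator_exchange(good)
    print("honest exchange verified:", ok)                              # True
    print("replay against fresh-nonce responder:", replay_captured_auth(good, m3))  # False

    reused = Responder(fresh_nonce_per_exchange=False)
    m3b, okb = initiator_exchange(reused)
    print("replay against nonce-reusing responder:", replay_captured_auth(reused, m3b))  # True
```

The check that matters is in `handle_auth`: the responder derives the expected value from the nonce it generated for the current exchange, so a captured message carries a stale Nr binding and fails. With `fresh_nonce_per_exchange=False` the same captured message verifies again, which is the property a nonce-reusing implementation would lose.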
