Hi Michael, in order to access the charon daemon via a vici UNIX socket you either must be root or if capability dropping is enabled and a vpn group is defined, you must be member of that vpn group.
The latter case allows mortals to initiate and terminate connections without having root access to the configuration and secrets in swanctl.conf.

In principle the VICI interface could be configured as a TCP network socket via the charon.plugins.vici.socket option in strongswan.conf. But because no authentication is required and TLS is currently not available we strongly advise against enabling vici network sockets.

Best regards

Andreas

On 17.12.2017 14:58, Michael Schwartzkopff wrote:
> Hi,
>
> is there any kind of authentication / authorization in the vici
> interface? Or does everybody that has access to the socket (or tcp
> socket) have full control over charon?
>
> I did not find anything in the docs.
>
> Kind regards,
> --

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
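As an added illustration of the two points above (not code from the thread or from the strongSwan project): a small audit that flattens a strongswan.conf fragment into dotted keys, flags a charon.plugins.vici.socket set to a tcp:// URL, and checks that a UNIX vici socket is not reachable by everyone. The two config fragments are constructed samples, the parser assumes one section header or setting per line, and the default socket path is taken from the common packaging default, which may differ on a given system.

```python
import os
import stat

# Constructed sample: the network socket Andreas advises against.
WEAK_CONF = """
charon {
    load_modular = yes
    plugins {
        vici {
            # reachable over the network: no authentication, no TLS
            socket = tcp://0.0.0.0:4502
        }
    }
}
"""

# Constructed sample: the UNIX socket, guarded by root or the vpn group.
SAFE_CONF = """
charon {
    plugins {
        vici {
            socket = unix:///var/run/charon.vici
        }
    }
}
"""

def parse_strongswan_conf(text):
    """Flatten strongswan.conf's nested `section { key = value }` syntax
    into dotted keys such as charon.plugins.vici.socket (one item per line)."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())    # enter a section
        elif line == "}":
            path.pop()                        # leave a section
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[".".join(path + [key])] = value
    return settings

def audit_vici_socket(text):
    """Return findings for the VICI socket setting in a strongswan.conf text."""
    socket_url = parse_strongswan_conf(text).get(
        "charon.plugins.vici.socket", "unix:///var/run/charon.vici")
    if socket_url.startswith("tcp://"):
        return ["VICI listens on a TCP socket (%s): unauthenticated, no TLS" % socket_url]
    return []

def audit_socket_file(path):
    """Flag a UNIX vici socket that any local user could connect to
    (world-writable), bypassing the root-or-vpn-group rule."""
    st = os.stat(path)
    if stat.S_ISSOCK(st.st_mode) and st.st_mode & stat.S_IWOTH:
        return ["%s is world-writable: every local user can drive charon" % path]
    return []
```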