[Swan-dev] Passing xauth password, DPD status to updown script

Anthony DeRobertis anthony.derobertis at gtl.net
Tue Dec 1 14:56:58 UTC 2020


On 11/30/20 7:36 PM, Paul Wouters wrote:
>
> How are you getting the XAUTH password into pluto? There are three
> methods. One is via a secrets file with an XAUTH entry. The second is
> via ipsec whack --initiate --name XXX --xauthpass PASSWORD, and the
> third is via ipsec whack --initiate without --xauthpass, waiting
> for the whack prompt and then typing it in.

Ah! I think that's the confusion. Libreswan is the XAUTH server,
accepting the XAUTH password from the client. That's how the "password"
is coming in to Libreswan. Libreswan verifies it via PAM
(xauthby=pam), and is patched to pass it along to the updown script.


> Okay. So let's add it, but then we should also cover some other cases
> such as the DPD RESTART event, received delete from peer, and received
> delete from administrator as reasons, and use a more generically
> named variable. It should probably go into c->temp_vars, so that
> instantiating the connection wouldn't accidentally copy the reason.


Sounds good. I'll work on updating it (which may take me a bit, as I have
other work and I'm new to the Libreswan code base).


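As an added illustration of the consumer side of what the thread is discussing, the following is a hypothetical updown hook, written for this page and not libreswan's own _updown script, that records XAUTH session up/down events together with a disconnect reason. PLUTO_VERB, PLUTO_CONNECTION, PLUTO_PEER and PLUTO_XAUTH_USERNAME are variables pluto really exports to updown scripts; PLUTO_DOWN_REASON and PLUTO_XAUTH_PASSWORD are assumed placeholder names for what the patch under discussion might export (no such variables exist in libreswan as of this thread), and the reason values and STATE_DIR location are likewise assumptions. The point the example makes is the one a practitioner should care about once a password reaches the updown script: the record is built without the password, and a final check refuses to write anything that contains it verbatim, because updown output usually ends up in syslog.

```shell
#!/bin/sh
# Added example, not libreswan's own _updown script: an updown hook that
# records XAUTH session up/down events together with a disconnect reason.
#
# Really exported by pluto to updown scripts: PLUTO_VERB (up-client,
# down-client, ...), PLUTO_CONNECTION, PLUTO_PEER, PLUTO_XAUTH_USERNAME.
# Assumed for this example (no such variables exist in libreswan today;
# the names are placeholders for whatever the patch ends up exporting):
#   PLUTO_DOWN_REASON     why the SA went down (dpd-restart, peer-delete,
#                         admin-delete, ...)
#   PLUTO_XAUTH_PASSWORD  the client's XAUTH password
STATE_DIR="${STATE_DIR:-/run/xauth-sessions}"   # assumed location

# Fold the raw reason into a fixed vocabulary so consumers never parse
# free text. Unset or empty (e.g. an older pluto) becomes "unknown".
normalize_reason() {
    case "${1:-}" in
        dpd*|DPD*)                       echo dpd ;;
        peer-delete|delete-from-peer)    echo peer-delete ;;
        admin-delete|delete-from-admin)  echo admin-delete ;;
        '')                              echo unknown ;;
        *)                               echo other ;;
    esac
}

# Render one accounting line for a verb. Only up-client/down-client
# produce output; other verbs return 1 so the caller can skip them.
# The password is deliberately not a parameter: updown output usually
# lands in syslog, where the secret would be readable long after the SA.
render_record() {
    verb=$1 conn=$2 user=$3 peer=$4 reason=$5
    case "$verb" in
        up-client)
            printf 'event=up conn=%s user=%s peer=%s\n' "$conn" "$user" "$peer" ;;
        down-client)
            printf 'event=down conn=%s user=%s peer=%s reason=%s\n' \
                "$conn" "$user" "$peer" "$(normalize_reason "$reason")" ;;
        *)
            return 1 ;;
    esac
}

# Last line of defence before anything is written: does the record
# contain the password verbatim? Returns 0 (true) if it does.
contains_secret() {
    [ -z "$2" ] && return 1
    case "$1" in
        *"$2"*) return 0 ;;
    esac
    return 1
}

main() {
    record=$(render_record "${PLUTO_VERB:-}" "${PLUTO_CONNECTION:-}" \
        "${PLUTO_XAUTH_USERNAME:-}" "${PLUTO_PEER:-}" \
        "${PLUTO_DOWN_REASON:-}") || return 0
    if contains_secret "$record" "${PLUTO_XAUTH_PASSWORD:-}"; then
        echo "updown: refusing to write a record containing the XAUTH password" >&2
        return 1
    fi
    mkdir -p "$STATE_DIR" || return 1
    printf '%s\n' "$record" >> "$STATE_DIR/sessions.log"
}

# pluto always sets PLUTO_VERB; when sourced or run without it, do nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    main "$@"
fi
```

Because the script is invoked once per verb and per connection instance, the reason variable is only meaningful on the down-* verbs; a script that wants to survive both old and new pluto versions should treat an unset reason as "unknown" rather than fail, which is what normalize_reason does above.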

