[Swan-dev] Passing xauth password, DPD status to updown script
Paul Wouters
paul at nohats.ca
Tue Dec 1 15:20:21 UTC 2020
On Tue, 1 Dec 2020, Anthony DeRobertis wrote:
>> How are you getting the XAUTH password into pluto? There are three
>> methods. One is via a secrets file with XAUTH entry. The second is
>> via ipsec whack --initiate --name XXX --xauthpass PASSWORD. and the
>> third is via ipsec whack --initiate without --xauthpass and waiting
>> for the whack prompt and then type it in.
>
> Ah! I think that's the confusion. Libreswan is the XAUTH server,
> accepting the XAUTH password from the client. That's how the "password"
> is coming in to Libreswan. Libreswan verifies them via PAM
> (xauthby=pam), then is patched to pass it along to the updown script.
Oh of course....
So in that case, I think we should perhaps just call it:
ikev1-xauthpass-updown=yes|no
And just call it XAUTH_PASSWD= without wrapping it in a "session id"
type of name, which seems specific to your setup? For good measure,
I would probably ignore this keyword when running in FIPS mode.
>> Okay. So let's add it but then we should also cover some other cases
>> such as the DPD RESTART event, received delete from peer, and received
>> delete from administrator as reasons, and use a little more generic
>> named variable. It should probably go into c->temp_vars, so that any
>> instantiating of the connection wouldn't accidentally copy the reason.
>
>
> Sounds good. I'll work on updating it (which may take me a bit with
> other work and I'm new to the Libreswan code base).
Sure, just ping me when you have an update.
Paul
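An added example, not code from this thread or from libreswan, showing how an updown hook could consume the proposed XAUTH_PASSWD variable without exposing it on a command line or in logs; it assumes pluto exports XAUTH_PASSWD alongside the usual PLUTO_VERB and PLUTO_CONNECTION updown variables, and register_session is a constructed placeholder for whatever backend needs the credential:

```shell
#!/bin/sh
# Constructed example: minimal updown hook handling the proposed XAUTH_PASSWD.
# Assumed environment (from pluto): PLUTO_VERB, PLUTO_CONNECTION, XAUTH_PASSWD.

# Placeholder backend: takes the secret on stdin so it never appears in argv
# (argv is visible to every local user via ps and lands in audit logs).
# $1 = connection name. Reports only the length, never the value.
register_session() {
    IFS= read -r secret
    printf 'registered %s (%d chars)\n' "$1" "${#secret}"
}

# Act only on the client-up event; no other verb needs the password.
# Returns 0 when handled, 1 when the verb is skipped, 2 when the variable
# is missing (e.g. the keyword is off or pluto runs in FIPS mode).
handle_updown() {
    case "${PLUTO_VERB:-}" in
        up-client) ;;
        *) return 1 ;;
    esac
    if [ -z "${XAUTH_PASSWD:-}" ]; then
        # Log the absence, not the value.
        echo "updown: XAUTH_PASSWD not set for ${PLUTO_CONNECTION:-?}" >&2
        return 2
    fi
    printf '%s\n' "$XAUTH_PASSWD" | register_session "${PLUTO_CONNECTION:-unknown}"
    # Drop the secret so later commands in this script cannot inherit it.
    unset XAUTH_PASSWD
    return 0
}
```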