[Swan-dev] Passing xauth password, DPD status to updown script

Paul Wouters paul at nohats.ca
Tue Dec 1 15:20:21 UTC 2020

On Tue, 1 Dec 2020, Anthony DeRobertis wrote:

>>  How are you getting the XAUTH password into pluto? There are three
>>  methods. One is via a secrets file with XAUTH entry. The second is
>>  via ipsec whack --initiate --name XXX --xauthpass PASSWORD. and the
>>  third is via ipsec whack --initiate without --xauthpass and waiting
>>  for the whack prompt and then type it in.
> Ah! I think that's the confusion. Libreswan is the XAUTH server,
> accepting the XAUTH password from the client. That's how the "password"
> is coming in to Libreswan. Libreswan verifies them via PAM
> (xauthby=pam), then is patched to pass it along to the updown script.

Oh of course....

So in that case, I think we should perhaps just call it:


And just call it XAUTH_PASSWD= without wrapping it in a "session id"
type of name, which seems specific to your setup? For good meassure,
I would probably ignore this keyword when running in FIPS mode.

>>  Okay. So let's add it but then we should also cover some other cases
>>  such as the DPD RESTART event, received delete from peer, and received
>>  delete from administrator as reasons, and use a little more generic
>>  named variable. It should probably go into c->temp_vars, so that any
>>  instantiating of the connection wouldn't accidentally copy the reason.
> Sounds good. I'll work on updating it (which may take me a bit with
> other work and I'm new to the Libreswan code base).

Sure, just ping me when you have an update.


More information about the Swan-dev mailing list