[Swan-dev] Passing xauth password, DPD status to updown script

Andrew Cagney andrew.cagney at gmail.com
Tue Dec 1 18:58:49 UTC 2020


FYI, the code uses popen(), which execs:
  /bin/sh -c ...TELMATE_SESSION_KEY=...
so anyone with local access can potentially see the key.

On Mon, 30 Nov 2020 at 13:42, Anthony DeRobertis
<anthony.derobertis at gtl.net> wrote:
>
> Quick background, on our client devices, authentication is done via a
> separate program, which returns a session ID. Our clients then send their
> client ID & that session ID via IKEv1 xauth, as the username and
> "password". We need to get it passed out of Libreswan to track session
> up/down, and so (locally) we've patched Libreswan to add the "password"
> to the updown script environment.
>
> Our local patch isn't something that can be upstreamed, but I'm
> wondering if a cleaned up version, controlled by a config option
> (default do not export it, of course), could be.
>
> https://github.com/Telmate/libreswan/commit/1f5cd32f22e00ef6ce7ce091977079b2fc15975f
>
> We also track if the connection was shut down due to Libreswan's DPD
> detecting the client dead, and export that to the updown script as well:
>
> https://github.com/Telmate/libreswan/commit/960533723fb6c7666636251679ddf22195a2e1b2
>
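To make the exposure Andrew describes concrete, here is an added example (not Libreswan code and not the Telmate patch under discussion) that contrasts the popen() pattern with a fork()/execve() variant that passes the value only through the child's environment. It assumes Linux (it reads /proc/<pid>/cmdline), uses a constructed placeholder key, and uses a small probe script as a stand-in for the updown script; the variable name TELMATE_SESSION_KEY is taken from the message. Libreswan's real updown command line uses `VAR=value script` assignment prefixes rather than `export`; both forms put the value into the argv of `/bin/sh -c`, which is the point being shown.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed placeholder, not a real session key. */
#define DEMO_KEY "demo-session-key-0123"

/* Stand-in for the updown script (assumption: Linux with /proc mounted).
 * Line 1: the invoking shell's own command line, i.e. what ps(1) or any
 *         local user reading /proc/<pid>/cmdline would see.
 * Line 2: the value the script actually received in the variable. */
#define PROBE_SCRIPT \
    "tr '\\0' ' ' </proc/$$/cmdline; echo; printf '%s\\n' \"$TELMATE_SESSION_KEY\""

/* The pattern from the thread: the secret is spliced into the command
 * string, which popen() hands to "/bin/sh -c <string>", so the value
 * becomes part of the shell's argv. Returns bytes captured, 0 on failure. */
size_t run_key_via_popen(const char *key, char *out, size_t outsz)
{
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "export TELMATE_SESSION_KEY=%s; %s", key, PROBE_SCRIPT);
    FILE *p = popen(cmd, "r");
    if (p == NULL)
        return 0;
    size_t n = fread(out, 1, outsz - 1, p);
    out[n] = '\0';
    pclose(p);
    return n;
}

/* The alternative: fork, then execve() the shell with the secret only in
 * envp. argv never contains it, so /proc/<pid>/cmdline shows the script
 * text alone. (/proc/<pid>/environ is readable only by the same uid or
 * root, unlike cmdline, which is world-readable.) */
size_t run_key_via_execve(const char *key, char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        char envkey[512];
        snprintf(envkey, sizeof envkey, "TELMATE_SESSION_KEY=%s", key);
        char *envp[] = { envkey, "PATH=/usr/bin:/bin", NULL };
        char *argv[] = { "sh", "-c", PROBE_SCRIPT, NULL };
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execve("/bin/sh", argv, envp);
        _exit(127);
    }
    close(fds[1]);
    size_t n = 0;
    for (;;) {
        ssize_t r = read(fds[0], out + n, outsz - 1 - n);
        if (r <= 0)
            break;
        n += (size_t)r;
        if (n >= outsz - 1)
            break;
    }
    out[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n;
}

/* 1 if the key appears in line 1 (the shell's visible command line). */
int key_in_cmdline(const char *out, const char *key)
{
    const char *nl = strchr(out, '\n');
    const char *hit = strstr(out, key);
    return hit != NULL && (nl == NULL || hit < nl);
}

/* 1 if line 2 is exactly the key, i.e. the script did receive the value. */
int script_saw_key(const char *out, const char *key)
{
    const char *nl = strchr(out, '\n');
    size_t klen = strlen(key);
    return nl != NULL && strncmp(nl + 1, key, klen) == 0 && nl[1 + klen] == '\n';
}

int main(void)
{
    char out[2048];
    run_key_via_popen(DEMO_KEY, out, sizeof out);
    printf("popen():  key in cmdline=%d, script saw key=%d\n",
           key_in_cmdline(out, DEMO_KEY), script_saw_key(out, DEMO_KEY));
    run_key_via_execve(DEMO_KEY, out, sizeof out);
    printf("execve(): key in cmdline=%d, script saw key=%d\n",
           key_in_cmdline(out, DEMO_KEY), script_saw_key(out, DEMO_KEY));
    return 0;
}
```

With popen() the first captured line (the shell's argv, what `ps` shows to every local user) contains the key; with execve() it does not, while the script still receives the value in both cases. Moving the secret into envp closes the world-readable cmdline channel but not the owner/root-readable environ one, so the config option Anthony proposes would still be exporting the xauth "password" to anything running as the same user as pluto.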

