[Swan] SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Tue Jan 25 22:00:40 EET 2022
Hi Paul,
Looking at the username from cert is an excellent idea. I haven't
thought of it myself. I though of using a lookup table from cert subject
name to Linux username like libpam-pkcs11 does, but I didn't know how to
code it for I am newbie in PAM.
I will wait some time until I sleep over it. Maybe I see some new
solution in my spirit. Lord willing.
On 1/25/2022 4:24 AM, Paul Wouters wrote:
> On Mon, 24 Jan 2022, Mirsad Goran Todorovac wrote:
>
>> I can publish a patch diff. I have really made very small
>> modifications. A couple of lines.
>
>> I would also want to map certificate subject lines to unix usernames,
>> put the user into utmp and display the connected user with `w`
>> or `who` commands. But I'm not sure how it's done yet.
>
> Attached is what I had gobbled together to pull IDs from certificates
> inside pam_url for IKEv2.
>
>> Maybe I should think of forking pam_url and supplying a Debian .deb
>> package, since only .rpm exists in the wild?
>
> I don't think it is well maintained or active upstream?
>
>> pam-authenticate is a very practical method of access control. I
>> would like to clear the doubts that it decreased the security of
>> IKEv2 VPN, and that it is unprofessional, because pam_url calls a
>> cgi-bin script in .php over a TLSv1.3 connection.
>
> It still beats 10 round trips of EAPTLS on Windows :)
>
> Paul
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
More information about the Swan
mailing list