[Swan] SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Tue Jan 25 22:36:22 EET 2022
Is there a particular reason why you switched from the POST URL request
to a GET one? AFAIK, GET used to be less safe, as it encoded the password in
the URL, which might be visible in some web server logs ... Any idea why you
did that? :-/
I thought that your idea of using a CN=username@hostname,O=myorg.tld
convention is a good one, but I would have to reissue all of the
certificates, and my current system already works, partially deployed.
(Only to the testing people, of course ...).
What I was actually looking for is a means to get the username from the
script (and it seems to allow only OK or ACCESS DENIED), or should I
call getpwnam() from PHP? But it didn't seem right to modify utmp from
PHP, did it? That breaks the modularity paradigm IMHO ... Still looking for
a way to do things the "kosher" way ... :-)
On 1/25/2022 4:24 AM, Paul Wouters wrote:
> On Mon, 24 Jan 2022, Mirsad Goran Todorovac wrote:
>
>> I can publish a patch diff. I have really made very small
>> modifications. A couple of lines.
>
>> I would also want to map certificate subject lines to unix usernames,
>> put the user into utmp and display the connected user with `w`
>> or `who` commands. But I'm not sure how it's done yet.
>
> Attached is what I had cobbled together to pull IDs from certificates
> inside pam_url for IKEv2.
>
>> Maybe I should think of forking pam_url and supplying a Debian .deb
>> package, since only .rpm exists in the wild?
>
> I don't think it is well maintained or active upstream?
>
>> pam-authenticate is a very practical method of access control. I
>> would like to clear the doubts that it decreased the security of
>> IKEv2 VPN, and that it is unprofessional, because pam_url calls a
>> cgi-bin script in .php over a TLSv1.3 connection.
>
> It still beats 10 round trips of EAPTLS on Windows :)
>
> Paul
--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
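As an added illustration of the two points raised in this thread (accepting credentials only by POST so they never end up in the query string that the web server logs, and deriving the unix username from the certificate CN on the server side rather than trusting a client-supplied field), here is an example endpoint written in Python. It is not the poster's PHP script, Paul's attachment, or pam_url's own code; the form field names `subject` and `password`, the constructed accounts, the CN=username@hostname,O=myorg.tld convention taken from the thread, and the literal OK / ACCESS DENIED reply are assumptions made for the demonstration.

```python
"""Added sketch of a pam_url-style auth endpoint: POST only, and the unix user
is derived from the certificate subject rather than trusted from the client.
Assumed interface (not pam_url's real one): the form carries 'subject' and
'password', and the reply is the literal string OK or ACCESS DENIED."""
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed accounts: username -> (salt, pbkdf2-sha256 of the password).
# A real deployment would consult PAM / getpwnam or a directory instead.
_ACCOUNTS = {
    "alice": (b"salt-a", _pbkdf2("correct horse", b"salt-a")),
    "bob": (b"salt-b", _pbkdf2("battery staple", b"salt-b")),
}

# Conservative shape for a unix login name (lowercase, no shell metacharacters).
_UNIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_subject_dn(dn: str) -> dict:
    """Split 'CN=x,O=y' into {'CN': 'x', 'O': 'y'} (no RFC 4514 escaping support)."""
    attrs = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def cn_to_unix_user(cn: str) -> Optional[str]:
    """CN=username@hostname -> 'username', or None if it is not a sane unix name."""
    user, sep, host = cn.partition("@")
    if not sep or not host or not _UNIX_NAME.match(user):
        return None
    return user


def access_log_line(method: str, path: str, query: str) -> str:
    """The request line a typical web server writes to its access log."""
    target = f"{path}?{query}" if query else path
    return f'"{method} {target} HTTP/1.1"'


def authenticate(method: str, path: str, query: str, body: str) -> Tuple[str, Optional[str], str]:
    """Return (verdict, unix_user, access_log_line).

    GET requests, and any request with a query string, are refused outright:
    whatever was in the URL has already been written to the access log
    before this code runs, so credentials must travel in the POST body.
    """
    logged = access_log_line(method, path, query)
    if method != "POST" or query:
        return "ACCESS DENIED", None, logged
    form = parse_qs(body, keep_blank_values=True)
    subject = form.get("subject", [""])[0]
    password = form.get("password", [""])[0]
    try:
        cn = parse_subject_dn(subject).get("CN", "")
    except ValueError:
        return "ACCESS DENIED", None, logged
    user = cn_to_unix_user(cn)
    if user is None or user not in _ACCOUNTS:
        return "ACCESS DENIED", None, logged
    salt, expected = _ACCOUNTS[user]
    if not hmac.compare_digest(_pbkdf2(password, salt), expected):
        return "ACCESS DENIED", None, logged
    return "OK", user, logged


if __name__ == "__main__":
    # Constructed request body: subject=CN=alice@pc1.myorg.tld,O=myorg.tld, password=correct horse
    body = "subject=CN%3Dalice%40pc1.myorg.tld%2CO%3Dmyorg.tld&password=correct+horse"
    print(authenticate("POST", "/cgi-bin/auth.php", "", body))
    # The same data sent as a GET query string is refused, and the log line shows why.
    print(authenticate("GET", "/cgi-bin/auth.php", body, ""))
```

The verdict is still only OK or ACCESS DENIED, as the thread describes, but `authenticate` also returns the unix user it derived from the CN, which is the value a wrapper would need before touching utmp or anything else on the PAM side; the client-supplied subject is only a lookup key, never used as a username until it has passed the DN parse, the `@` split and the login-name regex.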