[Swan] SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Tue Jan 25 22:36:22 EET 2022

Is there a particular reason why you switched from the POST URL request 
to a GET one? AFAIK, GET used to be less safe as it encoded password in 
URL which might be visible in some web server logs ... Any idea why you 
did that? :-/

I thought that your idea of using a CN=username at hostname,O=myorg.tld 
convention is a good one, but I would have to reissue all of the 
certificates, and my current system already works partially deployed. 
(Only to the testing people, of course ...).

What I was actually looking for is a means to get username from the 
script (and it seems to allow only OK or ACCESS DENIED), or should I 
call getpwnam() from PHP. But it didn't seem right to modify utmp from 
PHP, did it? That breaks modularity paradigm IMHO ... Still looking for 
a way to do things "kosher" way ... :-)

On 1/25/2022 4:24 AM, Paul Wouters wrote:
> On Mon, 24 Jan 2022, Mirsad Goran Todorovac wrote:
>> I can publish a patch diff. I have really made very small 
>> modifications. A couple of lines.
>> I would also want to map certificate subject lines to unix usernames, 
>> put the user into utmp and display the connected user with `w`
>> or `who` commands. But I'm not sure how it's done yet.
> Attached is what I had gobbled together to pull IDs from certificates 
> inside pam_url for IKEv2.
>> Maybe I should think of forking pam_url and supplying a Debian .deb 
>> package, since only .rpm exists in the wild?
> I don't think it is well maintained or active upstream?
>> pam-authenticate is a very practical method of access control. I 
>> would like to clear the doubts that it decreased the security of
>> IKEv2 VPN, and that it is unprofessional, because pam_url calls a 
>> cgi-bin script in .php over a TLSv1.3 connection.
> It still beats 10 round trips of EAPTLS on Windows :)
> Paul

Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355

More information about the Swan mailing list