[Swan] pam_open_session(3) Re: SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Wed Jan 26 16:45:02 EET 2022
Hi Paul,
I did some research. It may be impossible to log IKEv2 sessions in utmp
and wtmp, for libreswan doesn't appear to be calling pam_open_session(3)
after authenticating the certificate and the user and
pam_close_session(3) after the connection is severed.
I am not confident enough to attempt to add the session management calls
to the libreswan source, or not yet :-)
And leaving the utmp entry to linger forever after the connection breaks
up doesn't seem prudent, so I think I'll take a break at this point and
"stand on the ball".
Tell me, did I miss something, or is the utmp/wtmp connection logging
entirely impossible within the current libreswan framework?
I would like to have some handy connection logging apart from
/var/log/pluto.log ...
Thanks!
Kind regards,
Mirsad
On 1/25/2022 9:36 PM, Mirsad Goran Todorovac wrote:
> Is there a particular reason why you switched from the POST URL
> request to a GET one? AFAIK, GET used to be less safe as it encoded
> password in URL which might be visible in some web server logs ... Any
> idea why you did that? :-/
>
> I thought that your idea of using a CN=username at hostname,O=myorg.tld
> convention is a good one, but I would have to reissue all of the
> certificates, and my current system already works partially deployed.
> (Only to the testing people, of course ...).
>
> What I was actually looking for is a means to get the username from the
> script (and it seems to allow only OK or ACCESS DENIED), or should I
> call getpwnam() from PHP? But it didn't seem right to modify utmp from
> PHP, did it? That breaks the modularity paradigm IMHO ... Still looking
> for a way to do things the "kosher" way ... :-)
>
> On 1/25/2022 4:24 AM, Paul Wouters wrote:
>> On Mon, 24 Jan 2022, Mirsad Goran Todorovac wrote:
>>
>>> I can publish a patch diff. I have really made very small
>>> modifications. A couple of lines.
>>
>>> I would also want to map certificate subject lines to unix
>>> usernames, put the user into utmp and display the connected user
>>> with `w` or `who` commands. But I'm not sure how it's done yet.
>>
>> Attached is what I had gobbled together to pull IDs from certificates
>> inside pam_url for IKEv2.
>>
>>> Maybe I should think of forking pam_url and supplying a Debian .deb
>>> package, since only .rpm exists in the wild?
>>
>> I don't think it is well maintained or active upstream?
>>
>>> pam-authenticate is a very practical method of access control. I
>>> would like to clear the doubts that it decreased the security of
>>> IKEv2 VPN, and that it is unprofessional, because pam_url calls a
>>> cgi-bin script in .php over a TLSv1.3 connection.
>>
>> It still beats 10 round trips of EAPTLS on Windows :)
>>
>> Paul
>
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
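The thread above asks how to map certificate subjects to Unix usernames (the CN=username@hostname,O=myorg.tld convention) and whether getpwnam() is the right place to confirm the account. As an added example, not code from the thread, from libreswan or from pam_url, the C program below does that mapping defensively: it pulls the CN out of a one-line subject DN, splits it at "@", pins the host part to the gateway's own name, applies a strict allow-list to the user part before the name is used anywhere (utmp, a PAM session, a lookup), and finally checks with getpwnam(3) that a local account exists. The DN layout, the hostname "vpn.example.org" and the sample subjects are constructed assumptions; subjects containing escaped commas would need a real RFC 4514 parser rather than the comma split used here.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

#define MAX_USER 32

/* Extract the CN attribute value from a one-line DN such as
 * "CN=alice@vpn.example.org,O=example.org". Returns the value length,
 * or -1 if there is no CN or it does not fit. Commas are treated as
 * plain separators (no RFC 4514 escape handling, see lead-in). */
static int dn_get_cn(const char *dn, char *out, size_t outlen) {
    const char *p = dn;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;
        if (strncmp(p, "CN=", 3) == 0) {
            p += 3;
            size_t n = strcspn(p, ",");
            if (n == 0 || n >= outlen) return -1;
            memcpy(out, p, n);
            out[n] = '\0';
            return (int)n;
        }
        p += strcspn(p, ",");
    }
    return -1;
}

/* Strict allow-list for a Unix login name: lowercase letters, digits,
 * '_' and '-', at most MAX_USER chars, first char a letter or '_'. */
static int valid_unix_username(const char *u) {
    size_t n = strlen(u);
    if (n == 0 || n > MAX_USER) return 0;
    if (!(islower((unsigned char)u[0]) || u[0] == '_')) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Map a subject DN in the assumed CN=<user>@<host>,O=<org> form to a
 * Unix username. Returns 1 and fills `user` on success, 0 if the DN does
 * not follow the convention, the host is wrong, or the name fails the
 * allow-list. Nothing is written to `user` on failure. */
int subject_to_username(const char *dn, const char *expected_host,
                        char *user, size_t userlen) {
    char cn[256];
    if (dn_get_cn(dn, cn, sizeof cn) < 0) return 0;
    char *at = strchr(cn, '@');
    if (!at) return 0;
    *at = '\0';
    /* The host part ties the certificate to this gateway's naming. */
    if (strcmp(at + 1, expected_host) != 0) return 0;
    if (!valid_unix_username(cn)) return 0;
    if (strlen(cn) >= userlen) return 0;
    strcpy(user, cn);
    return 1;
}

/* Confirm the mapped name is a real local account via getpwnam(3). */
int user_exists(const char *user) {
    return getpwnam(user) != NULL;
}

int main(void) {
    /* Constructed sample subjects, not taken from the thread. */
    const char *subjects[] = {
        "CN=alice@vpn.example.org,O=example.org",
        "CN=mallory@other.example,O=example.org",      /* wrong host   */
        "CN=Alice Smith@vpn.example.org,O=example.org", /* bad charset  */
        "O=example.org",                                /* no CN at all */
    };
    for (size_t i = 0; i < sizeof subjects / sizeof *subjects; i++) {
        char user[MAX_USER + 1];
        if (subject_to_username(subjects[i], "vpn.example.org",
                                user, sizeof user))
            printf("%-47s -> %s (account %s)\n", subjects[i], user,
                   user_exists(user) ? "exists" : "missing");
        else
            printf("%-47s -> rejected\n", subjects[i]);
    }
    return 0;
}
```

The allow-list runs before getpwnam(3) on purpose: a name that fails it never reaches the account database, utmp or any script, so a certificate with an unexpected CN is rejected rather than interpreted.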