[Swan] pam_open_session(3) Re: SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?

Paul Wouters paul at nohats.ca
Thu Jan 27 22:02:32 EET 2022


On Thu, 27 Jan 2022, Mirsad Goran Todorovac wrote:

>>  Have a look at
>>  https://github.com/libreswan/libreswan/blob/main/contrib/updown-example/example-terminate.py
>>
>>  It shows how you can log the disconnect to a file, but you can replace
>>  the file with like your REST server call.
>
> Did just that, but I see remote IP ($PLUTO_PEER), but not $PLUTO_USERNAME:

It might be the example. PLUTO_PEER is related to the peer and peer ID
and thus certificate. The username I think only refers to the IKEv1
XAUTH username, which has no IKEv2 equivalent (yet, until we implement
EAP mschapv2)

> Could I possibly log the information which certificate was used when the 
> IKEv2 connection was established?

Yes, if you check the _updown script you should see all the environment
variables we pass into it from our pluto daemon. Or you can check the
function jam_common_shell_out() in programs/pluto/kernel.c  (we might
have not always updated the _updown env variables comments there)

Paul
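One way to log the peer certificate identity from an updown hook, as an added example that is not from the thread or from libreswan's own contrib scripts: a wrapper placed in leftupdown= that writes one audit line per session event and then chains to the stock _updown. Beyond PLUTO_PEER and PLUTO_USERNAME, which the thread names, the variable names PLUTO_VERB, PLUTO_CONNECTION, PLUTO_PEER_ID, PLUTO_PEER_CA and PLUTO_PEER_CLIENT are assumed here from pluto's updown environment (confirm them against the _updown comments or jam_common_shell_out() as Paul suggests), and the stock-script and log paths are assumptions for illustration. The peer ID is a DN taken from the peer's certificate, so it is free text chosen by whoever enrolled that certificate; the helper escapes quotes and strips newlines so one line cannot forge a second log record.

```shell
#!/bin/sh
# Added example: audit wrapper for a libreswan updown hook.
# Assumed environment (not confirmed by the thread): PLUTO_VERB, PLUTO_CONNECTION,
# PLUTO_PEER_ID, PLUTO_PEER_CA, PLUTO_PEER_CLIENT in addition to PLUTO_PEER and
# PLUTO_USERNAME.  Assumed paths: UPDOWN_AUDIT_LOG and REAL_UPDOWN defaults below.

# q: make a value safe to embed inside double quotes on a single log line.
# Drops CR/LF (no log-record injection) and escapes backslashes and quotes.
q() {
    printf '%s' "$1" | tr -d '\n\r' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# format_updown_event TIMESTAMP
# Prints one key=value audit line built from pluto's environment.
# Returns 1 for verbs that are not session up/down events (e.g. prepare-*).
format_updown_event() {
    ts="$1"
    verb="${PLUTO_VERB:-unknown}"
    case "$verb" in
        up-client|down-client|up-host|down-host) ;;
        *) return 1 ;;
    esac
    # PLUTO_USERNAME is only populated for IKEv1 XAUTH; with IKEv2 certificate
    # auth it is empty, so the peer ID (certificate DN) is the identity to keep.
    printf 'ts=%s verb=%s conn=%s peer=%s peer_id="%s" peer_ca="%s" client=%s user="%s"\n' \
        "$ts" \
        "$verb" \
        "${PLUTO_CONNECTION:-?}" \
        "${PLUTO_PEER:-?}" \
        "$(q "${PLUTO_PEER_ID:-}")" \
        "$(q "${PLUTO_PEER_CA:-}")" \
        "${PLUTO_PEER_CLIENT:-?}" \
        "$(q "${PLUTO_USERNAME:-}")"
}

# updown_main: append the audit line, then hand over to the real _updown so
# routes and policies are still installed/removed exactly as before.
updown_main() {
    log="${UPDOWN_AUDIT_LOG:-/var/log/ipsec-audit.log}"      # assumed path
    real="${REAL_UPDOWN:-/usr/libexec/ipsec/_updown}"        # assumed path
    line=$(format_updown_event "$(date -u +%Y-%m-%dT%H:%M:%SZ)") \
        && printf '%s\n' "$line" >> "$log"
    [ -x "$real" ] && exec "$real" "$@"
}

# pluto always sets PLUTO_VERB when it invokes the hook; when this file is
# sourced or run by hand without it, the functions are defined but nothing runs.
case "${PLUTO_VERB:-}" in
    "") ;;
    *)  updown_main "$@" ;;
esac
```

Point leftupdown= at this file (and leave the stock _updown in place for it to exec). Because the wrapper writes before chaining, a failure in the audit write does not prevent the tunnel from coming up, and because the stock script is exec'd rather than copied, later libreswan upgrades to _updown are picked up automatically.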

