[Swan] pam_open_session(3) Re: SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?

Paul Wouters paul at nohats.ca
Thu Jan 27 22:02:32 EET 2022

On Thu, 27 Jan 2022, Mirsad Goran Todorovac wrote:

>>  Have a look at
>>  https://github.com/libreswan/libreswan/blob/main/contrib/updown-example/example-terminate.py
>>  It shows how you can log the disconnect to a file, but you can replace
>>  the file with like your REST server call.
> Did just that, but I see remote IP ($PLUTO_PEER), but not $PLUTO_USERNAME:

It might be the example. PLUTO_PEER is related to the peer and peer ID
and thus certificate. The username I think only refers to the IKEv1
XAUTH username, which has no IKEv2 equivalent (yet, until we implement
EAP mschapv2)

> Could I possibly log the information which certificate was used when the 
> IKEv2 connection was established?

Yes, if you check the _updown script you should see all the environment
variables we pass into it from our pluto daemon. Or you can check the
function jam_common_shell_out() in programs/pluto/kernel.c  (we might
have not always updated the _updown env variables comments there)


More information about the Swan mailing list