[Swan] pam_open_session(3) Re: SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Fri Jan 28 01:12:34 EET 2022


On 1/27/2022 9:02 PM, Paul Wouters wrote:

> On Thu, 27 Jan 2022, Mirsad Goran Todorovac wrote:
>
>>>  Have a look at
>>>  https://github.com/libreswan/libreswan/blob/main/contrib/updown-example/example-terminate.py 
>>>
>>>
>>>  It shows how you can log the disconnect to a file, but you can replace
>>>  the file with like your REST server call.
>>
>> Did just that, but I see remote IP ($PLUTO_PEER), but not 
>> $PLUTO_USERNAME:
>
> It might be the example. PLUTO_PEER is related to the peer and peer ID
> and thus certificate. The username I think only refers to the IKEv1
> XAUTH username, which has no IKEv2 equivalent (yet, until we implement
> EAP mschapv2)

Thank you, PLUTO_PEER_ID was exactly what I wanted, and it wasn't documented ;-)

>> Could I possibly log the information which certificate was used when 
>> the IKEv2 connection was established?
>
> Yes, if you check the _updown script you should see all the environment
> variables we pass into it from our pluto daemon. Or you can check the
> function jam_common_shell_out() in programs/pluto/kernel.c  (we might
> have not always updated the _updown env variables comments there)

This was very useful advice. Don't worry about the script not being updated; nobody throws away a gem because it was not polished :-)

Mirsad

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
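An added example, not code from the thread or from libreswan's contrib directory: an updown hook in Python that records the session events discussed above, using the environment variables pluto passes to the script. PLUTO_PEER, PLUTO_PEER_ID and PLUTO_USERNAME are from the thread; PLUTO_VERB, PLUTO_CONNECTION and PLUTO_PEER_CLIENT are taken from the stock _updown script; the log path and the SESSION_LOG override are hypothetical, and the hook is meant to be chained from the stock _updown, since it does no routing itself.

```python
#!/usr/bin/env python3
"""Log IKEv2 session up/down events from pluto's updown hook.

Pluto runs the updown script for each connection event and passes the
details as environment variables (see the stock _updown script and
jam_common_shell_out() in programs/pluto/kernel.c). This hook records
who connected, including the IKE identity in PLUTO_PEER_ID, which for
certificate-authenticated peers is the certificate's DN or SAN.
It replaces nothing: call it from the stock _updown, which still does
the routing and firewall work.
"""
import json
import os
import sys
from datetime import datetime, timezone

# Verbs that mark a session coming up or going down; the prepare-*/route-*
# verbs are routing steps and carry no session information we care about.
SESSION_VERBS = {"up-client": "connect", "down-client": "disconnect"}


def session_event(env):
    """Return a log record for a session event, or None for other verbs."""
    action = SESSION_VERBS.get(env.get("PLUTO_VERB", ""))
    if action is None:
        return None
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": action,
        "conn": env.get("PLUTO_CONNECTION", ""),
        "peer": env.get("PLUTO_PEER", ""),                # remote IP address
        "peer_id": env.get("PLUTO_PEER_ID", ""),          # IKE ID (cert DN/SAN)
        "peer_client": env.get("PLUTO_PEER_CLIENT", ""),  # peer's client subnet
        # Only set for IKEv1 XAUTH; stays empty for IKEv2, as noted in the thread.
        "username": env.get("PLUTO_USERNAME", ""),
    }


def record_event(env, log_path):
    """Append the event as one JSON line; returns the record or None."""
    rec = session_event(env)
    if rec is not None:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")
    return rec


if __name__ == "__main__":
    # Hypothetical log location; a REST call could replace the file write.
    log_file = os.environ.get("SESSION_LOG", "/var/log/ipsec-sessions.jsonl")
    record_event(os.environ, log_file)
    sys.exit(0)
```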