[Swan] pam_open_session(3) Re: SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Fri Jan 28 01:12:34 EET 2022
On 1/27/2022 9:02 PM, Paul Wouters wrote:
> On Thu, 27 Jan 2022, Mirsad Goran Todorovac wrote:
>
>>> Have a look at
>>> https://github.com/libreswan/libreswan/blob/main/contrib/updown-example/example-terminate.py
>>>
>>>
>>> It shows how you can log the disconnect to a file, but you can replace
>>> the file with like your REST server call.
>>
>> Did just that, but I see remote IP ($PLUTO_PEER), but not
>> $PLUTO_USERNAME:
>
> It might be the example. PLUTO_PEER is related to the peer and peer ID
> and thus certificate. The username I think only refers to the IKEv1
> XAUTH username, which has no IKEv2 equivalent (yet, until we implement
> EAP mschapv2)
Thank you, PLUTO_PEER_ID was exactly what I wanted, and it wasn't
documented ;-)
>> Could I possibly log the information which certificate was used when
>> the IKEv2 connection was established?
>
> Yes, if you check the _updown script you should see all the environment
> variables we pass into it from our pluto daemon. Or you can check the
> function jam_common_shell_out() in programs/pluto/kernel.c (we might
> have not always updated the _updown env variables comments there)
This was a very useful advice. Don't worry about the script not being
updated, nobody
throws a gem because it was not polished :-)
Mirsad
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
More information about the Swan
mailing list