[Swan] pam_open_session(3) Re: SUCCESS Re: NEW PROBLEM Re: IKEv2 PAM auth failure - how it's done properly?

[Mirsad Goran Todorovac]

On 1.2.2022. 2:53, Paul Wouters wrote:
> On Fri, 28 Jan 2022, Mirsad Goran Todorovac wrote:
>
>> Thank you, PLUTO_PEER_ID was exactly what I wanted, and it wasn't 
>> documented ;-)
>>>>  Could I possibly log the information which certificate was used 
>>>> when the
>>>>  IKEv2 connection was established?
>>>
>>>  Yes, if you check the _updown script you should see all the 
>>> environment
>>>  variables we pass into it from our pluto daemon. Or you can check the
>>>  function jam_common_shell_out() in programs/pluto/kernel.c (we might
>>>  have not always updated the _updown env variables comments there)
>>
>> This was a very useful advice. Don't worry about the script not being 
>> updated, nobody
>> throws a gem because it was not polished :-)
>
> I've updated the variable list:
>
> https://github.com/libreswan/libreswan/commit/beb07948532b6a0a9ff3435f21c44e6e62f1f596 
>
I could also contribute my work on modifying pam_url to make it do a 
passwordless auth based
on an authorization file lookup:

[1] https://domac.alu.hr/~mtodorov/contrib/pam_url_0.3.3.mod.diff
[2] PHP authorization script: 
https://domac.alu.hr/~mtodorov/contrib/myauth.php.txt
[3] sample /usr/local/etc/vpn-ikev2-authorized file: 
https://domac.alu.hr/~mtodorov/contrib/vpn-ikev2-authorized

... because otherwise it will not work (for pam_url to ask for password 
or auth token
when the client is authenticated via certificate and there is no 
EAP/MS-CHAP v2.

So, the user is authorized via cert, but he can be blacklisted in 
authorization file. In fact, he must be
whitelisted to be authorized in the PAM auth pass.

Hope this helps someone.

Kind regards,
Mirsad

-- 
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu