[Swan] UPDATE Re: Authentication with pam_url and nonces
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Tue Feb 8 17:07:37 EET 2022
P.S.
I get the error:
Feb 8 15:48:21 domac pamtester: pam_url(test:auth): TLSv1.3 (IN), TLS alert, unknown CA (560):
Feb 8 15:48:21 domac pamtester: pam_url(test:auth): OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
and the certificates in pam_url.conf are the same as the working apache2
certificates:
pam_url:
{
    settings:
    {
        url = "https://domac.alu.hr:443/cgi-bin/myauth-hmac.php";   # URI to fetch
        returncode = "OK";          # The remote script/cgi should return a 200 http code and this string as its only results
        userfield = "user";         # userfield name to send
        passwdfield = "pass";       # passwdfield name to send
        extradata = "&do=login";    # extra data to send
        # prompt = "Token: ";       # password prompt
    };
    ssl:
    {
        verify_peer = true;         # Verify peer?
        verify_host = true;         # Make sure peer CN matches?
        client_cert = "/etc/ssl/certs/domac_alu_hr_wchain_20220110.pem";   # Client-side certificate
        client_key = "/etc/ssl/private/domac_alu_hr_20220110.key";         # Client-side key
        ca_cert = "/etc/ssl/certs/SectigoCA_20220110.pem";                 # ca cert - defaults to ca-bundle.crt
    };
};
I have verified the certs with "diff" and they are literally the same.
I am running out of options. Perhaps you have tested mTLS with pam_url?
I feel so tired, and it is only Tuesday. My weekend enthusiasm appears
to have splashed :-(
Mirsad
On 2/8/2022 3:17 PM, Mirsad Goran Todorovac wrote:
> SSLVerifyClient did not exactly work out of the box on our apache2
> server, and I don't have the liberty to experiment with it ...
>
> pam_url with HMAC-SHA-2 just works, and I believe it has sound logic:
> HMAC-SHA-256 protected the URL POST fields from tampering in
> man-in-the-middle attacks, and the script return code.
>
> However, brute forcing the CGI PHP script presents a problem, and mTLS
> still seems like a way to do it, if only I could make it work for me.
>
> Mirsad
>
> On 2/7/2022 7:51 PM, Paul Wouters wrote:
>> If you feel the pam TLS calls need more than server side cert
>> verification, you should look into client authentication, eg mTLS.
>> Don't invent your own crypto.
>>
>> Paul
>
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
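An added example, not from this thread or from pam_url, showing what the "unknown CA" alert above is about: curl marks the alert "(IN)", i.e. received from the server, so it is the server that could not chain the certificate it was shown to a CA it trusts. Identical certificate files on both ends do not by themselves tell you which CA each side trusts; the check that matters is whether the presented certificate verifies against the peer's CA bundle. The script builds two throwaway test CAs and a client certificate with openssl (all names and paths are constructed) and verifies the same certificate against each bundle.

```shell
#!/bin/sh
# Constructed example: reproduce the "unknown CA" condition offline.
# Two private test CAs are generated; a client certificate is issued by CA "A".
# verify_against() answers the question the alert raises: does the CA bundle
# the peer trusts actually contain the issuer of the presented certificate?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a throwaway self-signed test CA: make_ca <name>
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA $1" \
        -keyout "$WORK/ca_$1.key" -out "$WORK/ca_$1.pem" 2>/dev/null
}

# Issue a leaf certificate signed by test CA <ca>: issue_leaf <ca> <name>
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/ca_$1.pem" -CAkey "$WORK/ca_$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against <ca_bundle.pem> <cert.pem>: prints "trusted" or "unknown CA"
# and returns 0 or 1, mirroring the decision the peer's TLS stack makes.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trusted"; return 0
    fi
    echo "unknown CA"; return 1
}

make_ca A
make_ca B
issue_leaf A client

# Same leaf, two different trust stores: only the bundle holding its issuer passes.
verify_against "$WORK/ca_A.pem" "$WORK/client.pem"            # trusted
verify_against "$WORK/ca_B.pem" "$WORK/client.pem" || true    # unknown CA
```

For a real deployment, run the same `openssl verify -CAfile` with the client certificate and the CA file the server side is configured to trust (for apache2, the file named by SSLCACertificateFile).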