[Swan] UPDATE Re: Authentication with pam_url and nonces

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Feb 23 16:42:25 EET 2022

mTLS did not work for me.

I didn't invent my own crypto, but I used mutual HMAC authentication 
with preshared secret and
pluggable hash functions. It is an evolutionary step for a server side 
PHP script that relied on IP
address alone to verify its client.

If anyone thinks it is worth a look, it is here:


It would probably be prudent to have a peer review of the code before it 
is given for people trying
to authenticate the VPNs with PAM.

Kind regards,

On 7.2.2022. 19:51, Paul Wouters wrote:
> If you feel the pam TLS calls needs more than server side cert verification, you should look into client authentication, eg mTLS. Don’t invent your own crypto.
> Paul

Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu

More information about the Swan mailing list