<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi again,</p>
<p>I jumped the conclusion. pamtester authentication works though,
but IKEv2 doesn't connect and the pluto.log still shows
"Permission denied" from some other source:</p>
<font face="monospace">root@domac:/home/admin/mtodorov/build/pam_url#
pamtester -v pluto "CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG"
authenticate<br>
pamtester: invoking pam_start(pluto, CN=laptop-mtodorov.alu.hr,
O=ALU-UNIZG, ...)<br>
pamtester: performing operation - authenticate<br>
pamtester: successfully authenticated<br>
</font>
<p><font face="monospace">root@domac:/home/admin/mtodorov/build/pam_url#</font></p>
<p>/var/log/pluto.log:<br>
<font face="monospace">Jan 22 13:01:12.094415: | IKEv2 helper
thread pam_start for state #4, MYCONN-ikev2-cp[8]
user=CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG.<br>
Jan 22 13:01:12.094450: | IKEv2 helper thread pam_set_item for
state #4, MYCONN-ikev2-cp[8] user=CN=laptop-mtodorov.alu.hr,
O=ALU-UNIZG.<br>
Jan 22 13:01:12.107438: | IKEv2 helper thread pam_authenticate
for state #4, MYCONN-ikev2-cp[8] user=CN=laptop-mtodorov.alu.hr,
O=ALU-UNIZG.<br>
Jan 22 13:01:12.108427: "MYCONN-ikev2-cp"[8] 188.252.254.228 #4:
IKEv2 FAILED during pam_acct_mgmt with 'Authentication failure'
for state #4, MYCONN-ikev2-cp[8] user=CN=laptop-mtodorov.alu.hr,
O=ALU-UNIZG.<br>
Jan 22 13:01:12.108763: | PAM: #4: PAM-process completed for
user 'CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG' with result
FAILURE<br>
Jan 22 13:01:12.110169: | processing signal PLUTO_SIGCHLD</font><br>
</p>
<p>/etc/pam.d/pluto:<br>
<font face="monospace">#%PAM-1.0<br>
auth required pam_env.so<br>
auth sufficient /lib64/security/pam_url.so
config=/etc/pam_url.conf debug<br>
auth requisite pam_succeed_if.so uid >= 500 quiet
debug<br>
auth required pam_deny.so debug<br>
<br>
# account include system-auth<br>
# password include system-auth<br>
# session optional pam_keyinit.so revoke<br>
# session required pam_limits.so<br>
</font></p>
<p>This seems weird, but now I am really out of options, for it
doesn't behave as it should.</p>
<p>I felt so close to the solution. Now it seems like going back to
square one.</p>
<p>Mirsad<br>
</p>
<div class="moz-cite-prefix">On 1/22/2022 12:50 PM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1780d5a2-24e3-64a4-e6b2-3893f6366a3c@alu.unizg.hr">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Dear Paul,</p>
<p>I have succeeded making it work, with some tweaking to pam_url
source.</p>
<p>Apropos /etc/pam.d/pluto, it appears to be a part of the Debian
libreswan package, so I mailed the maintainer.</p>
<p>Thank you for your thoughts and prayers.</p>
<p>This was an exciting challenge, with ups and downs ;-)</p>
<p>Kind regards,<br>
Mirsad<br>
</p>
<div class="moz-cite-prefix">On 1/22/2022 9:47 AM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7d6a85ce-0d81-5c5d-d4e0-e0c4601d7f14@alu.unizg.hr">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>P.P.S.</p>
<p>I apologize, the link in the previous email executed the PHP
script instead of displaying the source. Here is the fixed
link:</p>
<p><a class="moz-txt-link-freetext"
href="https://domac.alu.hr/mtodorov/myauth.php.txt"
moz-do-not-send="true">https://domac.alu.hr/mtodorov/myauth.php.txt</a></p>
<p>But IMHO the script works as intended: it returns 200 OK if
the user is existing in the account.txt file.<br>
The problem seems to be in the /etc/pam.d/test that I can't
seem to get right.<br>
</p>
<p>Mirsad<br>
</p>
<div class="moz-cite-prefix">On 1/22/2022 9:39 AM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1494caa4-bfb5-570f-f804-e960b501e16b@alu.unizg.hr">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>Hello Paul,</p>
<p>I have unsuccessfully tried libpam-pkcs11 but it seems to
require a card slot and it didn't work with NSS.</p>
<p>I have succeeded to enable pam_url with SSL on my local web
server to call my CGI-BIN script.</p>
<p>However, I couldn't make it to work with PAM.</p>
<p>However, there seems to be a problem with the default
/etc/pam.d/pluto with libreswan-4.6. It is including
system-auth, but system-auth does not exist in my Debian
server's /etc/pam.d . It seems to be sort of a RedHat thing.</p>
<p>The file is:</p>
<p>% cat /etc/pam.d/pluto<br>
#%PAM-1.0<br>
# Regular System auth<br>
auth include system-auth<br>
#<br>
# Google Authenticator with Regular System auth in combined
prompt mode<br>
# (OTP is added to the password at the password prompt
without separator)<br>
# auth required pam_google_authenticator.so forward_pass<br>
# auth include system-auth use_first_pass<br>
#<br>
# Common<br>
account required pam_nologin.so<br>
auth sufficient pam_pkcs11.so<br>
account include system-auth<br>
password include system-auth<br>
session optional pam_keyinit.so debug force revoke<br>
session include system-auth<br>
session required pam_loginuid.so<br>
</p>
<p>The /etc/pam.d/test for pam_url also calls system-auth:</p>
<p># cat /etc/pam.d/test<br>
#%PAM-1.0<br>
auth required pam_env.so<br>
auth sufficient /lib64/security/pam_url.so debug
config=/etc/pam_url.conf<br>
auth requisite pam_succeed_if.so uid >= 500
quiet<br>
auth required pam_deny.so<br>
<br>
account include system-auth<br>
password include system-auth<br>
session optional pam_keyinit.so revoke<br>
session required pam_limits.so<br>
</p>
<p>It seems to be made for local users.</p>
<p>I am going to paste a working system-auth from the web, but
it is rather cumbersome :-P</p>
<p>I feel really confused, as I see none of functions in
pam_authenticate return "yes" or "no". Maybe I was wrong to
take it literally.</p>
<p>I have succeeded to make the script be called from
pamtester and to return "200 OK" in case the username is in
the permitted access file, and "400 Bad Request" if it is
not.</p>
<p>However, pamtester treats both of these cases as
"Authentication failure":</p>
<p>root@domac:/home/admin/mtodorov/build/pam_url# pamtester -v
test user1 authenticate<br>
pamtester: invoking pam_start(test, user1, ...)<br>
pamtester: performing operation - authenticate<br>
161.53.235.3 - - [22/Jan/2022:09:35:45 +0100] "POST
/cgi-bin/myauth.php HTTP/2.0" 200 134 "-" "pam_url/0.3.3"<br>
pamtester: Authentication failure<br>
root@domac:/home/admin/mtodorov/build/pam_url# pamtester -v
test notexisting authenticate<br>
pamtester: invoking pam_start(test, notexisting, ...)<br>
pamtester: performing operation - authenticate<br>
161.53.235.3 - - [22/Jan/2022:09:35:58 +0100] "POST
/cgi-bin/myauth.php HTTP/2.0" 400 125 "-" "pam_url/0.3.3"<br>
pamtester: Authentication failure<br>
root@domac:/home/admin/mtodorov/build/pam_url#<br>
</p>
<p>I feel like I'm out of options.</p>
<p>pam_url/pam_url.c has this:</p>
<p> if( CURLE_OK != curl_easy_perform(eh) )<br>
goto curl_error;<br>
<br>
// No errors<br>
free(post);<br>
curl_easy_cleanup(eh);<br>
curl_global_cleanup();<br>
return PAM_SUCCESS;<br>
</p>
<p>so the "200 OK" should be sufficient to authorize, but
something spurious seems to be happening.<br>
<br>
I hope I can be given an idea, as I feel I ran out of
options.<br>
</p>
<p>Kind regards,<br>
Mirsad</p>
<div class="moz-cite-prefix">On 1/21/2022 5:03 PM, Paul
Wouters wrote:<br>
</div>
<blockquote type="cite"
cite="mid:48823398-B626-4622-893E-CD1B8D9F181C@nohats.ca">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
to use pam, you create or modify /etc/pam.d/pluto
<div><br>
</div>
<div>For example, you could change this file to use pam_url
as the pam module and then run your own REST http server
that will receive the authorization name and you can write
you own code to respond with either “yes” or “no”.</div>
<div><br>
</div>
<div>This part is not libreswan specific, and you can test
your pam module using pam_tester and specifying the
“pluto” method that will then use /etc/pam.d/pluto to
perform the check to your backend. Once pam_tester works,
libreswan should work too.</div>
<div><br>
</div>
<div>Paul <br>
<br>
<div dir="ltr">Sent using a virtual keyboard on a phone</div>
<div dir="ltr"><br>
<blockquote type="cite">On Jan 21, 2022, at 10:44,
Mirsad Goran Todorovac <a
class="moz-txt-link-rfc2396E"
href="mailto:mirsad.todorovac@alu.unizg.hr"
moz-do-not-send="true"><mirsad.todorovac@alu.unizg.hr></a>
wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>Hello Paul, Manfred,</p>
<p>SO far I have located the lines in the source, but
I am unable to decypher what these meant to do:</p>
<p>pluto/pam-conv.c:<br>
143 what = "pam_start";<br>
144 retval = pam_start("pluto",
arg->name, &conv, &pamh);<br>
145 if (retval != PAM_SUCCESS)<br>
146 break;<br>
147 dbg_pam_step(arg, what);<br>
148<br>
149 /* Send the remote host address
to PAM */<br>
150 what = "pam_set_item";<br>
151 address_buf rhb;<br>
152 retval = pam_set_item(pamh,
PAM_RHOST, str_address(&arg->rhost,
&rhb));<br>
153 if (retval != PAM_SUCCESS)<br>
154 break;<br>
155 dbg_pam_step(arg, what);<br>
156<br>
157 /* Two factor authentication -
Check that the user is valid,<br>
158 * and then check if they are
permitted access<br>
159 */<br>
160 what = "pam_authenticate";<br>
161 retval = pam_authenticate(pamh,
PAM_SILENT); /* is user really user? */<br>
162 if (retval != PAM_SUCCESS)<br>
163 break;<br>
164 dbg_pam_step(arg, what);<br>
165<br>
166 what = "pam_acct_mgmt";<br>
167 retval = pam_acct_mgmt(pamh, 0);
/* permitted access? */<br>
168 if (retval != PAM_SUCCESS)<br>
169 break;<br>
170 dbg_pam_step(arg, what);<br>
171<br>
172 /* success! */<br>
173 pam_end(pamh, PAM_SUCCESS);<br>
174 return true;<br>
</p>
<p>From this it appears that the username should be on
the PAM side, and not in the ipsec.secret (5) file.<br>
But I don't know which file yet. I think that I am
rather certain that it shouldn't mess with
/etc/passwd, for it doesn't allow spaces in
usernames, does it?</p>
<p>Mirsad<br>
</p>
<div class="moz-cite-prefix">On 21.1.2022. 16:00,
Mirsad Goran Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f67dd47d-1d72-4cec-0e29-8cda978b64be@alu.unizg.hr">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>On 21.1.2022. 15:08, Paul Wouters wrote:<br>
</p>
<blockquote type="cite"
cite="mid:A06B4250-A229-4F69-8A8D-2D433E52AD5E@nohats.ca">Hello,
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I have installed the IKEv2 VPN connection at my colleague's laptop and he disappointingly noticed that there is no password authentication in addition to certificate.
This is also akward because we would have to change all certificates if i.e. one laptop configured for the Faculty VPN was lost or stolen. :-(
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">I don't think this is right. The certificate system (in general, not libreswan's specifically) is explicitly designed so that you don't have to do that.
Ref CRL (Certificate Revocation List).
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Exactly. You only need to revoke the laptop certificate. The CA certificate is on the laptop too but not the CA certificate’s private key, only the public key.
An additional password adds little security assuming there is already a login password, an automatic screen lock after a few minutes and whole disk encryption with a password.
The libreswan pam option for IKEv2 is only meant for the server to check authorization of the client ID (usually a cert), not authentication. This is so you can temporary lock out a user without (irrevocably) revoking their certificate. This is often used when a customer hasn’t paid their bill for instance, or could be used if a laptop is missing but most likely will be found again.</pre>
</blockquote>
<p>1. I agree this opportunity to temporary disable
the login with a certificate would be practical. I
have generated the certificates as proposed on the
link: <a class="moz-txt-link-freetext"
href="https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2#Example_certificate_generation_with_certutil"
moz-do-not-send="true">https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2#Example_certificate_generation_with_certutil</a><br>
<br>
export PARM='--keyUsage
digitalSignature,keyEncipherment --extKeyUsage
serverAuth,clientAuth'<br>
certutil -S -c "GRF-UNIZG CA" -n
"laptop-marko.grf.hr" -s
"O=GRF-UNIZG,CN=laptop-marko.grf.hr" -k rsa -g
4096 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8
"laptop-marko.grf.hr"<br>
pk12util -o laptop-marko.grf.hr.p12 -n
"laptop-marko.grf.hr" -d sql:${HOME}/tmpdb/</p>
<p>I have imported the cert into Windows 10
certificate manager in the "Local Machine"
keystore.</p>
<p>I can't seem to understand how to revoke such a
local certificate. It is not generated by
Letsencrypt or Sectigo, so where does ipsec check
for revocation lists?</p>
<p>However, once it is revoked, the damage is done.
I can't make it alive again, can I? So, there is a
justified question:</p>
<p>2. Can I get a pointer to the username/password
file for the certificates? I don't know if it
should be in /etc/ipsec.d/hostname.secrets, and
what is the syntax considering that the username
contains spaces when expanded by certificate check
facility of I think pluto.</p>
<p>As the username is as it appears in the pluto
log, what is the location and syntax of the
password file? And who would provide password?
Windows 10 client or else?<br>
</p>
<p>Jan 20 09:45:03.533787: | PAM: #1: PAM-process
completed for user 'CN=pc-mtodorov.alu.hr,
O=ALU-UNIZG' with result FAILURE</p>
<p>This would be a great feature to have.<br>
However, the manual ipsec.conf (5) only says this:</p>
<blockquote>
<p class="level0"><span class="bold">pam-authorize</span>
</p>
<p class="level1">IKEv1 supports PAM authorization
via XAUTH using <span class="emphasis">xauthby=pam</span>.
IKEv2 does not support receiving a plaintext
username and password. Libreswan does not yet
support EAP authentication methods for IKE. The
pam-authorize=yes option performs an
authorization call via PAM, but only includes
the remote ID (not username or password). This
allows for backends to disallow an ID based on
non-password situations, such as "user disabled"
or "user over quota". See also <span
class="emphasis">xauthby=pam<br>
</span></p>
</blockquote>
<p>It is not clear to me which file should provide
remote ID list with permissions? And the syntax.</p>
<p>My current /etc/pam.d/pluto looks like this:</p>
<p>root@domac:~# cat /etc/pam.d/pluto<br>
#%PAM-1.0<br>
auth required pam_unix.so<br>
auth required pam_nologin.so<br>
account required pam_unix.so<br>
password required pam_unix.so<br>
session required pam_unix.so<br>
session required pam_loginuid.so<br>
root@domac:~#<br>
</p>
<p>The 4.6 distribution original did not work for me
either: it said simply this:</p>
<p>Jan 20 09:07:48.551340: "MYCONN-ikev2-cp"[4]
193.198.186.218 #2: IKEv2 FAILED during
pam_authenticate with 'Permission denied' for<br>
state #2, MYCONN-ikev2-cp[4]
user=CN=pc-mtodorov.alu.hr, O=ALU-UNIZG.<br>
Jan 20 09:07:48.551600: | PAM: #2: PAM-process
completed for user 'CN=pc-mtodorov.alu.hr,
O=ALU-UNIZG' with result FAILURE<br>
Jan 20 09:07:48.552834: | processing signal
PLUTO_SIGCHLD<br>
Jan 20 09:07:48.552890: | waitpid returned pid
2652 (exited with status 1)<br>
Jan 20 09:07:48.552903: | suspend: restoring
MD@0x55f56d8e5aa8 from state #2
(server_fork_sigchld_handler() +224
programs/pluto/ser<br>
ver_fork.c)<br>
Jan 20 09:07:48.552928: | #2 waited 0.010288 for
'pamauth' fork()<br>
Jan 20 09:07:48.552941: "MYCONN-ikev2-cp"[4]
193.198.186.218 #2: PAM: authentication of user
'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' FAILED after
0.01074 seconds</p>
<p>I would love this feature to work on my VPN
server. Libreswan team is very motivational for
experimenting. As I said before, I felt moved by
the all-inclusive code of conduct for the project
:-)<br>
</p>
<blockquote type="cite"
cite="mid:A06B4250-A229-4F69-8A8D-2D433E52AD5E@nohats.ca">
<pre class="moz-quote-pre" wrap="">The next version of libreswan will add EAPTLS authentication, so windows won’t require administrative rights to add the IKEv2 connection. Once that it is, perhaps another EAP method - mschapv2 - will be added that does add a user / password method that can be used without certificates.</pre>
</blockquote>
This sounds great. Looking forward to testing it :-)
<pre class="moz-quote-pre" wrap="">Kind regards,
Mirsad
</pre>
<pre class="moz-signature" cols="72">--
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu</pre>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Swan@lists.libreswan.org" moz-do-not-send="true">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan" moz-do-not-send="true">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu</pre>
<span>_______________________________________________</span><br>
<span>Swan mailing list</span><br>
<span><a class="moz-txt-link-abbreviated
moz-txt-link-freetext"
href="mailto:Swan@lists.libreswan.org"
moz-do-not-send="true">Swan@lists.libreswan.org</a></span><br>
<span><a class="moz-txt-link-freetext"
href="https://lists.libreswan.org/mailman/listinfo/swan"
moz-do-not-send="true">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br>
</div>
</blockquote>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Swan@lists.libreswan.org" moz-do-not-send="true">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan" moz-do-not-send="true">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Swan@lists.libreswan.org" moz-do-not-send="true">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan" moz-do-not-send="true">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
</body>
</html>