<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>I can publish a patch diff. I have really made very small
      modifications. A couple of lines.</p>
    <p>I would also like to map certificate subject lines to unix
      usernames, put the user into utmp and display the connected user
      with the `w` or `who` commands. But I'm not sure how it's done yet.<br>
    </p>
    <p>Maybe I should think of forking pam_url and supplying a Debian
      .deb package, since only .rpm exists in the wild?</p>
    <p>I do have configs that work, of course, but the original pam_url
      required a password, so I skip the prompt if the password token is
      not in the config file /etc/pam_url.h or is commented out.<br>
      Plus four additional lines of debugging to see the exact code
      returned by the CGI script; the total modification is about half a
      dozen lines.<br>
    </p>
    <p>There were non-transparent errors, like missing libraries in the
      libcurl.so.4 call, which could only be seen with a DEBUG recompile. I
      think a .deb module with the right dependencies would clear up the
      confusion.<br>
    </p>
    <p>pam-authenticate is a very practical method of access control. I
      would like to clear up the doubts that it decreases the security of
      the IKEv2 VPN, or that it is unprofessional, because pam_url calls a
      cgi-bin script in .php over a TLSv1.3 connection.</p>
    <p>May the LORD help me with that.<br>
    </p>
    <div class="moz-cite-prefix">Kind regards,</div>
    <div class="moz-cite-prefix">Mirsad<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
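    <p>The back end that pam_url talks to is the part of this setup the thread never
      shows in full, so here is an added example of one: a small HTTP service that
      receives the remote ID pluto hands to PAM (the certificate DN, e.g.
      "CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG"), looks it up in a per-certificate
      enabled/disabled list, and also maps it to a unix username as asked for above.
      This is example code written for this page, not code from pam_url, libreswan or
      the thread's author. It assumes (labelled in the code) that pam_url POSTs the
      user in a form field named "user" and the PAM call type in a field named "mode",
      and that it treats the call as successful when the configured return string
      ("OK" here) appears in the response body; the account-file format, the field
      names and the port are constructed for the example.</p>

```python
"""Hypothetical HTTP back end for pam_url behind libreswan's pam-authorize=yes.

Added example; not code from pam_url, libreswan or the thread. Assumptions:
pam_url POSTs the user in a field named "user" (pam_url.conf userfield) and
the PAM call type in a field named "mode", and it treats the call as
successful when the response body contains the configured return string.
The account-file format below is constructed for this example.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

RETURN_STRING = "OK"   # assumption: same string as configured in pam_url.conf
USER_FIELD = "user"    # assumption: same name as userfield in pam_url.conf
SUPPORTED_MODES = ("PAM_SM_AUTH", "PAM_SM_ACCOUNT")  # pluto calls authenticate, then acct_mgmt

# Constructed sample account file: certificate DN, unix user, state (tab separated).
# The third row has a backslash-escaped comma inside a value.
SAMPLE_ACCOUNTS = """\
CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG\tmtodorov\tenabled
CN=laptop-marko.grf.hr, O=GRF-UNIZG\tmarko\tdisabled
CN=Smith\\, John, O=ALU-UNIZG\tjsmith\tenabled
"""


def parse_dn(dn):
    """Split an RFC 4514 style DN into (ATTR, value) pairs.

    Backslash-escaped commas stay inside the value; unescaped commas separate
    RDNs. Whitespace around separators is dropped, so pluto's "CN=x, O=y" and
    a compact "CN=x,O=y" compare equal.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def canonical(dn):
    """Hashable lookup key for a DN, independent of spacing and attribute case."""
    return tuple(parse_dn(dn))


def load_accounts(text):
    """Parse the account file into {canonical DN: (unix_user, enabled)}."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3 or fields[2] not in ("enabled", "disabled"):
            raise ValueError("account file line %d malformed" % lineno)
        accounts[canonical(fields[0])] = (fields[1], fields[2] == "enabled")
    return accounts


def authorize(identity, accounts):
    """Decide for one remote ID: (allowed, unix_user or None, reason)."""
    try:
        key = canonical(identity)
    except ValueError:
        return False, None, "unparsable id"
    entry = accounts.get(key)
    if entry is None:
        return False, None, "unknown certificate"
    unix_user, enabled = entry
    if not enabled:
        return False, unix_user, "disabled"
    return True, unix_user, "permitted"


def decide(form, accounts):
    """Map a decoded POST form to (HTTP status, body); no socket code, so testable.

    A deny body must never contain RETURN_STRING, because (assumption) pam_url
    matches that substring in the body rather than looking at the HTTP status.
    """
    identity = form.get(USER_FIELD, [""])[0]
    mode = form.get("mode", ["PAM_SM_AUTH"])[0]
    if mode not in SUPPORTED_MODES:
        return 403, "DENIED: unsupported mode\n"
    allowed, unix_user, reason = authorize(identity, accounts)
    if not allowed:
        return 403, "DENIED: %s\n" % reason
    # Same answer for the auth and the account call; the unix user is echoed
    # so a caller can map the certificate to a local account.
    return 200, "%s user=%s mode=%s\n" % (RETURN_STRING, unix_user, mode)


def make_handler(accounts):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
            status, body = decide(form, accounts)
            data = body.encode("utf-8")
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return Handler


if __name__ == "__main__":
    # Plain HTTP on loopback only; terminate TLS in front of it, as the thread does.
    HTTPServer(("127.0.0.1", 8080), make_handler(load_accounts(SAMPLE_ACCOUNTS))).serve_forever()
```

    <p>Run it and try it by hand with something like
      curl --data-urlencode 'user=CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG' --data-urlencode 'mode=PAM_SM_ACCOUNT' http://127.0.0.1:8080/
      before pointing pam_url.conf at it. Two design points: the deny path answers
      with a 403 and a body that cannot contain the return string, so a back end
      that merely changes the status code (as the 200/400 script lower in this
      thread did) is not enough under the stated assumption; and the service answers
      both PAM_SM_AUTH and PAM_SM_ACCOUNT, because the pam-conv.c excerpt quoted
      further down shows pluto calling pam_authenticate and then pam_acct_mgmt, and
      the log in the thread shows the second call failing once the account lines in
      /etc/pam.d/pluto were commented out.</p>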
    <div class="moz-cite-prefix">On 1/24/2022 2:19 AM, Paul Wouters
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:06254660-23CF-4B55-9D48-DB74B62A9A72@nohats.ca">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      I have wanted to put a pam_url example in libreswan/contrib but I
      also ended up modifying pam_url, so I never did. If you have
      configs you want to share for unmodified versions, I’d be happy to
      include it as documentation <br>
      <br>
      <div dir="ltr">Sent using a virtual keyboard on a phone</div>
      <div dir="ltr"><br>
        <blockquote type="cite">On Jan 23, 2022, at 17:57, Mirsad Goran
          Todorovac <a class="moz-txt-link-rfc2396E" href="mailto:mirsad.todorovac@alu.unizg.hr"><mirsad.todorovac@alu.unizg.hr></a> wrote:<br>
          <br>
        </blockquote>
      </div>
      <blockquote type="cite">
        <div dir="ltr">
          <meta http-equiv="Content-Type" content="text/html;
            charset=UTF-8">
          <p>SOLVED.</p>
          <p>pam_url authentications worked (with minor problems) also
            on our Debian 11 Bullseye server with libreswan 4.6.</p>
          <p>gcc-11 had reported linking errors, which were easily fixed,
            but the setup required additional debugging turned on in
            pam_url, so I don't think this will attract too many users.
            I would like to make this pam-authenticate more usable and
            user-friendly.</p>
          <p>Kind regards,<br>
            Mirsad</p>
          <div class="moz-cite-prefix">On 1/22/2022 1:55 PM, Mirsad
            Goran Todorovac wrote:<br>
          </div>
          <blockquote type="cite"
            cite="mid:71fffa1a-7a8d-c318-23fa-cc135474beef@alu.unizg.hr">
            <meta http-equiv="Content-Type" content="text/html;
              charset=UTF-8">
            <p>Now, it works and it connects IKEv2.</p>
            <p>I have hacked the PAM to call the pam_acct_mgmt with the
              same pam_url module. Optionally it can be administered
              with two files, but as a quick fix I have just copy+pasted
              the auth stuff.</p>
            <p>IMHO it is only added functionality (I can disable and
              reenable connections per certificate), so I hope I haven't
              introduced any security issues. It shouldn't, since I used
              an ECDSA-backed TLS 1.3 connection.<br>
            </p>
            <p>However, pam_url is a little bit rusty; it doesn't
              even compile out of the box.</p>
            <p>I will put my modified version that works here (so others
              wouldn't waste time debugging): <a
                class="moz-txt-link-freetext"
                href="https://domac.alu.hr/~mtodorov/contrib/pam_url_0.3.3mod.tgz"
                moz-do-not-send="true">https://domac.alu.hr/~mtodorov/contrib/pam_url_0.3.3mod.tgz</a></p>
            <p>Thanks for all help. Now I feel like we are ready for
              some serious testing.</p>
            <p>I really feel great about libreswan and the developer
              team. It is so open for hacking ;-)</p>
            <p>Have a nice day!</p>
            <p>Mirsad<br>
            </p>
            <div class="moz-cite-prefix">On 1/22/2022 1:17 PM, Mirsad
              Goran Todorovac wrote:<br>
            </div>
            <blockquote type="cite"
              cite="mid:a2fea545-8e3e-170c-37f0-ce9fe3e9e003@alu.unizg.hr">
              <meta http-equiv="Content-Type" content="text/html;
                charset=UTF-8">
              <p>Hi again,</p>
              <p>I jumped to a conclusion. pamtester authentication works,
                but IKEv2 doesn't connect and the pluto.log
                still shows "Permission denied" from some other source:</p>
              <font face="monospace">root@domac:/home/admin/mtodorov/build/pam_url#
                pamtester -v pluto "CN=laptop-mtodorov.alu.hr,
                O=ALU-UNIZG" authenticate<br>
                pamtester: invoking pam_start(pluto,
                CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG, ...)<br>
                pamtester: performing operation - authenticate<br>
                pamtester: successfully authenticated<br>
              </font>
              <p><font face="monospace">root@domac:/home/admin/mtodorov/build/pam_url#</font></p>
              <p>/var/log/pluto.log:<br>
                <font face="monospace">Jan 22 13:01:12.094415: | IKEv2
                  helper thread pam_start for state #4,
                  MYCONN-ikev2-cp[8] user=CN=laptop-mtodorov.alu.hr,
                  O=ALU-UNIZG.<br>
                  Jan 22 13:01:12.094450: | IKEv2 helper thread
                  pam_set_item for state #4, MYCONN-ikev2-cp[8]
                  user=CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG.<br>
                  Jan 22 13:01:12.107438: | IKEv2 helper thread
                  pam_authenticate for state #4, MYCONN-ikev2-cp[8]
                  user=CN=laptop-mtodorov.alu.hr, O=ALU-UNIZG.<br>
                  Jan 22 13:01:12.108427: "MYCONN-ikev2-cp"[8]
                  188.252.254.228 #4: IKEv2 FAILED during pam_acct_mgmt
                  with 'Authentication failure' for state #4,
                  MYCONN-ikev2-cp[8] user=CN=laptop-mtodorov.alu.hr,
                  O=ALU-UNIZG.<br>
                  Jan 22 13:01:12.108763: | PAM: #4: PAM-process
                  completed for user 'CN=laptop-mtodorov.alu.hr,
                  O=ALU-UNIZG' with result FAILURE<br>
                  Jan 22 13:01:12.110169: | processing signal
                  PLUTO_SIGCHLD</font><br>
              </p>
              <p>/etc/pam.d/pluto:<br>
                <font face="monospace">#%PAM-1.0<br>
                  auth       required     pam_env.so<br>
                  auth       sufficient   /lib64/security/pam_url.so
                  config=/etc/pam_url.conf debug<br>
                  auth       requisite    pam_succeed_if.so uid >=
                  500 quiet debug<br>
                  auth       required     pam_deny.so debug<br>
                  <br>
                  # account    include      system-auth<br>
                  # password   include      system-auth<br>
                  # session    optional     pam_keyinit.so revoke<br>
                  # session    required     pam_limits.so<br>
                </font></p>
              <p>This seems weird, but now I am really out of options,
                for it doesn't behave as it should.</p>
              <p>I felt so close to the solution. Now it seems like
                going back to square one.</p>
              <p>Mirsad<br>
              </p>
              <div class="moz-cite-prefix">On 1/22/2022 12:50 PM, Mirsad
                Goran Todorovac wrote:<br>
              </div>
              <blockquote type="cite"
                cite="mid:1780d5a2-24e3-64a4-e6b2-3893f6366a3c@alu.unizg.hr">
                <meta http-equiv="Content-Type" content="text/html;
                  charset=UTF-8">
                <p>Dear Paul,</p>
                <p>I have succeeded making it work, with some tweaking
                  to pam_url source.</p>
                <p>Apropos /etc/pam.d/pluto, it appears to be a part of
                  the Debian libreswan package, so I mailed the
                  maintainer.</p>
                <p>Thank you for your thoughts and prayers.</p>
                <p>This was an exciting challenge, with ups and downs
                  ;-)</p>
                <p>Kind regards,<br>
                  Mirsad<br>
                </p>
                <div class="moz-cite-prefix">On 1/22/2022 9:47 AM,
                  Mirsad Goran Todorovac wrote:<br>
                </div>
                <blockquote type="cite"
                  cite="mid:7d6a85ce-0d81-5c5d-d4e0-e0c4601d7f14@alu.unizg.hr">
                  <meta http-equiv="Content-Type" content="text/html;
                    charset=UTF-8">
                  <p>P.P.S.</p>
                  <p>I apologize, the link in the previous email
                    executed the PHP script instead of displaying the
                    source. Here is the fixed link:</p>
                  <p><a class="moz-txt-link-freetext"
                      href="https://domac.alu.hr/mtodorov/myauth.php.txt"
                      moz-do-not-send="true">https://domac.alu.hr/mtodorov/myauth.php.txt</a></p>
                  <p>But IMHO the script works as intended: it returns
                    200 OK if the user exists in the account.txt
                    file.<br>
                    The problem seems to be in the /etc/pam.d/test that
                    I can't seem to get right.<br>
                  </p>
                  <p>Mirsad<br>
                  </p>
                  <div class="moz-cite-prefix">On 1/22/2022 9:39 AM,
                    Mirsad Goran Todorovac wrote:<br>
                  </div>
                  <blockquote type="cite"
                    cite="mid:1494caa4-bfb5-570f-f804-e960b501e16b@alu.unizg.hr">
                    <meta http-equiv="Content-Type" content="text/html;
                      charset=UTF-8">
                    <p>Hello Paul,</p>
                    <p>I have unsuccessfully tried libpam-pkcs11 but it
                      seems to require a card slot and it didn't work
                      with NSS.</p>
                    <p>I have succeeded in enabling pam_url with SSL on my
                      local web server to call my CGI-BIN script.</p>
                    <p>However, I couldn't make it to work with PAM.</p>
                    <p>However, there seems to be a problem with the
                      default /etc/pam.d/pluto with libreswan-4.6. It
                      includes system-auth, but system-auth does not
                      exist in my Debian server's /etc/pam.d . It seems
                      to be sort of a RedHat thing.</p>
                    <p>The file is:</p>
                    <p>% cat /etc/pam.d/pluto<br>
                      #%PAM-1.0<br>
                      # Regular System auth<br>
                      auth include system-auth<br>
                      #<br>
                      # Google Authenticator with Regular System auth in
                      combined prompt mode<br>
                      # (OTP is added to the password at the password
                      prompt without separator)<br>
                      # auth required pam_google_authenticator.so
                      forward_pass<br>
                      # auth include system-auth use_first_pass<br>
                      #<br>
                      # Common<br>
                      account required pam_nologin.so<br>
                      auth    sufficient pam_pkcs11.so<br>
                      account include system-auth<br>
                      password include system-auth<br>
                      session optional pam_keyinit.so debug force revoke<br>
                      session include system-auth<br>
                      session required pam_loginuid.so<br>
                    </p>
                    <p>The /etc/pam.d/test for pam_url also calls
                      system-auth:</p>
                    <p># cat /etc/pam.d/test<br>
                      #%PAM-1.0<br>
                      auth       required     pam_env.so<br>
                      auth       sufficient   /lib64/security/pam_url.so
                      debug config=/etc/pam_url.conf<br>
                      auth       requisite    pam_succeed_if.so uid
                      >= 500 quiet<br>
                      auth       required     pam_deny.so<br>
                      <br>
                      account    include      system-auth<br>
                      password   include      system-auth<br>
                      session    optional     pam_keyinit.so revoke<br>
                      session    required     pam_limits.so<br>
                    </p>
                    <p>It seems to be made for local users.</p>
                    <p>I am going to paste a working system-auth from
                      the web, but it is rather cumbersome :-P</p>
                    <p>I feel really confused, as I see none of the
                      functions in pam_authenticate return "yes" or
                      "no". Maybe I was wrong to take it literally.</p>
                    <p>I have succeeded in getting the script called
                      from pamtester and returning "200 OK" in case the
                      username is in the permitted access file, and "400
                      Bad Request" if it is not.</p>
                    <p>However, pamtester treats both of these cases as
                      "Authentication failure":</p>
                    <p>root@domac:/home/admin/mtodorov/build/pam_url#
                      pamtester -v test user1 authenticate<br>
                      pamtester: invoking pam_start(test, user1, ...)<br>
                      pamtester: performing operation - authenticate<br>
                      161.53.235.3 - - [22/Jan/2022:09:35:45 +0100]
                      "POST /cgi-bin/myauth.php HTTP/2.0" 200 134 "-"
                      "pam_url/0.3.3"<br>
                      pamtester: Authentication failure<br>
                      root@domac:/home/admin/mtodorov/build/pam_url#
                      pamtester -v test notexisting authenticate<br>
                      pamtester: invoking pam_start(test, notexisting,
                      ...)<br>
                      pamtester: performing operation - authenticate<br>
                      161.53.235.3 - - [22/Jan/2022:09:35:58 +0100]
                      "POST /cgi-bin/myauth.php HTTP/2.0" 400 125 "-"
                      "pam_url/0.3.3"<br>
                      pamtester: Authentication failure<br>
                      root@domac:/home/admin/mtodorov/build/pam_url#<br>
                    </p>
                    <p>I feel like I'm out of options.</p>
                    <p>pam_url/pam_url.c has this:</p>
                    <pre class="moz-quote-pre" wrap="">        if( CURLE_OK != curl_easy_perform(eh) )
                goto curl_error;

        // No errors
        free(post);
        curl_easy_cleanup(eh);
        curl_global_cleanup();
        return PAM_SUCCESS;
</pre>
                    <p>so the "200 OK" should be sufficient to
                      authorize, but something spurious seems to be
                      happening.<br>
                      <br>
                      I hope I can be given an idea, as I feel I ran out
                      of options.<br>
                    </p>
                    <p>Kind regards,<br>
                      Mirsad</p>
                    <div class="moz-cite-prefix">On 1/21/2022 5:03 PM,
                      Paul Wouters wrote:<br>
                    </div>
                    <blockquote type="cite"
                      cite="mid:48823398-B626-4622-893E-CD1B8D9F181C@nohats.ca">
                      <meta http-equiv="content-type"
                        content="text/html; charset=UTF-8">
                      To use PAM, you create or modify /etc/pam.d/pluto.
                      <div><br>
                      </div>
                      <div>For example, you could change this file to
                        use pam_url as the pam module and then run your
                        own REST http server that will receive the
                        authorization name and you can write your own
                        code to respond with either “yes” or “no”.</div>
                      <div><br>
                      </div>
                      <div>This part is not libreswan specific, and you
                        can test your pam module using pamtester and
                        specifying the “pluto” method that will then use
                        /etc/pam.d/pluto to perform the check to your
                        backend. Once pamtester works, libreswan should
                        work too.</div>
                      <div><br>
                      </div>
                      <div>Paul <br>
                        <br>
                        <div dir="ltr">Sent using a virtual keyboard on
                          a phone</div>
                        <div dir="ltr"><br>
                          <blockquote type="cite">On Jan 21, 2022, at
                            10:44, Mirsad Goran Todorovac <a
                              class="moz-txt-link-rfc2396E"
                              href="mailto:mirsad.todorovac@alu.unizg.hr"
                              moz-do-not-send="true"><mirsad.todorovac@alu.unizg.hr></a>
                            wrote:<br>
                            <br>
                          </blockquote>
                        </div>
                        <blockquote type="cite">
                          <div dir="ltr">
                            <meta http-equiv="Content-Type"
                              content="text/html; charset=UTF-8">
                            <p>Hello Paul, Manfred,</p>
                            <p>So far I have located the lines in the
                              source, but I am unable to decipher what
                              these are meant to do:</p>
                            <p>pluto/pam-conv.c:</p>
                            <pre class="moz-quote-pre" wrap="">                what = "pam_start";
                retval = pam_start("pluto", arg->name, &conv, &pamh);
                if (retval != PAM_SUCCESS)
                        break;
                dbg_pam_step(arg, what);

                /* Send the remote host address to PAM */
                what = "pam_set_item";
                address_buf rhb;
                retval = pam_set_item(pamh, PAM_RHOST, str_address(&arg->rhost, &rhb));
                if (retval != PAM_SUCCESS)
                        break;
                dbg_pam_step(arg, what);

                /* Two factor authentication - Check that the user is valid,
                 * and then check if they are permitted access
                 */
                what = "pam_authenticate";
                retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */
                if (retval != PAM_SUCCESS)
                        break;
                dbg_pam_step(arg, what);

                what = "pam_acct_mgmt";
                retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
                if (retval != PAM_SUCCESS)
                        break;
                dbg_pam_step(arg, what);

                /* success! */
                pam_end(pamh, PAM_SUCCESS);
                return true;
</pre>
                            <p>From this it appears that the username
                              should be on the PAM side, and not in the
                              ipsec.secret (5) file.<br>
                              But I don't know which file yet. I think
                              that I am rather certain that it shouldn't
                              mess with /etc/passwd, for it doesn't
                              allow spaces in usernames, does it?</p>
                            <p>Mirsad<br>
                            </p>
                            <div class="moz-cite-prefix">On 21.1.2022.
                              16:00, Mirsad Goran Todorovac wrote:<br>
                            </div>
                            <blockquote type="cite"
                              cite="mid:f67dd47d-1d72-4cec-0e29-8cda978b64be@alu.unizg.hr">
                              <meta http-equiv="Content-Type"
                                content="text/html; charset=UTF-8">
                              <p>On 21.1.2022. 15:08, Paul Wouters
                                wrote:<br>
                              </p>
                              <blockquote type="cite"
                                cite="mid:A06B4250-A229-4F69-8A8D-2D433E52AD5E@nohats.ca">Hello,
                                <blockquote type="cite">
                                  <blockquote type="cite">
                                    <pre class="moz-quote-pre" wrap="">I have installed the IKEv2 VPN connection at my colleague's laptop and he disappointingly noticed that there is no password authentication in addition to certificate.
This is also awkward because we would have to change all certificates if i.e. one laptop configured for the Faculty VPN was lost or stolen. :-(
</pre>
                                  </blockquote>
                                  <pre class="moz-quote-pre" wrap="">I don't think this is right. The certificate system (in general, not libreswan's specifically) is explicitly designed so that you don't have to do that.
Ref CRL (Certificate Revocation List).
</pre>
                                </blockquote>
                                <pre class="moz-quote-pre" wrap="">Exactly. You only need to revoke the laptop certificate. The CA certificate is on the laptop too but not the CA certificate’s private key, only the public key.

An additional password adds little security assuming there is already a login password, an automatic screen lock after a few minutes and whole disk encryption with a password.

The libreswan pam option for IKEv2 is only meant for the server to check authorization of the client ID (usually a cert), not authentication. This is so you can temporarily lock out a user without (irrevocably) revoking their certificate. This is often used when a customer hasn’t paid their bill for instance, or could be used if a laptop is missing but most likely will be found again.</pre>
                              </blockquote>
                              <p>1. I agree this opportunity to
                                temporarily disable the login with a
                                certificate would be practical. I have
                                generated the certificates as proposed
                                on the link: <a
                                  class="moz-txt-link-freetext"
href="https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2#Example_certificate_generation_with_certutil"
                                  moz-do-not-send="true">https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2#Example_certificate_generation_with_certutil</a></p>
                              <pre class="moz-quote-pre" wrap="">export PARM='--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth'
certutil -S -c "GRF-UNIZG CA" -n "laptop-marko.grf.hr" -s "O=GRF-UNIZG,CN=laptop-marko.grf.hr"  -k rsa -g 4096 -v 12 -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "laptop-marko.grf.hr"
pk12util -o laptop-marko.grf.hr.p12 -n "laptop-marko.grf.hr" -d sql:${HOME}/tmpdb/
</pre>
                              <p>I have imported the cert into Windows
                                10 certificate manager in the "Local
                                Machine" keystore.</p>
                              <p>I can't seem to understand how to
                                revoke such a local certificate. It is
                                not generated by Letsencrypt or Sectigo,
                                so where does ipsec check for revocation
                                lists?</p>
                              <p>However, once it is revoked, the damage
                                is done. I can't make it alive again,
                                can I? So, there is a justified
                                question:</p>
                              <p>2. Can I get a pointer to the
                                username/password file for the
                                certificates? I don't know if it should
                                be in /etc/ipsec.d/hostname.secrets, and
                                what is the syntax considering that the
                                username contains spaces when expanded
                                by certificate check facility of I think
                                pluto.</p>
                              <p>As the username is as it appears in the
                                pluto log, what is the location and
                                syntax of the password file? And who
                                would provide the password? The Windows 10
                                client, or something else?<br>
                              </p>
                              <p>Jan 20 09:45:03.533787: | PAM: #1:
                                PAM-process completed for user
                                'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG'
                                with result FAILURE</p>
                              <p>This would be a great feature to have.<br>
                                However, the manual ipsec.conf (5) only
                                says this:</p>
                              <blockquote>
                                <p class="level0"><span class="bold">pam-authorize</span>
                                </p>
                                <p class="level1">IKEv1 supports PAM
                                  authorization via XAUTH using <span
                                    class="emphasis">xauthby=pam</span>.
                                  IKEv2 does not support receiving a
                                  plaintext username and password.
                                  Libreswan does not yet support EAP
                                  authentication methods for IKE. The
                                  pam-authorize=yes option performs an
                                  authorization call via PAM, but only
                                  includes the remote ID (not username
                                  or password). This allows for backends
                                  to disallow an ID based on
                                  non-password situations, such as "user
                                  disabled" or "user over quota". See
                                  also <span class="emphasis">xauthby=pam<br>
                                  </span></p>
                              </blockquote>
                              <p>It is not clear to me which file should
                                provide the remote ID list with permissions,
                                and what the syntax is.</p>
                              <p>My current /etc/pam.d/pluto looks like
                                this:</p>
                              <p>root@domac:~# cat /etc/pam.d/pluto<br>
                                #%PAM-1.0<br>
                                auth       required     pam_unix.so<br>
                                auth       required     pam_nologin.so<br>
                                account    required     pam_unix.so<br>
                                password   required     pam_unix.so<br>
                                session    required     pam_unix.so<br>
                                session    required     pam_loginuid.so<br>
                                root@domac:~#<br>
                              </p>
                              <p>The 4.6 distribution original did not
                                work for me either: it said simply this:</p>
                              <pre class="moz-quote-pre" wrap="">Jan 20 09:07:48.551340: "MYCONN-ikev2-cp"[4] 193.198.186.218 #2: IKEv2 FAILED during pam_authenticate with 'Permission denied' for state #2, MYCONN-ikev2-cp[4] user=CN=pc-mtodorov.alu.hr, O=ALU-UNIZG.
Jan 20 09:07:48.551600: | PAM: #2: PAM-process completed for user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' with result FAILURE
Jan 20 09:07:48.552834: | processing signal PLUTO_SIGCHLD
Jan 20 09:07:48.552890: | waitpid returned pid 2652 (exited with status 1)
Jan 20 09:07:48.552903: | suspend: restoring MD@0x55f56d8e5aa8 from state #2 (server_fork_sigchld_handler() +224 programs/pluto/server_fork.c)
Jan 20 09:07:48.552928: | #2 waited 0.010288 for 'pamauth' fork()
Jan 20 09:07:48.552941: "MYCONN-ikev2-cp"[4] 193.198.186.218 #2: PAM: authentication of user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' FAILED after 0.01074 seconds
</pre>
                              <p>I would love this feature to work on my
                                VPN server. Libreswan team is very
                                motivational for experimenting. As I
                                said before, I felt moved by the
                                all-inclusive code of conduct for the
                                project :-)<br>
                              </p>
                              <blockquote type="cite"
                                cite="mid:A06B4250-A229-4F69-8A8D-2D433E52AD5E@nohats.ca">
                                <pre class="moz-quote-pre" wrap="">The next version of libreswan will add EAPTLS authentication, so windows won’t require administrative rights to add the IKEv2 connection. Once that it is, perhaps another EAP method - mschapv2 - will be added that does add a user / password method that can be used without certificates.</pre>
                              </blockquote>
                              This sounds great. Looking forward to
                              testing it :-)
                              <pre class="moz-quote-pre" wrap="">Kind regards,
Mirsad
</pre>
                              <pre class="moz-signature" cols="72">-- 
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu</pre>
                              <br>
                              <fieldset
                                class="moz-mime-attachment-header"></fieldset>
                              <pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Swan@lists.libreswan.org" moz-do-not-send="true">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan" moz-do-not-send="true">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
                            </blockquote>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                    <pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
                    <br>
                    <fieldset class="moz-mime-attachment-header"></fieldset>
                    <pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Swan@lists.libreswan.org" moz-do-not-send="true">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan" moz-do-not-send="true">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
                  </blockquote>
                </blockquote>
              </blockquote>
            </blockquote>
          </blockquote>
        </div>
      </blockquote>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
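    <p>The pluto log excerpt quoted earlier in this thread ("IKEv2 FAILED
      during pam_authenticate with 'Permission denied' ... user=CN=pc-mtodorov.alu.hr,
      O=ALU-UNIZG") is the kind of line an operator has to triage when
      xauthby=pam does not work. The script below is an added example,
      not libreswan's or pam_url's code: it parses those two message
      shapes from a pluto log, pairs the PAM error text with the final
      verdict, counts failures per peer address, and checks whether the
      identity handed to PAM is even a Unix account name, since a
      pam_unix.so stack like the /etc/pam.d/pluto shown above can only
      match local accounts. The sample log is constructed from the
      quoted lines plus one extra attempt for a plain user name
      (203.0.113.7, 'alice' and its 'Authentication failure' text are
      all made up); the regexes are assumptions fitted to the quoted
      format, not a libreswan-published log grammar.</p>

```python
"""Triage libreswan pluto PAM authentication failures from a log file.

Added example, not libreswan's code. The log format the regexes expect is
inferred from lines quoted in the mailing-list thread; adjust if your
pluto version logs differently.
"""
from __future__ import annotations

import pwd
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: the lines quoted in the thread plus one invented
# attempt (peer 203.0.113.7, user 'alice') for a plain Unix user name.
SAMPLE_LOG = """\
Jan 20 09:07:48.551340: "MYCONN-ikev2-cp"[4] 193.198.186.218 #2: IKEv2 FAILED during pam_authenticate with 'Permission denied' for state #2, MYCONN-ikev2-cp[4] user=CN=pc-mtodorov.alu.hr, O=ALU-UNIZG.
Jan 20 09:07:48.551600: | PAM: #2: PAM-process completed for user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' with result FAILURE
Jan 20 09:07:48.552928: | #2 waited 0.010288 for 'pamauth' fork()
Jan 20 09:07:48.552941: "MYCONN-ikev2-cp"[4] 193.198.186.218 #2: PAM: authentication of user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' FAILED after 0.01074 seconds
Jan 20 09:09:12.100000: "MYCONN-ikev2-cp"[5] 203.0.113.7 #3: IKEv2 FAILED during pam_authenticate with 'Authentication failure' for state #3, MYCONN-ikev2-cp[5] user=alice.
Jan 20 09:09:12.100200: "MYCONN-ikev2-cp"[5] 203.0.113.7 #3: PAM: authentication of user 'alice' FAILED after 0.02100 seconds
"""

# Common prefix: timestamp, connection name and instance, peer address, state number.
_PREFIX = (r'^(?P<ts>\w{3} +\d+ [\d:.]+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
           r"(?P<peer>\S+) #(?P<state>\d+): ")

# Line carrying the PAM error string (pam_strerror text) for an attempt.
REASON_RE = re.compile(
    _PREFIX + r"IKEv2 FAILED during pam_authenticate with '(?P<reason>[^']+)' "
              r"for state #\d+, \S+ user=(?P<user>.+?)\.?$")

# Final verdict line with the identity PAM was given and the elapsed time.
VERDICT_RE = re.compile(
    _PREFIX + r"PAM: authentication of user '(?P<user>[^']+)' "
              r"(?P<result>[A-Z]+) after (?P<secs>[\d.]+) seconds$")


@dataclass
class PamAttempt:
    ts: str
    conn: str
    peer: str
    state: int
    user: str
    result: str                   # verdict word as logged, e.g. FAILED
    seconds: float
    reason: Optional[str] = None  # PAM error text, when pluto logged one


def parse_pam_attempts(lines: Iterable[str]) -> list[PamAttempt]:
    """Collect one PamAttempt per verdict line, attaching any earlier reason."""
    reasons: dict[tuple[str, str], str] = {}
    attempts: list[PamAttempt] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = REASON_RE.match(line)
        if m:
            reasons[(m["state"], m["user"])] = m["reason"]
            continue
        m = VERDICT_RE.match(line)
        if m:
            attempts.append(PamAttempt(
                ts=m["ts"], conn=m["conn"], peer=m["peer"],
                state=int(m["state"]), user=m["user"], result=m["result"],
                seconds=float(m["secs"]),
                reason=reasons.get((m["state"], m["user"]))))
    return attempts


def local_account_exists(name: str, known_users: Optional[set[str]] = None) -> bool:
    """True if `name` is a Unix account; `known_users` overrides /etc/passwd for tests."""
    if known_users is not None:
        return name in known_users
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def explain(a: PamAttempt, known_users: Optional[set[str]] = None) -> str:
    """One-line triage note: was the identity something pam_unix.so could match?"""
    if a.result != "FAILED":
        return f"{a.user}: {a.result}"
    why = a.reason or "no reason logged"
    if not local_account_exists(a.user, known_users):
        return (f"{a.user}: FAILED ({why}); not a local account name, so a pam_unix.so "
                f"stack has nothing to check; map the certificate DN to a Unix user first")
    return f"{a.user}: FAILED ({why}); account exists, inspect the auth/account modules"


def failures_by_peer(attempts: Iterable[PamAttempt]) -> dict[str, int]:
    """Failed attempts per peer address, a cheap signal for repeated bad logins."""
    counts: dict[str, int] = {}
    for a in attempts:
        if a.result == "FAILED":
            counts[a.peer] = counts.get(a.peer, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_pam_attempts(SAMPLE_LOG.splitlines())
    for attempt in found:
        print(explain(attempt, known_users={"alice"}))
    print(failures_by_peer(found))
```

    <p>Run against a real log with <code>parse_pam_attempts(open("/var/log/pluto.log"))</code>
      and no <code>known_users</code> argument, so the account check uses the
      server's own passwd database; the point of the DN check is that a
      certificate subject such as the one in the quoted log is not a name
      pam_unix.so can look up, which is consistent with the 'Permission
      denied' result the stack above produced.</p>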
  </body>
</html>