Hello Paul, Manfred,
So far I have located the lines in the source, but I am unable to
decipher what these are meant to do:
pluto/pam-conv.c, lines 143-174:

	what = "pam_start";
	retval = pam_start("pluto", arg->name, &conv, &pamh);
	if (retval != PAM_SUCCESS)
		break;
	dbg_pam_step(arg, what);

	/* Send the remote host address to PAM */
	what = "pam_set_item";
	address_buf rhb;
	retval = pam_set_item(pamh, PAM_RHOST,
			      str_address(&arg->rhost, &rhb));
	if (retval != PAM_SUCCESS)
		break;
	dbg_pam_step(arg, what);

	/* Two factor authentication - Check that the user is valid,
	 * and then check if they are permitted access
	 */
	what = "pam_authenticate";
	retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */
	if (retval != PAM_SUCCESS)
		break;
	dbg_pam_step(arg, what);

	what = "pam_acct_mgmt";
	retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
	if (retval != PAM_SUCCESS)
		break;
	dbg_pam_step(arg, what);

	/* success! */
	pam_end(pamh, PAM_SUCCESS);
	return true;
From this it appears that the username should be on the PAM side, and
not in the ipsec.secrets(5) file.
But I don't know which file yet. I think that I am rather certain that
it shouldn't mess with /etc/passwd, for it doesn't allow spaces in
usernames, does it?
Mirsad
On 21.1.2022. 16:00, Mirsad Goran Todorovac wrote:
On 21.1.2022. 15:08, Paul Wouters wrote:
Hello,
I have installed the IKEv2 VPN connection at my colleague's laptop and he
disappointingly noticed that there is no password authentication in addition to
certificate.
This is also awkward because we would have to change all certificates if, e.g.,
one laptop configured for the Faculty VPN was lost or stolen. :-(
I don't think this is right. The certificate system (in general, not
libreswan's specifically) is explicitly designed so that you don't have to do
that.
Ref CRL (Certificate Revocation List).
Exactly. You only need to revoke the laptop certificate. The CA certificate is
on the laptop too but not the CA certificate’s private key, only the public key.
An additional password adds little security assuming there is already a login
password, an automatic screen lock after a few minutes and whole disk
encryption with a password.
The libreswan pam option for IKEv2 is only meant for the server to check
authorization of the client ID (usually a cert), not authentication. This is so
you can temporarily lock out a user without (irrevocably) revoking their
certificate. This is often used when a customer hasn’t paid their bill, for
instance, or could be used if a laptop is missing but most likely will be found
again.
1. I agree this opportunity to temporarily disable the login with a
certificate would be practical. I have generated the certificates as
proposed on the link:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2#Example_certificate_generation_with_certutil
export PARM='--keyUsage digitalSignature,keyEncipherment --extKeyUsage serverAuth,clientAuth'

certutil -S -c "GRF-UNIZG CA" -n "laptop-marko.grf.hr" \
    -s "O=GRF-UNIZG,CN=laptop-marko.grf.hr" -k rsa -g 4096 -v 12 \
    -d sql:${HOME}/tmpdb -t ",," ${PARM} -8 "laptop-marko.grf.hr"

pk12util -o laptop-marko.grf.hr.p12 -n "laptop-marko.grf.hr" -d sql:${HOME}/tmpdb/
I have imported the cert into Windows 10 certificate manager in the
"Local Machine" keystore.
I can't seem to understand how to revoke such a local certificate. It
is not generated by Letsencrypt or Sectigo, so where does ipsec check
for revocation lists?
However, once it is revoked, the damage is done. I can't make it alive
again, can I? So, there is a justified question:
2. Can I get a pointer to the username/password file for the
certificates? I don't know if it should be in
/etc/ipsec.d/hostname.secrets, and what is the syntax considering that
the username contains spaces when expanded by certificate check
facility of I think pluto.
As the username is as it appears in the pluto log, what is the
location and syntax of the password file? And who would provide
password? Windows 10 client or else?
Jan 20 09:45:03.533787: | PAM: #1: PAM-process completed for user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' with result FAILURE
This would be a great feature to have.
However, the manual ipsec.conf (5) only says this:
pam-authorize
IKEv1 supports PAM authorization via XAUTH using xauthby=pam.
IKEv2 does not support receiving a plaintext username and
password. Libreswan does not yet support EAP authentication
methods for IKE. The pam-authorize=yes option performs an
authorization call via PAM, but only includes the remote ID (not
username or password). This allows for backends to disallow an ID
based on non-password situations, such as "user disabled" or "user
over quota". See also xauthby=pam
It is not clear to me which file should provide remote ID list with
permissions? And the syntax.
My current /etc/pam.d/pluto looks like this:
root@domac:~# cat /etc/pam.d/pluto
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
root@domac:~#
The 4.6 distribution original did not work for me either: it said
simply this:
Jan 20 09:07:48.551340: "MYCONN-ikev2-cp"[4] 193.198.186.218 #2: IKEv2 FAILED during pam_authenticate with 'Permission denied' for state #2, MYCONN-ikev2-cp[4] user=CN=pc-mtodorov.alu.hr, O=ALU-UNIZG.
Jan 20 09:07:48.551600: | PAM: #2: PAM-process completed for user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' with result FAILURE
Jan 20 09:07:48.552834: | processing signal PLUTO_SIGCHLD
Jan 20 09:07:48.552890: | waitpid returned pid 2652 (exited with status 1)
Jan 20 09:07:48.552903: | suspend: restoring MD@0x55f56d8e5aa8 from state #2 (server_fork_sigchld_handler() +224 programs/pluto/server_fork.c)
Jan 20 09:07:48.552928: | #2 waited 0.010288 for 'pamauth' fork()
Jan 20 09:07:48.552941: "MYCONN-ikev2-cp"[4] 193.198.186.218 #2: PAM: authentication of user 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG' FAILED after 0.01074 seconds
I would love this feature to work on my VPN server. Libreswan team is
very motivational for experimenting. As I said before, I felt moved by
the all-inclusive code of conduct for the project :-)
The next version of libreswan will add EAPTLS authentication, so Windows won’t
require administrative rights to add the IKEv2 connection. Once that is in,
perhaps another EAP method - mschapv2 - will be added that does add a user /
password method that can be used without certificates.
This sounds great. Looking forward to testing it :-)
Kind regards,
Mirsad
--
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
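An added example, not code from this thread or from the libreswan project, showing the kind of /etc/pam.d/pluto that answers the question above: with pam-authorize=yes pluto hands PAM the peer ID (the certificate DN exactly as the pluto log prints it) as the "user", so a stack built on pam_unix fails because that DN is not a UNIX account. The stack staged here uses pam_listfile (a standard Linux-PAM module) to allow IDs from a one-DN-per-line file instead, which also gives the temporary lock-out Paul describes: remove the line, the certificate stays valid, add the line back later. The allow-list path /etc/ipsec.d/pam-allowed-ids, the staging directory and the second DN are assumptions I chose; the first DN is the one from the log in the thread. The helpers assume pam_listfile compares the whole line against the item, which is why the DN has to be written verbatim, spaces and commas included.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan.  Stages a PAM
# stack for pluto that authorizes IKEv2 peer IDs from an allow-list, plus
# helpers that mirror pam_listfile's whole-line match so the list can be
# checked offline.  Everything is written under a temporary directory; the
# allow-list path /etc/ipsec.d/pam-allowed-ids is an assumed location.
set -eu

STAGE="$(mktemp -d)"
ALLOW_LIST="/etc/ipsec.d/pam-allowed-ids"   # assumed path for the ID allow-list
LIST="$STAGE$ALLOW_LIST"                     # staged copy used below
mkdir -p "$STAGE/etc/pam.d" "$STAGE/etc/ipsec.d"

# pluto passes the peer ID, i.e. the certificate DN exactly as printed in its
# log, to PAM as the "user".  One DN per line.  The first DN is the one from
# the log in the thread; the second is constructed in the same format.
cat > "$LIST" <<'EOF'
CN=pc-mtodorov.alu.hr, O=ALU-UNIZG
CN=laptop-marko.grf.hr, O=GRF-UNIZG
EOF
chmod 0600 "$LIST"   # pam_listfile refuses a world-writable list; onerr=fail then denies

# pluto calls pam_authenticate() and then pam_acct_mgmt(), so the allow-list
# check is wired into both the auth and the account stack.  pam_unix is left
# out on purpose: a DN with spaces is not a UNIX account, which is what
# produced "Permission denied" with the distribution default.
cat > "$STAGE/etc/pam.d/pluto" <<EOF
#%PAM-1.0
auth    required pam_listfile.so item=user sense=allow file=$ALLOW_LIST onerr=fail
account required pam_listfile.so item=user sense=allow file=$ALLOW_LIST onerr=fail
EOF

# id_decision ID: prints "allow" if ID is a whole line of the list, else "deny".
# grep -F -x is the same exact, whole-line comparison pam_listfile performs
# (assumed), so a DN with spaces and commas only matches when written verbatim.
id_decision() {
    if grep -Fxq -- "$1" "$LIST"; then echo allow; else echo deny; fi
}

# lock_id ID: temporary lock-out.  The line is dropped from the list; the
# certificate itself is untouched, so access can be restored later.
lock_id() {
    grep -Fxv -- "$1" "$LIST" > "$LIST.tmp" || true   # grep exits 1 when nothing is left
    mv "$LIST.tmp" "$LIST"
    chmod 0600 "$LIST"
}

# unlock_id ID: restore access by putting the line back (idempotent).
unlock_id() {
    [ "$(id_decision "$1")" = allow ] || printf '%s\n' "$1" >> "$LIST"
}

# pam_stack_ok: sanity check that the staged stack uses the allow-list and
# never consults pam_unix.
pam_stack_ok() {
    grep -q 'pam_listfile.so' "$STAGE/etc/pam.d/pluto" \
        && ! grep -q 'pam_unix' "$STAGE/etc/pam.d/pluto"
}

# Demonstration: the DN from the log is allowed, a truncated DN is not.
printf 'staged stack:  %s\n' "$STAGE/etc/pam.d/pluto"
printf 'log DN:        %s\n' "$(id_decision 'CN=pc-mtodorov.alu.hr, O=ALU-UNIZG')"
printf 'bare CN only:  %s\n' "$(id_decision 'CN=pc-mtodorov.alu.hr')"
```

Review the two staged files and copy them into /etc by hand; the script deliberately never touches the live PAM configuration. The list file must stay root-owned and not world-writable, otherwise pam_listfile treats it as an error and, with onerr=fail, denies every ID.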