P.S.
Here is the link to my diff for your review if you have patience and
time. It is meant to be a rather minimal one:
https://domac.alu.hr/~mtodorov/contrib/pam_url_0.3.3.mod.diff
So I can map cert to username in PHP cgi-bin and verify if the user
exists. If the CN= contains a '@' I would get the username from there,
to allow for your hack as well, as I plan to introduce it to the future
certificates issued.
However, I still don't have a clue how to tell Linux to update utmp, what
the RHOST should be, or where that is set (which subsystem sets it so that
you can read it with pam_get_item(pamh, PAM_RHOST, (const void
**)&clientIP)).
Obviously, I'm new to this and I need to do more homework to catch up
on these things ...
On 1/25/2022 4:24 AM, Paul Wouters wrote:
> On Mon, 24 Jan 2022, Mirsad Goran Todorovac wrote:
>> I can publish a patch diff. I have really made very small
>> modifications. A couple of lines.
>> I would also want to map certificate subject lines to unix usernames,
>> put the user into utmp and display the connected user with `w`
>> or `who` commands. But I'm not sure how it's done yet.
> Attached is what I had gobbled together to pull IDs from certificates
> inside pam_url for IKEv2.
>> Maybe I should think of forking pam_url and supplying a Debian .deb
>> package, since only .rpm exists in the wild?
> I don't think it is well maintained or active upstream?
>> pam-authenticate is a very practical method of access control. I
>> would like to clear the doubts that it decreased the security of
>> IKEv2 VPN, and that it is unprofessional, because pam_url calls a
>> cgi-bin script in .php over a TLSv1.3 connection.
> It still beats 10 round trips of EAPTLS on Windows :)
> Paul
--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
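The message above describes deriving a unix username from the certificate subject: take the CN, and if it contains '@', use the part before it. The following is an added example written for this page; it is not code from pam_url, from libreswan, or from the diff linked above. It assumes the subject arrives as an RFC 4514-style string such as "CN=alice@example.com,O=Example" (a constructed sample) and uses hypothetical function names. The point a module author would care about is that the subject string and anything read back via pam_get_item (PAM_RHOST, PAM_USER) are inputs supplied by the calling application, so the derived name is restricted to a safe character set and bounds-checked before it is handed to anything that looks up or logs a user.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <pwd.h>

/* Added example, not part of pam_url or the patch under discussion.
 * Extract the CN attribute from a subject string like
 * "CN=alice@example.com,O=Example" and derive a local username from it:
 * the part of the CN before '@' if there is one, otherwise the whole CN.
 * Returns 0 on success and writes the name to out; returns -1 if there is
 * no CN, the name contains characters outside [A-Za-z0-9._-], or it does
 * not fit in out. Attribute names are matched case-insensitively and only
 * at attribute boundaries, so "OU=xCN=..." is not mistaken for a CN. */
int username_from_subject(const char *subject, char *out, size_t outlen)
{
    if (subject == NULL || out == NULL || outlen == 0)
        return -1;

    const char *p = subject;
    const char *cn = NULL;

    /* Walk the comma-separated attributes looking for "CN=". */
    while (*p) {
        while (*p == ' ' || *p == ',')
            p++;
        if ((p[0] == 'C' || p[0] == 'c') &&
            (p[1] == 'N' || p[1] == 'n') && p[2] == '=') {
            cn = p + 3;
            break;
        }
        /* Skip to the next attribute, honouring backslash escapes. */
        while (*p && *p != ',') {
            if (*p == '\\' && p[1])
                p++;
            p++;
        }
    }
    if (cn == NULL)
        return -1;

    /* Copy the CN value up to an unescaped '@' or ',', validating each
     * character against a conservative whitelist. */
    size_t n = 0;
    for (const char *q = cn; *q && *q != ',' && *q != '@'; q++) {
        if (*q == '\\' && q[1])
            q++;                    /* escaped character: take it literally */
        unsigned char c = (unsigned char)*q;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)c;
    }
    if (n == 0)
        return -1;
    out[n] = '\0';
    return 0;
}

/* Check that the derived name is an existing local account. Returns 1 if
 * getpwnam() finds it, 0 otherwise. */
int local_user_exists(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    return getpwnam(name) != NULL;
}

int main(void)
{
    /* Constructed sample subjects, not taken from any real certificate. */
    const char *samples[] = {
        "CN=alice@example.com,O=Example",
        "O=Example, CN=bob",
        "OU=xCN=evil,O=Example",
        "CN=../root",
    };
    char name[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (username_from_subject(samples[i], name, sizeof name) == 0)
            printf("%-40s -> %s (exists: %d)\n", samples[i], name,
                   local_user_exists(name));
        else
            printf("%-40s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The whitelist deliberately rejects anything that is not a plain account name, so a CN containing path separators, spaces or shell metacharacters never reaches getpwnam(), utmp, or a log line as a username.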
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan