Hi Paul,
I did some research. It may be impossible to log IKEv2 sessions in utmp
and wtmp, for libreswan doesn't appear to be calling pam_open_session(3)
after authenticating the certificate and the user and
pam_close_session(3) after the connection is severed.
I am not confident enough to attempt to add the session management calls
to the libreswan source, or not yet :-)
And leaving the utmp entry to linger forever upon the breakup of the
connection doesn't seem prudent, so I think I'll take a break at this
point and "stand on the ball".
Tell me, did I miss something, or is the utmp/wtmp connection logging
entirely impossible within the current libreswan framework?
I would like to have some handy connection logging apart from
/var/log/pluto.log ...
Thanks!
Kind regards,
Mirsad
On 1/25/2022 9:36 PM, Mirsad Goran Todorovac wrote:
Is there a particular reason why you switched from the POST URL
request to a GET one? AFAIK, GET used to be less safe as it encoded
the password in the URL, which might be visible in some web server logs ... Any
idea why you did that? :-/
I thought that your idea of using a CN=username@hostname,O=myorg.tld
convention is a good one, but I would have to reissue all of the
certificates, and my current system already works partially deployed.
(Only to the testing people, of course ...).
What I was actually looking for is a means to get username from the
script (and it seems to allow only OK or ACCESS DENIED), or should I
call getpwnam() from PHP. But it didn't seem right to modify utmp from
PHP, did it? That breaks modularity paradigm IMHO ... Still looking
for a way to do things "kosher" way ... :-)
On 1/25/2022 4:24 AM, Paul Wouters wrote:
On Mon, 24 Jan 2022, Mirsad Goran Todorovac wrote:
I can publish a patch diff. I have really made very small
modifications. A couple of lines.
I would also want to map certificate subject lines to unix
usernames, put the user into utmp and display the connected user
with `w`
or `who` commands. But I'm not sure how it's done yet.
Attached is what I had cobbled together to pull IDs from certificates
inside pam_url for IKEv2.
Maybe I should think of forking pam_url and supplying a Debian .deb
package, since only .rpm exists in the wild?
I don't think it is well maintained or active upstream?
pam-authenticate is a very practical method of access control. I
would like to clear the doubts that it decreased the security of
IKEv2 VPN, and that it is unprofessional, because pam_url calls a
cgi-bin script in .php over a TLSv1.3 connection.
It still beats 10 round trips of EAPTLS on Windows :)
Paul
--
Mirsad Goran Todorovac
CARNet system engineer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
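Added example, not code from libreswan, pam_url or anyone in this thread: the utmp/wtmp bookkeeping that makes a session visible to `who`/`w` (utmp, current sessions) and `last` (wtmp, history). PAM itself does not write these records; pam_open_session() only runs the session modules, and daemons such as sshd write the utmp/wtmp entries in their own code, so whichever component logs a VPN session has to do something like the following. The example writes to private files under /tmp so it runs unprivileged; on a real system the targets are _PATH_UTMP and _PATH_WTMP, which need root. The "ipsec/<n>" line name, the session numbering and the sample user/address are assumptions for illustration.

```c
/* Added example (not libreswan/pam_url code): record a VPN session in
 * utmp and wtmp the way `who` and `last` expect, using private files
 * so it runs without root. Line name "ipsec/<n>" and the session
 * numbering are assumptions for illustration. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>
#include <utmp.h>

/* glibc's pututline()/updwtmp() open the files without O_CREAT and
 * fail if they are missing, so create them first. */
static int ensure_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* ut_id (4 bytes) keys the utmp slot: the close record with the same
 * id overwrites the open record instead of appending a new one. */
static void fill(struct utmp *ut, short type, int session_no,
                 const char *user, const char *host, pid_t pid)
{
    struct timeval tv;
    char id[8];

    memset(ut, 0, sizeof *ut);
    ut->ut_type = type;
    ut->ut_pid = pid;
    snprintf(ut->ut_line, sizeof ut->ut_line, "ipsec/%d", session_no);
    snprintf(id, sizeof id, "%04x", session_no & 0xffff);
    memcpy(ut->ut_id, id, sizeof ut->ut_id);
    if (user)
        strncpy(ut->ut_user, user, sizeof ut->ut_user);
    if (host)
        strncpy(ut->ut_host, host, sizeof ut->ut_host);
    gettimeofday(&tv, NULL);
    ut->ut_tv.tv_sec = tv.tv_sec;
    ut->ut_tv.tv_usec = tv.tv_usec;
}

/* Write the record to utmp and append it to wtmp. 0 on success. */
static int record(const char *utmp_path, const char *wtmp_path,
                  const struct utmp *ut)
{
    struct utmp *res;

    if (ensure_file(utmp_path) < 0 || ensure_file(wtmp_path) < 0)
        return -1;
    if (utmpname(utmp_path) != 0)
        return -1;
    setutent();
    res = pututline(ut);
    endutent();
    if (res == NULL)
        return -1;
    updwtmp(wtmp_path, ut);
    return 0;
}

/* Session start (the point where a daemon would also call pam_open_session). */
int vpn_session_open(const char *utmp_path, const char *wtmp_path,
                     int session_no, const char *user, const char *host,
                     pid_t pid)
{
    struct utmp ut;
    fill(&ut, USER_PROCESS, session_no, user, host, pid);
    return record(utmp_path, wtmp_path, &ut);
}

/* Session end: DEAD_PROCESS with empty user/host, so `who` drops the
 * entry and `last` can pair it with the login. */
int vpn_session_close(const char *utmp_path, const char *wtmp_path,
                      int session_no, pid_t pid)
{
    struct utmp ut;
    fill(&ut, DEAD_PROCESS, session_no, NULL, NULL, pid);
    return record(utmp_path, wtmp_path, &ut);
}

/* Live (USER_PROCESS) sessions for a user, the way `who` scans utmp. */
int count_active(const char *utmp_path, const char *user)
{
    struct utmp *ut;
    int n = 0;

    if (utmpname(utmp_path) != 0)
        return -1;
    setutent();
    while ((ut = getutent()) != NULL)
        if (ut->ut_type == USER_PROCESS
            && strncmp(ut->ut_user, user, sizeof ut->ut_user) == 0)
            n++;
    endutent();
    return n;
}

/* Records in wtmp: the file is an array of fixed-size struct utmp. */
int wtmp_records(const char *wtmp_path)
{
    struct stat st;
    if (stat(wtmp_path, &st) != 0)
        return -1;
    return (int)(st.st_size / sizeof(struct utmp));
}

/* Start from empty files so repeated runs give the same counts. */
int reset_files(const char *utmp_path, const char *wtmp_path)
{
    unlink(utmp_path);
    unlink(wtmp_path);
    return 0;
}

int main(void)
{
    const char *u = "/tmp/example-utmp", *w = "/tmp/example-wtmp";
    reset_files(u, w);
    vpn_session_open(u, w, 1, "alice", "192.0.2.10", getpid());
    printf("active for alice: %d\n", count_active(u, "alice"));
    vpn_session_close(u, w, 1, getpid());
    printf("active: %d, wtmp records: %d\n",
           count_active(u, "alice"), wtmp_records(w));
    return 0;
}
```

Against the real files, `who` reads the USER_PROCESS entry written here and `last` pairs the USER_PROCESS/DEAD_PROCESS pair in wtmp; the close record is what keeps an entry from lingering after the connection drops, so it has to run from whatever hook sees the tunnel go down, not only from the authentication path.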
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan