Bug #1138

ext-auth plugin not called when using xauth-noauth

Added by Alexey Karagodov almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Category:
libcharon
Target version:
Start date:
29.09.2015
Due date:
Estimated time:
Affected version:
5.3.3
Resolution:
Fixed

Description

Hello,

the ext-auth plugin does nothing.

The only line in the logs is: "charon: 00[CFG] using ext-auth script '/usr/local/etc/ipsec.d/connect.sh'"

When someone tries to connect to the host, the script is not called at all.

strongSwan 5.3.3 built from the FreeBSD port with the options --enable-xauth-noauth --enable-ext-auth.

Please help.

Thanks

strongswan.log (803 KB) strongswan.log Alexey Karagodov, 01.10.2015 15:22
patch-src_libcharon_sa_ikev1_tasks_xauth.c (1019 Bytes) patch-src_libcharon_sa_ikev1_tasks_xauth.c additional patch (must be placed to ./files/ ) Alexey Karagodov, 06.10.2015 14:35
Makefile.local (606 Bytes) Makefile.local Makefile additions to build port with ext-auth and xauth-noauth Alexey Karagodov, 06.10.2015 14:35

Associated revisions

Revision bd5084ae (diff)
Added by Tobias Brunner over 4 years ago

xauth: Call authorize() hook also when xauth-noauth is used

Fixes #1138.

History

#1 Updated by Noel Kuntze almost 5 years ago

Hello,

Is the user you're running charon as allowed to reach and execute the script? Is a security framework enabled?

Regards,
Noel Kuntze

#2 Updated by Alexey Karagodov almost 5 years ago

Running as root, for testing.

5 -rwxr-xr-x 1 root wheel 813 Sep 29 15:54 /usr/local/etc/ipsec.d/connect.sh

No security frameworks are active.

There is nothing in the journal indicating that charon tries to run the script ...

#3 Updated by Tobias Brunner almost 5 years ago

  • Status changed from New to Feedback

charon: 00[CFG] using ext-auth script '/usr/local/etc/ipsec.d/connect.sh'

That's logged when the plugin loads the config.

In the authorize hook the plugin tries to invoke (via fork/execve) /bin/sh -c "2>&1 /usr/local/etc/ipsec.d/connect.sh", which I guess should work fine on FreeBSD. At least if the authorize hook is called. Could you please post the log of a connection attempt.
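
The invocation above only matters once the authorize hook actually runs: with xauth-noauth the XAuth credentials themselves are accepted unchecked, so the external script is the only thing deciding whether a peer is authorized, and while the hook was skipped every peer that reached that point was let through. The script below is an added example of what such an ext-auth script can look like; it is not the connect.sh from this report nor code from the strongSwan project. It assumes the environment variables the ext-auth plugin documents (IKE_UNIQUE_ID, IKE_REMOTE_ID, IKE_REMOTE_EAP_ID, IKE_REMOTE_HOST), that exit status 0 authorizes the peer and any other status rejects it, and that stdout and stderr are logged by charon (which is why the plugin runs it with 2>&1). The allow-list is constructed for the example.

```shell
#!/bin/sh
# Added example of an ext-auth authorization script (not the page's connect.sh,
# not strongSwan project code).
#
# Assumptions, not taken from this page:
#   - charon exports IKE_UNIQUE_ID, IKE_REMOTE_ID, IKE_REMOTE_EAP_ID and
#     IKE_REMOTE_HOST to the script,
#   - exit 0 authorizes the peer, any non-zero exit rejects it,
#   - everything written to stdout/stderr ends up in charon's log.

# Constructed allow-list of identities that may connect. With xauth-noauth the
# XAuth password is never verified, so this list is the actual access control.
ALLOWED_IDS="alice@example.org bob@example.org"

# authorize ID HOST
#   Returns 0 (authorize) if ID is on the allow-list, 1 (reject) otherwise.
#   Logs the decision so it shows up in charon's log either way.
authorize() {
    id=$1
    host=$2

    # Refuse empty or whitespace-containing identities outright: an empty ID
    # would otherwise match nothing, but it is clearer to fail explicitly.
    case "$id" in
        ''|*[!A-Za-z0-9@._-]*)
            echo "ext-auth: deny malformed id '$id' from $host" >&2
            return 1
            ;;
    esac

    # Exact-token match inside the space-separated list.
    case " $ALLOWED_IDS " in
        *" $id "*)
            echo "ext-auth: allow $id from $host"
            return 0
            ;;
    esac

    echo "ext-auth: deny $id from $host" >&2
    return 1
}

# When charon runs the script, IKE_UNIQUE_ID is set (assumption, see above).
# Prefer the XAuth/EAP identity; fall back to the IKE identity if it is absent.
if [ -n "${IKE_UNIQUE_ID:-}" ]; then
    authorize "${IKE_REMOTE_EAP_ID:-${IKE_REMOTE_ID:-}}" "${IKE_REMOTE_HOST:-unknown}"
    exit $?
fi
```

A quick offline check is to run the script by hand with the variables set the way charon would set them, e.g. `IKE_UNIQUE_ID=1 IKE_REMOTE_EAP_ID=alice@example.org IKE_REMOTE_HOST=192.0.2.1 sh connect.sh; echo $?`, and confirm that the exit status is 0 for a listed identity and 1 for an unlisted one. If charon logs neither the allow nor the deny line during a connection attempt, the hook was never invoked, which is exactly the symptom of this report.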

#4 Updated by Alexey Karagodov almost 5 years ago

> In the authorize hook the plugin tries to invoke (via fork/execve) /bin/sh -c "2>&1 /usr/local/etc/ipsec.d/connect.sh", which I guess should work fine on FreeBSD. At least if the authorize hook is called. Could you please post the log of a connection attempt.

How can I do that without logging sensitive data?

#6 Updated by Tobias Brunner almost 5 years ago

  • Tracker changed from Issue to Bug
  • Subject changed from ext-auth plugin to ext-auth plugin not called when using xauth-noauth
  • Target version set to 5.3.4

Looks like this is due to the xauth-noauth plugin (which is a hack and really should only be used in special circumstances). It takes a shortcut in the xauth task, which does not call the authorize hook. You may try the patch in the 1138-xauth-noauth-authorize branch to change this.

Also, there seem to be log messages missing here:

2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[MGR] checkout IKE_SA by message
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[MGR] IKE_SA CiscoIPSec[1] successfully checked out
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[NET] received packet: from 109.188.127.12[36970] to 10.0.226.60[4500] (76 bytes)
...
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[ENC] parsed TRANSACTION response 1142094431 [ HASH CPA(X_STATUS) ]

We don't see thread 5 checking in the SA again but thread 12 is still able to checkout the SA right afterwards:

2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 12[MGR] IKE_SA CiscoIPSec[1] successfully checked out
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 12[MGR] checkin IKE_SA CiscoIPSec[1]

We also don't see the message IKE_SA ... established between ... that should have been logged by thread 5.

#7 Updated by Alexey Karagodov almost 5 years ago

Where can I find this patch?
Or the target version's sources?

#8 Updated by Noel Kuntze almost 5 years ago

Hi Alexey,

Here's a link to the patch:
https://wiki.strongswan.org/projects/strongswan/repository/diff?utf8=%E2%9C%93&rev=92e9b1d18bac1cfc004c96e60d5bc7f3a0428f70&rev_to=08afc33e5259399a682bb62ef253b3155e68461e
This is the associated commit. Download the patch by downloading the unified patch and patch the source of 5.3.3 with it.

#9 Updated by Alexey Karagodov almost 5 years ago

Thanks. Building; I'll report.

#10 Updated by Alexey Karagodov almost 5 years ago

The patch helped.
ext-auth + xauth-noauth are working now.

Your patch was modified (to match the FreeBSD port's point of view) and applied to the FreeBSD port.

#12 Updated by Tobias Brunner almost 5 years ago

  • Category set to libcharon
  • Status changed from Feedback to Resolved
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed

OK, thanks for testing. I'll line this up for the next release.

#13 Updated by Tobias Brunner over 4 years ago

  • Status changed from Resolved to Closed
