Bug #1138
ext-auth plugin not called when using xauth-noauth
Description
Hello,
The ext-auth plugin does nothing.
The only line in the logs: "charon: 00[CFG] using ext-auth script '/usr/local/etc/ipsec.d/connect.sh'"
When someone tries to connect to the host, the script is not called at all.
strongSwan 5.3.3 built from the FreeBSD port with options --enable-xauth-noauth --enable-ext-auth
Please help.
Thanks
History
#1 Updated by Noel Kuntze almost 10 years ago
Hello,
Is the user you're running charon as allowed to reach and execute the script? Is a security framework enabled?
Regards,
Noel Kuntze
#2 Updated by Alexey Karagodov almost 10 years ago
Running under root, for testing.
5 -rwxr-xr-x 1 root wheel 813 Sep 29 15:54 /usr/local/etc/ipsec.d/connect.sh
No security frameworks are active.
In the journal there are no reports that charon tries to run a script ...
#3 Updated by Tobias Brunner almost 10 years ago
- Status changed from New to Feedback
charon: 00[CFG] using ext-auth script '/usr/local/etc/ipsec.d/connect.sh'
That's logged when the plugin loads the config.
In the authorize hook the plugin tries to invoke (via fork/execve) /bin/sh -c "2>&1 /usr/local/etc/ipsec.d/connect.sh", which I guess should work fine on FreeBSD. At least if the authorize hook is called. Could you please post the log of a connection attempt?
#4 Updated by Alexey Karagodov almost 10 years ago
In the authorize hook the plugin tries to invoke (via fork/execve) /bin/sh -c "2>&1 /usr/local/etc/ipsec.d/connect.sh", which I guess should work fine on FreeBSD. At least if the authorize hook is called. Could you please post the log of a connection attempt?
How to do it without logging sensitive data?
#5 Updated by Alexey Karagodov almost 10 years ago
- File strongswan.log strongswan.log added
#6 Updated by Tobias Brunner almost 10 years ago
- Tracker changed from Issue to Bug
- Subject changed from ext-auth plugin to ext-auth plugin not called when using xauth-noauth
- Target version set to 5.3.4
Looks like this is due to the xauth-noauth plugin (which is a hack and really should only be used in special circumstances). It takes a shortcut in the xauth task, which does not call the authorize hook. You may try the patch in the 1138-xauth-noauth-authorize branch to change this.
Also, there seem to be log messages missing here:
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[MGR] checkout IKE_SA by message
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[MGR] IKE_SA CiscoIPSec[1] successfully checked out
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[NET] received packet: from 109.188.127.12[36970] to 10.0.226.60[4500] (76 bytes)
...
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 05[ENC] parsed TRANSACTION response 1142094431 [ HASH CPA(X_STATUS) ]
We don't see thread 5 checking in the SA again but thread 12 is still able to checkout the SA right afterwards:
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 12[MGR] IKE_SA CiscoIPSec[1] successfully checked out
2015-10-01T16:20:58+03:00 s_client@probe0226.domain.tld charon: 12[MGR] checkin IKE_SA CiscoIPSec[1]
We also don't see the message IKE_SA ... established between ... that should have been logged by thread 5.
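An added example, not code from this thread or from strongSwan, of a connect.sh in the shape comments #3 and #6 describe: charon runs the script through /bin/sh with stderr merged into stdout, captures what it prints, and treats exit status 0 as "authorize". Logging every invocation makes a silent authorize hook (the symptom in this bug) visible in the charon log, and the decision fails closed against a constructed allow-list. The IKE_REMOTE_ID, IKE_REMOTE_HOST and IKE_NAME variable names are assumed from the ext-auth plugin's documentation; the identities and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not strongSwan code: an ext-auth script installed as
# /usr/local/etc/ipsec.d/connect.sh. charon runs it through
#   /bin/sh -c "2>&1 /usr/local/etc/ipsec.d/connect.sh"
# so whatever the script prints (stdout and stderr) is captured into charon's
# log, which shows whether the authorize hook fired at all. Exit status 0
# authorizes the peer; any other status rejects the IKE_SA.
# Assumed: the plugin exports IKE_REMOTE_ID, IKE_REMOTE_HOST and IKE_NAME.

# Constructed allow-list of remote IKE identities, one per line.
ALLOWED_IDS="
alice@example.org
bob@example.org
"

# log MESSAGE: prefixed so the lines are easy to find in the charon log.
log() {
    printf 'ext-auth connect.sh: %s\n' "$*" >&2
}

# authorize_peer REMOTE_ID REMOTE_HOST CONN_NAME
# Returns 0 when REMOTE_ID is on the allow-list, 1 otherwise (fail closed).
authorize_peer() {
    remote_id=$1
    remote_host=$2
    conn_name=$3
    log "authorize hook called: conn=$conn_name id=$remote_id host=$remote_host"
    # An empty identity must not match the blank lines in ALLOWED_IDS.
    if [ -z "$remote_id" ]; then
        log "rejecting: no remote identity"
        return 1
    fi

    # Whole-line, fixed-string match: no globbing, no regex metacharacters.
    if printf '%s\n' "$ALLOWED_IDS" | grep -qxF -- "$remote_id"; then
        log "authorized $remote_id"
        return 0
    fi

    log "rejecting $remote_id: not on allow-list"
    return 1
}

# Invoked by charon: IKE_REMOTE_ID is set, so exit with the decision.
# Loaded by a test harness with it unset: only the functions are defined.
if [ -n "${IKE_REMOTE_ID:-}" ]; then
    authorize_peer "$IKE_REMOTE_ID" "${IKE_REMOTE_HOST:-}" "${IKE_NAME:-}"
    exit $?
fi
```

If the "authorize hook called" line never appears in the charon log for a connection attempt, the script was not run, which is exactly the xauth-noauth shortcut described in comment #6 rather than a problem with the script itself.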
#7 Updated by Alexey Karagodov almost 10 years ago
Where can I find this patch?
Or the target version's sources?
#8 Updated by Noel Kuntze almost 10 years ago
Hi Alexey,
Here's a link to the patch:
https://wiki.strongswan.org/projects/strongswan/repository/diff?utf8=%E2%9C%93&rev=92e9b1d18bac1cfc004c96e60d5bc7f3a0428f70&rev_to=08afc33e5259399a682bb62ef253b3155e68461e
This is the associated commit. Download the patch by downloading the unified patch and patch the source of 5.3.3 with it.
#9 Updated by Alexey Karagodov almost 10 years ago
Thanks. Building. I'll report.
#10 Updated by Alexey Karagodov almost 10 years ago
The patch helped.
ext-auth + xauth-noauth are working now.
Your patch was modified (to match the FreeBSD port's point of view) and applied to the FreeBSD port.
#11 Updated by Alexey Karagodov almost 10 years ago
#12 Updated by Tobias Brunner almost 10 years ago
- Category set to libcharon
- Status changed from Feedback to Resolved
- Assignee set to Tobias Brunner
- Resolution set to Fixed
OK, thanks for testing. I'll line this up for the next release.
#13 Updated by Tobias Brunner almost 10 years ago
- Status changed from Resolved to Closed