[strongSwan] Prompting for Credentials with strongswan 5

richter at ecos.de richter at ecos.de
Tue Sep 18 20:15:48 CEST 2012


Hi,

The ipsec stroke user-creds command is perfect for my purpose. I have to ask the user for the username/password anyway with some kind of graphical interface and pass it down to ipsec.

Does this work in a similar way for smartcard PINs? (I haven't tested ipsec rereadsecrets, but I guess it will read _all_ secrets and not only the PIN I want to pass over)

Thanks & Regards

Gerald

> -----Original Message-----
> From: Tobias Brunner [mailto:tobias at strongswan.org]
> Sent: Tuesday, September 18, 2012 4:58 PM
> To: Martin Willi
> Cc: Gerald Richter - ECOS; users at lists.strongswan.org
> Subject: Re: [strongSwan] Prompting for Credentials with strongswan 5
> 
> Hi Gerald, Martin,
> 
> >> What I would like to have, is that the user gets asked for username
> >> _and_ password (maybe with some default username already filled in).
> >> Is it possible to supply the username via the credential manager or
> >> can it only be changed in the config, so I have to do it upfront?
> >
> > Usually the different identities are part of the configuration. When
> > you use configurations from ipsec.conf, you currently can't change
> > them dynamically.
> 
> That's not entirely true. There is a (slightly hackish) feature of stroke that
> allows you to set username and password for configs that are configured for
> EAP or XAuth (only with [1] or the upcoming 5.0.1) authentication (e.g. with
> leftauth=eap):
> 
>   ipsec stroke user-creds <conn> <username> [<password>]
> 
> If the password is not given on the command line the user is prompted for it.
> The username is not optional, so you'd have to prompt the user yourself to
> get that (and since it uses the stroke socket, root permission is required to
> execute this command).  And it only works if executed before the
> connection is started with ipsec up <conn>.
> 
> Regards,
> Tobias
> 
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=8c19323c
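
The ordering described in the quoted reply (set credentials with user-creds first, then ipsec up), sketched as a wrapper; this is an added example, not code from the thread or from strongSwan. The function names, the IPSEC override variable and the argument checks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical wrapper around the two commands from the thread.
# IPSEC may be pointed at a stub for testing (assumption, not a strongSwan knob).
IPSEC=${IPSEC:-ipsec}

# Reject values that are empty, start with '-' (would be taken as an option)
# or contain whitespace. This check is this example's own policy.
valid_arg() {
    case "$1" in
        ''|-*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# start_with_creds <conn> <username>
# The password is deliberately left off the command line: stroke then prompts
# for it, so it never shows up in the process list. Needs root, because the
# commands talk to the stroke socket.
start_with_creds() {
    if ! valid_arg "$1" || ! valid_arg "$2"; then
        echo "usage: start_with_creds <conn> <username>" >&2
        return 2
    fi
    # Credentials must be set before the connection is started.
    "$IPSEC" stroke user-creds "$1" "$2" || return 1
    "$IPSEC" up "$1"
}

# Typical call, with the username collected by the caller:
#   start_with_creds home alice
```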
