[strongSwan] XAuth with interactive authentication?

Martin Willi martin at strongswan.org
Tue Sep 23 13:22:15 CEST 2014


> Is it possible to create a plugin of my own to request
> credentials/passwords?

Yes. The daemon queries the registered credential_set_t [1] instances
for credentials; in such an implementation you can request the password
from the user. There is a simple callback based wrapper [2] to query
passwords with a callback function. It is used, for example, by
charon-cmd to query passwords on the console [3].

> The main obstacle I see here is how the IKE daemon will behave in the
> case of a long plugin callback execution time, as the user can be quite
> slow to respond.

This is usually not a problem. The executing thread will block, but all
others work as usual. For XAuth you might see password request
retransmits for the server, but the daemon handles all that for you.

> Another question I want to ask: Is there anything like "ipsec stroke
> user-creds" to set up the password for private key decryption during
> public key auth?

You can set the decryption password to "%prompt" in ipsec.secrets, and
then use "ipsec secrets" to enter it on the console. The key is
decrypted, but kept unencrypted in memory for further use.

If that is not acceptable, you may return a private_key_t instance from
a custom credential_set_t, which wraps all the decryption logic.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/credentials/credential_set.h
[2] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/credentials/sets/callback_cred.h
[3] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/charon-cmd/cmd/cmd_creds.c
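The pattern Martin describes (the daemon walks its registered credential sets, a callback-based set hands the query to user code, and a secret entered once is kept in memory for later requests such as retransmits) is shown below as an added, self-contained model. It is not strongSwan code: the types credential_set_t, callback_cred_t, prompt_cb_t and the functions callback_cred_create / manager_get_shared are made-up stand-ins for the real credential_set_t and callback_cred_t interfaces, and the interactive prompt is replaced by a constructed, scripted answer table so the program runs offline. What it adds beyond the mail is the caching behaviour (the user is asked once per identity, not once per request) and the practitioner's caveat that such a cached secret should be wiped, not just freed, when the set is destroyed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only; names and signatures are NOT strongSwan's API. */
typedef enum { SHARED_EAP, SHARED_PRIVATE_KEY_PASS } shared_type_t;

typedef struct credential_set credential_set_t;
struct credential_set {
    /* Returns a malloc'd copy of the secret, or NULL if this set has none. */
    char *(*get_shared)(credential_set_t *self, shared_type_t type, const char *identity);
    void  (*destroy)(credential_set_t *self);
};

/* User-supplied callback; it runs on the querying thread and may block. */
typedef char *(*prompt_cb_t)(void *data, shared_type_t type, const char *identity);

typedef struct {
    credential_set_t set;   /* first member, so the set pointer casts back */
    prompt_cb_t cb;
    void *data;
    shared_type_t cached_type;
    char *cached_identity;  /* single-entry cache: secret entered once is reused */
    char *cached_secret;
    int prompts;            /* how often the user was actually asked */
} callback_cred_t;

/* Overwrite a secret before freeing it; a plain free() leaves it in the heap. */
static void wipe_free(char *s)
{
    if (!s) return;
    volatile char *p = (volatile char *)s;
    for (size_t n = strlen(s); n; n--) *p++ = 0;
    free(s);
}

static char *cb_get_shared(credential_set_t *self, shared_type_t type, const char *identity)
{
    callback_cred_t *this = (callback_cred_t *)self;
    if (this->cached_secret && this->cached_type == type &&
        strcmp(this->cached_identity, identity) == 0)
        return strdup(this->cached_secret);          /* served from memory */
    char *secret = this->cb(this->data, type, identity);
    this->prompts++;
    if (!secret) return NULL;
    wipe_free(this->cached_secret);
    free(this->cached_identity);
    this->cached_secret   = strdup(secret);
    this->cached_identity = strdup(identity);
    this->cached_type     = type;
    return secret;
}

static void cb_destroy(credential_set_t *self)
{
    callback_cred_t *this = (callback_cred_t *)self;
    wipe_free(this->cached_secret);
    free(this->cached_identity);
    free(this);
}

static credential_set_t *callback_cred_create(prompt_cb_t cb, void *data)
{
    callback_cred_t *this = calloc(1, sizeof(*this));
    this->set.get_shared = cb_get_shared;
    this->set.destroy = cb_destroy;
    this->cb = cb;
    this->data = data;
    return &this->set;
}

/* The "daemon" side: ask each registered set in turn until one answers. */
static char *manager_get_shared(credential_set_t **sets, size_t count,
                                shared_type_t type, const char *identity)
{
    for (size_t i = 0; i < count; i++) {
        char *s = sets[i]->get_shared(sets[i], type, identity);
        if (s) return s;
    }
    return NULL;
}

/* Constructed stand-in for an interactive prompt (a real plugin would block
 * here on fgets()/getpass() while the other daemon threads keep running). */
struct scripted { const char *identity; const char *answer; };

static char *scripted_prompt(void *data, shared_type_t type, const char *identity)
{
    (void)type;
    for (struct scripted *s = data; s->identity; s++)
        if (strcmp(s->identity, identity) == 0) return strdup(s->answer);
    return NULL;   /* user has no password for this identity */
}

/* Scenario: same identity twice (second hit is a cache hit), then an unknown
 * one. Returns the number of prompts (2), or -1 if a lookup misbehaved. */
int demo_prompt_count(void)
{
    static struct scripted answers[] = { { "alice@example.org", "constructed-sample-secret" },
                                         { NULL, NULL } };
    credential_set_t *set = callback_cred_create(scripted_prompt, answers);
    credential_set_t *sets[] = { set };
    char *a = manager_get_shared(sets, 1, SHARED_EAP, "alice@example.org");
    char *b = manager_get_shared(sets, 1, SHARED_EAP, "alice@example.org"); /* retransmit */
    char *c = manager_get_shared(sets, 1, SHARED_EAP, "bob@example.org");   /* unknown */
    int ok = a && b && !c && strcmp(a, b) == 0;
    int prompts = ((callback_cred_t *)set)->prompts;
    wipe_free(a); wipe_free(b);
    set->destroy(set);
    return ok ? prompts : -1;
}

int main(void)
{
    printf("user prompted %d time(s)\n", demo_prompt_count());
    return 0;
}
```

The cache is what makes the blocking prompt tolerable in practice: a server-side retransmit or a second exchange for the same identity is answered from memory without re-prompting. It is also exactly the trade-off the mail points out for "%prompt" and "ipsec secrets": the secret stays in process memory for the lifetime of the set, so it must be zeroed on destroy, and anyone who can read the daemon's memory can read it.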
