[strongSwan] Authorisation in vici?

Andreas Steffen andreas.steffen at strongswan.org
Mon Dec 18 19:29:00 CET 2017


Hi Michael,

in order to access the charon daemon via a vici UNIX socket you
either must be root or, if capability dropping is enabled and
a vpn group is defined, you must be a member of that vpn group.

The latter case allows mortals to initiate and terminate connections
without having root access to the configuration and secrets in
swanctl.conf.

In principle the VICI interface could be configured as a TCP network
socket via the charon.plugins.vici.socket option in strongswan.conf.
But because no authentication is required and TLS is currently not
available we strongly advise against enabling vici network sockets.

Best regards

Andreas

On 17.12.2017 14:58, Michael Schwartzkopff wrote:
> Hi,
> 
> 
> is there any kind of authentication / authorization in the vici
> interface? Or does everybody that has access to the socket (or tcp
> socket) have full control over charon?
> 
> 
> I did not find anything in the docs.
> 
> 
> Kind regards,
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
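As an added example (not part of the original message and not the strongSwan project's own configuration), this strongswan.conf fragment shows the two settings the reply refers to: capability dropping with a vpn group, so that group members can drive charon over the vici UNIX socket without root, and the discouraged TCP form of charon.plugins.vici.socket left commented out. The account name `ipsec`, the group name `vpn`, the socket path and the port 4502 are assumptions; the socket path in particular depends on the build's pid directory.

```conf
# strongswan.conf (example added here; names, paths and the port are
# assumptions, not values from the original post)
charon {
    # Capability dropping: after start-up charon changes to this user
    # and group. The vici UNIX socket is then group-accessible, so
    # members of the "vpn" group can initiate and terminate connections
    # without root and without read access to swanctl.conf secrets.
    # (assumed account name)
    user = ipsec
    # (assumed name of the "vpn group" mentioned in the reply)
    group = vpn

    plugins {
        vici {
            # Keep the UNIX socket (path assumed; depends on the build's
            # pid directory). Access is governed by file permissions.
            socket = unix:///var/run/charon.vici

            # Strongly discouraged: a TCP listener. vici has no
            # authentication and no TLS, so anyone who can reach the
            # port has full control of charon.
            # socket = tcp://127.0.0.1:4502
        }
    }
}
```

To confirm the setup, check the socket's owner, group and mode with `ls -l /var/run/charon.vici` (it should not be world-accessible), check that the unprivileged account is in the group with `id -nG`, and then run `swanctl --list-sas` as that account without sudo. `ss -ltn` should show no listener on the port you would have used for the TCP form.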
