Openswan 2.4.7, "doc/README.XAUTH" states that /etc/ipsec.d/passwd's
format is

    userid:password:conname

where it says the following about 'conname':

    You can allow a user access to any connection class in ipsec.conf by
    leaving the last field of the password file blank or '*'

This does not seem to be correct.
Now, the code in 'do_md5_authentication' (conname is stored in
'szconnid') is

    if ( strcasecmp(szconnid, arg->connname.ptr) == 0
         && strcmp( szuser, arg->name.ptr ) == 0 ) /* user correct ?*/
    {
but instead it should be something like this

    if ( ( szconnid[0] == '\0'                            /* blank: any conn */
           || ( szconnid[0] == '*' && szconnid[1] == '\0' ) /* bare '*': any conn */
           || strcasecmp(szconnid, arg->connname.ptr) == 0 )
         && strcmp( szuser, arg->name.ptr ) == 0 ) /* user correct ?*/
    {
or, even better, with fnmatch handling the wildcard (note that fnmatch
returns 0 on a match):

    if ( ( szconnid[0] == '\0'                            /* blank: any conn */
           || fnmatch(szconnid, arg->connname.ptr, 0) == 0 /* glob match */
           || strcasecmp(szconnid, arg->connname.ptr) == 0 )
         && strcmp( szuser, arg->name.ptr ) == 0 ) /* user correct ?*/
    {
Have a nice day,
Mark
--
mark-andre.hopf innominate.com          innominate security technologies AG
senior software engineer                protecting industrial networks
development                             http://innominate.com
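The matching logic proposed above, worked through as a complete, runnable
example. This is added illustration code, not Openswan's xauth.c: the
helpers conname_allows(), parse_passwd_line() and xauth_user_allowed() and
the sample passwd body are hypothetical, and the MD5/crypt password
comparison that do_md5_authentication() also performs is deliberately left
out so the block runs stand-alone. It treats a blank or bare '*' conname as
"any connection", tries fnmatch(3) for glob patterns (so "rw-*" works too,
which goes beyond the README's blank-or-'*' case), and otherwise falls back
to the case-insensitive exact match the current code uses.

```c
/* Added example (not Openswan code): connection-name matching for
 * /etc/ipsec.d/passwd entries of the form userid:password:conname.
 * Password hashing is intentionally omitted. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXLINE 256

/* Returns 1 if the entry's conname field grants access to conn, else 0. */
int conname_allows(const char *szconnid, const char *conn)
{
    if (szconnid[0] == '\0')
        return 1;                               /* blank: any connection */
    if (strcmp(szconnid, "*") == 0)
        return 1;                               /* bare '*': any connection */
    if (fnmatch(szconnid, conn, 0) == 0)        /* fnmatch returns 0 on match */
        return 1;
    return strcasecmp(szconnid, conn) == 0;     /* exact, case-insensitive */
}

/* Split one "userid:password:conname" line in place.  Returns 0 on a
 * malformed line (fewer than two ':'), 1 otherwise. */
static int parse_passwd_line(char *line, char **user, char **pass, char **connid)
{
    char *p = strchr(line, ':');
    if (!p) return 0;
    *p++ = '\0';
    *user = line;
    *pass = p;
    p = strchr(p, ':');
    if (!p) return 0;
    *p++ = '\0';
    p[strcspn(p, "\r\n")] = '\0';               /* strip the trailing newline */
    *connid = p;
    return 1;
}

/* Scan a passwd-file body (one string, newline-separated) for an entry
 * naming user that permits conn.  Returns 1 on match, 0 otherwise.
 * Hypothetical helper: real code would also verify the password hash. */
int xauth_user_allowed(const char *file_body, const char *user, const char *conn)
{
    char buf[MAXLINE];
    const char *s = file_body;

    while (*s) {
        const char *nl = strchr(s, '\n');
        size_t len = nl ? (size_t)(nl - s) : strlen(s);
        char *u, *p, *c;

        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, s, len);
        buf[len] = '\0';
        s += len + (nl ? 1 : 0);

        if (!parse_passwd_line(buf, &u, &p, &c))
            continue;                           /* skip malformed lines */
        if (strcmp(u, user) == 0 && conname_allows(c, conn))
            return 1;
    }
    return 0;
}

/* Constructed sample passwd body; the hashes are placeholders, not real. */
const char *sample_passwd =
    "alice:$1$fakehash$xxxxxxxxxxxxxxxxxxxxxx:roadwarrior\n"
    "bob:$1$fakehash$yyyyyyyyyyyyyyyyyyyyyy:\n"
    "carol:$1$fakehash$zzzzzzzzzzzzzzzzzzzzzz:*\n"
    "dave:$1$fakehash$wwwwwwwwwwwwwwwwwwwwww:rw-*\n"
    "garbage line without separators\n";

int main(void)
{
    printf("alice/roadwarrior: %d\n", xauth_user_allowed(sample_passwd, "alice", "roadwarrior"));
    printf("alice/other:       %d\n", xauth_user_allowed(sample_passwd, "alice", "other"));
    printf("bob/anything:      %d\n", xauth_user_allowed(sample_passwd, "bob", "anything"));
    printf("dave/rw-office:    %d\n", xauth_user_allowed(sample_passwd, "dave", "rw-office"));
    return 0;
}
```

The order of the three tests matters only for readability: fnmatch already
accepts a bare "*" and an exact literal, so the explicit checks spell out
the README's documented cases, and the strcasecmp fallback preserves the
case-insensitive behaviour of the existing code for non-glob entries.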
_______________________________________________
Dev mailing list
Dev openswan.org
http://lists.openswan.org/mailman/listinfo/dev