0

Hwo can I disable access for a particular user with strongswan public key authentication?

So I have pub key authentication working. the SAN is the email and is the id. Is there a way to reject authentication for a particular userid (rightid) ? I want to be able to switch user access off and on easily which I realize I could do with psk auth by just removing entries in the secrets file. I am hoping there is a way to do with with certs. I would revoke a cert with the "hold" reason, but strongswan's pki doesn't support the unrevoking ability. I also tried to set up a trap to reject authentication with no success. There must be the ability to specify which clientids are allowed to connect

conn main
       leftauth=pubkey
       leftcert=servercert.pem
       rightauth=pubkey
       leftid=mydomain.com
       type=tunnel 
       left=%any 
       leftsubnet=0.0.0.0/0 
       right=%any
       rightsubnet=192.168.137.0/24
       esp=aes128gcm16-sha256-modp3072
       ike=aes128gcm16-sha256-modp3072
       keyexchange=ikev2
       ikelifetime=28800s #Time before re authentication of keys
       auto=add

conn close
       also=main
       rightid=myclientemail@domain.com
       rightauth=never
       auto=route
noone392
  • 113
  • 1
  • 8

1 Answers1

1

While there is currently no plugin to blacklist single identities (or certificates/keys), the whitelist plugin provides a way to whitelist all allowed identities. It comes with a command to manage the whitelist while the IKE daemon is running.

Doing something similar in a more dynamic way (e.g. to reject all identities that match a certain pattern) is possible via the ext-auth plugin. The configured script (or command) is called after a successful client authentication and receives the client identity in the IKE_REMOTE_ID environment variable. If the command exits with anything but 0, the client will be rejected.

Technically, the proper way to block client certificates is via CRL or OCSP. Note that the "hold" reason (--reason certificate-hold with pki --signcrl) is primarily relevant if you use delta CRLs, because such revocations can be reverted in a delta CRL via "removeFromCRL" reason (which strongSwan currently doesn't support at all). But as you pointed out, the pki command currently also doesn't support omitting (i.e. reverting) some of the revocations when using the --lastcrl option to create a new full CRL based on an old one.

And while you could create a new CRL from scratch that includes all certificates that are currently revoked, the problem is that it's currently not possible to manually specify the serial number (cRLNumber) of the issued CRL. Unless --lastcrl (or --basecrl) is used, it will always be 1. And with the same (or lower) serial, the CRL won't be replace when it's reloaded (unless you clear all credentials and caches completely before loading it, which is only possible with swanctl and kind of a drastic measure - as would be to restart the IKE daemon just to reload the CRL).

Using OCSP could be an option, because e.g. with openssl ocsp you could provide a simple index file that you can manually create and modify (see e.g. my answer here for a description of the format). Besides having to run that additional service, a possible disadvantage is that OpenSSL requires that the index contains all currently valid certificates as well.

ecdsa
  • 3,973
  • 15
  • 29
  • This is a lot of good information thank you! the the CRL delta isn't viable because neither refreshing CRL or even crl purging, or ipsec reload removes them from the cash. You have to fullt stop and start the daemon (closing all open connections) to remove something from CRL cash. But whitelist plugin sounds perfect!! Thank you! – noone392 Jun 01 '23 at 19:38
  • I just wanted to add to this for other people. Once you build and install with the enable whitelist its very easy just sudo /usr/local/libexec/ipsec/whitelist enable sudo /usr/local/libexec/ipsec/whitelist add where id is the email (or ip) in the SAN field of the cert. – noone392 Jun 04 '23 at 15:03