Summary: | net-firewall/ipsec-tools should provide a default /etc/pam.d/racoon file | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Diego Elio Pettenò (RETIRED) <flameeyes> |
Component: | New packages | Assignee: | Anthony Basile <blueness> |
Status: | RESOLVED FIXED | | |
Severity: | enhancement | CC: | mmokrejs, pam-bugs+disabled |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 326647 | | |
Description
Diego Elio Pettenò (RETIRED)
I am not an expert in this but as I am trying to set up IPsec, I came across this which might help you:

$ man racoon.conf:

```
[cut]
accounting (none | system | radius | pam);
        Enables or disables accounting for Xauth logins and logouts.
        The default is none which disable accounting. Specifying system
        enables system accounting through utmp(5). Specifying radius
        enables RADIUS accounting. It works only if racoon(8) was built
        with libradius support and requires RADIUS authentication.
        RADIUS configuration is handled by radius.conf(5). Specifying pam
        enables PAM accounting. It works only if racoon(8) was build with
        libpam support and requires PAM authentication.
```

Hi Diego, ancient bug, but important package. I just adopted it. The racoon.conf statement of interest is auth_source (not accounting), which means how users are authenticated to the service. I'm looking at what Fedora does (fc 16) and their pam.d/racoon file looks something like this:

```
auth       required     pam_succeed_if.so user != root
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
```

where their password-auth is approximately equal to our system-auth. I'm not sure why they have the pam_succeed_if user != root. Also, their account required pam_nologin.so is already in our system-auth. I'm thinking we might be okay with just a copy of pam.d/sshd for racoon. If you think it's a good idea, I can add that to my next rev bump.

Okay, I've added pam.d/racoon equal to

```
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login
```

It's in the tree with ipsec-tools-0.8.0-r1. Please reopen this bug if there's a problem with this pam file as a *default*.
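A check for the situation this bug describes, as an added example that is not part of the original thread or of ipsec-tools: it reads the `auth_source` and `accounting` statements from racoon.conf text and, when either selects `pam`, flattens the `include` lines of the `racoon` PAM service to confirm that each rule type resolves to at least one module. The function names, the sample racoon.conf, and the contents of `system-remote-login` are assumptions constructed for the example.

```python
import re

# Constructed sample inputs. The racoon service mirrors the four include lines
# added in this thread; the system-remote-login contents are invented here.
RACOON_CONF = "mode_cfg {\n  auth_source pam;\n  accounting pam;  # Xauth accounting\n}\n"
TYPES = ("auth", "account", "password", "session")
PAM_D = {
    "racoon": "".join("%s include system-remote-login\n" % t for t in TYPES),
    "system-remote-login": "".join("%s required pam_unix.so\n" % t for t in TYPES),
}

def pam_statements(racoon_conf):
    """Return the auth_source/accounting values set in racoon.conf text."""
    text = re.sub(r"#.*", "", racoon_conf)  # drop comments
    return dict(re.findall(r"\b(auth_source|accounting)\s+(\w+)\s*;", text))

def expand(service, pam_d, seen=()):
    """Flatten a PAM service file, following 'include' lines recursively."""
    if service in seen:
        raise ValueError("include loop at " + service)
    if service not in pam_d:
        raise FileNotFoundError("/etc/pam.d/" + service)
    rules = []
    for line in pam_d[service].splitlines():
        fields = line.split("#")[0].split()
        if len(fields) < 3:
            continue
        mtype, control, rest = fields[0].lstrip("-"), fields[1], fields[2:]
        if control == "include":
            # include pulls in only the rules of the same type
            rules += [r for r in expand(rest[0], pam_d, seen + (service,))
                      if r[0] == mtype]
        else:
            rules.append((mtype, control, " ".join(rest)))
    return rules

def audit(racoon_conf, pam_d, service="racoon"):
    """Report PAM problems for a racoon.conf that selects pam."""
    uses = [k for k, v in pam_statements(racoon_conf).items() if v == "pam"]
    if not uses:
        return []
    try:
        have = {r[0] for r in expand(service, pam_d)}
    except FileNotFoundError as exc:  # Linux-PAM would fall back to service "other"
        return ["%s set to pam but %s is missing" % (", ".join(uses), exc)]
    return ["no %s rules for %s" % (t, service) for t in TYPES if t not in have]
```

On a real host, `pam_d` would be built by reading the files under /etc/pam.d into a dict keyed by file name.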