
Removed users still working? #613

Closed
qmaxquique opened this issue Jul 4, 2017 · 5 comments
@qmaxquique

OS / Environment

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"

Ansible version

ansible 2.2.0.0
config file = /home/enriquec/algo/ansible.cfg
configured module search path = Default w/o overrides

Version of components from requirements.txt

| Package | Version |
| --- | --- |
| msrestazure | 0.4.11 |
| setuptools | 36.0.1 |
| ansible | 2.2.0.0 |
| dopy | 0.3.5 |
| boto | 2.47.0 |
| boto3 | 1.4.4 |
| azure | 2.0.0rc5 |
| msrest | 0.4.1 |
| apache-libcloud | 2.0.0 |
| six | 1.10.0 |
| pyopenssl | 17.1.0 |
| jinja2 | 2.8 |

Summary of the problem

Users "removed" from the user list are still working.

Steps to reproduce the behavior

1 - Add a couple of users to the config.cfg and deploy Algo locally.
2 - Configure a client (tested on an OSX Sierra client) and connect to the VPN
3 - Remove the user from the config.cfg file.
4 - Run ./algo update-users
5 - Client is still up and running
6 - Even restarting the strongswan process, client is still able to reconnect.

The way of deployment (cloud or local)

local

Expected behavior

Ideally, drop the connection when a user is deleted.
Otherwise, prevent user reconnection.

Actual behavior

Connections are still working when you remove a user.
Reconnections are still accepted after removing a user.

Full log

N/A

@ghost

ghost commented Aug 3, 2017

@qmaxquique were you able to fix this?

@trailofbits trailofbits deleted a comment from ahrenstein Sep 4, 2017
@trailofbits trailofbits deleted a comment from ilkerc Sep 4, 2017
@ssaarinen

ssaarinen commented Oct 6, 2017

I stumbled onto this as well on an Ubuntu host. Certs of revoked users are copied to ipsec.d/crls/ but revoked clients can still connect.

I tried this with 2 users that I dropped with 2 runs of algo update-users. ipsec listcrls lists 2 CRLs with one containing 0 certs (this is the cert for the user that got removed first, if that matters) and the other one containing 1 cert. Both users can still connect.

@vsymmitch

I have also encountered this on my Ubuntu 16.04 Algo server today.

I am hypothesizing that the openssl command in the "Revoke non-existing users" section of the roles/vpn/tasks/openssl.yml file can't have both the -gencrl and the -revoke options specified in it, but rather, needs to be split into two openssl commands (the first to do the -revoke, and the second to do the -gencrl).
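A way to check that hypothesis on a throwaway CA, added here as an example and not code from Algo or from anyone in this thread. It assumes `openssl` is on the PATH, runs revocation and CRL generation as two separate commands, and then confirms the client's serial actually appears on the CRL (the thing `ipsec listcrls` should also show):

```shell
#!/bin/sh
# Added example, not Algo's own code: throwaway CA in a temp dir, one client
# cert, revoked in TWO openssl steps (-revoke, then -gencrl), then verified.
set -eu

setup_ca() {                       # $1 = absolute working directory
  dir=$1
  mkdir -p "$dir/newcerts"; : > "$dir/index.txt"
  echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = anything
[ anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj /CN=demo-ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null  # empty CRL
}

issue_cert() {                     # $1 = dir, $2 = user name (hypothetical user)
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

revoke_user() {                    # $1 = dir, $2 = user name: two commands, not one
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
  # On an Algo server the fresh CRL must also reach strongSwan: copy it to
  # /etc/ipsec.d/crls/ and run `ipsec rereadcrls` (or `ipsec purgecrls`, as in this thread).
}

is_revoked() {                     # $1 = CRL file, $2 = client cert; exit 0 if listed
  serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial\$"
}
```

If `is_revoked` succeeds but the client still connects, the CA side is fine and the problem is strongSwan not loading or honouring the CRL.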

@dguido
Member

dguido commented Oct 12, 2017

Stan Larroque emailed me to say:

"When running the update-users task, it is good to run the command "ipsec purgecrls" on Ubuntu. It will purge in-memory CRL without restarting ipsec. This fix works for my installation at least."

Thanks Stan!

@ssaarinen

ssaarinen commented Oct 13, 2017

I tried also restarting ipsec and even rebooting the vm but neither of those seemed to help in my case.

Edit: Tried running purgecrls which did not help either


5 participants