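// PAM_AUTH, PAM_SESS, PAM_ACCT, PAM_PASS
// 2. PSK, Pre Shared Key
// 3. USER
// 4. PASS
// DO SOURCE IP REGION CHECKS HERE, OTHERWISE BRUTEFORCE attacks might occur!!
//
// Request contract (all fields via POST): "mode" selects the PAM stage,
// "user" is the account name looked up in the authorization list, "pass"
// must be present but is not inspected by this endpoint.
// Responses: "OK" (200), "ACCESS DENIED" (403 or 400), "HOST NOT PERMITTED" (403).

/** Authorization list: one user name per line; lines starting with '#' or '//' are comments. */
const VPN_AUTHORIZED_USERS_FILE = '/usr/local/etc/vpn-ikev2-authorized';

/** The only client address allowed to call this endpoint (see the brute-force note above). */
const VPN_PERMITTED_CLIENT_IP = '161.53.235.3';

/**
 * Report whether $user appears as a line of the authorization file.
 *
 * Each line is trimmed before comparison; blank lines and lines starting
 * with '#' or '//' are ignored. The match is exact and case-sensitive.
 * A missing or unreadable file authorizes nobody.
 *
 * @param string $path authorization file to read
 * @param string $user candidate user name (the empty string never matches)
 */
function vpn_user_is_authorized(string $path, string $user): bool
{
    if ($user === '' || !file_exists($path)) {
        return false;
    }
    $fp = fopen($path, 'r');
    if ($fp === false) {
        return false;
    }
    try {
        while (($line = fgets($fp)) !== false) {
            // ignore whitespace and trailing \n
            $line = trim($line);
            // skip blank lines (otherwise an empty line would match an empty user)
            // and hash # / C++ style // comments in the authorization file
            if ($line === '' || $line[0] === '#' || strncmp($line, '//', 2) === 0) {
                continue;
            }
            if ($line === $user) {
                return true;
            }
        }
        return false;
    } finally {
        // fclose() must receive the resource; closing happens on every exit path.
        fclose($fp);
    }
}

// NOTE(review): REMOTE_ADDR is the peer socket address; behind a reverse proxy it
// would be the proxy, not the original client — confirm the deployment topology.
$ip_address = $_SERVER['REMOTE_ADDR'] ?? '';
if ($ip_address !== VPN_PERMITTED_CLIENT_IP) {
    header("HTTP/1.1 403 Forbidden");
    echo "HOST NOT PERMITTED";
    exit(0);
}

$user = $_POST['user'] ?? null;
$mode = $_POST['mode'] ?? null;

// All three fields are required; user/mode must be plain strings (a "user[]=x"
// submission arrives as an array and would otherwise reach the string comparison).
if (is_string($user) && is_string($mode) && isset($_POST['pass'])) {
    // $ret = 0 signals success (mirrors the PAM_SUCCESS convention the modes suggest).
    $ret = 1;
    switch ($mode) {
        case 'PAM_SM_AUTH':
            // Perform authing here.
            // NOTE(review): only list membership is checked; $_POST['pass'] is never
            // verified by this endpoint — presumably the PSK/password is checked
            // elsewhere in the IKEv2 flow. Confirm with the caller.
            if (vpn_user_is_authorized(VPN_AUTHORIZED_USERS_FILE, $user)) {
                $ret = 0;
            }
            break;
        case 'PAM_SM_ACCOUNT':
            // Perform account aging here (currently the same membership check as auth).
            if (vpn_user_is_authorized(VPN_AUTHORIZED_USERS_FILE, $user)) {
                $ret = 0;
            }
            break;
        case 'PAM_SM_SESSION':
            // Perform session management here
            break;
        case 'PAM_SM_PASSWORD':
            // Perform password changes here
            break;
        // Any other mode leaves $ret = 1 and is denied below.
    }

    if ($ret === 0) {
        header("HTTP/1.1 200 OK");
        echo "OK";
    } else {
        header("HTTP/1.1 403 Forbidden");
        echo "ACCESS DENIED";
    }
} else {
    // The status line must be sent before any output, otherwise PHP reports
    // "headers already sent" and the client receives 200 instead of 400.
    header("HTTP/1.1 400 Bad Request");
    echo "ACCESS DENIED";
}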