[Swan] xauthby=alwaysok discussion
Paul Wouters
pwouters at redhat.com
Thu Mar 7 17:38:29 EET 2013
On Thu, 7 Mar 2013, Philippe Vouters wrote:
> I'd like to bring in a discussion upon xauthby=alwaysok.
>
> If you run with PSK secrets and set xauthby=alwaysok then you have no means to
> withdraw a user or refuse a hacker who stole the PSK secret.
That's incorrect. You _can_ use Aggressive Mode and set PSKs per
leftid/rightid combination. It is only Main Mode where the ID comes in
the second packet exchange where you cannot have different PSKs.
Regardless, RSA configurations are _always_ preferred over PSK ones. In
my opinion, PSK ones should _only_ be used for site-to-site connections
and not for server-client connections.
Even when using xauthby=pam or xauthby=file, anyone who knows the PSK
and can intercept your traffic (like at a coffee shop wifi) can pretend
to be the remote IPsec gateway, and you will then give your pam/password
secret to the rogue man in the middle. For example if you run a large
campus wifi using PSK/IPsec for your students, any student can learn any
other student's pam/password credentials.
Where possible, use raw RSA. Otherwise, use X509 certs. Only as a last
resort, use PSK.
Paul
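As an added illustration of the two points above (not part of Paul's message or of any libreswan/openswan documentation), here is the weak remote-access setup Philippe describes next to the hardened one Paul recommends, in ipsec.conf syntax. The host names, addresses, address pool and the key placeholders are assumptions for illustration; the real public keys come from `ipsec showhostkey --left` (or `--right`) on the respective host.

```ini
# Added example, not from the mailing-list thread. Hostnames, addresses
# and the 0sAQ... key placeholders are assumptions for illustration.

# WEAK: one PSK shared by every road warrior, plus xauthby=alwaysok.
# In main mode the gateway cannot tell clients apart before the PSK is
# used, so anyone holding the PSK is accepted, no single user can be
# revoked, and a MITM who knows the PSK can impersonate the gateway.
conn roadwarrior-psk-weak
    left=203.0.113.1                 # gateway public address (assumed)
    leftid=@gw.example.net
    leftsubnet=0.0.0.0/0
    leftmodecfgserver=yes
    right=%any                       # any client from any address
    rightid=%any
    rightmodecfgclient=yes
    rightaddresspool=10.99.0.0/24
    authby=secret                    # IKE authenticated with the shared PSK
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=alwaysok                 # no per-user check at all
    auto=add

# BETTER: one conn per client with raw RSA keys. Revoking Alice means
# removing this conn (or her public key); a stolen XAUTH password is
# useless without her private key, and a rogue gateway cannot pass the
# IKE authentication because it lacks the gateway's private key.
conn roadwarrior-rsa-alice
    left=203.0.113.1
    leftid=@gw.example.net
    leftsubnet=0.0.0.0/0
    leftrsasigkey=0sAQ...gateway-pubkey...   # placeholder, see ipsec showhostkey
    leftmodecfgserver=yes
    right=%any
    rightid=@alice.example.net
    rightrsasigkey=0sAQ...alice-pubkey...    # placeholder, from Alice's host
    rightmodecfgclient=yes
    rightaddresspool=10.99.0.0/24
    authby=rsasig                    # IKE authenticated with RSA signatures
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=pam                      # second factor: the user's PAM password
    auto=add
```

If PSK really cannot be avoided, the per-ID fallback Paul mentions is to set `aggrmode=yes` in the conn and give each leftid/rightid pair its own line in ipsec.secrets, for example `@gw.example.net @alice.example.net : PSK "long-random-secret-for-alice"`, so that a single client can be revoked by deleting its line; this works only in aggressive mode, because in main mode the peer's ID is not yet known when the PSK has to be selected. It still leaves the XAUTH password exposed to anyone who holds that client's PSK, which is why the RSA form above is preferred.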