[Swan] xauthby=alwaysok discussion

Paul Wouters pwouters at redhat.com
Thu Mar 7 17:48:04 EET 2013


On Thu, 7 Mar 2013, Philippe Vouters wrote:

> Even with RSA authentication, right=%any and xauthby=ok, you can't prevent a 
> hacker from robbing the RSA keys and IPSec connecting with no problem.
> So xauthby=alwaysok should never be allowed if IP security is a concern.

xauthby=alwaysok is not much different from xauthby=pam|file where you
"remember" the credentials in the device, such as a phone. It is not
desirable to input your password every time your phone brings up the
VPN. It would make using a VPN impossible. It has been shown again
and again that any password stored on a phone is trivial to obtain,
whether it is an iPhone, Android or otherwise (Blackberry excluded). So
if you deploy a server for many mobile devices, I strongly recommend
XAUTH+Certificates over other scenarios like PSK+L2TP.

xauthby=alwaysok is a circumvention for those people who do not want to
rely on the second set of authentication, where they use X509/RSA for
authentication and where they can revoke compromised X509 certificates,
but where the IPsec protocol insists they use the XAUTH layer.

As always, if the security settings make using your device impossible,
people will simply use it without security. xauthby=alwaysok in practice
is the same as xauthby=pam|file because everyone stores their password
on the device. If they would have to type it every time on a keyboard-less
phone, you would end up anyway with very very insecure passwords.

The XAUTH/ModeConfig layer is mostly used to deal with IP address
management, and is an excellent way to get rid of the PSK/L2TP layered
solution of handing out IP addresses - even when not using the
additional option of user/password authentication. Those who desire
two factor authentication without the possibility of storing that
password on the device can use a pam backend that uses "two factor"
authentication, such as SecurID, YubiKey, etc.

Paul
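As an added illustration (not from the post or from the Libreswan project), here is an ipsec.conf fragment in Libreswan syntax that shows the two deployments contrasted above: certificate-only road warriors with xauthby=alwaysok, where revoking the X.509 certificate is the only way to cut off a stolen device, beside the same connection with a PAM-backed second factor. The gateway certificate nickname, the address pool and the conn names are placeholders; load only one of the two conns.

```ini
# Libreswan ipsec.conf fragment (constructed example, not the post's own config).
config setup
    # Refuse a peer whose CA has no loadable CRL, so revocation is enforced
    # instead of silently skipped when the CRL cannot be fetched.
    crl-strict=yes

# Settings shared by both variants: IKEv1 XAUTH/ModeConfig server,
# RSA/X.509 on both sides, clients must chain to our own CA.
conn %default
    keyexchange=ike
    ikev2=no
    authby=rsasig
    left=%defaultroute
    leftcert=vpn-gateway-cert      # placeholder: NSS nickname of gateway cert
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    leftmodecfgserver=yes
    right=%any
    rightca=%same                  # client cert must be issued by our CA
    rightid=%fromcert
    rightxauthclient=yes
    rightmodecfgclient=yes
    rightaddresspool=10.10.100.10-10.10.100.250   # constructed pool
    modecfgpull=yes
    auto=ignore

# Variant 1: certificate-only. XAUTH is answered "ok" unconditionally, so
# the client key/cert is the sole credential; a lost phone is handled by
# putting its certificate on the CRL, not by changing a password.
conn roadwarrior-certonly
    xauthby=alwaysok
    auto=add

# Variant 2: certificate plus a second factor checked by PAM (for example a
# PAM module backed by a one-time-password token), so a copied certificate
# alone is not enough to bring the tunnel up.
conn roadwarrior-2fa
    xauthby=pam
    xauthfail=hard                 # never fall through on a failed XAUTH
    auto=ignore                    # switch to auto=add to use this variant
```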
