[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Remy van Elst relst at relst.nl
Mon Jul 21 19:07:43 EEST 2014


Hello Paul,

3.9 does not seem to fix the problem; I still get login errors with
either PAM or a passwd file, same steps as earlier but with the new
packages:

Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 61015: I am...behind NAT
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: new NAT mapping for #2, was 83.162.250.46:1024, now 83.162.250.46:61015
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 prf=...=MODP1024}
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: received and ignored informational message for unknown state
Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn: Attempting to login
Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: pam authentication being called to authenticate user vpn
Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: pam_authenticate failed with 'Authentication failure'
Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn: Authentication Failed: Incorrect Username or Password
Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2
Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46: deleting connection "xauth-rsa" instance with peer 83.162.250.46 {isakmp=#0/ipsec=#0}
Jul 21 16:04:47 localhost.localdomain pluto[3836]: packet from 83.162.250.46:61015: received and ignored empty informational notification payload


Ipsec verify:

[root@localhost ~]# ipsec  verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.9 (netkey) on 3.15.4-x86_64-linode45
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Hardware random device                            	[N/A]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options          	[OK]
Opportunistic Encryption                          	[DISABLED]



On 07/21/14 16:38, Paul Wouters wrote:
> On Sun, 20 Jul 2014, Remy van Elst wrote:
> 
>> Date: Sun, 20 Jul 2014 14:20:38
>> From: Remy van Elst <relst at relst.nl>
>> To: swan at lists.libreswan.org
>> Subject: [Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7
>>
>> I'm having an issue with  Libreswan 3.8 (netkey) on 3.15.4-x86_64 /
>> CentOS 7.
> 
> I have a vague recollection of this bug.
> 
> Could you try 3.9? There were a few fixes in the pam code between 3.8
> and 3.9
> 
> You can find a centos7 package at:
> 
> http://download.libreswan.org/binaries/rhel/7/
> 
> Paul