[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Matt Rogers mrogers at redhat.com
Thu Aug 21 01:05:06 EEST 2014


On 07/21, Remy van Elst wrote:
> Hello Paul,
> 
> 3.9 does not seem to fix the problem, I still get login errors with
> either PAM or a passwd file, same steps as earlier but with the new
> packages:
> 
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)
> sender port 61015: I am...behind NAT
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: new NAT mapping for #2, was 83.162.250.46:1024, now
> 83.162.250.46:61015
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established
> {auth=PRESHARED_KEY cipher=aes_256 prf=...=MODP1024}
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT,
> msgid=00000000, length=28
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: received and ignored informational message for unknown
> state
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn:
> Attempting to login
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: pam
> authentication being called to authenticate user vpn
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH:
> pam_authenticate failed with 'Authentication failure'
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn:
> Authentication Failed: Incorrect Username or Password
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
> 83.162.250.46: deleting connection "xauth-rsa" instance with peer
> 83.162.250.46 {isakmp=#0/ipsec=#0}
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: packet from
> 83.162.250.46:61015: received and ignored empty informational
> notification payload
> 

I've tried to reproduce this with your configuration on RHEL7 and Win7 with
the Shrew client 2.2.2, and the pam method worked. For the client authentication
settings I used Mutual PSK + XAuth, with a Remote Identity of Any and a Local
Identity with the IP Address, with the PSK added to the Credentials tab.

It would help to see the debug logs around the failure, with the pam feedback.
For example, with an incorrect password provided:

Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg attribute:
Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    ModeCfg attr type: 16522??
Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    length/value: 1
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | complete state transition with
STF_IGNORE
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | #9 complete_v1_state_transition:2165
st->st_calculating == FALSE;
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | * processed 0 messages from
cryptographic helpers
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for
#9
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for
#9
Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to login
Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: pam authentication being called to
authenticate user vpnuser
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_start SUCCESS
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_set_item SUCCESS
Aug 20 13:38:02 rhel7-b1 unix_chkpwd[27403]: password check failed for user
(vpnuser)
Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth): authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181  user=vpnuser
Aug 20 13:38:04 rhel7-b1 pluto[27347]: | pam_authenticate failed with
'Authentication failure
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with
'Authentication failure'
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication
Failed: Incorrect Username or Password

The ModeCfg attribute displayed is the password length, so you can at least
verify the password length in case the client is leaving something out.

Regards,
Matt
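As an added example (not from this mail, and not libreswan code), a small Python parser that groups pluto debug lines like the ones above into one record per XAUTH attempt and pulls out the user, the rhost from pam_unix, the PAM error and the length/value of each ModeCfg attribute, so the password-length check described above can be done over a whole log instead of by eye. The sample log is constructed from the lines quoted above (unwrapped onto single lines) and the regular expressions and function names are assumptions of this example.

```python
import re

# Constructed sample: the pluto debug lines quoted in the mail above, unwrapped.
SAMPLE_LOG = """\
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg attribute:
Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    ModeCfg attr type: 16522??
Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    length/value: 1
Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to login
Aug 20 13:38:02 rhel7-b1 unix_chkpwd[27403]: password check failed for user (vpnuser)
Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181  user=vpnuser
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with 'Authentication failure'
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication Failed: Incorrect Username or Password
"""

RE_ATTR_TYPE = re.compile(r"ModeCfg attr type: (\d+)")
RE_ATTR_LEN = re.compile(r"length/value: (\d+)")
RE_LOGIN = re.compile(r"XAUTH: User (\S+): Attempting to login")
RE_PAM_UNIX = re.compile(r"pam_unix\(pluto:auth\): authentication failure;.*rhost=(\S*)\s+user=\S+")
RE_PAM_ERR = re.compile(r"XAUTH: pam_authenticate failed with '([^']*)'")
RE_FAILED = re.compile(r"XAUTH: User \S+: Authentication Failed")

def parse_xauth_attempts(log_text):
    """One record per XAUTH login attempt: user, PAM rhost and error, and the
    length/value of each ModeCfg attribute parsed just before the login (the
    mail above explains that this value is the password length the client sent)."""
    attempts, pending, current, attr_type = [], {}, None, None
    for line in log_text.splitlines():
        if m := RE_ATTR_TYPE.search(line):
            attr_type = int(m.group(1))
        elif (m := RE_ATTR_LEN.search(line)) and attr_type is not None:
            pending[attr_type] = int(m.group(1))  # attribute type -> payload length
            attr_type = None
        elif m := RE_LOGIN.search(line):
            current = {"user": m.group(1), "attr_lengths": pending,
                       "rhost": None, "pam_error": None, "failed": False}
            pending = {}
        elif current and (m := RE_PAM_UNIX.search(line)):
            current["rhost"] = m.group(1) or None
        elif current and (m := RE_PAM_ERR.search(line)):
            current["pam_error"] = m.group(1)
        elif current and RE_FAILED.search(line):
            current["failed"] = True
            attempts.append(current)
            current = None
    return attempts

def implausible_password_length(attempt, min_len=2):
    """True when a ModeCfg attribute is shorter than any real password, which
    points at the client leaving the password out or truncating it."""
    return any(n < min_len for n in attempt["attr_lengths"].values())
```

Run it over `journalctl -u ipsec` output captured with pluto debugging enabled; an attempt whose attribute length is 0 or 1 is a client-side problem, not a PAM one.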

