[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Remy van Elst relst at relst.nl
Thu Aug 21 06:35:26 EEST 2014


I'll try to make some time to reproduce the setup; the VMs are all
deleted now. I'll also try to work in Paul's suggestion.

I've not tried it on Ubuntu yet.

On 08/21/14 00:05, Matt Rogers wrote:
> On 07/21, Remy van Elst wrote:
>> Hello Paul,
>>
>> 3.9 does not seem to fix the problem, I still get login errors with
>> either PAM or a passwd file, same steps as earlier but with the new
>> packages:
>>
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)
>> sender port 61015: I am...behind NAT
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: new NAT mapping for #2, was 83.162.250.46:1024, now
>> 83.162.250.46:61015
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established
>> {auth=PRESHARED_KEY cipher=aes_256 prf=...=MODP1024}
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT,
>> msgid=00000000, length=28
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: received and ignored informational message for unknown
>> state
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn:
>> Attempting to login
>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: pam
>> authentication being called to authenticate user vpn
>> Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH:
>> pam_authenticate failed with 'Authentication failure'
>> Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn:
>> Authentication Failed: Incorrect Username or Password
>> Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2
>> Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> 83.162.250.46: deleting connection "xauth-rsa" instance with peer
>> 83.162.250.46 {isakmp=#0/ipsec=#0}
>> Jul 21 16:04:47 localhost.localdomain pluto[3836]: packet from
>> 83.162.250.46:61015: received and ignored empty informational
>> notification payload
>>
> 
> I've tried to reproduce this with your configuration on RHEL7 and Win7 with
> the Shrew client 2.2.2, and the pam method worked. For the client authentication
> settings I used Mutual PSK + XAuth, with a Remote Identity of Any and a Local
> Identity with the IP Address, with the PSK added to the Credentials tab.
> 
> It would help to see the debug logs around the failure, with the pam feedback.
> For example, an incorrect password provided:
> 
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg attribute:
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    ModeCfg attr type: 16522??
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    length/value: 1
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | complete state transition with
> STF_IGNORE
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | #9 complete_v1_state_transition:2165
> st->st_calculating == FALSE;
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | * processed 0 messages from
> cryptographic helpers
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for
> #9
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for
> #9
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to login
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: pam authentication being called to
> authenticate user vpnuser
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_start SUCCESS
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_set_item SUCCESS
> Aug 20 13:38:02 rhel7-b1 unix_chkpwd[27403]: password check failed for user
> (vpnuser)
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth): authentication
> failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181  user=vpnuser
> Aug 20 13:38:04 rhel7-b1 pluto[27347]: | pam_authenticate failed with
> 'Authentication failure
> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with
> 'Authentication failure'
> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication
> Failed: Incorrect Username or Password
> 
> The ModeCfg attribute displayed is the password length, so you can at least
> verify the password length in case the client is leaving something out.
> 
> Regards,
> Matt
> 
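Added here as an illustration of reading the pluto output Matt describes; this is not code from the thread or from libreswan. It walks pluto log lines, pairs each "Attempting to login" with its outcome, picks up the peer address from the pam_unix line and the password length from the ModeCfg attribute 16522 debug lines, and then counts failures per source. The sample log is constructed from the two excerpts quoted above; the "Authentication Successful" line wording and attribute type 16522 being the XAUTH password attribute are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: ModeCfg attribute type 16522 carries the XAUTH password, so the
# "length/value" line that follows it is the password length Matt refers to.
XAUTH_PASSWORD_ATTR = 16522

RE_ATTR_TYPE = re.compile(r"ModeCfg attr type: (\d+)")
RE_ATTR_LEN = re.compile(r"length/value: (\d+)")
RE_LOGIN = re.compile(r"XAUTH: User (\S+): Attempting to login")
RE_PAM_UNIX = re.compile(
    r"pam_unix\(pluto:auth\): authentication failure;.*rhost=(\S*).*user=(\S+)")
RE_FAILED = re.compile(r"XAUTH: User (\S+): Authentication Failed: (.*)")
RE_SUCCESS = re.compile(r"XAUTH: User (\S+): Authentication Successful")

# Constructed sample, shaped after the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg attribute:
Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    ModeCfg attr type: 16522??
Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    length/value: 1
Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to login
Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: pam authentication being called to authenticate user vpnuser
Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181  user=vpnuser
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with 'Authentication failure'
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication Failed: Incorrect Username or Password
Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn: Attempting to login
Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: pam_authenticate failed with 'Authentication failure'
Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn: Authentication Failed: Incorrect Username or Password
Aug 20 13:40:10 rhel7-b1 pluto[27347]: XAUTH: User alice: Attempting to login
Aug 20 13:40:11 rhel7-b1 pluto[27347]: XAUTH: User alice: Authentication Successful
"""


@dataclass
class XauthAttempt:
    user: str
    outcome: str = "pending"        # "success", "failure" or "pending"
    reason: str = ""                # text after "Authentication Failed:"
    rhost: str = ""                 # peer address from the pam_unix line, if logged
    password_len: Optional[int] = None  # from the preceding ModeCfg debug lines


def parse_xauth_attempts(log_text):
    """Pair each XAUTH login attempt in pluto output with its outcome."""
    attempts = []
    current = None
    pending_attr = None   # attribute type whose length/value line is still to come
    last_pw_len = None    # password length seen before the next login attempt
    for line in log_text.splitlines():
        m = RE_ATTR_TYPE.search(line)
        if m:
            pending_attr = int(m.group(1))
            continue
        m = RE_ATTR_LEN.search(line)
        if m and pending_attr is not None:
            if pending_attr == XAUTH_PASSWORD_ATTR:
                last_pw_len = int(m.group(1))
            pending_attr = None
            continue
        m = RE_LOGIN.search(line)
        if m:
            current = XauthAttempt(user=m.group(1), password_len=last_pw_len)
            attempts.append(current)
            last_pw_len = None
            continue
        if current is None:
            continue
        m = RE_PAM_UNIX.search(line)
        if m and m.group(2) == current.user:
            current.rhost = m.group(1)
            continue
        m = RE_FAILED.search(line)
        if m and m.group(1) == current.user:
            current.outcome = "failure"
            current.reason = m.group(2).strip()
            current = None
            continue
        m = RE_SUCCESS.search(line)
        if m and m.group(1) == current.user:
            current.outcome = "success"
            current = None
    return attempts


def failed_logins_by_source(attempts, threshold=1):
    """Count failures per (peer address, user); "unknown" when pluto ran without PAM debug."""
    counts = {}
    for a in attempts:
        if a.outcome == "failure":
            key = (a.rhost or "unknown", a.user)
            counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for a in parse_xauth_attempts(SAMPLE_LOG):
        print(a)
    print(failed_logins_by_source(parse_xauth_attempts(SAMPLE_LOG)))
```

Run against `journalctl -u ipsec` or the syslog file pluto writes to; the password length only shows up when pluto is started with ModeCfg debugging enabled, which is why the first attempt in the sample has it and the second does not.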