[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Pontus Wiberg pontus.wiberg at universumglobal.com
Thu Aug 21 10:55:24 EEST 2014


Hi all,

This below is what I get when using PAM (same as above); the password is
correct though. But as you can see (further) below, when using
xauthby=file, Libreswan interprets the sent password as (null) even though
the modecfg reports the correct number of letters in the password. Thus it
is received but not hashed correctly, or at least null is used when
comparing to the hashed password in the file. This happens to me on 3
different VMs on different versions of Ubuntu, all using Libreswan 3.9.

XAUTH: User testuser: Attempting to login
XAUTH: pam authentication being called to authenticate user testuser
XAUTH: pam_authenticate failed with 'Permission denied'
XAUTH: User testuser: Authentication Failed: Incorrect Username or Password



XAUTH: User testuser: Attempting to login
XAUTH: passwd file authentication being called to authenticate user testuser
XAUTH: password file (/etc/ipsec.d/passwd) open.
| XAUTH: checking user(testuser:roadwarrior) pass (null) vs $apr1$mjH4.GBd$
***********************/
XAUTH: nope
XAUTH: User testuser: Authentication Failed: Incorrect Username or Password

I also added the part in the PAM pluto config that was suggested, but this did
not help. I will try on a fourth server with a clean setup (again). Any
recommendations on OS or anything? I really need to get past this issue :(

thanks everyone,
Pontus

*Pontus Wiberg*
Operations Lead
Mobile: +46 70 459 9808
universumglobal.com


On 21 August 2014 00:05, Matt Rogers <mrogers at redhat.com> wrote:

> On 07/21, Remy van Elst wrote:
> > Hello Paul,
> >
> > 3.9 does not seem to fix the problem, I still get login errors with
> > either PAM or a passwd file, same steps as earlier but with the new
> > packages:
> >
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 61015: I am...behind NAT
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: new NAT mapping for #2, was 83.162.250.46:1024, now 83.162.250.46:61015
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 prf=...=MODP1024}
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: received and ignored informational message for unknown state
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn: Attempting to login
> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: pam authentication being called to authenticate user vpn
> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: pam_authenticate failed with 'Authentication failure'
> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn: Authentication Failed: Incorrect Username or Password
> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2
> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4] 83.162.250.46: deleting connection "xauth-rsa" instance with peer 83.162.250.46 {isakmp=#0/ipsec=#0}
> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: packet from 83.162.250.46:61015: received and ignored empty informational notification payload
> >
>
> I've tried to reproduce this with your configuration on RHEL7 and Win7 with
> the Shrew client 2.2.2, and the pam method worked. For the client authentication
> settings I used Mutual PSK + XAuth, with a Remote Identity of Any and a Local
> Identity with the IP Address, with the PSK added to the Credentials tab.
>
> It would help to see the debug logs around the failure, with the pam feedback.
> For example, an incorrect password provided:
>
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg attribute:
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    ModeCfg attr type: 16522??
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    length/value: 1
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | complete state transition with STF_IGNORE
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | #9 complete_v1_state_transition:2165 st->st_calculating == FALSE;
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | * processed 0 messages from cryptographic helpers
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for #9
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for #9
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to login
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: pam authentication being called to authenticate user vpnuser
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_start SUCCESS
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_set_item SUCCESS
> Aug 20 13:38:02 rhel7-b1 unix_chkpwd[27403]: password check failed for user (vpnuser)
> Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181 user=vpnuser
> Aug 20 13:38:04 rhel7-b1 pluto[27347]: | pam_authenticate failed with 'Authentication failure
> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with 'Authentication failure'
> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication Failed: Incorrect Username or Password
>
> The ModeCfg attribute displayed is the password length, so you can at least
> verify the password length in case the client is leaving something out.
>
> Regards,
> Matt
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
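As an added example (not part of this thread and not Libreswan's own code): a stand-alone Python checker that recomputes a `$apr1$` entry of the kind shown in the `xauthby=file` debug line above, using the entry's own salt, and compares it with a supplied password in constant time. It lets an administrator confirm, independently of pluto, whether the hash in /etc/ipsec.d/passwd actually matches the password the client sends, which separates a bad file entry from a password being lost on the way to the comparison (the `(null)` in the debug output), and it pairs with Matt's advice to check the ModeCfg length by recording the password length it was given. The `user:hash:connection[:ip]` line layout, the sample salt and password, and all function names are assumptions of this example.

```python
"""Stand-alone checker for $apr1$ entries in a Libreswan-style xauth passwd file."""
import hashlib
import hmac
from typing import Optional

# crypt(3)-style base64 alphabet shared by md5crypt ($1$) and Apache apr1
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    # Emit n characters, 6 bits at a time, least significant group first
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Apache-style MD5 crypt: the md5crypt construction with a $apr1$ magic."""
    magic = b"$apr1$"
    pw = password.encode()
    sb = salt[:8].encode()                 # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)                           # mix in one byte of alt per password byte
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)                            # bit-pattern step of the original algorithm
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # 1000 strengthening rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = b""                              # permuted encoding of 16 bytes into 22 chars
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (magic + sb + b"$" + out).decode()


def parse_passwd_line(line: str) -> Optional[dict]:
    """Assumed layout user:hash:connection[:ip]; None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 3:
        return None
    return {"user": fields[0], "hash": fields[1], "conn": fields[2],
            "ip": fields[3] if len(fields) > 3 else None}


def verify_entry(entry: dict, password: Optional[str]) -> bool:
    """Recompute with the stored salt and compare in constant time.
    An absent password (the '(null)' case in the thread) can never match."""
    if password is None:
        return False
    parts = entry["hash"].split("$")       # ['', 'apr1', salt, digest]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    candidate = apr1_crypt(password, parts[2])
    return hmac.compare_digest(candidate.encode(), entry["hash"].encode())


def check_file(text: str, user: str, conn: str, password: Optional[str]) -> dict:
    """Report the received password length (what ModeCfg would carry) and
    whether any (user, conn) entry in the file accepts that password."""
    matched = False
    for line in text.splitlines():
        e = parse_passwd_line(line)
        if e and e["user"] == user and e["conn"] == conn and verify_entry(e, password):
            matched = True
    return {"password_len": None if password is None else len(password), "ok": matched}


# Constructed sample file: salt, password and user/connection are made up here
SAMPLE_SALT = "c0nstrct"
SAMPLE_PASSWORD = "correct horse"
SAMPLE_PASSWD = ("# user:hash:connection\n"
                 f"testuser:{apr1_crypt(SAMPLE_PASSWORD, SAMPLE_SALT)}:roadwarrior\n")

if __name__ == "__main__":
    print("right password:", check_file(SAMPLE_PASSWD, "testuser", "roadwarrior", SAMPLE_PASSWORD))
    print("null password: ", check_file(SAMPLE_PASSWD, "testuser", "roadwarrior", None))
```

Run against a real file by reading /etc/ipsec.d/passwd into `check_file` with the user and connection name from the `checking user(...)` debug line; if it reports `ok: True` while pluto still logs `pass (null)`, the file entry is sound and the problem lies in how the password reaches the comparison, not in the hash.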