[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Pontus Wiberg pontus.wiberg at universumglobal.com
Thu Aug 21 11:49:34 EEST 2014


FYI, I did a new setup on an Ubuntu server with no additional software but
Libreswan and its requirements, a clean setup, clean ipsec.conf, and I'm getting
the same error. The password is incorrectly handled by Libreswan or some
dependency somewhere, the same error as I've had on Openswan too.

Is there anything I can do to help narrow this down?

 ****parse ISAKMP ModeCfg attribute:
|    ModeCfg attr type: 16521??
|    length/value: 8  *<-- username is correct and 8 chars*
| ****parse ISAKMP ModeCfg attribute:
|    ModeCfg attr type: 16522??
|    length/value: 12 *<-- password is correct and 12 chars*
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 15 seconds for #1
| next event EVENT_DPD in 15 seconds for #1
XAUTH: User testuser: Attempting to login
XAUTH: passwd file authentication being called to authenticate user testuser
XAUTH: password file (/etc/ipsec.d/passwd) open.
| XAUTH: found user(testuser/testuser) pass($apr1$RXWgYKAc$***********/)
connid(roadwarrior/roadwarrior)
| XAUTH: checking user(testuser:roadwarrior) pass (null) vs
$apr1$RXWgYKAc$***********/ *<-- password is now: (null)*
XAUTH: nope
XAUTH: User testuser: Authentication Failed: Incorrect Username or Password





On 21 August 2014 09:55, Pontus Wiberg <pontus.wiberg at universumglobal.com>
wrote:

> Hi all,
>
> This below is what I get when using PAM (same as above); the password is
> correct though. But as you can see (further) below, when using
> xauthby=file, Libreswan interprets the sent password as (null) even though
> the modecfg reports the correct number of letters in the password. Thus it
> is received but not hashed correctly, or at least null is used when
> comparing to the hashed password in the file. This happens to me on 3
> different VMs on different versions of Ubuntu, all using Libreswan 3.9.
>
> XAUTH: User testuser: Attempting to login
> XAUTH: pam authentication being called to authenticate user testuser
> XAUTH: pam_authenticate failed with 'Permission denied'
> XAUTH: User testuser: Authentication Failed: Incorrect Username or Password
>
>
>
> XAUTH: User testuser: Attempting to login
> XAUTH: passwd file authentication being called to authenticate user
> testuser
> XAUTH: password file (/etc/ipsec.d/passwd) open.
> | XAUTH: checking user(testuser:roadwarrior) pass (null) vs $apr1$mjH4.GBd$
> ***********************/
> XAUTH: nope
> XAUTH: User testuser: Authentication Failed: Incorrect Username or Password
>
> I also added the part in PAM pluto config that was suggested but this did
> not help, I will try on a fourth server with a clean setup (again), any
> recommendations on OS or anything? I really need to get past this issue :(
>
> thanks everyone,
> Pontus
>
> *Pontus Wiberg*
> Operations Lead
> Mobile: +46 70 459 9808
> universumglobal.com
> ------------------------------
>
>
> On 21 August 2014 00:05, Matt Rogers <mrogers at redhat.com> wrote:
>
>> On 07/21, Remy van Elst wrote:
>> > Hello Paul,
>> >
>> > 3.9 does not seem to fix the problem, I still get login errors with
>> > either PAM or a passwd file, same steps as earlier but with the new
>> > packages:
>> >
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)
>> > sender port 61015: I am...behind NAT
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state
>> STATE_AGGR_R2
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: new NAT mapping for #2, was 83.162.250.46:1024, now
>> > 83.162.250.46:61015
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established
>> > {auth=PRESHARED_KEY cipher=aes_256 prf=...=MODP1024}
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT,
>> > msgid=00000000, length=28
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: received and ignored informational message for unknown
>> > state
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn:
>> > Attempting to login
>> > Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: pam
>> > authentication being called to authenticate user vpn
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH:
>> > pam_authenticate failed with 'Authentication failure'
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn:
>> > Authentication Failed: Incorrect Username or Password
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]
>> > 83.162.250.46: deleting connection "xauth-rsa" instance with peer
>> > 83.162.250.46 {isakmp=#0/ipsec=#0}
>> > Jul 21 16:04:47 localhost.localdomain pluto[3836]: packet from
>> > 83.162.250.46:61015: received and ignored empty informational
>> > notification payload
>> >
>>
>> I've tried to reproduce this with your configuration on RHEL7 and Win7 with
>> the Shrew client 2.2.2, and the pam method worked. For the client
>> authentication settings I used Mutual PSK + XAuth, with a Remote Identity of
>> Any and a Local Identity with the IP Address, with the PSK added to the
>> Credentials tab.
>>
>> It would help to see the debug logs around the failure, with the pam
>> feedback. For example, an incorrect password provided:
>>
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg
>> attribute:
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    ModeCfg attr type: 16522??
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: |    length/value: 1
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | complete state transition with
>> STF_IGNORE
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | #9
>> complete_v1_state_transition:2165
>> st->st_calculating == FALSE;
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | * processed 0 messages from
>> cryptographic helpers
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9
>> seconds for
>> #9
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9
>> seconds for
>> #9
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to
>> login
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: pam authentication being
>> called to
>> authenticate user vpnuser
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_start SUCCESS
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_set_item SUCCESS
>> Aug 20 13:38:02 rhel7-b1 unix_chkpwd[27403]: password check failed for
>> user
>> (vpnuser)
>> Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth):
>> authentication
>> failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181
>> user=vpnuser
>> Aug 20 13:38:04 rhel7-b1 pluto[27347]: | pam_authenticate failed with
>> 'Authentication failure
>> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with
>> 'Authentication failure'
>> Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication
>> Failed: Incorrect Username or Password
>>
>> The ModeCfg attribute displayed is the password length, so you can at least
>> verify the password length in case the client is leaving something out.
>>
>> Regards,
>> Matt
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>
>
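The xauthby=file failure in the thread comes down to one comparison: the password received over ModeCfg (length correct) is compared as (null) against the $apr1$ hash stored in /etc/ipsec.d/passwd. As an added example that is not from the thread or from Libreswan, the Python below replays that comparison offline, so a stored hash can be verified against the intended password independently of pluto: it parses a constructed passwd file in the user:hash:connection format, recomputes the $apr1$ (APR md5-crypt) hash with the stored salt, and reports whether a failure comes from the file entry or from a null password reaching the check. The sample hash is Apache's documented htpasswd vector for "myPassword"; the user and connection names are constructed.

```python
import hashlib

# Constructed /etc/ipsec.d/passwd sample (user:hash:connection), not the poster's
# file; the hash is Apache's published htpasswd vector for "myPassword".
PASSWD_FILE = """\
# username:crypt-style-hash:connection-name
testuser:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/:roadwarrior
"""
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    """crypt(3)-style base64: n characters, least-significant 6 bits first."""
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def apr1_md5(password, salt):
    """APR '$apr1$' flavour of md5-crypt: same rounds as '$1$', different magic."""
    pw, s = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):        # feed len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                                # mix in the bit pattern of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                   # 1000 strengthening rounds
        c = hashlib.md5(pw if r & 1 else final)
        c.update((s if r % 3 else b"") + (pw if r % 7 else b""))
        c.update(final if r & 1 else pw)
        final = c.digest()
    words = [(final[a] << 16) | (final[b] << 8) | final[c] for a, b, c in
             ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    return "$apr1$%s$%s%s" % (s.decode(), "".join(_to64(w, 4) for w in words),
                              _to64(final[11], 2))


def check_passwd_entry(passwd_text, user, conn, password):
    """Replay pluto's lookup (user AND connection must match), then compare."""
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if f[0].startswith("#") or len(f) < 3 or f[0] != user or f[2] != conn:
            continue
        if password is None:                # the 'pass (null)' case in the thread
            return "null-password"
        parts = f[1].split("$")             # ['', 'apr1', salt, digest]
        if len(parts) != 4 or parts[1] != "apr1":
            return "unsupported-hash"
        return "match" if apr1_md5(password, parts[2]) == f[1] else "mismatch"
    return "no-entry"
```

A "match" here with the password the client is configured to send points at the daemon side (the null password in the debug line), while "mismatch" points at the file entry itself.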