[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Matt Rogers mrogers at redhat.com
Thu Aug 21 22:15:30 EEST 2014


On 08/21, Pontus Wiberg wrote:
> FYI did a new setup on a Ubuntu server with no additional software but
> Libreswan and the requirements, a clean setup, clean ipsec.conf, getting
> the same error. The password is incorrectly handled by Libreswan or some
> dependency somewhere, same error as I've had on Openswan too.
> 
> Is there anything I can do to help narrow this down?
> 
>  ****parse ISAKMP ModeCfg attribute:
> |    ModeCfg attr type: 16521??
> |    length/value: 8  *<-- username is correct and 8 chars*
> | ****parse ISAKMP ModeCfg attribute:
> |    ModeCfg attr type: 16522??
> |    length/value: 12 *<-- password is correct and 12 chars*
> | complete state transition with STF_IGNORE
> | * processed 0 messages from cryptographic helpers
> | next event EVENT_DPD in 15 seconds for #1
> | next event EVENT_DPD in 15 seconds for #1
> XAUTH: User testuser: Attempting to login
> XAUTH: passwd file authentication being called to authenticate user testuser
> XAUTH: password file (/etc/ipsec.d/passwd) open.
> | XAUTH: found user(testuser/testuser) pass($apr1$RXWgYKAc$***********/)
> connid(roadwarrior/roadwarrior)
> | XAUTH: checking user(testuser:roadwarrior) pass (null) vs
> $apr1$RXWgYKAc$***********/ *<-- password is now: (null)*
> XAUTH: nope
> XAUTH: User testuser: Authentication Failed: Incorrect Username or Password
> 

I found this to be the result of crypt() failing when passed the default
htpasswd created hash. The $apr1$ part specifies an ID that crypt doesn't seem
to support. If you want to work around this you can add -d to the htpasswd
option and that will give you a crypt() compatible hash (or use a different tool
to create one of the types mentioned in crypt(3))

So we'll need to handle this hash type seperately, or not recommend htpasswd like we
do currently in the code comments.

Regards,
Matt


More information about the Swan mailing list