[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Paul Wouters paul at nohats.ca
Thu Aug 21 23:48:07 EEST 2014


On Thu, 21 Aug 2014, Pontus Wiberg wrote:

> FYI did a new setup on an Ubuntu server with no additional software but Libreswan and the requirements, a clean setup,
> clean ipsec.conf, getting the same error. The password is incorrectly handled by Libreswan or some dependency somewhere,
> same error as I've had on Openswan too. 
> Is there anything I can do to help narrow this down? 
> 
>  ****parse ISAKMP ModeCfg attribute:
> |    ModeCfg attr type: 16521??
> |    length/value: 8  <-- username is correct and 8 chars
> | ****parse ISAKMP ModeCfg attribute:
> |    ModeCfg attr type: 16522??
> |    length/value: 12 <-- password is correct and 12 chars
> | complete state transition with STF_IGNORE
> | * processed 0 messages from cryptographic helpers
> | next event EVENT_DPD in 15 seconds for #1
> | next event EVENT_DPD in 15 seconds for #1
> XAUTH: User testuser: Attempting to login
> XAUTH: passwd file authentication being called to authenticate user testuser
> XAUTH: password file (/etc/ipsec.d/passwd) open.
> | XAUTH: found user(testuser/testuser) pass($apr1$RXWgYKAc$***********/) connid(roadwarrior/roadwarrior)
> | XAUTH: checking user(testuser:roadwarrior) pass (null) vs $apr1$RXWgYKAc$***********/ <-- password is now: (null)
> XAUTH: nope
> XAUTH: User testuser: Authentication Failed: Incorrect Username or Password

It's odd. I cannot reproduce this:

XAUTH: User use3: Attempting to login
XAUTH: passwd file authentication being called to authenticate user use3
XAUTH: password file (/etc/ipsec.d/passwd) open.
| XAUTH: found user(road/use3) pass($apr1$898RP...$9gJFVFuZIvsD0dTGADcv10) connid(xauth-road-eastnet/modecfg-road-eastnet-psk)
| XAUTH: found user(use1/use3) pass(xOzlFlqtwJIu2) connid(xauth-road-eastnet/modecfg-road-eastnet-psk)
| XAUTH: found user(use2/use3) pass(xOzlFlqtwJIu2) connid(xauth-road-eastnet-psk/modecfg-road-eastnet-psk)
| XAUTH: found user(use3/use3) pass(xOzlFlqtwJIu2) connid(modecfg-road-eastnet-psk/modecfg-road-eastnet-psk)
| XAUTH: checking user(use3:modecfg-road-eastnet-psk) pass xOzlFlqtwJIu2 vs xOzlFlqtwJIu2
XAUTH: User use3: Authentication Successful

Is your /etc/ipsec.d/passwd marked with the proper connection?

Note that Matt might be right about the crypt() call, although it is
odd. But you can try using htpasswd -d to generate crypt() passwords.

Paul
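
A lint for the two checks suggested in this message (the connection field in /etc/ipsec.d/passwd and the hash scheme of the stored password), as an added example that is not part of the original message or of Libreswan's code. It assumes the `username:hash:connection` line format and that the local crypt() handles only DES, `$1$`, `$5$` and `$6$` hashes; the function names and the sample entries are constructed.

```python
import re

# Hash schemes by prefix/shape. Which ones the local crypt() accepts is
# platform-dependent; CRYPT_OK below is an assumption (glibc-style crypt()).
SCHEMES = [
    (re.compile(r"^\$apr1\$"), "apr1-md5"),              # htpasswd -m
    (re.compile(r"^\$1\$"), "md5-crypt"),
    (re.compile(r"^\$5\$"), "sha256-crypt"),
    (re.compile(r"^\$6\$"), "sha512-crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt"),   # htpasswd -d
]
CRYPT_OK = {"des-crypt", "md5-crypt", "sha256-crypt", "sha512-crypt"}

def classify(hash_field):
    """Return the scheme name for a stored hash, or 'unknown'."""
    for pattern, name in SCHEMES:
        if pattern.search(hash_field):
            return name
    return "unknown"

def lint_passwd(text, user, conn_name):
    """Check every entry for `user`; return (line_no, code, detail) tuples."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((line_no, "malformed", line))
            continue
        name, hash_field = fields[0], fields[1]
        conn = fields[2] if len(fields) > 2 else ""
        if name != user:
            continue
        scheme = classify(hash_field)
        if scheme not in CRYPT_OK:
            findings.append((line_no, "hash-scheme", scheme))
        # An empty connection field is not flagged (assumed to match any).
        if conn and conn != conn_name:
            findings.append((line_no, "wrong-connection", conn))
    return findings

# Constructed sample file; the hashes are placeholders, not real ones.
SAMPLE = "\n".join([
    "testuser:$apr1$CONSTRUC$AAAAAAAAAAAAAAAAAAAAAA:roadwarrior",
    "testuser:ab0123456789A:otherconn",
    "other:ab0123456789A:roadwarrior",
])
```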

