[Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

Pontus Wiberg pontus.wiberg at universumglobal.com
Fri Aug 22 09:50:01 EEST 2014


Seems really odd, I tried it on RHEL7 as well with the same issue. The passwd
file is indeed marked correctly - I changed to using crypt() passwords and
it worked immediately! Thanks, I guess crypt should be fine for XAUTH, and
this way I can at least finish my setup for now. If anything is needed from
me to further troubleshoot, let me know and I can check on one of my now 5
VMs set up for this issue :)

*Pontus Wiberg*
Operations Lead
universumglobal.com


On 21 August 2014 22:48, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 21 Aug 2014, Pontus Wiberg wrote:
>
>> FYI did a new setup on a Ubuntu server with no additional software but
>> Libreswan and the requirements, a clean setup,
>> clean ipsec.conf, getting the same error. The password is incorrectly
>> handled by Libreswan or some dependency somewhere,
>> same error as I've had on Openswan too.
>> Is there anything I can do to help narrow this down?
>>
>>  ****parse ISAKMP ModeCfg attribute:
>> |    ModeCfg attr type: 16521??
>> |    length/value: 8  <-- username is correct and 8 chars
>> | ****parse ISAKMP ModeCfg attribute:
>> |    ModeCfg attr type: 16522??
>> |    length/value: 12 <-- password is correct and 12 chars
>> | complete state transition with STF_IGNORE
>> | * processed 0 messages from cryptographic helpers
>> | next event EVENT_DPD in 15 seconds for #1
>> | next event EVENT_DPD in 15 seconds for #1
>> XAUTH: User testuser: Attempting to login
>> XAUTH: passwd file authentication being called to authenticate user
>> testuser
>> XAUTH: password file (/etc/ipsec.d/passwd) open.
>> | XAUTH: found user(testuser/testuser) pass($apr1$RXWgYKAc$***********/)
>> connid(roadwarrior/roadwarrior)
>> | XAUTH: checking user(testuser:roadwarrior) pass (null) vs
>> $apr1$RXWgYKAc$***********/ <-- password is now: (null)
>> XAUTH: nope
>> XAUTH: User testuser: Authentication Failed: Incorrect Username or
>> Password
>>
>
> It's odd. I cannot reproduce this:
>
> XAUTH: User use3: Attempting to login
> XAUTH: passwd file authentication being called to authenticate user use3
>
> XAUTH: password file (/etc/ipsec.d/passwd) open.
> | XAUTH: found user(road/use3) pass($apr1$898RP...$9gJFVFuZIvsD0dTGADcv10)
> connid(xauth-road-eastnet/modecfg-road-eastnet-psk)
> | XAUTH: found user(use1/use3) pass(xOzlFlqtwJIu2)
> connid(xauth-road-eastnet/modecfg-road-eastnet-psk)
> | XAUTH: found user(use2/use3) pass(xOzlFlqtwJIu2)
> connid(xauth-road-eastnet-psk/modecfg-road-eastnet-psk)
> | XAUTH: found user(use3/use3) pass(xOzlFlqtwJIu2)
> connid(modecfg-road-eastnet-psk/modecfg-road-eastnet-psk)
> | XAUTH: checking user(use3:modecfg-road-eastnet-psk) pass xOzlFlqtwJIu2
> vs xOzlFlqtwJIu2
> XAUTH: User use3: Authentication Successful
>
> Is your /etc/ipsec.d/passwd marked with the proper connection ?
>
> Note that Matt might be right about the crypt() call, although it is
> odd. But you can try using htpasswd -d to generate crypt() passwords.
>
> Paul
>
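
An added example, not part of the thread and not Libreswan code: in the failing log the hash computed for the $apr1$ entry is printed as (null), and crypt() passwords from htpasswd -d worked, so this script audits a passwd file for entries in the failing format. It assumes a user:hash:connection line layout, inferred from the user/pass/connid fields in the debug output; all entries in SAMPLE are constructed.

```python
import re

# Traditional DES crypt(): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (scheme, verdict) for the password field of one entry."""
    if field.startswith("$apr1$"):
        # Apache's own MD5 variant; the thread's failing case, where the
        # hash computed for comparison was logged as (null).
        return "apr1", "fail"
    if DES_CRYPT.match(field):
        # What htpasswd -d produces; the format that worked in the thread.
        return "des-crypt", "ok"
    if field.startswith("$"):
        # Another $id$ scheme: the thread does not cover it, so test it.
        return field.split("$")[1] or "unknown", "check"
    return "unknown", "check"


def audit_passwd(text):
    """Return a list of (lineno, user, conn, scheme, verdict) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            findings.append((lineno, line, "", "malformed", "fail"))
            continue
        conn = parts[2] if len(parts) > 2 else ""  # assumed optional field
        scheme, verdict = classify_hash(parts[1])
        findings.append((lineno, parts[0], conn, scheme, verdict))
    return findings


# Constructed sample entries (assumed layout: user:hash:connection).
SAMPLE = """\
testuser:$apr1$abcdefgh$0123456789abcdefghijk.:roadwarrior
use3:abCDEFGHIJKLM:modecfg-road-eastnet-psk
bob:$6$saltsalt$xyz
"""

if __name__ == "__main__":
    for lineno, user, conn, scheme, verdict in audit_passwd(SAMPLE):
        print(f"line {lineno}: user={user} conn={conn or '-'} "
              f"scheme={scheme} -> {verdict}")
```

Entries reported as "check" are formats the thread does not settle either way; confirm them with a test login before relying on them.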

