[Swan] [Openswan Users] XAUTH not receiving/computing password

Paul Wouters paul at nohats.ca
Tue Aug 26 18:06:08 EEST 2014


On Tue, 19 Aug 2014, Pontus Wiberg wrote:

> Yes, I use xauthby=file and the /etc/ipsec.d/passwd file is:
> pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior

So $apr1$ is not standard crypt(); it is Apache-specific:

https://httpd.apache.org/docs/current/misc/password_encryptions.html

     "$apr1$" + the result of an Apache-specific algorithm using an
     iterated (1,000 times) MD5 digest of various combinations of a random
     32-bit salt and the password. See the APR source file apr_md5.c for the
     details of the algorithm.

https://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup

and htpasswd claims it has been the default since Apache 2.2.18

Perhaps someone wants to write a small Python script or C binary for
managing a /etc/ipsec.d/passwd file that only uses crypt() with one
of the more secure options specified via the $id$ salts?

Alternatively, we can recognise the salt $apr1$ as special, and use a
copy of the apr_md5.c code to verify the password. Although since it is
based on md5, it would not be functional in FIPS mode.

Paul
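
Added example, not part of the original message and not Openswan/Libreswan code: a small audit of /etc/ipsec.d/passwd entries that identifies each hash scheme from its $id$ prefix and flags the two problems raised above (not handled by crypt(), MD5-based). It assumes the user:hash:connection layout shown in the quoted entry; the function names and the second sample entry are constructed for illustration.

```python
import re

# "$id$" prefixes handled by glibc crypt(); "$apr1$" is Apache's own scheme
# (apr_md5.c). Value: (scheme name, handled by crypt(), based on MD5)
SCHEMES = {
    "1": ("MD5-crypt", True, True),
    "5": ("SHA-256-crypt", True, False),
    "6": ("SHA-512-crypt", True, False),
    "apr1": ("Apache apr1 MD5", False, True),
}
ID_RE = re.compile(r"^\$([A-Za-z0-9]+)\$")

def classify(hash_field):
    """Return (scheme name, list of findings) for one hash field."""
    m = ID_RE.match(hash_field)
    entry = SCHEMES.get(m.group(1)) if m else None
    if entry is None:
        return "unrecognised", ["no recognised $id$ prefix, check what the system crypt() supports"]
    name, crypt_ok, md5_based = entry
    findings = []
    if not crypt_ok:
        findings.append("not verifiable with plain crypt()")
    if md5_based:
        findings.append("MD5-based, not functional in FIPS mode")
    return name, findings

def audit(text):
    """Return a list of (line number, user, scheme, findings), one per entry."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if fields == [""]:          # blank line
            continue
        if len(fields) < 2:
            results.append((lineno, line.strip(), "malformed", ["expected user:hash[:connection]"]))
            continue
        scheme, findings = classify(fields[1])
        results.append((lineno, fields[0], scheme, findings))
    return results

# First entry is the one quoted in the thread; the second is constructed.
SAMPLE = """\
pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior
alice:$6$constructedsalt$CONSTRUCTEDplaceholderHASH:roadwarrior
"""

if __name__ == "__main__":
    for lineno, user, scheme, findings in audit(SAMPLE):
        print(lineno, user, scheme, "; ".join(findings) or "ok")
```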

