[Swan] [Openswan Users] XAUTH not receiving/computing password

Nels Lindquist nlindq at maei.ca
Tue Aug 26 21:04:03 EEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8/26/2014 9:06 AM, Paul Wouters wrote:
> On Tue, 19 Aug 2014, Pontus Wiberg wrote:
> 
>> Yes, I use xauthby=file and the /etc/ipsec.d/passwd file is: 
>> pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior
> 
> So $apr1$ is not standard crypt(), it is apache specific:
> 
> https://httpd.apache.org/docs/current/misc/password_encryptions.html
>
>  "$apr1$" + the result of an Apache-specific algorithm using an 
> iterated (1,000 times) MD5 digest of various combinations of a
> random 32-bit salt and the password. See the APR source file
> apr_md5.c for the details of the algorithm.
> 
> https://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup
>
>  and htpasswd claims it has been the default since apache 2.2.18
> 
> Perhaps someone wants to write a small python script or C binary
> for managing a /etc/ipsec.d/passwd file that only uses crypt() with
> one of the more secure options specified via the $id$ salts?
> 
> Alternatively, we can recognise the salt $apr1$ as special, and use
> a copy of the apr_md5.c code to verify the password. Although since
> it is based on md5, it would not be functional in FIPS mode.

Would/Should this have any impact on using pam with XAUTH?  I'd prefer
to do that myself, if possible, and I'm experiencing the same issues
on CentOS 6 that Remy and Pontus are on CentOS/RHEL 7.


-- 
Nels Lindquist
<nlindq at maei.ca>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)

iEYEARECAAYFAlP8zBEACgkQh6z5POoOLgR2gACdGEAS4QFvzsQ5+ct362z7sgMF
C1kAoLQJWocMcYEcrZ1jDHAZrCPCBJvB
=kEN+
-----END PGP SIGNATURE-----
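To make Paul's two suggestions concrete, here is an added example written for this archive page (it is not Openswan code): a Python port of the "$apr1$" routine from the apr_md5.c he links, used to verify entries in a user:hash:connection passwd file of the shape Pontus posted, together with an audit of which entries a crypt()-only checker would reject. The helper names, the file layout and the sample lines are assumptions; the myName line is the `htpasswd -nbm myName myPassword` example from the Apache page linked above, and the pontus line is the one quoted in the thread (its password is not known here).

```python
"""Verify/audit an Openswan xauthby=file passwd (user:hash:connection lines).
Added example for this thread, not Openswan code: a Python port of the
"$apr1$" routine in Apache's apr_md5.c plus a check for $apr1$ entries."""
import hashlib
import hmac

APR1_MAGIC = "$apr1$"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """apr_md5.c to64(): `count` ITOA64 chars, lowest 6 bits first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_crypt(password, salt):
    """The APR "$apr1$" hash, step for step from apr_md5.c.  Plain hashlib.md5
    on purpose: a FIPS-mode OpenSSL refuses it, the limitation Paul mentions."""
    pw = password.encode()
    salt = salt.split("$", 1)[0][:8]      # salt stops at '$' or 8 chars
    sp = salt.encode()

    ctx = hashlib.md5(pw + APR1_MAGIC.encode() + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)                           # one alt block per 16 pw bytes
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)                            # "something really weird": per bit
    while i:                               # of len(pw), a NUL (final was
        ctx.update(b"\0" if i & 1 else pw[:1])  # zeroed) or pw[0]
        i >>= 1
    f = ctx.digest()

    for r in range(1000):                  # the 1,000 iterations
        c = hashlib.md5(pw if r & 1 else f)
        if r % 3:
            c.update(sp)
        if r % 7:
            c.update(pw)
        c.update(f if r & 1 else pw)
        f = c.digest()

    enc = (_to64(f[0] << 16 | f[6] << 8 | f[12], 4)
           + _to64(f[1] << 16 | f[7] << 8 | f[13], 4)
           + _to64(f[2] << 16 | f[8] << 8 | f[14], 4)
           + _to64(f[3] << 16 | f[9] << 8 | f[15], 4)
           + _to64(f[4] << 16 | f[10] << 8 | f[5], 4)
           + _to64(f[11], 2))
    return APR1_MAGIC + salt + "$" + enc


def apr1_verify(password, stored):
    """Constant-time comparison against a stored $apr1$ string."""
    if not stored.startswith(APR1_MAGIC):
        return False
    salt = stored[len(APR1_MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


def hash_scheme(stored):
    """The $id$ of a stored hash ('apr1', '1', '5', '6', ...), '' if none."""
    return stored.split("$", 2)[1] if stored.startswith("$") and stored.count("$") >= 2 else ""


def parse_passwd(text):
    """user -> (hash, connection) from user:hash:connection lines."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError("line %d: expected user:hash:connection" % n)
        entries[parts[0]] = (parts[1], parts[2])
    return entries


def audit_passwd(entries):
    """Users with $apr1$ hashes: rejected by crypt()-only code, unusable in FIPS mode."""
    return sorted(u for u, (h, _) in entries.items() if hash_scheme(h) == "apr1")


def xauth_check(entries, user, password, conn):
    """Would this XAUTH login be accepted for connection `conn`? ($apr1$ only here)"""
    stored, allowed = entries.get(user, ("", ""))
    return allowed == conn and apr1_verify(password, stored)


# Constructed sample: line 1 is `htpasswd -nbm myName myPassword` from the
# Apache docs page linked above; line 2 is the entry Pontus posted.
SAMPLE_PASSWD = """\
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/:roadwarrior
pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior
"""
```

`audit_passwd(parse_passwd(SAMPLE_PASSWD))` lists both users, and `xauth_check(..., "myName", "myPassword", "roadwarrior")` is the only login that succeeds; a wrong connection name fails even with the right password. hashlib.md5 is deliberately not called with usedforsecurity=False, so on a FIPS-mode OpenSSL build the verifier fails instead of silently degrading, which is the trade-off Paul points out for any $apr1$ support.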

