[Swan] [Openswan Users] XAUTH not receiving/computing password
Nels Lindquist
nlindq at maei.ca
Tue Aug 26 21:04:03 EEST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 8/26/2014 9:06 AM, Paul Wouters wrote:
> On Tue, 19 Aug 2014, Pontus Wiberg wrote:
>
>> Yes, I use xauthby=file and the /etc/ipsec.d/passwd file is:
>> pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior
>
> So $apr1$ is not standard crypt(), it is apache specific:
>
> https://httpd.apache.org/docs/current/misc/password_encryptions.html
>
> "$apr1$" + the result of an Apache-specific algorithm using an
> iterated (1,000 times) MD5 digest of various combinations of a
> random 32-bit salt and the password. See the APR source file
> apr_md5.c for the details of the algorithm.
>
> https://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup
>
> and htpasswd claims it has been the default since apache 2.2.18
>
> Perhaps someone wants to write a small python script or C binary
> for managing a /etc/ipsec.d/passwd file that only uses crypt() with
> one of the more secure options specified via the $id$ salts?
>
> Alternatively, we can recognise the salt $apr1$ as special, and use
> a copy of the apr_md5.c code to verify the password. Although since
> it is based on md5, it would not be functional in FIPS mode.
Would/Should this have any impact on using pam with XAUTH? I'd prefer
to do that myself, if possible, and I'm experiencing the same issues
on CentOS 6 that Remy and Pontus are on CentOS/RHEL 7.
- --
Nels Lindquist
<nlindq at maei.ca>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (MingW32)
iEYEARECAAYFAlP8zBEACgkQh6z5POoOLgR2gACdGEAS4QFvzsQ5+ct362z7sgMF
C1kAoLQJWocMcYEcrZ1jDHAZrCPCBJvB
=kEN+
-----END PGP SIGNATURE-----
More information about the Swan
mailing list