<div dir="ltr">Hi all,<div><br></div><div>This below is what I get when using PAM (same as above) , the password is correct though. but as you can ssee (further) below when using xauthby=file, Libreswan interpretes the sent password as (null) even though the modecfg reports the correct number of letters in the password. Thus it is received but not hashed correctly or at least null is used when comparing to the hashed password in the file. This happens to me on 3 different VMs on different versions of Ubuntu all using Libreswan 3.9</div>
<div><br></div><div><div>XAUTH: User testuser: Attempting to login</div><div>XAUTH: pam authentication being called to authenticate user testuser</div><div>XAUTH: pam_authenticate failed with 'Permission denied'</div>
<div>XAUTH: User testuser: Authentication Failed: Incorrect Username or Password</div></div><div><br></div><div><br></div><div><br></div><div><div>XAUTH: User testuser: Attempting to login</div><div>XAUTH: passwd file authentication being called to authenticate user testuser</div>
<div>XAUTH: password file (/etc/ipsec.d/passwd) open.</div><div>| XAUTH: checking user(testuser:roadwarrior) pass (null) vs $apr1$mjH4.GBd$<i>*********************</i>/</div><div>XAUTH: nope</div><div>XAUTH: User testuser: Authentication Failed: Incorrect Username or Password</div>
</div><div><br></div><div>I also added the part in PAM pluto config that was suggested but this did not help, I will try on a fourth server with a clean setup (again), any recommendations on OS or anything? I really need to get past this issue :(</div>
<div><br></div><div>thanks everyone,</div><div>Pontus</div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><table align="left" border="0" cellpadding="0" cellspacing="0" width="100%" style="border-collapse:collapse;color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium">
<tbody><tr><td valign="top" style="padding:9px 0px 7px;color:rgb(65,64,65);font-family:Arial;font-size:11px;line-height:14px"><p style="margin:1em 0px;padding:0px;font-size:12px;line-height:16px"><strong>Pontus Wiberg</strong><br>
Operations Lead<br></p>Mobile: +46 70 459 9808<br><a href="http://universumglobal.com/" alt="Universum" style="word-wrap:break-word;color:rgb(14,151,193);text-decoration:none" target="_blank">universumglobal.com</a> <br>
<hr color="#f1612a" align="left" height="1" style="height:1px;max-height:1px;border:none;margin-top:12px;float:left;clear:both;width:366px">
</td></tr><tr><td><img align="left" alt="Universum" title="Universum" src="http://emailsignatures.universumglobal.com/gem-signature-20140108.png" border="0" width="180" height="29" style="border:0px;outline:none;max-width:184px;width:184px;height:30px;max-height:30px;vertical-align:bottom;padding-bottom:0px;padding-left:0px;display:inline!important"></td>
</tr><tr><td> </td></tr></tbody></table></div></div>
<br><br><div class="gmail_quote">On 21 August 2014 00:05, Matt Rogers <span dir="ltr"><<a href="mailto:mrogers@redhat.com" target="_blank">mrogers@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 07/21, Remy van Elst wrote:<br>
> Hello Paul,<br>
<div class="">><br>
> 3.9 does not seem to fix the problem, I still get login errors with<br>
> either PAM or a passwd file, same steps as earlier but with the new<br>
> packages:<br>
><br>
</div>> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal)<br>
> sender port 61015: I am...behind NAT<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: new NAT mapping for #2, was <a href="http://83.162.250.46:1024" target="_blank">83.162.250.46:1024</a>, now<br>
> <a href="http://83.162.250.46:61015" target="_blank">83.162.250.46:61015</a><br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established<br>
> {auth=PRESHARED_KEY cipher=aes_256 prf=...=MODP1024}<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT,<br>
> msgid=00000000, length=28<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: received and ignored informational message for unknown<br>
> state<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: User vpn:<br>
> Attempting to login<br>
> Jul 21 16:04:45 localhost.localdomain pluto[3836]: XAUTH: pam<br>
> authentication being called to authenticate user vpn<br>
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH:<br>
> pam_authenticate failed with 'Authentication failure'<br>
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: XAUTH: User vpn:<br>
> Authentication Failed: Incorrect Username or Password<br>
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2<br>
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: "xauth-rsa"[4]<br>
> <a href="http://83.162.250.46" target="_blank">83.162.250.46</a>: deleting connection "xauth-rsa" instance with peer<br>
> 83.162.250.46 {isakmp=#0/ipsec=#0}<br>
> Jul 21 16:04:47 localhost.localdomain pluto[3836]: packet from<br>
> <a href="http://83.162.250.46:61015" target="_blank">83.162.250.46:61015</a>: received and ignored empty informational<br>
> notification payload<br>
><br>
<br>
I've tried to reproduce this with your configuration on RHEL7 and Win7 with<br>
the Shrew client 2.2.2, and the pam method worked. For the client authentication<br>
settings I used Mutual PSK + XAuth, with a Remote Identity of Any and a Local<br>
Identity with the IP Address, with the PSK added to the Credentials tab.<br>
<br>
It would help to see the debug logs around the failure, with the pam feedback.<br>
For example, an incorrect password provided:<br>
<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ****parse ISAKMP ModeCfg attribute:<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | ModeCfg attr type: 16522??<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | length/value: 1<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | complete state transition with<br>
STF_IGNORE<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | #9 complete_v1_state_transition:2165<br>
st->st_calculating == FALSE;<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | * processed 0 messages from<br>
cryptographic helpers<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for<br>
#9<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | next event EVENT_DPD in 9 seconds for<br>
#9<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Attempting to login<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: XAUTH: pam authentication being called to<br>
authenticate user vpnuser<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_start SUCCESS<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: | pam_set_item SUCCESS<br>
Aug 20 13:38:02 rhel7-b1 unix_chkpwd[27403]: password check failed for user<br>
(vpnuser)<br>
Aug 20 13:38:02 rhel7-b1 pluto[27347]: pam_unix(pluto:auth): authentication<br>
failure; logname= uid=0 euid=0 tty= ruser= rhost=10.13.211.181 user=vpnuser<br>
Aug 20 13:38:04 rhel7-b1 pluto[27347]: | pam_authenticate failed with<br>
'Authentication failure<br>
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: pam_authenticate failed with<br>
'Authentication failure'<br>
Aug 20 13:38:04 rhel7-b1 pluto[27347]: XAUTH: User vpnuser: Authentication<br>
Failed: Incorrect Username or Password<br>
<br>
The ModeCfg attribute displayed is the password length, so you can at least<br>
verify the password length in case the client is leaving something out.<br>
<br>
Regards,<br>
Matt<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Swan mailing list<br>
<a href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a><br>
<a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a><br>
</div></div></blockquote></div><br></div>