On Jul 8, 2020, at 09:10, Balaji Thoguluva <[email protected]> wrote:
>
>
> Hi Folks,
>
> Currently for pre-shared (authby=secret), we have to specify the clear
> password in the ipsec.secrets file.
>
> Is there any way to specify an encrypted or obfuscated password in the ipsec.secrets
> file so that the clear password is not visible to a user and Libreswan is still
> able to establish a PSK-based tunnel?

No.

How would this work? If it is encrypted, then there is a private key, and you
need to protect that private key, so you need a password again if you want the
system to be able to automatically start on boot.

Obfuscation seems pointless. If you take Cisco as an example, where they do this,
well, some users wanted to write or read Cisco config files, and so this easy
tool that works instantly converts the psk from/to obfuscation:
https://github.com/libreswan/libreswan/tree/main/contrib/cisco-decrypt

For consistency, we could store it in the nss db with an identifier, along with
private keys and certificates. It is encrypted by default with a private key
without a password and can be password locked, but then the nss password file
contains the plaintext password or you have to supply the password on startup.
But I don’t think the nss db supports this type of entry and we would have to
wrap it in something else.

Ideally, you would move away from PSK and use raw key pairs or certificates for
authentication.

Paul
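An added example, not from the thread and not Libreswan's own code: since the PSK necessarily sits in cleartext in ipsec.secrets, the practical controls are knowing which peers still depend on a PSK (candidates for the raw-key or certificate migration Paul suggests) and keeping the file root-only. The script below parses single-line PSK/XAUTH entries from a constructed sample (multi-line RSA { ... } blocks are skipped) and checks owner and mode; the entry regex and the sample selectors are assumptions.

```python
import os
import re
import stat
import tempfile

# Single-line PSK/XAUTH entries, e.g.  192.0.2.1 %any : PSK "s3cret"   or   : PSK 0x0123abcd
ENTRY_RE = re.compile(r'^\s*(?P<sel>[^:]*):\s*(?P<kind>PSK|XAUTH)\s+("[^"]*"|0x[0-9a-fA-F]+)')

def parse_secrets(text):
    """Return [(selectors, kind)] for single-line entries; the secret value itself is never returned."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # comment; multi-line RSA { ... } bodies simply do not match and are skipped
        m = ENTRY_RE.match(line)
        if m:
            entries.append((tuple(m.group('sel').split()), m.group('kind')))
    return entries

def file_protection_issues(path):
    """Problems with owner/mode: the file should be root-owned with no group/other access."""
    st = os.stat(path)
    issues = []
    if st.st_uid != 0:
        issues.append('not owned by root (uid %d)' % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append('mode %o grants group/other access' % stat.S_IMODE(st.st_mode))
    return issues

SAMPLE = '''\
# constructed sample: addresses, names and secrets are placeholders, not real values
192.0.2.1 198.51.100.7 : PSK "correct horse battery staple"
@branch.example.net %any : PSK 0x0123456789abcdef
: RSA {
}
'''

def issues_for_sample(mode):
    """Write SAMPLE to a temp file with the given mode and return its protection issues."""
    with tempfile.NamedTemporaryFile('w', delete=False) as f:
        f.write(SAMPLE)
    os.chmod(f.name, mode)
    try:
        return file_protection_issues(f.name)
    finally:
        os.unlink(f.name)

if __name__ == '__main__':
    print(parse_secrets(SAMPLE), issues_for_sample(0o644))  # 0644 is deliberately too loose
```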
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev