I'm having an issue with Libreswan 3.8 (netkey) on 3.15.4-x86_64 / CentOS 7.
The user authentication fails. I'm using a Windows 7 machine with the
Shrew client. Both with PAM and with the passwd file. I'm sure the
password is correct, tried multiple different ones, even testtest.
/etc/ipsec.conf:
config setup
    dumpdir=/var/run/pluto/
    plutodebug=all
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    protostack=netkey
    keep_alive=60

conn xauth-psk
    authby=secret
    auto=add
    aggrmode=yes
    left=external_ip
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=10.200.200.20-10.200.200.250
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
    modecfgdns1=8.8.4.4
    modecfgdns2=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=pam
    ike_frag=yes
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    phase2alg=aes256-sha1,aes128-sha1,3des-sha1
/etc/pam.d/pluto:
#%PAM-1.0
# Regular System auth
auth include system-auth
#
# Google Authenticator with Regular System auth in combined prompt mode
# (OTP is added to the password at the password prompt without separator)
# auth required pam_google_authenticator.so forward_pass
# auth include system-auth use_first_pass
#
# Common
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
/etc/passwd:
vpn:x:1000:1000::/home/vpn:/bin/bash
It fails with the following output in journalctl:
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: new NAT mapping for #1, was 83.162.250.46:1024, now 83.162.250.46:61015
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: STATE_AGGR_R2: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha...up=modp1024}
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: Dead Peer Detection (RFC 3706): enabled
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: XAUTH: Sending XAUTH Login/Password Request
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jul 20 18:05:39 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: received and ignored informational message for unknown state
Jul 20 18:05:39 b pluto[16472]: XAUTH: User vpn: Attempting to login
Jul 20 18:05:39 b pluto[16472]: XAUTH: pam authentication being called to authenticate user vpn
Jul 20 18:05:41 b pluto[16472]: XAUTH: PAM auth chain failed with '7'
Jul 20 18:05:41 b pluto[16472]: XAUTH: User vpn: Authentication Failed: Incorrect Username or Password
Jul 20 18:05:41 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46 #1: received Delete SA payload: deleting ISAKMP State #1
Jul 20 18:05:41 b pluto[16472]: "xauth-rsa"[2] 83.162.250.46: deleting connection "xauth-rsa" instance with peer 83.162.250.46 {isakmp=#0/ipsec=#0}
Jul 20 18:05:41 b pluto[16472]: packet from 83.162.250.46:61015: received and ignored empty informational notification payload
With authby=file and the following in /etc/ipsec.d/passwd:
vpn:$apr1$cpOYdKhQ$bcxM5CTXK427IxiEZzZ5Y/:xauth-rsa
(Created by htpasswd -c -m -b /etc/ipsec.d/passwd vpn testtest)
It fails with the following:
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[3] 83.162.250.46 #2: switched from "xauth-rsa" to "xauth-rsa"
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: deleting connection "xauth-rsa" instance with peer 83.162.250.46 {isakmp=#0/ipsec=#0}
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: responding to Aggressive Mode, state #2, connection "xauth-rsa" from 83.162.250.46
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: STATE_AGGR_R1: sent AR1, expecting AI2
Jul 20 18:18:33 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: new NAT mapping for #2, was 83.162.250.46:1024, now 83.162.250.46:61354
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: STATE_AGGR_R2: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha...up=modp1024}
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: Dead Peer Detection (RFC 3706): enabled
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending XAUTH Login/Password Request
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: received and ignored informational message for unknown state
Jul 20 18:18:34 b pluto[16938]: XAUTH: User vpn: Attempting to login
Jul 20 18:18:34 b pluto[16938]: XAUTH: passwd file authentication being called to authenticate user vpn
Jul 20 18:18:34 b pluto[16938]: XAUTH: password file (/etc/ipsec.d/passwd) open.
Jul 20 18:18:34 b pluto[16938]: XAUTH: nope
Jul 20 18:18:34 b pluto[16938]: XAUTH: User vpn: Authentication Failed: Incorrect Username or Password
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46 #2: received Delete SA payload: deleting ISAKMP State #2
Jul 20 18:18:34 b pluto[16938]: "xauth-rsa"[4] 83.162.250.46: deleting connection "xauth-rsa" instance with peer 83.162.250.46 {isakmp=#0/ipsec=#0}
Jul 20 18:18:34 b pluto[16938]: packet from 83.162.250.46:61354: received and ignored empty informational notification payload
Output of ipsec verify:
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.8 (netkey) on 3.15.4-x86_64-linode45
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
All of this is with SELinux set to permissive or enabled.
Any tips or help would be appreciated.
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
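A check worth running on the passwd-file path before blaming the client, as an added example that is not part of this post and not Libreswan's own code: it re-implements the $apr1$ MD5 scheme that htpasswd -m writes (from the published algorithm) and verifies a /etc/ipsec.d/passwd record in the user:hash:connection-name layout shown above, so a stored hash, a candidate password and the connection name pluto logs can be checked offline. The sample record is constructed here rather than copied from the post, and the function names are hypothetical.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_crypt(password: str, salt: str) -> str:
    """Apache MD5 crypt ($apr1$), the scheme that 'htpasswd -m' writes."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for k in range(0, len(pw), 16):   # feed len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, len(pw) - k)])
    i = len(pw)
    while i:                          # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):             # fixed 1000-round stretching loop
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    def b64(v: int, n: int) -> str:   # crypt-style base64, low 6 bits first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(b64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in triples)
    return "$apr1$" + sl.decode() + "$" + out + b64(final[11], 2)


def parse_passwd_line(line: str):
    """One /etc/ipsec.d/passwd record: user:hash:connection-name."""
    fields = line.strip().split(":")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return {"user": fields[0], "hash": fields[1], "conn": fields[2]}


def verify_entry(entry, user: str, password: str, conn: str) -> bool:
    """User and connection name must match before the hash is recomputed."""
    if entry is None or entry["user"] != user or entry["conn"] != conn:
        return False
    parts = entry["hash"].split("$")  # ['', 'apr1', salt, digest]
    if len(parts) != 4 or parts[1] != "apr1":
        return False                  # not an $apr1$ hash; nothing to compare
    return hmac.compare_digest(apr1_crypt(password, parts[2]), entry["hash"])


# Constructed sample in the post's layout; the hash is generated here, not copied.
SAMPLE_LINE = "vpn:" + apr1_crypt("testtest", "cpOYdKhQ") + ":xauth-rsa"
```

To check a real file, feed each line to parse_passwd_line and verify_entry with the password typed into the client and the connection name that appears in pluto's log lines; a False on a line whose user field matches points at the hash or the third field rather than at the client.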
