On 8/26/2014 9:06 AM, Paul Wouters wrote:

> On Tue, 19 Aug 2014, Pontus Wiberg wrote:
>
>> Yes, I use xauthby=file and the /etc/ipsec.d/passwd file is:
>> pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior
>
> So $apr1$ is not standard crypt(), it is apache specific:
>
> https://httpd.apache.org/docs/current/misc/password_encryptions.html
>
> "$apr1$" + the result of an Apache-specific algorithm using an
> iterated (1,000 times) MD5 digest of various combinations of a
> random 32-bit salt and the password. See the APR source file
> apr_md5.c for the details of the algorithm.
>
> https://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup
>
> and htpasswd claims it has been the default since apache 2.2.18
>
> Perhaps someone wants to write a small python script or C binary
> for managing a /etc/ipsec.d/passwd file that only uses crypt() with
> one of the more secure options specified via the $id$ salts?
>
> Alternatively, we can recognise the salt $apr1$ as special, and use
> a copy of the apr_md5.c code to verify the password. Although since
> it is based on md5, it would not be functional in FIPS mode.
Would/Should this have any impact on using pam with XAUTH? I'd prefer to do that myself, if possible, and I'm experiencing the same issues on CentOS 6 that Remy and Pontus are on CentOS/RHEL 7.

--
Nels Lindquist <[email protected]>

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
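The small script Paul asks for, as an added example that is not libreswan code and not from anyone in the thread: it parses the user:hash:connection lines of /etc/ipsec.d/passwd, flags $apr1$ entries (which plain crypt() cannot verify) and MD5-based crypt entries (which fail under FIPS), and creates or verifies entries with crypt() sha512-crypt ($6$). It assumes Python's stdlib crypt module (present up to 3.12, removed in 3.13, in which case it says so) on a glibc-style crypt(3) that supports $6$.

```python
import hmac
try:
    import crypt  # stdlib on Python <= 3.12, removed in 3.13
    HAVE_SHA512 = crypt.METHOD_SHA512 in crypt.methods
except ImportError:
    HAVE_SHA512 = False
# $id$ prefix -> (scheme, produced by crypt(3)?, usable under FIPS?)
SCHEMES = {
    "$apr1$": ("apache-md5", False, False),  # htpasswd default, not crypt()
    "$1$": ("md5-crypt", True, False),
    "$5$": ("sha256-crypt", True, True),
    "$6$": ("sha512-crypt", True, True),
}
# Constructed sample: line 1 is the entry quoted in the thread, line 2 a placeholder $6$ hash.
SAMPLE_PASSWD = ("pontus:$apr1$G/Yn3NSQ$xBq7LyNNYCBc0COKWM6Dj0:roadwarrior\n"
                 "bob:$6$constructedsalt$notarealsha512crypthash:roadwarrior\n")

def classify(hashed):
    """Return (scheme, is_crypt, fips_ok) from the hash's $id$ prefix."""
    return next((i for p, i in SCHEMES.items() if hashed.startswith(p)), ("unknown", False, False))

def audit(text):
    """Parse 'user:hash:connection' lines; map each user to a problem string or None."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.strip().split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:hash:connection")
        scheme, is_crypt, fips_ok = classify(parts[1])
        problem = "not crypt(3) output" if not is_crypt else "MD5 based, fails in FIPS mode"
        report[parts[0]] = None if is_crypt and fips_ok else f"{scheme}: {problem}"
    return report

def _crypt(password, salt=None):
    if not HAVE_SHA512:
        raise RuntimeError("sha512-crypt unavailable here; use 'openssl passwd -6' instead")
    # With no salt given, mksalt() draws a fresh random $6$ salt for a new entry.
    return crypt.crypt(password, salt or crypt.mksalt(crypt.METHOD_SHA512))

def make_entry(user, password, conn):
    return f"{user}:{_crypt(password)}:{conn}"  # a hash plain crypt() verifies, FIPS or not

def verify(stored, password):
    """Constant-time password check; $apr1$ entries are rejected rather than mis-verified."""
    if not classify(stored)[1]:
        return False
    return hmac.compare_digest(_crypt(password, stored), stored)
```

Running audit() over the real file before switching a host to FIPS mode shows which users need their entry regenerated with make_entry().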
