At the expense of reducing the strength of your authentication (and potentially the confidentiality of your passwords) to that of an ad-hoc stream cipher based on MD5 -- unless you encapsulate RADIUS in something else, which adds some complexity but would work.
-----Original Message-----
From: Users <[email protected]> On Behalf Of Tony Hoyle
Sent: Wednesday, May 9, 2018 4:06 PM
To: [email protected]
Subject: Re: [strongSwan] Authentication against Linux Users

On 09/05/2018 16:17, Christian Salway wrote:
> Unfortunately IKEv2 is a requirement, and they have requested
> username/password authentication because they don't like the "struggles"
> of installing a CA cert and a client cert.
>
> Currently the authentication is done with MSCHAPv2 which requires SS
> to have a plain text copy of the password in order to create the
> Challenge hash, I understand that.... however, what if SS was able to
> retrieve the plain text password from another source other than a
> local config file, eg Amazon's SecretsManager for example? Is this
> something that is available or that you guys could write (at a price I'm sure)?
>

If you migrate all the password information into a radius server, that can handle both linux and strongswan login.

Tony
