Strongswan now supports PAM authentication
November 07, 2012 at 07:40 AM | categories: Centos, Sysadmin, RHEL, Linux, Tips, Security, IPSEC

Strongswan release 5.0.1 includes an XAuth PAM plugin which requests username/password XAuth credentials and verifies them against Pluggable Authentication Modules (PAM).

This plugin is not enabled by default; to enable it you need to add the following to your ./configure options:
--enable-xauth-pam
You do require the PAM development headers and libraries on your build machine for the plugin to compile.
System Configuration
The plugin is configured in the strongswan.conf file, where you can change the PAM service used for authentication. By default the login PAM service is used.
I will create a new service called ipsec for demonstration.
    charon {
        plugins {
            xauth-pam {
                pam_service = ipsec
            }
        }
    }
The pam service configuration file is as follows.
    #%PAM-1.0
    # /etc/pam.d/ipsec
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
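To see how PAM walks the auth stack of that ipsec service file, here is an added Python simulation; it is not part of the original post and not strongSwan or Linux-PAM code. It parses the file text, applies the documented meaning of the required/requisite/sufficient/optional control flags, and replaces the real modules with constructed stand-ins (the accounts, uids and passwords are made up). It makes two properties of this particular ordering visible: the `uid >= 500` line only gates the modules listed after it, so an account below uid 500 that satisfies the `sufficient pam_unix.so` line is accepted before the uid check is reached, and `nullok` lets an account whose shadow entry has an empty password in without a password check. Both are worth confirming against your own intent before exposing the service to XAuth clients.

```python
import operator
from dataclasses import dataclass

# Auth/account/session lines of the /etc/pam.d/ipsec file shown above (copied from the post).
PAM_IPSEC = """\
#%PAM-1.0
# /etc/pam.d/ipsec
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""


@dataclass
class User:
    """Constructed account record; 'password' stands in for the shadow entry."""
    name: str
    uid: int
    password: str


OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
       "<": operator.lt, "=": operator.eq, "!=": operator.ne}


def parse_stack(text, stack="auth"):
    """Return [(control, module, args)] for the lines of one management group."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != stack or len(parts) < 3:
            continue
        end = 1  # bracketed controls like [success=1 default=ignore] span several tokens
        if parts[1].startswith("["):
            while not parts[end].endswith("]"):
                end += 1
        control = " ".join(parts[1:end + 1])
        rules.append((control, parts[end + 1], parts[end + 2:]))
    return rules


def run_module(module, args, user, supplied):
    """Stand-in outcomes for the modules in the auth stack (simulation, not real PAM)."""
    if module in ("pam_env.so", "pam_permit.so", "pam_localuser.so"):
        return True
    if module == "pam_deny.so":
        return False
    if module == "pam_unix.so":
        if "nullok" in args and user.password == "":
            return True  # nullok: a blank shadow entry is accepted without a password check
        return user.password != "" and supplied == user.password
    if module == "pam_succeed_if.so":
        field, op, value = args[0], args[1], args[2]
        if field != "uid":
            raise NotImplementedError(f"unsupported field {field}")
        return OPS[op](user.uid, int(value))
    raise NotImplementedError(f"unsupported module {module}")


def authenticate(pam_text, user, supplied):
    """Walk the auth stack with Linux-PAM keyword control-flag semantics."""
    required_failed = False
    for control, module, args in parse_stack(pam_text, "auth"):
        ok = run_module(module, args, user, supplied)
        if control == "required":
            required_failed = required_failed or not ok  # keep going, fail at the end
        elif control == "requisite":
            if not ok:
                return False  # stop immediately with failure
        elif control == "sufficient":
            if ok and not required_failed:
                return True  # stop immediately; later lines are never evaluated
        elif control == "optional":
            pass
        else:
            raise NotImplementedError(f"unsupported control {control}")
    return not required_failed


# Constructed accounts for the simulation.
VPNUSER = User("vpnuser", 500, "s3cret")
ROOT = User("root", 0, "rootpw")
NOPASS = User("guest", 501, "")

if __name__ == "__main__":
    for user, pw in [(VPNUSER, "s3cret"), (VPNUSER, "wrong"),
                     (ROOT, "rootpw"), (ROOT, "wrong"), (NOPASS, "")]:
        verdict = "accepted" if authenticate(PAM_IPSEC, user, pw) else "denied"
        print(f"{user.name:8} uid={user.uid:<4} password={pw!r:10} -> {verdict}")
```

If the intent is that only accounts with uid 500 and above may authenticate to the VPN, the `requisite pam_succeed_if.so uid >= 500` line has to come before the `sufficient pam_unix.so` line; in the order shown it only stops low-uid accounts from reaching modules placed after it, and you can confirm the difference by reordering the two lines in `PAM_IPSEC` and rerunning the script.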
Now, to use PAM authentication in your connections, set the following. For XAuth:
rightauth2=xauth-pam
Hybrid Authentication:
rightauth=xauth-pam
You are good to go and should be able to use any PAM module to authenticate your users to your VPN. The options are endless: SQL, LDAP, RADIUS, local accounts, etc.