xauth-pam Plugin

Purpose

The xauth-pam plugin for libcharon is an IKEv1 XAuth server backend. It requests username/password XAuth credentials and verifies them against Pluggable Authentication Modules (PAM). It may be used for IKEv2 connections via the eap-gtc plugin.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-xauth-pam

Configuration

The xauth-pam plugin is configured using the following options in the charon.plugins.xauth-pam section of strongswan.conf:

Key          Default  Description
pam_service  login    PAM service to use for authentication.
session      no       Open/close a PAM session for each active IKE_SA.
trim_email   yes      If an email address is received as an XAuth username, trim it to just the username part.

By default the plugin uses the PAM service login, which should be available on most systems. But you may create your own service, e.g. in /etc/pam.d/ipsec:

#%PAM-1.0
# Load environment variables from /etc/environment and pam_env.conf
auth        required      /lib/security/pam_env.so
# Verify the password against the local account database; "sufficient" means
# success here ends the stack. nullok accepts accounts with an empty password,
# so remove it unless that is intended for VPN logins.
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
# Reached only if pam_unix did not succeed: reject the request
auth        required      /lib/security/pam_deny.so

To use that service, set the pam_service option above to ipsec.
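The corresponding strongswan.conf section, as an added example rather than a snippet from the strongSwan documentation; it selects the custom ipsec service shown above and also enables PAM sessions so that session modules (e.g. limits or logging) run for each IKE_SA:

```conf
# strongswan.conf (added example; option names are those documented above)
charon {
  plugins {
    xauth-pam {
      # Use /etc/pam.d/ipsec instead of the default "login" service
      pam_service = ipsec
      # Open a PAM session while the IKE_SA is up, close it on deletion
      session = yes
      # Keep default: "user@example.org" is trimmed to "user" before PAM sees it
      trim_email = yes
    }
  }
}
```

Reload the daemon's configuration after editing (swanctl --reload-settings) so the new values take effect.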

Connections

To authenticate clients with this backend, set:

connections {
  <conn>: {
    remote-rsa {
      auth = pubkey
    }
    remote-xauth {
      auth = xauth-pam
    }
    version = 1
    # ...
  }
}

for traditional XAuth plus RSA. For Hybrid authentication (the server authenticates with its certificate, while the client is authenticated by XAuth credentials only), use

connections {
  <conn>: {
    remote {
      auth = xauth-pam
    }
    version = 1
    # ...
  }
}