[strongSwan] Authentications clients using PAM

Martin Willi martin at strongswan.org
Tue Jul 17 12:52:54 CEST 2012


> Is there any way that I can authenticate clients using the PAM on the
> same server? I'm currently using IPSEC with PSK via Xl2tpd.

When using L2TP/IPsec, strongSwan is not involved in verifying user
credentials; it only verifies the PSK. Maybe it is possible in Xl2tpd, I
don't know.

While it is a bad idea from a security perspective to use (potentially
weak) passwords as PSK, PAM authentication can't work for IPsec PSKs.
IKE needs access to the plain shared secret, but that's not possible, as
PAM backends often store hashed variants of the secret only.

When using IKEv2, we have an eap-gtc plugin that verifies credentials
against PAM. But this requires that your client speaks EAP-GTC, which is
probably not the case. For IKEv1, verifying XAuth credentials against
PAM would be possible, and we've some plans to implement such a backend.
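
The reason given above for why PAM cannot back an IPsec PSK, as an added example that is not part of the original post and not strongSwan code: IKEv1 PSK mode keys a prf with the secret itself (RFC 2409, SKEYID = prf(pre-shared-key, Ni_b | Nr_b)), while an EAP-GTC or XAuth style check only needs to re-hash a password the client presents. HMAC-SHA1 as the prf, PBKDF2 as the stored hash format, and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac


def ikev1_skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 PSK mode: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    HMAC-SHA1 stands in for the negotiated prf (assumption)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def store_password(password: bytes, salt: bytes) -> bytes:
    """What a PAM-style backend keeps: a salted one-way hash, not the password.
    PBKDF2 is an assumption standing in for the backend's real scheme."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_presented_password(presented: bytes, salt: bytes, stored: bytes) -> bool:
    """EAP-GTC / XAuth style check: the client sends the password itself
    over the IKE-protected channel, so the server can re-hash and compare."""
    return hmac.compare_digest(store_password(presented, salt), stored)


def demo() -> dict:
    # Constructed sample values, not taken from any real exchange.
    password = b"correct horse battery staple"
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ni = bytes.fromhex("a1" * 16)  # initiator nonce
    nr = bytes.fromhex("b2" * 16)  # responder nonce

    stored = store_password(password, salt)  # all a hash-only backend has

    client_skeyid = ikev1_skeyid(password, ni, nr)
    # A server holding the plain secret derives the same SKEYID as the client.
    server_plain = ikev1_skeyid(password, ni, nr)
    # A server holding only the hash can key the prf with the hash, which
    # yields a different SKEYID, so the IKE exchange cannot authenticate.
    server_hashed = ikev1_skeyid(stored, ni, nr)

    return {
        "psk_with_plain_secret": hmac.compare_digest(client_skeyid, server_plain),
        "psk_with_hash_only": hmac.compare_digest(client_skeyid, server_hashed),
        "password_check_with_hash": verify_presented_password(password, salt, stored),
        "wrong_password_rejected": not verify_presented_password(b"guess", salt, stored),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```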

