[strongSwan] charon plugin xauth-pam

Cindy Moore ctmoore at cs.ucsd.edu
Wed Sep 17 00:14:09 CEST 2014

According to /etc/strongswan.conf, which includes all the *conf files
in /etc/strongswan.d/charon/
I *should* be loading up the contents of
/etc/strongswan.d/charon/xauth-pam.conf which are
root at vpn:/etc/strongswan.d/charon# more xauth-pam.conf
xauth-pam {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # PAM service to be used for authentication.
    pam_service = login

    # Open/close a PAM session for each active IKE_SA.
    session = no

    # If an email address is received as an XAuth username, trim it to just the
    # username part.
    trim_email = yes


However, ipsec statusall gives me
  loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
socket-default stroke updown eap-identity eap-mschapv2 eap-radius
xauth-generic addrblock

No xauth-pam :-/

Which unless I'm mistaken (possible!) is why I get
Sep 16 14:44:46 c09-44 charon: 08[IKE]   activating XAUTH task
Sep 16 14:44:46 c09-44 charon: 08[CFG] no XAuth method found for 'pam'

in a hybrid rsa configuration when i try to use rightauth=xauth-pam as
described here

How do I get strongswan to load this module in?  This page

kind of suggests I'd have to recompile strongswan.  I'm really hoping
I don't have to!

More information about the Users mailing list