[strongSwan] Authentication against Linux Users

Christian Salway christian.salway at naimuri.com
Wed May 9 17:17:19 CEST 2018


Hi Tobias,

Unfortunately IKEv2 is a requirement, and they have requested username/password authentication because they don't like the "struggles" of installing a CA cert and a client cert.

Currently the authentication is done with MSCHAPv2, which requires SS to have a plain text copy of the password in order to create the Challenge hash; I understand that. However, what if SS was able to retrieve the plain text password from another source other than a local config file, e.g. Amazon's SecretsManager for example? Is this something that is available or that you guys could write (at a price I'm sure)?

Regards,

Christian Salway 
IT Consultant
Tel: 07463 331432
christian.salway at naimuri.com

 <http://www.naimuri.com/>

> On 9 May 2018, at 13:12, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Christian,
> 
>> Is there a way to authenticate against local Linux users?
> 
> Not with Windows or Apple clients, unless you use IKEv1 (see [1] and [2]).
> 
> Regards,
> Tobias
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/XAuthPAM
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/Eap-gtc
