[strongSwan] Authentication against Linux Users

Thor Simon Thor.Simon at twosigma.com
Wed May 9 22:31:43 CEST 2018


At the expense of reducing the strength of your authentication (and potentially the confidentiality of your passwords) to that of an ad-hoc stream cipher based on MD5 -- unless you encapsulate RADIUS in something else, which adds some complexity but would work.

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Tony Hoyle
Sent: Wednesday, May 9, 2018 4:06 PM
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Authentication against Linux Users

On 09/05/2018 16:17, Christian Salway wrote:
> Unfortunately IKEv2 is a requirement, and they have requested 
> username/password authentication because they don't like the "struggles"
> of installing a CA cert and a client cert.
> 
> Currently the authentication is done with MSCHAPv2 which requires SS 
> to have a plain text copy of the password in order to create the 
> Challenge hash, I understand that.... however, what if SS was able to 
> retrieve the plain text password from another source other than a 
> local config file, eg Amazon's SecretsManager for example?  Is this 
> something that is available or that you guys could write (at a price I'm sure)?
> 
If you migrate all the password information into a radius server, that can handle both linux and strongswan login.

Tony

