XAuth PAM Plugin

Purpose

The xauth-pam plugin is an IKEv1 XAuth server backend. It requests username/password XAuth credentials and verifies them against Pluggable Authentication Modules (PAM). It may also be used for IKEv2 connections via the eap-gtc plugin.

The plugin is disabled by default and can be enabled by adding --enable-xauth-pam to the ./configure options.

The plugin was introduced in 5.0.1 and is for charon only.

Configuration

The plugin is configured using the following strongswan.conf option:

| Key | Default | Description |
| --- | --- | --- |
| charon.plugins.xauth-pam.pam_service | login | PAM service to use for authentication. |
| charon.plugins.xauth-pam.session | no | Open/close a PAM session for each active IKE_SA. |
| charon.plugins.xauth-pam.trim_email | yes | If an email address is received as an XAuth username, trim it to just the username part. |

By default, the plugin uses the PAM service login, which should be available on most systems, but you may create your own service, e.g. in /etc/pam.d/ipsec:

#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

To use that service, set the pam_service option above to ipsec.
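As an added example (not part of the strongSwan page or its code), the following script parses the xauth-pam block of a strongswan.conf fragment and the PAM service file above, flags the nullok argument on pam_unix.so (which lets accounts with an empty password authenticate), and shows the username PAM would see with trim_email enabled. Both input texts are constructed here, and the trim behaviour (cutting at the first '@') is an assumption based on the option's description.

```python
import re

# Constructed copy of the /etc/pam.d/ipsec service shown on the page.
PAM_IPSEC = """\
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
"""

# Constructed strongswan.conf fragment selecting that service.
STRONGSWAN_CONF = """\
charon {
    plugins {
        xauth-pam {
            pam_service = ipsec
            session = no
            trim_email = yes
        }
    }
}
"""

def parse_pam_service(text):
    """Return (type, control, module, args) tuples; comment/blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % line)
        rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def parse_xauth_pam_options(text):
    """Read key = value pairs from the xauth-pam block, falling back to the documented defaults."""
    opts = {"pam_service": "login", "session": "no", "trim_email": "yes"}
    block = re.search(r"xauth-pam\s*\{([^}]*)\}", text)
    if block:
        for m in re.finditer(r"(\w+)\s*=\s*(\S+)", block.group(1)):
            opts[m.group(1)] = m.group(2)
    return opts

def audit_pam_service(pam_text):
    """Flag auth rules that accept empty passwords (nullok on pam_unix.so)."""
    return ["%s accepts empty passwords (nullok)" % module
            for ptype, _ctrl, module, args in parse_pam_service(pam_text)
            if ptype == "auth" and "nullok" in args]

def effective_username(xauth_user, opts):
    """Assumed trim_email behaviour: keep only the part before the first '@'."""
    if opts["trim_email"] == "yes" and "@" in xauth_user:
        return xauth_user.split("@", 1)[0]
    return xauth_user
```

Run audit_pam_service against the service named by pam_service; dropping nullok from the pam_unix.so line clears the finding.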

Connections

To authenticate clients with this backend, set:

  rightauth=pubkey
  rightauth2=xauth-pam

for traditional XAuth. For Hybrid authentication, use
  rightauth=xauth-pam