XAuth PAM Plugin
The xauth-pam plugin is an IKEv1 XAuth server backend. It requests username/password XAuth credentials and verifies them against Pluggable Authentication Modules (PAM). It may also be used for IKEv2 connections via the eap-gtc plugin.
The plugin is disabled by default and can be enabled by adding --enable-xauth-pam to the ./configure options.
The plugin was introduced in 5.0.1 and is for charon only.
The plugin is configured using the following strongswan.conf options:

| Key | Default | Description |
|-----|---------|-------------|
| charon.plugins.xauth-pam.pam_service | login | PAM service to use for authentication. |
| charon.plugins.xauth-pam.session | no | Open/close a PAM session for each active IKE_SA. |
| charon.plugins.xauth-pam.trim_email | yes | If an email address is received as an XAuth username, trim it to just the username part. |
By default, the plugin uses the PAM service login, which should be available on most systems. But you may create your own service, e.g. in /etc/pam.d/ipsec:

```
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
```
To use that service, set the pam_service option above to ipsec.
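As an added illustration (not part of the strongSwan documentation or plugin source), the following Python parses a copy of the ipsec service above and evaluates the PAM control flags for simulated module outcomes; it also mimics the trim_email option, where cutting at the first '@' is an assumption about the plugin's exact behaviour. It shows why the trailing pam_deny entry matters: without it, a failed pam_unix check falls through to success.

```python
# Constructed copy of the /etc/pam.d/ipsec service from the text above.
PAM_IPSEC = """\
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
"""

def xauth_username(name, trim_email=True):
    """Mimic the trim_email option: keep only the part before the first '@'.
    (Assumption about the plugin's exact behaviour, not its code.)"""
    return name.split("@", 1)[0] if trim_email else name

def parse_pam_service(text, facility="auth"):
    """Return (control, module, args) tuples for one facility, ignoring comments."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        module = fields[2].rsplit("/", 1)[-1]      # strip the module path
        stack.append((fields[1], module, fields[3:]))
    return stack

def evaluate_stack(stack, results):
    """Apply Linux-PAM control-flag semantics to simulated module outcomes.
    results maps module name -> True (PAM_SUCCESS) or False; a module that
    is absent from results counts as failure (pam_deny always fails)."""
    failed = False
    for control, module, _args in stack:
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False                 # abort the stack immediately
        if control == "required" and not ok:
            failed = True                # keep going, but the result is failure
        if control == "sufficient" and ok and not failed:
            return True                  # short-circuit: later modules are skipped
        # optional: does not influence the outcome
    return not failed

if __name__ == "__main__":
    stack = parse_pam_service(PAM_IPSEC)
    good = {"pam_env.so": True, "pam_unix.so": True}
    bad = {"pam_env.so": True, "pam_unix.so": False}
    print("valid password:", evaluate_stack(stack, good))               # True
    print("wrong password:", evaluate_stack(stack, bad))                # False
    # Dropping the pam_deny line lets a failed pam_unix fall through to success.
    print("no pam_deny, wrong password:", evaluate_stack(stack[:2], bad))  # True
    print(xauth_username("alice@example.org"))                          # alice
```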
To authenticate clients with this backend, set:
for traditional XAuth. For Hybrid authentication, use