XAuth PAM Plugin
Purpose
The xauth-pam plugin is an IKEv1 XAuth server backend. It requests username/password XAuth credentials and verifies them against Pluggable Authentication Modules (PAM). It may also be used for IKEv2 connections via the eap-gtc plugin.
The plugin is disabled by default and can be enabled by adding --enable-xauth-pam to the ./configure options.
The plugin was introduced in 5.0.1 and is for charon only.
Configuration
The plugin is configured using the following strongswan.conf option:
Key | Default | Description |
charon.plugins.xauth-pam.pam_service | login | PAM service to use for authentication. |
charon.plugins.xauth-pam.session | no | Open/close a PAM session for each active IKE_SA. |
charon.plugins.xauth-pam.trim_email | yes | If an email address is received as an XAuth username, trim it to just the username part. |
By default, the plugin uses the PAM service login, which should be available on most systems. But you may create your own service, e.g. in /etc/pam.d/ipsec:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
To use that service, set the pam_service option above to ipsec.
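Before pointing pam_service at a custom service such as the one above, it is worth checking what its auth stack actually contains, since that stack is what decides whether an XAuth password is accepted. The following shell helper is an added example, not part of the strongSwan page or code; it takes the PAM directory as a parameter so it can be run against a staging copy, and it does not follow include or substack lines.

```shell
#!/bin/sh
# Added example: audit the PAM service named by charon.plugins.xauth-pam.pam_service.
# check_pam_service <service> [pamdir]   (pamdir defaults to /etc/pam.d)
# Prints the service's "auth" lines to stdout and returns:
#   0  service file exists and has an auth stack with nothing flagged
#   1  service file missing or without any auth lines (XAuth could not verify passwords)
#   2  auth stack present but contains a setting worth a second look
check_pam_service() {
    svc="$1"
    pamdir="${2:-/etc/pam.d}"
    file="$pamdir/$svc"
    if [ ! -f "$file" ]; then
        echo "no PAM service file $file" >&2
        return 1
    fi
    # pam.d lines are "type control module [args]"; drop comments (this also
    # drops the "#%PAM-1.0" header) and keep only the auth stack.
    auth_lines=$(grep -v '^[[:space:]]*#' "$file" | awk '$1 == "auth"')
    if [ -z "$auth_lines" ]; then
        echo "$file has no auth lines" >&2
        return 1
    fi
    printf '%s\n' "$auth_lines"
    rc=0
    # nullok tells pam_unix to accept accounts whose password field is empty.
    if printf '%s\n' "$auth_lines" | grep -q 'nullok'; then
        echo "warning: $svc: nullok in auth stack, empty passwords would pass" >&2
        rc=2
    fi
    # pam_permit always succeeds; in an auth stack it bypasses password checking.
    if printf '%s\n' "$auth_lines" | grep -q 'pam_permit\.so'; then
        echo "warning: $svc: pam_permit.so in auth stack" >&2
        rc=2
    fi
    # Included stacks are not inspected here; point the check at them separately.
    if printf '%s\n' "$auth_lines" | awk '$2 == "include" || $2 == "substack"' | grep -q .; then
        echo "note: $svc: auth stack pulls in another service (include/substack), check it too" >&2
    fi
    return $rc
}
```

Run as `check_pam_service ipsec` on the VPN gateway; a return code of 2 against the ipsec service shown above is expected, because of nullok.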
Connections
To authenticate clients with this backend, set:
rightauth=pubkey
rightauth2=xauth-pam
for traditional XAuth. For Hybrid authentication, use
rightauth=xauth-pam