[Openswan dev] XAUTH Code for "Domain"

Michael H. Warfield mhw at WittsEnd.com
Tue Jun 28 12:20:38 EDT 2011

On Tue, 2011-06-28 at 11:48 -0400, Paul Wouters wrote: 
> On Tue, 28 Jun 2011, Michael H. Warfield wrote:
> > IAC...  Looking in programs/pluto/xauth.c down around line 1241 is a
> > case statement checking the XAUTH attribute types.  That's only handling
> > TYPE, USER_NAME, and PASSWORD - no DOMAIN.  That appears to be handling
> > attribute responses, though (XAUTH Server?).
> > "nm-conn1" #1: XAUTH: Unsupported attribute: XAUTH-DOMAIN
> > So, it looks like that support is just not there.  In addition to the
> > XAUTH code itself, this would also require some parameter support in the
> > config files for a "domain" parameter.
> >
> > Thoughts?  Is this anything already on anyone's todo list?

> Not that I know. Patches accepted :)

I know da drill...  :-P  Just didn't want to dig too deep and start
tripping over other people and stepping on toes.

I've already got my nose stuffed into xauth.c and the configuration
routines.  Looks like there may be a couple of things that need to be
handled in there based on my reading of some old ietf drafts.

I can add a {left|right}xauthdomain parameter and make that mirror the
xauthusername handling all the way into xauth.c.  Been chatting with
Avesh about it separately since this will also have to coord with
NetworkManager-openswan to handle the Domain parameter.

There are also an XAUTH_PASSCODE and an XAUTH_NEXTPIN in the spec I have,
intended for tokens, which has me a little concerned since one of the
connections I'm looking at involves an RSA SecureID token (I guess that
would parallel the password code).  Everywhere in vpnc where I see
PASSWORD, I'm seeing identical PASSCODE handling (generally just another
option on the case statements).  If it's there in vpnc then there's
likely some Cisco out there somewhere doing it.  :-/=/

Then there's some sort of XAUTH_CHALLENGE which should probably be
handled similarly to XAUTH_MESSAGE, and XAUTH_MESSAGE isn't really being
handled right to begin with, since that's also for messages like "Enter
User Name and Password" kinds of stuff as well and we're logging it as a
"Bad" message.  Is there a way to display a message like that through
whack without prompting for input?  I guess there must be.  I'll track
that down too.  Looks like fun.  As long as I'm in there already.

For now, I'm ONLY going to look at the client side, even though Openswan
can be an XAUTH server.  If we've gotten this far down the road without
them in the client side, I doubt we'll need them in the server side
anytime soon.

> Paul

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
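As an added illustration (not Openswan's code or Michael's patch), here is a small C walk over the ISAKMP attribute list an XAUTH client receives, dispatching the attributes the thread names: DOMAIN mirrors USER_NAME, PASSCODE is treated like PASSWORD, and MESSAGE/CHALLENGE text is kept for display instead of being logged as "bad". The attribute numbers are the XAUTH draft's, the encoding is RFC 2408's basic/TLV form, and the sample request bytes are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* XAUTH attribute numbers from the ISAKMP XAUTH draft (16520..16528). */
enum { XAUTH_TYPE = 16520, XAUTH_USER_NAME, XAUTH_USER_PASSWORD, XAUTH_PASSCODE,
       XAUTH_MESSAGE, XAUTH_CHALLENGE, XAUTH_DOMAIN, XAUTH_STATUS, XAUTH_NEXT_PIN };

struct xauth_req {            /* what the client must prompt for or show */
    int want_user, want_domain, want_secret, want_next_pin, unsupported;
    char message[64];         /* MESSAGE or CHALLENGE text to display */
};

/* Walk RFC 2408 attributes: 2-byte type, AF bit (0x8000) set = 2-byte value
 * in place, clear = 2-byte length then value.  Returns 0, or -1 if malformed. */
int xauth_parse(const uint8_t *p, size_t len, struct xauth_req *req)
{
    memset(req, 0, sizeof *req);
    while (len >= 4) {
        int basic = p[0] & 0x80;
        uint16_t type = ((p[0] << 8) | p[1]) & 0x7fff;
        size_t vlen = basic ? 0 : (size_t)((p[2] << 8) | p[3]);
        if (vlen > len - 4) return -1;              /* length overruns buffer */
        switch (type) {
        case XAUTH_TYPE: break;                     /* generic: nothing to keep */
        case XAUTH_USER_NAME: req->want_user = 1; break;
        case XAUTH_DOMAIN: req->want_domain = 1; break;   /* mirrors USER_NAME */
        case XAUTH_USER_PASSWORD:
        case XAUTH_PASSCODE: req->want_secret = 1; break; /* PASSCODE like PASSWORD */
        case XAUTH_NEXT_PIN: req->want_next_pin = 1; break;
        case XAUTH_MESSAGE:
        case XAUTH_CHALLENGE: {                     /* keep the text for display */
            size_t n = vlen < sizeof req->message ? vlen : sizeof req->message - 1;
            memcpy(req->message, p + 4, n); req->message[n] = '\0';
            break;
        }
        default: req->unsupported++; break;         /* unknown: count, don't abort */
        }
        p += 4 + vlen; len -= 4 + vlen;
    }
    return len == 0 ? 0 : -1;
}

/* Constructed sample: TYPE (basic), USER_NAME, USER_PASSWORD, DOMAIN, MESSAGE "Hello", unknown 16530. */
static const uint8_t sample[] = { 0xC0,0x88,0x00,0x00, 0x40,0x89,0x00,0x00, 0x40,0x8A,0x00,0x00,
    0x40,0x8E,0x00,0x00, 0x40,0x8C,0x00,0x05,'H','e','l','l','o', 0x40,0x92,0x00,0x00 };
struct xauth_req demo_req;
int demo_request(void) { return xauth_parse(sample, sizeof sample, &demo_req); }
```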