[Openswan Users] OpenSWAN truncating NSS passwords
John A. Sullivan III
jsullivan at opensourcedevel.com
Fri Oct 23 12:01:58 EDT 2009
On Fri, 2009-10-23 at 10:36 -0400, Avesh Agarwal wrote:
> On 10/23/2009 10:25 AM, John A. Sullivan III wrote:
> > Hello, all. We had quite an adventure this morning learning the hard
> > way that RHEL/CentOS 5.4 have changed the openswan RPM to use NSS. We
> > are working again but may have stumbled across a bug (or a point of
> > ignorance on our part!).
> >
> > It appears that when OpenSWAN passes the password to unlock the nss
> > database, it truncates the last letter. Here is what we experienced.
> >
> > We first tried to implement FIPS as we do try to run a secure site.
> > Here is our procedure from our internal documentation:
> >
> > Do the following to convert the old installation to the new one.
> > Create the NSS database using the medium security password:
> > export NSS_DEFAULT_DB_TYPE="sql"
> > certutil -N -d /etc/ipsec.d
> > Create the nsspassword file:
> > NSS FIPS 140-2 Certificate DB:<password>
> > chmod 660 /etc/ipsec.d/nsspassword
> > Enable FIPS:
> > modutil -fips true -dbdir /etc/ipsec.d
> > We will need the original PKCS#12 packages rather than the
> > extracted keys and certs. If we need to recreate the PKCS#12
> > file from the key and cert, do the following:
> > openssl pkcs12 -export -in cert.pem -inkey key.pem
> > -certfile cacert.pem -out certkey.p12 -name <nickname -
> > if omitted it will be supplied automatically by pk12util
> > during the import procedure below>
> > Import the PKCS#12 file:
> > pk12util -i <file>.p12 -d /etc/ipsec.d
> > Import any other needed CA certs:
> > certutil -d . -A -i otherca.pem -t "TCu,Cu,Tuw" -n OtherCANickName
> > create file /etc/ipsec.d/nss.certs with the following:
> > @fqdn: RSA "<name of certificate in nss db>" ""
> > Edit /etc/ipsec.secrets to reflect the cert nick name rather
> > than the key:
> > : RSA "<name of certificate in nss db>"
> > Edit your connection and replace the leftcert/rightcert with the
> > certificate nickname of the certificate in nss db.
> >
> > It failed to unlock the NSS database. It showed the failed password
> > in /var/log/secure and it was missing the last letter. We thought it
> > might be a FIPS thing so we disabled FIPS and changed the nsspassword
> > file token name. We saw the same failed result - the password missing
> > the last letter.
> >
> > We thought we might be one letter too long as we do use long passwords
> > so we changed the password on the NSS store to be the one which was
> > being passed by OpenSWAN (i.e., without the last letter) and changed
> > nsspassword. The same results - it was now missing the new last letter.
> >
> > Finally we disabled password protection and it all worked. Is this a
> > bug or did we do something wrong? We'd like to enable FIPS and use
> > password protection on the NSS store. Thanks - John
> >
> It is surprising why it is happening. Anyway, as you say that it is
> truncating, one way of dealing with it, for example, say your password
> is "1234", maybe you can put "1234x" in the file. Just a workaround.
>
> I will look into it soon. But again, I have been using it and I did not
> experience it.
<snip>
Someone from IRC had asked if I had a newline at the end of the file. I
intentionally did not since the documentation said to make sure there
was no white space around the ":" or password. I'll try adding a new
line tonight and see if that solves the problem. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
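An added check script (mine, not from this thread or the Openswan project) that applies the constraints discussed above to an nsspassword file before running ipsec: one "token:password" entry per line, no whitespace next to the ":", a trailing newline (the IRC suggestion), and no world access. It assumes POSIX find, tail and grep, and it never prints the password itself.

```shell
#!/bin/sh
# check_nsspassword [file]: validate an Openswan nsspassword file.
# Returns 0 if every check passes, 1 otherwise. Only the name of the failed
# check is printed, never the file contents.
check_nsspassword() {
    f="${1:-/etc/ipsec.d/nsspassword}"   # default path from the thread
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    [ -s "$f" ] || { echo "$f: empty"; return 1; }

    # Secrets file: refuse if group "other" can read or write it (chmod 660 in the thread).
    if [ -n "$(find "$f" \( -perm -004 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "$f: world-accessible, expected mode 660 or tighter"
        return 1
    fi

    # If the last byte is not "\n", $(tail -c 1) is non-empty. A line reader
    # that expects a terminator can then drop the final password character,
    # which matches the symptom reported in the thread.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: no trailing newline (last password character may be lost)"
        return 1
    fi

    # Every line must be <token name>:<password>, with no whitespace on
    # either side of the first ":" and no blank lines. Token names may
    # contain spaces (e.g. "NSS FIPS 140-2 Certificate DB"); passwords may
    # contain ":" because only the first colon separates the two fields.
    if grep -qvE '^[^[:space:]:]([^:]*[^[:space:]:])?:[^[:space:]](.*[^[:space:]])?$' "$f"; then
        echo "$f: malformed entry (expected token:password, no surrounding whitespace)"
        return 1
    fi

    echo "$f: ok"
    return 0
}
```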