[Openswan Users] OpenSWAN truncating NSS passwords

John A. Sullivan III jsullivan at opensourcedevel.com
Fri Oct 23 12:01:58 EDT 2009


On Fri, 2009-10-23 at 10:36 -0400, Avesh Agarwal wrote:
> On 10/23/2009 10:25 AM, John A. Sullivan III wrote:
> > Hello, all.  We had quite an adventure this morning learning the hard
> > way that RHEL/CentOS 5.4 have changed the openswan RPM to use NSS.  We
> > are working again but may have stumbled across a bug (or a point of
> > ignorance on our part!).
> >
> > It appears that when OpenSWAN passes the password to unlock the nss
> > database, it truncates the last letter.  Here is what we experienced.
> >
> > We first tried to implement FIPS as we do try to run a secure site.
> > Here is our procedure from our internal documentation:
> >
> >          Do the following to convert the old installation to the new one.
> >          Create the NSS database using the medium security password:
> >                  export NSS_DEFAULT_DB_TYPE="sql"
> >                  certutil -N -d /etc/ipsec.d
> >          Create the nsspassword file:
> >                  NSS FIPS 140-2 Certificate DB:<password>
> >                  chmod 660 /etc/ipsec.d/nsspassword
> >          Enable FIPS:
> >                  modutil -fips true -dbdir /etc/ipsec.d
> >          We will need the original PKCS#12 packages rather than the
> >          extracted keys and certs.  If we need to recreate the PKCS#12
> >          file from the key and cert, do the following:
> >                  openssl pkcs12 -export -in cert.pem -inkey key.pem
> >                  -certfile cacert.pem -out certkey.p12 -name<nickname -
> >                  if omitted it will be supplied automatically by pk12util
> >                  during the import procedure below>
> >          Import the PKCS#12 file:
> >                  pk12util -i<file>.p12 -d /etc/ipsec.d
> >          Import any other needed CA certs:
> >                  certutil -d . -A -i otherca.pem -t "TCu,Cu,Tuw" -n
> >                  OtherCANickName
> >          create file /etc/ipsec.d/nss.certs with the following:
> >                  @fqdn: RSA "<name of certificate in nss db>" ""
> >          Edit /etc/ipsec.secrets to reflect the cert nick name rather
> >          than the key:
> >                  : RSA "<name of certificate in nss db>"
> >          Edit your connection and replace the leftcert/rightcert with the
> >          certificate nickname of the certificate in nss db.
> >
> > It failed to unlock the NSS database.  It showed the failed password
> > in /var/log/secure and it was missing the last letter.  We thought it
> > might be a FIPS thing so we disabled FIPS and changed the nsspassword
> > file token name.  We saw the same failed result - the password missing
> > the last letter.
> >
> > We thought we might be one letter too long as we do use long passwords
> > so we changed the password on the NSS store to be the one which was
> > being passed by OpenSWAN (i.e., without the last letter) and changed
> > nsspassword.  The same results - it was now missing the new last letter.
> >
> > Finally we disabled password protection and it all worked.  Is this a
> > bug or did we do something wrong? We'd like to enable FIPS and use
> > password protection on the NSS store.  Thanks - John
> >    
> It is surprising why it is happening. Anyway, as you say that it is 
> truncating, one way of dealing with it, for example, say your password 
> is "1234", maybe you can put "1234x" in the file. Just a workaround.
> 
> I will look into it soon. But again, I have been using it and I did not 
> experience it.
<snip>
Someone from IRC had asked if I had a newline at the end of the file.  I
intentionally did not since the documentation said to make sure there
was no white space around the ":" or password.  I'll try adding a new
line tonight and see if that solves the problem.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
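The IRC suggestion above (a missing trailing newline in nsspassword) points at a classic line-reading pitfall. The following is an added illustration, not openswan's or NSS's actual code: it contrasts a reader that blindly drops the last byte of each "Token Name:password" line with one that strips a newline only when present, using the constructed password "1234" from the workaround above.

```c
#include <string.h>

/* Added illustration, not openswan's own code.  An nsspassword line has the
 * form "Token Name:password".  A reader that assumes every line ends in '\n'
 * and blindly drops the last byte loses the final password character when
 * the file has no trailing newline.  Both parsers return 0 on success. */

#define MAXLINE 256
char tok_buf[64], pw_buf[64];   /* scratch output buffers for callers */

/* Split a newline-free "token:password" line into its two parts. */
static int split_line(const char *buf, char *tok, size_t tlen, char *pw, size_t plen)
{
    const char *colon = strchr(buf, ':');
    if (colon == NULL) return -1;
    size_t tn = (size_t)(colon - buf), pn = strlen(colon + 1);
    if (tn >= tlen || pn >= plen) return -1;
    memcpy(tok, buf, tn);  tok[tn] = '\0';
    memcpy(pw, colon + 1, pn);  pw[pn] = '\0';
    return 0;
}

/* Naive reader: unconditionally removes the last byte, assuming it is '\n'.
 * Without a trailing newline the password loses its final character. */
int parse_naive(const char *line, char *tok, size_t tlen, char *pw, size_t plen)
{
    char buf[MAXLINE];
    size_t n = strlen(line);
    if (n == 0 || n >= sizeof buf) return -1;
    memcpy(buf, line, n);
    buf[n - 1] = '\0';          /* BUG: drops the last character either way */
    return split_line(buf, tok, tlen, pw, plen);
}

/* Safe reader: strips "\n" or "\r\n" only when actually present. */
int parse_safe(const char *line, char *tok, size_t tlen, char *pw, size_t plen)
{
    char buf[MAXLINE];
    size_t n = strlen(line);
    if (n == 0 || n >= sizeof buf) return -1;
    memcpy(buf, line, n);
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\r')) n--;
    buf[n] = '\0';
    return split_line(buf, tok, tlen, pw, plen);
}
```

Whether the real parser behaves like the naive one is exactly what adding a trailing newline to the file would reveal; the safe variant shows the defensive form either way.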