openswan-doc-2.6.39-3.2.mga4.x86_64.rpm


XAUTH Server Support

Based on FreeS/WAN code from Colubris Networks (www.colubris.com)
Ported to Openswan by Xelerance (www.xelerance.com)

Sponsored by Astaro AG (www.astaro.com)
Ported to Openswan by Sean Mathews, Nu Tech Software (www.nutech.com)
    Also added MD5/DES password file support and reworked the PAM code.

XAUTH server code rewritten for Openswan 2.1.0 to permit both client
and server side code. Many changes, most of them visible to the user.

Installation:

1.  In addition to the normal Openswan pre-reqs, you will
    also need pam-devel if you choose to use PAM authentication.
    (see PAM below)

2.  Edit Makefile.inc. Set "USE_XAUTH" to "true"

    We ship with this disabled by default, as it is not useful for most folks,
    and has additional requirements.

3.  If you wish to use PAM for authentication then set USE_XAUTHPAM=true.

4.  Build & Install as normal.

5.  If you compiled with PAM then copy contrib/pam.d/pluto to /etc/pam.d/pluto
    (or wherever your distro of choice puts it)

6.  If you choose the MD5/DES password file then create /etc/ipsec.d/passwd
    with the following format.

	userid:password:conname

    Comments are allowed by putting a '#' as the first character of any
    line. The password field holds a crypt(3)-style hash, not a cleartext
    password. You can allow a user access to any connection class in
    ipsec.conf by leaving the last field of the password file blank or '*',
    or set this field to the connection name in your ipsec.conf that you
    wish this person to have access to.

  Note:
    If your libc does not support MD5 then you will need to generate DES
    passwords. These can be generated by any typical htpasswd utility.
    If you need to use DES, use htpasswd -d instead of htpasswd -m.
    Be aware that htpasswd -m writes Apache's $apr1$ MD5 variant, which
    libc crypt(3) does not understand; for the MD5 format generate a
    $1$ hash with crypt(3) itself (for example "openssl passwd -1").
    DES crypt uses only the first 8 characters of the password and is
    cheap to brute-force, so prefer MD5 wherever your libc supports it.
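The password file from step 6 can be checked offline with the script below. This is an added example, not Openswan's code: it implements the $1$ md5crypt algorithm itself (so it runs without Python's crypt module), parses a constructed passwd file in the userid:password:conname format, and applies the conname rule (blank or '*' means any connection). The user names, passwords, salts and conn names are made up; DES entries are not handled here (an assumption to keep the example short), and $apr1$ entries are rejected, which is what a server that hands the hash to libc crypt(3) effectively does.

```python
"""Offline checker for /etc/ipsec.d/passwd entries (added example, not
Openswan code).  Implements PHK's $1$ md5crypt so it runs without the
crypt module, parses the userid:password:conname format and applies
the conname rule.  DES entries are not handled (assumption: MD5 only)."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """PHK md5crypt.  magic b"$1$" is what libc crypt(3) verifies;
    b"$apr1$" is Apache's variant (htpasswd -m): same algorithm but a
    different magic string, hence a different hash for the same input."""
    salt = salt[:8]                      # crypt(3) uses at most 8 salt chars
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                      # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                             # one byte per bit of len(password)
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = []                             # crypt's own base64 ordering of the 16 bytes
    for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[x] << 16) | (final[y] << 8) | final[z]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return (magic + salt + b"$").decode() + "".join(out)


def parse_passwd(text: str) -> dict:
    """userid:password:conname per line; '#' lines are comments.
    A blank or '*' conname means the user may use any conn."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            continue                     # malformed line: no password field
        conn = parts[2] if len(parts) == 3 else ""
        entries[parts[0]] = (parts[1], conn)
    return entries


def check_user(entries: dict, user: str, password: str, conname: str):
    """Return (ok, reason) for a login attempt against conn `conname`."""
    if user not in entries:
        return False, "unknown user"
    pwhash, conn = entries[user]
    if pwhash.startswith("$apr1$"):
        return False, "Apache $apr1$ hash: crypt(3) cannot verify htpasswd -m output"
    if not pwhash.startswith("$1$"):
        return False, "unsupported hash format (DES crypt not implemented here)"
    salt = pwhash.split("$")[2]          # "$1$<salt>$<hash>"
    computed = md5crypt(password.encode(), salt.encode())
    if not hmac.compare_digest(computed, pwhash):
        return False, "bad password"
    if conn not in ("", "*") and conn != conname:
        return False, "user restricted to conn %r" % conn
    return True, "ok"


# Constructed sample file (made-up users, passwords and salts).  alice may
# use any conn, bob only "sales", carol's entry is an $apr1$ (htpasswd -m) hash.
SAMPLE_PASSWD = "\n".join([
    "# userid:password:conname",
    "alice:" + md5crypt(b"s3cret", b"xauthslt") + ":",
    "bob:" + md5crypt(b"hunter2", b"bobsalt1") + ":sales",
    "carol:" + md5crypt(b"s3cret", b"aprsalt1", b"$apr1$") + ":*",
])
ENTRIES = parse_passwd(SAMPLE_PASSWD)

if __name__ == "__main__":
    for user, pw, conn in (("alice", "s3cret", "roadwarriors"),
                           ("bob", "hunter2", "roadwarriors"),
                           ("carol", "s3cret", "roadwarriors")):
        print(user, conn, check_user(ENTRIES, user, pw, conn))
```

Running it shows alice accepted, bob refused because his entry is restricted to the "sales" conn, and carol refused even with the right password because her hash is in the $apr1$ format, which is exactly the failure mode the note above warns about.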

Configuration:

One way to use XAUTH is to have a single shared secret (PSK) for
all road warriors.  This is not the best, since everyone who holds
the PSK can complete Phase 1 and the XAUTH username/password becomes
the only per-user credential, but it does work.

Configure as normal in /etc/ipsec.secrets  - eg:

0.0.0.0 1.2.3.4	: PSK "a secret for the xauth users"

On your conn block, simply add "{left|right}xauthserver=yes" on the
gateway's side to enable XAUTH, and "{right|left}xauthclient=yes" on
the client's side.  "left" and "right" are the two ends of the conn as
already named in ipsec.conf; put xauthserver on whichever end is the
gateway and xauthclient on the road warrior's end.
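A complete conn block for the gateway side, as an added example (not a file shipped with Openswan). It assumes the gateway is 1.2.3.4 from the ipsec.secrets line above, a made-up protected subnet 10.0.1.0/24 and a made-up conn name xauth-rw; road warriors may connect from any address and authenticate Phase 1 with the group PSK.

```conf
# Added to an existing /etc/ipsec.conf on the gateway (1.2.3.4).
# xauth-rw and 10.0.1.0/24 are placeholders.
conn xauth-rw
    # this end: the gateway, which prompts for username/password
    left=1.2.3.4
    leftsubnet=10.0.1.0/24
    leftxauthserver=yes
    # the other end: any road warrior, which answers the XAUTH prompts
    right=%any
    rightxauthclient=yes
    # Phase 1 uses the group PSK from /etc/ipsec.secrets
    authby=secret
    auto=add
```

On the road warrior's own ipsec.conf the same conn is written with the ends swapped (or with left=%defaultroute). If a user's entry in /etc/ipsec.d/passwd restricts them to one connection, the conname field must match the conn name used here.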

We are working on a way to use XAUTH to upgrade OE connections to RW connections. 

Client Configurations - these assume you already have a working 
non-XAUTH connection setup.  These are tested and known to work.

SSH Sentinel 1.4.1

Note: 1.4.0 has a bug where it will only propose Single DES, 
even if Single DES is disabled.  Please upgrade to 1.4.1

1.	On the Rule Properties page, enable Extended Authentication.
2.	Click [Settings], and check "Use authentication method types"
3.	Optionally set it to save your login information.


SafeNet SoftRemote LT 10.0

1.	In Security Policy Editor, open your connection.
2.	Expand Authentication (Phase 1)
3.	Click on Proposal, and set the Authentication Method to
	"Pre-Shared Key; Extended Authentication"

Note: SoftRemote does not let you save your Username and Password.


PAM 
    We DO NOT RECOMMEND use of PAM, as it uses threads, and does
    not do so in a safe manner.

    The code supports /etc/ipsec.d/passwd, as an htpasswd-style
    password file. There are some problems with MD5-style passwords
    that we have not tracked down as yet. Perhaps libc differences
    between test environment and where htpasswd was run. One known
    incompatibility of this kind: htpasswd -m produces Apache's $apr1$
    MD5 hashes rather than the $1$ md5crypt hashes that libc crypt(3)
    verifies, so entries made that way never match.



$Id: README.XAUTH,v 1.3 2004/09/30 23:25:57 paul Exp $