[pptp-server] PPTP Authentication via PAM

James B. MacLean macleajb at Trademart-1.EDnet.NS.CA
Tue Nov 30 04:33:46 CST 1999


On Mon, 29 Nov 1999, Nate Carlson wrote:
> Hi,
> Is it possible to have PPTP users authenticated via pam instead of
> chap-secrets? I'd really prefer to allow my users to have the same
> password for VPN as e-mail and such. Thanks!
> Nate Carlson <carlson at real-time.com>    | Phone : (612)943-8700

Out of the box? I do not know of one. A possible solution, including some
programming, might be possible.

The MS_Chap-v2 spec uses NT-Hashes instead of the clear password for
authentication... But that's not how Unix is storing the passwords. Ergo
no direct use of /etc/passwd. But if:

. Users had an additional pam passwd_change module that synced their Unix
with an NTHash file (maybe even write to /etc/ppp/chap-secrets), possibly
using one of the Samba PAM modules?

. pppd was modified to check this hash area against its 2 challenges to
make its response check, instead of making it into a hash. (maybe do
both).

. this positive compare resulted in pppd using the hash instead of
creating its own as you would not have the actual password.

I can see that working.

I currently have a basically working PPTP authentication against a
modified radius server using the MS_CHAP_v2 handshaking. For me though, a
successful challenge/response by the radius server sends the password
(currently clear text) to the NAS (pppd) so that it can be used to make
the mppe stream.

I am hoping to be able to use pptpd, vtun, and radius to allow users to
log in around the province always with _their_ ip, and always with
firewall rules specific to them :). So different people have different
access rights on the network, and it's all more secure than telnet :). I
figure once I have it running I'll find out it's already been done in a
much more robust way :).

Hope this at least piques your imagination ;),
JES
--
James B. MacLean        macleajb at ednet.ns.ca
Department of Education http://www.ednet.ns.ca/~macleajb
Nova Scotia, Canada
B3M 4B2