[pptp-server] Hack to force MPPE encryption from the server side

Nathan Meyers nmeyers at javalinux.net
Wed Jan 5 20:35:49 CST 2000


Geoff Nordli wrote:
> 
> I am trying your patch.  It works really well, but unfortunately
> kills the pptp daemon also.
> 
> I renamed pppd as pppd.real.
> 
> I named the script /usr/sbin/pppd.
> 
> It really does work, but why do you think it kills the pptp daemon?
> 
> It doesn't kill the daemon if the client has mppe enabled.

Hmmm... don't know. It issues a kill only against pppd, and doesn't
affect pptpd in my environment. No obvious reason comes to mind. I
probably won't get much time to look at the problem, but I'll let you
know if I identify it.

Nathan

> 
> thanks,
> 
> geoff nordli
> 
> -----Original Message-----
> From: pptp-server-admin at lists.schulte.org
> [mailto:pptp-server-admin at lists.schulte.org]On Behalf Of Nathan Meyers
> Sent: Tuesday, December 28, 1999 12:09 PM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] Hack to force MPPE encryption from the server
> side
> 
> When I was looking recently for a way for PoPToP to force PPTP clients
> to use MPPE encryption, it appeared to be impossible - outside the
> bounds of PPP to force a compression choice on the client.
> 
> I've developed a hack that gets the job done without too much ugliness.
> It's a small sentry, written in perl, that detects when an unencrypted
> PPTP connection has been established, and kills it. If anyone's
> interested, here's what I did:
> 
> 1) Hacked pptpd to run /usr/sbin/pppd.mppe_sentry instead of
> /usr/sbin/pppd as the PPP daemon.
> 
> 2) Implemented /usr/sbin/pppd.mppe_sentry in perl (see below).
> 
> It works by sitting between pptpd and pppd, and monitoring the log
> output from pppd. It looks for two things in the log output:
> 
> - The message announcing the "remote IP" connection
> 
> - The message announcing the use of MPPE encryption, which may occur
> before or shortly after the "remote IP" message.
> 
> If it doesn't see the MPPE message within 10 seconds of seeing the
> "remote IP" message, it kills pppd. Crude, but effective.
> 
> A possible alternate implementation would be to:
> 
> 1) Don't hack pptpd
> 
> 2) Rename /usr/sbin/pppd to /usr/sbin/pppd.real
> 
> 3) Install the script as /usr/sbin/pppd, changing line 14 to run
> /usr/sbin/pppd.real
> 
> Unfortunately, this approach involves the sentry whenever pppd is used
> for anything, not just PPTP connections - which won't work in my
> environment.
> 
> Perl source for the sentry is attached below.
> 
> Nathan Meyers
> nmeyers at javalinux.net
> 
> #!/bin/sh
> # This is a shell archive (produced by GNU sharutils 4.2).
> # To extract the files from this archive, save it to some FILE, remove
> # everything before the `!/bin/sh' line above, then type `sh FILE'.
> #
> # Made on 1999-12-28 12:06 PST by <nathanm at vectra>.
> # Source directory was `/home/nathanm/VPN'.
> #
> # Existing files will *not* be overwritten unless `-c' is specified.
> #
> # This shar contains:
> # length mode       name
> # ------ ---------- ------------------------------------------
> #    716 -rwxr-xr-x pppd.mppe_sentry
> #
> save_IFS="${IFS}"
> IFS="${IFS}:"
> gettext_dir=FAILED
> locale_dir=FAILED
> first_param="$1"
> for dir in $PATH
> do
>   if test "$gettext_dir" = FAILED && test -f $dir/gettext \
>      && ($dir/gettext --version >/dev/null 2>&1)
>   then
>     set `$dir/gettext --version 2>&1`
>     if test "$3" = GNU
>     then
>       gettext_dir=$dir
>     fi
>   fi
>   if test "$locale_dir" = FAILED && test -f $dir/shar \
>      && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
>   then
>     locale_dir=`$dir/shar --print-text-domain-dir`
>   fi
> done
> IFS="$save_IFS"
> if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
> then
>   echo=echo
> else
>   TEXTDOMAINDIR=$locale_dir
>   export TEXTDOMAINDIR
>   TEXTDOMAIN=sharutils
>   export TEXTDOMAIN
>   echo="$gettext_dir/gettext -s"
> fi
> touch -am 1231235999 $$.touch >/dev/null 2>&1
> if test ! -f 1231235999 && test -f $$.touch; then
>   shar_touch=touch
> else
>   shar_touch=:
>   echo
>   $echo 'WARNING: not restoring timestamps.  Consider getting and'
>   $echo "installing GNU \`touch', distributed in GNU File Utilities..."
>   echo
> fi
> rm -f 1231235999 $$.touch
> #
> if mkdir _sh14010; then
>   $echo 'x -' 'creating lock directory'
> else
>   $echo 'failed to create lock directory'
>   exit 1
> fi
> # ============= pppd.mppe_sentry ==============
> if test -f 'pppd.mppe_sentry' && test "$first_param" != -c; then
>   $echo 'x -' SKIPPING 'pppd.mppe_sentry' '(file already exists)'
> else
>   $echo 'x -' extracting 'pppd.mppe_sentry' '(text)'
>   sed 's/^X//' << 'SHAR_EOF' > 'pppd.mppe_sentry' &&
> #!/usr/bin/perl
> X
> $^F = 20;
> pipe(FROMPPPD, TOSENTRY) || die "Failed to open pipe";
> X
> $pid = fork;
> if ($pid == -1) { die "fork() failed"; }
> X
> if ($pid == 0)
> {
> X    # Child... run pppd
> X    close(FROMPPPD);
> X    open(STDOUT, '>&TOSENTRY');
> X    unshift @ARGV, "/usr/sbin/pppd";
> X    exec(@ARGV) || die "Failed to execute pppd";
> }
> X
> close(TOSENTRY);
> X
> $encryption = 0;
> while (<FROMPPPD>)
> {
> X    chomp;
> X    if (/MPPE/) { $encryption = 1; }
> X    if (/remote IP/ && !$encryption)
> X    {
> X       # We've seen the "remote IP" message but no sign of encryption.
> X       # Give pppd 10 seconds to report encryption or the dog dies
> X       $SIG{ALRM} = 'check_encrypt';
> X       alarm 10;
> X    }
> }
> X
> sub check_encrypt
> {
> X    if (!$encryption) { kill SIGTERM, pid; }
> }
> SHAR_EOF
>   $shar_touch -am 1225114399 'pppd.mppe_sentry' &&
>   chmod 0755 'pppd.mppe_sentry' ||
>   $echo 'restore of' 'pppd.mppe_sentry' 'failed'
>   if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
>   && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null;
> then
>     md5sum -c << SHAR_EOF >/dev/null 2>&1 \
>     || $echo 'pppd.mppe_sentry:' 'MD5 check failed'
> 21d20f3cc32b233450f52c0402f59386  pppd.mppe_sentry
> SHAR_EOF
>   else
>     shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'pppd.mppe_sentry'`"
>     test 716 -eq "$shar_count" ||
>     $echo 'pppd.mppe_sentry:' 'original size' '716,' 'current size'
> "$shar_count!"
>   fi
> fi
> rm -fr _sh14010
> exit 0
> 
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulte.org!
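As an added example, not the script from either post, here is a standalone rework of the sentry with the same design: it wraps the real pppd, watches the log lines pppd writes to stdout, and terminates pppd if no MPPE message follows the "remote IP" message within 10 seconds. It also addresses a defect visible in the posted script: `kill SIGTERM, pid` uses the bareword `pid` rather than `$pid`, which evaluates to 0, and kill(2) with pid 0 signals every process in the caller's process group rather than only the pppd child, so the version below signals `$pid` and cancels the timer once encryption is confirmed. It assumes the alternate installation layout from the post (real daemon renamed to /usr/sbin/pppd.real, sentry installed as /usr/sbin/pppd).

```perl
#!/usr/bin/perl
# Added example: MPPE sentry wrapper for pppd (not the script from the
# original post). Assumes pppd.real is the renamed daemon and that pppd
# logs to stdout, as it does by default when stdout is not the serial port.
use strict;
use warnings;

my $pppd    = '/usr/sbin/pppd.real';   # assumed path of the real daemon
my $timeout = 10;                      # seconds allowed after "remote IP"

pipe(my $from_pppd, my $to_sentry) or die "pipe: $!";

my $pid = fork();
defined $pid or die "fork: $!";

if ($pid == 0) {
    # Child: route pppd's stdout into the pipe, then run the real daemon
    # with the arguments pptpd handed to us.
    close $from_pppd;
    open(STDOUT, '>&', $to_sentry) or die "dup2 stdout: $!";
    exec($pppd, @ARGV) or die "exec $pppd: $!";
}

close $to_sentry;

my $encryption = 0;

# Timer handler: the signal goes to $pid, i.e. the pppd child only.
# The posted script used the bareword 'pid' (== 0), which makes kill(2)
# signal the whole process group instead.
$SIG{ALRM} = sub {
    kill 'TERM', $pid unless $encryption;
};

while (my $line = <$from_pppd>) {
    $encryption = 1 if $line =~ /MPPE/;
    if ($line =~ /remote IP/ && !$encryption) {
        alarm $timeout;        # link is up unencrypted: start the clock
    }
    alarm 0 if $encryption;    # encryption confirmed: drop any pending kill
}

# pppd closed its stdout; reap the child and pass its exit status along.
waitpid($pid, 0);
exit($? >> 8);
```

Because the handler only fires when `$encryption` is still unset, a client that negotiates MPPE before or within the window keeps its session, while an unencrypted one is torn down without touching pptpd.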