[pptp-server] PoPToP and Authentication Questions

Neale Banks neale at lowendale.com.au
Tue Mar 14 15:25:22 CST 2000


On Tue, 14 Mar 2000, Adam Williams wrote:

[...]
> >>Authentication is actually handled by PPP.  PPP supports PAM if you use PAP
> >>authentication, which means no encryption.  With PAM you can authenticate
> >>against anything you want.  With CHAP  you must maintain a hideous secrets
> >>file on the PPP server, because you don't have the password you can't auth
> >>against something like PAM.  A couple of people are pondering this dilemma,
> >>but I haven't seen anything come through.  I am also eagerly awaiting this
> >>feature (I want to auth with PAM against an LDAP server).  I'll buy pizza
> >>for anyone who can provide a patch to let me CHAP against PAM.
> >Interesting... The pizza that is :).
> 
> Hey, I'm serious.

Well, I'm not up to producing the patch (so I guess I forgo the pizza),
but here's a few hypotheses on the directions required...

> >Since one needs that password to CHAPinate, would you care if it was bare
> >text stored ACL'd on the LDAP server?
> 
> I suppose if I don't have a choice, then I don't have one, but i'm not too
> excited about storing a plain text password.  Is it possible to CHAPinate
> first, and store the chapination?

In theory yes, but you'd lose advantages of CHAP - starting with leaving
yourself wide open to replay attack (in essence you have reverted to PAP)
as the random challenge used in the CHAP computation would be fixed in
advance.  In short, if you are seriously tempted to go down this path then
you can probably save yourself a lot of hassle by just using PAP as it is.

> >I've had it working this way against ICRadius, but never completed that
> >project. It was quite an ugly hack at best, but the underlying pain in
> >the neck was that to make the CHAP compares work, you start with the plain
> >text password and go forward, not take and MD5, etc... password and work
> >any other way.
> 
> Yep, I realize this and am curious how NT gets around this problem?  Certainly
> they don't store the plain text password?

Correct.  But MS-CHAP is not CHAP ;-)  They perverted the original
standard (how surprising ;-).

> >Possibly I missed the obvious solution, but that was the problem as I saw
> >it and went onward using clear passwords.

Taking a brief look at some (now aging) PAM docs and considering the
exchanges in CHAP, it appears to me that this *might* be possible, with
some non-trivial restrictions - starting with the PAM module:

1) being specifically written for CHAP

2) having access to the cleartext (or the hash, in the case of MS-CHAP)

In the PAM Applications docs, there is reference to a "conversational"
state.  If I've understood this correctly (big if ;-) the idea is that an
application calls a PAM-module to request authentication and the module
can then call back to the application for such things as prompting for a
password.  It occurs to me that this conversation might be hackable for
CHAP:

(a) the PAM-module passes the clear-text password back to the calling pppd
- this minimises the hacks required in pppd but is a REALLY EVIL idea for
security - exposing the bare password places a lot of trust in the calling
application.  Please don't be tempted to implement this.

(b) the PAM-module passes a random challenge back to the calling pppd
which, in the normal manner of CHAP, passes this challenge to the other
side and receives the computed response back - this computed response is
then passed back to the CHAP-aware PAM-module.  The PAM-module then also
performs the CHAP-function on its copy of the shared secret and the random
challenge it issued to arrive at its version of the CHAP-response - if
the received and computed CHAP-responses match then the PAM-module returns
"authentication succeeded".  This obviously requires relocating the CHAP
handling from pppd into the PAM-module but is arguably the correct way of
doing things.

Question: is anyone with PAM-hacking experience able to comment on the
feasibility of the above?

A completely different approach would be to hack upon pppd and create a
generic PAM-like interface in place of the current reading of the
chap-secrets file.

HTH,
Neale.
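An added worked example (not code from the original post, from PoPToP or
from pppd): a minimal CHAP verifier per RFC 1994 (MD5 algorithm,
Response = MD5(Identifier || Secret || Challenge)) arranged the way
option (b) above describes, where the verifying side holds the cleartext
shared secret, issues the random challenge and checks the response
itself.  Next to it is a verifier built on the "store the chapination"
idea (a fixed challenge plus the precomputed response) so the replay
point can be run rather than argued.  All class and function names, and
the sample secret "pizza", are assumptions made up for this example; only
the response formula comes from RFC 1994.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge).

    The cleartext secret goes straight into the hash, which is why a CHAP
    verifier cannot start from a one-way hash of the password.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


@dataclass
class ChapVerifier:
    """Verifying side as in option (b): holds the shared secret, issues a
    fresh random challenge per attempt, compares the peer's response with
    its own computation.  (Hypothetical name, not a pppd/PAM API.)"""
    secret: bytes
    pending: dict[int, bytes] = field(default_factory=dict)  # identifier -> challenge
    next_id: int = 0

    def issue_challenge(self, size: int = 16) -> tuple[int, bytes]:
        identifier = self.next_id & 0xFF
        self.next_id += 1
        challenge = os.urandom(size)          # unpredictable, never reused
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        # Pop so that each issued challenge can be answered at most once.
        challenge = self.pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)


@dataclass
class PrecomputedVerifier:
    """The 'store the chapination' idea: keep a fixed challenge and the
    response precomputed from it instead of the secret.  It can only ever
    ask the same question, so the stored answer is a reusable password."""
    fixed_id: int
    fixed_challenge: bytes
    stored_response: bytes

    def issue_challenge(self) -> tuple[int, bytes]:
        return self.fixed_id, self.fixed_challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        return identifier == self.fixed_id and hmac.compare_digest(
            self.stored_response, response)


SECRET = b"pizza"  # constructed sample shared secret


def live_exchange() -> bool:
    """Normal CHAP: a peer that knows the secret answers a fresh challenge."""
    server = ChapVerifier(SECRET)
    ident, chal = server.issue_challenge()
    return server.verify(ident, chap_response(ident, SECRET, chal))


def replay_against_random_challenge() -> bool:
    """A sniffed response replayed in a later session is rejected."""
    server = ChapVerifier(SECRET)
    ident, chal = server.issue_challenge()
    sniffed = chap_response(ident, SECRET, chal)
    server.verify(ident, sniffed)             # the victim's genuine login
    ident2, _ = server.issue_challenge()      # new session, new random challenge
    return server.verify(ident2, sniffed)     # attacker holds no secret


def replay_against_precomputed() -> bool:
    """The same trick against the stored-response verifier succeeds."""
    fixed_id, fixed_chal = 1, bytes(16)
    server = PrecomputedVerifier(fixed_id, fixed_chal,
                                 chap_response(fixed_id, SECRET, fixed_chal))
    ident, chal = server.issue_challenge()
    sniffed = chap_response(ident, SECRET, chal)   # seen on the wire once
    server.verify(ident, sniffed)
    ident2, _ = server.issue_challenge()           # identical challenge again
    return server.verify(ident2, sniffed)


def hashed_secret_works() -> bool:
    """A verifier holding only sha256(secret) cannot reproduce the response."""
    server = ChapVerifier(hashlib.sha256(SECRET).digest())
    ident, chal = server.issue_challenge()
    return server.verify(ident, chap_response(ident, SECRET, chal))


if __name__ == "__main__":
    print("live exchange:", live_exchange())                              # True
    print("replay vs random challenge:", replay_against_random_challenge())  # False
    print("replay vs stored response:", replay_against_precomputed())        # True
    print("hash-only verifier:", hashed_secret_works())                    # False
```

The popped challenge in ChapVerifier.verify is what makes the random
variant replay-safe: a response is only ever compared against the one
challenge it was issued for.  PrecomputedVerifier has no such step
because it has nothing to vary, which is exactly the "reverted to PAP"
situation described above.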
