[pptp-server] PoPToP and Authentication Questions

Adam Williams adam at morrison-ind.com
Wed Mar 15 06:54:47 CST 2000


 From          : lists>pptp-server-admin
 To            : adam
 Subject       : Re: [pptp-server] PoPToP and Authentication Questions
 Date          : 01/01/70 01:01


>>>>Interesting... The pizza that is :).
>>>Hey, I'm serious.
>Me too, but I've asked lists for quite a while before I began my home-brew
>and I am surprised the interest was there and never came forth before.

I've asked before, we must have missed each other.

>My desire was to have a centralized radius solution. Now that I _finally_
>am starting to see a _bit_ of the LDAP light, I am seeing other
>opportunities. But I only asked here (PPTP) and the Radius lists for
>interest. There may be some help from the LDAP crew, or as suggested
>below, from the PAM'ers.

I know how to "program" for LDAP, but little or nothing about the API for
PAM (although it doesn't look too complicated).

>>>Since one needs that password to CHAPinate, would you care if it was bare
>>>text stored ACL'd on the LDAP server?
>>I suppose if I don't have a choice, then I don't have one, but i'm not too
>>excited about storing a plain text password.  Is it possible to CHAPinate
>>first, and store the chapination?
>Nor was I. One other option not exactly alluded to here is to go the way
>that Samba does and use PAM to keep a current NT hashed password as well
>as a MD5 Linux/Unix password.(And Samba too if you need it). Then you
>don't need to store the plain password. Understand that this would work
>for MS-CHAPv2. Or, I think it would :).

I have the NT, DES, and LanMAN hashes in the LDAP directory, as with Samba
that is a very easy and convenient thing to do.  I assume that M$ uses the NT
hash as the beginning of their CHAP sequence, but that is only an assumption
from the documentation I have found.

>>In theory yes, but you'd lose advantages of CHAP - starting with leaving
>>yourself wide open to replay attack (in essence you have reverted to PAP)
>>as the random challenge used in the CHAP computation would be fixed in
>>advance.  In short, if you are seriously tempted to go down this path then
>>you can probably save yourself a lot of hassle by just using PAP as it is
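Added example, not code from the thread or from PoPToP: a minimal RFC 1994 CHAP/MD5 verifier in Python that shows the two points argued above, that the server must hold the secret in the clear to compute the response, and that storing a precomputed response ("CHAPinate first") pins the challenge and lets a captured response be replayed, whereas a fresh one-shot challenge does not. It models plain CHAP rather than MS-CHAP (so the NT-hash variant is not shown); the user name and secret are constructed.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ChapServer:
    """Verifier that holds the clear-text secret (the 'bare text stored ACL'd' case)."""
    def __init__(self, secrets: dict):
        self.secrets = secrets   # name -> secret; CHAP needs it in the clear to recompute
        self.pending = {}        # ident -> outstanding challenge, consumed on first use
        self.counter = 0

    def challenge(self):
        ident = self.counter & 0xFF
        self.counter += 1
        chal = os.urandom(16)    # fresh random challenge per attempt: this defeats replay
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)   # one-shot: a replayed ident finds nothing
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)

class StoredResponseServer:
    """'Store the chapination': only MD5(id || secret || fixed_challenge) is kept, so the
    server can never vary the challenge and every login is the same bytes on the wire."""
    FIXED_ID, FIXED_CHALLENGE = 1, b"\x00" * 16   # constructed, fixed at enrolment time

    def __init__(self, stored: dict):
        self.stored = stored     # name -> precomputed response

    def challenge(self):
        return self.FIXED_ID, self.FIXED_CHALLENGE

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        return hmac.compare_digest(self.stored.get(name, b""), response)

def login_then_replay(server, name: str, secret: bytes):
    """Legitimate login, then the same captured (ident, response) re-sent in a new session.
    Returns (first_login_ok, replay_ok)."""
    ident, chal = server.challenge()
    resp = chap_response(ident, secret, chal)
    first = server.verify(ident, name, resp)
    server.challenge()                       # a new session begins; old values are re-sent
    return first, server.verify(ident, name, resp)
```

With a live challenge the result is (True, False); with the stored response it is (True, True), which is the "reverted to PAP" point made in the quoted reply.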
