[pptp-server] Authenticating using CHAP and PAM

AJ Ostergaard ostergaard at cubbyhole.net
Thu Apr 5 06:07:58 CDT 2001


Hello all,

I am trying to set up a secure VPN for remote users to access our internal
networks and have everything working in terms of MPPE, PAP, CHAP, PPP to
PAM, PAM to NT etc. but:

Correct me if I'm wrong, but PPP invokes PAM (and thus NT) only when using
PAP. PAP is far from secure as it sends the password over the net in plaintext,
so my users' NT passwords would be floating around. Also, if I use PAP I can't
have MPPE.

Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are
all W2k) but then I can't authenticate against NT.

There are two reasons I want to authenticate against NT. Firstly, I don't
want another place to have to administer usernames and passwords. Secondly, I
don't want a file with my users' plaintext passwords lying around.

As far as I can tell MSCHAP needs the secret to be in the chap-secrets file.
I guess this is because the CHAP algorithm needs access to the secret
string? If so I am in a lose/lose situation.

Does any of this make sense?

Comments?

Thanks,
AJ

99 little bugs in the code, 99 bugs in the code,
 fix one bug, compile it again...
 101 little bugs in the code....
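
The constraint asked about in the message above, as an added example that is not part of the original post and is not pppd code. It uses plain RFC 1994 CHAP-MD5 rather than MS-CHAPv2, and the PBKDF2 store standing in for a hashed PAM-style backend, the function names and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    # The authenticator never sees the password on the wire. It has to
    # recompute the digest itself, so it needs the shared secret as stored.
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Hypothetical one-way store, standing in for a hashed password backend.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)

def pap_verify(password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    # PAP hands the server the password itself, so it can be hashed and
    # compared against a one-way store (or passed on to another backend).
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def demo() -> dict:
    # Constructed sample values, fixed so the run is repeatable.
    password = b"constructed-password"
    salt = b"constructed-salt"
    stored_hash = hash_password(password, salt)
    ident = 1
    challenge = bytes(range(16))
    other_challenge = bytes(range(16, 32))

    # Peer side: computes the response from the real password.
    response = chap_response(ident, password, challenge)

    return {
        # PAP works with only a one-way hash on the server.
        "pap_with_hash_store": pap_verify(password, salt, stored_hash),
        # CHAP works when the server holds the secret itself.
        "chap_with_secret_store": chap_verify(ident, challenge, response, password),
        # CHAP fails when the server holds only a salted one-way hash.
        "chap_with_hash_store": chap_verify(ident, challenge, response, stored_hash),
        # A captured response is useless against a fresh challenge.
        "chap_replay_new_challenge": chap_verify(ident, other_challenge, response, password),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```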



