[pptp-server] Authenticating using CHAP and PAM

Michael Lantzen lantzen at alife.de
Thu Apr 5 08:07:28 CDT 2001


I just asked the same yesterday. The only way to go is to use Samba to 
mirror the passwords onto the Linux box and put an entry into the 
chap-secrets that links to the smbpasswd. As far as I know that's the only 
way to currently get the functionality you want and not having the 
passwords unencrypted in any place.

bye
Michael
At 12:07 05.04.2001 +0100, AJ Ostergaard wrote:
>Hello all,
>
>I am trying to set up a secure VPN for remote users to access our internal
>networks and have everything working in terms of MPPE, PAP, CHAP, PPP to
>PAM, PAM to NT etc. but:
>
>Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using
>PAP. PAP is far from secure as it sends password over net in plaintext so my
>users' NT passwords would be floating around. Also if I use PAP I can't have
>MPPE.
>
>Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are
>all W2k) but then I can't authenticate against NT.
>
>There are two reasons I want to authenticate against NT. Firstly I don't
>want another place to have to administer usernames and passwords. Secondly I
>don't want a file with my users' plaintext passwords lying around.
>
>As far as I can tell MSCHAP needs the secret to be in the chap-secrets file.
>I guess this is because the CHAP algorithm needs access to the secret
>string? If so I am in a lose/lose situation.
>
>Does any of this make sense?
>
>Comments?
>
>Thanks,
>AJ
>
>99 little bugs in the code, 99 bugs in the code,
>  fix one bug, compile it again...
>  101 little bugs in the code....




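Added example, not part of the original messages: a sketch of why a one-way password store of the kind PAM checks can verify PAP but cannot verify a CHAP response, which is the constraint discussed in the thread. It uses plain RFC 1994 CHAP (MD5) rather than MS-CHAPv2, and PBKDF2 as a stand-in for a PAM-style one-way hash; function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def store_one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a PAM-style verifier: salted, iterated one-way hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def pap_verify(stored: bytes, salt: bytes, presented: bytes) -> bool:
    """PAP delivers the password itself, so the server can re-hash and compare."""
    return hmac.compare_digest(stored, store_one_way(presented, salt))


def chap_verify(server_secret: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """CHAP delivers only a digest; the server must recompute it from the secret."""
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-sample-password"  # constructed sample value
    salt = bytes(16)                           # fixed salt, for reproducibility only
    stored = store_one_way(password, salt)     # what a one-way store would hold
    identifier, challenge = 1, os.urandom(16)
    peer_response = chap_response(identifier, password, challenge)
    return {
        # PAP against the one-way store: works.
        "pap_with_hash_store": pap_verify(stored, salt, password),
        # CHAP when the server holds the same secret the peer used: works.
        "chap_with_secret": chap_verify(password, identifier, challenge, peer_response),
        # CHAP when the server only holds the one-way hash: cannot match.
        "chap_with_hash_store": chap_verify(stored, identifier, challenge, peer_response),
        # The same response against a fresh challenge: rejected.
        "replayed_response": chap_verify(password, identifier, os.urandom(16), peer_response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In MS-CHAP the keying secret is the NT hash (MD4 of the UTF-16LE password) rather than the plaintext, so whatever file holds that hash is password-equivalent for this protocol and needs the same protection as a secrets file.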