[pptp-server] Authenticating using CHAP and PAM

Charlie Brady charlieb at e-smith.com
Thu Apr 5 10:06:44 CDT 2001


On Thu, 5 Apr 2001, AJ Ostergaard wrote:

> Correct me if I'm wrong but PPP invokes PAM (and thus NT) only when using
> PAP. PAP is far from secure as it sends password over net in plaintext so my
> users NT passwords would be floating around. Also if I use PAP I can't have
> MPPE.
>
> Thus if I want an encrypted VPN I need to use MSCHAPv2 (fine as clients are
> all W2k) but then I can't authenticate against NT.
>
> There are two reasons I want to authenticate against NT. Firstly I don't
> want another place to have to administer usernames and passwords. Secondly I
> don't want a file with my users plaintext passwords lying around.
>
> As far as I can tell MSCHAP needs the secret to be in the chap-secrets file.
> I guess this is because the CHAP algorithm needs access to the secret
> string? If so I am in a lose/lose situation.
>
> Does any of this make sense?

What you say all matches my understanding. The PPP daemon needs the NT
hash (which it can derive from a plaintext password) in order to do
MSCHAPv2 authentication, and needs to do MSCHAPv2 authentication to set up
MPPE.

If we have understood this correctly, the best you can do is to find/make
a tool to periodically dump the NT hashes from the NT box and store them
in chap-secrets or smbpasswd.

  Charlie Brady                         charlieb at e-smith.com
  http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
  Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
  e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada