[pptp-server] blank username/password works!?

Gill, Vern vgill at technologist.com
Fri Mar 2 00:13:06 CST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Holy Toledo Batman!!!! You are correct!!! It does not appear to be the
guest user, either. The log file reads mschap auth succeeded for user
<blank>


This is a SERIOUS problem that I was not previously aware of. Thank
you for pointing that out... Wow!!! In testing I found that if you
actually specify a USERNAME in chap-secs it will fail on a blank
user.
I.E.
/etc/ppp/chap-secrets;
user1 *       &/etc/samba/smbpasswd   *
user2 *       &/etc/samba/smbpasswd   *
user3 *       &/etc/samba/smbpasswd   *
etc
etc

But it still allows users who are IN the file to work, even if they
DON'T exist in smbpasswd.
I.E.
/etc/smbpasswd;
user1:XXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXX:[U          ]:LCT-XXXXXXXX:
user2:XXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXX:[U          ]:LCT-XXXXXXXX:

Users 1 2 AND 3 CAN LOGIN SUCCESSFULLY!!!!!

This is REAL bad... Maybe this is something to seriously look at the
code for. Too bad I know NOTHING about coding. I would not be of ANY
assistance, but I would LOVE to hear if a "correction" is made to
this...


Thanks again for pointing this out....


- ---> Running to nearest computer terminal to secure his network
against intrusion

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOp85gBeamMdwy9TXEQLmUgCgksF290fkMVzt3P6l0GBfdYCZ+tAAniDo
WI3GQspdWQ3YoBhgXY/bPO2y
=/Gx7
-----END PGP SIGNATURE-----
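
An audit for the two conditions described in the message above, as an added example that is not part of the original post or of the pptp-server code. It assumes the blank login was possible because the client column held a wildcard or empty name, and it treats a secret beginning with "&" as delegation to the named smbpasswd file, as in the entries shown; the sample file contents are constructed.

```python
import shlex

# Constructed sample files (not taken from any real system).
CHAP_SECRETS = """\
# client  server  secret                  addresses
*         *       &/etc/samba/smbpasswd   *
user1     *       &/etc/samba/smbpasswd   *
user2     *       &/etc/samba/smbpasswd   *
user3     *       &/etc/samba/smbpasswd   *
"""
PLACEHOLDER = "X" * 32  # stands in for the redacted hash fields
SMBPASSWD = "".join(
    f"{name}:{uid}:{PLACEHOLDER}:{PLACEHOLDER}:[U          ]:LCT-XXXXXXXX:\n"
    for name, uid in (("user1", 1001), ("user2", 1002))
)

def parse_chap_secrets(text):
    """Yield (client, server, secret) for each entry in chap-secrets text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours quoted fields such as ""
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2]

def smbpasswd_users(text):
    """Return the set of account names in smbpasswd-format text."""
    return {l.split(":", 1)[0] for l in text.splitlines()
            if ":" in l and not l.startswith("#")}

def audit(chap_text, smb_text):
    """Return (finding, client) pairs in file order."""
    known = smbpasswd_users(smb_text)
    findings = []
    for client, _server, secret in parse_chap_secrets(chap_text):
        if client in ("*", ""):
            # Assumption: a wildcard/empty client is what admits a blank username.
            findings.append(("wildcard-client", client or "<blank>"))
        elif secret.startswith("&") and client not in known:
            # Listed in chap-secrets but has no smbpasswd record to check against.
            findings.append(("not-in-smbpasswd", client))
    return findings

if __name__ == "__main__":
    for kind, client in audit(CHAP_SECRETS, SMBPASSWD):
        print(f"{kind}: {client}")
```

On a live server, pass the contents of /etc/ppp/chap-secrets and the smbpasswd file it references to audit() instead of the samples.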


