[pptp-server] Yes, blank username/password works!

Justin Kreger jkreger at avidsolutionsinc.com
Fri Mar 2 14:31:27 CST 2001 

It would not be hard to write a patch to fix the smbpasswd authetication.

Now that I think about it, It could authenticate with MSChap and MSChapV2
with no login and password.  If no secret is found with PAP, it kills the
authentication process right then and there, but chap just keeps on going.

-----Original Message-----
From: Dread Boy [mailto:dreadboy at hotmail.com]
Sent: Friday, March 02, 2001 2:13 PM
To: pptp-server at lists.schulte.org; Steve at SteveCowles.com
Subject: RE: [pptp-server] Yes, blank username/password works!


You are correct, Steve.  I was failing to put in my login username/password.

  I was assuming (ASS-outta-U-and-Me-ING) that the dial-up name and password

would do the trick.

It was apples to oranges.

And again, that's correct, using chap-secrets is fine - it's only when using

libsmbpw that problems arise for the blank user/password deal...  Which is a

real drag since I hope hoping to keep user list maintenance synced for ease 
of use.

>From: "Cowles, Steve" <Steve at SteveCowles.com>
>To: pptp-server at lists.schulte.org
>Subject: RE: [pptp-server] Yes, blank username/password works!
>Date: Fri, 2 Mar 2001 11:19:11 -0600
>
> > -----Original Message-----
> > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > Sent: Friday, March 02, 2001 1:37 AM
> > To: pptp-server at lists.schulte.org; vgill at technologist.com
> > Subject: RE: [pptp-server] Yes, blank username/password works!
> >
> >
> > Yeah, and on top of all this it doesn't seem to matter what I
> > log in as, my username and password don't get carried over to
> > SAMBA for authenticating with server shares.
>
>Lets make sure we are comparing apples to apples here. The 
>username/password
>that you specify in your windows PPTP dialup profile has NEVER been carried
>over for share access. Please keep the following in mind...
>
>1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
>to authenticate the tunnel connection ONLY.
>
>2) Share access uses the user/pass that you specified when you turned on
>your PC and logged in to get to your desktop. FWIW: This same user/pass can
>be specified in your PPTP dialup profile to be used to authenticate the 
>PPTP
>tunnel.
>
> >
> > i.e.  Whether I use a valid username/password or the blank, I
> > still can not access resources (or possibly ACLs) on the
> > servers even with valid usernames.  On my local LAN it's no
> > problem, but remotely, it doesn't seem to know who I am while
> > I'm logged on.
> >
> > For example, when I click a share locally on my SAMBA server,
> > I can get into it and have certain rights based on my username/
> > password.  I don't even have to think about it. "security =
> > user" in /etc/smb.conf. However, when I log in remotely with
> > Windoze using my PPTPD Linux server, when I even try to access
> > the server itself (let alone the share) it keeps asking me for
> > the IPC$ administration password as if it was an NT server.
> > It doesn't matter what I enter here, I can't get any farther.
>
>From the samba docs...
>
>Some people find browsing fails because they don't have the global
>"guest account" set to a valid account.  Remember that the IPC$
>connection that lists the shares is done as guest, and thus you must
>have a valid guest account.
>----------------------------
>
>Also, is the PPTP clients WORKGROUP participation set to match what the
>clients on the LAN are configured to?
>
> >
> > Does PPTPD know my SMB username but not my password, or vice
> > versa?  I thought maybe because it was encrypted using
> > libsmbpw.so that maybe it couldn't figure it out, but then
> > using chap-secrets plain-text passwords don't cut it either.
> >
> > Anyone know what this is all about?
> >
> > Geez, I thought this whole PPTPD Linux server was gonna be at
> > least a weekend of work, but it's turning out to be months
> > worth of work.
> >
>
>With regards to the "subject" line of this thread... lets make sure we are
>comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>reputation of being insecure without the following clarification being
>noted.
>
>1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
>authentication to use the libsmbpw.o lib's (smbpasswd), then your system
>appears to be vulnerable to the blank user/pass exploit mentioned in this
>thread.
>
>2) Those of you who are still using the chap-secrets file (no re-direct) 
>for
>tunnel authentication are NOT vulnerable to the blank user/pass exploit
>mentioned in this thread. I just verified this on my PopTop server! I do 
>not
>use the re-direct to libsmbpw.o
>
>Steve Cowles
>_______________________________________________
>pptp-server maillist  -  pptp-server at lists.schulte.org
>http://lists.schulte.org/mailman/listinfo/pptp-server
>List services provided by www.schulteconsulting.com!

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

More information about the pptp-server mailing list