[pptp-server] Yes, blank username/password works!

Robert Dege rcd at amherst.com
Fri Mar 2 15:26:12 CST 2001 

Would it be possible to add an entry to chap-secrets, creating a NULL 
user, and assign a passwd?  Just as a temporary workaround?

-Rob

Justin Kreger wrote:

> It would not be hard to write a patch to fix the smbpasswd authetication.
> 
> Now that I think about it, It could authenticate with MSChap and MSChapV2
> with no login and password.  If no secret is found with PAP, it kills the
> authentication process right then and there, but chap just keeps on going.
> 
> -----Original Message-----
> From: Dread Boy [mailto:dreadboy at hotmail.com]
> Sent: Friday, March 02, 2001 2:13 PM
> To: pptp-server at lists.schulte.org; Steve at SteveCowles.com
> Subject: RE: [pptp-server] Yes, blank username/password works!
> 
> 
> You are correct, Steve.  I was failing to put in my login username/password.
> 
>   I was assuming (ASS-outta-U-and-Me-ING) that the dial-up name and password
> 
> would do the trick.
> 
> It was apples to oranges.
> 
> And again, that's correct, using chap-secrets is fine - it's only when using
> 
> libsmbpw that problems arise for the blank user/password deal...  Which is a
> 
> real drag since I hope hoping to keep user list maintenance synced for ease 
> of use.
> 
>> From: "Cowles, Steve" <Steve at SteveCowles.com>
>> To: pptp-server at lists.schulte.org
>> Subject: RE: [pptp-server] Yes, blank username/password works!
>> Date: Fri, 2 Mar 2001 11:19:11 -0600
>> 
>>> -----Original Message-----
>>> From: Dread Boy [mailto:dreadboy at hotmail.com]
>>> Sent: Friday, March 02, 2001 1:37 AM
>>> To: pptp-server at lists.schulte.org; vgill at technologist.com
>>> Subject: RE: [pptp-server] Yes, blank username/password works!
>>> 
>>> 
>>> Yeah, and on top of all this it doesn't seem to matter what I
>>> log in as, my username and password don't get carried over to
>>> SAMBA for authenticating with server shares.
>> 
>> Lets make sure we are comparing apples to apples here. The 
>> username/password
>> that you specify in your windows PPTP dialup profile has NEVER been carried
>> over for share access. Please keep the following in mind...
>> 
>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
>> to authenticate the tunnel connection ONLY.
>> 
>> 2) Share access uses the user/pass that you specified when you turned on
>> your PC and logged in to get to your desktop. FWIW: This same user/pass can
>> be specified in your PPTP dialup profile to be used to authenticate the 
>> PPTP
>> tunnel.
>> 
>>> i.e.  Whether I use a valid username/password or the blank, I
>>> still can not access resources (or possibly ACLs) on the
>>> servers even with valid usernames.  On my local LAN it's no
>>> problem, but remotely, it doesn't seem to know who I am while
>>> I'm logged on.
>>> 
>>> For example, when I click a share locally on my SAMBA server,
>>> I can get into it and have certain rights based on my username/
>>> password.  I don't even have to think about it. "security =
>>> user" in /etc/smb.conf. However, when I log in remotely with
>>> Windoze using my PPTPD Linux server, when I even try to access
>>> the server itself (let alone the share) it keeps asking me for
>>> the IPC$ administration password as if it was an NT server.
>>> It doesn't matter what I enter here, I can't get any farther.
>> 
> >From the samba docs...
> 
>> Some people find browsing fails because they don't have the global
>> "guest account" set to a valid account.  Remember that the IPC$
>> connection that lists the shares is done as guest, and thus you must
>> have a valid guest account.
>> ----------------------------
>> 
>> Also, is the PPTP clients WORKGROUP participation set to match what the
>> clients on the LAN are configured to?
>> 
>>> Does PPTPD know my SMB username but not my password, or vice
>>> versa?  I thought maybe because it was encrypted using
>>> libsmbpw.so that maybe it couldn't figure it out, but then
>>> using chap-secrets plain-text passwords don't cut it either.
>>> 
>>> Anyone know what this is all about?
>>> 
>>> Geez, I thought this whole PPTPD Linux server was gonna be at
>>> least a weekend of work, but it's turning out to be months
>>> worth of work.
>>> 
>> With regards to the "subject" line of this thread... lets make sure we are
>> comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>> reputation of being insecure without the following clarification being
>> noted.
>> 
>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
>> authentication to use the libsmbpw.o lib's (smbpasswd), then your system
>> appears to be vulnerable to the blank user/pass exploit mentioned in this
>> thread.
>> 
>> 2) Those of you who are still using the chap-secrets file (no re-direct) 
>> for
>> tunnel authentication are NOT vulnerable to the blank user/pass exploit
>> mentioned in this thread. I just verified this on my PopTop server! I do 
>> not
>> use the re-direct to libsmbpw.o
>> 
>> Steve Cowles
>> _______________________________________________
>> pptp-server maillist  -  pptp-server at lists.schulte.org
>> http://lists.schulte.org/mailman/listinfo/pptp-server
>> List services provided by www.schulteconsulting.com!
> 
> 
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
> 
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
> 
> 
>

More information about the pptp-server mailing list