[pptp-server] Patch blank password/username

Robert Dege rcd at amherst.com
Tue Mar 6 08:53:27 CST 2001


Not sure if anybody tried this or not, but Livingstone's extra patch 
doesn't work correctly.  I couldn't log on using DUN whether I was 
supplying a user/passwd or not.  PPP was acting as if my USER field was 
always NULL.  I kept getting an error message in the logs ("no secret in 
samba secret file /etc/smbpasswd").  Once I replaced auth.c with the 
original & recompiled, everything worked great.

I tried using Justin's patch with my Win98 Laptop, and everything worked 
as expected.

user/pass      --> access
blank/pass    --> deny
blank/blank  --> deny
user/blank    --> deny

Great job!

-Rob

Godfrey Livingstone wrote:

> Justin, your patch does work, but the attached patch is tidier: as soon as a match is
> found in smbpasswd then the while loop exits. This also saves time if smbpasswd is
> large.
> 
> I then check to see if smb == NULL; if so, then there is no match in the smbpasswd file,
> so skip to the next line of chap-secrets. No need to make up a secret which may
> potentially match (I know the chance of that is very very small).
> 
> Godfrey
> 
> Justin Kreger wrote:
> 
>> In short, different means of authentication.  It may use the password file,
>> but it does not interact with samba's daemon processes.
>> 
>> As for fixing this problem, I have written a patch.
>> 
>> It fixes the two problems, the blank login/password problem, and the
>> unknown user/blank password problem.
>> 
>> Please TEST this ASAP with win9x. Both my win9x boxen think that they should
>> be only talking in CHAP, not MSCHAP, and I can't seem to find msdun128.exe
>> to fix it.
>> 
>> (This patch was tested on linux 2.2.16, with ppp-2.3.11, and tested with
>> Windows NT Server 4, Service Pack 6)
>> 
>> -Justin Kreger, MCP MCSE
>> 
>> -----Original Message-----
>> From: robert
>> To: Cowles, Steve; pptp-server at lists.schulte.org
>> Sent: 3/2/01 9:24 PM
>> Subject: Re: [pptp-server] Yes, blank username/password works!
>> 
>> I'm wondering if anyone has considered that if you have a good guest account
>> for samba, then samba will use that if a bad username/password is sent.
>> 
>> Blank would definitely count as bad.  I use blank password to list shares,
>> i.e. smbclient -L somemachine and just hit enter when asked for a password.
>> Logs show guest account is used and I do get the listing.  Could someone
>> having this problem try disabling the guest account and seeing if the problem
>> goes away?
>> 
>> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
>> 
>>>> -----Original Message-----
>>>> From: Dread Boy [mailto:dreadboy at hotmail.com]
>>>> Sent: Friday, March 02, 2001 1:37 AM
>>>> To: pptp-server at lists.schulte.org; vgill at technologist.com
>>>> Subject: RE: [pptp-server] Yes, blank username/password works!
>>>> 
>>>> 
>>>> Yeah, and on top of all this it doesn't seem to matter what I
>>>> log in as, my username and password don't get carried over to
>>>> SAMBA for authenticating with server shares.
>>> 
>>> Let's make sure we are comparing apples to apples here. The
>>> username/password that you specify in your windows PPTP dialup profile has
>>> NEVER been carried over for share access. Please keep the following in
>>> mind...
>>> 
>>> 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup profile
>>> to authenticate the tunnel connection ONLY.
>>> 
>>> 2) Share access uses the user/pass that you specified when you turned on
>>> your PC and logged in to get to your desktop. FWIW: This same user/pass can
>>> be specified in your PPTP dialup profile to be used to authenticate the
>>> PPTP tunnel.
>>> 
>>>> i.e.  Whether I use a valid username/password or the blank, I
>>>> still can not access resources (or possibly ACLs) on the
>>>> servers even with valid usernames.  On my local LAN it's no
>>>> problem, but remotely, it doesn't seem to know who I am while
>>>> I'm logged on.
>>>> 
>>>> For example, when I click a share locally on my SAMBA server,
>>>> I can get into it and have certain rights based on my username/
>>>> password.  I don't even have to think about it. "security =
>>>> user" in /etc/smb.conf. However, when I log in remotely with
>>>> Windoze using my PPTPD Linux server, when I even try to access
>>>> the server itself (let alone the share) it keeps asking me for
>>>> the IPC$ administration password as if it was an NT server.
>>>> It doesn't matter what I enter here, I can't get any farther.
>>> 
>>> From the samba docs...
>>> 
>>> Some people find browsing fails because they don't have the global
>>> "guest account" set to a valid account.  Remember that the IPC$
>>> connection that lists the shares is done as guest, and thus you must
>>> have a valid guest account.
>>> ----------------------------
>>> 
>>> Also, is the PPTP client's WORKGROUP participation set to match what the
>>> clients on the LAN are configured to?
>>> 
>>>> Does PPTPD know my SMB username but not my password, or vice
>>>> versa?  I thought maybe because it was encrypted using
>>>> libsmbpw.so that maybe it couldn't figure it out, but then
>>>> using chap-secrets plain-text passwords don't cut it either.
>>>> 
>>>> Anyone know what this is all about?
>>>> 
>>>> Geez, I thought this whole PPTPD Linux server was gonna be at
>>>> least a weekend of work, but it's turning out to be months
>>>> worth of work.
>>> 
>>> With regards to the "subject" line of this thread... let's make sure we are
>>> comparing apples to apples here. I'd hate to see PopTop/PPPD get the
>>> reputation of being insecure without the following clarification being
>>> noted.
>>> 
>>> 1) If you have configured your PopTop/PPPD system to re-direct PPTP tunnel
>>> authentication to use the libsmbpw.o libs (smbpasswd), then your system
>>> appears to be vulnerable to the blank user/pass exploit mentioned in this
>>> thread.
>>> 
>>> 2) Those of you who are still using the chap-secrets file (no re-direct)
>>> for tunnel authentication are NOT vulnerable to the blank user/pass exploit
>>> mentioned in this thread. I just verified this on my PopTop server! I do
>>> not use the re-direct to libsmbpw.o
>>> 
>>> Steve Cowles
>>> _______________________________________________
>>> pptp-server maillist  -  pptp-server at lists.schulte.org
>>> http://lists.schulte.org/mailman/listinfo/pptp-server
>>> List services provided by www.schulteconsulting.com!
>> 
>>   ------------------------------------------------------------------------
>>                              Name: smbpasswdauthfix.patch
>>    smbpasswdauthfix.patch    Type: unspecified type (application/octet-stream)
>>                          Encoding: quoted-printable
>> 
>> 
>> ------------------------------------------------------------------------
>> 
>> --- ppp-2.3.11/pppd/auth.c.org	Mon Mar  5 12:19:41 2001
>> +++ ppp-2.3.11/pppd/auth.c	Mon Mar  5 12:31:54 2001
>> @@ -1871,10 +1871,15 @@
>>  		) {
>>  		memcpy(word, smbname, NTPASS);
>>  		word[NTPASS]='\000';
>> +		break;
>>  	    }
>>  
>>        }
>>        endsmbpwent();
>> +      if (smb == NULL) {
>> +	  warn("no secret in samba secret file %s", atfile);	
>> +	  continue;
>> +	  }	  
>>      }
>>  #endif
>>  	if (secret != NULL)
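Review bot: The smb == NULL test added after endsmbpwent() only separates "no match" from "matched" if smb still refers to the matched entry once the loop has been left through the new break; the loop header and most of the match condition are outside this hunk, so that cannot be confirmed from these lines, and the report at the top of this thread describes this same warning ("no secret in samba secret file /etc/smbpasswd") being logged for logins that supplied a user and password. Consider setting a dedicated found flag beside the new break and testing that flag after endsmbpwent(), so the skip does not depend on how the loop cursor is assigned or on its state after the file has been closed. Nothing in these lines rejects an empty client name explicitly either; a check before the scan would make the blank-user denial independent of the file's contents. Minor: the warn(...) line and the closing brace of the new if carry trailing whitespace, and that brace is indented to the body level rather than to the if.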
>> blank_passwd_fix.diff
>> 
>> Content-Type: text/plain
>> Content-Encoding: 7bit
>> 
>> 
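The lookup behaviour this thread converges on (stop at the first match, skip when there is no usable secret, and the four outcomes in Rob's table), as an added C example that is not pppd's auth.c or either poster's patch. The names lookup_secret, check_login and sample_db, the sample entries and the 32-character hash length are assumptions made for illustration, and the direct hash comparison stands in for the CHAP/MS-CHAP exchange.

```c
#include <stddef.h>
#include <string.h>

#define HASHLEN 32  /* assumed: hex characters of one stored hash */

struct entry { const char *name; const char *hash; };

/* Constructed sample data, not a real smbpasswd file. */
static const struct entry sample_db[] = {
    { "alice", "0123456789ABCDEF0123456789ABCDEF" },
    { "nopw",  "" },                    /* account with no hash set */
};
#define SAMPLE_N (sizeof sample_db / sizeof sample_db[0])

/* Copy the stored hash for client into out; return 1 only on a usable match. */
int lookup_secret(const char *client, const struct entry *db, size_t n,
                  char out[HASHLEN + 1])
{
    int found = 0;                      /* explicit flag, not the loop cursor */
    out[0] = '\0';
    if (client == NULL || client[0] == '\0')
        return 0;                       /* blank user never matches */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(db[i].name, client) != 0)
            continue;
        if (strlen(db[i].hash) == HASHLEN) {   /* refuse empty/short hashes */
            memcpy(out, db[i].hash, HASHLEN);
            out[HASHLEN] = '\0';
            found = 1;
        }
        break;                          /* first name match ends the scan */
    }
    return found;
}

/* 1 = access, 0 = deny. presented stands in for what the peer proves. */
int check_login(const char *client, const char *presented)
{
    char secret[HASHLEN + 1];
    unsigned char diff = 0;
    if (!lookup_secret(client, sample_db, SAMPLE_N, secret))
        return 0;                       /* no secret: skip, never compare */
    if (presented == NULL || strlen(presented) != HASHLEN)
        return 0;
    for (size_t i = 0; i < HASHLEN; i++)       /* compare without early exit */
        diff |= (unsigned char)(secret[i] ^ presented[i]);
    return diff == 0;
}
```
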



