[pptp-server] Windows sends "\\" in the login - chap-secrets

Gill, Vern vgill at technologist.com
Thu May 17 17:42:11 CDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On my site, and others, there is a patch for ppp-2.4.x that will
strip the domain name, as well as add mppe, require-mppe, and
smbpasswd authentication for pppd. Go to http://linus.yi.org, and
click the PPP tab at the top. smbpasswd is a great place for
passwords, as it allows them to be encrypted on-disk, as well as
allowing users to change them via samba. Check it out.

PGP Signed! Why?

"If all the personal computers in the world -
~260 million computers - were put to work on a
single PGP-encrypted message, it would still
take an estimated 12 million times the age of
the universe, on average, to break a single message."

- - William Crowell,
Deputy Director of the
National Security Agency, in testimony to the
U.S. Congress, March 20, 1997

- -----Original Message-----
From: Neale Banks [mailto:neale at lowendale.com.au]
Sent: Tuesday, May 15, 2001 3:25 PM
To: Jose de Paula E. Junior
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] Windows sends "\\" in the login -
chap-secrets


On Tue, 15 May 2001, Jose de Paula E. Junior wrote:

> I'm using poptop in my ISP, and I have 120 clients using the system
> right now. Poptop is doing the job fine.
>
> But, sometimes, the Windows clients start to send a \\ before the
> login, and the client can't connect (no MSCHAP found for
> authenticating \\client...)
>
> Has anybody seen this happening? Solutions?

As has been pointed out, this is a known "challenge" and there are
patches around to strip this cruft (sorry, don't have a pointer at
hand).

> And about chap-secrets, can pppd only authenticate using this
> file? It's really hard to make programs that manipulate the
> chap-secrets, and my clients want to change passwords and things
> like this via a web interface or something like that...

With CHAP, the absolute requirement is that the CHAP routines have the
plaintext password available - as you've pointed out pppd's
out-of-the-box answer to this is the chap-secrets file.  It's also a
Good Idea to protect these plaintexts from prying eyes ;-)

In theory, you should be able to substitute any other mechanism
(obviously paying due respect to security) so long as it returns said
plaintext password.  Whilst conventional PAM is not an answer (AFAIK it
returns success or failure rather than the password) it looks to me
that it should be possible to write what might be called "Pluggable
Chap Modules" - each module having a different back-end access to the
plaintext.

HTH,
Neale.

_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOwRROheamMdwy9TXEQK0rQCggyDul5BYawEZMInA24/V17ZphlIAn3/t
a4JEchAz34XxIPXtih68BRdE
=RBW7
-----END PGP SIGNATURE-----
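
An added example, not code from this thread, from pppd, or from the patch mentioned above: it strips the "\\" or DOMAIN\ prefix before the secrets lookup and verifies a plain CHAP response (MD5, RFC 1994), which shows why the verifier has to hold the secret itself. Assumptions: all function names are hypothetical, the secrets text and challenge are constructed samples, and plain CHAP is used rather than the MS-CHAP the Windows clients in the thread negotiate.

```python
import hashlib
import hmac
import shlex

# Constructed sample in pppd's chap-secrets layout: client server secret IPs
SAMPLE_SECRETS = '''
# client   server   secret          IP addresses
alice      *        "s3cret pass"   *
bob        pptpd    hunter2         10.0.0.12
'''

def normalize_peer_name(name):
    # Keep only what follows the last backslash: \\user and DOMAIN\user -> user
    return name.rsplit("\\", 1)[-1]

def load_secrets(text):
    """Map client name -> plaintext secret (bytes); comment lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3:
            table[fields[0]] = fields[2].encode()
    return table

def chap_md5_response(identifier, secret, challenge):
    """RFC 1994 response: MD5(Identifier octet || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def verify(secrets, peer_name, identifier, challenge, response):
    """Recompute the response from the stored secret and compare."""
    secret = secrets.get(normalize_peer_name(peer_name))
    if secret is None:
        return False
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    secrets = load_secrets(SAMPLE_SECRETS)
    challenge = bytes(range(16))   # constructed; a real server sends random bytes
    reply = chap_md5_response(1, b"hunter2", challenge)   # computed by the peer
    print(verify(secrets, "\\\\bob", 1, challenge, reply))
    # A store holding only a one-way hash cannot rebuild the expected response.
    hashed = {"bob": hashlib.sha256(b"hunter2").digest()}
    print(verify(hashed, "bob", 1, challenge, reply))
```

Any back-end that replaces the flat file has to hand `verify` the same secret bytes, so that store needs the same protection as chap-secrets.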


