[pptp-server] pppd authentication via system passwords?

Charlie Brady charlieb at e-smith.com
Fri May 18 18:56:35 CDT 2001


On Sat, 19 May 2001, Joost Bijl wrote:

> Currently I'm working on a project which involves some VPN parts.
>
> I can't get it to work for the pppd to authenticate its users to the local passwd database.
> There are patches around which will authenticate against a SMB server, but that's not a real option.

What you're asking isn't really possible.

The Mickysoft PPTP client authenticates using MSCHAPv2, that is, version
two of a Microsoft specific version of CHAP. That protocol doesn't send
the plaintext version of the password, but instead uses a cryptographic
handshake that verifies that the server and client both have a copy of the
NT hash of the plaintext password. pppd cannot calculate the NT hash
without the plaintext, but it needs it both for authentication (although
it can ask samba to do the authentication) and to initialise the keys used
in MPPE encryption.

This state of events will probably make it impossible for a PopTop server
to authenticate against an NT PDC - what you are asking it to do is to
become a man-in-the-middle, and the protocols are designed to prevent
that.

At least, that's my understanding. Correct me if I am wrong.

-- 

  Charlie Brady                         charlieb at e-smith.com
  http://www.e-smith.org (development)  http://www.e-smith.com (corporate)
  Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
  e-smith, inc. 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada
