[pptp-server] RE: PAM is a very bad fit for pppd

Steve Langasek vorlon at netexpress.net
Fri Nov 30 11:29:37 CST 2001


Vladimir,

On Fri, Nov 30, 2001 at 11:13:11AM -0600, Vladimir Strezhnev wrote:

> Could you (or anybody on the list) explain more specifically why it is so.
> We're using ppp pam module on Linux dialup server, which (the module) is  
> configured to authenticate - via pam_winbind.so - on W2K Domain Controller.
> All accounts on W2K DC that are not in the embargo file checked by 
> pam_listfile.so module are able to use dialup.

> (It is nothing to do with pptp - just plain dialup ppp with pap 
> authentication)

> Do you think it is insecure and why?

There's nothing wrong with using PAM for PPP authentication if it fits
your needs.  However, PAM is a general-purpose plugin API that gives
little information back to the application; it basically answers the
question, "is this user who he says he is?"  This means any application
which needs more information back from its authentication modules can't
use standard PAM modules, and therefore probably shouldn't use PAM as an
API.

The first place where this limit affects pppd is when you want the
remote IP address to be assigned by the authenticator (this is the whole
reason my employer wants to use RADIUS).  pppd's PAP plugins can do
this, but PAM modules cannot.  The second problem is when you want to do
CHAP authentication, which is required for pptp encryption (and not just
any CHAP, but MSCHAPv2).  Stuffing CHAP handshaking into a PAM module
would be /possible/, but it would also be painful -- and you *still*
wouldn't have IP address assignment.

PAM is great technology, but it doesn't fit every problem.

Steve Langasek
postmodern programmer
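An added illustration (example code, not from the reply above or from pppd) of the API mismatch Steve describes: a PAP-style hook receives a cleartext password and can hand back an address alongside the verdict, while a CHAP-style hook (modelled here with RFC 1994 MD5-CHAP, not MS-CHAPv2) receives only a challenge/response pair and must recompute the digest from a secret it holds itself, which is nothing a PAM password conversation can carry. The account store and embargo set are constructed sample data.

```python
import hashlib
import secrets

# Constructed sample account store: user -> (cleartext secret, IP to assign).
# Stands in for the DC-backed store from the post; values are made up.
ACCOUNTS = {"alice": (b"s3cret-pw", "10.0.0.2")}
# Stands in for the pam_listfile.so embargo file.
EMBARGO = {"mallory"}

def pap_auth(user, passwd):
    """PAP-style hook: receives the cleartext password, so it could forward it
    through a PAM conversation. Returns (ok, ip); PAM itself only returns ok."""
    if user in EMBARGO or user not in ACCOUNTS:
        return False, None
    secret, ip = ACCOUNTS[user]
    ok = secrets.compare_digest(passwd, secret)
    return ok, (ip if ok else None)

def chap_response(ident, secret, challenge):
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge).
    MS-CHAPv2 uses a different construction and is not modelled here."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(user, ident, challenge, response):
    """CHAP-style hook: never sees the password, only the challenge/response
    pair. Nothing here fits PAM's password prompt; the verifier itself must
    hold the secret and recompute the digest."""
    if user in EMBARGO or user not in ACCOUNTS:
        return False, None
    secret, ip = ACCOUNTS[user]
    ok = secrets.compare_digest(chap_response(ident, secret, challenge), response)
    return ok, (ip if ok else None)

def chap_exchange(user, peer_secret, ident=1):
    """Both sides of one CHAP round: server issues a random challenge, the peer
    answers with its own copy of the secret, the server verifies."""
    challenge = secrets.token_bytes(16)
    response = chap_response(ident, peer_secret, challenge)
    return chap_verify(user, ident, challenge, response)
```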