[Fwd: [pptp-server] PATCHES to allow MS-Chap v2 auth using Xtradius]

Jerry Vonau jvonau at home.com
Sun Oct 7 14:07:57 CDT 2001

Found this in my mail; it may help, may not...

James MacLean wrote:
> Hi Folks,
> Second in the series of hacks to get MSChap v2 authentication out of
> chap-secrets and into somewhere easier to maintain :). Uses MySQL via 2
> simplistic perl scripts to add/modify users and access rules.
> No, this is not for the pizza :(.
> Please find for your development pleasure a combination of patches and
> scripts at :
> http://www.ednet.ns.ca/~macleajb/chap_crap-0.2.tgz
> The README is brief. The chances of cleanly installing it at this time are
> probably not above 60%. But don't let that stop you.
> When working, it will allow you to run a modified pppd which will use an
> xtradius server to get the NtHash password and use it for authentication.
> It will also send accounting start/stop to the server which can be used to
> setup filter rules, etc...
> It also includes the smbpasswd patches from the first effort.
> It still uses the rule that if a password is 32 bytes, it will use it as
> an NtHash password.
> The communication with the radius server is not the right way to do it.
> The authenticate request call always succeeds if the user exists and then
> returns with the NtHash in a CALLBACK response pair. I believe the more
> correct method would have been to send to the radius server a
> challenge/response and if valid return the same, but I took the short cut
> to see if I could get something working.
> One benefit of these patches/scripts is that it allows you to authorize
> access to only specific resources by making the accounting start/stop
> procedures of Xtradius build filters from the rules stored in a database.
> This system expects to give each user their own IP at this time.
> Later,
> --
> James B. MacLean        macleajb at ednet.ns.ca
> Department of Education http://www.ednet.ns.ca/~macleajb
> Nova Scotia, Canada
> B3M 4B2
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulte.org!

The link still works!!!  

Here is the readme file:

* Chap Crap : 
* Hack to allow pppd to do
* MS Chap v2 authentication using smbpasswd file and/or xtradius
* with the emphasis on xtradius.
* Radius to also be used for setting up access rules using filtering
* tools like ipchains.
* 2000-05-16 : James B. MacLean (macleajb at ednet.ns.ca)


You have many sites (or not) that each have a secure tunnel 
back to your business network. You wish to allow access from these
but can not trust their local network to be free from sniffing.

You wish to allow access to resources be controlled by user profiles so
access via the network to a resource is only granted if the signon
has that resource included in their profile. Traffic to other resources
is blocked from them. Perhaps an example is giving a consultant access
to only one box that they are working on, instead of the current
option of either letting them on your network, or not.

These remote users would make a PPTP connection to the remote PPPD
which authenticates then via the central xtradius server and brings up
a link between them and the resources they wish to access. That remote 
client can then be a Windows(tm) platform with MS Chap v2/MPPE 128bit
stateless encryption.

Resources are allowed or removed using a WWW interface to update a
MySQL database.


. Remote user with PPTP requests connection to PPTPD.
. PPTPD uses modified PPPD to contact Xtradius on protected host 
  at other end of tunnel (or on same box).
. Xtradius returns NtHash for PPPD to authenticate user with.
. If authentication is successful, accounting start request
  is sent to Xtradius, which it uses to run external script
  radrules.pl that creates rules to allow / restrict user access.
. These rules are read and applied from a MySQL database.
. Remote user then works by being connected in a controlled
  manner to protected network.
. Remote user logs off.
. PPPD sends accounting stop to Xtradius which again runs
  radrules.pl to remove filter rules, and update accounting
  on MySQL database.


Instructions in short form to get mschap_v2 authentication using
server, or to use smbpasswd file for same.

You need to have already installed and configured :

. radiusclient : http://www.cityline.net/~lf/radius/ 
. libsmbpw : http://www.mssl.ucl.ac.uk/~atp/comp/libsmb/
. MySQL as a database to use for userids : http://www.mysql.org/
. pptpd : http://www.moretonbay.com/vpn/pptp.html
. Others?

Then get :

. xtradius : http://www.xtradius.com/ 
. ppp-2.3.11 with MSCHAP/MPPE patches applied :
ftp://ftp.linuxcare.com.au/pub/ppp/ + patches from ?
. AuthAccount : http://www.xtradius.com/download/AuthAccount-1.0.tar.gz

and recompile after applying the patches from this directory. There should be
one for each application. You should look at each patch to see if you need all
the changes that I made.

Make ntpasswd :

gcc -g -o ntpasswd ntpasswd.c -L. -lsmbpw

and install where user.pl (discussed below) can access it to make
NtPasswds from user

Use the database table layouts in radius.sql to create your MySQL
(It is a little different from the AuthAccount setup). This step will
also likely involve setting up a user/password for this project.

Modify your /etc/raddb/users file to use the external checkmysql and 
radrules.pl. See users.sample file.

Make changes to radrules.pl and put somewhere protected (mod 700 ?) as it will be
called when a person logs in and again when they log out.

Get access to rules.pl and user.pl via a webpage and use them for
users, and modifying rules. Uses DBI::MySQL and CGI.pm stuff for perl.
User.pl shows two passwds. The first one is not used. The second one gets
translated to an NtHash once saved (still more work to do here :)).

Modify /etc/ppp/chap-secrets to have a line like :
*	*	!nothing	*
for access using xtradius or :
*	*	&/etc/smbpasswd *
if you only want access using /etc/smbpasswd hashes

*** Notes ***

. Currently only using NtHashes.

. Currently hacked so that it expects that if the password is 32 bytes,
  then it must be an NtHash.

. Currently missing scripts to route traffic between remote signin point
  and local authenticating server.



Hope it helps 

Jerry Vonau

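As a second added example (not the README's radrules.pl, which is not on this page), the following Python shows the accounting side of the design: on an Acct-Status-Type Start the resources in a user's profile become per-user ipchains ACCEPT rules followed by a DENY catch-all, and on Stop the same rules are deleted. The rules table, the addresses and the one-IP-per-user convention the README mentions are constructed for the example; the ipchains form used (`-A`/`-D forward`, `-s`/`-d addr port`, `! -y` for non-SYN TCP) is standard ipchains syntax.

```python
"""Added example, not the README's radrules.pl: the ipchains rules an accounting
Start creates and an accounting Stop removes for one PPTP session. The rules
table and addresses are constructed for this example."""

# Constructed stand-in for the MySQL rules table: user -> allowed (host, proto, port)
RULES = {
    "consultant": [("192.168.10.25", "tcp", 22)],
    "alice": [("192.168.10.40", "tcp", 445), ("192.168.10.53", "udp", 53)],
}


def session_rules(user: str, user_ip: str, rules: dict = RULES) -> list:
    """ipchains arguments (without -A/-D) for one session: the user's ACCEPTs first,
    then a DENY both ways, so a user with no profile ends up with only the DENY."""
    out = []
    for host, proto, port in rules.get(user, []):
        # user -> resource
        out.append(f"forward -p {proto} -s {user_ip} -d {host} {port} -j ACCEPT")
        # replies resource -> user; for TCP only non-SYN packets, because ipchains is
        # stateless and the resource must not be able to open connections to the client
        syn = "! -y " if proto == "tcp" else ""
        out.append(f"forward -p {proto} {syn}-s {host} {port} -d {user_ip} -j ACCEPT")
    out.append(f"forward -s {user_ip} -j DENY")
    out.append(f"forward -d {user_ip} -j DENY")
    return out


def accounting_event(status: str, user: str, user_ip: str, rules: dict = RULES) -> list:
    """Map a RADIUS Acct-Status-Type to ipchains commands: Start appends, Stop deletes.
    Stop deletes in the same order, ACCEPTs before the DENYs, so the session is never
    more permitted during teardown than it was while active."""
    if status == "Start":
        return ["ipchains -A " + r for r in session_rules(user, user_ip, rules)]
    if status == "Stop":
        return ["ipchains -D " + r for r in session_rules(user, user_ip, rules)]
    raise ValueError(f"unhandled Acct-Status-Type {status!r}")


if __name__ == "__main__":
    for cmd in accounting_event("Start", "consultant", "10.8.0.5"):
        print(cmd)
    for cmd in accounting_event("Stop", "consultant", "10.8.0.5"):
        print(cmd)
```

A real radrules.pl would run these commands rather than print them, and would look the rules up in MySQL; the part worth copying is the shape of the rule set, in particular the fail-closed DENY pair and the SYN restriction on the reverse rules.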