[pptp-server] MSCHAPv2 + PPTP + RADIUS + Samba... guidance sought.
Steve Langasek
vorlon at netexpress.net
Sun Oct 7 19:41:36 CDT 2001
On Sun, 7 Oct 2001, Josh Howlett wrote:
> We're doing the same thing - running PPTP over 802.11 w/ no WEP and
> using MPPE for security (actually PPTP over PPPoE over 802.11). It
> works great.
> We initially wanted it to integrate with our NT authentication, but you
> can't backend CHAP onto RADIUS via PAM. So, we then looked at dumping
> the NT password hashes into Samba passwd format, and using the smb
> poptop patch. But, it turns out MS-CHAP-v2 is vulnerable to a
> dictionary attack, so we dumped that (it worked :( ) in favour of
> mandatory random 10 character random passwords. Yeah, the users loved
> it!
Hmm, it seems self-evident to me that any security built on top of user-chosen
passwords is vulnerable to a dictionary attack. Even so, I admit I hadn't
given much thought to this. There are still significant advantages for us if
we can integrate this both with our RADIUS server and our NT domain, so we'll
probably address the security questions by using centrally-assigned passwords.
> I'm in the process of knocking up a CDROM distribution that provides
> this functionality - let me know if'd you'd like an ISO.
If it doesn't make use of RADIUS and NT auth, I'm not sure how much use it
would be to me. Thanks for the offer, though. :)
Regards,
Steve Langasek
postmodern programmer
More information about the pptp-server
mailing list