%PDF- %PDF-
Direktori : /usr/share/doc/ppp/ |
Current File : //usr/share/doc/ppp/README.MSCHAP81 |
PPP Support for Microsoft's CHAP-81 =================================== Frank Cusack frank@google.com Some text verbatim from README.MSCHAP80, by Eric Rosenquist, rosenqui@strataware.com INTRODUCTION First, please read README.MSCHAP80; almost everything there applies here. MS-CHAP was basically devised by Microsoft because rather than store plaintext passwords, they (Microsoft) store the md4 hash of passwords. It provides no advantage over standard CHAP, since the hash is used as plaintext-equivalent. (Well, the Change-Password packet is arguably an advantage.) It does introduce a significant weakness if the LM hash is used. Additionally, the format of the failure packet potentially gives information to an attacker. The weakness of the LM hash is partly addressed in RFC 2433, which deprecates its use. MS-CHAPv2 adds 2 benefits to MS-CHAP. (1) The LM hash is no longer used. (2) Mutual authentication is required. Note that the mutual authentication in MS-CHAPv2 is different than the case where both PPP peers require authentication from the other; the former proves that the server has access to the client's password, the latter proves that the server has access to a secret which the client also has -- which may or may not be the same as the client's password (but should not be the same, per RFC 1994). Whether this provides any actual benefit is outside the scope of this document. The details of MS-CHAPv2 can be found in the document: <http://www.ietf.org/rfc/rfc2759.txt> BUILDING THE PPPD In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1 hash algorithm. A public domain implementation is provided with pppd. TROUBLESHOOTING Assuming that everything else has been configured correctly for PPP and CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly related to your Windows NT account and its settings. A Microsoft server returns error codes in its CHAP response. The following are extracted from RFC 2759: 646 ERROR_RESTRICTED_LOGON_HOURS 647 ERROR_ACCT_DISABLED 648 ERROR_PASSWD_EXPIRED 649 ERROR_NO_DIALIN_PERMISSION 691 ERROR_AUTHENTICATION_FAILURE 709 ERROR_CHANGING_PASSWORD You'll see these in your pppd log as a line similar to: Remote message: E=649 No dialin permission Previously, pppd would log this as: Remote message: E=649 R=0 Now, the text message is logged (both for MS-CHAP and MS-CHAPv2).