66 lines
2.4 KiB
Plaintext
66 lines
2.4 KiB
Plaintext
PPP Support for Microsoft's CHAP-81
|
|
===================================
|
|
|
|
Frank Cusack frank@google.com
|
|
|
|
Some text verbatim from README.MSCHAP80,
|
|
by Eric Rosenquist, rosenqui@strataware.com
|
|
|
|
INTRODUCTION
|
|
|
|
First, please read README.MSCHAP80; almost everything there applies here.
|
|
MS-CHAP was basically devised by Microsoft because rather than store
|
|
plaintext passwords, they (Microsoft) store the md4 hash of passwords.
|
|
It provides no advantage over standard CHAP, since the hash is used
|
|
as plaintext-equivalent. (Well, the Change-Password packet is arguably
|
|
an advantage.) It does introduce a significant weakness if the LM hash
|
|
is used. Additionally, the format of the failure packet potentially
|
|
gives information to an attacker. The weakness of the LM hash is partly
|
|
addressed in RFC 2433, which deprecates its use.
|
|
|
|
MS-CHAPv2 adds 2 benefits to MS-CHAP. (1) The LM hash is no longer
|
|
used. (2) Mutual authentication is required. Note that the mutual
|
|
authentication in MS-CHAPv2 is different than the case where both PPP
|
|
peers require authentication from the other; the former proves that
|
|
the server has access to the client's password, the latter proves that
|
|
the server has access to a secret which the client also has -- which
|
|
may or may not be the same as the client's password (but should not be
|
|
the same, per RFC 1994). Whether this provides any actual benefit is
|
|
outside the scope of this document. The details of MS-CHAPv2 can be
|
|
found in the document:
|
|
|
|
<http://www.ietf.org/rfc/rfc2759.txt>
|
|
|
|
|
|
BUILDING THE PPPD
|
|
|
|
In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1
|
|
hash algorithm. A public domain implementation is provided with pppd.
|
|
|
|
|
|
TROUBLESHOOTING
|
|
|
|
Assuming that everything else has been configured correctly for PPP and
|
|
CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly
|
|
related to your Windows NT account and its settings. A Microsoft server
|
|
returns error codes in its CHAP response. The following are extracted from
|
|
RFC 2759:
|
|
|
|
646 ERROR_RESTRICTED_LOGON_HOURS
|
|
647 ERROR_ACCT_DISABLED
|
|
648 ERROR_PASSWD_EXPIRED
|
|
649 ERROR_NO_DIALIN_PERMISSION
|
|
691 ERROR_AUTHENTICATION_FAILURE
|
|
709 ERROR_CHANGING_PASSWORD
|
|
|
|
You'll see these in your pppd log as a line similar to:
|
|
|
|
Remote message: E=649 No dialin permission
|
|
|
|
Previously, pppd would log this as:
|
|
|
|
Remote message: E=649 R=0
|
|
|
|
Now, the text message is logged (both for MS-CHAP and MS-CHAPv2).
|
|
|