Página Principal Explorar Ajuda
Iniciar Sessão
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ramo: master
Ramos Etiquetas
csu3_am335x
/
EVSE
/
GPL
/
ppp-2.4.7
/
README.MSCHAP81

README.MSCHAP81 2.4 KB
Link permanente Histórico Em bruto

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. PPP Support for Microsoft's CHAP-81
    2. 

  2. ===================================
    3. 

  3. 

  4. Frank Cusack		frank@google.com
    5. 

  5. 

  6. Some text verbatim from README.MSCHAP80,
    7. 

  7. by Eric Rosenquist, rosenqui@strataware.com
    8. 

  8. 

  9. INTRODUCTION
    10. 

  10. 

  11. First, please read README.MSCHAP80; almost everything there applies here.
    12. 

  12. MS-CHAP was basically devised by Microsoft because rather than store
    13. 

  13. plaintext passwords, they (Microsoft) store the md4 hash of passwords.
    14. 

  14. It provides no advantage over standard CHAP, since the hash is used
    15. 

  15. as plaintext-equivalent.  (Well, the Change-Password packet is arguably
    16. 

  16. an advantage.)  It does introduce a significant weakness if the LM hash
    17. 

  17. is used.  Additionally, the format of the failure packet potentially
    18. 

  18. gives information to an attacker.  The weakness of the LM hash is partly
    19. 

  19. addressed in RFC 2433, which deprecates its use.
    20. 

  20. 

  21. MS-CHAPv2 adds 2 benefits to MS-CHAP.  (1) The LM hash is no longer
    22. 

  22. used.  (2) Mutual authentication is required.  Note that the mutual
    23. 

  23. authentication in MS-CHAPv2 is different than the case where both PPP
    24. 

  24. peers require authentication from the other; the former proves that
    25. 

  25. the server has access to the client's password, the latter proves that
    26. 

  26. the server has access to a secret which the client also has -- which
    27. 

  27. may or may not be the same as the client's password (but should not be
    28. 

  28. the same, per RFC 1994).  Whether this provides any actual benefit is
    29. 

  29. outside the scope of this document.  The details of MS-CHAPv2 can be
    30. 

  30. found in the document:
    31. 

  31. 

  32.     <http://www.ietf.org/rfc/rfc2759.txt>
    33. 

  33. 

  34. 

  35. BUILDING THE PPPD
    36. 

  36. 

  37. In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1
    38. 

  38. hash algorithm.  A public domain implementation is provided with pppd.
    39. 

  39. 

  40. 

  41. TROUBLESHOOTING
    42. 

  42. 

  43. Assuming that everything else has been configured correctly for PPP and
    44. 

  44. CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly
    45. 

  45. related to your Windows NT account and its settings.  A Microsoft server
    46. 

  46. returns error codes in its CHAP response.  The following are extracted from
    47. 

  47. RFC 2759:
    48. 

  48. 

  49.  646 ERROR_RESTRICTED_LOGON_HOURS
    50. 

  50.  647 ERROR_ACCT_DISABLED
    51. 

  51.  648 ERROR_PASSWD_EXPIRED
    52. 

  52.  649 ERROR_NO_DIALIN_PERMISSION
    53. 

  53.  691 ERROR_AUTHENTICATION_FAILURE
    54. 

  54.  709 ERROR_CHANGING_PASSWORD
    55. 

  55. 

  56. You'll see these in your pppd log as a line similar to:
    57. 

  57. 

  58.    Remote message: E=649 No dialin permission
    59. 

  59. 

  60. Previously, pppd would log this as:
    61. 

  61. 

  62.    Remote message: E=649 R=0
    63. 

  63. 

  64. Now, the text message is logged (both for MS-CHAP and MS-CHAPv2).
    65. 

  65.