| Up to higher level directory | |||
| Name | Date | Size | |
|---|---|---|---|
| chat/ | 09-Jun-2008 | ||
| FAQ | 20-Feb-2005 | 25.3K | |
| PLUGINS | 29-Jun-2006 | 12.1K | |
| ppp2netbsd | 30-Apr-2008 | 3.8K | |
| pppd/ | 09-Jun-2008 | ||
| pppdump/ | 09-Jun-2008 | ||
| pppstats/ | 09-Jun-2008 | ||
| README | 29-Jun-2006 | 10.6K | |
| README.cbcp | 20-Feb-2005 | 2K | |
| README.eap-srp | 20-Feb-2005 | 6.2K | |
| README.MPPE | 20-Feb-2005 | 3.4K | |
| README.MSCHAP80 | 20-Feb-2005 | 8.2K | |
| README.MSCHAP81 | 20-Feb-2005 | 2.4K | |
| README.pwfd | 20-Feb-2005 | 3.5K | |
| SETUP | 20-Feb-2005 | 4.1K | |
README
1 This is the README file for ppp-2.4, a package which implements the 2 Point-to-Point Protocol (PPP) to provide Internet connections over 3 serial lines. 4 5 6 Introduction. 7 ************* 8 9 The Point-to-Point Protocol (PPP) provides a standard way to establish 10 a network connection over a serial link. At present, this package 11 supports IP and the protocols layered above IP, such as TCP and UDP. 12 The Linux and Solaris ports of this package have optional support for 13 IPV6; the Linux port of this package also has support for IPX. 14 15 This software consists of two parts: 16 17 - Kernel code, which establishes a network interface and passes 18 packets between the serial port, the kernel networking code and the 19 PPP daemon (pppd). This code is implemented using STREAMS modules on 20 Solaris, and as a line discipline under Linux. 21 22 - The PPP daemon (pppd), which negotiates with the peer to establish 23 the link and sets up the ppp network interface. Pppd includes support 24 for authentication, so you can control which other systems may make a 25 PPP connection and what IP addresses they may use. 26 27 The platforms supported by this package are Linux and Solaris. I have 28 code for NeXTStep, FreeBSD, SunOS 4.x, SVR4, Tru64 (Digital Unix), AIX 29 and Ultrix but no active maintainers for these platforms. Code for 30 all of these except AIX is included in the ppp-2.3.11 release. 31 32 33 Installation. 34 ************* 35 36 The file SETUP contains general information about setting up your 37 system for using PPP. There is also a README file for each supported 38 system, which contains more specific details for installing PPP on 39 that system. The supported systems, and the corresponding README 40 files, are: 41 42 Linux README.linux 43 Solaris README.sol2 44 45 In each case you start by running the ./configure script. This works 46 out which operating system you are using and creates the appropriate 47 makefiles. You then run `make' to compile the user-level code, and 48 (as root) `make install' to install the user-level programs pppd, chat 49 and pppstats. 50 51 N.B. Since 2.3.0, leaving the permitted IP addresses column of the 52 pap-secrets or chap-secrets file empty means that no addresses are 53 permitted. You need to put a "*" in that column to allow the peer to 54 use any IP address. (This only applies where the peer is 55 authenticating itself to you, of course.) 56 57 58 What's new in ppp-2.4.4. 59 ************************ 60 61 * Pppd will now run /etc/ppp/ip-pre-up, if it exists, after creating 62 the ppp interface and configuring its IP addresses but before 63 bringing it up. This can be used, for example, for adding firewall 64 rules for the interface. 65 66 * Lots of bugs fixed, particularly in the area of demand-dialled and 67 persistent connections. 68 69 * The rp-pppoe plugin now accepts any interface name (that isn't an 70 existing pppd option name) without putting "nic-" on the front of 71 it, not just eth*, nas*, tap* and br*. 72 73 74 What was new in ppp-2.4.3. 75 ************************** 76 77 * The configure script now accepts --prefix and --sysconfdir options. 78 These default to /usr/local and /etc. If you want pppd put in 79 /usr/sbin as before, use ./configure --prefix=/usr. 80 81 * Doing `make install' no longer puts example configuration files in 82 /etc/ppp. Use `make install-etcppp' if you want that. 83 84 * The code has been updated to work with version 0.8.3 of libpcap. 85 Unfortunately the libpcap maintainers removed support for the 86 "inbound" and "outbound" keywords on PPP links, meaning that if you 87 link pppd with libpcap-0.8.3, you can't use those keywords in the 88 active-filter and pass-filter expressions. The support has been 89 reinstated in the CVS version and should be in future libpcap 90 releases. If you need the in/outbound keywords, use a later release 91 than 0.8.3, or get the CVS version from http://www.tcpdump.org. 92 93 * There is a new option, child-timeout, which sets the length of time 94 that pppd will wait for child processes (such as the command 95 specified with the pty option) to exit before exiting itself. It 96 defaults to 5 seconds. After the timeout, pppd will send a SIGTERM 97 to any remaining child processes and exit. A value of 0 means no 98 timeout. 99 100 * Various bugs have been fixed, including some CBCP packet parsing 101 bugs that could lead to the peer being able to crash pppd if CBCP 102 support is enabled. 103 104 * Various fixes and enhancements to the radius and rp-pppoe plugins 105 have been added. 106 107 * There is a new winbind plugin, from Andrew Bartlet of the Samba 108 team, which provides the ability to authenticate the peer against an 109 NT domain controller using MS-CHAP or MS-CHAPV2. 110 111 * There is a new pppoatm plugin, by various authors, sent in by David 112 Woodhouse. 113 114 * The multilink code has been substantially reworked. The first pppd 115 for a bundle still controls the ppp interface, but it doesn't exit 116 until all the links in the bundle have terminated. If the first 117 pppd is signalled to exit, it signals all the other pppds 118 controlling links in the bundle. 119 120 * The TDB code has been updated to the latest version. This should 121 eliminate the problem that some people have seen where the database 122 file (/var/run/pppd.tdb) keeps on growing. Unfortunately, however, 123 the new code uses an incompatible database format. For this reason, 124 pppd now uses /var/run/pppd2.tdb as the database filename. 125 126 127 What was new in ppp-2.4.2. 128 ************************** 129 130 * The CHAP code has been rewritten. Pppd now has support for MS-CHAP 131 V1 and V2 authentication, both as server and client. The new CHAP 132 code is cleaner than the old code and avoids some copyright problems 133 that existed in the old code. 134 135 * MPPE (Microsoft Point-to-Point Encryption) support has been added, 136 although the current implementation shouldn't be considered 137 completely secure. (There is no assurance that the current code 138 won't ever transmit an unencrypted packet.) 139 140 * James Carlson's implementation of the Extensible Authentication 141 Protocol (EAP) has been added. 142 143 * Support for the Encryption Control Protocol (ECP) has been added. 144 145 * Some new plug-ins have been included: 146 - A plug-in for kernel-mode PPPoE (PPP over Ethernet) 147 - A plug-in for supplying the PAP password over a pipe from another 148 process 149 - A plug-in for authenticating using a Radius server. 150 151 * Updates and bug-fixes for the Solaris port. 152 153 * The CBCP (Call Back Control Protocol) code has been updated. There 154 are new options `remotenumber' and `allow-number'. 155 156 * Extra hooks for plugins to use have been added. 157 158 * There is now a `maxoctets' option, which causes pppd to terminate 159 the link once the number of bytes passed on the link exceeds a given 160 value. 161 162 * There are now options to control whether pppd can use the IPCP 163 IP-Address and IP-Addresses options: `ipcp-no-address' and 164 `ipcp-no-addresses'. 165 166 * Fixed several bugs, including potential buffer overflows in chat. 167 168 169 What was new in ppp-2.4.1. 170 ************************** 171 172 * Pppd can now print out the set of options that are in effect. The 173 new `dump' option causes pppd to print out the option values after 174 option parsing is complete. The `dryrun' option causes pppd to 175 print the options and then exit. 176 177 * The option parsing code has been fixed so that options in the 178 per-tty options file are parsed correctly, and don't override values 179 from the command line in most cases. 180 181 * The plugin option now looks in /usr/lib/pppd/<pppd-version> (for 182 example, /usr/lib/pppd/2.4.1b1) for shared objects for plugins if 183 there is no slash in the plugin name. 184 185 * When loading a plugin, pppd will now check the version of pppd for 186 which the plugin was compiled, and refuse to load it if it is 187 different to pppd's version string. To enable this, the plugin 188 source needs to #include "pppd.h" and have a line saying: 189 char pppd_version[] = VERSION; 190 191 * There is a bug in zlib, discovered by James Carlson, which can cause 192 kernel memory corruption if Deflate is used with the lowest setting, 193 8. As a workaround pppd will now insist on using at least 9. 194 195 * Pppd should compile on Solaris and SunOS again. 196 197 * Pppd should now set the MTU correctly on demand-dialled interfaces. 198 199 200 What was new in ppp-2.4.0. 201 ************************** 202 203 * Multilink: this package now allows you to combine multiple serial 204 links into one logical link or `bundle', for increased bandwidth and 205 reduced latency. This is currently only supported under the 206 2.4.x and later Linux kernels. 207 208 * All the pppd processes running on a system now write information 209 into a common database. I used the `tdb' code from samba for this. 210 211 * New hooks have been added. 212 213 For a list of the changes made during the 2.3 series releases of this 214 package, see the Changes-2.3 file. 215 216 217 Compression methods. 218 ******************** 219 220 This package supports two packet compression methods: Deflate and 221 BSD-Compress. Other compression methods which are in common use 222 include Predictor, LZS, and MPPC. These methods are not supported for 223 two reasons - they are patent-encumbered, and they cause some packets 224 to expand slightly, which pppd doesn't currently allow for. 225 BSD-Compress and Deflate (which uses the same algorithm as gzip) don't 226 ever expand packets. 227 228 229 Patents. 230 ******** 231 232 The BSD-Compress algorithm used for packet compression is the same as 233 that used in the Unix "compress" command. It was apparently covered 234 by U.S. patents 4,814,746 (owned by IBM) and 4,558,302 (owned by 235 Unisys), and corresponding patents in various other countries (but not 236 Australia). Apparently the Unisys patent expired in the US on 20 June 237 2003, but the IBM patent is still pending. 238 239 If these patents are of concern in your situation, you can build the 240 package without including BSD-Compress. To do this, edit 241 net/ppp-comp.h to change the definition of DO_BSD_COMPRESS to 0. The 242 bsd-comp.c files are then no longer needed, so the references to 243 bsd-comp.o may optionally be removed from the Makefiles. 244 245 246 Contacts. 247 ********* 248 249 The comp.protocols.ppp newsgroup is a useful place to get help if you 250 have trouble getting your ppp connections to work. Please do not send 251 me questions of the form "please help me get connected to my ISP" - 252 I'm sorry, but I simply do not have the time to answer all the 253 questions like this that I get. 254 255 If you find bugs in this package, please report them to the maintainer 256 for the port for the operating system you are using: 257 258 Linux Paul Mackerras <paulus (a] samba.org> 259 Solaris James Carlson <carlson (a] workingcode.com> 260 261 262 Copyrights: 263 *********** 264 265 All of the code can be freely used and redistributed. The individual 266 source files each have their own copyright and permission notice. 267 Pppd, pppstats and pppdump are under BSD-style notices. Some of the 268 pppd plugins are GPL'd. Chat is public domain. 269 270 271 Distribution: 272 ************* 273 274 The primary site for releases of this software is: 275 276 ftp://ftp.samba.org/pub/ppp/ 277 278 279 (Id: README,v 1.37 2006/05/29 23:51:29 paulus Exp) 280
README.cbcp
1 Microsoft Call Back Configuration Protocol. 2 by Pedro Roque Marques 3 (updated by Paul Mackerras) 4 5 The CBCP is a method by which the Microsoft Windows NT Server may 6 implement additional security. It is possible to configure the server 7 in such a manner so as to require that the client systems which 8 connect with it are required that following a valid authentication to 9 leave a method by which the number may be returned call. 10 11 It is a requirement of servers to be so configured that the protocol be 12 exchanged. 13 14 So, this set of patches may be applied to the pppd process to enable 15 the cbcp client *only* portion of the specification. It is primarily 16 meant to permit connection with Windows NT Servers. 17 18 The ietf-working specification may be obtained from ftp.microsoft.com 19 in the developr/rfc directory. 20 21 The ietf task group has decided to recommend that the LCP sequence be 22 extended to permit the callback operation. For this reason, these 23 patches are not 'part' of pppd but are an adjunct to the code. 24 25 To enable CBCP support, all that is required is to uncomment the line 26 in Makefile.linux that sets CBCP=y and recompile pppd. 27 28 I use such script to make a callback: 29 30 pppd debug nodetach /dev/modem 115200 crtscts modem \ 31 callback 222222 name NAME remotename SERVER \ 32 connect 'chat -v "" atz OK atdt111111 CONNECT ""' 33 sleep 1 34 pppd debug /dev/modem 115200 crtscts modem \ 35 name NAME remotename SERVER defaultroute \ 36 connect 'chat -v RING ATA CONNECT "\c"' 37 38 First we invoke pppd with 'nodetach' option in order to not detach from 39 the controlling terminal and 'callback NUMBER' option, then wait for 40 1 second and invoke pppd again which waits for a callback (RING) and 41 then answers (ATA). Number 222222 is a callback number, i.e. server will 42 call us back at this number, while number 111111 is the number we are 43 calling to. 44 45 You have to put in /etc/ppp/chap-secrets the following two lines: 46 47 NAME SERVER PASSWORD 48 SERVER NAME PASSWORD 49 50 You have to use your real login name, remote server name and password. 51 52
README.eap-srp
1 EAP with MD5-Challenge and SRP-SHA1 support 2 by James Carlson, Sun Microsystems 3 Version 2, September 22nd, 2002 4 5 6 1. What it does 7 8 The Extensible Authentication Protocol (EAP; RFC 2284) is a 9 security protocol that can be used with PPP. It provides a means 10 to plug in multiple optional authentication methods. 11 12 This implementation includes the required default MD5-Challenge 13 method, which is similar to CHAP (RFC 1994), as well as the new 14 SRP-SHA1 method. This latter method relies on an exchange that is 15 not vulnerable to dictionary attacks (as is CHAP), does not 16 require the server to keep a cleartext copy of the secret (as in 17 CHAP), supports identity privacy, and produces a temporary shared 18 key that could be used for data encryption. 19 20 The SRP-SHA1 method is based on draft-ietf-pppext-eap-srp-03.txt, 21 a work in progress. 22 23 2. Required libraries 24 25 Two other packages are required first. Download and install 26 OpenSSL and Thomas Wu's SRP implementation. 27 28 http://www.openssl.org/ (or ftp://ftp.openssl.org/source/) 29 http://srp.stanford.edu/ 30 31 Follow the directions in each package to install the SSL and SRP 32 libraries. Once SRP is installed, you may run tconf as root to 33 create known fields, if desired. (This step is not required.) 34 35 3. Installing the patch 36 37 The EAP-SRP patch described here is integrated into this version 38 of pppd. The following patch may be used with older pppd sources: 39 40 ftp://playground.sun.com/carlsonj/eap/ppp-2.4.1-eap-1.tar.gz 41 42 Configure, compile, and install as root. You may want to edit 43 pppd/Makefile after configuring to enable or disable optional 44 features. 45 46 % ./configure 47 % make 48 % su 49 # make install 50 51 If you use csh or tcsh, run "rehash" to pick up the new commands. 52 53 If you're using Solaris, and you run into trouble with the 54 pseudonym feature on the server side ("no DES here" shows in the 55 log file), make sure that you have the "domestic" versions of the 56 DES libraries linked. You should see "crypt_d" in "ldd 57 /usr/local/bin/pppd". If you see "crypt_i" instead, then make 58 sure that /usr/lib/libcrypt.* links to /usr/lib/libcrypt_d.*. (If 59 you have the international version of Solaris, then you won't have 60 crypt_d. You might want to find an alternative DES library.) 61 62 4. Adding the secrets 63 64 On the EAP SRP-SHA1 client side, access to the cleartext secret is 65 required. This can be done in two ways: 66 67 - Enter the client name, server name, and password in the 68 /etc/ppp/srp-secrets file. This file has the same format as 69 the existing chap-secrets and pap-secrets files. 70 71 clientname servername "secret here" 72 73 - Use the "password" option in any of the standard 74 configuration files (or the command line) to specify the 75 secret. 76 77 password "secret here" 78 79 On the EAP SRP-SHA1 server side, a secret verifier is required. 80 This is a one-way hash of the client's name and password. To 81 generate this value, run the srp-entry program (see srp-entry(8)). 82 This program prompts for the client name and the passphrase (the 83 secret). The output will be an entry, such as the following, 84 suitable for use in the server's srp-secrets file. Note that if 85 this is transferred by cut-and-paste, the entry must be a single 86 line of text in the file. 87 88 pppuser srpserver 0:LFDpwg4HBLi4/kWByzbZpW6pE95/iIWBSt7L.DAkHsvwQphtiq0f6reoUy/1LC1qYqjcrV97lCDmQHQd4KIACGgtkhttLdP3KMowvS0wLXLo25FPJeG2sMAUEWu/HlJPn2/gHyh9aT.ZxUs5MsoQ1E61sJkVBc.2qze1CdZiQGTK3qtWRP6DOpM1bfhKtPoVm.g.MiCcTMWzc54xJUIA0mgKtpthE3JrqCc81cXUt4DYi5yBzeeGTqrI0z2/Gj8Jp7pS4Fkq3GmnYjMxnKfQorFXNwl3m7JSaPa8Gj9/BqnorJOsnSMlIhBe6dy4CYytuTbNb4Wv/nFkmSThK782V:2cIyMp1yKslQgE * 89 90 The "secret" field consists of three entries separated by colons. 91 The first entry is the index of the modulus and generator from 92 SRP's /etc/tpasswd.conf. If the special value 0 is used, then the 93 well-known modulus/generator value is used (this is recommended, 94 because it is much faster). The second value is the verifier 95 value. The third is the password "salt." These latter two values 96 are encoded in base64 notation. 97 98 For EAP MD5-Challenge, both client and server use the existing 99 /etc/ppp/chap-secrets file. 100 101 5. Configuration options 102 103 There are two main options relating to EAP available for the 104 client. These are: 105 106 refuse-eap - refuse to authenticate with EAP 107 srp-use-pseudonym - use the identity privacy if 108 offered by server 109 110 The second option stores a pseudonym, if offered by the EAP 111 SRP-SHA1 server, in the $HOME/.ppp_pseudonym file. The pseudonym 112 is typically an encrypted version of the client identity. During 113 EAP start-up, the pseudonym stored in this file is offered to the 114 peer as the identity. If this is accepted by the peer, then 115 eavesdroppers will be unable to determine the identity of the 116 client. Each time the client is authenticated, the server will 117 offer a new pseudoname to the client using an obscured (reversibly 118 encrypted) message. Thus, access across successive sessions 119 cannot be tracked. 120 121 There are two main options for EAP on the server: 122 123 require-eap - require client to use EAP 124 srp-pn-secret "string" - set server's pseudoname secret 125 126 The second option sets the long-term secret used on the server to 127 encrypt the user's identity to produce pseudonames. The 128 pseudoname is constructed by hashing this string with the current 129 date (to the nearest day) with SHA1, then using this hash as the 130 key for a DES encryption of the client's name. The date is added 131 to the hash for two reasons. First, this allows the pseudonym to 132 change daily. Second, it allows the server to decode any previous 133 pseudonym by trying previous dates. 134 135 See the pppd(8) man page for additional options. 136 137 6. Comments welcome! 138 139 This is still an experimental implementation. It has been tested 140 and reviewed carefully for correctness, but may still be 141 incomplete or have other flaws. All comments are welcome. Please 142 address them to the author: 143 144 james.d.carlson (a] sun.com 145 146 or, for EAP itself or the SRP extensions to EAP, to the IETF PPP 147 Extensions working group: 148 149 ietf-ppp (a] merit.edu 150
README.MPPE
1 PPP Support for MPPE (Microsoft Point to Point Encryption) 2 ========================================================== 3 4 Frank Cusack frank (a] google.com 5 Mar 19, 2002 6 7 8 DISCUSSION 9 10 MPPE is Microsoft's encryption scheme for PPP links. It is pretty much 11 solely intended for use with PPP over Internet links -- if you have a true 12 point to point link you have little need for encryption. It is generally 13 used with PPTP. 14 15 MPPE is negotiated within CCP (Compression Control Protocol) as option 16 18. In order for MPPE to work, both peers must agree to do it. This 17 complicates things enough that I chose to implement it as strictly a binary 18 option, off by default. If you turn it on, all other compression options 19 are disabled and MPPE *must* be negotiated successfully in both directions 20 (CCP is unidirectional) or the link will be disconnected. I think this is 21 reasonable since, if you want encryption, you want encryption. That is, 22 I am not convinced that optional encryption is useful. 23 24 While PPP regards MPPE as a "compressor", it actually expands every frame 25 by 4 bytes, the MPPE overhead (encapsulation). 26 27 Because of the data expansion, you'll see that ppp interfaces get their 28 mtu reduced by 4 bytes whenever MPPE is negotiated. This is because 29 when MPPE is active, it is *required* that *every* packet be encrypted. 30 PPPD sets the mtu = MIN(peer mru, configured mtu). To ensure that 31 MPPE frames are not larger than the peer's mru, we reduce the mtu by 4 32 bytes so that the network layer never sends ppp a packet that's too large. 33 34 There is an option to compress the data before encrypting (MPPC), however 35 the algorithm is patented and requires execution of a license with Hifn. 36 MPPC as an RFC is a complete farce. I have no further details on MPPC. 37 38 Some recommendations: 39 40 - Use stateless mode. Stateful mode is disabled by default. Unfortunately, 41 stateless mode is very expensive as the peers must rekey for every packet. 42 - Use 128-bit encryption. 43 - Use MS-CHAPv2 only. 44 45 Reference documents: 46 47 <http://www.ietf.org/rfc/rfc3078.txt> MPPE 48 <http://www.ietf.org/rfc/rfc3079.txt> MPPE Key Derivation 49 <http://www.ietf.org/rfc/rfc2118.txt> MPPC 50 <http://www.ietf.org/rfc/rfc2637.txt> PPTP 51 <http://www.ietf.org/rfc/rfc2548.txt> MS RADIUS Attributes 52 53 You might be interested in PoPToP, a Linux PPTP server. You can find it at 54 <http://www.poptop.org/> 55 56 RADIUS support for MPPE is from Ralf Hofmann, <ralf.hofmann (a] elvido.net>. 57 58 59 BUILDING THE PPPD 60 61 The userland component of PPPD has no additional requirements above 62 those for MS-CHAP and MS-CHAPv2. The kernel, however, requires SHA-1 63 and ARCFOUR. Public domain implementations of these are provided. 64 65 Until such time as MPPE support ships with kernels, you can use 66 the Linux 2.2 or 2.4 implementation that comes with PPPD. Run the 67 ppp/linux/mppe/mppeinstall.sh script, giving it the location to your 68 kernel source. Then add the CONFIG_PPP_MPPE option to your config and 69 rebuild the kernel. The ppp_mppe.o module is added, and the ppp.o module 70 (2.2) or ppp_generic.o (2.4) is modified (unfortunately). You'll need 71 the new ppp.o/ppp_generic.o since it does the right thing for the 4 72 extra bytes problem discussed above. 73 74 75 CONFIGURATION 76 77 See pppd(8) for the MPPE options. Under Linux, if your modutils is earlier 78 than 2.4.15, you will need to add 79 80 alias ppp-compress-18 ppp_mppe 81 82 to /etc/modules.conf. (A patch for earlier versions of modutils is included 83 with the kernel patches.) 84 85 86
README.MSCHAP80
1 PPP Support for Microsoft's CHAP-80 2 =================================== 3 4 Eric Rosenquist rosenqui (a] strataware.com 5 (updated by Paul Mackerras) 6 (updated by Al Longyear) 7 (updated by Farrell Woods) 8 (updated by Frank Cusack) 9 10 INTRODUCTION 11 12 Microsoft has introduced an extension to the Challenge/Handshake 13 Authentication Protocol (CHAP) which avoids storing cleartext 14 passwords on a server. (Unfortunately, this is not as secure as it 15 sounds, because the encrypted password stored on a server can be used 16 by a bogus client to gain access to the server just as easily as if 17 the password were stored in cleartext.) The details of the Microsoft 18 extensions can be found in the document: 19 20 <http://www.ietf.org/rfc/rfc2433.txt> 21 22 In short, MS-CHAP is identified as <auth chap 80> since the hex value 23 of 80 is used to designate Microsoft's scheme. Standard PPP CHAP uses 24 a value of 5. If you enable PPP debugging with the "debug" option and 25 see something like the following in your logs, the remote server is 26 requesting MS-CHAP: 27 28 rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <auth chap 80> <magic 0x46a3>] 29 ^^^^^^^^^^^^ 30 31 The standard pppd implementation will indicate its lack of support for 32 MS-CHAP by NAKing it: 33 34 sent [LCP ConfNak id=0x2 <auth chap 05>] 35 36 Windows NT Server systems are often configured to "Accept only 37 Microsoft Authentication" (this is intended to enhance security). Up 38 until now, that meant that you couldn't use this version of PPPD to 39 connect to such a system. 40 41 42 BUILDING THE PPPD 43 44 MS-CHAP uses a combination of MD4 hashing and DES encryption for 45 authentication. You may need to get Eric Young's libdes library in 46 order to use my MS-CHAP extensions. A lot of UNIX systems already 47 have DES encryption available via the crypt(3), encrypt(3) and 48 setkey(3) interfaces. Some may (such as that on Digital UNIX) 49 provide only the encryption mechanism and will not perform 50 decryption. This is okay. We only need to encrypt to perform 51 MS-CHAP authentication. 52 53 If you have encrypt/setkey available, then hopefully you need only 54 define these two things in your Makefile: -DUSE_CRYPT and -DCHAPMS. 55 Skip the paragraphs below about obtaining and building libdes. Do 56 the "make clean" and "make" as described below. Linux users 57 should not need to modify their Makefiles. Instead, 58 just do "make CHAPMS=1 USE_CRYPT=1". 59 60 If you don't have encrypt and setkey, you will need Eric Young's 61 libdes library. You can find it in: 62 63 ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.psy.uq.oz.au/DES/libdes-3.06.tar.gz 64 65 Australian residents can get libdes from Eric Young's site: 66 67 ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-3.06.tar.gz 68 69 It is also available on many other sites (ask Archie). 70 71 I used libdes-3.06, but hopefully anything newer than that will work 72 also. Get the library, build and test it on your system, and install 73 it somewhere (typically /usr/local/lib and /usr/local/include). 74 75 76 77 You should now be ready to (re)compile the PPPD. Go to the pppd 78 subdirectory and make sure the Makefile contains "-DCHAPMS" in the 79 CFLAGS or COMPILE_FLAGS macro, and that the LIBS macro (or LDADD for 80 BSD systems) contains "-ldes". Depending on your system and where the 81 DES library was installed, you may also need to alter the include and 82 library paths used by your compiler. 83 84 Do a "make clean" and then a "make" to rebuild pppd. Assuming all 85 goes well, install the new pppd and move on to the CONFIGURATION 86 section. 87 88 89 CONFIGURATION 90 91 If you've never used PPPD with CHAP before, read the man page (type 92 "man pppd") and read the description in there. Basically, you need to 93 edit the "chap-secrets" file typically named /etc/ppp/chap-secrets. 94 This should contain the following two lines for each system with which 95 you use CHAP (with no leading blanks): 96 97 RemoteHost Account Secret 98 Account RemoteHost Secret 99 100 Note that you need both lines and that item 1 and 2 are swapped in the 101 second line. I'm not sure why you need it twice, but it works and I didn't 102 have time to look into it further. The "RemoteHost" is a somewhat 103 arbitrary name for the remote Windows NT system you're dialing. It doesn't 104 have to match the NT system's name, but it *does* have to match what you 105 use with the "remotename" parameter. The "Account" is the Windows NT 106 account name you have been told to use when dialing, and the "Secret" is 107 the password for that account. For example, if your service provider calls 108 their machine "DialupNT" and tells you your account and password are 109 "customer47" and "foobar", add the following to your chap-secrets file: 110 111 DialupNT customer47 foobar 112 customer47 DialupNT foobar 113 114 The only other thing you need to do for MS-CHAP (compared to normal CHAP) 115 is to always use the "remotename" option, either on the command line or in 116 your "options" file (see the pppd man page for details). In the case of 117 the above example, you would need to use the following command line: 118 119 pppd name customer47 remotename DialupNT <other options> 120 121 or add: 122 123 name customer47 124 remotename DialupNT 125 126 to your PPPD "options" file. 127 128 The "remotename" option is required for MS-CHAP since Microsoft PPP servers 129 don't send their system name in the CHAP challenge packet. 130 131 132 E=691 (AUTHENTICATION_FAILURE) ERRORS WHEN YOU HAVE THE VALID SECRET (PASSWORD) 133 134 If your RAS server is not the domain controller and is not a 'stand-alone' 135 server then it must make a query to the domain controller for your domain. 136 137 You need to specify the domain name with the user name when you attempt to 138 use this type of a configuration. The domain name is specified with the 139 local name in the chap-secrets file and with the option for the 'name' 140 parameter. 141 142 For example, the previous example would become: 143 144 DialupNT domain\\customer47 foobar 145 domain\\customer47 DialupNT foobar 146 147 and 148 149 pppd name 'domain\\customer47' remotename DialupNT <other options> 150 151 or add: 152 153 name domain\\customer47 154 remotename DialupNT 155 156 when the Windows NT domain name is simply called 'domain'. 157 158 159 TROUBLESHOOTING 160 161 Assuming that everything else has been configured correctly for PPP and 162 CHAP, the MS-CHAP-specific problems you're likely to encounter are mostly 163 related to your Windows NT account and its settings. A Microsoft server 164 returns error codes in its CHAP response. The following are extracted from 165 RFC 2433: 166 167 646 ERROR_RESTRICTED_LOGON_HOURS 168 647 ERROR_ACCT_DISABLED 169 648 ERROR_PASSWD_EXPIRED 170 649 ERROR_NO_DIALIN_PERMISSION 171 691 ERROR_AUTHENTICATION_FAILURE 172 709 ERROR_CHANGING_PASSWORD 173 174 You'll see these in your pppd log as a line similar to: 175 176 Remote message: E=649 R=0 177 178 The "E=" is the error number from the table above, and the "R=" flag 179 indicates whether the error is transient and the client should retry. If 180 you consistently get error 691, then either you're using the wrong account 181 name/password, or the DES library or MD4 hashing (in md4.c) aren't working 182 properly. Verify your account name and password (use a Windows NT or 183 Windows 95 system to dial-in if you have one available). If that checks 184 out, test the DES library with the "destest" program included with the DES 185 library. If DES checks out, the md4.c routines are probably failing 186 (system byte ordering may be a problem) or my code is screwing up. I've 187 only got access to a Linux system, so you're on your own for anything else. 188 189 Another thing that might cause problems is that some RAS servers won't 190 respond at all to LCP config requests without seeing the word "CLIENT" 191 from the other end. If you see pppd sending out LCP config requests 192 without getting any reply, try putting something in your chat script 193 to send the word CLIENT after the modem has connected. 194 195 STILL TO DO 196 197 A site using only MS-CHAP to authenticate has no need to store cleartext 198 passwords in the "chap-secrets" file. A utility that spits out the ASCII 199 hex MD4 hash of a given password would be nice, and would allow that hash 200 to be used in chap-secrets in place of the password. The code to do this 201 could quite easily be lifted from chap_ms.c (you have to convert the 202 password to Unicode before hashing it). The chap_ms.c file would also have 203 to be changed to recognize a password hash (16 binary bytes == 32 ASCII hex 204 characters) and skip the hashing stage. This would have no real security 205 value as the hash is plaintext-equivalent. 206
README.MSCHAP81
1 PPP Support for Microsoft's CHAP-81 2 =================================== 3 4 Frank Cusack frank (a] google.com 5 6 Some text verbatim from README.MSCHAP80, 7 by Eric Rosenquist, rosenqui (a] strataware.com 8 9 INTRODUCTION 10 11 First, please read README.MSCHAP80; almost everything there applies here. 12 MS-CHAP was basically devised by Microsoft because rather than store 13 plaintext passwords, they (Microsoft) store the md4 hash of passwords. 14 It provides no advantage over standard CHAP, since the hash is used 15 as plaintext-equivalent. (Well, the Change-Password packet is arguably 16 an advantage.) It does introduce a significant weakness if the LM hash 17 is used. Additionally, the format of the failure packet potentially 18 gives information to an attacker. The weakness of the LM hash is partly 19 addressed in RFC 2433, which deprecates its use. 20 21 MS-CHAPv2 adds 2 benefits to MS-CHAP. (1) The LM hash is no longer 22 used. (2) Mutual authentication is required. Note that the mutual 23 authentication in MS-CHAPv2 is different than the case where both PPP 24 peers require authentication from the other; the former proves that 25 the server has access to the client's password, the latter proves that 26 the server has access to a secret which the client also has -- which 27 may or may not be the same as the client's password (but should not be 28 the same, per RFC 1994). Whether this provides any actual benefit is 29 outside the scope of this document. The details of MS-CHAPv2 can be 30 found in the document: 31 32 <http://www.ietf.org/rfc/rfc2759.txt> 33 34 35 BUILDING THE PPPD 36 37 In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1 38 hash algorithm. A public domain implementation is provided with pppd. 39 40 41 TROUBLESHOOTING 42 43 Assuming that everything else has been configured correctly for PPP and 44 CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly 45 related to your Windows NT account and its settings. A Microsoft server 46 returns error codes in its CHAP response. The following are extracted from 47 RFC 2759: 48 49 646 ERROR_RESTRICTED_LOGON_HOURS 50 647 ERROR_ACCT_DISABLED 51 648 ERROR_PASSWD_EXPIRED 52 649 ERROR_NO_DIALIN_PERMISSION 53 691 ERROR_AUTHENTICATION_FAILURE 54 709 ERROR_CHANGING_PASSWORD 55 56 You'll see these in your pppd log as a line similar to: 57 58 Remote message: E=649 No dialin permission 59 60 Previously, pppd would log this as: 61 62 Remote message: E=649 R=0 63 64 Now, the text message is logged (both for MS-CHAP and MS-CHAPv2). 65 66
README.pwfd
1 2 Support to pass the password via a pipe to the pppd 3 --------------------------------------------------- 4 5 Arvin Schnell <arvin (a] suse.de> 6 2002-02-08 7 8 9 1. Introduction 10 --------------- 11 12 Normally programs like wvdial or kppp read the online password from their 13 config file and store them in the pap- and chap-secrets before they start the 14 pppd and remove them afterwards. Sure they need special privileges to do so. 15 16 The passwordfd feature offers a simpler and more secure solution. The program 17 that starts the pppd opens a pipe and writes the password into it. The pppd 18 simply reads the password from that pipe. 19 20 This methods is used for quiet a while on SuSE Linux by the programs wvdial, 21 kppp and smpppd. 22 23 24 2. Example 25 ---------- 26 27 Here is a short C program that uses the passwordfd feature. It starts the pppd 28 to buildup a pppoe connection. 29 30 31 --snip-- 32 33 #include <stdio.h> 34 #include <stdlib.h> 35 #include <unistd.h> 36 #include <signal.h> 37 #include <string.h> 38 #include <paths.h> 39 40 #ifndef _PATH_PPPD 41 #define _PATH_PPPD "/usr/sbin/pppd" 42 #endif 43 44 45 // Of course these values can be read from a configuration file or 46 // entered in a graphical dialog. 47 char *device = "eth0"; 48 char *username = "1122334455661122334455660001 (a] t-online.de"; 49 char *password = "hello"; 50 51 pid_t pid = 0; 52 53 54 void 55 sigproc (int src) 56 { 57 fprintf (stderr, "Sending signal %d to pid %d\n", src, pid); 58 kill (pid, src); 59 exit (EXIT_SUCCESS); 60 } 61 62 63 void 64 sigchild (int src) 65 { 66 fprintf (stderr, "Daemon died\n"); 67 exit (EXIT_SUCCESS); 68 } 69 70 71 int 72 start_pppd () 73 { 74 signal (SIGINT, &sigproc); 75 signal (SIGTERM, &sigproc); 76 signal (SIGCHLD, &sigchild); 77 78 pid = fork (); 79 if (pid < 0) { 80 fprintf (stderr, "unable to fork() for pppd: %m\n"); 81 return 0; 82 } 83 84 if (pid == 0) { 85 86 int i, pppd_argc = 0; 87 char *pppd_argv[20]; 88 char buffer[32] = ""; 89 int pppd_passwdfd[2]; 90 91 for (i = 0; i < 20; i++) 92 pppd_argv[i] = NULL; 93 94 pppd_argv[pppd_argc++] = "pppd"; 95 96 pppd_argv[pppd_argc++] = "call"; 97 pppd_argv[pppd_argc++] = "pwfd-test"; 98 99 // The device must be after the call, since the call loads the plugin. 100 pppd_argv[pppd_argc++] = device; 101 102 pppd_argv[pppd_argc++] = "user"; 103 pppd_argv[pppd_argc++] = username; 104 105 // Open a pipe to pass the password to pppd. 106 if (pipe (pppd_passwdfd) == -1) { 107 fprintf (stderr, "pipe failed: %m\n"); 108 exit (EXIT_FAILURE); 109 } 110 111 // Of course this only works it the password is shorter 112 // than the pipe buffer. Otherwise you have to fork to 113 // prevent that your main program blocks. 114 write (pppd_passwdfd[1], password, strlen (password)); 115 close (pppd_passwdfd[1]); 116 117 // Tell the pppd to read the password from the fd. 118 pppd_argv[pppd_argc++] = "passwordfd"; 119 snprintf (buffer, 32, "%d", pppd_passwdfd[0]); 120 pppd_argv[pppd_argc++] = buffer; 121 122 if (execv (_PATH_PPPD, (char **) pppd_argv) < 0) { 123 fprintf (stderr, "cannot execl %s: %m\n", _PATH_PPPD); 124 exit (EXIT_FAILURE); 125 } 126 } 127 128 pause (); 129 130 return 1; 131 } 132 133 134 int 135 main (int argc, char **argv) 136 { 137 if (start_pppd ()) 138 exit (EXIT_SUCCESS); 139 140 exit (EXIT_FAILURE); 141 } 142 143 ---snip--- 144 145 146 Copy this file to /etc/ppp/peers/pwfd-test. The plugins can't be loaded on the 147 command line (unless you are root) since the plugin option is privileged. 148 149 150 ---snip--- 151 152 # 153 # PPPoE plugin for kernel 2.4 154 # 155 plugin pppoe.so 156 157 # 158 # This plugin enables us to pipe the password to pppd, thus we don't have 159 # to fiddle with pap-secrets and chap-secrets. The user is also passed 160 # on the command line. 161 # 162 plugin passwordfd.so 163 164 noauth 165 usepeerdns 166 defaultroute 167 hide-password 168 nodetach 169 nopcomp 170 novjccomp 171 noccp 172 173 ---snip--- 174 175
