PPP Support for Microsoft's CHAP-81
===================================

Frank Cusack frank@google.com

Some text verbatim from README.MSCHAP80,
by Eric Rosenquist, rosenqui@strataware.com

INTRODUCTION

First, please read README.MSCHAP80; almost everything there applies here.
MS-CHAP was devised by Microsoft because, rather than storing plaintext
passwords, Microsoft stores the MD4 hash of each password. It provides
no advantage over standard CHAP, since the hash is used as a plaintext
equivalent. (Well, the Change-Password packet is arguably an advantage.)
It does introduce a significant weakness if the LM hash is used.
Additionally, the format of the failure packet potentially gives
information to an attacker. The weakness of the LM hash is partly
addressed in RFC 2433, which deprecates its use.

MS-CHAPv2 adds two benefits to MS-CHAP: (1) the LM hash is no longer
used, and (2) mutual authentication is required. Note that the mutual
authentication in MS-CHAPv2 is different from the case where both PPP
peers require authentication from the other; the former proves that
the server has access to the client's password, the latter proves that
the server has access to a secret which the client also has -- which
may or may not be the same as the client's password (but should not be
the same, per RFC 1994). Whether this provides any actual benefit is
outside the scope of this document. The details of MS-CHAPv2 can be
found in the document:

    <http://www.ietf.org/rfc/rfc2759.txt>


BUILDING THE PPPD

In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1
hash algorithm. A public domain implementation is provided with pppd.

TROUBLESHOOTING

Assuming that everything else has been configured correctly for PPP and
CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly
related to your Windows NT account and its settings. A Microsoft server
returns error codes in its CHAP Failure response. The following are
extracted from RFC 2759:

    646 ERROR_RESTRICTED_LOGON_HOURS
    647 ERROR_ACCT_DISABLED
    648 ERROR_PASSWD_EXPIRED
    649 ERROR_NO_DIALIN_PERMISSION
    691 ERROR_AUTHENTICATION_FAILURE
    709 ERROR_CHANGING_PASSWORD

You'll see these in your pppd log as a line similar to:

    Remote message: E=649 No dialin permission

Previously, pppd would log this as:

    Remote message: E=649 R=0

Now, the text message is logged (both for MS-CHAP and MS-CHAPv2).

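As an added illustration (not code from pppd or from this README), the following Python parses the Failure message format defined in RFC 2433 and RFC 2759 ("E=... R=... C=... V=... M=..."), maps the code to the names in the table above, and renders a line in the form of the pppd log lines shown. The sample messages in the comments are constructed, and falling back to the RFC name when no M= text is present is this example's choice, not pppd's behaviour.

```python
import re

# Error codes listed in RFC 2759 (the table in the TROUBLESHOOTING section above).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Codes that describe the state of an existing account rather than a bad
# credential; these are what "gives information to an attacker" refers to.
ACCOUNT_STATE_CODES = frozenset({646, 647, 648, 649})

# Message field of a Failure packet, per RFC 2433 (MS-CHAP) / RFC 2759 (MS-CHAPv2):
#   E=eeeeeeeeee R=r C=cccc... V=vvvvvvvvvv M=<msg>
# R, C, V and M are optional; C is 16 hex digits for MS-CHAP, 32 for MS-CHAPv2.
FAILURE_RE = re.compile(
    r"^E=(?P<code>\d{1,10})"
    r"(?: R=(?P<retry>[01]))?"
    r"(?: C=(?P<challenge>[0-9A-Fa-f]{32}|[0-9A-Fa-f]{16}))?"
    r"(?: V=(?P<version>\d{1,10}))?"
    r"(?: M=(?P<msg>.*))?$"
)

def parse_failure(message):
    """Parse a Failure message string (e.g. "E=649 R=0 V=3 M=No dialin permission",
    a constructed sample) into its fields; raise ValueError if it is malformed."""
    m = FAILURE_RE.match(message)
    if m is None:
        raise ValueError("not a MS-CHAP failure message: %r" % message)
    code = int(m.group("code"))
    challenge = m.group("challenge")
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN_ERROR"),
        "retry": m.group("retry") == "1",  # server permits another attempt
        "challenge": bytes.fromhex(challenge) if challenge else None,  # new challenge for the retry
        "version": int(m.group("version")) if m.group("version") else None,
        "msg": m.group("msg") or "",
        "discloses_account_state": code in ACCOUNT_STATE_CODES,
    }

def log_line(message):
    """Render the failure like the pppd log lines above: the server's text message
    if present, otherwise the RFC name (this fallback is ours, not pppd's)."""
    f = parse_failure(message)
    return "Remote message: E=%d %s" % (f["code"], f["msg"] or f["name"])
```

Feed it the Message field of a received Failure packet, not the already-formatted pppd log line; the latter is not in the wire format and is rejected.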