| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | PPP Support for Microsoft's CHAP-80 |
| 2 | =================================== |
| 3 | |
| 4 | Eric Rosenquist rosenqui@strataware.com |
| 5 | (updated by Paul Mackerras) |
| 6 | (updated by Al Longyear) |
| 7 | (updated by Farrell Woods) |
| 8 | (updated by Frank Cusack) |
| 9 | |
| 10 | INTRODUCTION |
| 11 | |
| 12 | Microsoft has introduced an extension to the Challenge/Handshake |
| 13 | Authentication Protocol (CHAP) which avoids storing cleartext |
| 14 | passwords on a server. (Unfortunately, this is not as secure as it |
| 15 | sounds, because the encrypted password stored on a server can be used |
| 16 | by a bogus client to gain access to the server just as easily as if |
| 17 | the password were stored in cleartext.) The details of the Microsoft |
| 18 | extensions can be found in the document: |
| 19 | |
| 20 | <http://www.ietf.org/rfc/rfc2433.txt> |
| 21 | |
| 22 | In short, MS-CHAP is identified as <auth chap 80> since the hex value |
| 23 | of 80 is used to designate Microsoft's scheme. Standard PPP CHAP uses |
| 24 | a value of 5. If you enable PPP debugging with the "debug" option and |
| 25 | see something like the following in your logs, the remote server is |
| 26 | requesting MS-CHAP: |
| 27 | |
| 28 | rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <auth MS> <magic 0x46a3>] |
| 29 | ^^^^^^^ |
| 30 | |
| 31 | MS-CHAP is enabled by default under Linux in pppd/Makefile.linux by |
| 32 | the line "CHAPMS=y". |
| 33 | |
| 34 | |
| 35 | CONFIGURATION |
| 36 | |
| 37 | If you've never used PPPD with CHAP before, read the man page (type |
| 38 | "man pppd") and read the description in there. Basically, you need to |
| 39 | edit the "chap-secrets" file typically named /etc/ppp/chap-secrets. |
| 40 | This should contain the following two lines for each system with which |
| 41 | you use CHAP (with no leading blanks): |
| 42 | |
| 43 | RemoteHost Account Secret |
| 44 | Account RemoteHost Secret |
| 45 | |
| 46 | Note that you need both lines and that item 1 and 2 are swapped in the |
| 47 | second line. I'm not sure why you need it twice, but it works and I didn't |
| 48 | have time to look into it further. The "RemoteHost" is a somewhat |
| 49 | arbitrary name for the remote Windows NT system you're dialing. It doesn't |
| 50 | have to match the NT system's name, but it *does* have to match what you |
| 51 | use with the "remotename" parameter. The "Account" is the Windows NT |
| 52 | account name you have been told to use when dialing, and the "Secret" is |
| 53 | the password for that account. For example, if your service provider calls |
| 54 | their machine "DialupNT" and tells you your account and password are |
| 55 | "customer47" and "foobar", add the following to your chap-secrets file: |
| 56 | |
| 57 | DialupNT customer47 foobar |
| 58 | customer47 DialupNT foobar |
| 59 | |
| 60 | The only other thing you need to do for MS-CHAP (compared to normal CHAP) |
| 61 | is to always use the "remotename" option, either on the command line or in |
| 62 | your "options" file (see the pppd man page for details). In the case of |
| 63 | the above example, you would need to use the following command line: |
| 64 | |
| 65 | pppd name customer47 remotename DialupNT <other options> |
| 66 | |
| 67 | or add: |
| 68 | |
| 69 | name customer47 |
| 70 | remotename DialupNT |
| 71 | |
| 72 | to your PPPD "options" file. |
| 73 | |
| 74 | The "remotename" option is required for MS-CHAP since Microsoft PPP servers |
| 75 | don't send their system name in the CHAP challenge packet. |
| 76 | |
| 77 | |
| 78 | E=691 (AUTHENTICATION_FAILURE) ERRORS WHEN YOU HAVE THE VALID SECRET (PASSWORD) |
| 79 | |
| 80 | If your RAS server is not the domain controller and is not a 'stand-alone' |
| 81 | server then it must make a query to the domain controller for your domain. |
| 82 | |
| 83 | You need to specify the domain name with the user name when you attempt to |
| 84 | use this type of a configuration. The domain name is specified with the |
| 85 | local name in the chap-secrets file and with the option for the 'name' |
| 86 | parameter. |
| 87 | |
| 88 | For example, the previous example would become: |
| 89 | |
| 90 | DialupNT domain\\customer47 foobar |
| 91 | domain\\customer47 DialupNT foobar |
| 92 | |
| 93 | and |
| 94 | |
| 95 | pppd name 'domain\\customer47' remotename DialupNT <other options> |
| 96 | |
| 97 | or add: |
| 98 | |
| 99 | name domain\\customer47 |
| 100 | remotename DialupNT |
| 101 | |
| 102 | when the Windows NT domain name is simply called 'domain'. |
| 103 | |
| 104 | |
| 105 | TROUBLESHOOTING |
| 106 | |
| 107 | Assuming that everything else has been configured correctly for PPP and |
| 108 | CHAP, the MS-CHAP-specific problems you're likely to encounter are mostly |
| 109 | related to your Windows NT account and its settings. A Microsoft server |
| 110 | returns error codes in its CHAP response. The following are extracted from |
| 111 | RFC 2433: |
| 112 | |
| 113 | 646 ERROR_RESTRICTED_LOGON_HOURS |
| 114 | 647 ERROR_ACCT_DISABLED |
| 115 | 648 ERROR_PASSWD_EXPIRED |
| 116 | 649 ERROR_NO_DIALIN_PERMISSION |
| 117 | 691 ERROR_AUTHENTICATION_FAILURE |
| 118 | 709 ERROR_CHANGING_PASSWORD |
| 119 | |
| 120 | You'll see these in your pppd log as a line similar to: |
| 121 | |
| 122 | Remote message: E=649 R=0 |
| 123 | |
| 124 | The "E=" is the error number from the table above, and the "R=" flag |
| 125 | indicates whether the error is transient and the client should retry. If |
| 126 | you consistently get error 691, then either you're using the wrong account |
| 127 | name/password, or the DES library or MD4 hashing (in md4.c) aren't working |
| 128 | properly. Verify your account name and password (use a Windows NT or |
| 129 | Windows 95 system to dial-in if you have one available). If that checks |
| 130 | out, test the DES library with the "destest" program included with the DES |
| 131 | library. If DES checks out, the md4.c routines are probably failing |
| 132 | (system byte ordering may be a problem) or my code is screwing up. I've |
| 133 | only got access to a Linux system, so you're on your own for anything else. |
| 134 | |
| 135 | Another thing that might cause problems is that some RAS servers won't |
| 136 | respond at all to LCP config requests without seeing the word "CLIENT" |
| 137 | from the other end. If you see pppd sending out LCP config requests |
| 138 | without getting any reply, try putting something in your chat script |
| 139 | to send the word CLIENT after the modem has connected. |
| 140 | |
| 141 | STILL TO DO |
| 142 | |
| 143 | A site using only MS-CHAP to authenticate has no need to store cleartext |
| 144 | passwords in the "chap-secrets" file. A utility that spits out the ASCII |
| 145 | hex MD4 hash of a given password would be nice, and would allow that hash |
| 146 | to be used in chap-secrets in place of the password. The code to do this |
| 147 | could quite easily be lifted from chap_ms.c (you have to convert the |
| 148 | password to Unicode before hashing it). The chap_ms.c file would also have |
| 149 | to be changed to recognize a password hash (16 binary bytes == 32 ASCII hex |
| 150 | characters) and skip the hashing stage. This would have no real security |
| 151 | value as the hash is plaintext-equivalent. |