[ale] Another questions in regards to ppp

Ken Kennedy kkennedy at kenzoid.com
Tue Jan 22 23:08:18 EST 2002


On Tue, Jan 22, 2002 at 08:44:34PM -0500, Chris Fowler wrote:

> To me a phone connection is fairly tight to begin with.  I would be more
> concerned when using pppd in a tunneling environment.  I use this.  

Oh, I agree, the phone line is much less likely to be "sniffed" than a
PPP over Ethernet connection. I meant to mention that in my earlier
post...*grin*.


> I just do not understand the relationship of chap + pppd.  To begin
> with, to log in as pppuser I have to send username and unix password
> over the phone line.  I then need to be able to support mschap,
> pap, chap.  This will be placed in an embedded device.

Gotcha...well, PPP is just the networking protocol. PAP, CHAP, and
MSCHAP are all authentication methods used with the protocol. You
could run PPP without any authentication at all...anyone who dialed in
would automatically be connected! Instead, most of the time people use
some sort of userid/password authentication to ensure that someone
dialing in is authorized to use the PPP link.

PAP is the most basic authentication protocol. It's just a request for
the userid and password over the link, and the information is passed
in the clear. 

CHAP stands for Challenge Handshake Authentication Protocol. It's a
means of authenticating the userid and password without actually
passing them over the link in the clear. The server sends a
"challenge", which is encrypted by the client and returned, along with
an ID that allows the server to verify that the encryption is
correct. (I'm simplifying slightly, but the basics are correct). The
point is that the random challenge allows the secret (password) to be
verified without ever being passed in the clear over the network, and
without allowing an eavesdropper to impersonate the client at a later
date. So it's good...*grin*

MS-CHAP is a Microsoft-specific extension (surprise, surprise!) to the
basic CHAP protocol. The original implementation of the extension by
MS was proven to be insecure (again, surprise, surprise! *grin*) some
time back. I believe they have reworked it since...

That help?

Ken Kennedy



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.





