-PPP Client Support for Microsoft's CHAP-80
-==========================================
+PPP Support for Microsoft's CHAP-80
+===================================
Eric Rosenquist rosenqui@strataware.com
(updated by Paul Mackerras)
(updated by Al Longyear)
+(updated by Farrell Woods)
+(updated by Frank Cusack)
INTRODUCTION
the password were stored in cleartext.) The details of the Microsoft
extensions can be found in the document:
- <ftp://ftp.microsoft.com/developr/rfc/chapexts.txt>
+ <http://www.ietf.org/rfc/rfc2433.txt>
In short, MS-CHAP is identified as <auth chap 80> since the hex value
of 80 is used to designate Microsoft's scheme. Standard PPP CHAP uses
Windows NT Server systems are often configured to "Accept only
Microsoft Authentication" (this is intended to enhance security). Up
until now, that meant that you couldn't use this version of PPPD to
-connect to such a system. I've managed to get a client-only
-implementation of MS-CHAP working; it will authenticate itself to
-another system using MS-CHAP, but if you're using PPPD as a dial-in
-server, you won't be able to use MS-CHAP to authenticate the clients.
-This would not be a lot of extra work given that the framework is in
-place, but I didn't need it myself so I didn't implement it.
+connect to such a system.
BUILDING THE PPPD
MS-CHAP uses a combination of MD4 hashing and DES encryption for
-authentication. You'll need to get Eric Young's libdes library in
-order to use my MS-CHAP extensions. You can find it in:
+authentication. You may need to get Eric Young's libdes library in
+order to use my MS-CHAP extensions. A lot of UNIX systems already
+have DES encryption available via the crypt(3), encrypt(3) and
+setkey(3) interfaces. Some may (such as that on Digital UNIX)
+provide only the encryption mechanism and will not perform
+decryption. This is okay. We only need to encrypt to perform
+MS-CHAP authentication.
+
+If you have encrypt/setkey available, then hopefully you need only
+define these two things in your Makefile: -DUSE_CRYPT and -DCHAPMS.
+Skip the paragraphs below about obtaining and building libdes. Do
+the "make clean" and "make" as described below. Linux users
+should not need to modify their Makefiles. Instead,
+just do "make CHAPMS=1 USE_CRYPT=1".
+
+If you don't have encrypt and setkey, you will need Eric Young's
+libdes library. You can find it in:
ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.psy.uq.oz.au/DES/libdes-3.06.tar.gz
also. Get the library, build and test it on your system, and install
it somewhere (typically /usr/local/lib and /usr/local/include).
+
+
You should now be ready to (re)compile the PPPD. Go to the pppd
subdirectory and make sure the Makefile contains "-DCHAPMS" in the
CFLAGS or COMPILE_FLAGS macro, and that the LIBS macro (or LDADD for
CHAP, the MS-CHAP-specific problems you're likely to encounter are mostly
related to your Windows NT account and its settings. A Microsoft server
returns error codes in its CHAP response. The following are extracted from
-Microsoft's "chapexts.txt" file referenced above:
+RFC 2433:
646 ERROR_RESTRICTED_LOGON_HOURS
647 ERROR_ACCT_DISABLED
(system byte ordering may be a problem) or my code is screwing up. I've
only got access to a Linux system, so you're on your own for anything else.
+Another thing that might cause problems is that some RAS servers won't
+respond at all to LCP config requests without seeing the word "CLIENT"
+from the other end. If you see pppd sending out LCP config requests
+without getting any reply, try putting something in your chat script
+to send the word CLIENT after the modem has connected.
+
If everything compiles cleanly, but fails at authentication time, then
it might be a case of the MD4 or DES code screwing up. The following
small program can be used to test the MS-CHAP code to see if it
int main(argc, argv)
int argc;
- char *argv[0];
+ char *argv[];
{
u_char challenge[8];
int challengeInt[sizeof(challenge)];
for (i = 0; i < sizeof(challenge); i++)
challenge[i] = (u_char)challengeInt[i];
- ChapMS(&cstate, challenge, sizeof(challenge), argv[2], strlen(argv[2]));
+ ChapMS(&cstate, challenge, argv[2], strlen(argv[2]),
+ (MS_ChapResponse *)&cstate.response);
printf("Response length is %d, response is:", cstate.resp_length);
for (i = 0; i < cstate.resp_length; i++) {
}
-------------
-This needs to link against chap_ms.o, md4.o, and the DES library. When
-you run it with the command line:
+This needs to link against chap_ms.o, md4.o, sha1.o and the DES library.
+When you run it with the command line:
$ testchap 00000000000000000000000000000000 hello
could quite easily be lifted from chap_ms.c (you have to convert the
password to Unicode before hashing it). The chap_ms.c file would also have
to be changed to recognize a password hash (16 binary bytes == 32 ASCII hex
-characters) and skip the hashing stage.
-
-A server implementation would allow MS-CHAP to be used with Windows NT and
-Windows 95 clients for enhanced security. Some new command-line options
-would be required, as would code to generate the Challenge packet and
-verify the response. Most of the helper functions are in place, so this
-shouldn't be too hard for someone to add.
+characters) and skip the hashing stage. This would have no real security
+value as the hash is plaintext-equivalent.
projects / ppp.git / blobdiff