PPP Support for Microsoft's CHAP-81
===================================

Frank Cusack frank@google.com

Some text verbatim from README.MSCHAP80,
by Eric Rosenquist, rosenqui@strataware.com

INTRODUCTION

First, please read README.MSCHAP80; almost everything there applies here.
MS-CHAP was devised by Microsoft because, rather than storing plaintext
passwords, Windows stores the MD4 hash of each password. It provides no
security advantage over standard CHAP, since that stored hash is
password-equivalent: whoever obtains the hash can authenticate without
ever knowing the password. (Well, the Change-Password packet is arguably
an advantage.) It does introduce a significant weakness if the LM hash is
used, because the LM hash upper-cases the password and hashes it as two
independent 7-character halves, which makes it far cheaper to brute-force.
Additionally, the error code in the Failure packet tells an attacker more
than "wrong password": it distinguishes restricted logon hours, a disabled
account, an expired password or missing dial-in permission from a plain
authentication failure, which helps enumerate accounts. The weakness of
the LM hash is partly addressed in RFC 2433, which deprecates its use.

MS-CHAPv2 adds two benefits to MS-CHAP. (1) The LM hash is no longer
used. (2) Mutual authentication is required. Note that the mutual
authentication in MS-CHAPv2 is different from the case where both PPP
peers require authentication from the other; the former proves that
the server has access to the client's password (strictly, to its MD4
hash, which is all the server ever needs), the latter proves that the
server has access to a secret which the client also has -- which may or
may not be the same as the client's password (but should not be the
same, per RFC 1994). Whether this provides any actual benefit is
outside the scope of this document.

The details of MS-CHAPv2 can be found in the document:

    <http://www.ietf.org/rfc/rfc2759.txt>


BUILDING THE PPPD

In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1
hash algorithm. A public domain implementation is provided with pppd.


TROUBLESHOOTING

Assuming that everything else has been configured correctly for PPP and
CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly
related to your Windows NT account and its settings. A Microsoft server
returns error codes in its CHAP Failure packet. The following are extracted
from RFC 2759:

    646 ERROR_RESTRICTED_LOGON_HOURS
    647 ERROR_ACCT_DISABLED
    648 ERROR_PASSWD_EXPIRED
    649 ERROR_NO_DIALIN_PERMISSION
    691 ERROR_AUTHENTICATION_FAILURE
    709 ERROR_CHANGING_PASSWORD

You'll see these in your pppd log as a line similar to:

    Remote message: E=649 No dialin permission

Previously, pppd would log this as:

    Remote message: E=649 R=0

Now, the text message is logged (both for MS-CHAP and MS-CHAPv2).

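The Failure packet carrying those codes has the fixed layout
"E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
(RFC 2759 section 6). The parser below is an added example, not pppd's own
code (which is in C, in chap_ms.c; this is Go to match the other example on
this page): it decodes that message, maps the code to the RFC name from the
table above, renders the line the way current pppd logs it, and flags the
codes that disclose account state to the peer, the information leak the
introduction warns about. The sample messages in main() are constructed.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Failure is one decoded MS-CHAP(v2) Failure packet message (RFC 2759 section 6).
type Failure struct {
	Code      int
	Name      string // RFC 2759 name for Code, or "UNKNOWN"
	Retry     bool   // R=1: the client may retry against the new challenge in C=
	Challenge []byte // 16-octet challenge for that retry, if present
	Version   int    // V=3 for MS-CHAPv2
	Message   string // free text after M=, which pppd now logs verbatim
}

var failureNames = map[int]string{
	646: "ERROR_RESTRICTED_LOGON_HOURS",
	647: "ERROR_ACCT_DISABLED",
	648: "ERROR_PASSWD_EXPIRED",
	649: "ERROR_NO_DIALIN_PERMISSION",
	691: "ERROR_AUTHENTICATION_FAILURE",
	709: "ERROR_CHANGING_PASSWORD",
}

// ParseFailure decodes "E=eeeeeeeeee R=r C=cccc... V=vvvvvvvvvv M=<msg>".
// Only E= is required here; M= takes the rest of the message, spaces included.
func ParseFailure(msg string) (Failure, error) {
	f := Failure{Name: "UNKNOWN"}
	fields := msg
	if i := strings.Index(msg, "M="); i >= 0 {
		f.Message, fields = msg[i+2:], msg[:i]
	}
	seenE := false
	for _, kv := range strings.Fields(fields) {
		if len(kv) < 2 || kv[1] != '=' {
			return f, fmt.Errorf("malformed field %q", kv)
		}
		val := kv[2:]
		var err error
		switch kv[0] {
		case 'E':
			f.Code, err = strconv.Atoi(val)
			seenE = true
		case 'R':
			f.Retry = val == "1"
		case 'C':
			f.Challenge, err = hex.DecodeString(val)
			if err == nil && len(f.Challenge) != 16 {
				err = fmt.Errorf("challenge is %d octets, want 16", len(f.Challenge))
			}
		case 'V':
			f.Version, err = strconv.Atoi(val)
		default:
			err = fmt.Errorf("unknown field %q", kv)
		}
		if err != nil {
			return f, err
		}
	}
	if !seenE {
		return f, fmt.Errorf("no E= error code in %q", msg)
	}
	if name, ok := failureNames[f.Code]; ok {
		f.Name = name
	}
	return f, nil
}

// LeaksAccountState reports whether the code tells the peer something about the
// account beyond "wrong password" (codes 646-649 all do).
func LeaksAccountState(f Failure) bool {
	return f.Code >= 646 && f.Code <= 649
}

// LogLine renders the message in the form current pppd logs it.
func LogLine(f Failure) string {
	return fmt.Sprintf("Remote message: E=%d %s", f.Code, f.Message)
}

func main() {
	// Constructed sample failure messages in the RFC 2759 layout.
	samples := []string{
		"E=649 R=0 C=5B5D7C7D7B3F2F3E3C2C602132262628 V=3 M=No dialin permission",
		"E=691 R=1 C=21402324255E262A28295F2B3A337C7E V=3 M=Authentication failure",
		"E=999 R=0 V=3",
	}
	for _, s := range samples {
		f, err := ParseFailure(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s  [%s retry=%v leaks=%v]\n", LogLine(f), f.Name, f.Retry, LeaksAccountState(f))
	}
}
```

When auditing a RAS or RADIUS deployment, run the captured Failure messages
through something like this and look at the LeaksAccountState column: a
server that answers 647 or 649 for one user name and 691 for another is
confirming to an unauthenticated peer which accounts exist.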