PPP Support for Microsoft's CHAP-81
===================================

Frank Cusack frank@google.com

Some text verbatim from README.MSCHAP80,
by Eric Rosenquist, rosenqui@strataware.com

INTRODUCTION

First, please read README.MSCHAP80; almost everything there applies here.
MS-CHAP was devised by Microsoft because, rather than storing plaintext
passwords, they store the MD4 hash of passwords. It provides no advantage
over standard CHAP, since the hash is used as a plaintext equivalent.
(Well, the Change-Password packet is arguably an advantage.) It does
introduce a significant weakness if the LM hash is used. Additionally,
the format of the failure packet potentially gives information to an
attacker. The weakness of the LM hash is partly addressed in RFC 2433,
which deprecates its use.

MS-CHAPv2 adds two benefits to MS-CHAP. (1) The LM hash is no longer
used. (2) Mutual authentication is required. Note that the mutual
authentication in MS-CHAPv2 is different from the case where both PPP
peers require authentication from the other: the former proves that
the server has access to the client's password, the latter proves that
the server has access to a secret which the client also has -- which
may or may not be the same as the client's password (but should not be
the same, per RFC 1994). Whether this provides any actual benefit is
outside the scope of this document. The details of MS-CHAPv2 can be
found in the document:

    <http://www.ietf.org/rfc/rfc2759.txt>


BUILDING THE PPPD

In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1
hash algorithm. A public domain implementation is provided with pppd.


TROUBLESHOOTING

Assuming that everything else has been configured correctly for PPP and
CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly
related to your Windows NT account and its settings. A Microsoft server
returns error codes in its CHAP response. The following are extracted from
RFC 2759:

    646 ERROR_RESTRICTED_LOGON_HOURS
    647 ERROR_ACCT_DISABLED
    648 ERROR_PASSWD_EXPIRED
    649 ERROR_NO_DIALIN_PERMISSION
    691 ERROR_AUTHENTICATION_FAILURE
    709 ERROR_CHANGING_PASSWORD

You'll see these in your pppd log as a line similar to:

    Remote message: E=649 No dialin permission

Previously, pppd would log this as:

    Remote message: E=649 R=0

Now, the text message is logged (both for MS-CHAP and MS-CHAPv2).
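As an added example (not pppd's own code), the following Python parses the text of an MS-CHAP(v2) Failure packet into its fields and renders it the way the log line above shows, using the error-code table from this README. The full "E= R= C= V= M=" field layout is taken from RFC 2759 section 6; the sample strings are constructed, and the fallback to the code name when the server sends no M= text is this example's own choice.

```python
import re
from typing import Dict, Optional

# Error codes a Microsoft server may return in an MS-CHAP(v2) Failure
# packet (the subset listed in RFC 2759 and in this README).
MSCHAP_ERROR_NAMES: Dict[int, str] = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Failure message layout per RFC 2759 section 6:
#   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
# R=1 means the client may retry, C= is a new 16-octet challenge in hex,
# V=3 marks MS-CHAPv2. Everything after E= is treated as optional here.
_FAILURE_RE = re.compile(
    r"^E=(?P<code>\d+)"
    r"(?:\s+R=(?P<retry>[01]))?"
    r"(?:\s+C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<version>\d+))?"
    r"(?:\s+M=(?P<message>.*))?$"
)


def parse_failure(msg: str) -> Optional[dict]:
    """Split a Failure packet's text into fields; None if it is not E=-formed."""
    m = _FAILURE_RE.match(msg.strip())
    if m is None:
        return None
    code = int(m.group("code"))
    return {
        "code": code,
        "name": MSCHAP_ERROR_NAMES.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",
        "challenge": m.group("challenge").lower() if m.group("challenge") else None,
        "version": int(m.group("version")) if m.group("version") else None,
        "message": m.group("message"),
    }


def log_line(msg: str) -> str:
    """Render the failure as 'Remote message: E=<code> <server text>'.

    The server's M= text is used when present (as pppd now logs it);
    otherwise the RFC 2759 code name is substituted (this example's choice).
    """
    f = parse_failure(msg)
    if f is None:
        return f"Remote message: {msg}"
    text = f["message"] if f["message"] else f["name"]
    return f"Remote message: E={f['code']} {text}"
```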