From: Steve Langasek (vorlon@netexpress.net)
Date: Tue Feb 13 2001 - 14:44:34 CST

    On Tue, 13 Feb 2001, Michael Klein wrote:

    > I was hoping to stick w/chap. I realize pap has the login option...but I
    > wanted something slightly more secure...

    The idea that CHAP is more secure than PAP is a laughable one, which
    unfortunately has received a good deal of encouragement from such parties as
    Microsoft. CHAP unavoidably requires keeping a centralized archive of all
    passwords in plaintext on the server. Given that most PPP connections are not
    sniffable from the Internet, and given that most PPP *servers* /can/ be
    attacked from the Internet, it is almost always preferable to send
    cleartext-equivalent passwords on the wire and store one-way hashed passwords
    on the server, not the other way around.

    CHAP does have its place as a security mechanism, but that place is almost
    never on a machine that uses Linux-PAM.

    > And I'm not really sure that the login option has anything to do with pam. I
    > believe this works because it goes directly to /etc/passwd (the system
    > password database).

    > If it used pam, then pam would be determining where it would go (ldap,
    > etc/passwd, etc.). Maybe just the man page for the login option of pppd is
    > out-of-date.

    This is probably the case. I imagine that PAM support was added as a
    compile-time option, whereas the manpages remain the same whether or not PAM
    is compiled in.

    Steve Langasek
    postmodern programmer

    _______________________________________________
    Pam-list mailing list
    Pam-list@redhat.com
    https://listman.redhat.com/mailman/listinfo/pam-list
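The trade-off Steve describes above, as an added Python illustration that is not part of the original thread and not code from pppd or Linux-PAM: CHAP with the MD5 algorithm (RFC 1994) can only be verified by recomputing the response from the secret itself, so the server's database must hold that secret, whereas a PAP server receives the password on the wire and can keep nothing but a salted one-way hash. The record layouts, the PBKDF2 parameters and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the PAP-side hash


# --- CHAP, MD5 algorithm (RFC 1994) -------------------------------------------
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_server_record(username: str, secret: bytes) -> dict:
    """Server side: the secret itself must be kept, because every later
    verification recomputes the MD5 over it (assumed record layout)."""
    return {"user": username, "secret": secret}


def chap_server_verify(record: dict, identifier: int, challenge: bytes, response: bytes) -> bool:
    """The server can only check the response by using its stored plaintext secret."""
    expected = chap_response(identifier, record["secret"], challenge)
    return hmac.compare_digest(expected, response)


# --- PAP ------------------------------------------------------------------------
def pap_server_record(username: str, password: bytes, salt: bytes = b"") -> dict:
    """Server side: the password arrives in the clear, so only a salted
    one-way hash needs to be stored (assumed record layout)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return {"user": username, "salt": salt, "digest": digest}


def pap_server_verify(record: dict, password: bytes) -> bool:
    """The server hashes the presented password and compares digests."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


def stored_on_server(record: dict) -> str:
    """What the server-side database actually contains for each scheme."""
    return "plaintext secret" if "secret" in record else "salted one-way hash only"


if __name__ == "__main__":
    challenge = os.urandom(16)
    crec = chap_server_record("alice", b"correct horse")  # constructed credentials
    print("CHAP verifies:", chap_server_verify(crec, 7, challenge, chap_response(7, b"correct horse", challenge)))
    prec = pap_server_record("alice", b"correct horse")
    print("PAP verifies:", pap_server_verify(prec, b"correct horse"))
    print("CHAP server holds:", stored_on_server(crec))
    print("PAP server holds:", stored_on_server(prec))
```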