From: Michael Klein (mkleinvitria.com)
Date: Tue Feb 13 2001 - 15:10:42 CST

    Thanks for the info.

    I'll probably switch back to pap since it's a little cleaner/easier.

    I realize that most REAL dial-in servers probably have Radius or some other
    custom authentication mechanism...I just wanted the 'best' solution for my
    little home-grown server box...

    As I'm coming up on *nix, I'm getting tired of remembering every little dang
    password and such (htpasswd for apache, smbpasswd for samba, chap/pap for
    ppp, etc.), and would like everything to use PAM and LDAP if possible...

    mike

    -----Original Message-----
    From: Steve Langasek [mailto:vorlonnetexpress.net]
    Sent: Tuesday, February 13, 2001 12:45 PM
    To: 'pam-listredhat.com'
    Subject: RE: [PAM] PPP and PAM

    On Tue, 13 Feb 2001, Michael Klein wrote:

    > I was hoping to stick w/chap. I realize pap has the login option...but I
    > wanted something slightly more secure...

    The idea that CHAP is more secure than PAP is a laughable one, which
    unfortunately has received a good deal of encouragement from such parties as
    Microsoft. CHAP unavoidably requires keeping a centralized archive of all
    passwords in plaintext on the server. Given that most PPP connections are not
    sniffable from the Internet, and given that most PPP *servers* /can/ be
    attacked from the Internet, it is almost always preferable to send
    cleartext-equivalent passwords on the wire and store one-way hashed passwords
    on the server, not the other way around.

    CHAP does have its place as a security mechanism, but that place is almost
    never on a machine that uses Linux-PAM.

    > And I'm not really sure that the login option has anything to do with pam. I
    > believe this works because it goes directly to /etc/passwd (the system
    > password database).

    > If it used pam, then pam would be determining where it would go (ldap,
    > etc/passwd, etc.). Maybe just the man page for the login option of pppd is
    > out-of-date.

    This is probably the case. I imagine that PAM support was added as a
    compile-time option, whereas the manpages remain the same whether or not PAM
    is compiled in.

    Steve Langasek
    postmodern programmer

    _______________________________________________
    Pam-list mailing list
    Pam-listredhat.com
    https://listman.redhat.com/mailman/listinfo/pam-list
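The tradeoff Steve describes above, as an added example that is not part of the original thread: a CHAP verifier (RFC 1994 MD5 algorithm) can only check a response if it holds the cleartext secret, whereas a PAP verifier can check the password it receives against a stored one-way hash. The function names, the use of PBKDF2 for the PAP store and the sample secrets are my own assumptions, not anything from pppd or Linux-PAM.

```python
import hashlib
import hmac
import os

# --- CHAP (RFC 1994, MD5 algorithm) ---------------------------------------
# Response = MD5(Identifier || secret || Challenge). Both peers must hold the
# same cleartext secret, so the server's password store has to be cleartext.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: compute the CHAP response for a server challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute the response; this needs the cleartext secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

# --- PAP against a hashed password store -----------------------------------
# The password itself travels on the wire, but the server keeps only a salted
# PBKDF2 hash, so a compromised store does not hand out usable passwords.

def pap_enroll(password: bytes, salt: bytes = b"") -> tuple:
    """Create the server-side record (salt, hash); salt is random by default."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return salt, digest

def pap_verify(record: tuple, password: bytes) -> bool:
    """Server side: hash the received password and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    """Show both outcomes with a constructed secret and challenge."""
    secret = b"correct horse"              # constructed sample secret
    challenge = os.urandom(16)              # constructed server challenge
    resp = chap_response(1, secret, challenge)
    # A server that only stored a hash of the secret cannot verify CHAP.
    hashed_only = hashlib.sha256(secret).digest()
    record = pap_enroll(secret)
    return {
        "chap_cleartext_store": chap_verify(1, secret, challenge, resp),
        "chap_hashed_store": chap_verify(1, hashed_only, challenge, resp),
        "pap_hashed_store": pap_verify(record, secret),
        "pap_wrong_password": pap_verify(record, b"wrong"),
    }
```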