
From: Wil Cooley (wcooley@nakedape.cc)
Date: Tue Feb 13 2001 - 15:44:27 CST


    Thus spake Steve Langasek:
    > On Tue, 13 Feb 2001, Michael Klein wrote:

    > > I was hoping to stick w/chap. I realize pap has the login option...but I
    > > wanted something slightly more secure...

    > The idea that CHAP is more secure than PAP is a laughable one, which
    > unfortunately has received a good deal of encouragement from such
    > parties as Microsoft. CHAP unavoidably requires keeping a centralized
    > archive of all passwords in plaintext on the server. Given that most
    > PPP connections are not sniffable from the Internet, and given that
    > most PPP *servers* /can/ be attacked from the Internet, it is almost
    > always preferable to send cleartext-equivalent passwords on the wire and
    > store one-way hashed passwords on the server, not the other way around.

    I have to disagree here, and I've only recently found reason to. In a
    lot of configurations nowadays, large ISPs with lots of RASes like UUNet,
    MegaPop, etc, sell dial-in to smaller regional ISPs, and use proxy RADIUS
    to accomplish this. If I understand CHAP correctly (and I'm sure someone
    will tell me if I'm wrong), the challenge happens between the RAS and
    end RADIUS server--so the password will never pass through the proxy
    RADIUS servers and the Internet in clear text. That said, I've never
    used CHAP and haven't read much about it. I could also be wrong about
    the nature of communication between RADIUS servers; I haven't read up
    on the RADIUS protocol.

    Wil

    -- 
    W. Reilly Cooley                         wcooley@nakedape.cc
    Naked Ape Consulting                      http://nakedape.cc
    LNXS: Linux/GNU for servers, networks, and   http://lnxs.org
    people who take care of them.  *Now with integrated crypto!*
    irc.openprojects.net                                   #lnxs
    

    The first Rotarian was the first man to call John the Baptist "Jack." -- H.L. Mencken

    _______________________________________________
    Pam-list mailing list
    Pam-list@redhat.com
    https://listman.redhat.com/mailman/listinfo/pam-list
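The trade-off the two posters are arguing about, as an added example that is not part of the original thread or either author's code: plain CHAP as specified in RFC 1994 (MD5 over identifier, secret and challenge) forces the verifier to hold the secret itself, while PAP lets the server keep only a salted one-way hash; and on the proxy-RADIUS path Cooley describes, a forwarding proxy relays only CHAP-Challenge and CHAP-Password, whereas it must decode and re-encode a PAP User-Password for the next hop and so recovers it. All function names, the challenge, salt and passwords below are constructed for illustration; the PBKDF2 store is a stand-in for whatever hashed store a real PAP server would use.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor for the toy PAP store (constructed value)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_enroll(password: bytes) -> bytes:
    """What a CHAP server must keep: the secret itself. Any one-way transform
    would leave chap_verify unable to recompute the response."""
    return password


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_enroll(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a PAP server can keep: a salted one-way hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def pap_verify(password: bytes, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def proxy_sees_chap(identifier: int, challenge: bytes, response: bytes) -> dict:
    """Attributes a proxy RADIUS server relays for CHAP (RFC 2865 layout:
    CHAP-Password = Identifier || Response, plus CHAP-Challenge)."""
    return {"CHAP-Password": bytes([identifier]) + response, "CHAP-Challenge": challenge}


def proxy_sees_pap(password: bytes) -> dict:
    """RADIUS hides User-Password with each hop's shared secret, but a proxy
    decodes it and re-encodes it for the next hop, so it holds the password."""
    return {"User-Password": password}


def demo(password: bytes = b"correct horse", wrong: bytes = b"wrong horse") -> dict:
    """Run both authenticators once and report what each side stores and sees."""
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed challenge
    ident = 7

    # CHAP: server holds the plaintext secret, wire carries challenge/response only
    chap_record = chap_enroll(password)
    resp = chap_response(ident, password, challenge)
    chap_ok = chap_verify(ident, chap_record, challenge, resp)
    chap_bad = chap_verify(ident, wrong, challenge, resp)

    # PAP: wire carries the password, server holds only a salted hash
    salt, digest = pap_enroll(password, salt=b"\x01" * 16)  # fixed salt so the run is repeatable
    pap_ok = pap_verify(password, salt, digest)
    pap_bad = pap_verify(wrong, salt, digest)

    return {
        "chap_accepts_right": chap_ok,
        "chap_rejects_wrong": not chap_bad,
        "pap_accepts_right": pap_ok,
        "pap_rejects_wrong": not pap_bad,
        # what a compromise of the *server's* store yields
        "chap_store_reveals_password": chap_record == password,
        "pap_store_reveals_password": password in (salt, digest),
        # what an intermediate proxy RADIUS hop gets to see
        "chap_proxy_sees_password": password in proxy_sees_chap(ident, challenge, resp).values(),
        "pap_proxy_sees_password": password in proxy_sees_pap(password).values(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both authenticators accept the right password and reject the wrong one; the difference is where the secret has to exist. A leaked CHAP store hands over every password directly, which is Langasek's point, while a proxy on the RADIUS path only ever handles a challenge and a 16-byte MD5 response, which is Cooley's. Which risk dominates depends on whether the server store or the proxy path is the more exposed piece of a given deployment.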