On 11 Mar 2003, Tim Fournet wrote:

> I'm not sure that's possible, and I'm having trouble finding out where
> to go to go about this. I've currently got individual user accounts able
> to authenticate on the machine, however the pptp daemon doesn't seem to
> be using any of the PAM configurations I try.

It doesn't (and can't AFAICT) use PAM for MS-CHAP authentication.

> Can someone explain a little better how authentication happens in PPTP?

See:

http://www.faqs.org/rfcs/rfc2433.html
http://www.faqs.org/rfcs/rfc2759.html

> I see that it can
> happen in either the chap-secrets file, or the system passwd database.

No, the chap-secrets file, or the smbpasswd file. The bottom line is that 
the ppp daemon must have access to the NT hashed form of the user's 
password. It never sees the cleartext form of the password.

> Does it even use PAM? 

No.

> Can I make it do so, or use some other means to authenticate against
> samba?

It's essentially authenticating against samba anyway, since it's using 
samba's password database. If you mean "against samba running on another 
machine" then I don't think that's possible(*). That would be a 
man-in-the-middle attack, which is what the cryptographic handshake is 
intended to prevent.

(*) Unless you can set up a trust relationship with the other machine so 
that you can get access to its smbpasswd file. Or equivalent, in the case 
of an NT domain master.

--
Charlie Brady                         [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group
Mitel Networks Corporation      http://www.mitel.com/smallbusiness
Phone: +1 (613) 592 5660 or 592 2122  Fax: +1 (613) 592 1175


