----- Original Message -----
From: Orlando Andico
To: Philippine Linux Users' Group (PLUG) Technical Discussion List
Sent: Wednesday, April 12, 2006 5:28 PM
Subject: Re: [plug] Hotspot Howto
Yes this is true. Hence your PPP configuration should require MSCHAPv2.
it's a configuration setting. :)
yup :-> and i dont allowed any authentication method except for mschapv2 in
order the client to force to use it for their protection...
forgive my ignorance in this case, as i haven't used windows-based server
stuff for ages and i wasn't aware that NT hashed password could do this..
me neither because my setup didnt use any microsoft products on the server
side... it is all open source... what important most you understand how
certain protocol works...
but here is what really happened... when client send a password to a server
using mschapv2... it uses MD4 to encrypt and send it to the server.. the
server receives the password in encrypted form and you cant decrypt it
because it is a one-way hash... since it encrypted using MD4... you cant
compare that to an MD5() or crypt() stored password (as what you have
said)... in order to use the encrypted stored password (for another security
level) with mschapv2... you must use and store the MD4(cleartext password)
results to your database then compare it...
and so in the spirit of software libre, if providing a solution is THAT
SIMPLE
(i.e. just integrating existing F/OSS software) then the "correct" response
to
inquiries from others is not "I can't tell you more" but "use this package
and
this package, and you will be able to do it."
i can simply point the poster to an URL that will answer to his question but
i cant due to the fact that i find security implications with their
design... use this package and that package using a wrong configuration on
their side without the full details on how to do it is still useless :->
im willing to disclose it but my job prevents me to do such things...
fooler.
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
