Date:      09 May 2002 20:17:41 -0700
From:      Matthew Braithwaite <matt@braithwaite.net>
To:        Archie Cobbs <archie@dellroad.org>
Cc:        Matthew Braithwaite <matt@braithwaite.net>, dgilbert@velocet.ca, freebsd-net@FreeBSD.ORG
Subject:   Re: mpd-netgraph problem.
Message-ID:  <86bsbo6696.fsf@limekiller.braithwaite.net>
In-Reply-To: <200205092357.g49Nvb204332@arch20m.dellroad.org>
References:  <200205092357.g49Nvb204332@arch20m.dellroad.org>

On Thu, 9 May 2002 16:57:37 -0700 (PDT), Archie Cobbs <archie@dellroad.org> said:
> 
>> Let me see if I understand: a key used in CHAP authentication is
>> also used for MPPE.  However, I authenticate twice, once using CHAP
>> MSOFTv2 and once using CHAP MSOFTv2 -- and you think mpd is
>> choosing the MPPE key from the wrong one of these two
>> authentications?
> 
> Once using MSOFTv2 and then a second time using MSOFTv1.
> According to RFC 3079, you should generate the keys from
> the first authentication. However, this is impossible because
> your server is never completing that authentication.

So I assume that a completed authentication looks like this:

  [vpn] CHAP: rec'd CHALLENGE #173
   Name: "10.16.97.5"
   Using authname "XXX"
  [vpn] CHAP: sending RESPONSE
  [vpn] CHAP: rec'd SUCCESS #173

i.e. the `received SUCCESS' is the important bit.  You say that it's
impossible to use the keys from the first authentication because the
server doesn't complete it.  So that means that after I send my
response to the server's challenge, the server sends back some string
of bits I need for encryption ... is that what this bit of code does?

	/* Need to remember MS-CHAP stuff for use with MPPE encryption */
	if (chap->recv_alg == CHAP_ALG_MSOFTv2) {
	  if (!memcmp(bund->peer_ntResp, gMsoftZeros, CHAP_MSOFTv2_RESP_LEN)) {
	    memcpy(bund->peer_ntResp,
	      chap_value + offsetof(struct mschapv2value, ntHash),
	      CHAP_MSOFTv2_RESP_LEN);
	  }
	}

If the response to my first authentication is what I need to encrypt
my traffic, it seems unreasonable of the server not to send it.

(One thing that's odd about my authentication -- this was pointed out
to me by the Windows boys, whom I'm sorry I dissed -- is that all the
Windows users seem to authenticate as ``domain\\user'' whereas I
authenticate as just ``user''.  Who knows what that difference might
tickle.)

Do you have any suggestions for stuff I can try?  I've been hacking at
the mpd code a little bit, but I'm pretty ignorant, so it's slow
going.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86bsbo6696.fsf>