From owner-freebsd-net Thu May 9 20:17:48 2002
Delivered-To: freebsd-net@freebsd.org
Received: from spontoon.braithwaite.net (spontoon.braithwaite.net [207.135.122.130]) by hub.freebsd.org (Postfix) with ESMTP id 3F23837B404 for ; Thu, 9 May 2002 20:17:44 -0700 (PDT)
Received: from dogberry.braithwaite.net (nat-236-141.cnet.com [64.124.236.141]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "dogberry.braithwaite.net", Issuer "Braithwaite's Certifying Authority" (verified OK)) by spontoon.braithwaite.net (Postfix) with ESMTP id D249F7DF03; Thu, 9 May 2002 20:17:42 -0700 (PDT)
Received: by dogberry.braithwaite.net (Postfix, from userid 1001) id 7D6F0924F; Thu, 9 May 2002 20:17:41 -0700 (PDT)
From: Matthew Braithwaite
To: Archie Cobbs
Cc: Matthew Braithwaite, dgilbert@velocet.ca, freebsd-net@FreeBSD.ORG
Subject: Re: mpd-netgraph problem.
References: <200205092357.g49Nvb204332@arch20m.dellroad.org>
Date: 09 May 2002 20:17:41 -0700
In-Reply-To: <200205092357.g49Nvb204332@arch20m.dellroad.org>
Message-ID: <86bsbo6696.fsf@limekiller.braithwaite.net>
Lines: 48
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 9 May 2002 16:57:37 -0700 (PDT), Archie Cobbs said:
>
>> Let me see if I understand: a key used in CHAP authentication is
>> also used for MPPE. However, I authenticate twice, once using CHAP
>> MSOFTv2 and once using CHAP MSOFTv2 -- and you think mpd is
>> choosing the MPPE key from the wrong one of these two
>> authentications?
>
> Once using MSOFTv2 and then a second time using MSOFTv1.
> According to RFC 3079, you should generate the keys from
> the first authentication. However, this is impossible because
> your server is never completing that authentication.
So I assume that a completed authentication looks like this:

    [vpn] CHAP: rec'd CHALLENGE #173
    Name: "10.16.97.5"
    Using authname "XXX"
    [vpn] CHAP: sending RESPONSE
    [vpn] CHAP: rec'd SUCCESS #173

i.e. the `received SUCCESS' is the important bit.

You say that it's impossible to use the keys from the first
authentication because the server doesn't complete it.  So that means
that after I send my response to the server's challenge, the server
sends back some string of bits I need for encryption ... is that what
this bit of code does?

    /* Need to remember MS-CHAP stuff for use with MPPE encryption */
    if (chap->recv_alg == CHAP_ALG_MSOFTv2) {
        /* Only capture the first response: the buffer is still all zeros */
        if (!memcmp(bund->peer_ntResp, gMsoftZeros, CHAP_MSOFTv2_RESP_LEN)) {
            memcpy(bund->peer_ntResp,
                chap_value + offsetof(struct mschapv2value, ntHash),
                CHAP_MSOFTv2_RESP_LEN);
        }
    }

If the response to my first authentication is what I need to encrypt my
traffic, it seems unreasonable of the server not to send it.

(One thing that's odd about my authentication -- this was pointed out
to me by the Windows boys, whom I'm sorry I dissed -- is that all the
Windows users seem to authenticate as ``domain\\user'' whereas I
authenticate as just ``user''.  Who knows what that difference might
tickle.)

Do you have any suggestions for stuff I can try?  I've been hacking at
the mpd code a little bit, but I'm pretty ignorant, so it's slow going.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
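The RFC 3079 derivation Archie refers to is worth seeing end to end. The following is an added example written for this archive page; it is not mpd's code and not part of either poster's message. It implements GetMasterKey() and GetAsymmetricStartKey() from RFC 3079 section 3.3 (MS-CHAPv2 to MPPE 128-bit start keys) with the standard library's SHA-1, and adds a small state holder that mirrors the quoted mpd check: the 24-octet NT-Response is kept only from an MS-CHAPv2 exchange and only while the stored buffer is still all zeros, so a later MS-CHAPv1 round cannot replace it. The function and class names, the algorithm labels passed to record(), and the sample PasswordHashHash and NT-Response bytes are constructed here for illustration and are not real credentials or captured traffic.

```python
# Added example (not mpd's code): RFC 3079 section 3.3 MPPE key derivation
# from an MS-CHAPv2 exchange, plus a holder that mirrors the "remember the
# first NT-Response" check quoted from mpd in the message above.
import hashlib

# Constants from RFC 3079 section 3.3.
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHSPAD1 = b"\x00" * 40
SHSPAD2 = b"\xf2" * 40
assert (len(MAGIC1), len(MAGIC2), len(MAGIC3)) == (27, 84, 84)

NT_RESPONSE_LEN = 24            # CHAP_MSOFTv2_RESP_LEN in the mpd snippet
ZEROS = bytes(NT_RESPONSE_LEN)  # plays the role of gMsoftZeros


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey(): SHA1(PasswordHashHash || NTResponse || Magic1)[:16]."""
    if len(password_hash_hash) != 16 or len(nt_response) != NT_RESPONSE_LEN:
        raise ValueError("PasswordHashHash must be 16 octets, NT-Response 24")
    h = hashlib.sha1()
    h.update(password_hash_hash)
    h.update(nt_response)
    h.update(MAGIC1)
    return h.digest()[:16]


def get_asymmetric_start_key(master_key: bytes, length: int,
                             is_send: bool, is_server: bool) -> bytes:
    """GetAsymmetricStartKey(): Magic2/Magic3 chosen by direction and role."""
    if is_send:
        magic = MAGIC3 if is_server else MAGIC2
    else:
        magic = MAGIC2 if is_server else MAGIC3
    h = hashlib.sha1()
    h.update(master_key)
    h.update(SHSPAD1)
    h.update(magic)
    h.update(SHSPAD2)
    return h.digest()[:length]


def derive_session_keys(password_hash_hash: bytes, nt_response: bytes,
                        key_len: int = 16) -> dict:
    """All four start keys; client send equals server receive and vice versa."""
    mk = get_master_key(password_hash_hash, nt_response)
    return {
        "client_send": get_asymmetric_start_key(mk, key_len, True, False),
        "client_recv": get_asymmetric_start_key(mk, key_len, False, False),
        "server_send": get_asymmetric_start_key(mk, key_len, True, True),
        "server_recv": get_asymmetric_start_key(mk, key_len, False, True),
    }


class PeerNtResponse:
    """Mirrors the quoted mpd check (hypothetical class, not mpd's): capture
    the NT-Response only from an MS-CHAPv2 exchange, and only while the
    stored buffer is still all zeros, so later rounds cannot replace it."""

    def __init__(self):
        self.nt_resp = ZEROS

    def record(self, recv_alg: str, nt_response: bytes) -> bool:
        if recv_alg == "CHAP_ALG_MSOFTv2" and self.nt_resp == ZEROS:
            self.nt_resp = bytes(nt_response)
            return True
        return False

    def is_set(self) -> bool:
        return self.nt_resp != ZEROS


# Constructed sample values (not real credentials or captured traffic).
SAMPLE_PW_HASH_HASH = bytes(range(0x10, 0x20))   # 16 octets
SAMPLE_NT_RESP_V2 = bytes(range(0x20, 0x38))     # 24 octets
SAMPLE_NT_RESP_V1 = bytes(range(0x40, 0x58))     # 24 octets


def simulate_thread_scenario() -> dict:
    """An MS-CHAPv2 exchange followed by an MS-CHAPv1 one, as in the thread;
    the session keys must come from the first (v2) NT-Response."""
    state = PeerNtResponse()
    first = state.record("CHAP_ALG_MSOFTv2", SAMPLE_NT_RESP_V2)
    second = state.record("CHAP_ALG_MSOFTv1", SAMPLE_NT_RESP_V1)
    keys = derive_session_keys(SAMPLE_PW_HASH_HASH, state.nt_resp)
    return {"first_recorded": first, "second_recorded": second,
            "uses_v2_response": state.nt_resp == SAMPLE_NT_RESP_V2,
            "keys": keys}


if __name__ == "__main__":
    for name, key in simulate_thread_scenario()["keys"].items():
        print(name, key.hex())
```

Note that the NT-Response is the only per-session input to the master key; PasswordHashHash is fixed for a given password, so whichever exchange supplies the NT-Response determines the keys on both ends. If the client and server pick it from different exchanges, both sides derive internally consistent but mismatched keys and every MPPE frame fails to decrypt, which is the symptom the thread is chasing.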