version 1.1.1.1, 2012/02/21 23:32:47
|
version 1.1.1.4, 2021/03/17 00:39:23
|
Line 6
|
Line 6
|
</HEAD> |
</HEAD> |
<BODY text="#000000" bgcolor="#ffffff"> |
<BODY text="#000000" bgcolor="#ffffff"> |
|
|
<A HREF="mpd.html"><EM>Mpd 5.6 User Manual</EM></A> | <A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A> |
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A> |
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A> |
<b>:</b> <EM>Authentication</EM><BR> |
<b>:</b> <EM>Authentication</EM><BR> |
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR> |
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR> |
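Review bot: the release number in the navigation link on the changed line ("Mpd 5.6 User Manual" to "Mpd 5.9 User Manual") is hardcoded, and the identical string is edited again in the page footer later in this diff. Consider generating the header and footer from a single version definition so that a release bump cannot leave the two out of step.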
Line 31 server. The password hash is computed like this: md5(i
|
Line 31 server. The password hash is computed like this: md5(i
|
+ challenge), where the id is incremented after each authentication |
+ challenge), where the id is incremented after each authentication |
attempt. The challenge is generated by the server and then sent to the |
attempt. The challenge is generated by the server and then sent to the |
client (peer). The peer sends the hash to the server and the server |
client (peer). The peer sends the hash to the server and the server |
genrates himself the hash using the plaintext password. If both | generates itself the hash using the plaintext password. If both |
hash are the same, the authentication succeeds.</p> |
hash are the same, the authentication succeeds.</p> |
<p>MS-CHAP doesen't need plaintext passwords on the server, but does | <p>MS-CHAP does not need plaintext passwords on the server, but does |
need the hashed password either as NT-Hash or as LAN-Manager-Hash |
need the hashed password either as NT-Hash or as LAN-Manager-Hash |
(the LAN-Manager-Hash is weak and shouldn't be used). | (the LAN-Manager-Hash is weak and should not be used). |
MS-CHAPv1 uses DES as hashing algorithm and is weak, therefore don't | MS-CHAPv1 uses DES as hashing algorithm and is weak, therefore do not |
use it! MS-CHAPv2 uses a peer challenge and a server |
use it! MS-CHAPv2 uses a peer challenge and a server |
challenge and uses SHA1 as hashing algorithm, so it's much more | challenge and uses SHA1 as hashing algorithm, so it is much more |
secure then MS-CHAPv1. MS-CHAPv2 requires the NT-Hash be available.</p> | secure than MS-CHAPv1. MS-CHAPv2 requires the NT-Hash be available.</p> |
<p>Usualy UNIX systems have a different non-revertable hashing | <p>Usually UNIX systems have a different non-revertable hashing |
algorithm for passwords, therefore it is not possible to use the |
algorithm for passwords, therefore it is not possible to use the |
traditional UNIX password database if you want to use any |
traditional UNIX password database if you want to use any |
CHAP algorithm, with the exception that FreeBSD versions 5.1 and |
CHAP algorithm, with the exception that FreeBSD versions 5.1 and |
later support the NT-Hash format in the password database |
later support the NT-Hash format in the password database |
(configurable via login.conf: <code>passwd_format=nth</code>). |
(configurable via login.conf: <code>passwd_format=nth</code>). |
However MPD doesen't currently support authentication against | However MPD does not currently support authentication against |
the UNIX password database.</p> |
the UNIX password database.</p> |
<p>EAP is an Extensible Authentication Protocol. Mpd supports |
<p>EAP is an Extensible Authentication Protocol. Mpd supports |
natively only the EAP-Type MD5; other EAP-Types may be used |
natively only the EAP-Type MD5; other EAP-Types may be used |
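Review bot: the changed MS-CHAPv1 line still describes DES as a "hashing algorithm", but DES is a block cipher, so the wording should be corrected in this pass (for example "MS-CHAPv1 derives its response with DES and is weak"). Several other leftovers sit on lines this hunk already touches or borders: "generates itself the hash" reads better as "computes the hash itself", "If both hash are the same" should be "hashes", and "non-revertable" should be "non-reversible".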
Line 58 from authentication.</p>
|
Line 58 from authentication.</p>
|
|
|
<dt><b>Authentication protocol negotiation</b><dd><p>Starting with MPD 3.14, MPD behaves more intelligently when negotiating |
<dt><b>Authentication protocol negotiation</b><dd><p>Starting with MPD 3.14, MPD behaves more intelligently when negotiating |
authentication protocols. MPD searches an internal list of protocols, |
authentication protocols. MPD searches an internal list of protocols, |
from most to least secure, until a mutually agreeable protocol is found. | from most to least secure until a mutually agreeable protocol is found. |
If the link is a PPTP link, then MS-CHAP is most preferrable, otherwise | If the link is a PPTP link, then MS-CHAP is most preferable, otherwise |
MD5-CHAP is most preferrable.</p> | MD5-CHAP is most preferable.</p> |
|
|
</dl> |
</dl> |
</p> |
</p> |
|
|
|
|
<HR NOSHADE> |
<HR NOSHADE> |
<A HREF="mpd.html"><EM>Mpd 5.6 User Manual</EM></A> | <A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A> |
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A> |
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A> |
<b>:</b> <EM>Authentication</EM><BR> |
<b>:</b> <EM>Authentication</EM><BR> |
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR> |
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR> |
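Review bot: the negotiation paragraph says only that "MS-CHAP is most preferable" on a PPTP link without naming a version, although the earlier hunk in this file tells readers not to use MS-CHAPv1. Suggest stating which MS-CHAP version sits first in the list, and replacing "most preferable" with "preferred" on both changed lines.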