Annotation of embedaddon/mpd/doc/mpd66.html, revision 1.1
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Authentication</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.6 User Manual</EM></A>
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A>
<b>:</b> <EM>Authentication</EM><BR>
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR>
<b>Next:</b> <A HREF="mpd67.html"><EM>Hints for developers</EM></A>


<HR NOSHADE>
<H2><A NAME="66"></A>8.2. Authentication<A NAME="authentication"></A></H2>
<p>This chapter describes implementation-specific details of MPD.</p>
<p>
<dl>

<dt><b>Authentication protocols - a short overview</b><dd><p>Currently MPD supports these authentication protocols: PAP, MD5-CHAP,
MS-CHAPv1, MS-CHAPv2 and EAP.</p>
<p>When using PAP, the password is sent as plaintext over the network,
therefore PAP should be avoided if the link between the peers is
not secure. On the other hand, PAP allows using any kind of password
database on the server, even if the passwords are stored in a
non-reversible hashed format.</p>
<p>The traditional CHAP-MD5 needs the plaintext password stored on the
server. The password hash is computed like this: md5(id + password
+ challenge), where the id is incremented after each authentication
attempt. The challenge is generated by the server and then sent to the
client (peer). The peer sends the hash to the server, and the server
generates the hash itself using the plaintext password. If both
hashes are the same, the authentication succeeds.</p>
<p>MS-CHAP doesn't need plaintext passwords on the server, but does
need the hashed password either as NT-Hash or as LAN-Manager-Hash
(the LAN-Manager-Hash is weak and shouldn't be used).
MS-CHAPv1 uses DES as hashing algorithm and is weak, therefore don't
use it! MS-CHAPv2 uses a peer challenge and a server
challenge and uses SHA1 as hashing algorithm, so it's much more
secure than MS-CHAPv1. MS-CHAPv2 requires the NT-Hash to be available.</p>
<p>Usually UNIX systems use a different non-reversible hashing
algorithm for passwords, therefore it is not possible to use the
traditional UNIX password database if you want to use any
CHAP algorithm, with the exception that FreeBSD versions 5.1 and
later support the NT-Hash format in the password database
(configurable via login.conf: <code>passwd_format=nth</code>).
However, MPD doesn't currently support authentication against
the UNIX password database.</p>
<p>EAP is the Extensible Authentication Protocol. Mpd supports
natively only the EAP-Type MD5; other EAP-Types may be used
in conjunction with a RADIUS server.</p>
<p>Note: in order for MPPE to work, MS-CHAPv1 or MS-CHAPv2 is
mandatory, because the MPPE keys are generated using the results
from authentication.</p>
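<p>The following is an added worked example, not code from the mpd project, illustrating two points made above: the CHAP-MD5 exchange (response = md5(id + password + challenge), with the server recomputing the hash from a stored plaintext secret and the id advancing on every attempt), and the contrast with PAP, where the password travels in plaintext but the server can verify it against a one-way hash. The class and function names, the 16-byte challenge length, the PBKDF2-SHA256 storage format used for the PAP side, and the sample credentials are assumptions made for the illustration.</p>

```python
from __future__ import annotations

import hashlib
import hmac
import os

# --- CHAP-MD5 (RFC 1994): response = MD5(id || secret || challenge) ------------
# Both sides must hold the plaintext secret; this is the storage constraint the
# manual describes. Names, challenge length and credentials below are assumptions.


def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value the peer returns for a given identifier, secret and challenge."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side of CHAP-MD5. `secrets` maps peer name -> plaintext secret."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets
        self.next_ident = 0
        self.pending: dict[int, bytes] = {}  # identifier -> outstanding challenge

    def challenge(self) -> tuple[int, bytes]:
        """Issue a fresh random challenge; the identifier advances on every attempt."""
        ident = self.next_ident
        self.next_ident = (ident + 1) % 256  # one-octet identifier wraps around
        chal = os.urandom(16)                # assumed challenge length: 16 bytes
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Recompute the hash from the stored plaintext secret and compare in constant time."""
        chal = self.pending.pop(ident, None)  # a challenge may be answered only once
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_md5_response(ident, secret, chal), response)


def chap_exchange(server: ChapServer, name: str, peer_secret: bytes) -> bool:
    """Full round trip: server -> Challenge, peer -> Response, server -> Success/Failure."""
    ident, chal = server.challenge()
    response = chap_md5_response(ident, peer_secret, chal)
    return server.verify(ident, name, response)


# --- PAP: plaintext on the wire, but the server may store any one-way hash --------


def pap_store(password: bytes, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Store a password as (salt, PBKDF2-SHA256 digest); the password itself is not kept."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def pap_verify(stored: tuple[bytes, bytes], password: bytes) -> bool:
    """PAP delivers the plaintext password, so the server can check it against the hash."""
    salt, digest = stored
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000), digest)


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    server = ChapServer({"alice": b"correct horse"})
    print("CHAP, right secret :", chap_exchange(server, "alice", b"correct horse"))
    print("CHAP, wrong secret :", chap_exchange(server, "alice", b"wrong"))
    record = pap_store(b"correct horse")
    print("PAP against hash   :", pap_verify(record, b"correct horse"))
```

<p>Because each challenge is popped from <code>pending</code> when it is answered, a captured response cannot be replayed against the same identifier, and a response computed for one challenge never matches a later one; the PAP half shows why the manual says PAP works with a non-reversible password database while CHAP-MD5 does not.</p>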


<dt><b>Authentication protocol negotiation</b><dd><p>Starting with MPD 3.14, MPD behaves more intelligently when negotiating
authentication protocols. MPD searches an internal list of protocols,
from most to least secure, until a mutually agreeable protocol is found.
If the link is a PPTP link, then MS-CHAP is most preferable, otherwise
MD5-CHAP is most preferable.</p>

</dl>
</p>
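<p>An added example, not mpd's own code, of the negotiation rule described under "Authentication protocol negotiation": walk an ordered preference list and return the first protocol both sides accept, with the MS-CHAP-only constraint from the MPPE note applied when encryption is required. The manual states only that MS-CHAP leads on PPTP links and MD5-CHAP elsewhere, that the list runs from most to least secure, and that MPPE needs MS-CHAPv1 or MS-CHAPv2; the complete orderings in <code>PREFERENCE</code> and the function name are assumptions for illustration, not mpd's actual internal table.</p>

```python
from __future__ import annotations

from typing import Iterable, Optional

# Ordered preference lists, most to least secure. Only the head of each list
# (MS-CHAP on PPTP, MD5-CHAP otherwise) and PAP's last place follow from the
# manual; the remaining positions are an assumption made for this example.
PREFERENCE: dict[str, tuple[str, ...]] = {
    "pptp": ("MS-CHAPv2", "MS-CHAPv1", "MD5-CHAP", "EAP-MD5", "PAP"),
    "default": ("MD5-CHAP", "MS-CHAPv2", "MS-CHAPv1", "EAP-MD5", "PAP"),
}

# Only the MS-CHAP variants yield the key material MPPE derives its keys from.
MPPE_CAPABLE = frozenset({"MS-CHAPv1", "MS-CHAPv2"})


def negotiate(link_type: str,
              peer_offers: Iterable[str],
              local_enabled: Iterable[str],
              require_mppe: bool = False) -> Optional[str]:
    """Return the first mutually acceptable protocol in preference order, or None."""
    order = PREFERENCE["pptp" if link_type == "pptp" else "default"]
    candidates = set(peer_offers) & set(local_enabled)
    if require_mppe:
        candidates &= MPPE_CAPABLE  # MPPE cannot be keyed from PAP, MD5-CHAP or EAP-MD5
    for proto in order:
        if proto in candidates:
            return proto
    return None  # no agreeable protocol: the link should fail authentication


if __name__ == "__main__":
    everything = set(PREFERENCE["default"])
    # Constructed peer capability sets for the demonstration.
    print(negotiate("pptp", {"PAP", "MD5-CHAP", "MS-CHAPv2"}, everything))   # MS-CHAPv2
    print(negotiate("pppoe", {"PAP", "MD5-CHAP", "MS-CHAPv2"}, everything))  # MD5-CHAP
    print(negotiate("pppoe", {"PAP", "MD5-CHAP"}, everything, require_mppe=True))  # None
```

<p>Passing the locally enabled set separately keeps the administrator's choice (for instance, disabling MS-CHAPv1 as the manual advises) independent of what the peer advertises.</p>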



</BODY>
</HTML>