Annotation of embedaddon/mpd/doc/mpd66.html, revision 1.1.1.4

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Authentication</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
 <b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A>
 <b>:</b> <EM>Authentication</EM><BR>
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR>
<b>Next:</b> <A HREF="mpd67.html"><EM>Hints for developers</EM></A>


<HR NOSHADE>
  <H2><A NAME="66"></A>8.2. Authentication<A NAME="authentication"></A></H2>
<p>This chapter describes implementation-specific details of MPD.</p>
<p>
<dl>

<dt><b>Authentication protocols - a short overview</b><dd><p>Currently MPD supports these authentication protocols: PAP, MD5-CHAP,
MS-CHAPv1, MS-CHAPv2 and EAP.</p>
<p>When using PAP, the password is sent as plaintext over the network;
PAP should therefore be avoided if the link between the peers is
not secure. On the other hand, PAP allows any kind of password
database on the server, even one that stores the passwords in a
non-reversible hashed format.</p>
<p>The traditional CHAP-MD5 needs the plaintext password stored on the
server. The response hash is computed as md5(id + password
+ challenge), where the id is incremented after each authentication
attempt. The challenge is generated by the server and then sent to the
client (peer). The peer sends the hash to the server, and the server
computes the same hash itself using the plaintext password. If both
hashes are the same, the authentication succeeds.</p>
<p>MS-CHAP does not need plaintext passwords on the server, but does
need the hashed password, either as NT-Hash or as LAN-Manager-Hash
(the LAN-Manager-Hash is weak and should not be used).
MS-CHAPv1 uses DES as its hashing algorithm and is weak, therefore do not
use it! MS-CHAPv2 uses a peer challenge and a server
challenge and uses SHA-1 as its hashing algorithm, so it is much more
secure than MS-CHAPv1. MS-CHAPv2 requires the NT-Hash to be available.</p>
<p>UNIX systems usually store passwords with a different, non-reversible
hashing algorithm, so the traditional UNIX password database cannot
be used with any CHAP algorithm; the exception is that FreeBSD
versions 5.1 and later support the NT-Hash format in the password database
(configurable via login.conf: <code>passwd_format=nth</code>).
However, MPD does not currently support authentication against
the UNIX password database.</p>
<p>EAP is the Extensible Authentication Protocol. Mpd natively supports
only the EAP type MD5; other EAP types may be used
in conjunction with a RADIUS server.</p>
<p>Note: for MPPE to work, MS-CHAPv1 or MS-CHAPv2 is
mandatory, because the MPPE keys are derived from the results
of authentication.</p>


<dt><b>Authentication protocol negotiation</b><dd><p>Starting with MPD 3.14, MPD negotiates
authentication protocols more intelligently: it searches an internal list of protocols
from most to least secure until a mutually agreeable protocol is found.
If the link is a PPTP link, then MS-CHAP is most preferable; otherwise
MD5-CHAP is most preferable.</p>

</dl>
</p>
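<p>The CHAP-MD5 exchange described above, as an added example that is not part of mpd's own code: the server issues an identifier and a random challenge, the peer answers with md5(id + password + challenge), and the server recomputes the same value from its stored plaintext secret. The <code>ChapServer</code> class and its secret table are constructed for this illustration.</p>

```python
import hashlib
import hmac
import os


def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the CHAP-MD5 response: MD5(id || secret || challenge).

    The id is a single octet; the secret must be the plaintext password,
    which is why CHAP-MD5 cannot verify against a hashed-only database.
    """
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Minimal server side (constructed for this example)."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> plaintext secret
        self.ident = 0              # incremented after each attempt
        self.pending = {}           # outstanding ident -> challenge

    def challenge(self) -> tuple:
        """Issue a fresh identifier and a random 16-byte challenge."""
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[self.ident] = chal
        return self.ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Recompute the hash with the stored secret; each challenge is single-use."""
        chal = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_md5_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapServer, name: str, peer_secret: bytes) -> bool:
    """One full round trip: challenge, peer response, server verification."""
    ident, chal = server.challenge()
    response = chap_md5_response(ident, peer_secret, chal)
    return server.verify(ident, name, response)
```

<p>Because <code>verify</code> discards the challenge once it has been checked, a captured response cannot be replayed against the same identifier.</p>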


 <HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
 <b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A>
 <b>:</b> <EM>Authentication</EM><BR>
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR>
<b>Next:</b> <A HREF="mpd67.html"><EM>Hints for developers</EM></A>



</BODY>
</HTML>
