<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Authentication</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A>
<b>:</b> <EM>Authentication</EM><BR>
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR>
<b>Next:</b> <A HREF="mpd67.html"><EM>Hints for developers</EM></A>


<HR NOSHADE>
<H2><A NAME="66"></A>8.2. Authentication<A NAME="authentication"></A></H2>
<p>This chapter describes implementation-specific details of MPD.</p>
<p>
<dl>

<dt><b>Authentication protocols - a short overview</b><dd><p>Currently MPD supports these authentication protocols: PAP, MD5-CHAP,
MS-CHAPv1, MS-CHAPv2 and EAP.</p>
<p>When using PAP, the password is sent as plaintext over the network,
so PAP should be avoided if the link between the peers is
not secure. On the other hand, PAP allows using any kind of password
database on the server, even if the passwords are stored in a
non-reversible hashed format.</p>
<p>The traditional CHAP-MD5 needs the plaintext password stored on the
server. The response hash is computed as md5(id + password
+ challenge), where the id is incremented after each authentication
attempt. The challenge is generated by the server and then sent to the
client (peer). The peer sends the hash to the server, and the server
computes the same hash itself using the plaintext password. If both
hashes are the same, the authentication succeeds.</p>
<p>MS-CHAP does not need plaintext passwords on the server, but it does
need the hashed password, either as an NT-Hash or as a LAN-Manager-Hash
(the LAN-Manager-Hash is weak and should not be used).
MS-CHAPv1 uses DES as its hashing algorithm and is weak, therefore do not
use it! MS-CHAPv2 uses both a peer challenge and a server
challenge and uses SHA1 as its hashing algorithm, so it is much more
secure than MS-CHAPv1. MS-CHAPv2 requires the NT-Hash to be available.</p>
<p>UNIX systems usually use a different non-reversible hashing
algorithm for passwords, therefore it is not possible to use the
traditional UNIX password database if you want to use any
CHAP algorithm, with the exception that FreeBSD versions 5.1 and
later support the NT-Hash format in the password database
(configurable via login.conf: <code>passwd_format=nth</code>).
However, MPD does not currently support authentication against
the UNIX password database.</p>
<p>EAP is the Extensible Authentication Protocol. Mpd natively supports
only the EAP type MD5; other EAP types may be used
in conjunction with a RADIUS server.</p>
<p>Note: for MPPE to work, MS-CHAPv1 or MS-CHAPv2 is
mandatory, because the MPPE keys are derived from the results
of the authentication.</p>
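<p>The CHAP-MD5 exchange described above, and the PAP contrast beside it, as an added Python example that is not part of mpd or of this manual. It shows both sides of one CHAP-MD5 authentication (server challenge, peer response md5(id + password + challenge), server verification from the stored plaintext) and, for contrast, a PAP-style verification against a salted one-way hash. The user database, the 16-byte challenge length and the names <code>ChapServer</code>, <code>run_chap_exchange</code>, <code>pap_store</code> and <code>pap_verify</code> are assumptions made for this illustration; they do not correspond to mpd internals.</p>

```python
import hashlib
import hmac
import os

# Constructed sample credentials for this demonstration (not mpd data).
# CHAP-MD5 forces the server to keep the plaintext password; PAP can verify
# against a one-way hash instead, which is the trade-off the text describes.
CHAP_USER_DB = {"alice": "correct horse battery staple"}


def chap_md5_response(ident, password, challenge):
    """Return md5(id || password || challenge) as 16 raw bytes.

    ``ident`` is the one-octet CHAP Identifier carried in the Challenge packet.
    """
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    data = bytes([ident]) + password.encode("utf-8") + challenge
    return hashlib.md5(data).digest()


class ChapServer:
    """Server side (hypothetical): issues challenges and verifies responses."""

    def __init__(self, user_db):
        self._db = user_db          # name -> plaintext password
        self._next_ident = 0
        self._pending = {}          # ident -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh random challenge; the id is incremented per attempt."""
        ident = self._next_ident
        self._next_ident = (self._next_ident + 1) & 0xFF
        chal = os.urandom(16)
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident, name, response):
        """Recompute the hash from the stored plaintext and compare."""
        chal = self._pending.pop(ident, None)   # each challenge answers once
        password = self._db.get(name)
        if chal is None or password is None:
            return False
        expected = chap_md5_response(ident, password, chal)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_chap_exchange(server, name, password):
    """Both sides of one CHAP-MD5 authentication; True on success."""
    ident, chal = server.challenge()                      # server -> peer
    response = chap_md5_response(ident, password, chal)   # peer -> server
    return server.verify(ident, name, response)


# Contrast: PAP transmits the password itself, so the server can store only a
# salted one-way hash (PBKDF2-SHA256 here) and never needs the plaintext.
def pap_store(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def pap_verify(stored, password):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    srv = ChapServer(CHAP_USER_DB)
    print("CHAP ok:", run_chap_exchange(srv, "alice", CHAP_USER_DB["alice"]))
    print("CHAP wrong password:", run_chap_exchange(srv, "alice", "nope"))
    rec = pap_store("hunter2")
    print("PAP ok:", pap_verify(rec, "hunter2"), "PAP wrong:", pap_verify(rec, "x"))
```

<p>The point to take from the two halves: <code>ChapServer.verify</code> can only succeed because <code>CHAP_USER_DB</code> holds the plaintext password, whereas <code>pap_verify</code> works from a salted hash alone. The pending-challenge table also illustrates why the id and challenge must be fresh per attempt: a captured response answers exactly one challenge and is rejected if replayed.</p>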


<dt><b>Authentication protocol negotiation</b><dd><p>Starting with MPD 3.14, MPD behaves more intelligently when negotiating
authentication protocols. MPD searches an internal list of protocols,
from most to least secure, until a mutually agreeable protocol is found.
If the link is a PPTP link, then MS-CHAP is most preferable; otherwise
MD5-CHAP is most preferable.</p>

</dl>
</p>


<HR NOSHADE>



</BODY>
</HTML>