File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / mpd / doc / mpd66.html
Revision 1.1.1.4 (vendor branch)
Wed Mar 17 00:39:23 2021 UTC (3 years, 9 months ago) by misho
Branches: mpd, MAIN
CVS tags: v5_9p16, v5_9, HEAD
mpd 5.9

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Authentication</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">

<A HREF="mpd.html"><EM>Mpd 5.9 User Manual</EM></A>
 <b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A>
 <b>:</b> <EM>Authentication</EM><BR>
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR>
<b>Next:</b> <A HREF="mpd67.html"><EM>Hints for developers</EM></A>


<HR NOSHADE>
  <H2><A NAME="66"></A>8.2. Authentication<A NAME="authentication"></A></H2>
<p>This chapter describes implementation-specific details of MPD.</p>
<p>
<dl>

<dt><b>Authentication protocols - a short overview</b><dd><p>Currently MPD supports these authentication protocols: PAP, MD5-CHAP,
MS-CHAPv1, MS-CHAPv2 and EAP.</p>
<p>When using PAP, the password is sent as plaintext over the network,
so PAP should be avoided if the link between the peers is
not secure. On the other hand, PAP allows the server to use any kind
of password database, even one in which the passwords are stored in
a non-reversible hashed format.</p>
<p>Traditional CHAP-MD5 requires the plaintext password to be stored on the
server. The password hash is computed like this: md5(id + password
+ challenge), where the id is incremented after each authentication
attempt. The challenge is generated by the server and then sent to the
client (peer). The peer sends its hash to the server, and the server
computes the same hash itself using the plaintext password. If the two
hashes are the same, the authentication succeeds.</p>
<p>MS-CHAP does not need plaintext passwords on the server, but does
need the hashed password, either as NT-Hash or as LAN-Manager-Hash
(the LAN-Manager-Hash is weak and should not be used).
MS-CHAPv1 uses DES as its hashing algorithm and is weak, so do not
use it! MS-CHAPv2 uses a peer challenge and a server
challenge and uses SHA1 as its hashing algorithm, so it is much more
secure than MS-CHAPv1. MS-CHAPv2 requires that the NT-Hash be available.</p>
<p>UNIX systems usually use a different, non-reversible hashing
algorithm for passwords, so it is not possible to use the
traditional UNIX password database if you want to use any
CHAP algorithm. The exception is that FreeBSD versions 5.1 and
later support the NT-Hash format in the password database
(configurable via login.conf: <code>passwd_format=nth</code>).
However, MPD does not currently support authentication against
the UNIX password database.</p>
<p>EAP is the Extensible Authentication Protocol. Mpd natively supports
only the EAP-Type MD5; other EAP-Types may be used
in conjunction with a RADIUS server.</p>
<p>Note: in order for MPPE to work, MS-CHAPv1 or MS-CHAPv2 is
mandatory, because the MPPE keys are generated using the results
from authentication.</p>


<dt><b>Authentication protocol negotiation</b><dd><p>Starting with MPD 3.14, MPD behaves more intelligently when negotiating
authentication protocols. MPD searches an internal list of protocols,
from most to least secure, until a mutually agreeable protocol is found.
If the link is a PPTP link, then MS-CHAP is preferred; otherwise
MD5-CHAP is preferred.</p>

</dl>
</p>
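<p>The CHAP-MD5 exchange described above, as an added example that is not part of the MPD manual or MPD's own code. It assumes the id is a single octet prepended to the password and challenge (as in RFC 1994); the class, function names and the sample user and password are constructed for illustration.</p>

```python
import hashlib
import hmac
import os


def chap_md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """md5(id + password + challenge); the id is assumed to be one octet."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


class ChapServer:
    """Authenticator side: needs the plaintext password to recompute the hash."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # user -> plaintext password (constructed data)
        self.ident = 0
        self.pending = None         # (id, challenge) of the outstanding attempt

    def new_challenge(self):
        self.ident = (self.ident + 1) & 0xFF    # id is incremented per attempt
        self.pending = (self.ident, os.urandom(16))
        return self.pending

    def verify(self, user: str, ident: int, response: bytes) -> bool:
        if self.pending is None or ident != self.pending[0]:
            return False
        challenge = self.pending[1]
        self.pending = None         # each challenge is valid for one attempt only
        password = self.secrets.get(user)
        if password is None:
            return False
        expected = chap_md5_response(ident, password, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    server = ChapServer({"alice": b"correct horse"})
    ident, challenge = server.new_challenge()
    good = chap_md5_response(ident, b"correct horse", challenge)
    first = server.verify("alice", ident, good)
    # A captured response replayed against a fresh id and challenge must fail.
    ident2, _ = server.new_challenge()
    replay = server.verify("alice", ident2, good)
    # A peer that does not know the password cannot produce the hash.
    ident3, challenge3 = server.new_challenge()
    wrong = server.verify("alice", ident3,
                          chap_md5_response(ident3, b"guess", challenge3))
    return first, replay, wrong
```

<p>The server-side <code>secrets</code> table holds plaintext passwords, which is why a non-reversible UNIX password database cannot back CHAP-MD5.</p>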





</BODY>
</HTML>
