<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Authentication</TITLE>
</HEAD>
<BODY text="#000000" bgcolor="#ffffff">
<A HREF="mpd.html"><EM>Mpd 5.8 User Manual</EM></A>
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A>
<b>:</b> <EM>Authentication</EM><BR>
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR>
<b>Next:</b> <A HREF="mpd67.html"><EM>Hints for developers</EM></A>
<HR NOSHADE>
<H2><A NAME="66"></A>8.2. Authentication<A NAME="authentication"></A></H2>
<p>This chapter describes implementation specific details of MPD.</p>
<p>
<dl>
<dt><b>Authentication protocols - a short overview</b><dd><p>Currently MPD supports these authentication protocols: PAP, MD5-CHAP,
MS-CHAPv1, MS-CHAPv2 and EAP.</p>
<p>When using PAP, the password is sent as plaintext over the network,
therefore PAP should be avoided, if the link between the peers is
not secure. On the other hand, PAP allows using any kind of password
database on the server, even if the passwords are stored in
non-reversible hashed format.</p>
<p>The traditional CHAP-MD5 needs the plaintext password stored on the
server. The password hash is computed like this: md5(id + password
+ challenge), where the id is incremented after each authentication
attempt. The challenge is generated by the server and then sent to the
client (peer). The peer sends the hash to the server and the server
genrates himself the hash using the plaintext password. If both
hash are the same, the authentication succeeds.</p>
<p>MS-CHAP doesen't need plaintext passwords on the server, but does
need the hashed password either as NT-Hash or as LAN-Manager-Hash
(the LAN-Manager-Hash is weak and shouldn't be used).
MS-CHAPv1 uses DES as hashing algorithm and is weak, therefore don't
use it! MS-CHAPv2 uses a peer challenge and a server
challenge and uses SHA1 as hashing algorithm, so it's much more
secure then MS-CHAPv1. MS-CHAPv2 requires the NT-Hash be available.</p>
<p>Usually UNIX systems have a different non-revertable hashing
algorithm for passwords, therefore it is not possible to use the
traditional UNIX password database if you want to use any
CHAP algorithm, with the exception that FreeBSD versions 5.1 and
later support the NT-Hash format in the password database
(configurable via login.conf: <code>passwd_format=nth</code>).
However MPD doesen't currently support authentication against
the UNIX password database.</p>
<p>EAP is an Extensible Authentication Protocol. Mpd supports
natively only the EAP-Type MD5; other EAP-Types may be used
in conjunction with a RADIUS server.</p>
<p>Note: in order for MPPE to work, MS-CHAPv1 or MS-CHAPv2 is
mandatory, because the MPPE keys are generated using the results
from authentication.</p>
<dt><b>Authentication protocol negotiation</b><dd><p>Starting with MPD 3.14, MPD behaves more intelligently when negotiating
authentication protocols. MPD searches an internal list of protocols,
from most to least secure, until a mutually agreeable protocol is found.
If the link is a PPTP link, then MS-CHAP is most preferrable, otherwise
MD5-CHAP is most preferrable.</p>
</dl>
</p>
<HR NOSHADE>
<A HREF="mpd.html"><EM>Mpd 5.8 User Manual</EM></A>
<b>:</b> <A HREF="mpd64.html"><EM>Internals</EM></A>
<b>:</b> <EM>Authentication</EM><BR>
<b>Previous:</b> <A HREF="mpd65.html"><EM>ToDo</EM></A><BR>
<b>Next:</b> <A HREF="mpd67.html"><EM>Hints for developers</EM></A>
</BODY>
</HTML>
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to mpd66.html CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / mpd / doc