This chapter describes implementation specific details of MPD.
Currently MPD supports these authentication protocols: PAP, MD5-CHAP, MS-CHAPv1, MS-CHAPv2 and EAP.
When using PAP, the password is sent as plaintext over the network, therefore PAP should be avoided if the link between the peers is not secure. On the other hand, PAP allows using any kind of password database on the server, even if the passwords are stored in a non-reversible hashed format.
The traditional CHAP-MD5 needs the plaintext password stored on the server. The response hash is computed like this: md5(id + password + challenge), where the id is incremented after each authentication attempt. The challenge is generated by the server and then sent to the client (peer). The peer sends the hash to the server, and the server computes the same hash itself using the plaintext password. If both hashes are the same, the authentication succeeds.
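The following is an added example (not MPD's own code) of the CHAP-MD5 exchange just described: the peer computes md5(id + password + challenge), and the authenticator, which must hold the plaintext password, recomputes the same digest to verify it. The in-memory secret store, the peer name "alice" and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

# CHAP-MD5 (RFC 1994) as described in the text: the response is
# MD5(identifier || secret || challenge). The authenticator can only
# recompute this if it stores the plaintext secret, which is why a
# non-reversible UNIX password hash cannot be used with CHAP.


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: compute the 16-byte CHAP-MD5 response for one challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapMd5Server:
    """Authenticator side. Secrets are kept as plaintext in a dict
    (a constructed stand-in for a real secret store)."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._identifier = 0  # incremented after each authentication attempt

    def new_challenge(self, length: int = 16) -> tuple:
        """Issue the identifier and a fresh random challenge for one attempt."""
        identifier = self._identifier
        self._identifier = (self._identifier + 1) % 256
        return identifier, os.urandom(length)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """Recompute the expected digest from the stored plaintext and compare."""
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_md5_response(identifier, secret, challenge)
        # Constant-time comparison so a failed check does not leak how
        # many leading bytes of the response were correct.
        return hmac.compare_digest(expected, response)


def demo() -> bool:
    """Run one successful exchange and one with a wrong password."""
    server = ChapMd5Server({"alice": b"correct horse battery"})  # constructed
    identifier, challenge = server.new_challenge()
    good = chap_md5_response(identifier, b"correct horse battery", challenge)
    bad = chap_md5_response(identifier, b"wrong password", challenge)
    return server.verify("alice", identifier, challenge, good) and not server.verify(
        "alice", identifier, challenge, bad
    )


if __name__ == "__main__":
    print("CHAP-MD5 exchange behaves as expected:", demo())
```

Because the challenge is random per attempt and the identifier changes, a captured response cannot be replayed against a later challenge, which is the property that makes CHAP preferable to PAP on an untrusted link even though the server-side storage requirement is stricter.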
MS-CHAP does not need plaintext passwords on the server, but does need the hashed password either as NT-Hash or as LAN-Manager-Hash (the LAN-Manager-Hash is weak and should not be used). MS-CHAPv1 uses DES as hashing algorithm and is weak, therefore do not use it! MS-CHAPv2 uses a peer challenge and a server challenge and uses SHA1 as hashing algorithm, so it is much more secure than MS-CHAPv1. MS-CHAPv2 requires that the NT-Hash be available.
Usually UNIX systems use a different non-reversible hashing algorithm for passwords, therefore it is not possible to use the traditional UNIX password database if you want to use any CHAP algorithm, with the exception that FreeBSD versions 5.1 and later support the NT-Hash format in the password database (configurable via login.conf: passwd_format=nth). However, MPD does not currently support authentication against the UNIX password database.
EAP is the Extensible Authentication Protocol. Mpd natively supports only the EAP-Type MD5; other EAP-Types may be used in conjunction with a RADIUS server.
Note: in order for MPPE to work, MS-CHAPv1 or MS-CHAPv2 is mandatory, because the MPPE keys are generated using the results from authentication.
Starting with MPD 3.14, MPD behaves more intelligently when negotiating authentication protocols. MPD searches an internal list of protocols, from most to least secure, until a mutually agreeable protocol is found. If the link is a PPTP link, then MS-CHAP is most preferable; otherwise MD5-CHAP is most preferable.