Re: mpd-netgraph problem.

Thu, 09 May 2002 20:00:47 -0700 

On Thu, 9 May 2002 16:57:37 -0700 (PDT), Archie Cobbs <[EMAIL PROTECTED]> said:
> 
>> Let me see if I understand: a key used in CHAP authentication is
>> also used for MPPE.  However, I authenticate twice, once using CHAP
>> MSOFTv2 and once using CHAP MSOFTv2 -- and you think mpd is
>> choosing the MPPE key from the wrong one of these two
>> authentications?
> 
> Once using MSOFTv2 and then a second time using MSOFTv1.
> According to RFC 3079, you should generate the keys from
> the first authentication. However, this is impossible because
> your server is never completing that authentication.

So I assume that a completed authentication looks like this:

  [vpn] CHAP: rec'd CHALLENGE #173
   Name: "10.16.97.5"
   Using authname "XXX"
  [vpn] CHAP: sending RESPONSE
  [vpn] CHAP: rec'd SUCCESS #173

i.e. the `received SUCCESS' is the important bit.  You say that it's
impossible to use the keys from the first authentication because the
server doesn't complete it.  So that means that after I send my
response to the server's challenge, the server sends back some string
of bits I need for encryption ... is that what this bit of code does?

        /* Need to remember MS-CHAP stuff for use with MPPE encryption */
        if (chap->recv_alg == CHAP_ALG_MSOFTv2) {
          if (!memcmp(bund->peer_ntResp, gMsoftZeros, CHAP_MSOFTv2_RESP_LEN)) {
            memcpy(bund->peer_ntResp,
              chap_value + offsetof(struct mschapv2value, ntHash),
              CHAP_MSOFTv2_RESP_LEN);
          }
        }

If the response I to my first authentication is what I need to encrypt
my traffic, it seems unreasonable of the server not to send it.  

(One things that's odd about my authentication -- this was pointed out
to me by the Windows boys, whom I'm sorry I dissed -- is that all the
Windows users seem to authenticate as ``domain\\user'' whereas I
authenticate as just ``user''.  Who knows what that difference might
tickle.)

Do you have any suggestions for stuff I can try?  I've been hacking at
the mpd code a little bit, but I'm pretty ignorant, so it's slow
going.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Reply via email to