Linux w/ SBC DSL
Gerald Combs
gerald at ethereal.com
Mon Jul 15 02:20:44 CDT 2002
Monty J. Harder wrote:
> IOW, SBC apparently runs the login in cleartext, so
> that any cracker that can get a connection to your LAN can sniff out
> everything needed to hijack your account and identity. That's nearly as
It makes me physically ill to come out in defense of SBC, but if you're
authenticating PPP (including PPPoE), you have three choices:
- Use PAP. Passwords are sent in the clear, but can be encrypted on
the server.
- Use CHAP. Passwords are encrypted using a one-way hash. They must be
stored in clear text on the client and server.
- Use some proprietary/mangled version of CHAP, such as MS-CHAP
or whatever crap someone (Shiva?) came up with a while back.
[ Note that if you're authenticating against a Unix passwd database,
you're stuck with PAP ]
None of these choices are appealing. However, it's reasonable that they
would pick PAP. If they're running CHAP and someone breaks into the
server, the crook gets _everybody's_ password. If they're running PAP and
someone breaks into a residential or business DSL LAN, the crook gets
_one_ password. Not to mention that if someone breaks into your LAN,
having your PAP password stolen is likely the least of your worries.
Better solutions appear to be on the way. A quick Google search turns up
a few RFCs that define the use of EAP (Extensible Authentication Protocol)
in conjunction with PPP. I don't know of any common PPP implementations
that support it, though.
More information about the Kclug
mailing list