Ascend Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (ASCEND) CHAP authentication - I hate to ask, but...



Christian Vogel wrote:
> 
> On Mon, 23 Jun 1997, Troy Settle wrote:
> 
> >Anyways, according to http://www.ascend.com/service/technotes/chap_rad.html,
> > it's possible to get chap working while using the UNIX passwd to
> >authenticate users.  However, the technote doesn't explain how to set it
> >up.
> They are wrong. To use chap you have to know the _plain_ Passwords.
> UNIX-Passwords are stored encrypted.

AFAIK not even that - they are stored "hashed". I.e. you can prove
a plain text password against such hash to be correct, but you
cannot recreate the original plain text password from the hash
(as with message digests). Thus CHAP/MD5 _cannot_ work with UNIX
passwords, because CHAP/MD5 is absolutely depending on the access
to a clear text password on both ends of the authentication.

Thats why MS-CHAP is probably really better, even if we don't like
the fact that it's made by M$.

-- 

Kanther-Line: PGP SSH IDEA MD5 GOST RIPE-MD160 3DES RSA FEAL32 RC4

+-o-+--------------------------------------------------------+-o-+
| o |               \\\- Brain Inside -///                   | o |
| o |                   ^^^^^^^^^^^^^^                       | o |
| o | Andre' Beck (ABPSoft) beck@ibh-dd.de XLink PoP Dresden | o |
+-o-+--------------------------------------------------------+-o-+
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.shore.net/~dreaming/ascend-faq>
or		<ftp://ftp.shore.net/members/dreaming/ascend-faq.txt>


Follow-Ups: References: