Re: [lwip-users] PPP MPPE "Optional" Support
From: Sylvain Rochet
Subject: Re: [lwip-users] PPP MPPE "Optional" Support
Date: Fri, 12 Aug 2016 01:05:02 +0200
User-agent: Mutt/1.5.23 (2014-03-12)
Hi Greg,
On Thu, Aug 11, 2016 at 12:48:19AM +0000, Greg Smith wrote:
>
> I have a follow-on question. Below I said I was able to connect with
> MSCHAPv2 or no authentication. I think I was actually not
> authenticating in either case. So... Is there a way to have PPP try
> authentication first before giving up and trying no authentication?
> (This may be a violation of LCP, I'm not sure. It just seems like it
> should/could be a negotiable option.)
I'm not sure that's possible; even if the protocol might allow it in
some way (which I doubt), it is not supported in the wild. At least
neither pppd nor lwIP is able to try auth with different auth protocols:
one auth protocol is chosen once and for all, and it will either succeed
or fail. That would be a downgrade attack vector anyway, and this is why
PPPAUTHTYPE_ANY shouldn't be used.
> If I set ppp_set_auth_required(, 0);, then I think it always connects
> with no auth, regardless of what I've set in ppp_set_auth().
ppp_set_auth_required(, 0) only sets that the -peer- is not required to
authenticate. It has no influence whatsoever on whether the peer is
going to ask -us- to authenticate.
> If I set ppp_set_auth_required(, 1);, then it refuses the peers that
> don't support auth at all.
Of course, because we then require the peer to authenticate. This option
is mostly used on a PPP server listener, where we want the incoming PPP
session to authenticate; asking the server to authenticate is less
common.
> Is there a solution here that I'm not seeing?
I don't think there is; only PAP has an option to accept a null password
("") in order to accept clients that are not able to do PPP without an
authentication phase. There is currently no way to have "try
authentication but don't care about the result", which is what you
actually want :-)
> Slightly outside of the scope of lwIP, but if it's possible, what are
> the appropriate pppd options to allow its side?
Reading the pppd documentation, I can't find a way to achieve that.
Anyway, what you could do is write this state machine outside, which
would give something like this:
begin;
    try with MSCHAPv2 + MPPE;
    if != PPPERR_NONE is returned:
        try without AUTH;
loop;
This would also make the PPP_MPPE_ALLOW_CLEARTEXT idea useless.
Sylvain
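The outer state machine sketched in the reply above, written out as an added example that is not part of the original thread and not lwIP code. The connection attempt is a hypothetical hook injected as a function pointer: a real application would wire it to its own lwIP setup (ppp_set_auth, ppp_set_mppe, ppp_connect and waiting for the status callback), while here a constructed scripted peer stands in so the policy can run stand-alone. The ATTEMPT_* and PROFILE_* names are constructed for this example. The one thing the sketch leaves implicit is made explicit: when the fallback to no auth succeeds, the link is running without authentication or MPPE, and the state records that so the application can decide what it is willing to send over a cleartext link.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of one connection attempt. Constructed for this example; it stands
 * in for the PPPERR_* code the lwIP status callback would deliver. */
enum attempt_result { ATTEMPT_OK, ATTEMPT_FAILED };

/* Link profile the outer state machine is currently trying. */
enum link_profile { PROFILE_MSCHAPV2_MPPE, PROFILE_NO_AUTH };

/* Hypothetical hook. In a real application it would configure the pcb for
 * the requested profile, call ppp_connect and block until the status
 * callback reports the result; here it is injected so the policy can run
 * without a PPP stack. */
typedef enum attempt_result (*attempt_fn)(enum link_profile profile, void *ctx);

struct link_state {
    enum link_profile profile; /* profile of the last attempt */
    int attempts;              /* total attempt() calls made */
    bool connected;
    bool cleartext;            /* link came up without auth and MPPE */
};

/* Outer loop from the mail: try MSCHAPv2 + MPPE, fall back to no auth,
 * repeat for at most max_rounds rounds. Returns true when a link came up. */
bool bring_up_link(struct link_state *st, attempt_fn attempt, void *ctx, int max_rounds)
{
    st->attempts = 0;
    st->connected = false;
    st->cleartext = false;
    for (int round = 0; round < max_rounds; round++) {
        st->profile = PROFILE_MSCHAPV2_MPPE;
        st->attempts++;
        if (attempt(st->profile, ctx) == ATTEMPT_OK) {
            st->connected = true;
            return true;
        }
        st->profile = PROFILE_NO_AUTH;
        st->attempts++;
        if (attempt(st->profile, ctx) == ATTEMPT_OK) {
            /* The peer never authenticated and nothing is encrypted: record it
             * so the application can restrict what it sends over this link. */
            st->connected = true;
            st->cleartext = true;
            return true;
        }
    }
    return false;
}

/* Constructed scripted peer: answers successive attempts from a fixed list,
 * failing once the script is exhausted. */
struct scripted_peer {
    const enum attempt_result *script;
    int len;
    int next;
};

static enum attempt_result scripted_attempt(enum link_profile profile, void *ctx)
{
    struct scripted_peer *p = (struct scripted_peer *)ctx;
    (void)profile;
    if (p->next >= p->len)
        return ATTEMPT_FAILED;
    return p->script[p->next++];
}

/* Convenience wrapper: drive the state machine against a scripted peer. */
bool run_script(const enum attempt_result *script, int len, int max_rounds,
                struct link_state *out)
{
    struct scripted_peer peer = { script, len, 0 };
    return bring_up_link(out, scripted_attempt, &peer, max_rounds);
}

int main(void)
{
    /* Constructed peer that refuses MSCHAPv2 but accepts a link without auth. */
    const enum attempt_result refuses_auth[] = { ATTEMPT_FAILED, ATTEMPT_OK };
    struct link_state st;
    bool up = run_script(refuses_auth, 2, 3, &st);
    printf("connected=%d cleartext=%d attempts=%d\n", up, st.cleartext, st.attempts);
    return up ? 0 : 1;
}
```

Bounding the rounds keeps a peer that never answers from being retried forever, and the cleartext flag is the piece that makes the PPP_MPPE_ALLOW_CLEARTEXT idea unnecessary: the decision about what may travel over an unauthenticated, unencrypted link is taken by the application that chose to fall back, not inside the stack.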