On Mon, 17 Jun 2002 webmaster@hackenschmiede.com wrote: Hi, Neither CHAP or any of its extensions (MS-CHAP,...) is secure because the same requirement 'answer auth-requests' is true for all of these. The extensions just use different hashing function and negotiate keys for further channel encryption which is weak enough to be broken. I am currently in research about the extensions but I am pretty sure VPN clients can be tricked into disabling crypto if the server either doesnt offer it or rejects such requests. This would allow one authenticated user to slip through all traffic through his account and forbidding crypto for all the other clients. There was also a paper from Bruce Schneier and Mudge about MS CHAP extensions covering other weaknesses. Sebastian
Hi,
the paper is about normal chap.
but what about chapms-v2 with mppe-128 stateless?
my pptp server only accept chapms-v2, should be secure or?
here is my option file:
ipparam PoPToP lock mtu 1490 mru 1490 multilink auth #+chap #+chapms +chapms-v2 ipcp-accept-local ipcp-accept-remote lcp-echo-failure 30 lcp-echo-interval 5 deflate 0 mppe-128 mppe-stateless require-mppe require-mppe-stateless
for markus:
a good paper for setting up pptpd:
http://www.shorewall.net/PPTP.htm
best regards Wolfgang
-----Ursprungliche Nachricht----- Von: Sebastian Krahmer [mailto:krahmer@suse.de] Gesendet: Mittwoch, 12. Juni 2002 17:08 An: Markus Dahinden Cc: suse-security@suse.com Betreff: Re: [suse-security] VPN with pptp
On Wed, 12 Jun 2002, Markus Dahinden wrote:
Hi,
Just because i often read mails like 'we are using a pptp VPN' on this list: pptp is horrible weak and should not be used to protect critical channels or to authenticate users. A paper can be found at http://stealth.7350.org/chap.pdf. I know it doesnt help in this case but I hope it helps one to decide against pptp :)
regards, Sebastian
Hi My pptp VPN connection between W2K and a SuSE Linux8.0 server (with SuSEfirewall2) seems to work (username and password are verified, PC is registered and authentificated).
/var/log/messages tells me for the vpn-connection: .... - SuSE-FW-UNALLOWED-TARGETIN.........prot. 47...... (after launching vpn-connection) .... - SuSE-FW-DROP-ANTI-SPOOFIN.................DPT 139.... (after hitting network item) .... - SuSE-FW-DROP-ANTI-SPOOFIN.................DPT 139.... (after Start/run "\\192.168.x.y") - SuSE-FW-DROP-ANTI-SPOOFIN.................DPT 445....
These services (protocols and ports) are accessible according to my SuSEfirewall2 definitions. I opened theme in section 9.)
I guess, this is the reason, that I don't see my samba shares on linux.
Can someone give me a hand on this problem?
Markus
-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~