Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
Re: AW: [suse-security] VPN with pptp
  • From: Sebastian Krahmer <krahmer@xxxxxxx>
  • Date: Mon, 17 Jun 2002 18:02:01 +0200 (CEST)
  • Message-id: <Pine.LNX.4.33.0206171757380.3791-100000@xxxxxxxxxxxxxxx>
On Mon, 17 Jun 2002 webmaster@xxxxxxxxxxxxxxxxxx wrote:

Hi,

Neither CHAP or any of its extensions (MS-CHAP,...) is secure
because the same requirement 'answer auth-requests' is true for all
of these. The extensions just use different hashing function and
negotiate keys for further channel encryption which is weak
enough to be broken. I am currently in research about the
extensions but I am pretty sure VPN clients can be tricked into
disabling crypto if the server either doesnt offer it or
rejects such requests. This would allow one authenticated user
to slip through all traffic through his account and
forbidding crypto for all the other clients.

There was also a paper from Bruce Schneier and Mudge about
MS CHAP extensions covering other weaknesses.

Sebastian

> Hi,
>
> the paper is about normal chap.
>
> but what about chapms-v2 with mppe-128 stateless?
>
> my pptp server only accept chapms-v2, should be secure or?
>
> here is my option file:
>
> ipparam PoPToP
> lock
> mtu 1490
> mru 1490
> multilink
> auth
> #+chap
> #+chapms
> +chapms-v2
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 30
> lcp-echo-interval 5
> deflate 0
> mppe-128
> mppe-stateless
> require-mppe
> require-mppe-stateless
>
>
>
> for markus:
>
> a good paper for setting up pptpd:
>
> http://www.shorewall.net/PPTP.htm
>
>
> best regards
> Wolfgang
>
>
> -----Ursprungliche Nachricht-----
> Von: Sebastian Krahmer [mailto:krahmer@xxxxxxx]
> Gesendet: Mittwoch, 12. Juni 2002 17:08
> An: Markus Dahinden
> Cc: suse-security@xxxxxxxx
> Betreff: Re: [suse-security] VPN with pptp
>
>
> On Wed, 12 Jun 2002, Markus Dahinden wrote:
>
> Hi,
>
> Just because i often read mails like 'we are using a pptp VPN'
> on this list: pptp is horrible weak and should not be used
> to protect critical channels or to authenticate users.
> A paper can be found at http://stealth.7350.org/chap.pdf.
> I know it doesnt help in this case but I hope it helps
> one to decide against pptp :)
>
> regards,
> Sebastian
>
> > Hi
> > My pptp VPN connection between W2K and a SuSE Linux8.0 server (with
> > SuSEfirewall2) seems to work (username and password are verified, PC is
> > registered and authentificated).
> >
> > /var/log/messages tells me for the vpn-connection:
> > ....
> > - SuSE-FW-UNALLOWED-TARGETIN.........prot. 47...... (after
> > launching vpn-connection)
> > ....
> > - SuSE-FW-DROP-ANTI-SPOOFIN.................DPT 139.... (after
> > hitting network item)
> > ....
> > - SuSE-FW-DROP-ANTI-SPOOFIN.................DPT 139.... (after
> > Start/run "\\192.168.x.y")
> > - SuSE-FW-DROP-ANTI-SPOOFIN.................DPT 445....
> >
> > These services (protocols and ports) are accessible according to my
> > SuSEfirewall2 definitions. I opened theme in section 9.)
> >
> > I guess, this is the reason, that I don't see my samba shares on linux.
> >
> > Can someone give me a hand on this problem?
> >
> > Markus
> >
> >
> >
>
>

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@xxxxxxx - SuSE Security Team
~



< Previous Next >
References