On Tue, 13 Feb 2001, Michael Klein wrote:

> I was hoping to stick w/chap. I realize pap has the login option...but I
> wanted something slightly more secure...

The idea that CHAP is more secure than PAP is a laughable one, which unfortunately has received a good deal of encouragement from such parties as Microsoft. CHAP unavoidably requires keeping a centralized archive of all passwords in plaintext on the server. Given that most PPP connections are not sniffable from the Internet, and given that most PPP *servers* /can/ be attacked from the Internet, it is almost always preferable to send cleartext-equivalent passwords on the wire and store one-way hashed passwords on the server, not the other way around. CHAP does have its place as a security mechanism, but that place is almost never on a machine that uses Linux-PAM.

> And I'm not really sure that the login option has anything to do with pam. I
> believe this works because it goes directly to /etc/passwd (the system
> password database).
> If it used pam, then pam would be determining where it would go (ldap,
> etc/passwd, etc.). Maybe just the man page for the login option of pppd is
> out-of-date.

This is probably the case. I imagine that PAM support was added as a compile-time option, whereas the manpages remain the same whether or not PAM is compiled in.

Steve Langasek
postmodern programmer
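
The storage trade-off described in the message above, as an added example that is not part of the original post and is not pppd's code: CHAP-MD5 as defined in RFC 1994 needs the plaintext secret on the server, while PAP can be checked against a one-way hash. The user name, password and function names are constructed for illustration, and PBKDF2 is an assumed stand-in for whatever one-way hash the system password database or PAM module uses.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_server_verify(secret_db, user, ident, challenge, response) -> bool:
    # The server has to recompute the response itself, so secret_db must
    # hold the secret in plaintext; a one-way hash of it cannot be used.
    secret = secret_db.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Assumed stand-in for the one-way hash behind /etc/passwd or PAM.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_server_verify(hash_db, user, password: bytes) -> bool:
    # PAP delivers the password itself, so the server hashes and compares.
    entry = hash_db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(hash_password(password, salt), stored)

def demo() -> dict:
    user, password = "alice", b"correct horse"   # constructed sample account
    salt = os.urandom(16)
    hashed = hash_password(password, salt)
    hash_db = {user: (salt, hashed)}     # what a PAP server needs to store
    plain_db = {user: password}          # what a CHAP server needs to store

    ident, challenge = 7, os.urandom(16)
    client_resp = chap_response(ident, password, challenge)  # sent on the wire
    return {
        "pap_with_hashed_store": pap_server_verify(hash_db, user, password),
        "chap_with_plaintext_store": chap_server_verify(
            plain_db, user, ident, challenge, client_resp),
        # A server that kept only the hash rejects a genuine CHAP response.
        "chap_with_hashed_store": chap_server_verify(
            {user: hashed}, user, ident, challenge, client_resp),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```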