Thanks for the info. I'll probably switch back to pap since it's a little cleaner/easier.

I realize that most REAL dial-in servers probably have Radius or some other custom authentication mechanism...I just wanted the 'best' solution for my little home-grown server box...

As I'm coming up on *nix, I'm getting tired of remembering every little dang password and such (htpasswd for apache, smbpasswd for samba, chap/pap for ppp, etc.), and would like everything to use PAM and LDAP if possible...

mike

-----Original Message-----
From: Steve Langasek [mailto:vorlon@netexpress.net]
Sent: Tuesday, February 13, 2001 12:45 PM
To: 'pam-list@redhat.com'
Subject: RE: [PAM] PPP and PAM

On Tue, 13 Feb 2001, Michael Klein wrote:

> I was hoping to stick w/chap. I realize pap has the login option...but I
> wanted something slightly more secure...

The idea that CHAP is more secure than PAP is a laughable one, which unfortunately has received a good deal of encouragement from such parties as Microsoft. CHAP unavoidably requires keeping a centralized archive of all passwords in plaintext on the server. Given that most PPP connections are not sniffable from the Internet, and given that most PPP *servers* /can/ be attacked from the Internet, it is almost always preferable to send cleartext-equivalent passwords on the wire and store one-way hashed passwords on the server, not the other way around.

CHAP does have its place as a security mechanism, but that place is almost never on a machine that uses Linux-PAM.

> And I'm not really sure that the login option has anything to do with pam. I
> believe this works because it goes directly to /etc/passwd (the system
> password database).
> If it used pam, then pam would be determining where it would go (ldap,
> etc/passwd, etc.). Maybe just the man page for the login option of pppd is
> out-of-date.

This is probably the case. I imagine that PAM support was added as a compile-time option, whereas the manpages remain the same whether or not PAM is compiled in.

Steve Langasek
postmodern programmer

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
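
Added example, not part of the original thread and not code from pppd or Linux-PAM: a minimal sketch of the storage trade-off described above, showing that an MD5 CHAP response (RFC 1994) can only be checked against the secret itself, while a PAP password can be checked against a one-way hash. The user name, password, salt, challenge and the PBKDF2 stand-in for the server's hash scheme are all constructed assumptions.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier octet + secret + challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(secret_db: dict, user: str, ident: int,
                challenge: bytes, response: bytes) -> bool:
    # The server must recompute the response, so secret_db has to hold the
    # shared secret itself, in recoverable form.
    secret = secret_db.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Stand-in for whatever one-way scheme the PAM backend uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(hash_db: dict, user: str, password: bytes) -> bool:
    # PAP delivers the password itself, so the server can hash and compare.
    entry = hash_db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(hash_password(password, salt), stored)

# Constructed sample data, not taken from the thread.
USER, PASSWORD = "mike", b"constructed-sample-password"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
HASH_DB = {USER: (SALT, hash_password(PASSWORD, SALT))}
PLAINTEXT_DB = {USER: PASSWORD}

def demo() -> dict:
    client_resp = chap_response(1, PASSWORD, CHALLENGE)  # honest client
    return {
        "pap_with_hash_db": pap_verify(HASH_DB, USER, PASSWORD),
        "pap_wrong_password": pap_verify(HASH_DB, USER, b"wrong"),
        "chap_with_plaintext_db": chap_verify(PLAINTEXT_DB, USER, 1, CHALLENGE, client_resp),
        # Feeding the stored hash to CHAP as if it were the secret fails.
        "chap_with_hash_db": chap_verify({USER: HASH_DB[USER][1]}, USER, 1, CHALLENGE, client_resp),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

If both ends instead agreed to use the stored hash as the CHAP secret, that hash would itself be password-equivalent, so the server would still be holding a usable credential.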