Thus spake Steve Langasek:
> On Tue, 13 Feb 2001, Michael Klein wrote:
>
> > I was hoping to stick w/chap. I realize pap has the login option...but
> > I wanted something slightly more secure...
>
> The idea that CHAP is more secure than PAP is a laughable one, which
> unfortunately has received a good deal of encouragement from such
> parties as Microsoft. CHAP unavoidably requires keeping a centralized
> archive of all passwords in plaintext on the server. Given that most
> PPP connections are not sniffable from the Internet, and given that
> most PPP *servers* /can/ be attacked from the Internet, it is almost
> always preferable to send cleartext-equivalent passwords on the wire and
> store one-way hashed passwords on the server, not the other way around.

I have to disagree here, and I've only recently found reason to. In a lot of configurations nowadays, large ISPs with lots of RASes, like UUNet, MegaPop, etc., sell dial-in to smaller regional ISPs and use proxy RADIUS to accomplish this. If I understand CHAP correctly (and I'm sure someone will tell me if I'm wrong), the challenge happens between the RAS and the end RADIUS server, so the password will never pass through the proxy RADIUS servers and the Internet in clear text.

That said, I've never used CHAP and haven't read much about it. I could also be wrong about the nature of communication between RADIUS servers; I haven't read up on the RADIUS protocol.

Wil

-- 
W. Reilly Cooley                                 wcooley@nakedape.cc
Naked Ape Consulting                             http://nakedape.cc
LNXS: Linux/GNU for servers, networks, and       http://lnxs.org
people who take care of them.                    irc.openprojects.net #lnxs
*Now with integrated crypto!*

The first Rotarian was the first man to call John the Baptist "Jack."
        -- H.L. Mencken
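The two positions above come down to where the secret has to exist: CHAP (RFC 1994, MD5 algorithm) has the server recompute MD5(Identifier || secret || Challenge), so the verifying server must hold the cleartext secret, while PAP sends the password itself and lets the server keep only a one-way hash. The following is an added example, not code from this thread or from any RADIUS implementation: it models both exchanges and what an intermediate proxy RADIUS server gets to forward. The attribute names follow RFC 2865 (User-Name, CHAP-Challenge, CHAP-Password, User-Password); the proxy layout, the PBKDF2 work factor and all sample values are constructed for illustration.

```python
"""Toy model of the CHAP-vs-PAP server-side storage tradeoff (added example).

CHAP response per RFC 1994 (MD5 algorithm): MD5(Identifier || secret || Challenge).
Everything about the proxy hop is a constructed illustration, not a RADIUS implementation.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # constructed work factor for the PAP-side stored hash


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, MD5 algorithm: one-octet Identifier, then the secret, then the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The verifier recomputes the response, so it needs the cleartext secret on file.
    A server that kept only a hash of the secret cannot produce the expected value."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_enroll(password: bytes, salt: bytes) -> bytes:
    """PAP server side: store a salted one-way hash, never the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def pap_verify(password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """Verify a cleartext password received on the wire against the stored hash."""
    return hmac.compare_digest(pap_enroll(password, salt), stored_hash)


def proxied_chap_exchange(user: str, secret: bytes, identifier: int = 1,
                          challenge: Optional[bytes] = None) -> Dict[str, bytes]:
    """What the RAS hands to proxy RADIUS for a CHAP login (constructed model).

    CHAP-Password carries the CHAP Identifier followed by the 16-octet response,
    as in RFC 2865; the proxy only relays these and the home server verifies.
    """
    challenge = challenge if challenge is not None else secrets.token_bytes(16)
    return {
        "User-Name": user.encode(),
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([identifier & 0xFF]) + chap_response(identifier, secret, challenge),
    }


def proxied_pap_exchange(user: str, password: bytes) -> Dict[str, bytes]:
    """What the RAS hands to proxy RADIUS for a PAP login (constructed model).

    RFC 2865 hides User-Password with the shared secret of each hop, but a proxy
    must unhide and re-hide it to forward, so every proxy sees the cleartext.
    """
    return {"User-Name": user.encode(), "User-Password": password}


def proxy_sees_secret(forwarded: Dict[str, bytes], secret: bytes) -> bool:
    """True if the cleartext secret is recoverable by substring from any forwarded field."""
    return any(secret in value for value in forwarded.values())


if __name__ == "__main__":
    secret, chal = b"correct horse", bytes(range(16))  # constructed sample values
    chap = proxied_chap_exchange("wil", secret, 7, chal)
    print("CHAP proxy sees secret:", proxy_sees_secret(chap, secret))  # False
    print("PAP  proxy sees secret:", proxy_sees_secret(proxied_pap_exchange("wil", secret), secret))  # True
    print("CHAP verify with hashed secret only:",
          chap_verify(7, hashlib.sha256(secret).digest(), chal, chap["CHAP-Password"][1:]))  # False
```

Run as a script, it prints the three outcomes the thread is arguing over: the CHAP proxy never sees the secret, the PAP proxy does, and a CHAP home server cannot verify from a stored hash. Both claims in the thread are therefore right about different links: Steve's point is about what the home server must store, Wil's is about what crosses the proxy path.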