Paul Lussier writes:

> I can't say for sure it's NT-RAS, but it might be.

This is kind of taken from a web page that I maintain internally here
at work.  Some irrelevant details and sarcasm have been removed.  (-:

If you're stuck using an NT RAS system, it might be useful to you.

If you're just using plain vanilla CHAP or PAP, these instructions
aren't really relevant -- you probably just need to add one line to
your secrets files.

End result:  I have had success using an NT-RAS system from my Linux
box.  Heck, I can even use ssh over the link...

--kevin


PS This is a little bit dated.  Export regulations on encryption have
been relaxed recently.  Also, I have no idea as to how to upgrade your
pppd to handle DES using any other method than by installing from
source.  I don't deal with binary packages very often because I have
to deal with so many different types of systems...


               Accessing a NT RAS Server via a Unix Box

Keywords: PPP, Unix, pppd, Linux, FreeBSD, NetBSD, OpenBSD, Solaris, CHAP,
PAP, RAS, frustration.

Change log

   * 27-Aug-1999 -- I added notes relevant to the Solaris PPP implementation
     to this document. See the Notes regarding specific implementations
     section, below.
   * 23-Aug-1999 -- After a week of struggling with a problem that turned
     out to be caused by an extra backslash, I have now added instructions
     for how to access Cabletron's NT RAS server via a Unix box.

  ------------------------------------------------------------------------

How to use a NT RAS PPP Peer:

Most of this stuff was gleaned from reading PPP documentation and FAQs and
Usenet newsgroups.

An NT RAS server uses a slightly different authentication protocol than what
most other PPP peers use. This type of server still uses CHAP, but instead
of using the more common MD5 one-way encryption algorithm, the NT RAS server
instead uses the DES algorithm. You might notice in your PPP logs that the
NT RAS PPP peer is using an authentication code of 0x80 for CHAP
authentication (whereas systems using MD5 encryption use an authentication
code of 0x05). The NT RAS server isn't any more secure than a system that
uses the MD5 algorithm; it's just different.

How to fix this:

You need to get your PPP peer to understand DES encryption:
-----------------------------------------------------------

You need to get your PPP peer to understand and deal with DES encryption.
This might be fairly easy, depending on your system.

On my system (Linux), the default pppd didn't support DES encryption. The
reason for this has to do with the fact that the US government has decreed
that strong encryption can't be exported legally. DES is one such algorithm
covered by these laws.

However, when I grabbed the source to pppd I was happy to find that the
author had already added support for DES -- all that the end user needs to
do is provide the DES routines and recompile the source with the appropriate
flags set. My system comes with a -lcrypt, so I already had the DES
routines. The actual re-compilation was trivial. One place to find the
source for an implementation of pppd is here:

                ftp://cs.anu.edu.au/pub/software/ppp/

Somehow you've got to get your pppd to handle DES. The source for various
PPP implementations is generally available in lots of places, so you're
probably in luck. If you have any interesting or noteworthy experiences in
this area, please let me know.

You need to modify your chap-secrets file appropriately:
--------------------------------------------------------

This is hokey. Thank you Microsoft.

For deep technical reasons (mostly due to C2 security requirements (which,
last time I checked, Microsoft passed using a machine that wasn't hooked up
to a network), but also due to the fact that we're dealing with NT domains
here), your chap-secrets file has to look something like this:

(this is my file; modify to suit your tastes)

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
my-domain\\kclark my-domain my-password
my-domain my-domain\\kclark my-password


In this example, "my-domain" is the domain, "kclark" is my username, and
"my-password" is my NT domain password. Case and the number of backslashes
are important here. You have been warned.

You need to invoke pppd correctly:
----------------------------------
Here's a simplistic way to invoke pppd:

#!/bin/sh

WHOAMI='my-domain\kclark'   # ONE backslash, not two!!!

/usr/sbin/pppd -detach lock modem debug crtscts /dev/modem \
name "$WHOAMI" remotename my-domain \
noipdefault defaultroute connect \
"chat -v TIMEOUT 120 \"\" atdt18005551212 CONNECT"

The "name" and "remotename" options are critical to pppd's operation here.
Don't leave them out.  Also, when running pppd this way you need to be
running as root.

Notes regarding specific implementations:
-----------------------------------------

   * I can confirm that the Linux implementation of pppd works just fine
     (after I recompiled it, that is).
   * I have had two different people tell me that they had no luck with the
     Solaris PPP implementation. It appears that Sun doesn't support
     Microsoft's PPP authentication mechanism. I assume that the root cause
     of this is a legal one -- Sun can't ship a PPP implementation that
     includes code for DES encryption. Which brings up this question: how is
     Microsoft getting away with shipping this software? Anyways, this
     problem is documented in this infodoc. And, I have received
     confirmation that using other PPP implementations (such as the one that
     I used) works just fine. If you're using Solaris you should check these
     out.

Epilogue:
---------

Please contact me and tell me about any caveats, tricks, tips, dead-ends,
etc. that you encounter while using this service. I'll try to document them
here.

  ------------------------------------------------------------------------
Kevin D. Clark
Last modified: Thu Oct 21 08:43:27 EDT 1999



-- 
Kevin D. Clark          |                          |
[EMAIL PROTECTED] | [EMAIL PROTECTED] |  Give me a decent UNIX
Cabletron Systems, Inc. | PGP Key Available        | and I can move the world
Durham, N.H. (USA)      |                          |
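The backslash problem in the post (two backslashes in chap-secrets, one in the shell script) comes down to how pppd tokenizes its secrets file versus how the shell quotes the `name` argument. The following is an added example, not code from Kevin's page or from the pppd project: a small Python model of the lookup. It assumes a simplified version of pppd's getword() rules (whitespace-separated words, `#` comments, double-quoted words, backslash as the escape character) and a first-match lookup instead of pppd's best-match scoring; the chap-secrets text embedded in it is constructed to mirror the two-line file in the post.

```python
"""Model of how pppd reads chap-secrets for an NT-RAS style domain\\user login.

Simplified model (an assumption of this example, not pppd's actual source):
  - whitespace separates words, '#' at the start of a word begins a comment
  - a word may be enclosed in double quotes
  - a backslash escapes the next character, so '\\\\' in the file is ONE backslash
  - lookup is first-match and case-sensitive; '*' is pppd's wildcard
"""
from typing import List, Optional, Tuple

# Constructed chap-secrets content mirroring the two-line file in the post.
CHAP_SECRETS = r"""
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
my-domain\\kclark my-domain my-password
my-domain my-domain\\kclark my-password
"""

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "s": " "}

Entry = Tuple[str, str, str, List[str]]  # client, server, secret, IP addresses


def tokenize_line(line: str) -> List[str]:
    """Split one secrets-file line into words (simplified getword() rules)."""
    words: List[str] = []
    cur: List[str] = []
    in_word = quoted = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            # Backslash escape: '\\\\' -> '\\', '\\t' -> tab, anything else literal.
            nxt = line[i + 1]
            cur.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            in_word = True
            i += 2
            continue
        if ch == '"':
            quoted = not quoted          # quotes group a word, they are not kept
            in_word = True
        elif ch == "#" and not quoted and not in_word:
            break                        # comment runs to end of line
        elif ch.isspace() and not quoted:
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(ch)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words


def parse_chap_secrets(text: str) -> List[Entry]:
    """Return (client, server, secret, addresses) for every usable line."""
    entries: List[Entry] = []
    for line in text.splitlines():
        words = tokenize_line(line)
        if len(words) < 3:
            continue                     # blank, comment, or malformed line
        entries.append((words[0], words[1], words[2], words[3:]))
    return entries


def find_secret(entries: List[Entry], client: str, server: str) -> Optional[str]:
    """Secret used when we authenticate as `client` (pppd's `name` option)
    to `server` (pppd's `remotename` option). Case-sensitive, '*' matches any."""
    for c, s, secret, _addrs in entries:
        if c in (client, "*") and s in (server, "*"):
            return secret
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Three lookups: the working one, the extra-backslash mistake, a case slip."""
    entries = parse_chap_secrets(CHAP_SECRETS)
    # What the shell passes for WHOAMI='my-domain\kclark': exactly one backslash.
    name_ok = "my-domain\\kclark"
    # The mistake from the change log: an extra backslash on the pppd side.
    name_extra_backslash = "my-domain\\\\kclark"
    # Wrong case in the domain part.
    name_wrong_case = "My-Domain\\kclark"
    return (
        find_secret(entries, name_ok, "my-domain"),
        find_secret(entries, name_extra_backslash, "my-domain"),
        find_secret(entries, name_wrong_case, "my-domain"),
    )


if __name__ == "__main__":
    for label, result in zip(("one backslash", "two backslashes", "wrong case"), demo()):
        print(f"{label:16s} -> {result!r}")
```

Running it shows the secret is found only for the single-backslash, exact-case name; the other two lookups return `None`, which is what a "no secret found" failure in the pppd log corresponds to under this model. Because the same secrets file serves both lines of the post's example, the second entry (server = `my-domain\kclark`) is what a lookup with the roles reversed would hit.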

