Hi, Sylvain.

> -----Original Message-----
> From: lwip-users On Behalf Of Sylvain Rochet
> Sent: Thursday, 11 August 2016 19:05
>
> On Thu, Aug 11, 2016 at 12:48:19AM +0000, Greg Smith wrote:
> >
> > I have a follow-on question. Below I said I was able to connect with
> > MSCHAPv2 or no authentication. I think I was actually not
> > authenticating in either case. So... Is there a way to have PPP try
> > authentication first before giving up and trying no authentication?
> > (This may be a violation of LCP, I'm not sure. It just seems like it
> > should/could be a negotiable option.)
>
> I'm not sure that's possible, even if the protocol might allow it in some way
> (which I doubt) it is not supported in the wild; at least neither pppd nor lwIP is
> able to try auth with different auth protocols, one auth protocol is chosen once
> for all and it will either succeed or fail. That would be a downgrade attack
> vector anyway and this is why PPPAUTHTYPE_ANY shouldn't be used.

It was a long shot. Reading through various pppd documentation, there doesn't seem to be a way to force anything. Instead, you can just disallow certain options with the peer (i.e. I can't force MSCHAPv2 on one side, but I can disallow CHAP, MSCHAP, and PAP, for example, which _almost_ implicitly forces MSCHAPv2). Unfortunately, there's no way that I've found to disallow no auth, so nothing is still acceptable if the other peer allows it.

> > If I set ppp_set_auth_required(, 0);, then I think it always connects
> > with no auth, regardless of what I've set in ppp_set_auth().
>
> ppp_set_auth_required(, 0) only sets that the -peer- is not required to
> authenticate. It has no influence whatsoever on whether the peer is going to ask
> -us- to authenticate.
>
> > If I set ppp_set_auth_required(, 1);, then it refuses the peers that
> > don't support auth at all.
>
> Of course, because we then require the peer to authenticate. This option is
> mostly used on a PPP server listener, where we want the incoming PPP session to
> authenticate; asking the server to authenticate is less common.

Understood, and is what I've found in practice. I wanted to verify that I wasn't missing something.

> Anyway, what you could do is to write this state machine outside, which would
> give something like that:
>
>
> begin;
>
> try with MSCHAPv2 + MPPE;
>
> if != PPPERR_NONE is returned:
>   try without AUTH;
>
> loop;
>
>
> This would also make the PPP_MPPE_ALLOW_CLEARTEXT idea useless.

Yes, don't spend time on the PPP_MPPE_ALLOW_CLEARTEXT option. That sounds like a lot of work and peculiarity to lwIP that I'd like to avoid. But I will try something like the loop and see if I can make it work. It sounds like a pretty simple idea, which I like! When I can get some testing on new and old, and if it works, I'll post back to let the community know.

Thanks again for your ideas; this is a great help.
-- G
_______________________________________________ lwip-users mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/lwip-users
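The outer "try MS-CHAPv2 + MPPE first, fall back to no auth" loop from the exchange above, written out as an added example; this is not code from the thread, from lwIP or from pppd. It compiles without lwIP: the enum names (AUTHTYPE_*, ERR_*), the peer_t model of the remote end and the synchronous try_connect() are stand-ins I constructed for the ppp_set_auth()/ppp_set_mppe()/ppp_connect() sequence and the link-status callback, which in real lwIP delivers the result asynchronously. The one refinement over the loop in the thread is mine: an MS-CHAPv2 peer that rejects the credentials (ERR_AUTHFAIL) is not treated as a legacy peer, so no downgrade is attempted in that case, and the no-auth retry is gated behind an explicit policy flag because, as Sylvain notes, that retry is itself a downgrade vector.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the lwIP names used in the thread. These are NOT
 * lwIP's definitions; values are chosen for this simulation only. */
typedef enum {
    AUTHTYPE_MSCHAP_V2,   /* stands in for PPPAUTHTYPE_MSCHAP_V2 */
    AUTHTYPE_NONE         /* stands in for PPPAUTHTYPE_NONE      */
} authtype_t;

typedef enum {
    ERR_NONE = 0,         /* stands in for PPPERR_NONE */
    ERR_AUTHFAIL,         /* peer ran MS-CHAPv2 and rejected our credentials */
    ERR_PROTOCOL          /* negotiation failed (no MS-CHAPv2, so no MPPE keys) */
} ppp_err_t;

/* Constructed model of the remote peer: what it is willing to negotiate. */
typedef struct {
    bool offers_mschapv2;  /* peer will run MS-CHAPv2, so MPPE keys exist */
    bool allows_noauth;    /* peer will bring the link up with no auth at all */
    const char *user;      /* credentials the peer knows */
    const char *pass;
} peer_t;

/* Stand-in for ppp_set_auth() + ppp_set_mppe() + ppp_connect() + the
 * link-status callback, collapsed into one synchronous call. The first
 * attempt requires MPPE, which cannot come up without MS-CHAPv2 keys. */
static ppp_err_t try_connect(const peer_t *peer, authtype_t auth,
                             const char *user, const char *pass)
{
    if (auth == AUTHTYPE_MSCHAP_V2) {
        if (!peer->offers_mschapv2)
            return ERR_PROTOCOL;
        if (strcmp(user, peer->user) != 0 || strcmp(pass, peer->pass) != 0)
            return ERR_AUTHFAIL;
        return ERR_NONE;
    }
    return peer->allows_noauth ? ERR_NONE : ERR_PROTOCOL;
}

typedef struct {
    ppp_err_t err;        /* result of the last attempt */
    authtype_t used;      /* auth type of that attempt */
    int attempts;
} connect_result_t;

/* The outer state machine: MS-CHAPv2 + MPPE first; only if that fails for
 * lack of protocol support, and only if policy allows it, retry with no
 * authentication. The retry is a deliberate downgrade: a hostile peer can
 * refuse MS-CHAPv2 and then be accepted in cleartext, so set
 * allow_noauth_fallback only for links where that is acceptable. */
connect_result_t connect_with_fallback(const peer_t *peer, const char *user,
                                       const char *pass, bool allow_noauth_fallback)
{
    connect_result_t r = { ERR_NONE, AUTHTYPE_MSCHAP_V2, 0 };

    r.attempts++;
    r.err = try_connect(peer, AUTHTYPE_MSCHAP_V2, user, pass);
    if (r.err == ERR_NONE)
        return r;

    /* A peer that ran MS-CHAPv2 and said "no" is not a legacy peer:
     * report the failure instead of quietly dropping to cleartext. */
    if (r.err == ERR_AUTHFAIL || !allow_noauth_fallback)
        return r;

    r.attempts++;
    r.used = AUTHTYPE_NONE;
    r.err = try_connect(peer, AUTHTYPE_NONE, user, pass);
    return r;
}

/* Constructed scenarios: a current peer, a legacy no-auth peer, and a
 * MS-CHAPv2 peer holding different credentials. */
const peer_t NEW_PEER   = { true,  false, "greg", "s3cret" };
const peer_t OLD_PEER   = { false, true,  "",     ""       };
const peer_t WRONG_PEER = { true,  true,  "greg", "other"  };

int main(void)
{
    const peer_t *peers[] = { &NEW_PEER, &OLD_PEER, &WRONG_PEER };
    const char *names[]   = { "new", "old", "wrong-creds" };
    for (int i = 0; i < 3; i++) {
        connect_result_t r = connect_with_fallback(peers[i], "greg", "s3cret", true);
        printf("%-12s err=%d used=%s attempts=%d\n", names[i], (int)r.err,
               r.used == AUTHTYPE_MSCHAP_V2 ? "mschapv2" : "none", r.attempts);
    }
    return 0;
}
```

Note that the legacy peer and an attacker refusing MS-CHAPv2 look identical to this loop; the policy flag is the only thing standing between the two, which is why it should default to false on any link where cleartext is not already an accepted risk.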
