PPP Security (Part 2):
Challenge Handshake Authentication Protocol (CHAP) is the default authentication protocol used by PPP. CHAP is not vulnerable to the security attacks that threaten PAP. In fact, a PPP connection that uses CHAP is probably more secure than your local Ethernet connection. For one, CHAP does not send clear-text passwords. Instead, CHAP sends a string of characters called a challenge string. The system seeking authentication encrypts the challenge string with a secret key from the /etc/ppp/chap-secrets file, and returns the encrypted string to the server. The secret key never travels across the network and therefore cannot be read off the network by a snooper.
Additionally, CHAP repeatedly reauthenticates the systems. Even if a thief steals the connection through address spoofing, he cannot keep the connection for long without responding correctly to the CHAP challenge.
CHAP is configured through the chap-secrets file. Entries in the chap-secrets file contain the following fields:
- respondent: This is the name of the computer that will respond to the CHAP challenge. Most documentation calls this the "client" field. However, PPP clients require authentication from servers in the same way that servers require authentication from clients. The first field defines the system that must respond to the challenge in order to be authenticated.
- challenger: This is the name of the system that will issue the CHAP challenge. Most documentation calls this the "server" field, but as noted earlier, servers are not the only systems that issue CHAP challenges. The second field contains the name of the computer that challenges the other system to authenticate itself.
- secret: This is the secret key that is used to encrypt and decrypt the challenge string. The challenger sends a challenge string to the system that is being authenticated. The respondent encrypts that string using the secret key, and sends the encrypted string back to the challenger. Then, the challenger decrypts the string with the secret key. If the decrypted string matches the original challenge string, the responding system is authenticated. Using this system, the secret key never travels across the network.
- address: This is an address written either as a numeric IP address or as a hostname. If an address is defined, the respondent must use the specified IP address. Even if a system responds with the correct secret key, it will not be authenticated unless it is also the host at the correct IP address.
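The following Python program is an added example, not code from the original text or from pppd, that ties the handshake described above to the four chap-secrets fields. It parses a constructed sample chap-secrets file, computes the response the way RFC 1994 specifies for CHAP-MD5 (an MD5 digest over the packet identifier, the shared secret and the challenge, so only the digest crosses the link), lets the challenger verify that digest, enforces the address field, and shows why a sniffed response is useless against the next challenge. The sample secrets, host names and addresses are constructed; the address check is simplified (real pppd also resolves hostnames and accepts subnet masks).

```python
import hashlib
import hmac
import ipaddress
import os
import shlex

# Constructed sample content of /etc/ppp/chap-secrets (illustrative, not a real file).
# Fields: respondent  challenger  secret  address
SAMPLE_CHAP_SECRETS = """\
# respondent   challenger   secret           address
alice          gateway      "s3cr3t-alice"   192.168.10.2
gateway        alice        "s3cr3t-gw"      *
bob            gateway      "s3cr3t-bob"     *
"""


def parse_chap_secrets(text):
    """Map (respondent, challenger) -> (secret, address) from chap-secrets text.

    Secrets may be quoted, so shlex handles quoting and '#' comments; a missing
    fourth field is treated as '*' (any address), which is what pppd does.
    """
    entries = {}
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 3:
            continue                            # blank, comment, or malformed line
        respondent, challenger, secret = fields[:3]
        address = fields[3] if len(fields) > 3 else "*"
        entries[(respondent, challenger)] = (secret, address)
    return entries


def chap_response(identifier, secret, challenge):
    """CHAP-MD5 response (RFC 1994): MD5(identifier || secret || challenge).

    The secret itself never leaves the host; only this 16-byte digest is sent.
    """
    h = hashlib.md5()
    h.update(bytes([identifier & 0xFF]))
    h.update(secret.encode())
    h.update(challenge)
    return h.digest()


def address_matches(rule, peer_addr):
    """Apply the fourth field: '*' allows any address, otherwise exact match.

    Simplified: real pppd also resolves hostnames and accepts subnet masks.
    """
    if rule == "*":
        return True
    try:
        return ipaddress.ip_address(rule) == ipaddress.ip_address(peer_addr)
    except ValueError:
        return rule.lower() == peer_addr.lower()    # rule given as a hostname


def verify_response(entries, respondent, challenger, identifier, challenge,
                    response, peer_addr):
    """Challenger side: recompute the expected digest and compare in constant time."""
    entry = entries.get((respondent, challenger))
    if entry is None:
        return False                                # no secret configured for this pair
    secret, address_rule = entry
    expected = chap_response(identifier, secret, challenge)
    if not hmac.compare_digest(expected, response):
        return False                                # wrong secret
    return address_matches(address_rule, peer_addr) # right secret, but also the right host?


def run_chap_round(entries, respondent, challenger, peer_addr, secret_known_to_peer):
    """One challenge/response round; the peer answers with whatever secret it holds."""
    identifier = 7                    # arbitrary CHAP identifier for this round
    challenge = os.urandom(16)        # fresh random challenge chosen by the challenger
    response = chap_response(identifier, secret_known_to_peer, challenge)
    return verify_response(entries, respondent, challenger, identifier,
                           challenge, response, peer_addr)


def replay_is_rejected(entries, respondent, challenger, peer_addr):
    """Why repeated challenges help: a captured response fails the next challenge."""
    secret = entries[(respondent, challenger)][0]
    identifier = 7
    captured = chap_response(identifier, secret, os.urandom(16))   # seen on the wire in round 1
    new_challenge = os.urandom(16)                                # challenger's round 2 challenge
    return not verify_response(entries, respondent, challenger, identifier,
                               new_challenge, captured, peer_addr)


if __name__ == "__main__":
    db = parse_chap_secrets(SAMPLE_CHAP_SECRETS)
    print("alice from 192.168.10.2:", run_chap_round(db, "alice", "gateway", "192.168.10.2", "s3cr3t-alice"))
    print("alice from 192.168.10.99:", run_chap_round(db, "alice", "gateway", "192.168.10.99", "s3cr3t-alice"))
    print("client challenging server:", run_chap_round(db, "gateway", "alice", "10.0.0.1", "s3cr3t-gw"))
    print("replayed response rejected:", replay_is_rejected(db, "alice", "gateway", "192.168.10.2"))
```

The second chap-secrets line is the reverse direction the text stresses: here the client alice is the challenger and the gateway must respond, so both sides need an entry before a mutually authenticated link comes up. The address check runs only after the digest matches, mirroring the rule that a correct secret from the wrong host is still refused.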