Re: [lwip-users] PPP MPPE "Optional" Support


From: Sylvain Rochet
Subject: Re: [lwip-users] PPP MPPE "Optional" Support
Date: Fri, 12 Aug 2016 01:05:02 +0200
User-agent: Mutt/1.5.23 (2014-03-12)

Hi Greg,


On Thu, Aug 11, 2016 at 12:48:19AM +0000, Greg Smith wrote:
>
> I have a follow-on question.  Below I said I was able to connect with 
> MSCHAPv2 or no authentication.  I think I was actually not 
> authenticating in either case.  So...  Is there a way to have PPP try 
> authentication first before giving up and trying no authentication?  
> (This may be a violation of LCP, I'm not sure.  It just seems like it 
> should/could be a negotiable option.)

I'm not sure that's possible; even if the protocol might allow it in 
some way (which I doubt), it is not supported in the wild: neither pppd 
nor lwIP is able to try auth with a different auth protocol. One auth 
protocol is chosen once and for all and it will either succeed or fail. That 
would be a downgrade attack vector anyway, and this is why 
PPPAUTHTYPE_ANY shouldn't be used.


> If I set ppp_set_auth_required(, 0);, then I think it always connects 
> with no auth, regardless of what I've set in ppp_set_auth().

ppp_set_auth_required(, 0) only sets that the -peer- is not required to 
authenticate. It has no influence whatsoever on whether the peer is going 
to ask -us- to authenticate.


> If I set ppp_set_auth_required(, 1);, then it refuses the peers that 
> don't support auth at all.

Of course, because we then require the peer to authenticate. This option 
is mostly used on a PPP server listener, where we want the incoming PPP 
session to authenticate; asking the server to authenticate is less 
common.


> Is there a solution here that I'm not seeing?

I don't think there is; only PAP has an option to accept a null password 
("") to accept clients that are not able to do PPP without an 
authentication phase. There is currently no way to have "try 
authentication but don't care about the result", which is what you 
actually want :-)


> Slightly outside of the scope of lwIP, but if it's possible, what are 
> the appropriate pppd options to allow its side?

Reading the pppd documentation, I can't find a way to achieve that.


Anyway, what you could do is to write this state machine outside, which 
would give something like this:


begin;

try with MSCHAPv2 + MPPE;

if != PPPERR_NONE is returned:
    try without AUTH;

loop;


This would also make the PPP_MPPE_ALLOW_CLEARTEXT idea useless.


Sylvain
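The outer state machine sketched in the message above, as an added C example that is not part of the thread or of lwIP: the fallback order is a profile table, the lwIP connect step is a caller-supplied function (the constructed fake_attempt peer model stands in for ppp_connect() and the link-status callback so the driver runs offline), and names such as ppp_profile, ppp_fallback_connect and simulate are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* One stage of the outer state machine: what to ask lwIP for on that attempt
 * (mapped by the caller to ppp_set_auth()/ppp_set_mppe() before ppp_connect()). */
typedef struct {
    const char *name;
    bool mschapv2;   /* ask for MSCHAPv2 (PPPAUTHTYPE_MSCHAP_V2) */
    bool mppe;       /* ask for MPPE (PPP_MPPE_ENABLE) */
} ppp_profile;
/* Ordered list from the thread: MSCHAPv2 + MPPE first, then no auth at all. */
static const ppp_profile fallback[] = {
    { "mschapv2+mppe", true,  true  },
    { "no-auth",       false, false },
};
#define N_PROFILES (sizeof fallback / sizeof fallback[0])
/* Caller-supplied attempt: connects with one profile and returns the err_code
 * the link-status callback reported (0 is lwIP's PPPERR_NONE). */
typedef int (*ppp_attempt_fn)(const ppp_profile *p, void *ctx);
/* One pass of "try MSCHAPv2+MPPE; if != PPPERR_NONE, try without AUTH". Returns
 * the index of the profile that came up, or -1 when all failed (then loop). */
int ppp_fallback_connect(ppp_attempt_fn attempt, void *ctx, int *last_err)
{
    for (size_t i = 0; i < N_PROFILES; i++) {
        *last_err = attempt(&fallback[i], ctx);
        if (*last_err == 0) return (int)i;
        fprintf(stderr, "profile %s failed, err %d\n", fallback[i].name, *last_err);
    }
    return -1;
}
/* Constructed peer model so the driver runs offline (not lwIP behaviour); the
 * error numbers it returns are this example's own, not PPPERR_* values. */
typedef struct { bool accepts_auth; bool creds_ok; int attempts; } fake_peer;
static int fake_attempt(const ppp_profile *p, void *ctx)
{
    fake_peer *peer = ctx;
    peer->attempts++;
    if (!p->mschapv2) return 0;          /* no auth phase: link comes up */
    if (!peer->accepts_auth) return 2;   /* peer cannot do MSCHAPv2 at all */
    return peer->creds_ok ? 0 : 1;       /* credentials accepted or rejected */
}
/* Run the state machine against a modelled peer; returns the profile index
 * and reports how many attempts it took. */
int simulate(bool accepts_auth, bool creds_ok, int *attempts)
{
    fake_peer peer = { accepts_auth, creds_ok, 0 };
    int err = 0, idx = ppp_fallback_connect(fake_attempt, &peer, &err);
    *attempts = peer.attempts;
    return idx;
}
```

A link that came up on the "no-auth" profile is unauthenticated, including when the first attempt failed only because the credentials were rejected, which is the downgrade path the message warns about for PPPAUTHTYPE_ANY; the stderr line is where a deployment would record that it happened.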
