PPP to Shiva LanRover from Linux

Post by Steve Masticol » Fri, 23 Jul 1999 04:00:00



Hi, all,

Two questions:

1. Has anyone ever established a PPP connection to a Shiva box from
Linux? A scan of DejaNews says probably not.

2. If so, is there a way to make a dial-up connection using a non-static
password? My employer requires the use of a SecurID card, and therefore
that the static passwords in the pap-secrets and chap-secrets files are
apparently not going to work.

Given that Shiva is probably under contractual obligation to M$ never
to support Linux, I am not hopeful that the answer to either of these
questions is positive.  But if I'm wrong, it should probably be in the
PPP-Howto.

Thanks,
- Steve.
masticol scr siemens com

Reply address spamproofed.

 
 
 

PPP to Shiva LanRover from Linux

Post by Clifford Ki » Fri, 23 Jul 1999 04:00:00


: 1. Has anyone ever established a PPP connection to a Shiva box from
: Linux? A scan of DejaNews says probably not.

There should be no problem unless the Shiva only uses a proprietary
authentication protocol such as SPAP or MSCHAP v2 .

: 2. If so, is there a way to make a dial-up connection using a non-static
: password? My employer requires the use of a SecurID card, and therefore
: that the static passwords in the pap-secrets and chap-secrets files are
: apparently not going to work.

If you're into "expect" then there's a script, secure-card, in the scripts
directory of the ppp-2.3.8 source tree that might help.  Otherwise you
might want to try this:

http://www.inetport.com/~kite/SecurID.gz

It has a patch to chat that was posted a while back.

--

/* Speak softly and carry a +6 two-handed sword. */

 
 
 

PPP to Shiva LanRover from Linux

Post by Steve Masticol » Fri, 23 Jul 1999 04:00:00


: If you're into "expect" then there's a script, secure-card, in the
: scripts directory of the ppp-2.3.8 source tree that might help.
: Otherwise you
: might want to try this:
:
: http://www.inetport.com/~kite/SecurID.gz
:
: It has a patch to chat that was posted a while back.

Unfortunately, I think the problem goes beyond what can be done with
expect or chat scripts.  The password has to be specified somehow to pap
or chap.

AFAICT, the only way to specify a password to pap or chap is through the
pap-secrets and chap-secrets files respectively. From the PPP-Howto's
bit about the (p|ch)ap-secrets files:

> They must be owned by user root, group root and have
> file permissions 740 for security.

It wouldn't be impossible to hack around this requirement, but it'd be
somewhat ugly (write a script to overwrite the file before starting up
pppd.)  I might try this as an experiment, but if there's a more elegant
way to do it, I'd certainly be interested in learning.

Thanks,
- Steve.
masticol scr siemens com

Reply address spamproofed.

 
 
 

PPP to Shiva LanRover from Linux

Post by Clifford Ki » Fri, 23 Jul 1999 04:00:00


: Unfortunately, I think the problem goes beyond what can be done with
: expect or chat scripts.  The password has to be specified somehow to pap
: or chap.

I passed over that in your post.  But I've never seen another post asking
for help for SecurID that needed to be in a secrets file.  I guess you
are sure that PAP or CHAP must be used in this way but it's new to me.

Sounds gruesome even for Shiva.

--

/* Microsoft is a great marketing organization.
 * It _has_ to be */

 
 
 

PPP to Shiva LanRover from Linux

Post by Steve Masticol » Sat, 24 Jul 1999 04:00:00



> I guess you are sure that PAP or CHAP must be used in this way
> but it's new to me.

I'm not sure. But I think it's a reasonable inference, based on the
procedures for installing and using "Shiva Security Pack" that I have
here. See below.

> Sounds gruesome even for Shiva.

Yep.  Shiva, as I'm certain you know, wrote something for Windows that
does roughly the same thing that pppd does for Linux. But their
authentication assumes that the user is authenticated, not the machine.

Step 10 below is the kicker. The 4-digit passcode plus SecurID code are
entered into a text field as a single string, and are used (apparently
by SPAP, given the verbiage about spap.vxd) during authentication.  My
hope is that the Shiva box will use PAP the same way.

BTW, I even went so far as to talk to an engineer at Shiva about this
problem.  I gathered from his response that Shiva has no intention of
ever supporting dial-up interoperability with any version of Unix,
including Linux. (I hope that netadmins will note this for future
product reviews.)

- Steve.
masticol scr siemens com

Reply address spamproofed.

P.S. My experiment last night could not be completed because the Shiva
box refused to complete a handshake with my Courier modem. Maybe tonight
it'll be healthier.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Installing Shiva Security Pack for Windows 95/98 and NT 4.0
to Access SCR's 56K Modems

Follow these instructions to install the Shiva Security Pack. You must
restart Windows after completing the installation.

Prerequisites:
1. You must have Dial-Up Networking installed. Windows 95 users must
have version 1.1 or higher of Dial-Up Networking installed.
2. You must have the Dial-Up Adapter installed and bound to the
appropriate protocol: TCP.
3. If you use the Microsoft ISDN Accelerator Pack, you must have the
ISDN Accelerator Pack version 1.1 or higher installed.

        Windows 95/98:

1. You must have Dial-Up Networking installed on your system before
installing the Shiva Security Pack for Windows 95/98 or NT. You can
verify that the correct version of Dial-Up Networking is installed under
Windows 95/98 by looking in the Add/Remove Programs Control Panel under
the Windows Setup tab.  

1.1. Double-click on the Communications component and verify that
Dial-Up Networking is checked. Also, you must have the Dial-Up Adapter
installed and bound to the appropriate protocol: TCP.  

2. To verify that you have the Dial-Up Adapter installed and bound to
TCP:

2.1. Go to the Network Control Panel and see if Dial-Up Adapter
appears in the list.

2.2. If Dial-Up Adapter is not in the list, you will need to install it.

2.3. Bind it to TCP if it isn't? How?

Under Windows NT:
The Remote Access Service needs to be installed.

1. To verify this, double click on Network Icon in the Control Panel.

2. Check for Remote Access Service under the Services tab.

3. If you don't find Remote Access Service, you will need to click
on the add button to install it.

4.  (don't forget to re-apply any service packs that you may have
installed).

Shiva Security Pack Installation Steps
1. Copy the files under \\<directory name deleted>\common\shiva into a
1.44 MB floppy disk

2. Click the Add/Remove Programs control panel.

3. Click the Windows Setup tab.

4. Click the Have Disk button.

5. Click the Browse button to locate the directory or disk that contains
the Shiva Security Pack installation files for the operating system that
you are running, then click OK.

6. Select the checkbox next to Shiva Security Pack.  This is the third
option in the list.  Don't select the first two options.

7. If you have the Microsoft ISDN Accelerator Pack 1.1, Dial-Up
Networking 1.2, or similar programs installed, you will be asked whether
you want to keep a newer file (called SPAP.VXD) that already exists on
your hard disk. Answer Yes to this question to keep the newer version of
SPAP.VXD.

8. Click OK to close the Add/Remove Programs control panel dialog box
and finish the installation.

9. When a dialog box appears suggesting you need to restart the
computer, restart Windows by clicking Yes.

10. Create a new dialup connection.  The dialup number is <number
deleted>.  This number is connected to a modem pool of twelve 56K
modems.  You don't need the dialup window to pop up after the modem
connection is made.  Just enter your username and Passcode (PIN+SecurID
number) in the initial dialup window.

11. If you have the ISDN Accelerator Pack, and it  stops working after
you install the Shiva Security Pack, then reinstall the latest
Accelerator Pack from Microsoft (version 1.1 or higher) to continue
using both products.

Special Considerations

Be aware of the following special considerations when using this
product:

Microsoft ISDN Accelerator Pack Notes. If you use the Microsoft ISDN
Accelerator Pack, be aware of the following:

You must have the ISDN Accelerator Pack version 1.1 or higher
installed. Earlier versions will not work with the Shiva Security Pack.

If you use the ISDN accelerator pack, while installing the Shiva
Security Pack, you will be asked whether you want to keep a newer file
(called SPAP.VXD) that already exists on your hard disk. Answer Yes to
this question to keep the newer version of SPAP.VXD.

If the Accelerator Pack stops working after you install the Shiva
Security Pack, simply reinstall the latest Accelerator Pack from
Microsoft (version 1.1 or higher) to continue using both products.

Keep the Latest Version of SPAP.VXD. While installing the Shiva
Security Pack, you may be asked whether you want to keep a newer file
(called SPAP.VXD) that may already exist on your hard disk if you have
Dial-Up Networking version 1.2 or the ISDN Accelerator Pack version 1.1
(or higher versions of either) installed. Answer Yes to this question to
keep the newer version of SPAP.VXD.

Microsoft Plus Pack Interaction. The Shiva Security Pack is
incompatible with the scripting component installed with the Microsoft
Plus Pack for Windows 95. If you have installed the Microsoft Plus Pack
for Windows 95 and you are having problems with scripting or the
Security Pack features, upgrade your version of Dial-Up Networking to
version 1.1 or higher and reinstall the Shiva Security Pack to avoid
further problems.

 
 
 

PPP to Shiva LanRover from Linux

Post by Clifford Ki » Sat, 24 Jul 1999 04:00:00


: > I guess you are sure that PAP or CHAP must be used in this way
: > but it's new to me.

: I'm not sure. But I think it's a reasonable inference, based on the
: procedures for installing and using "Shiva Security Pack" that I have
: here. See below.

: > Sounds gruesome even for Shiva.

: Yep.  Shiva, as I'm certain you know, wrote something for Windows that
: does roughly the same thing that pppd does for Linux. But their
: authentication assumes that the user is authenticated, not the machine.

: Step 10 below is the kicker. The 4-digit passcode plus SecurID code are
: entered into a text field as a single string, and are used (apparently
: by SPAP, given the verbiage about spap.vxd) during authentication.  My
: hope is that the Shiva box will use PAP the same way.

Yes, I'd agree that it is the kicker.  I wish you luck but doubt that
you'll get to use PAP in the same way.  No one except a Shiva engineer
knows exactly what SPAP does but after reading this I'd guess that the
passcode, or perhaps just the SecurID code, is probably obscured in
some way by the Windows machine SPAP before sending it over the wire.
It seems doubtful that the security weenies would leave PAP as an option.

: BTW, I even went so far as to talk to an engineer at Shiva about this
: problem.  I gathered from his response that Shiva has no intention of
: ever supporting dial-up interoperability with any version of Unix,
: including Linux. (I hope that netadmins will note this for future
: product reviews.)

Microsoft and Shiva deserve each other.

--

/* I gave up on politics when no matter who I voted for, I regretted it.
 *    -- Pepper...and Salt, WSJ */

 
 
 

PPP to Shiva LanRover from Linux

Post by Steve Masticol » Wed, 28 Jul 1999 04:00:00


:: BTW, I even went so far as to talk to an engineer at Shiva
:: about this problem.  I gathered from his response that Shiva
:: has  no intention of ever supporting dial-up interoperability
:: with any version of Unix, including Linux. (I hope that
:: netadmins will note this for future product reviews.)

: Microsoft and Shiva deserve each other.


about some Intel seminar on VPNs. Of course, Micros~0 has been spamming
me for years.

MLMs, please note the address above in your mining operations.
]8-}

- Steve.
masticol scr siemens com

Reply address spamproofed.

 
 
 

PPP to Shiva LanRover from Linux

Post by han » Thu, 29 Jul 1999 04:00:00



> Hi, all,

> Two questions:

> 1. Has anyone ever established a PPP connection to a Shiva box from
> Linux? A scan of DejaNews says probably not.

hi steve
I have no problem -anymore- with connecting from linux to a shiva
lanroverbox, using a time-generated-key [6 digits] that I put in
pap-secrets just before dialing the lanrover.
[using pppd-2.3.8]

it's not very difficult to use a perlscript and a browser to make the
process of changing the password [key] in pap-secrets, so you can
connect from a lan to the shiva.

I do have problems to get the shiva to callback,
with pap it only says: "dialin disabled" and that's all, even the modem
connect stays up, so I have to kill pppd by hand.

in win95 I don't need any -shiva- software to connect and to be called back,
works smoothly, aaawh...

> 2. If so, is there a way to make a dial-up connection using a non-static
> password? My employer requires the use of a SecurID card, and therefore
> that the static passwords in the pap-secrets and chap-secrets files are
> apparently not going to work.

I have seen 2 types of secure-id cards:

1) challenge-response key, get a 4 digit challenge from the server and use
that key to generate a 6-digit response as password,
in windows you need shiva software for this.
in linux you could use "expect" but it's no fun.

2) time-generated 6-digit key usable as password, see above

> Given that Shiva is probably under contractual obligation to M$ never
> to support Linux, I am not hopeful that the answer to either of these
> questions is positive.  But if I'm wrong, it should probably be in the
> PPP-Howto.

I agree this should be in the howto.

> Thanks,
> - Steve.
> masticol scr siemens com

> Reply address spamproofed.

------------------  Posted via SearchLinux  ------------------
                  http://www.searchlinux.com
 
 
 

PPP to Shiva LanRover from Linux

Post by phe » Tue, 03 Aug 1999 04:00:00


I've read all this thread and other information from shiva, but I
cannot connect to our server (no problem with Win98 and the Security
Pack). I tried to put the code in pap-secrets, but no effect. I
always get the messages
Remote message: SecurID authentication needed
PAP authentication failed
I tried to play with the different parameters in options.ippp0 (I have
Linux 2.0.36 that comes with the Suse 6.0 distribution) and ioptions
and tried and tried a hundred of times (at least), I always get the
same messages.
Is there something else I'm missing ?
Note that the connection to my ISP works fine

pher



 
 
 

PPP to Shiva LanRover from Linux

Post by Steve Masticol » Thu, 12 Aug 1999 04:00:00


Well, after a second serious try, I was successful in opening a
PAP-authenticated PPP connection to the LanRover. I did indeed use a
Perl script as a previous poster suggested.  To save others the trouble
of writing it again, here it is.

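#!/usr/bin/perl
# shiva: write a one-time SecurID passcode to pap-secrets, then start pppd.
use strict;
use warnings;

my $username    = "<your name goes here>";
my $pap_secrets = "/etc/ppp/pap-secrets";
$ENV{"PATH"} = "";                        # no PATH lookups: this runs setuid root
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # clean environment for the shell below

# Accept only an alphanumeric passcode, so the argument cannot add lines
# or fields to pap-secrets.
my ($password) = (defined $ARGV[0] ? $ARGV[0] : "") =~ /^([A-Za-z0-9]+)$/
    or die "usage: shiva <passcode>\n";

umask 077;    # a newly created pap-secrets is readable by root only
# Note: this overwrites every existing entry in pap-secrets.
open(my $fh, ">", $pap_secrets)
    || die "shiva: Can't open $pap_secrets for output: $!\n";
print $fh "\"$username\" * \"$password\"\n";
close($fh) || die "shiva: Can't write $pap_secrets: $!\n";
system("/usr/sbin/pppd -d -detach /dev/modem 38400 user \"$username\" &");
exit 0;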

To use this:

(1) Save the above script as "shiva" somewhere on your path, owned by
root, with suid enabled. This is necessary so that it can overwrite
pap-secrets.

(2) Set the following options in /etc/ppp/options:
        noauth
        defaultroute
        noipdefault
        -chap

(3) Dial up the LanRover using minicom, and exit without reset.

(4) At a shell prompt, say:
        shiva <passcode>

http://athena.shiva.com/prod/kbase/isdnconnectivity.html was helpful in
diagnosing some problems I ran into, although it's referring to ISDN
rather than POTS.

This is admittedly a very crude hack, and is only intended to
demonstrate that it is feasible to make the connection through the Shiva
box.  Dimitri Bouras is looking at how to automate some of the login
procedure here with his excellent X-ISP application. See
http://users.hol.gr/~dbouras/ .

BTW, it turns out that pppd used to have a command line option +ua that
would have eliminated the need to overwrite pap-secrets. I gather that
this was probably removed for security reasons, but it would eliminate
the need for much more dangerous practices, such as constantly diddling
with pap-secrets.  If the pppd maintainers are reading this, I'd
strongly encourage them to put the +ua option in to support dynamically
changing passwords the right way.

HTH, and thanks,

- Steve.
masticol scr siemens com

Reply address spamproofed.
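
Added example, not part of the original post or of pppd: a shell function that replaces only one user's PAP entry, keeps the other lines of the secrets file, and swaps the new file in atomically with owner-only permissions, instead of overwriting the whole file as the script above does. The function name set_pap_secret and the sample entries used to exercise it are assumptions made for illustration.

```sh
#!/bin/sh
# set_pap_secret FILE USER PASSCODE
# Replace USER's line in a pap-secrets style FILE with a new one-time
# passcode, leaving every other line untouched.
set_pap_secret() {
    file=$1 user=$2 code=$3

    # Accept only simple tokens, so an argument cannot add lines or fields.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "set_pap_secret: bad user" >&2; return 2 ;;
    esac
    case $code in
        ''|*[!A-Za-z0-9]*) echo "set_pap_secret: bad passcode" >&2; return 2 ;;
    esac

    # mktemp creates the file with mode 0600, in the same directory as FILE
    # so that the final rename stays on one filesystem.
    tmp=$(mktemp "$file.XXXXXX") || return 1

    # Copy every existing line except this user's old entry
    # (the client name is the first field, with or without quotes).
    if [ -f "$file" ]; then
        awk -v u="$user" '{ f = $1; gsub(/"/, "", f) } f != u' "$file" >"$tmp"
    fi
    printf '"%s" * "%s"\n' "$user" "$code" >>"$tmp"

    # rename(2) is atomic: pppd sees either the old file or the new one,
    # never a half-written one.
    chmod 600 "$tmp" && mv -f "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}
```

Against the real file this would be called as root, for example set_pap_secret /etc/ppp/pap-secrets <your name> <passcode>, immediately before starting pppd.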

 
 
 

1. PPP to Shiva LanRover from Linux,2

trying to connect to a shiva lanrover from linux [redhat 5.2, 2.0.36]

I saw a discussion in comp.os.linux.networking, that diverted to
m$-shiva install problems, so I hereby start a new [2] thread.

I do not only have to connect to a shiva box, but need to get the box to
callback too.

without the callback there seems no problem with a time-generated token,
so there is a password [6 digits] to put in pap-secrets.

-i first had a challenge-response token that used a 4-digit challenge
from the shiva box from which the token generate a 6-digit response, i
could not get that to work-

using pppd 2.3.8 with cbcp [callback] gives auth errors:
with pap: "dialin disabled"
with chap: auth failed
although the username password succeed with minicom, no shell account,
no dialback ...

someone any hint, please react.

han
