PAP, CHAP or PPP ?


Post by Wael Sedk » Sun, 06 Dec 1998 04:00:00



For 2 weeks I thought that my provider was using PAP or CHAP, because
whenever I tried to login manually using minicom, the system gave me an
authentication failure.

Today when I called them, their tech support said that he is sure it is PPP.
Is there a way to know for sure?

 
 
 


Post by Graham K. Glove » Sun, 06 Dec 1998 04:00:00



> For 2 weeks I thought that my provider was using PAP or CHAP, because
> whenever I tried to login manually using minicom, the system gave me an
> authentication failure.

> Today when I called them, their tech support said that he is sure it is PPP.
> Is there a way to know for sure?

Well, you certainly won't know from calling tech support.  Newbie or
otherwise, you already know more than they do.

Obviously you are connecting thru Windows.  There is a feature buried
within the ppp setup that will allow you to log ppp transactions.  This
is *not* the modem log; that's another within Windows.  If you activate
it and then connect to your ISP, it should record the authentication
protocol, among other things.  Here's a short section of an old log of
mine:

12-03-1996 18:41:56.49 - PAP : Layer started.
12-03-1996 18:41:56.79 - PAP : Login was successful.
12-03-1996 18:41:56.79 - PAP : Layer up.

My guess would be your ISP uses PAP.  Set up for PAP and try it; you've
nothing to lose but a bit of time, and my guess is that you'll get into
your ISP.

Good luck!

--
Graham

I can't be a *; they use Windows.
http://www.veryComputer.com/

 
 
 


Post by Blaine Lupulac » Sun, 06 Dec 1998 04:00:00



> For 2 weeks I thought that my provider was using PAP or CHAP, because
> whenever I tried to login manually using minicom, the system gave me an
> authentication failure.

> Today when I called them, their tech support said that he is sure it is PPP.
> Is there a way to know for sure?

Huh?

The "Tech Support" guy doesn't appear to know what he's talking about.

PPP is just point-to-point protocol, for setting up communication over a serial
connection. It's a more advanced method than SLIP ( Serial Line Interface
Protocol )

For authentication, you have PAP ( password authentication protocol ) or CHAP (
common handshaking protocol ).

As CHAP is *very* weak security wise, nobody uses it anymore. PAP is almost
certainly what's being used.

Blaine

 
 
 


Post by j.. » Mon, 07 Dec 1998 04:00:00


Wael Sedky writes:
> For 2 weeks I thought that my provider was using PAP or CHAP, because
> whenever I tried to login manually using minicom, the system gave me an
> authentication failure.

ISP's using PAP or CHAP usually start sending PPP packets as soon as the
connection is made.  In minicom these will appear as 'garbage', usually
with lots of curly brackets in it.

> Today when I called them, their tech support said that he is sure it is
> PPP.  Is there a way to know for sure?

I'd say that you now know for sure that their tech support is useless.  PPP
is the protocol that all ISP's use.  PAP and CHAP are PPP authentication
protocols.

Just try setting your system up for PAP and see if it works.
--
John Hasler

Dancing Horse Hill
Elmwood, WI
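
The "garbage" with curly brackets is PPP's async framing: `~` (0x7E) delimits frames and `}` (0x7D) escapes control bytes. The following is an added example, not part of the original posts: it decodes a raw capture of that garbage and reads the Authentication-Protocol option from the peer's LCP Configure-Request, which states whether PAP or CHAP is being asked for. The function names and both sample frames are constructed for illustration.

```python
import re
import struct

CHAP_ALGS = {0x05: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAP-v2"}

def fcs16(data):
    # RFC 1662 frame check sequence: reflected CRC-16, polynomial 0x8408
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF

def unescape(chunk):
    # 0x7D ('}') escapes the next byte, which was sent XORed with 0x20
    return re.sub(rb"\x7d(.)", lambda m: bytes([m.group(1)[0] ^ 0x20]), chunk, flags=re.DOTALL)

def offered_auth(stream):
    """List the auth protocols requested in LCP Configure-Requests in a raw capture."""
    found = []
    for chunk in stream.split(b"\x7e"):            # 0x7E ('~') delimits frames
        f = unescape(chunk)
        if len(f) < 10 or fcs16(f[:-2]) != struct.unpack("<H", f[-2:])[0]:
            continue                               # line noise, text, or damaged frame
        if f[:5] != b"\xff\x03\xc0\x21\x01":       # addr, ctrl, LCP, code 1 = Configure-Request
            continue
        opts = f[8:4 + struct.unpack(">H", f[6:8])[0]]
        while len(opts) >= 2 and opts[1] >= 2:
            typ, data = opts[0], opts[2:opts[1]]
            if typ == 3 and len(data) >= 2:        # option 3 = Authentication-Protocol
                name = {b"\xc0\x23": "PAP", b"\xc2\x23": "CHAP"}.get(data[:2], data[:2].hex())
                if name == "CHAP" and len(data) >= 3:
                    name += "/" + CHAP_ALGS.get(data[2], hex(data[2]))
                found.append(name)
            opts = opts[opts[1]:]
    return found

def build(payload):
    """Frame a PPP payload the way an async peer sends it (used for the constructed samples)."""
    body = b"\xff\x03" + payload
    body += struct.pack("<H", fcs16(body))
    return b"\x7e" + b"".join(
        bytes([0x7D, b ^ 0x20]) if b < 0x20 or b in (0x7D, 0x7E) else bytes([b]) for b in body
    ) + b"\x7e"

# Constructed Configure-Requests: MRU 1500 plus an Authentication-Protocol option
SAMPLE_PAP = build(bytes.fromhex("c0210101000c010405dc0304c023"))
SAMPLE_CHAP = build(bytes.fromhex("c0210102000d010405dc0305c22305"))
```

Each sample begins with the bytes `~\xff}#\xc0!}!`, which is the curly-bracket pattern a terminal program shows when the far end starts PPP.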

 
 
 


Post by Todd Knar » Mon, 07 Dec 1998 04:00:00



> As CHAP is *very* weak security wise, nobody uses it anymore. PAP is almost
> certainly what's being used.

Huh? Check me if I'm wrong, but PAP ( standard PAP, not the MSCHAP80
mutation of it ) passes passwords in the clear and only allows the
server to authenticate the client. CHAP encrypts the passwords and
allows the client to also authenticate the server. It seems to me like
CHAP is _more_ secure than PAP, but harder to set up ( and less common
in Windows PPP implementations, which is probably why most ISPs still
use PAP ).

--
We won, didn't we? Cope!
                                -- Mimi, Reality Check #8

 
 
 


Post by Wael Sedk » Mon, 07 Dec 1998 04:00:00


Thank you for replying. Can you tell me where I can find this log file.
Maybe I should note that I have "Client for Microsoft Networks" installed
and when I remove that from my windows dialup networking, I have to enter
the password by hand (unless I setup windows for multiple users). Does that
mean anything?


>My guess would be your ISP uses PAP.  Set up for PAP and try it; you've
>nothing to lose but a bit of time, and my guess is that you'll get into
>your ISP.

http://www.geocities.com/BourbonStreet/5174
 
 
 


Post by Roge » Mon, 07 Dec 1998 04:00:00


On Sat, 05 Dec 1998 19:17:18 -0800, Blaine Lupulack


>For authentication, you have PAP ( password authentication protocol ) or CHAP (
>common handshaking protocol ).

CHAP = Challenge Handshake Authentication Protocol (see RFC1994)

>As CHAP is *very* weak security wise, nobody uses it anymore.

If an MD5 hash of a unique string sent by the server plus your
password is "*very* weak" then what is sending your password in
plain text (which is what PAP does)?

Because you don't know any ISP using CHAP doesn't mean that it
isn't being used. (I can name one. But only one!)

>PAP is almost
>certainly what's being used.

By all means try PAP first.
--
Roger
 
 
 


Post by brian moo » Mon, 07 Dec 1998 04:00:00


On 6 Dec 1998 05:36:53 GMT,


> > As CHAP is *very* weak security wise, nobody uses it anymore. PAP is almost
> > certainly what's being used.

> Huh? Check me if I'm wrong, but PAP ( standard PAP, not the MSCHAP80
> mutation of it ) passes passwords in the clear and only allows the
> server to authenticate the client. CHAP encrypts the passwords and
> allows the client to also authenticate the server. It seems to me like
> CHAP is _more_ secure than PAP, but harder to set up ( and less common
> in Windows PPP implementations, which is probably why most ISPs still
> use PAP ).

Depends.

PAP allows for the Unix method of hashes in the password file.  CHAP
doesn't: the server needs to be able to access the real password.

If your phone line is tapped, use CHAP.  If there's a possibility of
compromise of the authentication server, use PAP.

--
Brian Moore                       | "The Zen nature of a spammer resembles
      Sysadmin, C/Perl Hacker     |  a*roach, except that the*roach
      Usenet Vandal               |  is higher up on the evolutionary chain."
      Netscum, Bane of Elves.                 Peter Olson, Delphi Postmaster

 
 
 


Post by Graham K. Glove » Mon, 07 Dec 1998 04:00:00



> Thank you for replying. Can you tell me where I can find this log file.
> Maybe I should note that I have "Client for Microsoft Networks" installed
> and when I remove that from my windows dialup networking, I have to enter
> the password by hand (unless I setup windows for multiple users). Does that
> mean anything?

Nah, it shouldn't.

Here's where you can set up your system to record the log file.

Using the Win95 rats maze, go Start> Settings> Control Panel.  Open
Network, select "Dial-up adapter", hit the Properties button, go to the
Advanced tab, and select "Record a log file".  Change the entry to Yes.
NOTE that you must eventually change this to No.  If you do not, the log
file will continue to grow with each connection.

The file created by this is ppplog.txt.  Though I think it is located in
the Windows directory, you'll have to look.

--
Graham

I can't be a *; they use Windows.
http://www.veryComputer.com/

 
 
 


Post by Simon Kinaha » Fri, 11 Dec 1998 04:00:00



> Huh? The PAP protocol doesn't specify a thing about how the password
> is stored on the system. My pppd allows for encrypted passwords in the
> pap-secrets file, and for fallback to the system password database, but
> those are not part of PAP itself ( and I know of PPP implementations that
> don't allow them ).

No, but the *protocol* allows for encrypted (or preferably one-way-hashed)
passwords on the server. CHAP does not, because the passwords have already
been hashed, you need the plain text on the server to verify their
correctness, or the hash result would in effect become the password.

> Even when the PAP secrets are encrypted, if the authentication server is
> compromised the attacker has everything he needs. Remember that he doesn't
> need the cleartext of the secret to authenticate, only the encrypted form
> and a slightly-hacked pppd. That's a generic problem with shared-secret
> systems.

You would need to hack the pppd on the server to overcome PAP using only
the hashed version of the password, because it uses the plaintext password,
to get past it from the client, you need the plaintext password.

For CHAP, because it is challenge-authenticate, you need to use the correct
salt, so grabbing the secrets exchanged on a particular occasion does not
work.

As for which is best, I think CHAP is a slightly superior protocol, since
it does not transmit in plaintext, but then the chances of a server
security breach are probably rather greater than those on a bugged serial
connection (which required either a telephone line bug, or a very serious
(ie physical or kernel level) breach of server security).

Simon
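
The trade-off argued over in the posts above (a PAP server can keep only hashes while CHAP needs the real secret on the server, and a captured CHAP response is tied to one challenge) can be run directly. This is an added example, not code from any poster or from pppd: the CHAP response follows RFC 1994, PBKDF2 stands in for the Unix password hash as an assumption, and all names and values are constructed.

```python
import hashlib
import hmac
import os

def chap_response(ident, secret, challenge):
    # RFC 1994 response value: MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident, server_secret, challenge, response):
    # The server recomputes the hash, so it must hold the same secret the client typed
    return hmac.compare_digest(chap_response(ident, server_secret, challenge), response)

def pap_store(password, salt):
    # Assumption: PBKDF2 stands in for the Unix crypt() hash in the password file
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def pap_verify(stored_hash, salt, sent_password):
    # PAP delivers the cleartext password, so the server can hash it and compare
    return hmac.compare_digest(pap_store(sent_password, salt), stored_hash)

def demo():
    password, salt = b"constructed-password", b"constructed-salt"
    hashed_db = pap_store(password, salt)          # what a PAP server can keep on disk
    c1, c2 = os.urandom(16), os.urandom(16)        # two independent CHAP challenges
    r1 = chap_response(1, password, c1)            # what a wiretap sees on the first call
    return {
        "pap_login": pap_verify(hashed_db, salt, password),
        "pap_stolen_hash_as_password": pap_verify(hashed_db, salt, hashed_db),
        "chap_login": chap_verify(1, password, c1, r1),
        "chap_replayed_response": chap_verify(2, password, c2, r1),
        "chap_server_keeps_only_hash": chap_verify(1, hashed_db, c1, r1),
        "chap_hash_used_as_secret": chap_verify(1, hashed_db, c1, chap_response(1, hashed_db, c1)),
    }
```

The last entry is the case where both ends agree to use the stored hash as the CHAP secret: verification succeeds, which is the sense in which the hash then becomes the password.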

 
 
 


Post by Peter Flyn » Wed, 16 Dec 1998 04:00:00


Wael Sedky writes:
> For 2 weeks I thought that my provider was using PAP or CHAP, because
> whenever I tried to login manually using minicom, the system gave me an
> authentication failure.

If you were able to get a login prompt then your ISP is using neither PAP nor
CHAP but regular shell login instead. This is very common: you login
as for a terminal job, but the system then either (a) starts running PPP
immediately (pppd is the login shell) or (b) you get prompted for what
you want (shell session, ppp, slip, something else). In this latter case
you need a script.

Note that netcfg is fatally broken in the case of shell logins which
need poking with a newline or CRLF. It will handle "expected" strings
from the ISP, but cannot handle the case where the client needs to
transmit a newline or CRLF _first_, in order to trigger the server
into starting the login sequence. In this case you must use a script
(and BTW I'm still trying to find out how you tell a script to send
this initial newline or CRLF).

> > Today when I called them, their tech support said that he is sure it is
> > PPP.  Is there a way to know for sure?

I'm sure he's sure it's PPP. If he doesn't know what PAP and CHAP are, he
shouldn't be in tech support for an ISP.

///Peter

 
 
 


Post by j.. » Wed, 16 Dec 1998 04:00:00


Peter writes:
> I'm still trying to find out how you tell a script to send this initial
> newline or CRLF

From the chat man page:

       ''     Expects  or sends a null string. If you send a null
              string then it will still send the  return  charac-
              ter. This sequence may either be a pair of apostro-
              phe or quote characters.

--
John Hasler                This posting is in the public domain.

Dancing Horse Hill         Make money from it if you can; I don't mind.
Elmwood, Wisconsin         Do not send email adverti*ts to this address.

 
 
 
