Hylafax Mailing List Archives


Re: Hylafax and PPP?



> > Also, doesn't CHAP require keeping a clear-text copy of the password
> > in a file somewhere?  I'm not at all convinced that is a good idea.
> 
> So does the protocol used within Microsoft peer networking (SMB) and used
> as the preferred authentication protocol by many dialin NT systems.
> (It hashes the password at the sending end, then uses a CHAP like
> protocol; if you have compromised the password file, you can inject the
> hashed password without needing to know the corresponding clear text,
> given only the ability to bypass the user interface.)

I thought Kevin Mitnick demonstrated pretty clearly that keeping anything
secret in a readable computer file was a bad idea.

> Really, it depends on the nature of the threat that you see.  If the
> threat is one of compromise of the "server" system you probably want
> to use clear text passwords. ISPs are probably more worried about
> compromising all of their passwords at once, so probably prefer that
> option.  If you are more worried about packet sniffing, line tapping,
> or someone spoofing the "server", you should use challenge response,
> or one time systems.

Actually it is the threat you don't foresee that gets you.  But in this
case I would like to continue to allow shell logins via cleartext
passwords, so I don't see any increased threat by simultaneously
allowing PAP against the password file, but there might be one
from the additional file needed to allow CHAP.

  Les Mikesell
   les@mcs.com
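The trade-off the two messages argue over, shown as an added illustration that is not from the original thread and not HylaFAX's own code: a CHAP exchange per RFC 1994 (MD5 over identifier, secret and challenge), which forces the authenticator to hold the clear-text secret but resists sniffing and replay; PAP checked against a salted one-way hash, which lets the server keep no clear-text copy but exposes the password to anyone on the line; and a simplified challenge-response keyed by the stored password hash, standing in for the NT-style scheme the reply describes, where a copied hash is all an attacker needs. The HMAC-SHA256 construction in that third part is an assumption for illustration (the real MS-CHAP derives DES-based responses from the LM/NT hash), and every secret, salt and challenge below is constructed.

```python
import hashlib
import hmac

# --- CHAP, RFC 1994 with the MD5 algorithm ---------------------------------

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator side.  It must recompute the same MD5, so whatever it
    stores for the peer has to be the clear-text secret itself."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

# --- PAP against a one-way hashed password file ----------------------------

def make_password_entry(password: bytes, salt: bytes) -> bytes:
    """What the server keeps on disk: a salted, iterated one-way hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def pap_verify(password: bytes, salt: bytes, stored_entry: bytes) -> bool:
    """The peer sent the password itself; the server only needs the hash."""
    return hmac.compare_digest(make_password_entry(password, salt), stored_entry)

# --- Challenge-response keyed by the password hash (simplified stand-in) ---

def hash_keyed_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Both sides key the response with the HASH of the password, never the
    clear text.  Assumption: HMAC-SHA256 instead of the DES-based NT scheme."""
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()

# Constructed sample data (not from any real system).
SECRET = b"correct horse battery staple"
SALT = b"constructed-salt"
IDENT = 1
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
LATER_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

def run_exchanges() -> dict:
    """Run each scheme once and report what the authenticator decided."""
    results = {}

    # CHAP: the legitimate peer answers the challenge.
    resp = chap_response(IDENT, SECRET, CHALLENGE)
    results["chap_accepts_good_peer"] = chap_verify(IDENT, SECRET, CHALLENGE, resp)

    # CHAP: a sniffed response is useless against a fresh challenge.
    results["chap_replay_rejected"] = chap_verify(IDENT, SECRET, LATER_CHALLENGE, resp)

    # CHAP: a server that stored only a hash of the secret cannot verify at all,
    # which is why CHAP needs the extra clear-text secrets file.
    hashed_secret = hashlib.sha256(SECRET).digest()
    results["chap_with_hashed_secret"] = chap_verify(IDENT, hashed_secret, CHALLENGE, resp)

    # PAP: the server file holds only a one-way hash, yet still verifies.
    entry = make_password_entry(SECRET, SALT)
    results["pap_accepts_good_password"] = pap_verify(SECRET, SALT, entry)
    results["pap_rejects_bad_password"] = pap_verify(b"wrong", SALT, entry)

    # Hash-keyed scheme: an attacker who copied the server's hash file can
    # answer the challenge without ever learning the clear-text password.
    server_copy = hashlib.sha256(SECRET).digest()   # what the server stores
    stolen_hash = bytes(server_copy)                # what the attacker copied
    attacker_resp = hash_keyed_response(stolen_hash, CHALLENGE)
    results["pass_the_hash_accepted"] = hmac.compare_digest(
        hash_keyed_response(server_copy, CHALLENGE), attacker_resp)

    return results

if __name__ == "__main__":
    for name, ok in run_exchanges().items():
        print(f"{name:28s} {ok}")
```

Read the results together: CHAP rejects replay but cannot work from a hashed file; PAP works from a hashed file but hands the password to anyone tapping the line; the hash-keyed scheme keeps the clear text off the server yet turns the hash itself into a password-equivalent. Which of the three is "safer" is exactly the question of which threat you expect.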




HylaFAX is a trademark of Silicon Graphics Corporation.
Internet connectivity for hylafax.org is provided by:
VirtuALL Private Host Services