June 26, 2006
A look at the user authentication part of pptpd VPN: pppd auth
Copyright notice: this article may be reproduced freely; when reproducing it, be sure to indicate the original source, the author information and this notice with a hyperlink.
https://windtear.net/archives/2006/06/26/001013.html
http://windtear.net/archives/2006/06/26/001013.html

First, the PPTP VPN authentication protocols:

PAP: unencrypted password
CHAP: Challenge Handshake Authentication Protocol
MS-CHAP: Microsoft CHAP
MS-CHAP v2: Microsoft CHAP version 2

On Linux, pptpd calls pppd to perform the authentication; the code is in pppd/auth.c.

With PAP authentication, the system password can be used:

    # more /etc/ppp/pap-secrets
    # Secrets for authentication using PAP
    # client        server  secret          IP addresses
    windtear        *       @login          *

    /*
     * check_passwd - Check the user name and passwd against the PAP secrets
     * file.  If requested, also check against the system password database,
     * and login the user if OK.
     *
     * returns:
     *      UPAP_AUTHNAK: Authentication failed.
     *      UPAP_AUTHACK: Authentication succeeded.
     * In either case, msg points to an appropriate message.
     */
    int check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)

    int login_secret = strcmp(secret, "@login") == 0;

    if (uselogin || login_secret) {
        /* login option or secret is @login */
        ret = plogin(user, passwd, msg);
    }

    /*
     * plogin - Check the user name and password against the system
     * password database, and login the user if OK.
     *
     * returns:
     *      UPAP_AUTHNAK: Login failed.
     *      UPAP_AUTHACK: Login succeeded.
     * In either case, msg points to an appropriate message.
     */
    static int plogin(user, passwd, msg)

This code supports PAM, so using RSA or similar authentication is also convenient.

If you want MS-CHAP v2 authentication to use the system password as well, the only option is a major rewrite.

I say a major rewrite because, as mentioned above, the authentication protocol is fixed. MS-CHAP v2 uses a one-way hash, and the system password is also stored as a one-way hash. So the place to make the change is the system password side: have the system password hash use the MS-CHAP v2 hash algorithm.

    /*
     * have_chap_secret - check whether we have a CHAP file with a
     * secret that we could possibly use for authenticating `client'
     * on `server'.  Either can be the null string, meaning we don't
     * know the identity yet.
     */
    static int have_chap_secret(client, server, need_ip, lacks_ipp)

    /*
     * get_secret - open the CHAP secret file and return the secret
     * for authenticating the given client on the given server.
     * (We could be either client or server).
     */
    int get_secret(unit, client, server, secret, secret_len, am_server)
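The `@login` dispatch quoted from check_passwd above, as an added sketch that is not pppd's own code: it looks up a client/server pair in pap-secrets text and reports whether the password would be checked against the file secret or handed to the system login path. The names `pap_auth_path`, `field_matches` and `SAMPLE_SECRETS`, and the `alice` entry, are constructed for illustration; the lookup is simplified to the first matching line with no quoting support.

```c
#include <stdio.h>
#include <string.h>

enum auth_path { NO_MATCH, FILE_SECRET, SYSTEM_LOGIN };

/* Constructed sample in the pap-secrets layout: client server secret IP-addresses */
static const char *SAMPLE_SECRETS =
    "# Secrets for authentication using PAP\n"
    "# client server secret IP addresses\n"
    "windtear * @login *\n"
    "alice pptpd s3cret 10.0.0.5\n";

/* "*" in the file matches any client or server name. */
static int field_matches(const char *pattern, const char *value) {
    return strcmp(pattern, "*") == 0 || strcmp(pattern, value) == 0;
}

/* Return which check applies to client on server. uselogin models the
 * "login option" named in the quoted excerpt (assumption: first match wins). */
enum auth_path pap_auth_path(const char *secrets, const char *client,
                             const char *server, int uselogin)
{
    char line[256], c[64], s[64], secret[64];
    const char *p = secrets;
    while (*p) {
        size_t n = strcspn(p, "\n");
        size_t len = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += n + (p[n] == '\n');                 /* step past this line */
        if (line[strspn(line, " \t")] == '#') continue;   /* comment line */
        if (sscanf(line, "%63s %63s %63s", c, s, secret) != 3) continue;
        if (!field_matches(c, client) || !field_matches(s, server)) continue;
        int login_secret = strcmp(secret, "@login") == 0;
        /* Same condition as the excerpt: login option or secret is @login */
        return (uselogin || login_secret) ? SYSTEM_LOGIN : FILE_SECRET;
    }
    return NO_MATCH;
}

int main(void) {
    static const char *names[] = { "no match", "file secret", "system login" };
    printf("windtear: %s\n", names[pap_auth_path(SAMPLE_SECRETS, "windtear", "pptpd", 0)]);
    printf("alice:    %s\n", names[pap_auth_path(SAMPLE_SECRETS, "alice", "pptpd", 0)]);
    return 0;
}
```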
Posted by windtear at June 26, 2006 11:58 PM