RE: RE: Amazing but true (funny)

From: p729@cox.net
Date: Fri Feb 28 2003 - 04:17:05 GMT-3


LOL. Sounds like an ESL problem. The security hole is using PAP.

Regards,

Mas Kato
https://ecardfile.com/id/mkato

============================================================
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
Date: 2003/02/27 Thu PM 08:04:19 EST
To: "'OhioHondo'" <ohiohondo@columbus.rr.com>
CC: <ccielab@groupstudy.com>
Subject: RE: RE: Amazing but true (funny)

Ok, yes I was using ppp pap sent-username last year in my configs. I
didn't remember doing so.

Here's what I just did, tried chap with transposed passwords. Worked.

Changed to pap. Left password alone. No go.

Then untransposed passwords. No go.

(Very surprised, the router doesn't use its host name, otherwise this
would work. PPP pap sent-username must be required for pap. I just
learned something.)

Then used ppp pap sent-username, set it to host name of router. It
worked.

So, I stand corrected. I wasn't telling the whole story, in fact I was
doing things correctly I didn't know I was doing.

Furthermore, I just got the funniest warning message I have ever seen
from Cisco!

R2(config-if)#ppp pap sent-username R2 password pass2
PPP: Warning: You have chosen a username/password combination that
               is valid for CHAP. This is a potential security hole.
R2(config-if)#

My coworkers think I'm nuts, because I'm sitting here at my desk
laughing every time I read it.

-----Original Message-----
From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
Sent: Thursday, February 27, 2003 6:28 PM
To: Michael Snyder; 'OhioHondo'
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

Mike

I also tried to lab out PAP. I have not been able to get PAP to work on
my IOS unless I use the PAP "sent username" command. I know from reading
some old documentation (11.x) that PAP also uses the hostname, I'm not
sure where it finds a password to send. I tried your config and it did
not work!!!

All I can think of is that PAP needs to use the "ppp pap sent-username"
command under the interface on my IOS. I was using a serial link if that
makes a difference.

FYI ----

-----Original Message-----
From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
Sent: Thursday, February 27, 2003 7:10 PM
To: 'OhioHondo'
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

I assumed that both usernames were not being used at the same time.

I never dived into it enough to figure out which ones were not needed.

You have to admit that it's a quick way to do it.

Two users, two passwords, keep them straight for pap.

Two users, two passwords, transverse them for chap.

Thanks for labbing it out. :) One more mystery solved.

-----Original Message-----
From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
Sent: Thursday, February 27, 2003 5:57 PM
To: Michael Snyder; p729@cox.net
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

I labbed this up and I came out with the following:

When a router sends the initial challenge of the 3-way handshake out it
uses its own hostname and the password of the remote router which is
found in the username config statement. So from your config, router A
sends out 'A with a hash based on a password of 2'.

The return response does the same thing. The name sent is B and it
creates the hash from the password of the remote router's username entry
in router B's config. So this is 'B with a hash based on a password of
2'.

They are using the same "secret" password.

Username A on router A and Username B on router B are not used in the
process. They are not needed.

The PAP authentication is one-way, something like a simple logon into
the router with the remote device providing a username and password.
There must be extra, unneeded statements in the PAP configuration also.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Michael Snyder
Sent: Thursday, February 27, 2003 1:39 PM
To: p729@cox.net
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

>In order to derive the same hash, the passwords MUST be the SAME for a
>given username. Don't be fooled by claims of being able to use
>different passwords on each end with CHAP

Are you sure we're talking about the same thing? My posted template
works, feel free to try both my chap and pap templates.

How do you reconcile your statement with my working config?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass2
Username B password 0 pass1

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
p729@cox.net
Sent: Thursday, February 27, 2003 10:44 AM
To: Michael Snyder; 'ccie2be'
Cc: ccielab@groupstudy.com
Subject: Re: RE: Amazing but true

Michael,

With PAP, the password is sent across the wire in plain-text,
effectively: "here is my username and password, authenticate me." The
authenticator simply does a lookup. What's important is the PAP
sent-username and password and the username and password on the
authenticator match. The username and password on the authenticatee
(side requesting to be authenticated) is superfluous.

With CHAP, the password itself is never actually sent over the wire,
only a hashed version of it. All the authenticator knows is "who am I
authenticating?" Somehow, the authenticator must derive the same hash
that the authenticatee sent so the results of a comparison will be a
match. In order to derive the same hash, the passwords MUST be the SAME
for a given username. Don't be fooled by claims of being able to use
different passwords on each end with CHAP. In reality, different
USERNAMES and passwords are being used--it's the only way it can work.

Regards,

Mas Kato
https://ecardfile.com/mkato

============================================================
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
Date: 2003/02/26 Wed PM 08:24:45 EST
To: "'ccie2be'" <ccie2be@nyc.rr.com>
CC: <ccielab@groupstudy.com>
Subject: RE: Amazing but true

I've come to the conclusion that the number of responses you get from
groupstudy plotted out looks like a bell curve.

The closer you are getting to passing the lab, the number of responses
decreases.

Here's a good example, I asked this last year and never got a response.

Why with PAP do the user passwords stay the same on both isdn routers?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass1
Username B password 0 pass2

And with CHAP, you transpose the passwords on one of the routers?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass2
Username B password 0 pass1

I understand the CHAP and PAP processes, I have watched the debugs many
times.

Still why would cisco program the isdn functionality that you have to
change the user password arrangement depending on chap vs pap?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Wednesday, February 26, 2003 1:50 PM
To: Group Study
Subject: Amazing but true

Hi everyone,

Over the past few weeks, several times I've posted a question regarding
the two types of care-of-addresses used with Mobile IP. My question
concerned what determines which type of address is used and whether the
type used is something that's configured on the router or determined by
some other means - perhaps the software installed on the mobile client.

What surprises me though is that there hasn't been one single response!
I don't understand how that could be. I've searched thru both the Group
Study archives and Cisco's documentation and found nothing addressing
this question. I also know that mobile IP is fair game for the lab, so
I'm amazed that this question continues to go unanswered.

And, though I can't understand why that is I've come up with 2 theories:

a) nobody knows
b) nobody cares

I can't imagine that nobody on groupstudy knows this - this is probably
the most knowledgeable group of networking professionals in the world -
so let's nix that idea.

Could it be that nobody cares? That's also hard to imagine. Every day,
questions seemingly far more esoteric are posted and responded to.
Besides, there must be at least a few people who might need to implement
Mobile IP in the near future and they would certainly need to know about
this. And, even if nobody at the moment needed to know about this for
work, most people on group study seemed to be very intellectually
curious. So, let's nix this theory as well.

Well, I hope this sparks some discussion, and maybe, in the process,
generates the answer to the original question.

What do you think?

Jim
============================================================
============================================================
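
Added example (not part of the original thread and not any poster's code): a small Python model of the two username templates discussed above, showing why CHAP succeeds only with the transposed passwords and why PAP puts the password on the wire while CHAP does not. It assumes MD5 CHAP as in RFC 1994, the lookup rule labbed out in the thread (each router uses the entry for the remote router's name), and no interface-level overrides; the function names are illustrative.

```python
import hashlib
import hmac
import os

# Username databases copied from the thread's templates (username -> password).
TRANSPOSED = {"A": {"A": "pass1", "B": "pass2"},   # CHAP template
              "B": {"A": "pass2", "B": "pass1"}}
IDENTICAL = {"A": {"A": "pass1", "B": "pass2"},    # PAP template
             "B": {"A": "pass1", "B": "pass2"}}

def chap_hash(ident, secret, challenge):
    """RFC 1994 MD5 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_one_way(dbs, authenticator, peer):
    """Authenticator challenges peer; returns (success, peer's response data).

    Assumption: each router sends its own hostname and takes the secret from
    its username entry for the *remote* router, as described in the thread.
    """
    ident, challenge = 1, os.urandom(16)
    # Peer hashes with the password stored under the challenger's name.
    response = chap_hash(ident, dbs[peer][authenticator], challenge)
    # Authenticator recomputes with the password stored under the peer's name.
    expected = chap_hash(ident, dbs[authenticator][peer], challenge)
    wire = bytes([len(response)]) + response + peer.encode()
    return hmac.compare_digest(response, expected), wire

def chap_two_way(dbs):
    """Both routers authenticate each other, as on the ISDN link discussed."""
    return chap_one_way(dbs, "A", "B")[0] and chap_one_way(dbs, "B", "A")[0]

def pap_one_way(dbs, authenticator, sent_username, sent_password):
    """PAP: peer sends username and password as-is; authenticator does a lookup."""
    user, pwd = sent_username.encode(), sent_password.encode()
    wire = bytes([len(user)]) + user + bytes([len(pwd)]) + pwd
    stored = dbs[authenticator].get(sent_username)
    return stored is not None and hmac.compare_digest(stored.encode(), pwd), wire

if __name__ == "__main__":
    print("CHAP, transposed passwords:", chap_two_way(TRANSPOSED))
    print("CHAP, identical passwords: ", chap_two_way(IDENTICAL))
    ok, wire = pap_one_way(IDENTICAL, "A", "B", "pass2")
    print("PAP  B->A:", ok, "| password on the wire:", b"pass2" in wire)
    ok, wire = chap_one_way(TRANSPOSED, "A", "B")
    print("CHAP B->A:", ok, "| password on the wire:", b"pass2" in wire)
```

In the transposed template both directions use pass2, so the "Username A" entry on router A and the "Username B" entry on router B are never consulted.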



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:39 GMT-3