From: folivore (folivore@hotmail.com)
Date: Fri Feb 28 2003 - 19:55:55 GMT-3
Server storage and wire transfer are totally different issues. You can use
both CHAP and PAP with a RADIUS/TACACS server, and you can store the password
encrypted in the server's database, BUT that has nothing to do with either
the CHAP or the PAP protocol.
Besides, what OhioHondo thinks of CHAP is not correct either. The first
challenge message itself has nothing to do with any password. It's the
challenged party who uses a password to generate a hash value and sends it
back as a response.
----- Original Message -----
From: "Joseph Ezerski" <jezerski@broadcom.com>
To: <p729@cox.net>; "'Michael Snyder'" <msnyder@revolutioncomputer.com>;
"'OhioHondo'" <ohiohondo@columbus.rr.com>
Cc: <ccielab@groupstudy.com>
Sent: Friday, February 28, 2003 1:13 PM
Subject: RE: RE: Amazing but true (funny)
> In the spirit of offering a different perspective, I might disagree with
> the thinking that PAP is insecure when thought of in terms of strict dial-up
> networking. My reasons? Consider that PAP encrypts the user password in
> the server's database while CHAP only encrypts the sending of that info
> across the wire. Now, sticking with a pure dial-up scenario, let me ask
> you this question. What would you consider would be easier to hack? A single
> phone line using analog signals, or a server with a clear text database
> connected to a public network? I propose the latter. Tapping a phone line
> and intercepting and decoding the analog signals without destroying the
> connection seems a rather complex affair. Also, if the line is
> successfully tapped, a single password is compromised. If the server itself
> is hacked, ALL passwords can be had in clear text.
>
> Just some alternative thinking... I think sometimes we take what the
> books say as gospel. Remember when everyone used ISL for trunks over 802.1q
> because the Cisco books always hyped ISL? Hey! I was guilty of that too!
>
> -Joe
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> p729@cox.net
> Sent: Thursday, February 27, 2003 11:17 PM
> To: Michael Snyder; 'OhioHondo'
> Cc: ccielab@groupstudy.com
> Subject: RE: RE: Amazing but true (funny)
>
>
> LOL. Sounds like an ESL problem. The security hole is using PAP.
>
> Regards,
>
> Mas Kato
> https://ecardfile.com/id/mkato
>
> ============================================================
> From: "Michael Snyder" <msnyder@revolutioncomputer.com>
> Date: 2003/02/27 Thu PM 08:04:19 EST
> To: "'OhioHondo'" <ohiohondo@columbus.rr.com>
> CC: <ccielab@groupstudy.com>
> Subject: RE: RE: Amazing but true (funny)
>
> Ok, yes I was using ppp pap sent-username last year in my configs. I
> didn't remember doing so.
>
> Here's what I just did: tried chap with transposed passwords. Worked.
>
> Changed to pap. Left password alone. No go.
>
> Then untransposed passwords. No go.
>
> (very surprised, the router doesn't use its host name, otherwise this
> would work. PPP pap sent-username must be required for pap. I just learned
> something.)
>
> Then used ppp pap sent-username, set it to host name of router. It
> worked.
>
> So, I stand corrected. I wasn't telling the whole story, in fact I was
> doing things correctly I didn't know I was doing.
>
> Furthermore, I just got the funniest warning message I have ever seen from
> Cisco!
>
> R2(config-if)#ppp pap sent-username R2 password pass2
> PPP: Warning: You have chosen a username/password combination that
> is valid for CHAP. This is a potential security hole.
> R2(config-if)#
>
> My coworkers think I'm nuts, because I'm sitting here at my desk laughing
> every time I read it.
>
>
>
>
> -----Original Message-----
> From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
> Sent: Thursday, February 27, 2003 6:28 PM
> To: Michael Snyder; 'OhioHondo'
> Cc: ccielab@groupstudy.com
> Subject: RE: RE: Amazing but true
>
> Mike
>
> I also tried to lab out PAP. I have not been able to get PAP to work on my
> IOS unless I use the PAP "sent username" command. I know from reading some
> old documentation (11.x) that PAP also uses the hostname, I'm not sure
> where it finds a password to send. I tried your config and it did not work!!!
>
> All I can think of is that PAP needs to use the "ppp pap sent-username"
> command under the interface on my IOS. I was using a serial link if that
> makes a difference.
>
> FYI ----
>
>
> -----Original Message-----
> From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
> Sent: Thursday, February 27, 2003 7:10 PM
> To: 'OhioHondo'
> Cc: ccielab@groupstudy.com
> Subject: RE: RE: Amazing but true
>
>
> I assumed that both usernames were not being used at the same time.
>
> I never dived into it enough to figure out which ones were not needed.
>
> You have to admit that it's a quick way to do it.
>
> Two users, two passwords, keep them straight for pap.
>
> Two users, two passwords, transpose them for chap.
>
> Thanks for labbing it out. :) One more mystery solved.
>
>
> -----Original Message-----
> From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
> Sent: Thursday, February 27, 2003 5:57 PM
> To: Michael Snyder; p729@cox.net
> Cc: ccielab@groupstudy.com
> Subject: RE: RE: Amazing but true
>
> I labbed this up and I came out with the following:
>
> When a router sends the initial challenge of the 3 way handshake out it
> uses its own hostname and the password of the remote router which is found in
> the username config statement. So from your config, router A sends out 'A
> with a hash based on a password of 2'.
>
> The return response does the same thing. The name sent is B and it creates
> the hash from the password of the remote routers username entry in router
> B's config. So this is 'B with a hash based on a password of 2'.
>
> They are using the same "secret" password.
>
> Username A on router A and Username B on router B are not used in the
> process. They are not needed.
>
>
> The PAP authentication is one-way, something like a simple logon into the
> router with the remote device providing a username and password. There
> must be extra, unneeded statements in the PAP configuration also.
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Michael Snyder
> Sent: Thursday, February 27, 2003 1:39 PM
> To: p729@cox.net
> Cc: ccielab@groupstudy.com
> Subject: RE: RE: Amazing but true
>
>
> >In order to derive the same hash, the passwords MUST be the SAME for a
> >given username. Don't be fooled by claims of being able to use
> >different passwords on each end with CHAP
>
>
> Are you sure we're talking about the same thing? My posted template works,
> feel free to try both my chap and pap templates.
>
> How do you reconcile your statement with my working config?
>
>
>
> Router A
>
> Username A password 0 pass1
> Username B password 0 pass2
>
> Router B
>
> Username A password 0 pass2
> Username B password 0 pass1
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> p729@cox.net
> Sent: Thursday, February 27, 2003 10:44 AM
> To: Michael Snyder; 'ccie2be'
> Cc: ccielab@groupstudy.com
> Subject: Re: RE: Amazing but true
>
> Michael,
>
> With PAP, the password is sent across the wire in plain-text,
> effectively: "here is my username and password, authenticate me." The
> authenticator simply does a lookup. What's important is that the PAP
> sent-username and password and the username and password on the
> authenticator match. The username and password on the authenticatee (the side
> requesting to be authenticated) is superfluous.
>
> With CHAP, the password itself is never actually sent over the wire, only
> a hashed version of it. All the authenticator knows is "who am I
> authenticating?" Somehow, the authenticator must derive the same hash that
> the authenticatee sent so the results of a comparison will be a match. In
> order to derive the same hash, the passwords MUST be the SAME for a given
> username. Don't be fooled by claims of being able to use different
> passwords on each end with CHAP. In reality, different USERNAMES and
> passwords are being used--it's the only way it can work.
>
> Regards,
>
> Mas Kato
> https://ecardfile.com/mkato
>
> ============================================================
> From: "Michael Snyder" <msnyder@revolutioncomputer.com>
> Date: 2003/02/26 Wed PM 08:24:45 EST
> To: "'ccie2be'" <ccie2be@nyc.rr.com>
> CC: <ccielab@groupstudy.com>
> Subject: RE: Amazing but true
>
> I've come to the conclusion that the number of responses you get from
> groupstudy plotted out looks like a bell curve.
>
> The closer you are getting to passing the lab, the number of responses
> decreases.
>
> Here's a good example, I asked this last year and never got a response.
>
> Why with PAP do the user passwords stay the same on both isdn routers?
>
> Router A
>
> Username A password 0 pass1
> Username B password 0 pass2
>
> Router B
>
> Username A password 0 pass1
> Username B password 0 pass2
>
> And with CHAP, you transpose the passwords on one of the routers?
>
> Router A
>
> Username A password 0 pass1
> Username B password 0 pass2
>
> Router B
>
> Username A password 0 pass2
> Username B password 0 pass1
>
> I understand the CHAP and PAP processes, I have watched the debugs many
> times.
>
> Still, why would cisco program the isdn functionality so that you have to
> change the user password arrangement depending on chap vs pap?
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Wednesday, February 26, 2003 1:50 PM
> To: Group Study
> Subject: Amazing but true
>
> Hi everyone,
>
> Over the past few weeks, several times I've posted a question regarding
> the two types of care-of-addresses used with Mobile IP. My question concerned
> what determines which type of address is used and whether the type used is
> something that's configured on the router or determined by some other
> means - perhaps the software installed on the mobile client.
>
> What surprises me though is that there hasn't been one single response! I
> don't understand how that could be. I've searched thru both the Group
> Study archives and Cisco's documentation and found nothing addressing this
> question. I also know that mobile IP is fair game for the lab, so I'm
> amazed that this question continues to go unanswered.
>
> And, though I can't understand why that is I've come up with 2 theories:
>
> a) nobody knows
> b) nobody cares
>
> I can't imagine that nobody on groupstudy knows this - this is probably
> the most knowledgeable group of networking professionals in the world - so
> let's nix that idea.
>
> Could it be that nobody cares? That's also hard to imagine. Everyday,
> questions seemingly far more esoteric are posted and responded to.
> Besides, there must be at least a few people who might need to implement
> Mobile IP in the near future and they would certainly need to know about
> this. And, even if nobody at the moment needed to know about this for work,
> most people on group study seem to be very intellectually curious. So,
> let's nix this theory as well.
>
> Well, I hope this sparks some discussion, and maybe, in the process,
> generates the answer to the original question.
>
> What do you think?
>
> Jim
> ============================================================
> ============================================================
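As an added example (not from this thread, not any poster's config, and not Cisco code), here is a small Python model of the exchange the thread argues about: CHAP's challenge/response with the secret chosen by peer name, and PAP's cleartext request. It uses the transposed username tables Michael Snyder posted. The ROUTER_A/ROUTER_B dictionaries, the packet dictionaries and the lookup rule (the challenged router picks the secret stored under the challenger's hostname and answers with its own hostname; the authenticator checks under the responder's hostname, which is how the thread describes IOS behaving) are assumptions of this example; the hash construction is the one from RFC 1994.

```python
import hashlib
import hmac
import os

# Constructed "username" tables, one per router, mirroring Michael Snyder's
# transposed CHAP config from the thread. Only these entries are modeled;
# the rest of PPP is left out. (ROUTER_A/ROUTER_B and the dict layout are
# assumptions made for this example, not IOS data structures.)
ROUTER_A = {"hostname": "A", "users": {"A": "pass1", "B": "pass2"}}
ROUTER_B = {"hostname": "B", "users": {"A": "pass2", "B": "pass1"}}


def chap_hash(ident, secret, challenge):
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def chap_challenge(authenticator, ident, value=None):
    """Build a CHAP Challenge. It carries only an ID, a random value and the
    authenticator's own name; no password material is involved at this step."""
    if value is None:
        value = os.urandom(16)
    return {"code": "Challenge", "id": ident, "value": value,
            "name": authenticator["hostname"]}


def chap_response(peer, challenge):
    """The challenged party looks up the *challenger's* name in its own
    username table to pick the secret (assumed IOS lookup rule), hashes it
    with the challenge, and answers with its *own* hostname."""
    secret = peer["users"][challenge["name"]]
    return {"code": "Response", "id": challenge["id"],
            "value": chap_hash(challenge["id"], secret, challenge["value"]),
            "name": peer["hostname"]}


def chap_verify(authenticator, challenge, response):
    """The authenticator looks up the *responder's* name in its own table,
    recomputes the hash and compares in constant time. Both lookups must
    yield the same secret, which is why the transposed tables work."""
    if response["id"] != challenge["id"]:
        return False
    secret = authenticator["users"].get(response["name"])
    if secret is None:
        return False
    expected = chap_hash(challenge["id"], secret, challenge["value"])
    return hmac.compare_digest(expected, response["value"])


def chap_authenticate(authenticator, peer, ident=1):
    """One direction of CHAP: authenticator challenges peer."""
    challenge = chap_challenge(authenticator, ident)
    response = chap_response(peer, challenge)
    return chap_verify(authenticator, challenge, response)


def two_way_chap(a, b):
    """Both routers authenticate each other, as on a two-way CHAP link."""
    return chap_authenticate(a, b) and chap_authenticate(b, a)


def pap_request(sent_username, password):
    """PAP Authenticate-Request: username and password travel in the clear."""
    return {"code": "Authenticate-Request", "peer_id": sent_username,
            "password": password}


def pap_verify(authenticator, request):
    """PAP is a plain lookup on the authenticator; the requester's own
    username table is never consulted."""
    return authenticator["users"].get(request["peer_id"]) == request["password"]


def secrets_in_use(a, b):
    """The only entries CHAP touches: A's entry for B and B's entry for A."""
    return {"A looks up B": a["users"].get("B"), "B looks up A": b["users"].get("A")}


if __name__ == "__main__":
    print("transposed tables, two-way CHAP:", two_way_chap(ROUTER_A, ROUTER_B))
    straight_b = {"hostname": "B", "users": {"A": "pass1", "B": "pass2"}}
    print("straight tables, two-way CHAP:", two_way_chap(ROUTER_A, straight_b))
    print("PAP B->A, sent-username B password pass2:",
          pap_verify(ROUTER_A, pap_request("B", "pass2")))
```

Running it shows the transposed tables passing two-way CHAP while the straight tables fail in the first direction, that the entry for a router's own name is never consulted (delete it and CHAP still succeeds), that a Challenge packet carries only an ID, a random value and the challenger's name, and that PAP succeeds or fails purely on the sent-username/password pair the authenticator has in its own table.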
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:40 GMT-3