From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Mon Jul 25 2005 - 14:12:17 GMT-3
Gustavo,
<cco>
MD5 encryption is a one-way hash function that makes reversal of
an encrypted password impossible, providing strong encryption
protection. Using MD5 encryption, you cannot retrieve clear text
passwords. Thus, MD5 encrypted passwords cannot be used with protocols
that require the clear text password to be retrievable, such as
Challenge Handshake Authentication Protocol (CHAP).
</cco>
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/ft_md5.htm
This question isn't in the Internetwork Expert lab workbook, is it?
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Gustavo Novais
> Sent: Sunday, July 24, 2005 11:31 AM
> To: lab
> Subject: user <user> secret <password> and CHAP doubt
>
> Hello
>
> I'm doing a lab in which the requirement is that we use CHAP
> authentication, but on one of the involved routers the username for the
> remote must be stored such that you shouldn't be able to decode the
> password from the config.
>
> This points me to user XXX secret pass, which encrypts the pass with
> MD5.
> The thing is, as stated on
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/8e_md5.htm
>
> CHAP doesn't "like" that we store the passwords as MD5. It needs them to
> be in plain text so it can derive its own MD5 challenge.
>
> I can turn around the issue by simply not authenticating the remote
> side, thus no need of local username, and then it can be whatever I
> want. But I think this is ugly...
>
> This appeared on IPexpert challenge 26, ISDN question.
>
> Any thoughts?
>
> TIA
>
> Gustavo
>
> PS. I can also see what is the hash of the password and use the hash
> instead of the password, and store it as plain text, but this would be
> even uglier...
>
>
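
Added example, not part of the original messages: a sketch of the CHAP response calculation from RFC 1994 (MD5 over Identifier, secret and Challenge), showing why an authenticator that holds only a one-way hash of the password cannot check a response, and what the "use the hash as the password" idea from the PS amounts to. The function names, the sample secret and salt, and the simplified salted-MD5 stand-in for the stored hash are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way_store(secret: bytes, salt: bytes) -> bytes:
    """Stand-in for a one-way stored password. Simplified salted MD5,
    not the md5-crypt format IOS writes for 'username ... secret'."""
    return hashlib.md5(salt + secret).digest()


def authenticator_verify(stored: bytes, identifier: int,
                         challenge: bytes, response: bytes) -> bool:
    """The authenticator can only recompute the digest from what it stores."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-lab-secret"  # constructed sample value
    salt = b"abcd"                      # constructed sample salt
    identifier = 7
    challenge = os.urandom(16)          # fresh for every authentication

    peer_response = chap_response(identifier, secret, challenge)
    hashed = one_way_store(secret, salt)
    return {
        # Cleartext secret on both ends: the digests match.
        "cleartext_store": authenticator_verify(
            secret, identifier, challenge, peer_response),
        # Only a one-way hash stored: the per-challenge digest cannot be rebuilt.
        "hashed_store": authenticator_verify(
            hashed, identifier, challenge, peer_response),
        # Hash configured as the shared secret on both ends: CHAP succeeds,
        # but the stored value is now itself the password.
        "hash_as_secret": authenticator_verify(
            hashed, identifier, challenge,
            chap_response(identifier, hashed, challenge)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```
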
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:31 GMT-3