Point-to-Point Protocol (PPP) authentication

SCO's PPP implementation supports two authentication protocols
defined in RFC 1334: the Password Authentication Protocol
(PAP) and the Challenge-Handshake Authentication Protocol
(CHAP). The use of these protocols on the local host (the
authenticator) to authenticate a remote system (the peer) is controlled
by the requirepap and requirechap keywords in
individual bundle and global bundle definitions
in the PPP configuration (see
PPP configuration also stores the authentication information used
by these protocols as name-secret pairs in auth definitions.
These definitions are also used if a remote system (the authenticator)
requires that the local host (the peer) authenticate with it.

If PAP is specified
during the PPP authentication negotiation stage, the peer
to be authenticated sends a PAP authentication request
to the authenticator. The message contains a password
for comparison with the one stored in the authentication database.
If the password is correct, the authenticator sends an
authentication-ack reply and accepts the connection.
If the password is incorrect, the authenticator sends an
authentication-nak reply and refuses the connection.
PAP sends passwords in unencrypted clear text, where anyone able to
observe the link can read them, and is therefore not very secure.

If CHAP is specified during the PPP
authentication negotiation stage,
the authenticator sends a CHAP challenge to the peer
that is to be authenticated.
The challenge contains a random value generated by the authenticator.
The peer computes a result based on the random value and the
secret stored in its authentication database.
The peer sends the result to the authenticator in a response packet.
The authenticator then computes a result using the secret
associated with the peer and the original random value.
If the results match, the authenticator sends a success packet to the
peer and accepts the connection.
If the results do not match, the authenticator sends a failure packet to
the peer and the connection is refused.
CHAP provides a higher level of security than PAP
because the secret is not sent openly, and the random value protects
against replay attacks.
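
The CHAP exchange described above, with both sides' computations, as an added example that is not part of the SCO documentation or SCO's PPP code. It assumes the MD5 form of CHAP from RFC 1334 (the result is the MD5 hash of the packet identifier, the secret and the challenge value); `AUTH_DB`, the `Authenticator` class and the function names are hypothetical, and the secret is a constructed sample.

```python
import hashlib
import hmac
import os

# Constructed sample auth definitions (name -> secret); not from a real config.
AUTH_DB = {"peer1": b"example-shared-secret"}


def chap_response(identifier, secret, challenge):
    """RFC 1334 CHAP with MD5: hash over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Hypothetical authenticator side: issues challenges, checks responses."""

    def __init__(self, auth_db):
        self.auth_db = auth_db
        self.pending = {}  # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)  # fresh random value for every challenge
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        value = self.pending.pop(identifier, None)  # a challenge is single-use
        secret = self.auth_db.get(name)
        if value is None or secret is None:
            return "failure"
        expected = chap_response(identifier, secret, value)
        # Constant-time comparison of the two computed results.
        return "success" if hmac.compare_digest(expected, response) else "failure"


def demo():
    auth = Authenticator(AUTH_DB)
    ident, value = auth.challenge()
    captured = chap_response(ident, AUTH_DB["peer1"], value)  # peer's response
    results = {"valid": auth.verify(ident, "peer1", captured)}
    # The same response bytes sent again after a new challenge no longer match.
    ident2, _ = auth.challenge()
    results["replayed"] = auth.verify(ident2, "peer1", captured)
    ident3, value3 = auth.challenge()
    results["wrong_secret"] = auth.verify(ident3, "peer1", chap_response(ident3, b"wrong", value3))
    return results
```

The replay check only holds because each challenge value is random and discarded after one use; an authenticator that reused challenge values would accept the recorded response again.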

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004