pppauth -- Point-to-Point Protocol (PPP) authentication


SCO's PPP implementation supports two authentication protocols defined in RFC 1334: the Password Authentication Protocol (PAP) and the Challenge-Handshake Authentication Protocol (CHAP). The use of these protocols on the local host (the authenticator) to authenticate a remote system (the peer) is controlled by the requirepap and requirechap keywords in individual bundle and global bundle definitions in the PPP configuration (see ppptalk(1M)). PPP configuration also stores the authentication information used by these protocols as name-secret pairs in auth definitions. These definitions are also used if a remote system (the authenticator) requires that the local host (the peer) authenticate with it.

PAP operation

If PAP is specified during the PPP authentication negotiation stage, the peer to be authenticated sends a PAP authentication request to the authenticator. The message contains a password for comparison with the one stored in the authentication database. If the password is correct, the authenticator sends an authentication-ack reply and accepts the connection. If the password is incorrect, the authenticator sends an authentication-nak reply and refuses the connection.

PAP sends the password across the link in unencrypted clear text, where anything able to observe the link can read it, and is therefore not very secure.

CHAP operation

If CHAP is specified during the PPP authentication negotiation stage, the authenticator sends a CHAP challenge to the peer that is to be authenticated. The challenge contains a random value generated by the authenticator. The peer computes a result based on the random value and the secret stored in its authentication database. The peer sends the result to the authenticator in a response packet. The authenticator then computes a result using the secret associated with the peer and the original random value. If the results match, the authenticator sends a success packet to the peer and accepts the connection. If the results do not match, the authenticator sends a failure packet to the peer and the connection is refused.

CHAP provides a higher level of security than PAP because the secret itself is never sent over the link, and because each challenge carries a fresh random value, a response recorded from one exchange is of no use in a later one, which protects against replay attacks.
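As an added illustration (not part of this manual page or of SCO's PPP code), the following Python models the CHAP exchange described above and the replay property just noted. It assumes the MD5 hash over Identifier, secret and challenge value that RFC 1334 specifies for CHAP, and uses a constructed sample name and secret in place of a real auth definition.

```python
import hashlib
import hmac
import os

# Constructed sample database standing in for the name-secret pairs held in
# PPP auth definitions. Values are made up for this example.
SECRETS = {b"remote-host": b"s3cret-for-remote"}

def chap_response(ident, secret, challenge):
    """Peer side: MD5 over Identifier || secret || challenge value (RFC 1334)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """Local host acting as authenticator: issues challenges, checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.outstanding = {}   # Identifier -> challenge value still awaiting a reply
        self.next_ident = 0

    def challenge(self, size=16):
        ident = self.next_ident & 0xFF
        self.next_ident += 1
        value = os.urandom(size)          # fresh random value per challenge
        self.outstanding[ident] = value
        return ident, value

    def verify(self, ident, name, response):
        """Return True for a success packet, False for a failure packet."""
        value = self.outstanding.pop(ident, None)   # each challenge answered once
        if value is None or name not in self.secrets:
            return False                  # stale Identifier or unknown peer name
        expected = chap_response(ident, self.secrets[name], value)
        return hmac.compare_digest(expected, response)

def run_chap(auth, name, secret):
    """One full exchange: challenge -> response -> success/failure."""
    ident, value = auth.challenge()
    response = chap_response(ident, secret, value)
    return auth.verify(ident, name, response)

def replay_is_rejected(auth, name, secret):
    """A response recorded from one exchange does not satisfy a later challenge."""
    ident, value = auth.challenge()
    recorded = chap_response(ident, secret, value)
    accepted_first = auth.verify(ident, name, recorded)
    ident2, _ = auth.challenge()          # new random value, new Identifier
    return accepted_first and not auth.verify(ident2, name, recorded)
```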



RFC 1334

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004