Mpd 5.0b1 User Manual : Internals : Authentication
Previous: ToDo
Next: RADIUS authentication

8.2. Authentication

This chapter describes implementation specific details of MPD.

Authentication protocols - a short overview

Currently MPD supports these authentication protocols: PAP, MD5-CHAP, MS-CHAPv1, MS-CHAPv2 and EAP.

When using PAP, the password is sent as plaintext over the network, therefore PAP should be avoided, if the link between the peers is not secure. On the other hand, PAP allows using any kind of password database on the server, even if the passwords are stored in non-reversible hashed format.

The traditional CHAP-MD5 needs the plaintext password stored on the server. The password hash is computed like this: md5(id + password + challenge), where the id is incremented after each authentication attempt. The challenge is generated by the server and then sent to the client (peer). The peer sends the hash to the server and the server genrates himself the hash using the plaintext password. If both hash are the same, the authentication succeeds.

MS-CHAP doesen't need plaintext passwords on the server, but does need the hashed password either as NT-Hash or as LAN-Manager-Hash (the LAN-Manager-Hash is weak and shouldn't be used). MS-CHAPv1 uses DES as hashing algorithm and is weak, therefore don't use it! MS-CHAPv2 uses a peer challenge and a server challenge and uses SHA1 as hashing algorithm, so it's much more secure then MS-CHAPv1. MS-CHAPv2 requires the NT-Hash be available.

Usualy UNIX systems have a different non-revertable hashing algorithm for passwords, therefore it is not possible to use the traditional UNIX password database if you want to use any CHAP algorithm, with the exception that FreeBSD versions 5.1 and later support the NT-Hash format in the password database (configurable via login.conf: passwd_format=nth). However MPD doesen't currently support authentication against the UNIX password database.

EAP is an Extensible Authentication Protocol. Mpd supports natively only the EAP-Type MD5; other EAP-Types may be used in conjunction with a RADIUS server.

Note: in order for MPPE to work, MS-CHAPv1 or MS-CHAPv2 is mandatory, because the MPPE keys are generated using the results from authentication.

Authentication protocol negotiation

Starting with MPD 3.14, MPD behaves more intelligently when negotiating authentication protocols. MPD searches an internal list of protocols, from most to least secure, until a mutually agreeable protocol is found. If the link is a PPTP link, then MS-CHAP is most preferrable, otherwise MD5-CHAP is most preferrable.


Mpd 5.0b1 User Manual : Internals : Authentication
Previous: ToDo
Next: RADIUS authentication