This document explains how a Linux client can establish a PPP over Ethernet (PPPoE) connection using MS-CHAP authentication. Sometimes a PPPoE server (possibly running Windows NT or Windows 2000 Server) accepts only MS-CHAP authentication and, for security reasons, does not accept other authentication methods such as PAP and CHAP.
On Debian GNU/Linux 3.0 (woody), pppd with the MS-CHAP patch (pppd-2.4.1.uus-4) is installed, but it did not work with the PPPoE server as far as I tested.
<lal:NoTranslation> Feb 2 21:24:21 localhost pppd[789]: pppd 2.4.1 started by root, uid 0
Feb 2 21:24:21 localhost pppd[789]: Serial connection established.
Feb 2 21:24:21 localhost pppd[789]: using channel 26
Feb 2 21:24:21 localhost pppd[789]: Using interface ppp0
Feb 2 21:24:21 localhost pppoe[790]: PADS: Service-Name: ''
Feb 2 21:24:21 localhost pppoe[790]: PPP session is 3
Feb 2 21:24:21 localhost pppd[789]: Connect: ppp0 <--> /dev/pts/2
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfReq id=0x1 <auth 0xc227> <magic 0xe0f12d4a>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x88d74619> <pcomp> <accomp>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfNak id=0x1 <auth chap MD5>]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfReq id=0x2 <magic 0x88d74619>]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfReq id=0x2 <auth chap MD5> <magic 0xe0f12d4a>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP ConfAck id=0x2 <auth chap MD5> <magic 0xe0f12d4a>]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP ConfAck id=0x2 <magic 0x88d74619>]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP EchoReq id=0x0 magic=0x88d74619]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP EchoReq id=0x0 magic=0xe0f12d4a]
Feb 2 21:24:21 localhost pppd[789]: sent [LCP EchoRep id=0x0 magic=0x88d74619]
Feb 2 21:24:21 localhost pppd[789]: rcvd [CHAP Challenge id=0xaa <dbb9b0fda9d8172e165ad6bee7f0aa59>, name = "server"]
Feb 2 21:24:21 localhost pppd[789]: No CHAP secret found for authenticating us to server
Feb 2 21:24:21 localhost pppd[789]: sent [CHAP Response id=0xaa <57bd3a5dc2a6ab287efe4d1ff3f437ff>, name = "username"]
Feb 2 21:24:21 localhost pppd[789]: rcvd [LCP EchoRep id=0x0 magic=0xe0f12d4a]
Feb 2 21:24:24 localhost pppd[789]: sent [CHAP Response id=0xaa <57bd3a5dc2a6ab287efe4d1ff3f437ff>, name = "username"]
Feb 2 21:24:25 localhost pppd[789]: rcvd [CHAP Failure id=0xaa "\37777777604\37777777631\004\010\37777777700\37777777772\37777777777\37777777677"]
Feb 2 21:24:25 localhost pppd[789]: Remote message: M-^DM-^Y^D^HM-@M-zM-^?M-?
Feb 2 21:24:25 localhost pppd[789]: CHAP authentication failed
Feb 2 21:24:25 localhost pppd[789]: sent [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"]
Feb 2 21:24:25 localhost pppd[789]: rcvd [LCP TermReq id=0x3 "Authentication failed"]
Feb 2 21:24:25 localhost pppd[789]: sent [LCP TermAck id=0x3]
Feb 2 21:24:25 localhost pppd[789]: rcvd [LCP TermAck id=0x3]
Feb 2 21:24:25 localhost pppd[789]: Connection terminated.</lal:NoTranslation>
The reason was a mismatch of the authentication method. The PPPoE client first proposes CHAP MD5 as the authentication method. The PPPoE server then agrees to use CHAP MD5, even though it accepts only MS-CHAP! A simple workaround for this problem is to modify pppd to use MS-CHAP by default.
<lal:NoTranslation> Feb 3 01:03:19 localhost pppd[6041]: pppd 2.4.1 started by root, uid 0
Feb 3 01:03:19 localhost pppd[6041]: Serial connection established.
Feb 3 01:03:19 localhost pppd[6041]: using channel 112
Feb 3 01:03:19 localhost pppd[6041]: Using interface ppp0
Feb 3 01:03:19 localhost pppd[6041]: Connect: ppp0 <--> /dev/pts/3
Feb 3 01:03:19 localhost pppoe[6042]: PADS: Service-Name: ''
Feb 3 01:03:19 localhost pppoe[6042]: PPP session is 96
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfReq id=0x1 <auth 0xc227> <magic 0x6b400f1>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7530bdc8> <pcomp> <accomp>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfNak id=0x1 <auth chap m$oft>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0> <pcomp> <accomp>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfReq id=0x2 <magic 0x7530bdc8>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfReq id=0x2 <auth chap m$oft> <magic 0x6b400f1>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP ConfAck id=0x2 <auth chap m$oft> <magic 0x6b400f1>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP ConfAck id=0x2 <magic 0x7530bdc8>]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP EchoReq id=0x0 magic=0x7530bdc8]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP EchoReq id=0x0 magic=0x6b400f1]
Feb 3 01:03:19 localhost pppd[6041]: sent [LCP EchoRep id=0x0 magic=0x7530bdc8]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CHAP Challenge id=0xb8 <f347890f0c1e0781>, name = "server"]
Feb 3 01:03:19 localhost pppd[6041]: sent [CHAP Response id=0xb8 <000000000000000000000000000000000000000000000000cb2e4b575e0c7931ce7aa2cb99020624b9a189d65cdb200001>, name = "username"]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [LCP EchoRep id=0x0 magic=0x6b400f1]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CHAP Success id=0xb8 "\37777777604\37777777631\004\010\37777777700\37777777772\37777777777\37777777677"]
Feb 3 01:03:19 localhost pppd[6041]: Remote message: M-^DM-^Y^D^HM-@M-zM-^?M-?
Feb 3 01:03:19 localhost pppd[6041]: kernel does not support PPP filtering
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <compress VJ 0f 01>]
Feb 3 01:03:19 localhost kernel: PPP BSD Compression module registered
Feb 3 01:03:19 localhost kernel: PPP Deflate Compression module registered
Feb 3 01:03:19 localhost pppd[6041]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfReq id=0x1 <addr 172.31.192.2>]
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfAck id=0x1 <addr 172.31.192.2>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfReq id=0x2 <addr 0.0.0.0>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CCP ConfReq id=0x1]
Feb 3 01:03:19 localhost pppd[6041]: sent [CCP ConfAck id=0x1]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Feb 3 01:03:19 localhost pppd[6041]: sent [CCP ConfReq id=0x2]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfNak id=0x2 <addr 172.31.192.105>]
Feb 3 01:03:19 localhost pppd[6041]: sent [IPCP ConfReq id=0x3 <addr 172.31.192.105>]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [CCP ConfAck id=0x2]
Feb 3 01:03:19 localhost pppd[6041]: rcvd [IPCP ConfAck id=0x3 <addr 172.31.192.105>]
Feb 3 01:03:19 localhost pppd[6041]: Cannot determine ethernet address for proxy ARP
Feb 3 01:03:19 localhost pppd[6041]: local IP address 172.31.192.105
Feb 3 01:03:19 localhost pppd[6041]: remote IP address 172.31.192.2
Feb 3 01:03:19 localhost pppd[6041]: Script /etc/ppp/ip-up started (pid 6047)
Feb 3 01:03:20 localhost pppd[6041]: Script /etc/ppp/ip-up finished (pid 6047), status = 0x1
Feb 3 01:03:39 localhost pppd[6041]: sent [LCP EchoReq id=0x1 magic=0x7530bdc8]
Feb 3 01:03:39 localhost pppd[6041]: rcvd [LCP EchoRep id=0x1 magic=0x6b400f1]
Feb 3 01:03:59 localhost pppd[6041]: rcvd [LCP EchoReq id=0x1 magic=0x6b400f1]</lal:NoTranslation>
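The difference between the two logs above can be checked mechanically. The following Python script is an added example, not part of the original document or of pppd: it reads shortened excerpts of both logs and reports which authentication algorithm LCP settled on and what kind of CHAP response was sent. The function names `audit` and `classify_response` are hypothetical.

```python
import re

# Excerpts of the two pppd debug logs above (timestamps removed and the
# server's message string on the final CHAP line dropped).
FAILED = r'''pppd[789]: rcvd [LCP ConfReq id=0x1 <auth 0xc227> <magic 0xe0f12d4a>]
pppd[789]: sent [LCP ConfNak id=0x1 <auth chap MD5>]
pppd[789]: sent [LCP ConfAck id=0x2 <auth chap MD5> <magic 0xe0f12d4a>]
pppd[789]: sent [CHAP Response id=0xaa <57bd3a5dc2a6ab287efe4d1ff3f437ff>, name = "username"]
pppd[789]: rcvd [CHAP Failure id=0xaa ""]'''
WORKED = r'''pppd[6041]: rcvd [LCP ConfReq id=0x1 <auth 0xc227> <magic 0x6b400f1>]
pppd[6041]: sent [LCP ConfNak id=0x1 <auth chap m$oft>]
pppd[6041]: sent [LCP ConfAck id=0x2 <auth chap m$oft> <magic 0x6b400f1>]
pppd[6041]: sent [CHAP Response id=0xb8 <000000000000000000000000000000000000000000000000cb2e4b575e0c7931ce7aa2cb99020624b9a189d65cdb200001>, name = "username"]
pppd[6041]: rcvd [CHAP Success id=0xb8 ""]'''

# 0xc227 is the PPP protocol number of EAP; this pppd prints it as raw hex.
LCP_AUTH = re.compile(r'(sent|rcvd) \[LCP (Conf\w+) [^\]]*<auth ([^>]+)>')
CHAP_RESP = re.compile(r'sent \[CHAP Response id=\S+ <([0-9a-f]+)>')
CHAP_END = re.compile(r'rcvd \[CHAP (Success|Failure)')

def classify_response(hexval):
    """Identify the CHAP response type from its length."""
    raw = bytes.fromhex(hexval)
    if len(raw) == 16:                      # MD5 digest
        return {"type": "CHAP-MD5"}
    if len(raw) == 49:                      # 24 LM + 24 NT + 1 flag byte
        return {"type": "MS-CHAP", "lm_sent": any(raw[:24]),
                "use_nt": raw[48] == 1}
    return {"type": "unknown", "length": len(raw)}

def audit(log):
    """Summarise the auth negotiation seen from the client side."""
    out = {"offered": None, "countered": None, "agreed": None,
           "response": None, "result": None}
    for line in log.splitlines():
        m = LCP_AUTH.search(line)
        if m:
            direction, kind, auth = m.groups()
            if (direction, kind) == ("rcvd", "ConfReq") and out["offered"] is None:
                out["offered"] = auth       # what the server asked for first
            elif (direction, kind) == ("sent", "ConfNak"):
                out["countered"] = auth     # what the client proposed instead
            elif (direction, kind) == ("sent", "ConfAck"):
                out["agreed"] = auth        # what the link ended up using
        elif (m := CHAP_RESP.search(line)):
            out["response"] = classify_response(m.group(1))
        elif (m := CHAP_END.search(line)):
            out["result"] = m.group(1)
    return out
```

In both logs the server's first request is `0xc227` and the client's ConfNak decides the algorithm; in the working log the 49-byte response carries an all-zero LAN Manager field, with the flag byte selecting the NT response.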
The detailed procedure is as follows.
1. Edit /etc/ppp/chap-secrets so that it contains a valid username and password.
<lal:NoTranslation> username server password
server username password</lal:NoTranslation>
2. Edit /etc/ppp/peer/dsl-provider so that it contains a valid username and remotename.
An example of /etc/ppp/peer/dsl-provider is shown below.
<lal:NoTranslation> # Configuration file for PPP, using PPP over Ethernet
# to connect to a DSL provider.
#
# See the manual page pppd(8) for information on all the options.
##
# Section 1
#
# Stuff to configure...
# MUST CHANGE: Uncomment the following line, replacing the user@provider.net
# by the DSL user name given to you by your DSL provider.
# (There should be a matching entry in /etc/ppp/pap-secrets with the password.)
user username
# Use the pppoe program to send the ppp packets over the Ethernet link
# This line should work fine if this computer is the only one accessing
# the Internet through this DSL connection. This is the right line to use
# for most people.
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1452"
# If the computer connected to the Internet using pppoe is not being used
# by other computers as a gateway to the Internet, you can try the following
# line instead, for a small gain in speed:
#pty "/usr/sbin/pppoe -I eth0 -T 80"
# An even more conservative version of the previous line, if things
# don't work using -m 1452...
#pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1412"
# The following two options should work fine for most DSL users.
# Assumes that your IP address is allocated dynamically
# by your DSL provider...
noipdefault
# Comment out if you already have the correct default route installed
defaultroute
##
# Section 2
#
# Uncomment if your DSL provider charges by minute connected
# and you want to use demand-dialing.
#
# Disconnect after 300 seconds (5 minutes) of idle time.
#demand
#idle 300
##
# Section 3
#
# You shouldn't need to change these options...
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
# Override any connect script that may have been set in /etc/ppp/options.
connect /bin/true
noauth
persist
mtu 1492
remotename server</lal:NoTranslation>
3. Apply the following patch and recompile pppd-2.4.1.uus-4.
<lal:NoTranslation> --- pppd/lcp.c.orig Thu Mar 8 14:11:14 2001
+++ pppd/lcp.c Thu Feb 3 01:39:40 2005
@@ -327,7 +327,7 @@
wo->neg_mru = 1;
wo->mru = DEFMRU;
wo->neg_asyncmap = 1;
- wo->chap_mdtype = CHAP_DIGEST_MD5;
+ wo->chap_mdtype = CHAP_MICROSOFT;
wo->neg_magicnumber = 1;
wo->neg_pcompression = 1;
wo->neg_accompression = 1;
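Review bot: the default for wo->chap_mdtype is hardcoded to CHAP_MICROSOFT here, so a binary built with this patch no longer defaults to CHAP_DIGEST_MD5 for peers that expect it. Consider keeping CHAP_DIGEST_MD5 as the default and selecting CHAP_MICROSOFT through a run-time option, and add a comment stating why the default differs from the original.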
@@ -337,7 +337,7 @@
ao->mru = MAXMRU;
ao->neg_asyncmap = 1;
ao->neg_chap = 1;
- ao->chap_mdtype = CHAP_DIGEST_MD5;
+ ao->chap_mdtype = CHAP_MICROSOFT;
ao->neg_upap = 1;
ao->neg_magicnumber = 1;
ao->neg_pcompression = 1;</lal:NoTranslation>
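Review bot: ao->chap_mdtype holds a single value, so replacing CHAP_DIGEST_MD5 with CHAP_MICROSOFT in the allowed options swaps one fixed digest type for another rather than permitting both. If the intent is only to reach MS-CHAP-only servers, say so in a comment next to this line and document that the resulting build is specific to such peers.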