Attention!!!!

If you use poptop vpn server AND you use the patch for ppp which allows you to use smbpasswd for chap-secrets logins, then this is for you. The following security issue has come up!

If you use the smbpasswd patch for ppp, and you ONLY specify

    * * &/home/samba/smbpasswd *

in your chap-secrets file, YOU ARE WIDE OPEN!!!

I am running 2.2.16, ppp-2.4.0, and using that very patch, as well as mppe, require-mppe, and mschapstripdomain, and in testing I found that if you have just that entry, ANYONE CAN LOGIN USING A BLANK USERNAME AND PASSWORD. If they specify a username that does not exist, IT STILL WORKS!!!! Also, if you for some reason have a user listed in chap-secrets that is NOT in smbpasswd, THEY CAN STILL LOG IN!!!

The ONLY "secure" method I have found so far is by explicitly listing ONLY the users you want to have vpn access in chap-secrets, and for each user using the &/home/samba/smbpasswd or wherever your file is.

This was discovered by another member on the poptop user list; I am just forwarding that info here in case anyone uses this method of authentication, as I am. Luckily they found it. Who knows what systems have already been "penetrated".

I did NOT do any testing of access rights with any "false" logins, so there may not be as big a security issue, but ANY login without a valid user is a BIG problem in my book.

Again, only specify VALID users with the smbpasswd patch!!!

Share and enjoy...

P.S. Sorry to post this so much, but I was not previously aware of this problem, so I don't think others are either, and they NEED to be...
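An audit for the two conditions reported above, as an added example that is not part of the original message or of the ppp patch: it flags chap-secrets entries whose secret is an `&file` reference and whose client is either the `*` wildcard or a name missing from smbpasswd. The function names and both sample files are constructed for illustration; it assumes the usual colon-separated smbpasswd layout with the username first, and approximates pppd's quoting rules with shlex.

```python
import shlex

def smbpasswd_users(text):
    """Return the usernames in smbpasswd-format text (username is field 1)."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#") and ":" in line}

def audit_chap_secrets(chap_text, smb_users):
    """Return (line number, finding, client) for risky '&file' entries."""
    findings = []
    for lineno, line in enumerate(chap_text.splitlines(), 1):
        try:
            fields = shlex.split(line, comments=True)  # drops '#' comments
        except ValueError:                              # unbalanced quote
            fields = line.split()
        # Fields: client, server, secret, allowed IP addresses.
        if len(fields) < 3 or not fields[2].startswith("&"):
            continue                                    # not an smbpasswd entry
        client = fields[0]
        if client == "*":
            # The entry the message reports as accepting any or no username.
            findings.append((lineno, "wildcard-client", client))
        elif client not in smb_users:
            # Listed in chap-secrets but absent from smbpasswd.
            findings.append((lineno, "not-in-smbpasswd", client))
    return findings

# Constructed sample files (not taken from any real system).
CHAP_SAMPLE = """\
# client  server  secret                  IP addresses
*         *       &/home/samba/smbpasswd  *
alice     *       &/home/samba/smbpasswd  *
bob       *       &/home/samba/smbpasswd  *
carol     *       "static-secret"         *
"""
SMB_SAMPLE = """\
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
"""

if __name__ == "__main__":
    for lineno, finding, client in audit_chap_secrets(
            CHAP_SAMPLE, smbpasswd_users(SMB_SAMPLE)):
        print(f"chap-secrets line {lineno}: {finding} ({client})")
```

To check a live system, pass the contents of the real chap-secrets and smbpasswd files in place of the two sample strings.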