Yet another geeky entry…
So, I decided I was not happy with sending pptp connections into an internal box as I noted yesterday. As such, I became bound and determined to ‘fix’ this.
First stop, MPPE and open directory.
I dug deep into the freeradius source and found that Apple wrote the plugin for handling opendirectory authentication. However, they failed to provide any kind of mechanism for sending MPPE keys or policy back to the NAS. I’m sure this makes sense somewhere, but… I really needed those keys.
As per the RFC, it seems that the keys are computed using the nt_password hash. However, since we are authenticating out of opendirectory, we don’t exactly have a nt_password hash to work with. Well, we do, but it’s tucked safely away in Kerberos, and I don’t have the energy to dig for it there. This is probably why Apple is not adding in this information. I hacked the radius source code (with a goto, no less, *shudder*) to compute MPPE send/recv keys based on pretty much randomness. A little recompile and we had a ‘working’ radius server on OSX.
Now onto the NAS. I configured it to use Radius, and attempted to connect. Success! However, packets sent and received are not getting decrypted properly, so both ends are seeing a ton of ‘unsupported protocol’ errors via pppd. I hacked the pppd source to print me the MPPE send/recv keys. It showed the key that Radius gave me, but still no dice. I changed back to local auth, and things worked again.
Digging deeper, now using a Linux pptp client with my special debug pppd running, I discovered something interesting: when I use my Radius MPPE keys, despite the NAS saying it is using them, it sends some other key entirely to the remote station. When I take Radius out of the loop, the keys match and it’s happy.
I dug deeper, and I think what is going on is that the MPPE keys are not actually even being sent over the wire, which… would be the smart thing. So, the calling station computes some keys with a salt, the NAS does the same, and then it should work. My hack, though, does not compute proper keys, which are based on the user password, which we don’t actually know.
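The derivation the post is circling around, as an added example (not the author's hack and not code from freeradius or pppd): RFC 3079's MS-CHAPv2 MPPE key derivation in Python, with a pure-Python MD4 because many hashlib builds no longer expose it, and a constructed 24-byte stand-in for the NT-Response. It shows why random keys from RADIUS cannot work: the NAS and the peer each derive the session keys from the user's NT password hash, so only an authenticator that knows that hash can hand the NAS keys that match the client's.

```python
import hashlib
import struct

# RFC 3079 constants (MS-CHAPv2 flavour of MPPE key derivation).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."
SHS_PAD1, SHS_PAD2 = b"\x00" * 40, b"\xf2" * 40

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds usually refuse hashlib.new('md4')."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    rounds = [(lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
              (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
               [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
              (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
               [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15))]
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + (8 * len(data)).to_bytes(8, "little")
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_password_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))  # the nt_password hash the post refers to

def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]

def get_asymmetric_start_key(master_key: bytes, length: int, is_send: bool, is_server: bool) -> bytes:
    magic = MAGIC3 if is_send == is_server else MAGIC2  # client send key == server receive key
    return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:length]

def mppe_session_keys(password: str, nt_response: bytes, is_server: bool, key_len: int = 16):
    """Return (send_key, recv_key) for one side; both sides derive these independently."""
    master = get_master_key(md4(nt_password_hash(password)), nt_response)
    return (get_asymmetric_start_key(master, key_len, True, is_server),
            get_asymmetric_start_key(master, key_len, False, is_server))

if __name__ == "__main__":
    nt_response = bytes(range(24))  # constructed stand-in for the 24-byte MS-CHAPv2 NT-Response
    client_send, client_recv = mppe_session_keys("password", nt_response, is_server=False)
    server_send, server_recv = mppe_session_keys("password", nt_response, is_server=True)
    print("NAS keys match peer:", client_send == server_recv and client_recv == server_send)
```

The NT-Response would normally come out of the MS-CHAPv2 challenge exchange (RFC 2759); here it is a fixed placeholder so the derivation runs offline.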
So, I’ve decided to trudge down a different path and give up on pptpd and try using IPSec and L2TP, which should be a better way to do this anyway, I think. We’ll see how that goes.