Clifford Kite writes:

]Bill Unruh wrote:
]> phhs80@hotpop.com (Paul Smith) writes:

]> ]Dear All

]> ]I am trying to connect from Mandrake 10 to a MS Windows server, but I
]> ]get the following error:

]> ]sent [CHAP Response id=0x0
]> ]<9583b7807730dda2bd09ead7f8cb946e000000000000000051 f6dd93f4cdfa9ba20b77a91461689ff0cda01c60fcd5bc00>,
]> ]name = "unl\"\\\"psmith"]
]> ]rcvd [LCP TermReq id=0x3
]> ]"9\"\003\37777777615\000<\37777777715t\000\000\003\37777777642"]
]> ]LCP terminated by peer (9"^CM-^M^@
]> ]My username is unl\psmith (and yes, the slash belongs to my username).
]> ]Any ideas?

]> Are you sure that the system can handle the \? Also what is being sent is
]> unl"\"psmith, not unl\psmith. Why would you want a backslash in your
]> username anyway?

]1) Sometimes a name of that form is necessary for MS-CHAP, and he does
]seem to be sure about the form.

]2) Yes, it looks like ``unl"\"psmith'' is sent. His log showed
]unl\\psmith after he seemed to have followed James' advice, so I
]guess the "real" escapes really do appear in the log message.

]3) Read README.MSCHAP80 in the pppd source; it's an MS "Domain Server"
]thing.

]> What do you have as your username? and in /etc/ppp/chap-secrets?

]Good questions. Another that may be pertinent is whether he is using
]the "remotename" pppd option to identify the peer in the secrets line(s).

]If the OP has README.MSCHAP80 available then he should read it.
]Basically it says that two secrets lines are necessary - although
]the authors apparently don't know why (and neither do I), and two
]pppd options, name and remotename.

]A quote from that file:

] For example, if your service provider calls their machine "DialupNT"
] and tells you your account and password are "customer47" and "foobar",
] add the following to your chap-secrets file:

] DialupNT customer47 foobar
] customer47 DialupNT foobar

This has never been needed in anything I have done or heard of.
The username and remotename are for your system. They tell your system
which of the lines in chap-secrets to find the secret on. The remote system
is irrelevant. This would be if the remote system was also supposed to
authenticate itself to you, which never happens.



]For this example the pppd options suggested there are

]name customer47 remotename DialupNT
^^^^ user


]Also from the README.MSCHAP80 file:

] The "remotename" option is required for MS-CHAP since Microsoft PPP
] servers don't send their system name in the CHAP challenge packet.


That is only if you have more than one line with the same username AFAIK.
Ie, this should not matter.
If you have a number of systems on all of which you have the same user name
but different passwords, then you MUST use the remotename option or the
remote machine must send its name, and you list them in chap-secrets. Again
, this is rare and probably not his situation.

'unl\psmith' * password *
should work in chap-secrets.

but then he would need to give the user to pppd
user 'unl\psmith'
would do I think, but am not sure (ie I am note sure where the \ is
interpreted-- and it might be different if this was on the command line
where bash would remove the quotes or in /etc/ppp/options.

unruh@string.physics.ubc.ca (Bill Unruh) writes:
> ] For example, if your service provider calls their machine "DialupNT"
> ] and tells you your account and password are "customer47" and "foobar",
> ] add the following to your chap-secrets file:
>
> ] DialupNT customer47 foobar
> ] customer47 DialupNT foobar
>
> This has never been needed in anything I have done or heard of.
> The username and remotename are for your system. They tell your system
> which of the lines in chap-secrets to find the secret on.

Right. With standard CHAP, the remote system tells you its name as
part of the initial Challenge message. That means that if the peer
doing the authentication request (the "server") is named "joe," you
can do this in your /etc/ppp/chap-secrets file on the authenticatee
("client"):

unruh joe foobar

and then specify "user unruh" in your pppd configuration, if necessary
(not necessary if that's also the local system name).

With MS-CHAP, though, the remote system doesn't reveal its name. I
think the protocol _can_ do it, it's just never done. Thus *IFF* you
want to match on remote peer name on the "client" side, *THEN* you
must include the 'remotename' option, as there's no other way to know
which entry to match.

The same is true with PAP, for what it's worth. When we're
authenticating ourselves to a PAP peer, we don't know who that peer
is.

> The remote system
> is irrelevant. This would be if the remote system was also supposed to
> authenticate itself to you, which never happens.

Uh, no, that's an unrelated issue. Authentication in PPP can be
negotiated in either or both directions.

"remotename" is the "assume that the peer has this name for
authentication purposes, because the peer isn't going to identify
himself" option.

> ]For this example the pppd options suggested there are
>
> ]name customer47 remotename DialupNT
> ^^^^ user

Agreed.

> That is only if you have more than one line with the same username AFAIK.

That's right.

> Ie, this should not matter.

Depends on the configuration. I agree that it probably doesn't matter
much to most ordinary users.

> but then he would need to give the user to pppd
> user 'unl\psmith'
> would do I think, but am not sure (ie I am note sure where the \ is
> interpreted-- and it might be different if this was on the command line
> where bash would remove the quotes or in /etc/ppp/options.

The escaping rules for the two places are somewhat similar.

--
James Carlson, IP Systems Group
Sun Microsystems / 1 Network Drive 71.234W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.497N Fax +1 781 442 1677

phhs80@hotpop.com (Paul Smith) wrote in message
> I am trying to connect from Mandrake 10 to a MS Windows server, but I
> get the following error:
>
> sent [CHAP Response id=0x0
> <9583b7807730dda2bd09ead7f8cb946e000000000000000051 f6dd93f4cdfa9ba20b77a91461689ff0cda01c60fcd5bc00>,
> name = "unl\"\\\"psmith"]
> rcvd [LCP TermReq id=0x3
> "9\"\003\37777777615\000<\37777777715t\000\000\003\37777777642"]
> LCP terminated by peer (9"^CM-^M^@ >
> My username is unl\psmith (and yes, the slash belongs to my username).
> Any ideas?

Thanks to all for the ongoing discussion. The slash in my username is
really needed, as well as for FTP purposes and even for webmail. (Why
does my username need a slash, I cannot tell you, as it was a choice
of the system administrator at my work; he does not know anything
about Linux...) I can perfectly connect to the VPN server from MS
Windows, but I cannot do so from Linux. I would like to add that I am
using pptp client (http://pptpclient.sourceforge.net), under Linux,
for establishing the VPN connection.

Paul

Paul Smith wrote:

> Thanks to all for the ongoing discussion. The slash in my username is
> really needed, as well as for FTP purposes and even for webmail. (Why
> does my username need a slash, I cannot tell you, as it was a choice
> of the system administrator at my work; he does not know anything
> about Linux...) I can perfectly connect to the VPN server from MS
> Windows, but I cannot do so from Linux. I would like to add that I am
> using pptp client (http://pptpclient.sourceforge.net), under Linux,
> for establishing the VPN connection.

In several tests I've been unable to send a username with a single
back-slash in it. I *have* sent a username with two back-slashes,
just as you were able to do.

Perhaps someone can tell us both how to send one with only a single
back-slash, but anyone who responds needs to show us how. Personally,
I now strongly suspect there is something wrong with the way pppd
2.4.2 handles escaping an escape.

--
Clifford Kite Email: "echo xvgr_yvahk-ccc@ri1.arg|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* "PPPoE has many advantages for DSL service providers, and
practically none for DSL consumers."
- David F. Skoll */