RE: user <user> secret <password> and CHAP doubt posted 07/24/2005


I know, the problem is that you can decode the encrypted password in
about 3 seconds (time to open one of the many pass decoders that exist,
insert what you see in the config, and that's it - 3 sec flat).

The purpose of the exercise was to use user secret, but they forgot it
doesn't work with CHAP...


-----Original Message-----
From: Arun Arumuganainar [mailto:aarumuga@xxxxxxxxxxx] 
Sent: Sunday, 24 July 2005 18:07
To: Gustavo Novais; lab
Subject: Re: user <user> secret <password> and CHAP doubt

Turn on "service password-encryption".

What this actually does is encrypt it so that anyone who has
access to the running configuration will not be able to make it out.

This will work with PPP perfectly fine.

Thanks and Regards
Arun
----- Original Message -----
From: "Gustavo Novais" <gustavo.novais@xxxxxxxxxxx>
To: "lab" <ccielab@xxxxxxxxxxxxxx>
Sent: Sunday, July 24, 2005 10:01 PM
Subject: user <user> secret <password> and CHAP doubt


> Hello
>
> I'm doing a lab in which the requirement is that we use CHAP
> authentication, but on one of the involved routers the username for
> the remote must be stored in such a way that you shouldn't be able to
> decode the password from the config.
>
> This points me to user XXX secret pass, which encrypts the pass with
> MD5.
> The thing is, as stated on
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/8e_md5.htm
>
> CHAP doesn't "like" that we store the passwords as MD5. It needs them
> to be in plain text so it can derive its own MD5 challenge.
>
> I can get around the issue by simply not authenticating the remote
> side, thus no need of a local username, and then it can be whatever I
> want. But I think this is ugly...
>
> This appeared on IPexpert challenge 26, ISDN question.
>
> Any thoughts?
>
> TIA
>
> Gustavo
>
> PS. I can also see what is the hash of the password and use the hash
> instead of the password, and store it as plain text, but this would be
> even uglier...
>
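
The CHAP constraint discussed in this thread, as an added example that is not part of the original posts: per RFC 1994 the response is MD5 over Identifier, secret and Challenge, so the authenticator must hold the secret itself. The password, identifier and the `one_way_store` helper are constructed for illustration; the helper is a stand-in for a one-way stored secret, not Cisco's type 5 format.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_check(identifier, stored_value, challenge, response) -> bool:
    """The authenticator recomputes the response from whatever it has stored."""
    expected = chap_response(identifier, stored_value, challenge)
    return hmac.compare_digest(expected, response)


def one_way_store(password: bytes, salt: bytes) -> bytes:
    """Hypothetical one-way storage (assumption: NOT Cisco's type 5 format)."""
    return hashlib.md5(salt + password).hexdigest().encode()


def demo() -> dict:
    password = b"lab-password"        # constructed sample value
    identifier = 0x2A                 # constructed CHAP Identifier
    challenge = os.urandom(16)        # fresh per authentication
    hashed = one_way_store(password, b"salt")

    peer_reply = chap_response(identifier, password, challenge)
    return {
        # Authenticator stores the cleartext secret: the response verifies.
        "cleartext_stored": authenticator_check(
            identifier, password, challenge, peer_reply),
        # Authenticator stores only a one-way hash: it cannot rebuild the
        # response the peer computed from the real password.
        "hash_stored": authenticator_check(
            identifier, hashed, challenge, peer_reply),
        # The PS workaround: both ends use the hash string as the secret.
        # It verifies, but the stored string is now the secret itself.
        "hash_as_secret": authenticator_check(
            identifier, hashed, challenge,
            chap_response(identifier, hashed, challenge)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'accepted' if ok else 'rejected'}")
```

In the third case the stored hash string is password-equivalent: anyone who can read it from the configuration holds the CHAP secret, so nothing is gained over storing the original password.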