Yes, it is really, really true.
>passwords anywhere, so I am a little incredulous. I (obviously) don't
>know a whole lot about the specifics of CHAP, but is there any way
>around this without hacking source code?
You can't even get around it with hacking source.
CHAP *MUST* have the user password available in clear text. Period.
End of story. That's how the protocol works. You can store them in
a reversible encryption format (MD5 hash maybe) but the key must be stored
where RADIUS can get to it. So anyone with enough access to get the
passwords will almost certainly get the key. But in the end CHAP must have
access to the password in its original, clear text form.
CHAP cannot (never, no way, don't bother) be used with one-way encrypted
passwords, like UNIX passwords.
-MZ
--
Livingston Enterprises - Chair, Department of Interstitial Affairs
Phone: 800-458-9966 510-737-2100 FAX: 510-737-2110
megazone@livingston.com
For support requests: support@livingston.com
<http://www.livingston.com/>
Snail mail: 4464 Willow Road, Pleasanton, CA 94588
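The point made in the message above, as an added example that is not part of the original post or of any RADIUS server's code: in CHAP with MD5 (RFC 1994) the response is MD5(identifier || secret || challenge), so the verifier has to hold the same secret the peer typed. The function names are hypothetical, the sample values are constructed, and PBKDF2 is an assumed stand-in for a UNIX-style one-way password hash.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way(password: bytes, salt: bytes) -> bytes:
    """Assumed stand-in for a UNIX-style one-way password hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_chap(stored: bytes, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from whatever value is stored."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap(stored_hash: bytes, salt: bytes, sent_password: bytes) -> bool:
    """PAP sends the password itself, so a one-way store is sufficient."""
    return hmac.compare_digest(one_way(sent_password, salt), stored_hash)


def demo() -> dict:
    password = b"correct horse"      # constructed sample password
    salt = b"constructed-salt"       # constructed sample salt
    stored_hash = one_way(password, salt)
    identifier, challenge = 7, os.urandom(16)
    # Peer side: only the MD5 response crosses the wire, never the password.
    response = chap_response(identifier, password, challenge)
    return {
        "chap_with_cleartext": verify_chap(password, identifier, challenge, response),
        "chap_with_one_way_hash": verify_chap(stored_hash, identifier, challenge, response),
        "pap_with_one_way_hash": verify_pap(stored_hash, salt, password),
    }


if __name__ == "__main__":
    print(demo())
```

The server that keeps only the one-way hash can still check a PAP login, but it has nothing to feed into the CHAP computation that would reproduce the peer's response.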