From patchwork Mon Nov 20 00:47:30 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Peter Müller X-Patchwork-Id: 1552
Date: Sun, 19 Nov 2017 14:47:30 +0100 From: Peter =?utf-8?q?M=C3=BCller?= To: "development@lists.ipfire.org" Subject: [PATCH] use CHAP for dial-in as default Message-ID: <20171119144730.1dca97e2.peter.mueller@link38.eu> Organization: Link38 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Use CHAP as default setting for PPPoE dial-in connections. Although CHAP does not provide strong transport security at all, it is better than submitting credentials in plain text. Enforcing CHAP prevents the system from silently falling down to no encryption (MITM attack!). Existing installations remain untouched. Signed-off-by: Peter Müller --- html/cgi-bin/pppsetup.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/pppsetup.cgi b/html/cgi-bin/pppsetup.cgi index 4b45ee50c..a96dce9df 100644 --- a/html/cgi-bin/pppsetup.cgi +++ b/html/cgi-bin/pppsetup.cgi @@ -1042,7 +1042,7 @@ sub initprofile $pppsettings{'HOLDOFF'} = 30; $pppsettings{'TIMEOUT'} = 15; $pppsettings{'MODULATION'} = 'AUTO'; - $pppsettings{'AUTH'} = 'pap-or-chap'; + $pppsettings{'AUTH'} = 'chap'; $pppsettings{'DNS'} = 'Automatic'; $pppsettings{'DEBUG'} = 'off'; $pppsettings{'BACKUPPROFILE'} = $pppsettings{'PROFILE'};
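
Review bot: The new default on the `$pppsettings{'AUTH'} = 'chap';` line in `initprofile` only takes effect for newly initialised profiles, so the fallback to PAP that the commit message warns about stays possible on every existing profile still set to `pap-or-chap` (the message itself says existing installations remain untouched). Consider stating that limitation explicitly in the commit message, or following up with a hint in the PPP setup page for profiles that still carry `pap-or-chap`. The assignment also has no comment explaining why `chap` is chosen over `pap-or-chap`; a one-line comment above it would keep a later cleanup from reverting the default. A dial-in provider that only offers PAP would presumably no longer authenticate with a freshly created profile until the user changes AUTH, which is worth a line in the release notes.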