I have a VPN server set up on a Debian (lenny) machine. I get an error, 778: "it was not possible to verify the identity of the server", every time I try to connect. I checked the configuration against this site, and set up a replica machine to set it up and test it there as well. On both Debian machines, I get a 778.
The weird thing is, I don't get this error when using a CHAP secrets file; only when using winbind (so as to authenticate over Active Directory). But we need AD authentication to ensure security in our environment. I have found no literature on this subject other than to update my certificates:
# dpkg-reconfigure ca-certificates
which I did.
To pose the question, why am I getting the 778 error and how do I fix the error on a Debian machine?
EDIT: I found this at http://www.schneier.com/paper-pptpv2.pdf . How MS-CHAPv2 works:
1. Client requests a login challenge from the Server.
2. The Server sends back a 16-byte random challenge.
3. The Client generates a random 16-byte number, called the "Peer Authenticator Challenge."
4. The Client generates an 8-byte challenge by hashing the 16-byte challenge received in step (2), the 16-byte Peer Authenticator Challenge generated in step (4), and the Client's username.
5. The Client creates a 24-byte reply, using the Windows NT hash function and the 8-byte challenge generated in step (4). This process is identical to MS-CHAPv1.
6. The Client sends the Server the results of steps (3) and (5).
7. The Server uses the hashes of the Client's password, stored in a database, to decrypt the replies. If the decrypted blocks match the challenge, the Client is authenticated.
8. The Server uses the 16-byte Peer Authenticator Challenge from the client, as well as the Client's hashed password, to create a 20-byte "Authenticator Response."
9. The Client also computes the Authenticator Response. If the computed response matches the received response, the Server is authenticated.
I suppose then that the Debian machine is not sending the 16-byte Authenticator Challenge or that it is not working correctly. Is there any reason why it would have that problem, and if so, what do I do to fix it?
Best Answer
I found it! The error is a SAMBA bug, detailed here. Both squeeze and lenny machines use samba 3.4.8. I updated via http://backports.debian.org and it worked!