> Not true - the plaintext password in PAP is readily displayable
> in the pppd debug logs, even if the ISP keeps it in /etc/passwd for
> example.

Only if the ISP elects to log it. My point is not that this prevents
the ISP from knowing your password; nothing can prevent that. It
just *allows* the ISP to avoid keeping cleartext copies of it around
if the ISP so chooses.

> So with PAP, not only is your ISP guaranteed to know your
> password, so is anyone tapping the phone line, serial link,...

True enough, though I don't think phone line tapping is likely,
and serial link tapping would probably be quite noticeable under
most circumstances.

> ...or sniffing
> the ethernet between the access server and the Radius/TACACS/password
> server :-)

I take it you've found some way to decrypt RADIUS packets without
the key? I'd appreciate a reference to this. Otherwise sniffing
the Ethernet won't do much good in most circumstances.

cjs
Curt Sampson cjs@portal.ca Info at http://www.portal.ca/
Internet Portal Services, Inc. Through infinite mist, software reverberates
Vancouver, BC (604) 257-9400 In code possess'd of invisible folly.
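
Added example, not part of the original message: a sketch of the two points argued above, namely that the access server hides a PAP password under the RADIUS shared secret before it crosses the Ethernet (User-Password hiding as specified in RFC 2865 section 5.2), and that the RADIUS server can then check it against a salted hash without storing cleartext. The function names, the sample secret and password, and the use of PBKDF2 as a stand-in for the crypt(3) hash in /etc/passwd are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # One 16-byte step: XOR the block with MD5(shared secret + previous value).
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Access server side: hide the PAP password for the Access-Request."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)  # chains on ciphertext
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo the hiding; needs the same shared secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def make_record(password: bytes, salt: bytes = None):
    # What the ISP stores: salt and hash only (PBKDF2 is an assumed stand-in).
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def verify_pap(hidden: bytes, secret: bytes, authenticator: bytes, record) -> bool:
    # The cleartext exists only transiently here; it is hashed and compared.
    salt, stored = record
    candidate = recover_password(hidden, secret, authenticator)
    digest = hashlib.pbkdf2_hmac("sha256", candidate, salt, 100_000)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, ra = b"constructed-shared-secret", os.urandom(16)
    record = make_record(b"constructed user passphrase")
    hidden = hide_password(b"constructed user passphrase", secret, ra)
    print(hidden.hex(), verify_pap(hidden, secret, ra, record))
```
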