    25.03.b.20250306.0140 - if_pppoe kernel module chap failure

      femtosize @kprovost

      @kprovost OK. I've uploaded the capture.

        stephenw10 Netgate Administrator

        Thanks, we are checking...

          kprovost @femtosize

          @femtosize I've tried to reproduce this locally, and found that this challenge length just works.
          I've also tweaked the test setup to resemble yours a bit more by using the same username.

          Here's the capture for that: https://www.codepro.be/files/197026.pcap
          That just worked.

          Just about the only thing I can think right now is that the password is actually wrong. It may be worth trying with this pppoe package: https://www.codepro.be/files/if_pppoe-kmod-2.8.0.b.20250404.1200.1500029.pkg . This one will copy the password back to userspace so pppcfg pppoe0 will show the password, allowing you to check if it actually has the correct password.

            femtosize @kprovost

            @kprovost Sorry, I can't try that pkg as I'm on arm64. Could that be the problem? Different alignment requirements?
            The password should be correct as I'm not changing any config when flipping between mpd5 and if_pppoe and back again. Always works with mpd5, always fails with if_pppoe.

              kprovost @femtosize

              @femtosize Ah, yeah, an amd64 (and CE) kernel module won't work on arm64, of course.

              I don't expect there to be alignment issues in this particular code. That's one thing that might be going wrong, but it's also possible there are issues in how the PHP passes the password via pppcfg, so it's worth checking this anyway.

              I'll make an arm64 build, but that might not happen until Monday.

                femtosize @kprovost

                @kprovost I've figured it out. There's been a space at the start of the password since I entered it years ago. The mpd5 code path writes it to a config file with no quotes around it so it just worked.
                The if_pppoe path uses it on a command line surrounded by quotes and so it fails until I remove the space.

                This does make me think it might be interesting if my username or password had / " or ; in it.

                  Mission-Ghost @femtosize

                  @femtosize said in 25.03.b.20250306.0140 - if_pppoe kernel module chap failure:

                  @kprovost I've figured it out. There's been a space at the start of the password since I entered it years ago. The mpd5 code path writes it to a config file with no quotes around it so it just worked.
                  The if_pppoe path uses it on a command line surrounded by quotes and so it fails until I remove the space.

                  This does make me think it might be interesting if my username or password had / " or ; in it.

                  Seems like a bug to me for pfSense to inconsistently handle non-printing characters at the beginning or end of any string.

                    kprovost @femtosize

                    @femtosize Ah, thanks for figuring that out.

                    I'll add a Redmine for this, and a reminder to check for escaping things like " and ' and .

                      stephenw10 Netgate Administrator

                      For reference: https://redmine.pfsense.org/issues/16128

                        chevybeef

                        I'm getting the same error.

                        My password begins with an exclamation mark.

                        This is on the release version of pfsense 2.8 CE

                          femtosize @chevybeef

                          The proper fix would be to base64 encode the password before passing it to the command line and so avoid all the escaping issues.
                          The command would then do the decode before passing it to the kernel module.
                          In theory PPP passwords could contain all sorts of mad characters as all bytes are valid. Passing them directly as a command line argument will always be dangerous.
                          Having the connection not work is probably the least worst thing that could happen.

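A minimal shell illustration of the quoting behaviour discussed in this thread and of the base64 approach proposed in the post above. It is an added example, not part of any post and not pfSense or pppcfg code. The function names and sample passwords are constructed, the inner `sh -c` stands in for any helper that runs a command string, and `stdin_pass` is an extra alternative that nobody in the thread raised.

```shell
#!/bin/sh
# Added illustration; function names and sample passwords are constructed.
# The inner `sh -c` stands in for any helper that hands a command *string*
# to a shell; printf stands in for the program that receives the password.

# Weak: the secret is interpolated between double quotes in a command string,
# so the inner shell still interprets $, ", ` and \ inside it.
naive_pass() {
    sh -c "printf '%s' \"$1\"" 2>/dev/null || true
}

# Proposal from the thread: only base64 text appears in the command string
# and the receiving side decodes it. The alphabet A-Za-z0-9+/= contains no
# shell metacharacters, so nothing is left to escape.
b64_pass() {
    enc=$(printf '%s' "$1" | base64 | tr -d '\n')
    sh -c "printf '%s' $enc | base64 -d"
}

# Alternative (assumption, not from the thread): send the secret on stdin so
# it is in neither the command string nor the argument list.
stdin_pass() {
    printf '%s' "$1" | sh -c 'cat'
}

# Report which transports deliver the exact bytes that were handed in.
check() {
    for f in naive_pass b64_pass stdin_pass; do
        if [ "$("$f" "$1")" = "$1" ]; then r=intact; else r=ALTERED; fi
        printf '%-10s %-12s %s\n' "$f" "[$1]" "$r"
    done
}

check ' lead'      # leading space: kept verbatim inside the quotes
check 'pa$sword'   # $sword is expanded (to nothing) by the inner shell
check 'say"hi'     # stray quote: the command string no longer parses
```

Base64 here is an encoding, not protection: the encoded value is still visible in the process argument list, which the stdin variant avoids.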
                            stephenw10 Netgate Administrator

                            You should probably comment on the bug report for better visibility.

                              azalea

                              If "if_pppoe" is enabled, PPPoE connection fails with a username containing the "$" symbol. (2.8.0-RELEASE)

                              The following log is output repeatedly.
                              if_pppoe: pppoe0: chap failure

                                stephenw10 Netgate Administrator

                                Have you opened a bug for that?

                                  femtosize @stephenw10

                                  @stephenw10 This is just another example of what I tried to explain in

                                  https://redmine.pfsense.org/issues/16128

                                  Passing passwords as command line arguments is always going to result in failures like this.
                                  It needs to be addressed as a security issue.

                                  I've not tried it but I bet a password with

                                  ;rm -rf /;

                                  in it would be pretty destructive.

                                    RobbieTT @femtosize

                                    @femtosize said in 25.03.b.20250306.0140 - if_pppoe kernel module chap failure:

                                    It needs to be addressed as a security issue.
                                    ;rm -rf /;

                                    ... in it would be pretty destructive.

                                    Stuff of nightmares 👻

                                      stephenw10 Netgate Administrator

                                      Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.