25.03.b.20250306.0140 - if_pppoe kernel module chap failure

kprovost

@femtosize Ah, thanks for figuring that out.

I'll add a Redmine for this, and a reminder to check for escaping things like " and ' and .

stephenw10

For reference: https://redmine.pfsense.org/issues/16128

chevybeef

I'm getting the same error.

My password begins with an exclamation mark.

This is on the release version of pfsense 2.8 CE

femtosize

The proper fix would be to base64 encode the password before passing it to the command line and so avoid all the escaping issues.
The command would then do the decode before passing it to the kernel module.
In theory PPP passwords could contain all sorts of mad characters as all bytes are valid. Passing them directly as a command line argument will always be dangerous.
Having the connection not work is probably the least worst thing that could happen.

stephenw10

You should probably comment on the bug report for better visibility.

azalea

If "if_pppoe" is enabled, PPPoE connection fails with a username containing the "$" symbol. (2.8.0-RELEASE)

The following log is output repeatedly.
if_pppoe: pppoe0: chap failure

stephenw10

Have you opened a bug for that?

femtosize

@stephenw10 This is just another example of what I tried to explain in

https://redmine.pfsense.org/issues/16128

Passing passwords as command line arguments is always going to result in failures like this.
It needs to be addressed as a security issue.

I've not tried it but I bet a password with

;rm -rf /;

in it would be pretty destructive.

RobbieTT

@femtosize said in 25.03.b.20250306.0140 - if_pppoe kernel module chap failure:

It needs to be addressed as a security issue.
;rm -rf /;

... in it would be pretty destructive.

Stuff of nightmares

stephenw10

Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.