System Administration Guide: Network Services

Challenge-Handshake Authentication Protocol (CHAP)

CHAP authentication uses the notion of the challenge and response, which means that the peer (authenticator) challenges the caller (authenticatee) to prove its identity. The challenge includes a random number and a unique ID that is generated by the authenticator. The caller must use the ID, random number, and its CHAP security credentials to generate the proper response (handshake) to send to the peer.

CHAP security credentials include a CHAP user name and a CHAP “secret.” The CHAP secret is an arbitrary string that is known to both the caller and the peer before they negotiate a PPP link. You configure CHAP security credentials in the CHAP database, /etc/ppp/chap-secrets.

/etc/ppp/chap-secrets File

The CHAP database is implemented in the /etc/ppp/chap-secrets file. Machines on both sides of the PPP link must have each other's CHAP credentials in their /etc/ppp/chap-secrets files for successful authentication.

Note –

Unlike PAP, the shared secret must be in the clear on both peers. You cannot use crypt, PAM, or the PPP login option with CHAP.

The /etc/ppp/chap-secrets file has the following syntax.

myclient myserver secret5748 *

The parameters have the following meanings:


myclient
    CHAP user name of the caller. This name can be the same as or different from the caller's UNIX user name.

myserver
    Name of the remote machine, often a dial-in server.

secret5748
    Caller's CHAP secret.

    Note –

    Unlike PAP passwords, CHAP secrets are never sent over the link. Rather, CHAP secrets are used when the local machines compute the response.

*
    IP address that is associated with the caller. Use an asterisk (*) to indicate any IP address.

What Happens During CHAP Authentication

CHAP authentication occurs in the following sequence.

Figure 22–2 CHAP Authentication Sequence

The following context describes the sequence that is shown in the flow diagram.

  1. Two peers that are about to initiate communications agree on a secret to be used for authentication during negotiation of a PPP link.

  2. The administrators of both machines add the secret, CHAP user names, and other CHAP credentials to the /etc/ppp/chap-secrets database of their respective machines.

  3. The caller (authenticatee) calls the remote peer (authenticator).

  4. The authenticator generates a random number and an ID, and sends this data to the authenticatee as a challenge.

  5. The authenticatee looks up the peer's name and secret in its /etc/ppp/chap-secrets database.

  6. The authenticatee calculates a response by applying the MD5 computational algorithm to the secret and the peer's random number challenge. Then the authenticatee sends the results as its response to the authenticator.

  7. The authenticator looks up the authenticatee's name and secret in its /etc/ppp/chap-secrets database.

  8. The authenticator calculates its own figure by applying MD5 to the number that was generated as the challenge and the secret for the authenticatee in /etc/ppp/chap-secrets.

  9. The authenticator compares its results with the response from the caller. If the two numbers are the same, the peer has successfully authenticated the caller, and link negotiation continues. Otherwise the link is dropped.
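Steps 4 through 9 can be traced in code. The following is an added example, not part of the original guide or of any PPP implementation: it assumes the RFC 1994 response calculation (MD5 over the ID octet, the secret, and the challenge, concatenated in that order), uses hypothetical function names, and parses only simple whitespace-separated chap-secrets entries with exact name matches.

```python
import hashlib
import hmac
import os

# Constructed sample entry in the page's chap-secrets syntax (not a real credential).
CHAP_SECRETS = "myclient myserver secret5748 *\n"

def lookup_secret(db_text, client, server):
    """Steps 5 and 7: return the secret for (client, server), or None."""
    for line in db_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == client and fields[1] == server:
            return fields[2].encode()
    return None

def chap_response(ident, secret, challenge):
    """Steps 6 and 8: RFC 1994 value, MD5(ID octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def new_challenge(ident):
    """Step 4: the authenticator picks an ID and a random challenge value."""
    return ident & 0xFF, os.urandom(16)

def verify(db_text, client, server, ident, challenge, response):
    """Steps 7-9: recompute from the local database and compare."""
    secret = lookup_secret(db_text, client, server)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison

def demo():
    ident, challenge = new_challenge(1)
    secret = lookup_secret(CHAP_SECRETS, "myclient", "myserver")
    response = chap_response(ident, secret, challenge)
    ok = verify(CHAP_SECRETS, "myclient", "myserver", ident, challenge, response)
    # The same response checked against a fresh challenge must be rejected.
    ident2, challenge2 = new_challenge(2)
    replay_ok = verify(CHAP_SECRETS, "myclient", "myserver", ident2, challenge2, response)
    return ok, replay_ok

if __name__ == "__main__":
    print(demo())
```

Only the ID, the challenge, and the 16-byte digest cross the link; the secret is used locally on each side, which is why it must be stored in the clear in both chap-secrets files.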