OS X VPN Server Authentication Cracked—What are Secure Alternatives?
Now that MS-CHAPv2 authentication has been completely pwned [http://arstechnica.com/security/2012/07/broken-microsoft-sheme-exposes-traffic/], Mountain/Lion VPN Server must be considered cracked and insecure, as well as WPA2 and Open Directory authentications that are set to use the default MS-CHAPv2. As I recall, Snow Leopard Server's VPN service had a Kerberos authentication option, but Apple removed this option in Lion, as well as MIT Kerberos.
What are the options to get a secure VPN service running between OS X Server and iOS? Is there a serveradmin command line setting for Kerberos authentication? Is there iOS client support for OpenVPN if you stand up an OVPN server? What other OS X Server functions depend on the cracked MS-CHAPv2, and how can these be cut out as we wait for Apple to rework OS X Server security?
Here's how to check if your VPN server uses MS-CHAPv2:
$ sudo serveradmin fullstatus vpn
Password:
vpn:servicePortsAreRestricted = "YES"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:startedTime = "2012-07-28 15:52:48 +0000"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.pptp:pid = 98
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
Mac mini Server (Mid 2010), Mac OS X (10.7.4), Lion Server, EyeTV HD, Turbo.264 HD
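An added example, not part of the original post, that turns the manual check above into a small audit: it parses the key = value lines that serveradmin prints and lists every VPN server still configured for MS-CHAPv2 together with its enabled flag. The sample output is constructed, and the function name mschapv2_servers is my own.

```shell
# Constructed sample of `serveradmin fullstatus vpn` output (not a real capture).
SAMPLE_STATUS='vpn:servicePortsAreRestricted = "YES"
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:enabled = no'

# Read serveradmin "key = value" lines on stdin and print one line per VPN
# server whose AuthenticationProtocol is MSCHAP2, with its enabled flag,
# sorted by server id. On a real server:
#   sudo serveradmin fullstatus vpn | mschapv2_servers
mschapv2_servers() {
    awk -F' = ' '
        {
            n = split($1, k, ":")          # k[n-1] = server id, k[n] = setting name
            val = $2; gsub(/"/, "", val)   # strip the quotes serveradmin adds
            if (k[n] == "AuthenticationProtocol") proto[k[n-1]] = val
            if (k[n] == "enabled")                on[k[n-1]] = val
        }
        END {
            for (s in proto)
                if (proto[s] == "MSCHAP2")
                    printf("%s enabled=%s\n", s, (s in on) ? on[s] : "unknown")
        }
    ' | sort
}

printf '%s\n' "$SAMPLE_STATUS" | mschapv2_servers
```

Any server listed with enabled=yes is still accepting MS-CHAPv2 logins and is the one to disable or move to another authentication method first.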