800 lines
29 KiB
Groff
800 lines
29 KiB
Groff
.\" manual page [] for pppd 2.0
|
|
.\" $Id: pppd.8,v 1.10 1996/02/02 20:17:53 scottr Exp $
|
|
.\" SH section heading
|
|
.\" SS subsection heading
|
|
.\" LP paragraph
|
|
.\" IP indented paragraph
|
|
.\" TP hanging label
|
|
.TH PPPD 8
|
|
.SH NAME
|
|
pppd \- Point to Point Protocol daemon
|
|
.SH SYNOPSIS
|
|
.B pppd
|
|
[
|
|
.I tty_name
|
|
] [
|
|
.I speed
|
|
] [
|
|
.I options
|
|
]
|
|
.SH DESCRIPTION
|
|
.LP
|
|
The Point-to-Point Protocol (PPP) provides a method for transmitting
|
|
datagrams over serial point-to-point links. PPP
|
|
is composed of three parts: a method for encapsulating datagrams over
|
|
serial links, an extensible Link Control Protocol (LCP), and
|
|
a family of Network Control Protocols (NCP) for establishing
|
|
and configuring different network-layer protocols.
|
|
.LP
|
|
The encapsulation scheme is provided by driver code in the kernel.
|
|
.B pppd
|
|
provides the basic LCP, authentication support, and an
|
|
NCP for establishing and configuring the Internet Protocol (IP)
|
|
(called the IP Control Protocol, IPCP).
|
|
.SH FREQUENTLY USED OPTIONS
|
|
.TP
|
|
.I <tty_name>
|
|
Communicate over the named device. The string "/dev/"
|
|
is prepended if necessary. If no device name is given,
|
|
or if the name of the controlling terminal is given,
|
|
.I pppd
|
|
will use the controlling terminal, and will not fork to put itself in
|
|
the background.
|
|
.TP
|
|
.I <speed>
|
|
Set the baud rate to <speed> (a decimal number). On systems such as
|
|
4.4BSD and NetBSD, any speed can be specified. Other systems
|
|
(e.g. SunOS) allow only a limited set of speeds.
|
|
.TP
|
|
.B asyncmap \fI<map>
|
|
Set the async character map to <map>.
|
|
This map describes which control characters cannot be successfully
|
|
received over the serial line.
|
|
.I pppd
|
|
will ask the peer to send these characters as a 2-byte escape sequence.
|
|
The argument is a 32 bit hex number
|
|
with each bit representing a character to escape.
|
|
Bit 0 (00000001) represents the character 0x00;
|
|
bit 31 (80000000) represents the character 0x1f or ^_.
|
|
If multiple \fBasyncmap\fR options are
|
|
given, the values are ORed together.
|
|
If no \fBasyncmap\fR option is given, no async character map will be
|
|
negotiated for the receive direction; the peer should then escape
|
|
\fIall\fR control characters.
|
|
.TP
|
|
.B auth
|
|
Require the peer to authenticate itself before allowing network
|
|
packets to be sent or received.
|
|
.TP
|
|
.B connect \fI<p>
|
|
Use the executable or shell command specified by \fI<p>\fR to set up the
|
|
serial line. This script would typically use the chat(8) program to
|
|
dial the modem and start the remote ppp session.
|
|
.TP
|
|
.B crtscts
|
|
Use hardware flow control (i.e. RTS/CTS) to control the flow of data
|
|
on the serial port. If neither the \fBcrtscts\fR nor the
|
|
\fB\-crtscts\fR option is given, the hardware flow control setting for
|
|
the serial port is left unchanged.
|
|
.TP
|
|
.B defaultroute
|
|
Add a default route to the system routing tables, using the peer as
|
|
the gateway, when IPCP negotiation is successfully completed.
|
|
This entry is removed when the PPP connection is broken.
|
|
.TP
|
|
.B disconnect \fI<p>
|
|
Run the executable or shell command specified by \fI<p>\fR after
|
|
\fIpppd\fR has terminated the link. This script could, for example,
|
|
issue commands to the modem to cause it to hang up if hardware modem
|
|
control signals were not available.
|
|
.TP
|
|
.B escape \fIxx,yy,...
|
|
Specifies that certain characters should be escaped on transmission
|
|
(regardless of whether the peer requests them to be escaped with its
|
|
async control character map). The characters to be escaped are
|
|
specified as a list of hex numbers separated by commas. Note that
|
|
almost any character can be specified for the \fBescape\fR option,
|
|
unlike the \fBasyncmap\fR option which only allows control characters
|
|
to be specified. The characters which may not be escaped are those
|
|
with hex values 0x20 - 0x3f or 0x5e.
|
|
.TP
|
|
.B file \fI<f>
|
|
Read options from file <f> (the format is described below).
|
|
.TP
|
|
.B lock
|
|
Specifies that \fIpppd\fR should create a UUCP-style lock file for the
|
|
serial device to ensure exclusive access to the device.
|
|
.TP
|
|
.B mru \fI<n>
|
|
Set the MRU [Maximum Receive Unit] value to <n> for negotiation.
|
|
.I pppd
|
|
will ask the peer to send packets of no more than <n> bytes. The
|
|
minimum MRU value is 128. The default MRU value is 1500. A value of
|
|
296 is recommended for slow links (40 bytes for TCP/IP header + 256
|
|
bytes of data).
|
|
.TP
|
|
.B mtu \fI<n>
|
|
Set the MTU [Maximum Transmit Unit] value to \fI<n>\fR. Unless the
|
|
peer requests a smaller value via MRU negotiation, \fIpppd\fR will
|
|
request that the kernel networking code send data packets of no more
|
|
than \fIn\fR bytes through the PPP network interface.
|
|
.TP
|
|
.B netmask \fI<n>
|
|
Set the interface netmask to <n>, a 32 bit netmask in "decimal dot"
|
|
notation (e.g. 255.255.255.0). If this option is given, the value
|
|
specified is ORed with the default netmask. The default netmask is
|
|
chosen based on the negotiated remote IP address; it is the
|
|
appropriate network mask for the class of the remote IP address, ORed
|
|
with the netmasks for any non point-to-point network interfaces in the
|
|
system which are on the same network.
|
|
.TP
|
|
.B passive
|
|
Enables the "passive" option in the LCP. With this option,
|
|
.I pppd
|
|
will attempt to initiate a connection; if no reply is received from
|
|
the peer,
|
|
.I pppd
|
|
will then just wait passively for a valid LCP packet from the peer
|
|
(instead of exiting, as it does without this option).
|
|
.TP
|
|
.B silent
|
|
With this option,
|
|
.I pppd
|
|
will not transmit LCP packets to initiate a connection until a valid
|
|
LCP packet is received from the peer (as for the `passive' option with
|
|
ancient versions of \fIpppd\fR).
|
|
.SH OPTIONS
|
|
.TP
|
|
.I <local_IP_address>\fB:\fI<remote_IP_address>
|
|
Set the local and/or remote interface IP addresses. Either one may be
|
|
omitted. The IP addresses can be specified with a host name or in
|
|
decimal dot notation (e.g. 150.234.56.78). The default local
|
|
address is the (first) IP address of the system (unless the
|
|
.B noipdefault
|
|
option is given). The remote address will be obtained from the peer
|
|
if not specified in any option. Thus, in simple cases, this option is
|
|
not required. If a local and/or remote IP address is specified with
|
|
this option,
|
|
.I pppd
|
|
will not accept a different value from the peer in the IPCP
|
|
negotiation, unless the
|
|
.B ipcp-accept-local
|
|
and/or
|
|
.B ipcp-accept-remote
|
|
options are given, respectively.
|
|
.TP
|
|
.B -ac
|
|
Disable Address/Control compression negotiation (use default, i.e.
|
|
address/control field compression disabled).
|
|
.TP
|
|
.B -all
|
|
Don't request or allow negotiation of any options for LCP and IPCP (use
|
|
default values).
|
|
.TP
|
|
.B -am
|
|
Disable asyncmap negotiation (use the default asyncmap, i.e. escape
|
|
all control characters).
|
|
.TP
|
|
.B -as \fI<n>
|
|
Same as
|
|
.B asyncmap \fI<n>
|
|
.TP
|
|
.B bsdcomp \fInr,nt
|
|
Request that the peer compress packets that it sends, using the
|
|
BSD-Compress scheme, with a maximum code size of \fInr\fR bits, and
|
|
agree to compress packets sent to the peer with a maximum code size of
|
|
\fInt\fR bits. If \fInt\fR is not specified, it defaults to the value
|
|
given for \fInr\fR. Values in the range 9 to 15 may be used for
|
|
\fInr\fR and \fInt\fR; larger values give better compression but
|
|
consume more kernel memory for compression dictionaries.
|
|
Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
|
|
compression in the corresponding direction.
|
|
.TP
|
|
.B \-bsdcomp
|
|
Disables compression; \fBpppd\fR will not request or agree to compress
|
|
packets using the BSD-Compress scheme.
|
|
.TP
|
|
.B +chap
|
|
Require the peer to authenticate itself using CHAP [Cryptographic
|
|
Handshake Authentication Protocol] authentication.
|
|
.TP
|
|
.B -chap
|
|
Don't agree to authenticate using CHAP.
|
|
.TP
|
|
.B chap-interval \fI<n>
|
|
If this option is given,
|
|
.I pppd
|
|
will rechallenge the peer every <n> seconds.
|
|
.TP
|
|
.B chap-max-challenge \fI<n>
|
|
Set the maximum number of CHAP challenge transmissions to <n> (default
|
|
10).
|
|
.TP
|
|
.B chap-restart \fI<n>
|
|
Set the CHAP restart interval (retransmission timeout for challenges)
|
|
to <n> seconds (default 3).
|
|
.TP
|
|
.B -crtscts
|
|
Disable hardware flow control (i.e. RTS/CTS) on the serial port. If
|
|
neither the \fBcrtscts\fR nor the \fB\-crtscts\fR option is given,
|
|
the hardware flow control setting for the serial port is left
|
|
unchanged.
|
|
.TP
|
|
.B -d
|
|
Increase debugging level (same as the \fBdebug\fR option).
|
|
.TP
|
|
.B debug
|
|
Increase debugging level (same as \fB\-d\fR).
|
|
If this
|
|
option is given, \fIpppd\fR will log the contents of all control
|
|
packets sent or received in a readable form. The packets are logged
|
|
through syslog with facility \fIdaemon\fR and level \fIdebug\fR. This
|
|
information can be directed to a file by setting up /etc/syslog.conf
|
|
appropriately (see syslog.conf(5)).
|
|
.TP
|
|
.B \-defaultroute
|
|
Disable the \fBdefaultroute\fR option. The system administrator who
|
|
wishes to prevent users from creating default routes with \fIpppd\fR
|
|
can do so by placing this option in the /etc/ppp/options file.
|
|
.TP
|
|
.B -detach
|
|
Don't fork to become a background process (otherwise
|
|
.I pppd
|
|
will do so if a serial device other than its controlling terminal is
|
|
specified).
|
|
.TP
|
|
.B domain \fI<d>
|
|
Append the domain name <d> to the local host name for authentication
|
|
purposes. For example, if gethostname() returns the name porsche, but the
|
|
fully qualified domain name is porsche.Quotron.COM, you would use the
|
|
domain option to set the domain name to Quotron.COM.
|
|
.TP
|
|
.B -ip
|
|
Disable IP address negotiation. If this option is used, the remote IP
|
|
address must be specified with an option on the command line or in an
|
|
options file.
|
|
.TP
|
|
.B ipcp-accept-local
|
|
With this option,
|
|
.I pppd
|
|
will accept the peer's idea of our local IP address, even if the
|
|
local IP address was specified in an option.
|
|
.TP
|
|
.B ipcp-accept-remote
|
|
With this option,
|
|
.I pppd
|
|
will accept the peer's idea of its (remote) IP address, even if the
|
|
remote IP address was specified in an option.
|
|
.TP
|
|
.B ipcp-max-configure \fI<n>
|
|
Set the maximum number of IPCP configure-request transmissions to <n>
|
|
(default 10).
|
|
.TP
|
|
.B ipcp-max-failure \fI<n>
|
|
Set the maximum number of IPCP configure-NAKs returned before starting
|
|
to send configure-Rejects instead to <n> (default 10).
|
|
.TP
|
|
.B ipcp-max-terminate \fI<n>
|
|
Set the maximum number of IPCP terminate-request transmissions to <n>
|
|
(default 3).
|
|
.TP
|
|
.B ipcp-restart \fI<n>
|
|
Set the IPCP restart interval (retransmission timeout) to <n> seconds
|
|
(default 3).
|
|
.TP
|
|
.B ipparam \fIstring
|
|
Provides an extra parameter to the ip-up and ip-down scripts. If this
|
|
option is given, the \fIstring\fR supplied is given as the 6th
|
|
parameter to those scripts.
|
|
.TP
|
|
.B kdebug \fIn
|
|
Enable debugging code in the kernel-level PPP driver. The argument
|
|
\fIn\fR is a number which is the sum of the following values: 1 to
|
|
enable general debug messages, 2 to request that the contents of
|
|
received packets be printed, and 4 to request that the contents of
|
|
transmitted packets be printed.
|
|
.TP
|
|
.B lcp-echo-failure \fI<n>
|
|
If this option is given, \fIpppd\fR will presume the peer to be dead
|
|
if \fIn\fR LCP echo-requests are sent without receiving a valid LCP
|
|
echo-reply. If this happens, \fIpppd\fR will terminate the
|
|
connection. Use of this option requires a non-zero value for the
|
|
\fIlcp-echo-interval\fR parameter. This option can be used to enable
|
|
\fIpppd\fR to terminate after the physical connection has been broken
|
|
(e.g., the modem has hung up) in situations where no hardware modem
|
|
control lines are available.
|
|
.TP
|
|
.B lcp-echo-interval \fI<n>
|
|
If this option is given, \fIpppd\fR will send an LCP echo-request
|
|
frame to the peer every \fIn\fR seconds. Under Linux, the
|
|
echo-request is sent when no packets have been received from the peer
|
|
for \fIn\fR seconds. Normally the peer should respond to the
|
|
echo-request by sending an echo-reply. This option can be used with
|
|
the \fIlcp-echo-failure\fR option to detect that the peer is no longer
|
|
connected.
|
|
.TP
|
|
.B lcp-max-configure \fI<n>
|
|
Set the maximum number of LCP configure-request transmissions to <n>
|
|
(default 10).
|
|
.TP
|
|
.B lcp-max-failure \fI<n>
|
|
Set the maximum number of LCP configure-NAKs returned before starting
|
|
to send configure-Rejects instead to <n> (default 10).
|
|
.TP
|
|
.B lcp-max-terminate \fI<n>
|
|
Set the maximum number of LCP terminate-request transmissions to <n>
|
|
(default 3).
|
|
.TP
|
|
.B lcp-restart \fI<n>
|
|
Set the LCP restart interval (retransmission timeout) to <n> seconds
|
|
(default 3).
|
|
.TP
|
|
.B local
|
|
Don't use the modem control lines. With this option,
|
|
.B pppd
|
|
will ignore the state of the CD (Carrier Detect) signal from the modem and
|
|
will not change the state of the DTR (Data Terminal Ready) signal.
|
|
.TP
|
|
.B login
|
|
Use the system password database for authenticating the peer using
|
|
PAP, and record the user in the system wtmp file.
|
|
.TP
|
|
.B modem
|
|
Use the modem control lines. This option is the default. With this
|
|
option,
|
|
.B pppd
|
|
will wait for the CD (Carrier Detect) signal from the modem to be asserted
|
|
when opening the serial device
|
|
(unless a connect script is specified), and it will drop the DTR (Data
|
|
Terminal Ready) signal briefly when the connection is terminated and before
|
|
executing the connect script.
|
|
On Ultrix, this option implies hardware
|
|
flow control, as for the \fBcrtscts\fR option.
|
|
.TP
|
|
.B -mn
|
|
Disable magic number negotiation. With this option,
|
|
.I pppd
|
|
cannot detect a looped-back line.
|
|
.TP
|
|
.B -mru
|
|
Disable MRU [Maximum Receive Unit] negotiation. With this option,
|
|
\fIpppd\fR will use the default MRU value of 1500 bytes.
|
|
.TP
|
|
.B name \fI<n>
|
|
Set the name of the local system for authentication purposes to <n>.
|
|
.TP
|
|
.B noipdefault
|
|
Disables the default behaviour when no local IP address is specified,
|
|
which is to determine (if possible) the local IP address from the
|
|
hostname. With this option, the peer will have to supply the local IP
|
|
address during IPCP negotiation (unless it specified explicitly on the
|
|
command line or in an options file).
|
|
.TP
|
|
.B -p
|
|
Same as the
|
|
.B passive
|
|
option.
|
|
.TP
|
|
.B +pap
|
|
Require the peer to authenticate itself using PAP.
|
|
.TP
|
|
.B -pap
|
|
Don't agree to authenticate using PAP.
|
|
.TP
|
|
.B papcrypt
|
|
Indicates that all secrets in the /etc/ppp/pap-secrets file which
|
|
are used for checking the identity of the peer are encrypted, and thus
|
|
pppd should not accept a password which (before encryption) is
|
|
identical to the secret from the /etc/ppp/pap-secrets file.
|
|
.TP
|
|
.B pap-max-authreq \fI<n>
|
|
Set the maximum number of PAP authenticate-request transmissions to
|
|
<n> (default 10).
|
|
.TP
|
|
.B pap-restart \fI<n>
|
|
Set the PAP restart interval (retransmission timeout) to <n> seconds
|
|
(default 3).
|
|
.TP
|
|
.B pap-timeout \fI<n>
|
|
Set the maximum time that
|
|
.I pppd
|
|
will wait for the peer to authenticate itself with PAP to
|
|
<n> seconds (0 means no limit).
|
|
.TP
|
|
.B -pc
|
|
Disable protocol field compression negotiation (use default, i.e.
|
|
protocol field compression disabled).
|
|
.TP
|
|
.B persist
|
|
Do not exit after a connection is terminated; instead try to reopen
|
|
the connection.
|
|
.TP
|
|
.B proxyarp
|
|
Add an entry to this system's ARP [Address Resolution Protocol] table
|
|
with the IP address of the peer and the Ethernet address of this
|
|
system.
|
|
.TP
|
|
.B \-proxyarp
|
|
Disable the \fBproxyarp\fR option. The system administrator who
|
|
wishes to prevent users from creating proxy ARP entries with
|
|
\fIpppd\fR can do so by placing this option in the /etc/ppp/options
|
|
file.
|
|
.TP
|
|
.B remotename \fI<n>
|
|
Set the assumed name of the remote system for authentication purposes
|
|
to <n>.
|
|
.TP
|
|
.B +ua \fI<p>
|
|
Agree to authenticate using PAP [Password Authentication Protocol] if
|
|
requested by the peer, and
|
|
use the data in file <p> for the user and password to send to the
|
|
peer. The file contains the remote user name, followed by a newline,
|
|
followed by the remote password, followed by a newline. This option
|
|
is obsolescent.
|
|
.TP
|
|
.B usehostname
|
|
Enforce the use of the hostname as the name of the local system for
|
|
authentication purposes (overrides the
|
|
.B name
|
|
option).
|
|
.TP
|
|
.B user \fI<u>
|
|
Set the user name to use for authenticating this machine with the peer
|
|
using PAP to <u>.
|
|
.TP
|
|
.B -vj
|
|
Disable negotiation of Van Jacobson style TCP/IP header compression (use
|
|
default, i.e. no compression).
|
|
.TP
|
|
.B -vjccomp
|
|
Disable the connection-ID compression option in Van Jacobson style
|
|
TCP/IP header compression. With this option, \fIpppd\fR will not omit
|
|
the connection-ID byte from Van Jacobson compressed TCP/IP headers,
|
|
nor ask the peer to do so.
|
|
.TP
|
|
.B vj-max-slots \fIn
|
|
Sets the number of connection slots to be used by the Van Jacobson
|
|
TCP/IP header compression and decompression code to \fIn\fR, which
|
|
must be between 2 and 16 (inclusive).
|
|
.TP
|
|
.B xonxoff
|
|
Use software flow control (i.e. XON/XOFF) to control the flow of data on
|
|
the serial port. This option is only implemented on Linux systems
|
|
at present.
|
|
.SH OPTIONS FILES
|
|
Options can be taken from files as well as the command line.
|
|
.I pppd
|
|
reads options from the files /etc/ppp/options and ~/.ppprc before
|
|
looking at the command line. An options file is parsed into a series
|
|
of words, delimited by whitespace. Whitespace can be included in a
|
|
word by enclosing the word in quotes ("). A backslash (\\) quotes the
|
|
following character. A hash (#) starts a comment, which continues
|
|
until the end of the line.
|
|
.SH AUTHENTICATION
|
|
.I pppd
|
|
provides system administrators with sufficient access control that PPP
|
|
access to a server machine can be provided to legitimate users without
|
|
fear of compromising the security of the server or the network it's
|
|
on. In part this is provided by the /etc/ppp/options file, where the
|
|
administrator can place options to require authentication whenever
|
|
.I pppd
|
|
is run, and in part by the PAP and CHAP secrets files, where the
|
|
administrator can restrict the set of IP addresses which individual
|
|
users may use.
|
|
.LP
|
|
The default behaviour of
|
|
.I pppd
|
|
is to agree to authenticate if requested, and to not
|
|
require authentication from the peer. However,
|
|
.I pppd
|
|
will not agree to
|
|
authenticate itself with a particular protocol if it has no secrets
|
|
which could be used to do so.
|
|
.LP
|
|
Authentication is based on secrets, which are selected from secrets
|
|
files (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP).
|
|
Both secrets files have the same format, and both can store secrets
|
|
for several combinations of server (authenticating peer) and client
|
|
(peer being authenticated). Note that
|
|
.I pppd
|
|
can be both a server
|
|
and client, and that different protocols can be used in the two
|
|
directions if desired.
|
|
.LP
|
|
A secrets file is parsed into words as for a options file. A secret
|
|
is specified by a line containing at least 3 words, in the order
|
|
client name, server name, secret. Any following words on the same line are
|
|
taken to be a list of acceptable IP addresses for that client. If
|
|
there are only 3 words on the line, it is assumed that any IP address
|
|
is OK; to disallow all IP addresses, use "-". If the secret starts
|
|
with an `@', what follows is assumed to be the name of a file from
|
|
which to read the secret. A "*" as the client or server name matches
|
|
any name. When selecting a secret, \fIpppd\fR takes the best match, i.e.
|
|
the match with the fewest wildcards.
|
|
.LP
|
|
Thus a secrets file contains both secrets for use in authenticating
|
|
other hosts, plus secrets which we use for authenticating ourselves to
|
|
others. Which secret to use is chosen based on the names of the host
|
|
(the `local name') and its peer (the `remote name'). The local name
|
|
is set as follows:
|
|
.TP 3
|
|
if the \fBusehostname\fR option is given,
|
|
then the local name is the hostname of this machine
|
|
(with the domain appended, if given)
|
|
.TP 3
|
|
else if the \fBname\fR option is given,
|
|
then use the argument of the first \fBname\fR option seen
|
|
.TP 3
|
|
else if the local IP address is specified with a hostname,
|
|
then use that name
|
|
.TP 3
|
|
else use the hostname of this machine (with the domain appended, if given)
|
|
.LP
|
|
When authenticating ourselves using PAP, there is also a `username'
|
|
which is the local name by default, but can be set with the \fBuser\fR
|
|
option or the \fB+ua\fR option.
|
|
.LP
|
|
The remote name is set as follows:
|
|
.TP 3
|
|
if the \fBremotename\fR option is given,
|
|
then use the argument of the last \fBremotename\fR option seen
|
|
.TP 3
|
|
else if the remote IP address is specified with a hostname,
|
|
then use that host name
|
|
.TP 3
|
|
else the remote name is the null string "".
|
|
.LP
|
|
Secrets are selected from the PAP secrets file as follows:
|
|
.TP 2
|
|
*
|
|
For authenticating the peer, look for a secret with client ==
|
|
username specified in the PAP authenticate-request, and server ==
|
|
local name.
|
|
.TP 2
|
|
*
|
|
For authenticating ourselves to the peer, look for a secret with
|
|
client == our username, server == remote name.
|
|
.LP
|
|
When authenticating the peer with PAP, a secret of "" matches any
|
|
password supplied by the peer. If the password doesn't match the
|
|
secret, the password is encrypted using crypt() and checked against
|
|
the secret again; thus secrets for authenticating the peer can be
|
|
stored in encrypted form. If the \fBpapcrypt\fR option is given, the
|
|
first (unencrypted) comparison is omitted, for better security.
|
|
.LP
|
|
If the \fBlogin\fR option was specified, the
|
|
username and password are also checked against the system password
|
|
database. Thus, the system administrator can set up the pap-secrets
|
|
file to allow PPP access only to certain users, and to restrict the
|
|
set of IP addresses that each user can use. Typically, when using the
|
|
\fBlogin\fR option, the secret in /etc/ppp/pap-secrets would be "", to
|
|
avoid the need to have the same secret in two places.
|
|
.LP
|
|
Secrets are selected from the CHAP secrets file as follows:
|
|
.TP 2
|
|
*
|
|
For authenticating the peer, look for a secret with client == name
|
|
specified in the CHAP-Response message, and server == local name.
|
|
.TP 2
|
|
*
|
|
For authenticating ourselves to the peer, look for a secret with
|
|
client == local name, and server == name specified in the
|
|
CHAP-Challenge message.
|
|
.LP
|
|
Authentication must be satisfactorily completed before IPCP (or any
|
|
other Network Control Protocol) can be started. If authentication
|
|
fails, \fIpppd\fR will terminated the link (by closing LCP). If IPCP
|
|
negotiates an unacceptable IP address for the remote host, IPCP will
|
|
be closed. IP packets can only be sent or received when IPCP is open.
|
|
.LP
|
|
In some cases it is desirable to allow some hosts which can't
|
|
authenticate themselves to connect and use one of a restricted set of
|
|
IP addresses, even when the local host generally requires
|
|
authentication. If the peer refuses to authenticate itself when
|
|
requested, \fIpppd\fR takes that as equivalent to authenticating with
|
|
PAP using the empty string for the username and password. Thus, by
|
|
adding a line to the pap-secrets file which specifies the empty string
|
|
for the client and password, it is possible to allow restricted access
|
|
to hosts which refuse to authenticate themselves.
|
|
.SH ROUTING
|
|
.LP
|
|
When IPCP negotiation is completed successfully,
|
|
.I pppd
|
|
will inform the kernel of the local and remote IP addresses for the
|
|
ppp interface. This is sufficient to create a
|
|
host route to the remote end of the link, which will enable the peers
|
|
to exchange IP packets. Communication with other machines generally
|
|
requires further modification to routing tables and/or ARP (Address
|
|
Resolution Protocol) tables. In some cases this will be done
|
|
automatically through the actions of the \fIrouted\fR or \fIgated\fR
|
|
daemons, but in most cases some further intervention is required.
|
|
.LP
|
|
Sometimes it is desirable
|
|
to add a default route through the remote host, as in the case of a
|
|
machine whose only connection to the Internet is through the ppp
|
|
interface. The \fBdefaultroute\fR option causes \fIpppd\fR to create such a
|
|
default route when IPCP comes up, and delete it when the link is
|
|
terminated.
|
|
.LP
|
|
In some cases it is desirable to use proxy ARP, for example on a
|
|
server machine connected to a LAN, in order to allow other hosts to
|
|
communicate with the remote host. The \fBproxyarp\fR option causes \fIpppd\fR
|
|
to look for a network interface on the same subnet as the remote host
|
|
(an interface supporting broadcast and ARP, which is up and not a
|
|
point-to-point or loopback interface). If found, \fIpppd\fR creates a
|
|
permanent, published ARP entry with the IP address of the remote host
|
|
and the hardware address of the network interface found.
|
|
.SH EXAMPLES
|
|
.LP
|
|
In the simplest case, you can connect the serial ports of two machines
|
|
and issue a command like
|
|
.IP
|
|
pppd /dev/ttya 9600 passive
|
|
.LP
|
|
to each machine, assuming there is no \fIgetty\fR running on the
|
|
serial ports. If one machine has a \fIgetty\fR running, you can use
|
|
\fIkermit\fR or \fItip\fR on the other machine to log in to the first
|
|
machine and issue a command like
|
|
.IP
|
|
pppd passive
|
|
.LP
|
|
Then exit from the communications program (making sure the connection
|
|
isn't dropped), and issue a command like
|
|
.IP
|
|
pppd /dev/ttya 9600
|
|
.LP
|
|
The process of logging in to the other machine and starting \fIpppd\fR
|
|
can be automated by using the \fBconnect\fR option to run \fIchat\fR,
|
|
for example:
|
|
.IP
|
|
pppd /dev/ttya 38400 connect 'chat "" "" "login:" "username"
|
|
"Password:" "password" "% " "exec pppd passive"'
|
|
.LP
|
|
(Note however that running chat like this will leave the password
|
|
visible in the parameter list of pppd and chat.)
|
|
.LP
|
|
If your serial connection is any more complicated than a piece of
|
|
wire, you may need to arrange for some control characters to be
|
|
escaped. In particular, it is often useful to escape XON (^Q) and
|
|
XOFF (^S), using \fBasyncmap a0000\fR. If the path includes a telnet,
|
|
you probably should escape ^] as well (\fBasyncmap 200a0000\fR).
|
|
If the path includes an rlogin, you will need to use the \fBescape
|
|
ff\fR option on the end which is running the rlogin client, since many
|
|
rlogin implementations are not
|
|
transparent; they will remove the sequence [0xff, 0xff, 0x73, 0x73,
|
|
followed by any 8 bytes] from the stream.
|
|
.SH DIAGNOSTICS
|
|
.LP
|
|
Messages are sent to the syslog daemon using facility LOG_DAEMON.
|
|
(This can be overriden by recompiling \fIpppd\fR with the macro
|
|
LOG_PPP defined as the desired facility.) In order to see the error
|
|
and debug messages, you will need to edit your /etc/syslog.conf file
|
|
to direct the messages to the desired output device or file.
|
|
.LP
|
|
The \fBdebug\fR option causes the contents of all control packets sent
|
|
or received to be logged, that is, all LCP, PAP, CHAP or IPCP packets.
|
|
This can be useful if the PPP negotiation does not succeed.
|
|
If debugging is enabled at compile time, the \fBdebug\fR option also
|
|
causes other debugging messages to be logged.
|
|
.LP
|
|
Debugging can also be enabled or disabled by sending a
|
|
SIGUSR1 to the
|
|
.I pppd
|
|
process. This signal acts as a toggle.
|
|
.SH FILES
|
|
.TP
|
|
.B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others)
|
|
Process-ID for \fIpppd\fR process on ppp interface unit \fIn\fR.
|
|
.TP
|
|
.B /etc/ppp/ip-up
|
|
A program or script which is executed when the link is available for
|
|
sending and receiving IP packets (that is, IPCP has come up). It is
|
|
executed with the parameters
|
|
.IP
|
|
\fIinterface-name tty-device speed local-IP-address
|
|
remote-IP-address\fR
|
|
.IP
|
|
and with its standard input,
|
|
output and error streams redirected to \fB/dev/null\fR.
|
|
.IP
|
|
This program or script is executed with the same real and effective
|
|
user-ID as \fIpppd\fR, that is, at least the effective user-ID and
|
|
possibly the real user-ID will be \fBroot\fR. This is so that it can
|
|
be used to manipulate routes, run privileged daemons (e.g.
|
|
\fBsendmail\fR), etc. Be careful that the contents of the
|
|
/etc/ppp/ip-up and /etc/ppp/ip-down scripts do not compromise your
|
|
system's security.
|
|
.IP
|
|
This program or script is executed without an environment, so you
|
|
must either specify a PATH or use full pathnames (e.g. \fI/sbin/route\fR,
|
|
as opposed to \fIroute\fR).
|
|
.TP
|
|
.B /etc/ppp/ip-down
|
|
A program or script which is executed when the link is no longer
|
|
available for sending and receiving IP packets. This script can be
|
|
used for undoing the effects of the /etc/ppp/ip-up script. It is
|
|
invoked with the same parameters as the ip-up script, and the same
|
|
security considerations apply, since it is executed with the same
|
|
effective and real user-IDs as \fIpppd\fR.
|
|
.TP
|
|
.B /etc/ppp/pap-secrets
|
|
Usernames, passwords and IP addresses for PAP authentication.
|
|
.TP
|
|
.B /etc/ppp/chap-secrets
|
|
Names, secrets and IP addresses for CHAP authentication.
|
|
.TP
|
|
.B /etc/ppp/options
|
|
System default options for
|
|
.I pppd,
|
|
read before user default options or command-line options.
|
|
.TP
|
|
.B ~/.ppprc
|
|
User default options, read before command-line options.
|
|
.TP
|
|
.B /etc/ppp/options.\fIttyname
|
|
System default options for the serial port being used, read after
|
|
command-line options.
|
|
.SH SEE ALSO
|
|
.TP
|
|
.B RFC1144
|
|
Jacobson, V.
|
|
.I Compressing TCP/IP headers for low-speed serial links.
|
|
1990 February.
|
|
.TP
|
|
.B RFC1321
|
|
Rivest, R.
|
|
.I The MD5 Message-Digest Algorithm.
|
|
1992 April.
|
|
.TP
|
|
.B RFC1332
|
|
McGregor, G.
|
|
.I PPP Internet Protocol Control Protocol (IPCP).
|
|
1992 May.
|
|
.TP
|
|
.B RFC1334
|
|
Lloyd, B.; Simpson, W.A.
|
|
.I PPP authentication protocols.
|
|
1992 October.
|
|
.TP
|
|
.B RFC1548
|
|
Simpson, W.A.
|
|
.I The Point\-to\-Point Protocol (PPP).
|
|
1993 December.
|
|
.TP
|
|
.B RFC1549
|
|
Simpson, W.A.
|
|
.I PPP in HDLC Framing.
|
|
1993 December
|
|
.SH NOTES
|
|
The following signals have the specified effect when sent to the
|
|
.I pppd
|
|
process.
|
|
.TP
|
|
.B SIGINT, SIGTERM
|
|
These signals cause \fBpppd\fR to terminate the link (by closing LCP),
|
|
restore the serial device settings, and exit.
|
|
.TP
|
|
.B SIGHUP
|
|
This signal causes \fBpppd\fR to terminate the link, restore the
|
|
serial device settings, and close the serial device. If the
|
|
\fBpersist\fR option has been specified, \fBpppd\fR will try to reopen
|
|
the serial device and start another connection. Otherwise \fBpppd\fR
|
|
will exit.
|
|
.TP
|
|
.B SIGUSR2
|
|
This signal causes
|
|
.B pppd
|
|
to renegotiate compression. This can be useful to re-enable
|
|
compression after it has been disabled as a result of a fatal
|
|
decompression error. With the BSD Compress scheme, fatal
|
|
decompression errors generally indicate a bug in one or other
|
|
implementation.
|
|
|
|
.SH AUTHORS
|
|
Drew Perkins,
|
|
Brad Clements,
|
|
Karl Fox,
|
|
Greg Christy,
|
|
Brad Parker,
|
|
Paul Mackerras (paulus@cs.anu.edu.au).
|