406 lines
12 KiB
Groff
406 lines
12 KiB
Groff
.\" $NetBSD: pppoectl.8,v 1.27 2010/03/31 04:17:23 joerg Exp $
|
|
.\"
|
|
.\" Copyright (C) 1997 by Joerg Wunsch, Dresden
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
|
|
.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
.\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
|
|
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" From: spppcontrol.1,v 1.1.1.1 1997/10/11 11:30:30 joerg Exp
|
|
.\"
|
|
.\" $Id: pppoectl.8,v 1.27 2010/03/31 04:17:23 joerg Exp $
|
|
.\"
|
|
.\" last edit-date: [Thu Aug 31 10:47:33 2000]
|
|
.\"
|
|
.Dd October 2, 2003
|
|
.Dt PPPOECTL 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm pppoectl ,
|
|
.Nm ipppctl
|
|
.Nd "display or set parameters for an pppoe or isdn ppp (ippp) interface"
|
|
.Sh SYNOPSIS
|
|
.Nm pppoectl
|
|
.Op Fl v
|
|
.Ar ifname
|
|
.Op Ar parameter Ns Op \&= Ns Ar value
|
|
.Op Ar ...
|
|
.Pp
|
|
.Nm ipppctl
|
|
.Op Fl v
|
|
.Ar ifname
|
|
.Op Ar parameter Ns Op \&= Ns Ar value
|
|
.Op Ar ...
|
|
.Pp
|
|
.Nm pppoectl
|
|
.Fl e Ar ethernet-ifname
|
|
.Op Fl s Ar service-name
|
|
.Op Fl a Ar access-concentrator-name
|
|
.Op Fl d
|
|
.Op Fl n Ar 1 \&| 2
|
|
.Ar ifname
|
|
.Pp
|
|
.Nm pppoectl
|
|
.Fl f Ar config-file
|
|
.Ar ifname
|
|
.Op Ar ...
|
|
.Sh DESCRIPTION
|
|
There are two basic modes of operation: configuring security related
|
|
parameters and attaching a PPPoE interface to its ethernet interface,
|
|
optionally passing in additional parameters for the PPPoE encapsulation.
|
|
.Pp
|
|
The later usage is indicated by the presence of the
|
|
.Fl e
|
|
option, which takes the name of the ethernet interface as its argument.
|
|
.Pp
|
|
.Bl -tag -width indent
|
|
.It Fl e
|
|
specifies the ethernet interface used to communicate with the
|
|
access concentrator (typically via a DSL modem).
|
|
.It Fl a
|
|
specifies the name of the access concentrator.
|
|
.It Fl s
|
|
specifies the name of the service connected to.
|
|
.It Fl d
|
|
dump the current connection state information (this parameter is typically
|
|
used alone, for informational purposes, not during interface configuration).
|
|
.It Fl n Ar 1 \&| 2
|
|
print the IP address of the primary or secondary DNS name server for this
|
|
PPP connection.
|
|
This is only available if DNS query is enabled, see
|
|
.Ar query-dns .
|
|
.It Fl f
|
|
parse
|
|
.Ar config-file
|
|
for
|
|
.Ar parameter Ns Op \&= Ns Ar value
|
|
pairs, one per line, as if they had been specified on the command line.
|
|
This allows the password to be not passed as a command line argument.
|
|
Unless escaped by \e, comments starting with # to the end of the current line
|
|
are ignored.
|
|
.El
|
|
.Pp
|
|
Typically, not both the access concentrator name and the service name are
|
|
specified.
|
|
.Pp
|
|
The
|
|
.Xr ippp 4
|
|
or the
|
|
.Xr pppoe 4
|
|
drivers require a number of additional arguments or optional
|
|
parameters besides the settings that can be adjusted with
|
|
.Xr ifconfig 8 .
|
|
These are things like authentication protocol parameters, but also
|
|
other tunable configuration variables.
|
|
The
|
|
.Nm
|
|
utility can be used to display the current settings, or adjust these
|
|
parameters as required.
|
|
.Pp
|
|
For whatever intent
|
|
.Nm
|
|
is being called, at least the parameter
|
|
.Ar ifname
|
|
needs to be specified, naming the interface for which the settings
|
|
are to be performed or displayed.
|
|
Use
|
|
.Xr ifconfig 8
|
|
or
|
|
.Xr netstat 1
|
|
to see which interfaces are available.
|
|
.Pp
|
|
If no other parameter is given,
|
|
.Nm
|
|
will just list the current settings for
|
|
.Ar ifname
|
|
and exit.
|
|
The reported settings include the current PPP phase the
|
|
interface is in, which can be one of the names
|
|
.Em dead ,
|
|
.Em establish ,
|
|
.Em authenticate ,
|
|
.Em network ,
|
|
or
|
|
.Em terminate .
|
|
If an authentication protocol is configured for the interface, the
|
|
name of the protocol to be used, as well as the system name to be used
|
|
or expected will be displayed, plus any possible options to the
|
|
authentication protocol if applicable.
|
|
Note that the authentication
|
|
secrets (sometimes also called
|
|
.Em keys )
|
|
are not being returned by the underlying system call, and are thus not
|
|
displayed.
|
|
.Pp
|
|
If any additional parameter is supplied, superuser privileges are
|
|
required, and the command works in
|
|
.Ql set
|
|
mode.
|
|
This is normally done quietly, unless the option
|
|
.Fl v
|
|
is also enabled, which will cause a final printout of the settings as
|
|
described above once all other actions have been taken.
|
|
Use of this mode will be rejected if the interface is currently in any
|
|
other phase than
|
|
.Em dead .
|
|
Note that you can force an interface into
|
|
.Em dead
|
|
phase by calling
|
|
.Xr ifconfig 8
|
|
with the parameter
|
|
.Ql down .
|
|
.Pp
|
|
The currently supported parameters include:
|
|
.Bl -tag -width xxxxxxxxxxxxxxxxxxxxxxxxx
|
|
.It Ar authproto Ns \&= Ns Em protoname
|
|
Set both his and my authentication protocol to
|
|
.Em protoname .
|
|
The protocol name can be one of
|
|
.Ql chap ,
|
|
.Ql pap ,
|
|
or
|
|
.Ql none .
|
|
In the latter case, the use of an authentication protocol will be
|
|
turned off for the named interface.
|
|
This has the side-effect of
|
|
clearing the other authentication-related parameters for this
|
|
interface as well (i.
|
|
e., system name and authentication secret will
|
|
be forgotten).
|
|
.It Ar myauthproto Ns \&= Ns Em protoname
|
|
Same as above, but only for my end of the link.
|
|
I.e., this is the protocol when remote is authenticator,
|
|
and I am the peer required to authenticate.
|
|
.It Ar hisauthproto Ns \&= Ns Em protoname
|
|
Same as above, but only for his end of the link.
|
|
.It Ar myauthname Ns \&= Ns Em name
|
|
Set my system name for the authentication protocol.
|
|
.It Ar hisauthname Ns \&= Ns Em name
|
|
Set his system name for the authentication protocol.
|
|
For CHAP, this will only be used as a hint, causing
|
|
a warning message if remote did supply a different name.
|
|
For PAP, it's the name remote must use to
|
|
authenticate himself (in connection with his secret).
|
|
.It Ar myauthsecret Ns \&= Ns Em secret
|
|
Set my secret (key, password) for use in the authentication phase.
|
|
For CHAP, this will be used to compute the response hash value, based
|
|
on remote's challenge.
|
|
For PAP, it will be transmitted as plaintext
|
|
together with the system name.
|
|
Don't forget to quote the secrets from
|
|
the shell if they contain shell metacharacters (or whitespace).
|
|
.It Ar myauthkey Ns \&= Ns Em secret
|
|
Same as above.
|
|
.It Ar hisauthsecret Ns \&= Ns Em secret
|
|
Same as above, to be used if we are authenticator and the remote peer
|
|
needs to authenticate.
|
|
.It Ar hisauthkey Ns \&= Ns Em secret
|
|
Same as above.
|
|
.It Ar callin
|
|
Require remote to authenticate himself only when he's calling in, but
|
|
not when we are caller.
|
|
This is required for some peers that do not
|
|
implement the authentication protocols symmetrically (like Ascend
|
|
routers, for example).
|
|
.It Ar always
|
|
The opposite of
|
|
.Ar callin .
|
|
Require remote to always authenticate, regardless of which side is
|
|
placing the call.
|
|
This is the default, and will not be explicitly displayed in
|
|
.Ql list
|
|
mode.
|
|
.It Ar norechallenge
|
|
Only meaningful with CHAP.
|
|
Do not re-challenge peer once the initial
|
|
CHAP handshake was successful.
|
|
Used to work around broken peer implementations that can't grok
|
|
being re-challenged once the connection is up.
|
|
.It Ar rechallenge
|
|
With CHAP, send re-challenges at random intervals while the connection
|
|
is in network phase.
|
|
(The intervals are currently in the range of 300
|
|
through approximately 800 seconds.)
|
|
This is the default, and will not be explicitly displayed in
|
|
.Ql list
|
|
mode.
|
|
.It Ar idle-timeout Ns \&= Ns Em idle-seconds
|
|
For services that are charged by connection time the interface can optionally
|
|
disconnect after a configured idle time.
|
|
If set to 0, this feature is disabled.
|
|
Note: for ISDN devices, it is preferable to use the
|
|
.Xr isdnd 8
|
|
based timeout mechanism, as isdnd can predict the next charging unit for
|
|
ISDN connections and optimize the timeout with this information.
|
|
.It Ar lcp-timeout Ns \&= Ns Em timeout-value
|
|
Allows to change the value of the LCP timeout.
|
|
The default value of the LCP timeout is currently set to 1 second.
|
|
The timeout-value must be specified in milliseconds.
|
|
.It Ar max-noreceive Ns \&= Ns Em sec
|
|
Sets the number of seconds after last reception of data from the peer before
|
|
the line state is probed by sending LCP echo requests.
|
|
The
|
|
.Em sec
|
|
interval is not used verbatim, the first echo request might be delayed upto
|
|
10 seconds after the configured interval.
|
|
.It Ar max-alive-missed Ns \&= Ns Em count
|
|
Sets the number of unanswered LCP echo requests that we will tolerate before
|
|
considering a connection to be dead.
|
|
LCP echo requests are sent in 10 seconds interval after the configured
|
|
.Em max-noreceive
|
|
interval has passed with no data received from the peer.
|
|
.It Ar max-auth-failure Ns \&= Ns Em count
|
|
Since some ISPs disable accounts after too many unsuccessful authentication
|
|
attempts, there is a maximum number of authentication failures before we will
|
|
stop retrying without manual intervention.
|
|
Manual intervention is either changing the authentication data
|
|
(name, password) or setting the maximum retry count.
|
|
If
|
|
.Em count
|
|
is set to
|
|
.Em 0
|
|
this feature is disabled.
|
|
.It Ar clear-auth-failure
|
|
If an authentication failure has been caused by remote problems and you want
|
|
to retry connecting using unchanged local settings, this command can be used
|
|
to reset the failure count to zero.
|
|
.It Ar query-dns Ns \&= Ns Em flags
|
|
During PPP protocol negotiation we can query the peer
|
|
for addresses of two name servers.
|
|
If
|
|
.Ar flags
|
|
is
|
|
.Em 1
|
|
only the first server address will be requested, if
|
|
.Ar flags
|
|
is
|
|
.Em 2
|
|
the second will be requested.
|
|
Setting
|
|
.Ar flags
|
|
to
|
|
.Em 3
|
|
queries both.
|
|
.Pp
|
|
The result of the negotiation can be retrieved with the
|
|
.Fl n
|
|
option.
|
|
.El
|
|
.Sh EXAMPLES
|
|
.Bd -literal
|
|
# ipppctl ippp0
|
|
ippp0: phase=dead
|
|
myauthproto=chap myauthname="uriah"
|
|
hisauthproto=chap hisauthname="ifb-gw" norechallenge
|
|
lcp timeout: 3.000 s
|
|
.Ed
|
|
.Pp
|
|
Display the settings for ippp0.
|
|
The interface is currently in
|
|
.Em dead
|
|
phase, i.e. the LCP layer is down, and no traffic is possible.
|
|
Both ends of the connection use the CHAP protocol,
|
|
my end tells remote the system name
|
|
.Ql uriah ,
|
|
and remote is expected to authenticate by the name
|
|
.Ql ifb-gw .
|
|
Once the initial CHAP handshake was successful, no further CHAP
|
|
challenges will be transmitted.
|
|
There are supposedly some known CHAP
|
|
secrets for both ends of the link which are not being shown.
|
|
.Pp
|
|
.Bd -literal
|
|
# ipppctl ippp0 \e
|
|
authproto=chap \e
|
|
myauthname=uriah myauthsecret='some secret' \e
|
|
hisauthname=ifb-gw hisauthsecret='another' \e
|
|
norechallenge
|
|
.Ed
|
|
.Pp
|
|
A possible call to
|
|
.Nm
|
|
that could have been used to bring the interface into the state shown
|
|
by the previous example.
|
|
.Pp
|
|
The following example is the complete sequence of commands to bring
|
|
a PPPoE connection up:
|
|
.Bd -literal
|
|
# Need ethernet interface UP (or it won't send any packets)
|
|
ifconfig ne0 up
|
|
|
|
# Let pppoe0 use ne0 as its ethernet interface
|
|
pppoectl -e ne0 pppoe0
|
|
|
|
# Configure authentication
|
|
pppoectl pppoe0 \e
|
|
myauthproto=pap \e
|
|
myauthname=XXXXX \e
|
|
myauthsecret=YYYYY \e
|
|
hisauthproto=none
|
|
|
|
# Configure the pppoe0 interface itself. These addresses are magic,
|
|
# meaning we don't care about either address and let the remote
|
|
# ppp choose them.
|
|
ifconfig pppoe0 0.0.0.0 0.0.0.1 netmask 0xffffffff up
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr netstat 1 ,
|
|
.Xr ippp 4 ,
|
|
.Xr pppoe 4 ,
|
|
.Xr ifconfig 8 ,
|
|
.Xr ifwatchd 8
|
|
.Rs
|
|
.%A B. Lloyd
|
|
.%A W. Simpson
|
|
.%T "PPP Authentication Protocols"
|
|
.%O RFC 1334
|
|
.Re
|
|
.Rs
|
|
.%A W. Simpson, Editor
|
|
.%T "The Point-to-Point Protocol (PPP)"
|
|
.%O RFC 1661
|
|
.Re
|
|
.Rs
|
|
.%A W. Simpson
|
|
.%T "PPP Challenge Handshake Authentication Protocol (CHAP)"
|
|
.%O RFC 1994
|
|
.Re
|
|
.Rs
|
|
.%A L. Mamakos
|
|
.%A K. Lidl
|
|
.%A J. Evarts
|
|
.%A D. Carrel
|
|
.%A D. Simone
|
|
.%A R. Wheeler
|
|
.%T "A Method for Transmitting PPP Over Ethernet (PPPoE)"
|
|
.%O RFC 2516
|
|
.Re
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
utility is based on the
|
|
.Ic spppcontrol
|
|
utility which appeared in
|
|
.Fx 3.0 .
|
|
.Sh AUTHORS
|
|
The program was written by J\(:org Wunsch, Dresden,
|
|
and modified for PPPoE support by Martin Husemann.
|