Document the use of PAP/CHAP properly.

Brian Somers 1997-09-09 21:01:53 +00:00
parent d0ef76de67
commit 506474c87a
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=29250
2 changed files with 112 additions and 56 deletions


@ -1,4 +1,4 @@
.\" $Id: ppp.8,v 1.61 1997/09/04 00:38:20 brian Exp $
.\" $Id: ppp.8,v 1.62 1997/09/07 01:00:03 brian Exp $
.Dd 20 September 1995
.Os FreeBSD
.Dt PPP 8
@ -767,11 +767,22 @@ on ui-gate (the receiver) should contain the following:
ppp-in:
set timeout 0
set ifaddr 10.0.4.1 10.0.4.2
add 10.0.4.1 255.255.255.255 127.0.0.1
add 10.0.1.0 255.255.255.0 10.0.4.1
.Ed
You may also want to enable PAP or CHAP for security. The entry in
You may also want to enable PAP or CHAP for security. To enable PAP, add
the following line:
.Bd -literal -offset indent
enable PAP
.Ed
.Pp
You'll also need to create the following entry in
.Pa /etc/ppp/ppp.secret :
.Bd -literal -offset indent
MyAuthName MyAuthPasswd
.Ed
.Pp
The entry in
.Pa /etc/ppp/ppp.conf
on awfulhak (the initiator) should contain the following:
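Review bot: the receiver example spells out only PAP ("To enable PAP, add the following line") although the sentence before it offers "PAP or CHAP for security" and the pap item further down calls PAP "a rather poor security mechanism". Show the CHAP line next to it, or say that the same ppp.secret entry is what the CHAP case needs, so readers are not steered to the weaker option by default. The literal also uses "enable PAP" in upper case while the rest of the page writes "enable pap"; pick one spelling. Since ppp.secret now holds the peer's password in clear, a sentence on who should be able to read that file belongs here too.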
@ -783,9 +794,14 @@ ui-gate:
set timeout 30 5 4
set log Phase Chat Connect Carrier hdlc LCP IPCP CCP tun
set ifaddr 10.0.4.2 10.0.4.1
add 10.0.4.2 255.255.255.255 127.0.0.1
add 10.0.2.0 255.255.255.0 10.0.4.2
.Ed
.Pp
Again, if you're enabling PAP, you'll also need:
.Bd -literal -offset indent
set authname MyAuthName
set authkey MyAuthKey
.Ed
We're assigning the address of 10.0.4.1 to ui-gate, and the address
10.0.4.2 to awfulhak.
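Review bot: the initiator's "set authkey MyAuthKey" does not match the receiver's ppp.secret entry "MyAuthName MyAuthPasswd" from the previous hunk, so a reader copying both examples ends up with two different secrets and a failed authentication. Use the same placeholder on both sides. "Again, if you're enabling PAP" is also misleading on this side: the initiator is answering the receiver's PAP request, not enabling it, which is the distinction the later hunks draw between "enable pap" and the client settings. The added block ends with .Ed directly followed by "We're assigning the address", so a .Pp is missing there.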
@ -1260,12 +1276,12 @@ the next lines to your
.Pa ppp.conf
file:
.Bd -literal -offset indent
enable pap (or enable chap)
disable chap (or disable pap)
set authname MyName
set authkey MyPassword
.Ed
.Pp
Both are accepted by default, so ppp will provide whatever your ISP
requires.
.El
Please refer to
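Review bot: in the literal block, "disable chap (or disable pap)" is not something a reader can paste, because the parenthetical sits inside the configuration text, and nothing around it says why a client would disable either protocol. The pap item on this page gives its default as "Disabled and Accepted", so "disable pap" only restates the default. Drop the line and let "Both are accepted by default" carry the point, or move the alternative out of the literal and explain when it is needed.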
@ -1404,16 +1420,22 @@ and compares the results. The advantage of this mechanism is that no
passwords are sent across the connection.
A challenge is made when the connection is first made. Subsequent
challenges may occur.
When using CHAP, an
challenges may occur. If you want to have your peer authenticate
itself, you must
.Dq enable chap .
in
.Pa ppp.conf ,
and have an entry in
.Pa ppp.secret
for the peer.
.Pp
When using CHAP as the client, you need only specify
.Dq AuthName
and an
and
.Dq AuthKey
must be specified either in
.Pa ppp.conf
or in
.Pa ppp.secret .
in
.Pa ppp.conf .
CHAP is accepted by default.
.It pap
Default: Disabled and Accepted. PAP stands for Password Authentication
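Review bot: ".Dq enable chap ." passes the period as a trailing argument, so it is rendered after the closing quote and the sentence reads with a full stop in the middle, before "in ppp.conf, and have an entry". Remove the trailing " ." from the macro line. The same construction appears as ".Dq enable pap ." in the pap item. The client paragraph quotes "AuthName" and "AuthKey", while the commands are documented as "set authname" and "set authkey|key"; quoting the command names would let readers find them.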
@ -1423,17 +1445,23 @@ authentication is acknowledged or the connection is terminated. This
is a rather poor security mechanism. It is only performed when the
connection is first established.
When using PAP, an
.Dq AuthName
and an
.Dq AuthKey
must be specified either in
.Pa ppp.conf
or in
If you want to have your peer authenticate itself, you must
.Dq enable pap .
in
.Pa ppp.conf ,
and have an entry in
.Pa ppp.secret
(although see the
for the peer (although see the
.Dq passwdauth
option below).
.Pp
When using PAP as the client, you need only specify
.Dq AuthName
and
.Dq AuthKey
in
.Pa ppp.conf .
PAP is accepted by default.
.It acfcomp
Default: Enabled and Accepted. ACFComp stands for Address and Control
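Review bot: the new client paragraph says AuthName and AuthKey in ppp.conf are all that is needed, and the next line keeps "PAP is accepted by default", but nothing tells the reader that a client set up this way will hand its password to any peer that asks for PAP. The chap item states that its advantage is that "no passwords are sent across the connection"; the pap item should state the converse explicitly and point to how to stop accepting PAP when the peer is known to support CHAP. The parenthetical "(although see the passwdauth option below)" would also read better as its own sentence saying what passwdauth changes about the ppp.secret requirement.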
@ -1594,13 +1622,13 @@ not trigger a dial.
Refer to the section on PACKET FILTERING above for further details.
.It set authkey|key value
This sets the authentication key (or password) used in PAP or CHAP
negotiation to the given value. It can also be used to specify the
password to be used in the dial or login scripts, preventing the
actual password from being logged.
This sets the authentication key (or password) used in client mode
PAP or CHAP negotiation to the given value. It can also be used to
specify the password to be used in the dial or login scripts, preventing
the actual password from being logged.
.It set authname id
This sets the authentication id used in PAP or CHAP negotiation.
This sets the authentication id used in client mode PAP or CHAP negotiation.
.It set ctsrts
This sets hardware flow control and is the default.
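Review bot: "client mode" is introduced in both "set authkey" and "set authname" without being defined anywhere in the visible text; the chap and pap items use "as the client" instead. Use one term, and add a pointer from these two entries to ppp.secret so a reader setting up the authenticating side knows these commands are not where the peer's secret goes. The sentence about dial and login scripts is no longer qualified by "client mode"; say whether that use is independent of PAP/CHAP.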


@ -1,4 +1,4 @@
.\" $Id: ppp.8,v 1.61 1997/09/04 00:38:20 brian Exp $
.\" $Id: ppp.8,v 1.62 1997/09/07 01:00:03 brian Exp $
.Dd 20 September 1995
.Os FreeBSD
.Dt PPP 8
@ -767,11 +767,22 @@ on ui-gate (the receiver) should contain the following:
ppp-in:
set timeout 0
set ifaddr 10.0.4.1 10.0.4.2
add 10.0.4.1 255.255.255.255 127.0.0.1
add 10.0.1.0 255.255.255.0 10.0.4.1
.Ed
You may also want to enable PAP or CHAP for security. The entry in
You may also want to enable PAP or CHAP for security. To enable PAP, add
the following line:
.Bd -literal -offset indent
enable PAP
.Ed
.Pp
You'll also need to create the following entry in
.Pa /etc/ppp/ppp.secret :
.Bd -literal -offset indent
MyAuthName MyAuthPasswd
.Ed
.Pp
The entry in
.Pa /etc/ppp/ppp.conf
on awfulhak (the initiator) should contain the following:
@ -783,9 +794,14 @@ ui-gate:
set timeout 30 5 4
set log Phase Chat Connect Carrier hdlc LCP IPCP CCP tun
set ifaddr 10.0.4.2 10.0.4.1
add 10.0.4.2 255.255.255.255 127.0.0.1
add 10.0.2.0 255.255.255.0 10.0.4.2
.Ed
.Pp
Again, if you're enabling PAP, you'll also need:
.Bd -literal -offset indent
set authname MyAuthName
set authkey MyAuthKey
.Ed
We're assigning the address of 10.0.4.1 to ui-gate, and the address
10.0.4.2 to awfulhak.
@ -1260,12 +1276,12 @@ the next lines to your
.Pa ppp.conf
file:
.Bd -literal -offset indent
enable pap (or enable chap)
disable chap (or disable pap)
set authname MyName
set authkey MyPassword
.Ed
.Pp
Both are accepted by default, so ppp will provide whatever your ISP
requires.
.El
Please refer to
@ -1404,16 +1420,22 @@ and compares the results. The advantage of this mechanism is that no
passwords are sent across the connection.
A challenge is made when the connection is first made. Subsequent
challenges may occur.
When using CHAP, an
challenges may occur. If you want to have your peer authenticate
itself, you must
.Dq enable chap .
in
.Pa ppp.conf ,
and have an entry in
.Pa ppp.secret
for the peer.
.Pp
When using CHAP as the client, you need only specify
.Dq AuthName
and an
and
.Dq AuthKey
must be specified either in
.Pa ppp.conf
or in
.Pa ppp.secret .
in
.Pa ppp.conf .
CHAP is accepted by default.
.It pap
Default: Disabled and Accepted. PAP stands for Password Authentication
@ -1423,17 +1445,23 @@ authentication is acknowledged or the connection is terminated. This
is a rather poor security mechanism. It is only performed when the
connection is first established.
When using PAP, an
.Dq AuthName
and an
.Dq AuthKey
must be specified either in
.Pa ppp.conf
or in
If you want to have your peer authenticate itself, you must
.Dq enable pap .
in
.Pa ppp.conf ,
and have an entry in
.Pa ppp.secret
(although see the
for the peer (although see the
.Dq passwdauth
option below).
.Pp
When using PAP as the client, you need only specify
.Dq AuthName
and
.Dq AuthKey
in
.Pa ppp.conf .
PAP is accepted by default.
.It acfcomp
Default: Enabled and Accepted. ACFComp stands for Address and Control
@ -1594,13 +1622,13 @@ not trigger a dial.
Refer to the section on PACKET FILTERING above for further details.
.It set authkey|key value
This sets the authentication key (or password) used in PAP or CHAP
negotiation to the given value. It can also be used to specify the
password to be used in the dial or login scripts, preventing the
actual password from being logged.
This sets the authentication key (or password) used in client mode
PAP or CHAP negotiation to the given value. It can also be used to
specify the password to be used in the dial or login scripts, preventing
the actual password from being logged.
.It set authname id
This sets the authentication id used in PAP or CHAP negotiation.
This sets the authentication id used in client mode PAP or CHAP negotiation.
.It set ctsrts
This sets hardware flow control and is the default.
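Review bot: this second file's diff is line for line the same as the first, including the "$Id: ppp.8,v 1.62" header, so the commit is maintaining two copies of the same manual text by hand. Any correction to the wording or the example values has to be made in both, and the commit message does not say which file is the master; note that in the log or in a comment at the top of the file.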