

Again, you will have an entry for each remote machine you may need to authenticate. You can see that you will end up having mirror-image entries for the client and server fields for each machine you connect to (as either end may require authentication at any time). A simple /etc/ppp/chap-secrets file, however, looks like this:


#   client           server               string                    addresses
merlin.tpci.com      big_guy.big_net.com  "I hate DOS"
big_guy.big_net.com  merlin.tpci.com      "Size isn't everything"
merlin.tpci.com      chatton.cats.com     "Meow, Meow, Meow"
chatton.cats.com     merlin.tpci.com      "Here, Kitty, Kitty"
merlin.tpci.com      roy.sailing.ca       "Hoist the spinnaker"
roy.sailing.ca       merlin.tpci.com      "Man overboard"

The size of the file can get quite large, so CHAP allows you to use a wildcard match, usually only for your local machine:


#   client           server               string                    addresses
merlin.tpci.com      big_guy.big_net.com  "I hate DOS"
big_guy.big_net.com  merlin.tpci.com      "Size isn't everything"
merlin.tpci.com      chatton.cats.com     "Meow, Meow, Meow"
chatton.cats.com     merlin.tpci.com      "Here, Kitty, Kitty"
merlin.tpci.com      roy.sailing.ca       "Hoist the spinnaker"
*                    merlin.tpci.com      "Man overboard"

In this /etc/ppp/chap-secrets file, the last entry allows any other machine connecting to the local host and requiring authentication to use the same string. Of course, the remote must have the same string in its chap-secrets file. This is a little less secure than a dedicated string for each remote, but can be a handy timesaver when using a number of machines only rarely.

The addresses field, which isn’t used in the samples above, lets you list either symbolic names or IP addresses for the clients. This is necessary if the remote wants to use an IP address other than its normal one, which would typically cause the authentication to fail. If the address field is empty (as they all are in the samples), any IP address is allowed. A hyphen in the field disallows all IP addresses with that client.
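The following Python script is an added example, not part of the original chapter. It parses a chap-secrets file and reports the conditions described above: a wildcard client, an empty addresses field (any IP allowed), a hyphen (all IPs disallowed), and one string shared by several entries. The function names and the sample data are constructed for illustration, and shlex is assumed to be a close enough stand-in for pppd's own quoting rules.

```python
import shlex
from collections import defaultdict

# Constructed sample in the chap-secrets layout described above
# (hostnames follow the chapter's samples; strings and the address are made up).
SAMPLE = '''\
# client             server               string           addresses
merlin.tpci.com      big_guy.big_net.com  "I hate DOS"
big_guy.big_net.com  merlin.tpci.com      "Size matters"   192.0.2.10
chatton.cats.com     merlin.tpci.com      "I hate DOS"     -
*                    merlin.tpci.com      "Man overboard"
'''


def parse_secrets(text):
    """Yield (lineno, client, server, secret, addresses) for each entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        # Assumption: shlex approximates pppd's word splitting and quoting.
        fields = shlex.split(line, comments=True)
        if not fields:
            continue  # blank line or comment
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected client, server, string")
        client, server, secret, *addresses = fields
        yield lineno, client, server, secret, addresses


def audit(text):
    """Return sorted (lineno, message) findings; secrets are never echoed."""
    findings, by_secret = [], defaultdict(list)
    for lineno, client, server, secret, addresses in parse_secrets(text):
        by_secret[secret].append(lineno)
        if client == "*":
            findings.append((lineno, f"wildcard client: any peer may use this string with {server}"))
        if not addresses:
            findings.append((lineno, f"no addresses: {client} accepted from any IP"))
        elif "-" in addresses:
            findings.append((lineno, f"'-' in addresses: all IPs disallowed for {client}"))
    for lines in by_secret.values():
        if len(lines) > 1:
            # Report line numbers only, so the audit output can be shared.
            findings.append((lines[0], f"string shared by lines {lines}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE):
        print(f"line {lineno}: {msg}")
```
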

The /etc/ppp/pap-secrets file is much the same as the chap-secrets file. The fields in the pap-secrets file are the client (called a user in the pap-secrets format) and server names, a secret string, and valid address aliases. However, the look of the file is different because the client and server names are not full domain names and the secret string is a single block of text. A sample pap-secrets file looks like this:


# /etc/ppp/pap-secrets
#    user     server      string      addresses
merlin        darkstar    yG55Sj29    darkstar.big_net.com
darkstar      merlin      5Srg7S      merlin.tpci.com
merlin        chatton     MeowMeow    chatton.cats.com
chatton       merlin      73wrh6s     merlin.tpci.com

In this example, the first two lines show a connection to the machine darkstar. The first line is how to authenticate a request from darkstar and the second how to authenticate a request from us to them. The username in the first column is the name to send to the remote, while the server field is their identification to us. This poses a problem: The pppd daemon has no way of knowing the remote host’s name—all it gets is an IP address. You can put the IP address in the addresses column of the file or specify the remote hostname at the end of the pppd command line like this:


pppd ….. remotename chatton user merlin

This shows that the remote is called chatton, and our local host is merlin. The last portion giving the local hostname overrides the default values, if specified.

Using DNS with SLIP and PPP

If you are using SLIP or PPP to connect to the Internet for more than simple tasks (such as downloading email and news), you will probably want to use DNS. The easiest method of using DNS for your SLIP and PPP connections is to put the IP address of a name server you can access in the /etc/resolv.conf file. For example, if you can access a name server with an IP address of 145.2.12.1, make the following addition to your /etc/resolv.conf file:


# /etc/resolv.conf
domain       merlin.com      # the local domain
nameserver   145.2.12.1      # the Internet name server

After this entry has been established, SLIP or PPP sends requests for address resolution to the name server and waits for replies. The more accessible the name server is, the better the performance is. For this reason, choose a name server that is relatively close (in network terms).

Using this approach has a problem, however: All address resolution attempts must go out over the SLIP or PPP line. This can slow down applications, as well as increase the amount of network traffic over your SLIP or PPP line, sometimes to the detriment of other applications.

A way around this problem is to set up a cache-only name server on your machine. To set up a cache-only name server, you need to modify the /etc/named.boot file. To set your local machine up as a cache-only name server, your named.boot file will look like this:


; /etc/named.boot
directory    /var/named
cache        .                       db.cache ; cache-only
primary      0.0.147.in-addr.arpa    db.cache ; loopback

The preceding file uses the local network name in IN-ADDR.ARPA format to specify the loopback driver, and the cache points to the file db.cache, which contains a list of root name servers.

Summary

Configuring PPP and SLIP on a Linux machine is not overly complex, although it does require proper attention to details as you modify files. After they’re set up, though, PPP and SLIP can be used for Internet access, as well as access to other machines on a one-to-one basis. For more information on this subject, check out the following chapters:

General networking on Linux is discussed in Chapter 37, “Networking.”
NIS and YP, which add flexibility to your Linux machine on a network, are discussed in Chapter 44, “NIS and YP.”
Setting up your own Internet site is discussed in Part VII starting with Chapter 47, “Setting Up an Internet Site.”

