pppd reads this file and processes the options it finds within. Any text following a # character is treated as a comment and ignored.
The following chat script sets a number of abort strings, dials the phone number, waits for a login prompt, and logs the ppp user in to the remote host with password ppp-word:
    # Abort strings: modem results that should end the call (quoted where they contain spaces)
    abort 'NO CARRIER' abort BUSY abort VOICE abort 'CARRIER 2400'
    # Expect nothing, then dial
    '' ATDT555-1234
    # Wait for the modem's CONNECT and send nothing (\c suppresses the newline)
    CONNECT \c
    # Wait for the login prompt; if it does not appear, send a BREAK and wait again
    ogin:-BREAK-ogin: ppp
    # Answer the password prompt
    word: ppp-word
Configuring your Linux machine to be a PPP server is even easier than setting up a SLIP server. It requires only one new account and a shell script that properly runs the pppd program.
Create an account called ppp with an /etc/passwd entry that looks like this:
    ppp:*:501:300:PPP Account:/tmp:/etc/ppp/ppplogin
and set the passwd appropriately. The uid (501) and gid (300) numbers need not be the same. You can also assign one account to each PPP client you have, if you want. The /etc/ppp/ppplogin file should be an executable script such as the following:
    #!/bin/sh
    # PPP Server Login Script
    # Turn off messages to this terminal
    mesg n
    # Turn off echoing
    stty -echo
    # Run pppd on top of this sh process
    exec pppd -detach silent modem crtscts
This script executes pppd with the -detach argument to keep pppd from detaching itself from the tty it's on. If pppd detached, the script would exit, closing the dial-up connection. The silent option makes pppd wait for the remote pppd daemon to initiate the link. The modem option makes pppd monitor the modem control lines, and crtscts makes pppd use hardware flow control.
That's all there is to it. When a user logs in to your machine with the proper user ID and password, the PPP link is established automatically on your box.
Keeping your PPP link secure is very important. Allowing anyone to connect your machine to a PPP server, or allowing anyone to connect to your PPP server, is as bad as letting anyone put a machine directly on your network. PPP provides a direct IP connection, effectively putting the machines on both ends of the link on the same network.
Two authentication protocols have been developed to make PPP more secure: the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). While a PPP connection is being established, each machine can require the other to authenticate itself, which gives you complete control over who can use your PPP service. CHAP is the more secure of the two and is the one discussed here.
CHAP authenticates each machine using a set of secret keys (text strings kept secret by the owners of the machines using CHAP) together with an encrypted challenge system. A useful feature of CHAP is that it keeps issuing challenge requests periodically for as long as the PPP link is up; this can, for example, detect an intruder who has replaced the legitimate user by switching phone lines.
The secret keys for CHAP are stored in /etc/ppp/chap-secrets. To use authentication on your PPP link, you add the auth option to the call to pppd and add the appropriate information for the host being authenticated into the chap-secrets file. The following is a sample chap-secrets file for linux2.burwell.com:
    # linux2.burwell.com CHAP secrets file
    # client/server/secret/IP addr
    linux2.burwell.com linux1.burwell.com "Its Full of Stars" linux2.burwell.com
    linux1.burwell.com linux2.burwell.com "three stars" linux1.burwell.com
    * linux2.burwell.com "three stars" burwell.com
Each line contains up to four fields: the client host name, the server host name, the secret key, and an optional list of IP addresses that this client can request be assigned to it. The client and server designations in this file are determined by the host that makes the authentication request (the server). The client has to respond to the request.
This file defines three different CHAP secrets. The first line is used when linux1.burwell.com requests CHAP authentication from linux2.burwell.com; the second is used for the reverse situation. The last line defines a wildcard situation for the client. This allows any machine that knows the proper secret key to make a PPP link to linux2.burwell.com. The wildcard designator (*) can be used in the client or server field.
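As an added illustration of the chap-secrets layout and of the challenge/response exchange the text describes (this is not code from the book or from pppd), the following Python script parses a constructed chap-secrets file that uses the page's host names, looks up secrets with the same exact-before-wildcard preference, and simulates an authenticator challenging a peer at link-up and again periodically afterwards. The response value follows RFC 1994 (MD5 over identifier, secret and challenge); the class and function names are this example's own, and the "intruder" peer that appears on the line mid-session is constructed to show a failed re-challenge.

```python
import hashlib
import hmac
import os
import shlex

# Constructed sample file in the client/server/secret/IP-addr layout the text
# describes; host names follow the page's example, secrets are quoted because
# they contain spaces.
CHAP_SECRETS = """\
# linux2.burwell.com CHAP secrets file
# client/server/secret/IP addr
linux2.burwell.com linux1.burwell.com "Its Full of Stars" linux2.burwell.com
linux1.burwell.com linux2.burwell.com "three stars" linux1.burwell.com
* linux2.burwell.com "three stars" burwell.com
"""


def parse_chap_secrets(text):
    """Parse chap-secrets text into (client, server, secret, [addresses]) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        fields = shlex.split(line)                 # honours "quoted secrets"
        if len(fields) < 3:
            raise ValueError(f"malformed chap-secrets line: {raw!r}")
        client, server, secret, *addresses = fields
        entries.append((client, server, secret, addresses))
    return entries


def lookup_secret(entries, client, server):
    """Secret for a (client, server) pair; '*' matches any name, exact entries win."""
    best, best_score = None, -1
    for ent_client, ent_server, secret, _ in entries:
        if ent_client not in ("*", client) or ent_server not in ("*", server):
            continue
        score = (ent_client == client) + (ent_server == server)  # exact fields count
        if score > best_score:
            best, best_score = secret, score
    return best


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Authenticator:
    """The side that issues challenges (the 'server' column of chap-secrets)."""

    def __init__(self, name, entries, rng=os.urandom):
        self.name, self.entries, self.rng = name, entries, rng
        self.identifier, self.challenge_value = 0, None

    def issue_challenge(self):
        self.identifier = (self.identifier + 1) % 256   # fresh identifier per challenge
        self.challenge_value = self.rng(16)             # fresh random challenge value
        return self.identifier, self.challenge_value, self.name

    def verify(self, identifier, response, peer_name):
        secret = lookup_secret(self.entries, client=peer_name, server=self.name)
        if secret is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge_value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side that answers challenges (the 'client' column), using its own file copy."""

    def __init__(self, name, entries):
        self.name, self.entries = name, entries

    def respond(self, identifier, challenge_value, server_name):
        secret = lookup_secret(self.entries, client=self.name, server=server_name)
        if secret is None:
            return None                                 # nothing to answer with
        return identifier, chap_response(identifier, secret, challenge_value), self.name


def authenticate(server, peer):
    """One challenge/response round; True if the peer proved it knows the secret."""
    ident, challenge_value, server_name = server.issue_challenge()
    answer = peer.respond(ident, challenge_value, server_name)
    return False if answer is None else server.verify(*answer)


def link_session(server, peers):
    """Initial authentication followed by periodic re-challenges; `peers` is whoever
    is on the line at each challenge, so a hijacked line shows as a failed round."""
    return [authenticate(server, p) for p in peers]


if __name__ == "__main__":
    entries = parse_chap_secrets(CHAP_SECRETS)
    linux2 = Authenticator("linux2.burwell.com", entries)
    linux1 = Peer("linux1.burwell.com", entries)            # legitimate peer, same file
    stranger = Peer("intruder.example", [])                 # constructed: knows no secret
    print(link_session(linux2, [linux1, linux1, stranger]))  # [True, True, False]
```

The wildcard entry is what lets an arbitrary peer name authenticate to linux2.burwell.com with the shared secret, exactly as the text describes; the exact (linux1, linux2) entry is preferred when both match. Note that the authenticator only ever compares a freshly computed digest, so a peer that does not hold the secret cannot answer, and the periodic re-challenge in link_session is where a line taken over after the first authentication fails.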
Careful management of the chap-secrets file allows you complete control over the machines that can access your PPP server and the machines that you can access with PPP.
SLIP and PPP are low-cost alternatives to a leased-line IP connectivity solution. You've looked at the requirements for running SLIP and PPP and at how to automate SLIP and PPP links by using the dip and chat commands. You've learned how to configure Linux as a SLIP or PPP server and how to enhance the security of PPP using the CHAP protocol. You can find complete documentation for dip, chat, and pppd in the man pages.