More fun & games with ppp setup

Brian Somers brian at freebsd-services.com
Mon Jan 7 19:11:13 GMT 2002


> On Jan  2, John Rochester <john at jrochester.org> wrote:
> 
> > Neither PAP nor CHAP prompt for login: and password: - they are not
> > human-readable protocols, at least according to RFC1334.
> 
> Every correctly configured modem rack I've ever seen prompts like that and 
> then goes and does its magic in the background. I think we're getting 
> confused as to where the PAP and so forth is beginning. Either way, ppp 
> should be able to handle that without problems, and with the regular 'dial' 
> or 'auto-dial' configs - or at least it does on our callshare number - 0845 
> 6621075 - on the modem racks I used to admin (CVX1800).
> 
> Anyway, like I say, I can't test his config here right now, but the normal 
> default chat script should 'just work' - he can try the above number and see 
> what he gets with username 'fbsduktest' and password the same.

FWIW you're both right.

Many servers present a login prompt, but the getty will ``detect'' a 
ppp packet and just kick off a ppp process (that insists on pap/chap 
authentication) when they see one.  When ppp is run with 
authentication, it makes its own entry in utmp/wtmp.

If there's actually an entry in passwd, then a terminal login can be 
used, and ppp is usually then invoked by the user's profile using a 
ppp profile that doesn't want any authentication.

Of course everything's configurable and not everything is necessarily 
configured :*)

Of all of the authentication methods, chap is the most secure as it's 
challenge based (no plain text passwords), but of course this means 
that the ppp server has the password stored in plain text....  I'm 
wandering off on a tangent now though!

So the chap approach should be taken first - ie, don't ``set login'' 
in your profile and ``deny pap'' if you can get away with it.  If 
that doesn't work, remove the ``deny pap'' line.  If that doesn't 
work, add the ``set login'' line.

The ``set login'' line should use \\P and be accompanied by a ``set 
authkey'' line - that way, when logging is enabled, ppp doesn't log 
the password.

Chat script logging is enabled on the screen with ``set log local 
+chat'' and to the log file with ``set log +chat''.  Most ``chat 
script failure'' problems are due to missing or extraneous spaces - 
ie, the expect string is being interpreted as a send string and vice 
versa.

> -- 
> Paul Robinson

-- 
Brian <brian at freebsd-services.com>                <brian at Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
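The three-stage approach Brian describes (CHAP only, then allow PAP, then add a terminal login) written out as /etc/ppp/ppp.conf profiles. This is an added example, not a config from the original message or from the FreeBSD ppp project; the device, speed, addresses and chat strings are assumptions, and the phone number and test account are the ones quoted in the thread.

```conf
# Added example, not from the original message.  Base settings shared by
# every profile; device, speed and addresses are assumptions for this site.
default:
 set device /dev/cuaa0
 set speed 115200
 # Chat scripts alternate expect/send tokens: \"\" is an empty expect so
 # "AT" is sent first.  A missing or extra space shifts every later token
 # from expect to send (or back), which is the usual "chat script failure".
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 # Chat-script lines go to /var/log/ppp.log.  For the screen, run
 # "set log local +chat" interactively instead.
 set log Phase Chat LCP IPCP CCP tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR

# Stage 1: no "set login", and PAP refused, so the peer must use CHAP.
# authname/authkey feed CHAP (and PAP) directly, not a chat script.
isp-chap:
 set phone 08456621075
 set authname fbsduktest
 set authkey fbsduktest
 deny pap

# Stage 2: same as stage 1 without "deny pap"; ppp accepts PAP or CHAP.
isp-pap-or-chap:
 set phone 08456621075
 set authname fbsduktest
 set authkey fbsduktest

# Stage 3: the rack wants a login: / password: dialogue before it starts
# PPP.  \\U and \\P expand to authname and authkey at run time, so the
# password itself never appears in the chat log, even with +chat enabled.
isp-login:
 set phone 08456621075
 set authname fbsduktest
 set authkey fbsduktest
 set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
```

Try them in order with `ppp -ddial isp-chap`, `ppp -ddial isp-pap-or-chap` and finally `ppp -ddial isp-login`, watching /var/log/ppp.log for the Chat lines; a password literal in `set login` instead of `\\P` would be written to that log verbatim.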