AutoPPP Secure Dialin (Linux RedHat 5.0)
By David Efflandt 6/5/98 (updated 6/7/00)

This is an example of how I set up secure auto PPP dial-in using PAP authentication. Win95 clients can just enter their name and password in the DUN connect box; no login script is required. It works for any user with a normal login password and refuses the connection for an invalid or blank password. (PAP carries the password in the clear, but on a direct dial-in it only crosses the phone line itself.) Including root in the exclusion list did not prevent root from initiating auto PPP with a proper password, but pppd is safely run suid root anyway. Users can also log into the shell manually or with a login script and then start pppd.

# /etc/inittab (mgetty line for dialup on COM3):
# (after section) "Run gettys in standard runlevels"
S2:2345:respawn:/sbin/mgetty ttyS2

# /etc/mgetty+sendfax/login.config (/AutoPPP/ entry):
# Automatic PPP startup on receipt of LCP configure request (AutoPPP).
/AutoPPP/ - a_ppp /usr/sbin/pppd call mydialin

# /etc/ppp/peers/mydialin (mydunsrv & mydialin are in /etc/hosts)
# Customize any options for your system. For multiple modems the IPs
# or hostnames might be in /etc/ppp/options.ttySn for that device.
# For connecting to a LAN use 'proxyarp' instead of 'defaultroute'
# and enable /proc/sys/net/ipv4/ip_forward (change from 0 to 1).
asyncmap 0
defaultroute
mydunsrv:mydialin
kdebug 7
auth
login
refuse-chap
nodetach

Keep pap-secrets owned by root with mode 600: the dialout entries hold real secrets, and pppd warns if the file is group- or world-readable.

# /etc/ppp/pap-secrets (after dialout pap entries):
# Secrets for authentication using PAP (dialout entries)
# client server secret IP addresses

# INBOUND CONNECTIONS
#client hostname 192.168.1.1
# UserIDs that cannot use PPP at all. Check your /etc/passwd and add any
# other accounts that should not be able to use pppd! Replace hostname
# with your local hostname (or I used * for any local hostname).
bin       *  "*"  -
daemon    *  "*"  -
adm       *  "*"  -
lp        *  "*"  -
sync      *  "*"  -
shutdown  *  "*"  -
halt      *  "*"  -
mail      *  "*"  -
news      *  "*"  -
uucp      *  "*"  -
operator  *  "*"  -
games     *  "*"  -
gopher    *  "*"  -
ftp       *  "*"  -
nobody    *  "*"  -
# If you add "auth login -chap +pap" to incoming pppd options, other
# users in /etc/passwd can use their password for pap-authentication.
# Example is for a single dial-in (IP for 'mydialin' is in /etc/hosts).
*         *  ""   mydialin
# For multiple modems, the IP list would be multiple IPs or a range of IPs
# end of /etc/ppp/pap-secrets

Note added 6/7/00: I seem to remember having trouble using the +pap option because that was asking the other machine to authenticate itself. The auth and login options typically take care of user authentication. I know I excluded this option from the suggested pppd options, but I am not sure why I included it here. Maybe it works for a generic pap-secrets user if your machine name matches your username. But if you have trouble logging on, try removing the +pap.
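The pap-secrets comment above tells you to check /etc/passwd and add any other account that should not be able to use pppd. The following script is an added example (not from the original page and not part of pppd) that does that check: it reads pap-secrets the way this file is written (an address field of "-" denies that client; the "* * """ line hands every other user to the `login` check against /etc/passwd) and lists low-uid accounts the deny list misses, deny entries for accounts that do not exist, and accounts with an empty password field. The uid threshold of 100 and the sample /etc/passwd and pap-secrets contents are assumptions constructed for the example; run it with two file paths to audit a real system.

```python
"""Audit the deny list in /etc/ppp/pap-secrets against /etc/passwd.

Added example, not part of the original page or of pppd. Conventions
modelled: an address field of "-" denies that client; a "* * "" host"
line lets every other /etc/passwd user in via pppd's `login` option.
"""
import shlex
import sys
from typing import Dict, List, NamedTuple, Set


class Secret(NamedTuple):
    client: str
    server: str
    secret: str        # "" means: defer to the login database
    addrs: List[str]   # address words; ["-"] means the client may not connect


def parse_pap_secrets(text: str) -> List[Secret]:
    """Parse pap-secrets lines; honours "..." quoting and # comments."""
    entries = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)   # '"*"' -> '*', '""' -> ''
        if not words:
            continue
        if len(words) < 3:
            raise ValueError(f"malformed pap-secrets line: {raw!r}")
        entries.append(Secret(words[0], words[1], words[2], words[3:]))
    return entries


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map account name -> {'pw', 'uid', 'shell'} from /etc/passwd text."""
    users = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        name, pw, uid, _gid, _gecos, _home, shell = raw.split(":", 6)
        users[name] = {"pw": pw, "uid": int(uid), "shell": shell}
    return users


def denied_clients(entries: List[Secret]) -> Set[str]:
    """Client names explicitly denied with a "-" address field."""
    return {e.client for e in entries if e.addrs == ["-"] and e.client != "*"}


def has_login_passthrough(entries: List[Secret]) -> bool:
    """True if a wildcard-client entry with an empty secret exists."""
    return any(e.client == "*" and e.secret == "" and e.addrs != ["-"]
               for e in entries)


def audit(pap_text: str, passwd_text: str, system_uid_max: int = 100) -> dict:
    """Report what the deny list misses. The uid threshold is an assumption
    (system accounts below 100 on RedHat of that era)."""
    entries = parse_pap_secrets(pap_text)
    users = parse_passwd(passwd_text)
    denied = denied_clients(entries)
    return {
        "login_passthrough": has_login_passthrough(entries),
        "undenied_system_accounts": sorted(
            name for name, info in users.items()
            if info["uid"] < system_uid_max and name not in denied),
        "stale_denials": sorted(denied - set(users)),
        "empty_password_field": sorted(
            name for name, info in users.items() if info["pw"] == ""),
    }


# Constructed sample data: a trimmed /etc/passwd and the page's deny list.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
nobody:x:99:99:Nobody:/:
dave:x:500:500:David:/home/dave:/bin/bash
guest::501:501:Guest account:/home/guest:/bin/bash
"""

SAMPLE_PAP_SECRETS = """\
# client  server  secret  IP addresses
bin       *       "*"     -
daemon    *       "*"     -
adm       *       "*"     -
lp        *       "*"     -
sync      *       "*"     -
shutdown  *       "*"     -
halt      *       "*"     -
mail      *       "*"     -
news      *       "*"     -
uucp      *       "*"     -
operator  *       "*"     -
games     *       "*"     -
gopher    *       "*"     -
ftp       *       "*"     -
nobody    *       "*"     -
# everyone else: empty secret, so pppd's `login` option checks /etc/passwd
*         *       ""      mydialin
"""


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: audit.py /etc/ppp/pap-secrets /etc/passwd
        pap, pw = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        pap, pw = SAMPLE_PAP_SECRETS, SAMPLE_PASSWD
    for key, value in audit(pap, pw).items():
        print(f"{key}: {value}")
```

With the sample data the script flags root and postgres as low-uid accounts not in the deny list (root matches the author's observation above that listing it changes nothing, but any other daemon account with a real shell and password is worth adding), lists the deny entries whose accounts do not exist on this sample system, and points at guest for its empty password field.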