This is pretty much how I do it with wildcards: I've not enabled ipcp-allow-local and ipcp-allow-remote so the client tells me what their IP is. The server will allocate an IP, but the client cannot.
----- Original Message -----
From: "Jacco de Leeuw" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 20, 2003 9:05 PM
Subject: Re: ip allocation bug

>
> Tim Warnock wrote:
>
> > is there a way of having it do it, and even allocate
> > static ip addresses to users?
>
> Perhaps something like this (/etc/ppp/chap-secrets) might work:
>
> # Secrets for authentication using CHAP
> # client   server   secret              IP addresses
> jacco      *        "mysecret"          210.8.120.129
> *          jacco    "mysecret"          210.8.120.129
> tim        *        "rumpelstiltskin"   210.8.120.130
> *          tim      "rumpelstiltskin"   210.8.120.130
>
> This touches upon another issue. It seems that when dynamic
> IP addresses are used in combination with the "*" wildcard
> in chap-secrets, the user can configure _any_ static IP address
> that he wants. L2tpd/pppd will happily assign it to him, even
> if the address falls outside the allowed "ip range". Scary.
>
> Perhaps it would be better to specify the allowed IP range
> in chap-secrets as well? (Or use static IP addresses, as
> mentioned above). For example:
>
> # Secrets for authentication using CHAP
> # client   server   secret              IP addresses
> jacco      *        "mysecret"          210.8.120.129/27
> *          jacco    "mysecret"          210.8.120.129/27
> tim        *        "rumpelstiltskin"   210.8.120.129/27
> *          tim      "rumpelstiltskin"   210.8.120.129/27
>
> The passwords will be valid only for the 210.8.120.129/27 subnet,
> i.e. 32 addresses starting from .129.
>
> What do you guys think of it? Wildcards considered harmful?
>
> Jacco
> --
> Jacco de Leeuw                         mailto:[EMAIL PROTECTED]
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
> Coffee is not my cup of tea.
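An added example, not part of the original messages: a small Python audit of a chap-secrets file that flags entries whose IP-address field is the `*` wildcard or lies outside the server's pool, the condition discussed in the thread. The pool `210.8.120.128/27`, the function name `audit_chap_secrets` and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress
import shlex

# Assumed server-side address pool (hypothetical value for this example).
ALLOWED_POOL = ipaddress.ip_network("210.8.120.128/27")

# Constructed sample chap-secrets content, not taken from a real system.
SAMPLE = '''\
# Secrets for authentication using CHAP
# client  server  secret             IP addresses
jacco     *       "mysecret"         210.8.120.129
tim       *       "rumpelstiltskin"  *
alice     *       "s3cret"           210.8.120.129/27
bob       *       "hunter2"          10.0.0.5
carol     *       "nopool"
'''

def audit_chap_secrets(text, pool=ALLOWED_POOL):
    """Return (lineno, client, finding) for every entry that does not
    restrict the peer to an address inside `pool`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # shlex handles quoted secrets and strips '#' comments.
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue
        client, addrs = fields[0], fields[3:]
        if not addrs or addrs[0] == "-":
            continue  # pppd permits no address at all for this entry
        for addr in addrs:
            if addr.startswith("!"):
                continue  # explicit "not acceptable" address
            if addr == "*":
                findings.append((lineno, client, "wildcard: peer may claim any address"))
                continue
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                findings.append((lineno, client, f"unparsed (hostname?): {addr}"))
                continue
            if net.version != pool.version or not net.subnet_of(pool):
                findings.append((lineno, client, f"outside pool: {addr}"))
    return findings

if __name__ == "__main__":
    for lineno, client, finding in audit_chap_secrets(SAMPLE):
        print(f"line {lineno}: {client}: {finding}")
```
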
