On Mon, 17 Aug 1998, Crease wrote:
> And what entry COULD be made for the ISP in pap-secrets? I've
> seen ISPs say "user=none password=none" but that wouldn't be valid,
> would it?
>
> Is the only choice not using +pap?
>
> I find the HOWTO a bit vague on this part: I had been led to believe
> that you HAD to authenticate the peer. Thanks for the enlightenment.

Even though I >believe< that I understand the PAP authentication fairly
well (I run Linux dialin for work and dialout for home using PAP and the
login option), I suspect that my explanation would be more confusing than
what is already written in the HOWTO and man page. But here goes anyway!
;)

PAP authentication works from both ends, so both peers (user and ISP) must
have reciprocal entries in pap-secrets. Only one side needs to request
PAP to verify entries on both. If the other side requests PAP too, you
would need another entry on each end (because the server and client roles
are reversed). Yeech! I suppose you would do this if you were paranoid
(in which case you would be using CHAP, anyway), but it's really
unnecessary, and, as you noted, will fail with ISPs.

In other words, if one side requests PAP, the peers authenticate each
other. If the UserID or secret in pap-secrets on either side is wrong,
the connection won't be made.

For the sake of technical argument, though, you should be able to specify
wildcards in your pap-secrets in place of "user=none password=none". It's
rather pointless, though.

(Now awaiting corrections from Al Longyear/Paul Mackerras :)

Geof

DISCLAIMER: The comments above are my own and may not represent the views
of my employer.
+-------------------------------+-------------------------------------------+
: Geoffrey P. Goodrum : US Department of Commerce :
: +1-301-457-5100 : NOAA/NESDIS National Climatic Data Center :
: [EMAIL PROTECTED]: Satellite Services Branch :
+-------------------------------+-------------------------------------------+
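
Added example (not part of the original message, and not pppd's own code): a simplified Python model of the pap-secrets lookup, showing why a second pair of entries is needed once the client and server roles are reversed, as the reply describes. The names `crease` and `isp-gw`, the secret, and the exact-beats-wildcard scoring are assumptions made for illustration.

```python
import shlex

# Constructed sample files; names and secrets are placeholders.
CLIENT_SECRETS = '''
# client    server    secret
crease      *         dialup-pw
'''
ISP_SECRETS = '''
crease      isp-gw    dialup-pw
'''

def parse_secrets(text):
    """Return (client, server, secret) tuples from pap-secrets style text."""
    entries = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # handles quotes and '#'
        if len(words) >= 3:
            entries.append(tuple(words[:3]))
    return entries

def lookup(entries, client, server):
    """Find the secret for a (client, server) pair; '*' matches any name.
    Exact matches outrank wildcards (simplified model of the lookup)."""
    best, best_score = None, -1
    for c, s, secret in entries:
        if c not in (client, "*") or s not in (server, "*"):
            continue
        score = 2 * (c == client) + (s == server)
        if score > best_score:
            best, best_score = secret, score
    return best

def pap_exchange(peer_entries, auth_entries, peer_name, auth_name):
    """One PAP direction: peer_name sends its name and secret, and
    auth_name checks them against its own file."""
    sent = lookup(peer_entries, peer_name, auth_name)
    expected = lookup(auth_entries, peer_name, auth_name)
    return sent is not None and sent == expected

def direction_results():
    client, isp = parse_secrets(CLIENT_SECRETS), parse_secrets(ISP_SECRETS)
    return {
        # ISP requests PAP: the user's name and secret are checked by the ISP.
        "isp_authenticates_user": pap_exchange(client, isp, "crease", "isp-gw"),
        # User requests PAP (+pap): the ISP would need its own entry pair.
        "user_authenticates_isp": pap_exchange(isp, client, "isp-gw", "crease"),
    }

if __name__ == "__main__":
    print(direction_results())
```
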