Catalin BOIE <[EMAIL PROTECTED]> wrote:

> Yes, I agree. But a user can log in first, and then run pppd. It is
> authenticated! He/she doesn't need PAP!

Fine, you don't need/want the user to authenticate again, but you do
need to control the IP address the peer uses.  You can do that either
using /etc/ppp/options.ttyXXX files, or using the new IP address
syntax in /etc/ppp/pap-secrets.  I would suggest an entry like this in
/etc/ppp/pap-secrets (for example):

""      *       ""      123.45.67.0/26+

> rcvd [PAP AuthReq id=0x1 user="linux" password=<hidden>]
> sent [PAP AuthAck id=0x1 "Login ok"]
> ... (the user connects ok)
> 
> Pay attention here!
> The "linux" user doesn't even exist in my /etc/passwd file!!!

Do you use the `login' option?  If not, the /etc/passwd file is
irrelevant.

> And pppd says that the login is ok!
> This log is after I asked user "co" to put "*   *       ""      *" in
> /etc/ppp/pap-secrets.

On which machine?  His or yours?  What does he have in his
/etc/ppp/pap-secrets?  Or is he using something other than linux?

> Without it I get "peer refuse to authenticate" in my logs.

What do you have in your /etc/ppp/pap-secrets?  (I don't need to see
the actual passwords, of course.)

> The point is that if a user logs in to my system with "Terminal window"
> using win95 and enters the username, password and after that presses "F7",
> it's not necessary to auth again with PAP. Anyway, if the username and
> password are wrong, a user still can log in. pppd-2.3.9 wants PAP but if a
> user is authenticated already, it ignores the username and the password.

Not exactly: if you have an entry like `"" * "" *' in pap-secrets, it
means any username can log in with any password and use any IP
address.  I just had another look at the sources and I see that pppd
requires the first field to be the null string in this case, not `*'.

I think that having a privileged `allow-ip' option to express this
would probably be better than a funny /etc/ppp/pap-secrets entry.

The only change in ppp-2.3.9 vs. 2.3.8 that is relevant is that I
changed the way the PAP checking is done in the case where you are
using the login option and the password field of an entry in
pap-secrets is "".  This change certainly shouldn't have produced the
effects you are describing, but it's possible I goofed somewhere
there.

Paul.
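
The pap-secrets matching that Paul describes above (a catch-all client
entry with an empty secret accepting any username and password, and the
fourth field deciding which IP address the peer may use) can be modelled in
a few dozen lines. The script below is an added example written for this
page; it is not pppd source. It follows the entry layout from pppd(8):
"*" in the client or server field matches anything, a secret of "" accepts
any password (the `login' option is not modelled), and the address list
uses "-" for no address, "*" for any, "!addr" to reject one address,
a.b.c.d/n for a subnet and a.b.c.d/n+ for the single subnet address whose
host part is the interface unit number plus one. Two points are assumptions
rather than documented behaviour: an empty client field "" is treated as
matching any peer name (taken from Paul's remark that the catch-all entry
needs "" as its first field), and shlex stands in for pppd's own tokenizer.
The SAMPLE_SECRETS content is constructed for the example.

```python
"""Model of how pppd's /etc/ppp/pap-secrets entries are evaluated.

Added example, not pppd source.  Entry layout:
    client  server  secret  [ipaddrs...]
  - "*" in client/server matches anything; an empty client field "" is
    treated as matching any peer name (ASSUMPTION from the thread above)
  - a secret of "" accepts any password (the `login' option is not modelled)
  - address list: no words or "-" = nothing allowed, "*" = any address,
    "!addr" = reject that address, a.b.c.d/n = whole subnet, a.b.c.d/n+ =
    the one subnet address whose host part is the unit number + 1
shlex is used instead of pppd's own getword() tokenizer (assumption).
"""
import ipaddress
import shlex

# Constructed sample secrets file: one named user plus the catch-all
# entry from the thread.  Not a real configuration.
SAMPLE_SECRETS = '''
# client  server  secret   allowed addresses
alice     *       "s3cret" 10.0.0.5
""        *       ""       123.45.67.0/26+
'''


def parse_secrets(text):
    """Return a list of (client, server, secret, [address words]) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        words = shlex.split(line)              # "" becomes an empty string
        if len(words) < 3:
            continue                           # malformed line: skip it
        entries.append((words[0], words[1], words[2], words[3:]))
    return entries


def ip_allowed(addr, words, unit=0):
    """True if `addr` is acceptable under the address-list words."""
    addr = ipaddress.IPv4Address(addr)
    for w in words:
        if w == "-":
            return False                       # explicit "no addresses"
        if w == "*":
            return True                        # any address
        accept = True
        if w.startswith("!"):
            accept, w = False, w[1:]           # negated entry
        if "/" in w:
            base, rest = w.split("/", 1)
            plus = rest.endswith("+")
            bits = int(rest.rstrip("+"))
            if not 1 <= bits <= 32:
                continue                       # pppd warns and ignores it
            net = ipaddress.IPv4Network((base, bits), strict=False)
            if plus:
                # one address from the subnet: host part = unit number + 1
                if addr == net.network_address + (unit + 1):
                    return accept
            elif addr in net:
                return accept
        elif addr == ipaddress.IPv4Address(w):
            return accept
    return False                               # nothing matched, or no words


def pap_check(entries, user, password, server, peer_addr, unit=0):
    """Return (authenticated, address_allowed) for one PAP AuthReq."""
    best = None
    for entry in entries:
        client, srv, _, _ = entry
        if client not in ("*", "") and client != user:
            continue
        if srv != "*" and srv != server:
            continue
        # prefer the most specific entry: a named client beats a wildcard,
        # then a named server beats a wildcard
        score = 2 * (client not in ("*", "")) + (srv != "*")
        if best is None or score > best[0]:
            best = (score, entry)
    if best is None:
        return False, False
    _, (_, _, secret, addrs) = best
    if secret != "" and secret != password:
        return False, False                    # wrong password -> AuthNak
    return True, ip_allowed(peer_addr, addrs, unit)


if __name__ == "__main__":
    entries = parse_secrets(SAMPLE_SECRETS)
    for user, pw, ip in [("alice", "s3cret", "10.0.0.5"),
                         ("alice", "wrong", "10.0.0.5"),
                         ("linux", "anything", "123.45.67.1"),
                         ("linux", "anything", "123.45.67.9")]:
        print(user, pap_check(entries, user, pw, "gw", ip, unit=0))
```

Run as a script it shows the effect Catalin reported: the unknown user
"linux" with any password is accepted by the catch-all entry, but with the
/26+ address field it is only allowed the address derived from the unit
number (123.45.67.1 on ppp0), whereas the `"" * "" *` variant would allow
any address.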
