On Wed, 18 Aug 1999, Paul Mackerras wrote:

> Catalin BOIE <[EMAIL PROTECTED]> wrote:
> 
> > Yes, I agree. But a user can login first, and then run pppd. It is
> > authenticated! He/she doesn't need PAP!
> 
> Fine, you don't need/want the user to authenticate again, but you do
> need to control the IP address the peer uses.  You can do that either
> using /etc/ppp/options.ttyXXX files, or using the new IP address
> syntax in /etc/ppp/pap-secrets.  I would suggest an entry like this in
I use options.ttyXXX. Is it enough?

> /etc/ppp/pap-secrets (for example):
> 
> ""    *       ""      123.45.67.0/26+
> 
> > rcvd [PAP AuthReq id=0x1 user="linux" password=<hidden>]
> > sent [PAP AuthAck id=0x1 "Login ok"]
> > ... (the user connects ok)
> > 
> > Pay attention here!
> > The "linux" user doesn't even exist in my /etc/passwd file!!!
> 
> Do you use the `login' option?  If not, the /etc/passwd file is
> irrelevant.
No, if a user runs pppd from a shell.

> 
> > And pppd says that the login is ok!
> > This log is after I asked user "co" to put "* *       ""      *" in
> > /etc/ppp/pap-secrets.
> 
> On which machine?  His or yours?  What does he have in his
> /etc/ppp/pap-secrets?  Or is he using something other than linux?
He uses Linux. The ISP pppd says that the login is ok. The change from 2.3.8 to
2.3.9 is that our server (it has a default route) puts "<auth pap>" in the
LCP message. This is why many clients don't manage to enter ("peer refuse
to authenticate"). If these users put "* *       ""      *" in their
pap-secrets they can login.

> 
> > Without it I get "peer refuse to authenticate" in my logs.
> 
> What do you have in your /etc/ppp/pap-secrets?  (I don't need to see
> the actual passwords, of course.)
*       *       ""      *
If a user uses PAP I put login and auth as parameters (mgetty - Auto_PPP).
If a user logs in first and after that runs /usr/sbin/pppd I don't put the
"login" parameter in /etc/ppp/options. But pppd-2.3.9 insists on authenticating
with PAP, and I didn't specify anywhere to do so!

> 
> > The point is that if a user logs in to my system with "Terminal window"
> > using win95 and enters the username, password and after that presses "F7",
> > it's not necessary to auth again with PAP. Anyway, if the username and
> > password are wrong, a user still can login. pppd-2.3.9 wants PAP but if a
> > user is authenticated already, it ignores the username and the password.
> 
> Not exactly, if you have an entry like `"" * "" *' in pap-secrets, it
> means any username can log in with any password and use any IP
> address.  I just had another look at the sources and I see that pppd
> requires the first field to be the null string in this case, not `*'.
> 
> I think that having a privileged `allow-ip' option to express this
> would probably be better than a funny /etc/ppp/pap-secrets entry.
> 
> The only change in ppp-2.3.9 vs. 2.3.8 that is relevant is that I
> changed the way the PAP checking is done in the case where you are
> using the login option and the password field of an entry in
> pap-secrets is "".  This change certainly shouldn't have produced the
> effects you are describing, but it's possible I goofed somewhere
> there.
> 
> Paul.
> 


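An added example, not code from the thread or from pppd itself: a small checker for the two pap-secrets entry styles discussed above (Paul's `"" * "" 123.45.67.0/26+` and the `* * "" *` entry), showing which peer address each one permits. It assumes that an unauthenticated peer is looked up with the empty client name Paul describes, that non-wildcard fields are preferred over `*`, and, as a simplification of this example, that the trailing `+` is stripped and only the subnet part is checked; an empty address list is treated as permitting nothing. The sample secrets text is constructed.

```python
import ipaddress
import shlex

# Constructed sample of the two entry styles discussed in the thread.
SAMPLE_PAP_SECRETS = '''\
# client  server  secret  acceptable peer addresses
""        *       ""      123.45.67.0/26+
*         *       ""      *
'''

def parse_pap_secrets(text):
    """Parse pap-secrets text into (client, server, secret, addresses) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments ('#' inside quotes not handled)
        if not line:
            continue
        words = shlex.split(line)              # the quoted '""' becomes the empty field ''
        if len(words) < 3:
            raise ValueError(f"malformed pap-secrets line: {raw!r}")
        entries.append((words[0], words[1], words[2], words[3:]))
    return entries

def find_entry(entries, client, server):
    """Pick the best entry for (peer name, our name): exact fields beat '*'.
    Pass client='' for a peer that did not authenticate (assumption of this example)."""
    best, best_score = None, -1
    for entry in entries:
        c, s = entry[0], entry[1]
        if c not in ("*", client) or s not in ("*", server):
            continue
        score = (c != "*") + (s != "*")
        if score > best_score:
            best, best_score = entry, score
    return best

def address_allowed(addr_words, peer_ip):
    """True if peer_ip is permitted by an entry's address list.
    Assumption: a trailing '+' (as in 123.45.67.0/26+) is stripped and only the
    subnet is checked; an empty list permits nothing."""
    ip = ipaddress.ip_address(peer_ip)
    for word in addr_words:
        if word == "*":
            return True
        net = ipaddress.ip_network(word.rstrip("+"), strict=False)  # host or net/bits
        if ip in net:
            return True
    return False
```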
-
To unsubscribe from this list: send the line "unsubscribe linux-ppp" in
the body of a message to [EMAIL PROTECTED]