Linux Network Administrator Manual (8)
2000-07-29 10:40
Publisher: NetBull  Readings: 1180  Translation: Zhao Wei gohigh@shtdu.edu.cn

Chapter 8. The Point-to-Point Protocol

8.1 Untangling the P's

Like SLIP, PPP is a protocol for sending datagrams across a serial connection, but it addresses several shortcomings of the former. It lets the two communicating sides negotiate options such as IP addresses and the maximum datagram size at startup, and provides for client authorization. PPP has a separate protocol for each of these functions. Below we give a brief summary of these basic building blocks of PPP. The discussion is far from complete; if you want to know more about PPP, you are urged to read the specification in RFC 1548 and the many related RFCs. [1]

At the very bottom of PPP is the High-Level Data Link Control protocol, abbreviated HDLC, [2] which defines the boundaries of the individual PPP frames and provides a 16-bit checksum. A PPP frame can carry packets from protocols other than IP, such as Novell's IPX or AppleTalk. PPP achieves this by adding a protocol field to the basic HDLC frame that identifies the type of packet carried by the frame.

LCP, the Link Control Protocol, is used on top of HDLC to negotiate options pertaining to the data link, such as the Maximum Receive Unit (MRU), which states the maximum datagram size one side of the link agrees to receive.

An important step in the configuration phase of a PPP link is client authorization. Although not mandatory, it is practically a must for dial-up lines. Usually, the called host (the server) asks the client to authenticate itself by proving that it knows some secret key. If the caller fails to produce the correct secret, the connection is terminated. With PPP, authorization works both ways; that is, the caller may also ask the server to authenticate itself. These authentication procedures are completely independent of each other.
There are two protocols for the different types of authentication, which we will discuss further below. They are named the Password Authentication Protocol, or PAP, and the Challenge Handshake Authentication Protocol, or CHAP.

Each network protocol routed across the data link, such as IP or AppleTalk, is configured dynamically using a corresponding Network Control Protocol (NCP). For instance, to send IP datagrams across the link, both sides of the PPP link must first negotiate the IP addresses each of them uses. The control protocol used for this is IPCP, the Internet Protocol Control Protocol.

Besides sending ordinary IP datagrams across the link, PPP also supports Van Jacobson header compression of IP datagrams. This is a technique that shrinks TCP headers to as little as three bytes. It is also used with CSLIP and is more commonly referred to as VJ header compression. Whether compression is used can also be negotiated through IPCP at startup.

8.2 PPP on Linux

On Linux, PPP functionality is split into two parts: the low-level HDLC driver in the kernel, and the pppd daemon that handles the various control protocols.
The current release of Linux PPP is linux-ppp-1.0.0, which contains the kernel PPP module, pppd, and a program called chat used to dial up remote systems. The PPP kernel driver was written by Michael Callahan. pppd was derived from a free PPP implementation for Sun and 386BSD machines, which was written by Drew Perkins and others and is maintained by Paul Mackerras. It was ported to Linux by Al Longyear. [3] chat was written by Karl Fox. [4]

Just like SLIP, PPP is implemented by means of a special line discipline. To use a serial line as a PPP link, you first establish the connection over your modem as usual, and then switch the line to PPP mode. In this mode, all incoming data is passed to the PPP driver, which checks the incoming HDLC frames for validity (each HDLC frame carries a 16-bit checksum), unwraps them and dispatches them. Currently, it can handle IP datagrams, optionally using Van Jacobson header compression. To support IPX, the PPP driver will also be extended to handle IPX packets.

The kernel driver is aided by pppd, the PPP daemon, which performs the entire initialization and authentication phase that is necessary before actual network traffic can be sent across the link. pppd's behaviour can be tuned using a number of options. Since PPP is rather complex, it is impossible to explain all of it in a single chapter. This book therefore does not try to cover every aspect of pppd, but only gives you an introduction. For more information, please refer to the manual pages and the READMEs in the pppd source distribution, which should help you sort out most of the questions this chapter does not discuss. If your problems persist even after reading all the documentation, you should turn to the newsgroup comp.protocols.ppp for help, where you will reach most of the people involved in pppd development.
8.3 Running pppd

When you want to connect to the Internet through a PPP link, you have to set up basic networking facilities such as the loopback device and the resolver. Both have been covered in the previous chapters. There are also some things to be said about using DNS over a serial link; please refer to the description in the SLIP chapter.

As an introductory example of how pppd establishes a PPP connection, assume you are at vlager again. You have dialed up the PPP server, c3po, and logged into the ppp account. c3po has already started its PPP driver. After exiting the communications program you used for dialing, you execute the following command:

    # pppd /dev/cua3 38400 crtscts defaultroute

This switches the serial line cua3 to PPP mode and establishes an IP link to c3po. The transfer speed used on the serial port will be 38400 bps. The crtscts option turns on hardware handshake on the port, which is an absolute must at speeds above 9600 bps.

The first thing pppd does after starting up is to negotiate several link characteristics with the remote end using LCP. Usually, the default set of options pppd tries to negotiate will work, so we won't go into that here. We will discuss LCP in more detail in a later section.

For the moment, we also assume that c3po doesn't require any authentication from us, so the configuration phase completes successfully. pppd will then negotiate the IP parameters with its peer using IPCP, the IP Control Protocol. Since we didn't specify any particular IP address to pppd, it will try to use the address obtained by having the resolver look up the local hostname. Both sides will then announce their address to the other. Usually, there is nothing wrong with these defaults. Even if your machine is on an Ethernet, you can use the same IP address for both the Ethernet and the PPP interface. Of course, pppd also allows you to use a different address, or even to ask the peer to use a specific address. These options are discussed in a later section.
After going through the IPCP setup phase, pppd prepares your host's network layer to use the PPP link. It first configures the PPP network interface as a point-to-point link, using ppp0 for the first active PPP link, ppp1 for the second, and so on. Next, it sets up a routing table entry that points to the host at the other end of the link. In the example shown above, pppd makes the default network route point to c3po, because we gave it the defaultroute option. [5] This causes all datagrams to hosts not on your local network to be sent to c3po. pppd also supports a number of different routing options, which are discussed in detail later in this chapter.

8.4 Using Options Files

Before pppd parses its command line arguments, it scans several files for default options. These files may contain any valid command line arguments, spread over any number of lines. Comments are introduced by a hash sign (#).

The first options file is /etc/ppp/options, which is always scanned when pppd starts up. Using it to set some global defaults is a good idea, because it lets you keep your users from doing several things that may compromise security. For instance, to make pppd require some kind of authentication (either PAP or CHAP) from the peer, you add the auth option to this file. The user cannot override this option, so it becomes impossible to establish a PPP connection with any system that is not in our authentication databases.

The other options file, read after /etc/ppp/options, is .ppprc in the user's home directory. It allows each user to specify her own set of default options.

A sample /etc/ppp/options file might look like this:

    # Global options for pppd running on vlager.vbrew.com
    auth                # require authentication
    usehostname         # use local hostname for CHAP
    lock                # use UUCP-style device locking
    domain vbrew.com    # our domain name

The first two of these options apply to authentication and will be explained below.
The lock keyword makes pppd comply with the standard UUCP method of device locking. With this convention, each process that accesses a serial device, say /dev/cua3, creates a lock file with a name like LCK..cua3 in the UUCP spool directory to signal that the device is in use. This prevents any other programs, such as minicom or uucico, from opening the serial device while it is being used by PPP.

The reason for providing these options in the global configuration file is that options such as those shown above cannot be overridden, and so provide a reasonable level of security. Note, however, that some options can be overridden later; an example is the connect string.

8.5 Using chat to Automate Dialing

One thing you may have found inconvenient in the example above is that you had to establish the connection manually before you could start pppd. Unlike dip, pppd does not have its own scripting language for dialing up the remote system and logging in, but relies on some external program or shell script to do this. The command to be executed can be given to pppd with the connect command line option. pppd redirects the command's standard input and output to the serial line.

One useful program for this is expect, written by Don Libes. It has a very powerful language based on Tcl and was designed exactly for this sort of application. The pppd package also comes with a similar program called chat, which lets you specify a UUCP-style chat script. Basically, a chat script consists of an alternating sequence of strings we expect to receive from the remote system and the strings we send in response. We will call them expect strings and send strings, respectively. This is an excerpt from a typical chat script:

    ogin: b1ff ssword: s3kr3t

This tells chat to wait for the remote system to send the login prompt, and to return the login name b1ff.
We only wait for ogin: so that it doesn't matter whether the login prompt starts with an uppercase or lowercase L, or whether it arrives completely intact. The following string is again an expect string that makes chat wait for the password prompt and then send your password. This is basically all there is to chat scripts. A complete script to dial up a PPP server must, of course, also include the appropriate modem commands. Assume your modem understands the Hayes command set, and the server's telephone number is 318714. The complete chat invocation to establish a connection with c3po would then be:

    $ chat -v "" ATZ OK ATDT318714 CONNECT "" ogin: ppp word: Gagarin

By definition, the first string must be an expect string, but since the modem won't say anything before we have kicked it, we make chat skip the first expect by specifying an empty string. We go on to send ATZ, the reset command for Hayes-compatible modems, and wait for its response (OK). The next string sends the dial command together with the phone number, and expects the CONNECT message in response. This is followed by another empty string, because we don't want to send anything now but wait for the login prompt. The remainder of the chat script works exactly as described above.

The -v option makes chat log all its activity to the local2 facility of the syslog daemon. [6]

Specifying the chat script on the command line bears a certain risk, because users can view a process's command line with the ps command. You can avoid this by putting the chat script in a file, say dial-c3po. You make chat read the script from that file instead of the command line by giving it the -f option followed by the file name. The complete pppd command now looks like this:

    # pppd connect "chat -f dial-c3po" /dev/cua3 38400 -detach crtscts modem defaultroute

Two options have been added on the command line: -detach tells pppd not to detach from the console and become a background process.
The modem keyword makes pppd perform some modem-specific actions on the serial device, such as hanging up the line before and after the call. Without this keyword, pppd does not monitor the port's DCD line, and therefore cannot detect whether the remote end hangs up unexpectedly.

The examples shown above were rather simple; chat allows for much more complex chat scripts. One very useful feature is the ability to specify strings on which to abort the chat with an error. Typical abort strings are messages like BUSY or NO CARRIER, which your modem usually generates when the called number is busy or doesn't pick up. To make chat recognize these immediately, rather than waiting for a timeout, you can specify them at the beginning of the script using the ABORT keyword:

    $ chat -v ABORT BUSY ABORT "NO CARRIER" "" ATZ OK ...

In a similar fashion, you can change the timeout value for parts of the chat script by inserting TIMEOUT options. For details, see the chat(8) manual page.

Sometimes you would also like some sort of conditional execution of parts of the chat script. For instance, when you don't receive the remote end's login prompt, you might want to send a BREAK or a carriage return. You can achieve this by appending a sub-script to an expect string. It consists of a sequence of send and expect strings, just like the overall script itself, separated by hyphens. The sub-script is executed whenever the expect string it is appended to is not received in time.
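To make the expect/send, ABORT and sub-script mechanics concrete, here is a small interpreter for chat-style scripts run against a scripted stand-in for the modem and remote host. This is an added example, not the chat program's code and not from the original text: FakeLine is a constructed simulation (an explicit None in its transcript stands for a timeout), the transcripts are constructed, and an empty send string sending nothing is a simplification of real chat.

```python
"""Toy interpreter for chat(8)-style expect/send scripts.

Added example, not part of the original text or of the chat program. The
serial line is simulated by FakeLine: each read() yields the next chunk of
text the remote side would produce, and an explicit None in that list stands
for a timeout (chat would use a real timer). An empty send string sends
nothing, which is a simplification of real chat's behaviour.
"""


class FakeLine:
    """Scripted stand-in for the modem and the remote host."""

    def __init__(self, incoming):
        self.incoming = list(incoming)   # chunks the remote will "send" to us
        self.sent = []                   # everything we wrote to the line

    def read(self):
        # None means nothing arrived before the timeout expired
        return self.incoming.pop(0) if self.incoming else None

    def send(self, text):
        self.sent.append(text)


def _wait_for(pattern, line, aborts, buf):
    """Read until `pattern` appears ("ok"), an ABORT string appears, or the
    line times out. Returns (status, unconsumed input after the match)."""
    if pattern == "":
        return "ok", buf                 # empty expect: don't wait at all
    while True:
        for word in aborts:
            if word in buf:
                return "abort on " + repr(word), buf
        idx = buf.find(pattern)
        if idx >= 0:
            return "ok", buf[idx + len(pattern):]
        chunk = line.read()
        if chunk is None:
            return "timeout", buf
        buf += chunk


def _expect(expect, line, aborts, buf):
    """Handle an expect string with an optional sub-script,
    expect[-send-expect[-send-expect...]]; the sub-script only runs when
    the preceding expect string is not received in time."""
    parts = expect.split("-")
    status, buf = _wait_for(parts[0], line, aborts, buf)
    k = 1
    while status == "timeout" and k + 1 < len(parts):
        line.send(parts[k])              # e.g. BREAK when no login prompt
        status, buf = _wait_for(parts[k + 1], line, aborts, buf)
        k += 2
    return status, buf


def run_chat(tokens, line):
    """Run a chat script given as its argument list. Returns (ok, reason)."""
    aborts, i = [], 0
    while i + 1 < len(tokens) and tokens[i] == "ABORT":
        aborts.append(tokens[i + 1])     # ABORT strings come first
        i += 2
    rest = tokens[i:]
    if len(rest) % 2:
        raise ValueError("script must alternate expect and send strings")
    buf = ""
    for expect, send in zip(rest[0::2], rest[1::2]):
        status, buf = _expect(expect, line, aborts, buf)
        if status != "ok":
            return False, f"{status} while waiting for {expect!r}"
        if send:
            line.send(send)
    return True, "script completed"


# The dial-up script from the text, with a BREAK sub-script on the login prompt
SCRIPT = ["ABORT", "BUSY", "ABORT", "NO CARRIER",
          "", "ATZ", "OK", "ATDT318714", "CONNECT", "",
          "ogin:-BREAK-ogin:", "ppp", "word:", "Gagarin"]


def demo(incoming):
    """Run SCRIPT against a constructed remote transcript; returns
    (ok, reason, what we sent)."""
    line = FakeLine(incoming)
    ok, reason = run_chat(SCRIPT, line)
    return ok, reason, line.sent


if __name__ == "__main__":
    print(demo(["OK\r\n", "CONNECT 38400\r\n", "\r\nc3po login: ", "Password: "]))
    print(demo(["OK\r\n", "CONNECT 38400\r\n", None, "login: ", "Password: "]))
    print(demo(["OK\r\n", "BUSY\r\n"]))
```

The three runs show the normal path, the path where the login prompt is late and the BREAK sub-script fires, and an early abort on BUSY: the abort strings are checked against everything received, so the script fails immediately instead of waiting out the CONNECT timeout.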
In the example above, we would modify the chat script as follows:

    ogin:-BREAK-ogin: ppp ssword: Gagarin

Now, when chat doesn't see the remote system send the login prompt, the sub-script is executed, first sending a BREAK and then waiting for the login prompt again. If the prompt now appears, the script continues as usual; otherwise it terminates with an error.

8.6 Debugging Your PPP Setup

By default, pppd logs any warnings and error messages to syslog's daemon facility. You have to add an entry to syslog.conf that redirects these messages to a file, or even to the console; otherwise syslog will simply discard them. The following entry sends all messages to /var/log/ppp-log:

    daemon.*    /var/log/ppp-log

If your PPP setup doesn't work right away, looking into this log file should give you a first hint of what is going wrong. If this doesn't help, you can turn on additional debugging output using the debug option. This makes pppd log the contents of all control packets sent or received to syslog. All messages go to the daemon facility.

Finally, the most drastic method is to enable kernel-level debugging with the kdebug option. It is followed by a numeric argument that is the bitwise OR of the following values: 1 for general debug messages, 2 for printing the contents of all incoming HDLC frames, and 4 to make the driver print all outgoing HDLC frames. To capture kernel debugging messages, you must either run a syslogd daemon that reads the /proc/kmsg file, or the klogd daemon. Either of them directs the kernel's debugging output to syslog's kernel facility.

8.7 IP Configuration Options

IPCP is used to negotiate a number of IP parameters at link configuration time. Usually, each peer sends an IPCP Configuration Request packet, indicating which values it wants to change from the defaults, and to what.
Upon receipt, the remote end inspects each option in turn and either acknowledges or rejects it. pppd gives you a lot of control over which IPCP options it tries to negotiate. You can tune these through command line options, which we discuss below.

8.7.1 Choosing IP Addresses

In the example above, we had pppd dial up c3po and establish an IP link. No provisions were made to choose a particular IP address on either end of the link. Instead, vlager's address was used as the local IP address, and c3po supplied its own. Sometimes, however, it is useful to control which address is used on one or both ends of the link. pppd supports several variations of this.

To ask for particular addresses, you give pppd the following option:

    local_addr:remote_addr

Here, local_addr and remote_addr may be specified either in dotted quad notation or as hostnames. [7] This makes pppd attempt to use the first address as its own IP address, and the second as the peer's. If the peer rejects either of them during IPCP negotiation, no IP link is established. [8]

If you only want to set the local address, but accept any address the peer uses, you simply leave out the remote_addr part. For instance, to make vlager use the IP address 130.83.4.27 instead of its own, you would give it 130.83.4.27: on the command line. Similarly, to set only the remote address, leave the local_addr field blank. By default, pppd then uses the address associated with your hostname.
Some PPP servers that handle a lot of client sites assign addresses dynamically: an address is assigned to a client system only when it calls in, and is reclaimed after it logs off again. When dialing up such a server, you must make sure that pppd doesn't request any particular IP address from the server, but accepts the address the server asks you to use. This means you must not specify the local_addr argument. Instead, you must use the noipdefault option, which makes pppd wait for the peer to provide the IP address instead of using the local host's address.

8.7.2 Routing Through a PPP Link

After setting up the network interface, pppd usually sets up only a host route to the peer it is connected to. If the remote host is on a LAN, you certainly want to be able to reach the other hosts on the remote host's network as well; that is, a network route must be set up.

We have already seen above that pppd can be asked to set the default route using the defaultroute option. This option is very useful if the PPP server you dialed up acts as your gateway. The reverse case, where your system acts as a gateway for a single host, is also easy to accomplish. For example, take an employee of the Virtual Brewery whose home machine is called loner. When connecting to vlager through PPP, he uses an address on the Brewery's subnet. On vlager, we can now give pppd the proxyarp option, which installs a proxy ARP entry for loner. This automatically makes loner reachable from all hosts at the Brewery and the Winery.

However, things aren't always that simple, for instance when linking two local area networks. This usually requires adding a specific network route, because these networks may have their own default routes. Besides, having both peers use the PPP link as the default route would generate a loop, where packets to unknown destinations would bounce back and forth between the two endpoints until their time-to-live expired.
As an example, assume the Virtual Brewery opens a branch office in some other city. The subsidiary runs an Ethernet of its own using the IP network number 191.72.3.0, which is subnet 3 of the Brewery's class B network. They want to connect to the Brewery's main Ethernet via PPP to update customer databases and so on. Again, vlager acts as the gateway; its peer is called sub-etha and has the IP address 191.72.3.1.

When sub-etha connects to vlager, it makes the default route point to vlager as usual. On vlager, however, we have to install a network route for subnet 3 that goes through sub-etha. For this, we use a feature of pppd we haven't discussed yet, the ip-up command. This is a shell script or program located in /etc/ppp that is executed after the PPP interface has been configured. When present, it is invoked with the following parameters:

    ip-up iface device speed local_addr remote_addr

Here, iface names the network interface used, device is the pathname of the serial device file used (/dev/tty if stdin/stdout are used), and speed is the device's speed. local_addr and remote_addr give the IP addresses of the two endpoints of the link in dotted quad notation. In our case, the ip-up script may contain the following code fragment:

    #!/bin/sh
    case $5 in
    191.72.3.1)     # this is sub-etha
        route add -net 191.72.3.0 gw 191.72.3.1;;
    esac
    exit 0

In a similar fashion, /etc/ppp/ip-down is used to undo all actions of ip-up after the PPP link has been taken down again. However, the routing scheme is not yet complete.
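The routing loop warned about in the previous section, and the way the network route installed by ip-up avoids it, can be checked with a toy forwarder walked over the two hosts' routing tables. This is an added example, not from the original text: the longest-prefix-match forwarder is a simplification of the kernel's, the tables are constructed from the Brewery example, 191.72.1.0/24 is assumed as vlager's own Ethernet, and the host routes pppd installs for the link itself are omitted.

```python
"""Why two PPP peers must not both point their default route at each other.

Added example, not from the original text: a toy longest-prefix-match
forwarder walked over constructed routing tables for vlager and sub-etha.
The network 191.72.1.0/24 is assumed for vlager's own Ethernet; the host
routes pppd installs for the link itself are left out.
"""
from ipaddress import ip_address, ip_network


def next_hop(table, dst):
    """Longest-prefix match over [(network, gateway)]; gateway None means
    the network is directly attached. Returns a host name, "local", or None."""
    best = None
    for net, gw in table:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    if best is None:
        return None
    return best[1] if best[1] is not None else "local"


def forward(tables, start, dst, ttl=8):
    """Follow a datagram from host to host until it is delivered on an
    attached network, dropped for lack of a route, or its TTL runs out.
    Returns (hosts visited, outcome)."""
    path, host = [start], start
    while ttl > 0:
        hop = next_hop(tables[host], dst)
        if hop == "local":
            return path, "delivered"
        if hop is None:
            return path, "no route"
        path.append(hop)
        host, ttl = hop, ttl - 1
    return path, "ttl expired"


# Misconfiguration: both ends use the PPP link as their default route.
LOOPED = {
    "vlager":   [("191.72.1.0/24", None), ("0.0.0.0/0", "sub-etha")],
    "sub-etha": [("191.72.3.0/24", None), ("0.0.0.0/0", "vlager")],
}

# What the ip-up fragment in the text sets up: sub-etha keeps its default
# route to vlager, vlager gets an explicit network route for subnet 3 only.
ROUTED = {
    "vlager":   [("191.72.1.0/24", None), ("191.72.3.0/24", "sub-etha")],
    "sub-etha": [("191.72.3.0/24", None), ("0.0.0.0/0", "vlager")],
}


if __name__ == "__main__":
    print(forward(LOOPED, "sub-etha", "10.9.9.9"))     # ping-pong until TTL expires
    print(forward(ROUTED, "vlager", "191.72.3.42"))    # delivered via sub-etha
    print(forward(ROUTED, "sub-etha", "10.9.9.9"))     # dropped at vlager, no loop
```

With both default routes pointing across the link, a datagram for an address neither side knows is handed back and forth until its TTL is exhausted; with a network route on vlager only, traffic for subnet 3 is delivered and unknown destinations are simply dropped at the gateway.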
We have set up routing table entries on both PPP hosts, but so far none of the other hosts on either network knows anything about the PPP link. This is not a big problem if all hosts at the subsidiary have their default route pointing to sub-etha, and all Brewery hosts route to vlager by default. If this is not the case, your only option is to use a routing daemon like gated. After the network route has been created on vlager, the routing daemon would broadcast the new route to all hosts on the attached subnets.

8.8 Link Control Options

Above, we already encountered LCP, the Link Control Protocol, which is used to negotiate link characteristics and to test the link. Two important options negotiated by LCP are the Maximum Receive Unit and the Asynchronous Control Character Map. There are a number of other LCP configuration options, but they are far too specialized to discuss here. Please refer to RFC 1548 for a description of them.

The Asynchronous Control Character Map, colloquially called the async map, is used on asynchronous links such as telephone lines to identify control characters that must be escaped (replaced by a specific two-character sequence). For instance, you may want to avoid the XON and XOFF characters used for software handshake, because some misconfigured modem might choke on receiving an XOFF. Other candidates include Ctrl-] (the telnet escape character). PPP allows you to escape any of the characters with ASCII codes 0 through 31 by specifying them in the async map.

The async map is a 32-bit wide bitmap, with the least significant bit corresponding to the ASCII NUL character and the most significant bit corresponding to ASCII 31. If a bit is set, it signals that the corresponding character must be escaped before it is sent across the link. Initially, the async map is set to 0xffffffff, meaning that all control characters will be escaped.
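The bit layout just described, and what escaping actually does to a frame, as an added example that is not from the original text: the map arithmetic follows the text, while the two-character escape sequence (0x7d followed by the octet XOR 0x20, with the HDLC flag and escape octets always escaped) is the rule from RFC 1662, which the text does not spell out, and the payload bytes are constructed.

```python
"""Async control character map arithmetic and PPP octet escaping.

Added example, not pppd's code. The bit layout follows the text; the
escaping rule (0x7d followed by the octet XOR 0x20, with 0x7d and 0x7e
themselves always escaped) is taken from RFC 1662.
"""


def asyncmap(control_chars):
    """Build the 32-bit map: bit n set means ASCII n (0..31) must be escaped."""
    m = 0
    for c in control_chars:
        if not 0 <= c <= 31:
            raise ValueError(f"{c} is not a control character")
        m |= 1 << c
    return m


def must_escape(octet, accm):
    """Control characters flagged in the map, plus the HDLC flag (0x7e) and
    escape (0x7d) octets, which are escaped regardless of the map."""
    return octet in (0x7d, 0x7e) or (octet < 0x20 and (accm >> octet) & 1 == 1)


def escape(data, accm):
    """Apply the map to an outgoing frame payload."""
    out = bytearray()
    for b in data:
        if must_escape(b, accm):
            out += bytes([0x7d, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unescape(data):
    """Reverse escape(); the receiver needs no map, only the escape octet."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0x7d:
            if i + 1 >= len(data):
                raise ValueError("dangling escape at end of frame")
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


if __name__ == "__main__":
    xon_xoff = asyncmap([17, 19])            # the text's asyncmap 0x000A0000
    print(hex(xon_xoff), hex(asyncmap(range(32))))
    payload = b"\x11hello\x13\x7e\x01"       # constructed sample payload
    print(escape(payload, xon_xoff))
    print(unescape(escape(payload, xon_xoff)) == payload)
```

Setting only bits 17 and 19 yields 0x000A0000, the value given for the asyncmap option below; with that map 0x01 passes through unescaped, whereas the initial map 0xffffffff escapes every control character.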
To tell your peer that it doesn't have to escape all control characters but only a few of them, you can specify a new async map to pppd using the asyncmap option. For example, if only ^S and ^Q (ASCII 17 and 19, commonly used for XON and XOFF) must be escaped, use the following option:

    asyncmap 0x000A0000

The Maximum Receive Unit, or MRU, signals to the peer the maximum size of HDLC frames we are willing to receive. Although this may immediately remind you of the MTU value (Maximum Transfer Unit), the two have little in common. The MTU is a parameter of the kernel's networking device and describes the maximum frame size the interface is able to handle. The MRU is more of an advisory to the remote end not to generate any frames larger than the MRU; in any case, the interface must be able to receive frames of up to 1500 bytes. Choosing an MRU is therefore not so much a question of what the link is capable of transferring, but of what gives you the best throughput. If you intend to run interactive applications over the link, setting the MRU to 296 is a good idea, so that an occasional larger packet (say, from an FTP session) doesn't make your cursor "jump". To tell pppd to request an MRU of 296, you give it the option mru 296. Small MRUs, however, only make sense if you haven't disabled VJ header compression (it is enabled by default).

pppd also understands a couple of LCP options that configure the overall behaviour of the negotiation process, such as the maximum number of configuration requests that may be exchanged before the link is terminated. Unless you know exactly what you are doing, you should leave these alone. Finally, there are two options that apply to LCP echo messages.
PPP defines two messages, Echo Request and Echo Response. pppd uses this feature to check whether a link is still operating. You can enable it with the lcp-echo-interval option together with a time in seconds. If no frames are received from the remote host within this interval, pppd generates an Echo Request and expects the peer to return an Echo Response. If the peer does not produce a response, the link is terminated after a certain number of requests have been sent. This number can be set with the lcp-echo-failure option. By default, this feature is disabled altogether.

8.9 General Security Considerations

A misconfigured PPP daemon can be a devastating security breach. It can be as bad as letting anyone log in on your Ethernet (and that can be very bad). In this section, we discuss a few measures that should make your PPP configuration safe.

One problem with pppd is that it requires root privilege to configure the network device and the routing table. You usually solve this by making it setuid root. However, pppd lets users set various security-relevant options. To protect against any attacks a user may launch by manipulating these options, it is suggested you set a couple of default values in the global /etc/ppp/options file, like those shown in the sample file in the section on options files. Some of them, such as the authentication options, cannot be overridden by the user, and so provide a reasonable protection against manipulation.

Of course, you also have to protect yourself from the systems you speak PPP with. To fend off hosts posing as something they are not, you should always require some sort of authentication from your peer. Additionally, you should not allow foreign hosts to use any IP address they choose, but restrict them to a few at most. The following section deals with these topics in turn.

8.10 Authentication with PPP

8.10.1 CHAP versus PAP

With PPP, each system may require its peer to authenticate itself using one of two authentication protocols.
These are the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). After a connection is established, either end can request the other to authenticate itself, regardless of whether it is the caller or the callee. Below, I will loosely speak of "client" and "server" when I want to distinguish between the authenticating system and the authenticator. A PPP daemon asks its peer for authentication by sending yet another LCP configuration request identifying the desired authentication protocol.

PAP works basically the same way as the normal login procedure. The client authenticates itself by sending a user name and a (possibly encrypted) password to the server, which the server compares against its secrets database. This technique is vulnerable to intruders who manage to obtain the password, and to trial-and-error attacks.

CHAP does not have these deficiencies. With CHAP, the authenticator (that is, the server) sends a randomly generated "challenge" string to the client, together with its hostname. The client uses the hostname to look up the appropriate secret, combines it with the challenge, and encrypts the resulting string with a one-way hash function. The result is returned to the server along with the client's hostname. The server now performs the same computation, and if it arrives at the same result, the client is authenticated.

Another feature of CHAP is that it does not only require the client to authenticate itself at startup, but sends challenges at regular intervals to make sure the client has not been replaced by an intruder, for instance by switching phone lines.
pppd keeps the secret keys for CHAP and PAP in two separate files, called /etc/ppp/chap-secrets and /etc/ppp/pap-secrets. By entering a remote host in one or the other file, you have fine control over whether CHAP or PAP is used to authenticate ourselves to the peer, and to authenticate the peer.

By default, pppd doesn't require authentication from the remote end, but agrees to authenticate itself when requested by the remote. Since CHAP is much stronger than PAP, pppd tries to use the former whenever possible. If the peer does not support it, or if pppd can't find a CHAP secret for the remote system in its chap-secrets file, it falls back to PAP. If it doesn't have a PAP secret for the peer either, it refuses to authenticate at all. As a consequence, the connection is closed.

This behaviour can be modified in several ways. For instance, when given the auth keyword, pppd requires the peer to authenticate itself. pppd agrees to use either CHAP or PAP for this, as long as it has a secret for the peer in its CHAP or PAP database. There are further options to turn a particular authentication protocol on or off, but we won't describe them here. Please refer to the pppd(8) manual page for details.

If you want all systems you talk PPP with to authenticate themselves to you, you should put the auth option in the global /etc/ppp/options file and define secrets in the chap-secrets file for each system. If a system doesn't support CHAP, add an entry to the pap-secrets file. That way, you can make sure that any system connecting to your host is authenticated.

The next two sections discuss the two PPP secrets files, pap-secrets and chap-secrets. They are located in /etc/ppp and contain triples of client, server and secret, optionally followed by a list of IP addresses. The interpretation of the client and server fields differs between CHAP and PAP, and also depends on whether we authenticate ourselves to the peer, or require the server to authenticate itself to us.
8.10.2 The CHAP Secrets File

When pppd has to authenticate itself to some server using CHAP, it searches the chap-secrets file for an entry whose client field equals the local hostname, and whose server field equals the remote hostname sent in the CHAP challenge. When requiring the peer to authenticate itself, the roles are simply reversed: pppd then looks for an entry whose client field equals the remote hostname (taken from the client's CHAP response), and whose server field equals the local hostname.

Here is a sample chap-secrets file for vlager: [9]

    # chap secrets for vlager.vbrew.com
    #
    # client            server            secret                 addrs
    # ---------------------------------------------------------------------------
    vlager.vbrew.com    c3po.lucas.com    "Use the source Luke"  vlager.vbrew.com
    c3po.lucas.com      vlager.vbrew.com  "Riverrun, Pasteve"    c3po.lucas.com
    *                   vlager.vbrew.com  "VerystupidPassword"   pub.vbrew.com

When vlager establishes a PPP connection with c3po, c3po asks vlager to authenticate itself by sending a CHAP challenge. pppd then scans chap-secrets for an entry whose client field equals vlager.vbrew.com and whose server field equals c3po.lucas.com, [10] and finds the first line shown above.
It then generates a CHAP response from the challenge string and the secret, and sends it to c3po. At the same time, pppd composes a CHAP challenge for c3po, containing a unique challenge string and its fully qualified hostname, vlager.vbrew.com. c3po constructs a CHAP response in the way we discussed, and returns it to vlager. pppd now extracts the client hostname (c3po.lucas.com) from the response, and searches the chap-secrets file for a line with c3po.lucas.com in the client field and vlager.vbrew.com in the server field. This is exactly the second line above, so pppd combines the CHAP challenge and the secret from that line, encrypts them, and compares the result with c3po's CHAP response.

The optional fourth field lists the IP addresses that are acceptable for the client named in the first field. The addresses can be given in dotted quad notation or as hostnames that are looked up with the resolver. For instance, if c3po requests an IP address during IPCP negotiation that is not in this list, the request is rejected and IPCP is shut down. In the sample file shown above, c3po is therefore limited to using its own IP address. If the address field is empty, any address is allowed; if the field is non-empty, the client's IP address is restricted to the ones listed.

The third line of the sample chap-secrets file allows any host to establish a PPP link with vlager, because a client or server field of * matches any hostname. The only requirements are that the connecting host knows the secret and that it uses the address pub.vbrew.com. Entries with wildcard hostnames may appear anywhere in the secrets file, since pppd always uses the most specific entry that matches the server/client pair.

There are some words to be said about the way pppd arrives at the hostnames it looks up in the secrets file. As explained before, the remote hostname is always provided by the peer in the CHAP challenge or response packet. The local hostname is obtained by calling the gethostname(2) function by default.
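The exchange just described, together with the chap-secrets lookup rules (exact entries beat the * wildcard, the fourth field restricts the peer's address), as an added example that is not pppd's code and not from the original text. The secrets lookup and the address check follow the text; the response computation, MD5 over the identifier, the secret and the challenge, is CHAP with MD5 as specified in RFC 1994, which the text only describes as a one-way hash; SAMPLE_SECRETS is constructed from the sample file above, and the 16-byte random challenge and the identifier value 1 are assumptions.

```python
"""CHAP authentication against a chap-secrets file.

Added example, not pppd's code. The secrets lookup (exact names beat the
'*' wildcard) and the address restriction in the fourth field follow the
text; the response computation, MD5 over identifier || secret || challenge,
is CHAP with MD5 as specified in RFC 1994, which the text only describes as
a one-way hash. SAMPLE_SECRETS is constructed from the text's sample file.
"""
import hashlib
import hmac
import os
import shlex

SAMPLE_SECRETS = """\
# chap secrets for vlager.vbrew.com
# client            server            secret                 addrs
vlager.vbrew.com    c3po.lucas.com    "Use the source Luke"  vlager.vbrew.com
c3po.lucas.com      vlager.vbrew.com  "Riverrun, Pasteve"    c3po.lucas.com
*                   vlager.vbrew.com  "VerystupidPassword"   pub.vbrew.com
"""


def parse_secrets(text):
    """Return [(client, server, secret, [addrs...])], honouring quotes and
    '#' comments the way the secrets files are written."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue
        client, server, secret, *addrs = fields
        entries.append((client, server, secret, addrs))
    return entries


def lookup(entries, client, server):
    """Pick the entry for a client/server pair; the most specific match wins,
    so a '*' line is only used when no exact line exists."""
    best = None
    for c, s, secret, addrs in entries:
        if c in (client, "*") and s in (server, "*"):
            score = (c != "*") + (s != "*")
            if best is None or score > best[0]:
                best = (score, secret, addrs)
    return None if best is None else (best[1], best[2])


def chap_response(ident, secret, challenge):
    """CHAP-MD5 response (RFC 1994): MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def verify_peer(entries, local_host, peer_name, ident, challenge, response, peer_addr):
    """Authenticator side: the peer is the client, we are the server.
    Returns (accepted, reason)."""
    found = lookup(entries, peer_name, local_host)
    if found is None:
        return False, "no secret for peer"
    secret, addrs = found
    expected = chap_response(ident, secret, challenge)
    if not hmac.compare_digest(expected, response):   # constant-time compare
        return False, "bad response"
    if addrs and peer_addr not in addrs:               # fourth-field restriction
        return False, "address not permitted"
    return True, "authenticated"


def demo():
    """vlager challenges c3po; returns the outcomes of a good response, the
    same response with a disallowed address, and that response replayed
    against a fresh challenge."""
    entries = parse_secrets(SAMPLE_SECRETS)
    challenge = os.urandom(16)                           # vlager's random challenge
    # c3po's side: client = itself, server = the name carried in the challenge
    secret, _ = lookup(entries, "c3po.lucas.com", "vlager.vbrew.com")
    response = chap_response(1, secret, challenge)
    good = verify_peer(entries, "vlager.vbrew.com", "c3po.lucas.com",
                       1, challenge, response, "c3po.lucas.com")
    bad_addr = verify_peer(entries, "vlager.vbrew.com", "c3po.lucas.com",
                           1, challenge, response, "pub.vbrew.com")
    replayed = verify_peer(entries, "vlager.vbrew.com", "c3po.lucas.com",
                           1, os.urandom(16), response, "c3po.lucas.com")
    return good, bad_addr, replayed


if __name__ == "__main__":
    print(demo())
```

Because every challenge is fresh and random, a response captured from one exchange is useless against the next one, which is the property that lets CHAP re-challenge the peer periodically; the address check shows how the fourth field keeps an authenticated peer from claiming an address that is not its own.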
If you have set the system name to your unqualified host name, you also have to give pppd the domain name with the domain option:

    # pppd ... domain vbrew.com

This appends the brewery's domain name to vlager for all authentication-related activities. Other options that modify pppd's idea of the local host name are usehostname and name. When you give the local IP address on the command line as "local:remote", and local is a name rather than a dotted quad, pppd uses it as the local host name. See the pppd(8) manual page for details.

8.10.3 The PAP Secrets File

The PAP secrets file is very similar to CHAP's. The first two fields always contain a user name and a server name; the third holds the PAP secret. When the remote sends an authenticate request, pppd uses the entry whose server field equals the local host name and whose user field equals the user name sent in the request. When authenticating itself with the peer, pppd picks the entry whose user field equals the local user name and whose server field equals the remote host name.

A sample PAP secrets file looks like this:

    # /etc/ppp/pap-secrets
    #
    # user          server          secret          addrs
    vlager-pap      c3po            cresspahl       vlager.vbrew.com
    c3po            vlager          donaldgnuth     c3po.lucas.com

The first line is used to authenticate ourselves when talking to c3po. The second line describes how a user named c3po has to authenticate itself with us. The name vlager-pap in the first column is the user name we send to c3po.
By default, pppd uses the local host name as the user name, but you can specify a different name by giving the user option followed by that name.

When picking an entry from the pap-secrets file in order to authenticate itself with the peer, pppd has to know the remote host's name. Since it has no way of finding that out itself, you must specify it on the command line with the remotename keyword followed by the peer's host name. For example, to use the above entry for authentication with c3po, we have to add the following options to the pppd command line:

    # pppd ... remotename c3po user vlager-pap

In the fourth field (and all following fields), you can specify which IP addresses are allowed for that particular host, just as in the CHAP secrets file. The peer can then only request addresses from that list. In the sample file, we require c3po to use its real IP address.

Note that PAP is a rather weak authentication method, so you should use CHAP instead whenever possible. We will therefore not cover PAP in greater detail here; if you are interested in using PAP, you will find more PAP features described in the pppd(8) manual page.

8.11 Configuring a PPP Server

Running pppd in server mode is simply a matter of adding the appropriate options to the command line. Ideally you create a special account, say ppp, and give it a script or program as login shell that invokes pppd with these options. For example, you would add the following line to /etc/passwd:

    ppp:*:500:200:Public PPP Account:/tmp:/etc/ppp/ppplogin

Of course, you may use different uids and gids from those shown above. You also have to set the account's password with the passwd command.

The ppplogin script may then look like this:

    #!/bin/sh
    # ppplogin - script to fire up pppd on login
    mesg n
    stty -echo
    exec pppd -detach silent modem crtscts

The mesg command prevents other users from writing to the terminal, for instance with the write command. The stty command turns off character echoing.
This is necessary, because otherwise everything the peer sends would be echoed back to it. The most important pppd option given above is -detach, because it prevents pppd from detaching from the controlling tty. If we did not specify this option, pppd would go to the background, making the shell script exit. That would in turn cause the serial line to hang up and the connection to be dropped. The silent option makes pppd wait until it receives a packet from the calling system before it starts sending. This prevents transmit timeouts when the calling system is slow in starting its PPP client. The modem option makes pppd watch the DTR line to see whether the peer has dropped the connection, and crtscts turns on hardware handshaking.

Apart from these options, you may want to force some sort of authentication, for instance by specifying auth on the pppd command line or in the global options file. For more options that turn the individual authentication protocols on and off, see the manual page.

Notes

[1] The RFCs are listed in the bibliography at the end of this book.
[2] In fact, HDLC is a much more general protocol designed by the International Organization for Standardization (ISO).
[3] Both authors have said that they will be rather busy in the future. If you have any general questions about PPP, you had better ask the people on the NET channel of the Linux Activists mailing list.
[4] karl@morningstar.com
[5] The default network route is only set up if none is present yet.
[6] If you edit syslog.conf to redirect these log messages to a file, make sure this file is not readable by other users, because chat by default logs the entire session script, including passwords and everything else.
[7] With the CHAP authentication method, this option also has consequences for the host name used. See the CHAP section below.
[8] With the pppd options ipcp-accept-local and ipcp-accept-remote, you can allow the remote to override your ideas about which IP addresses to use. Refer to the manual page for details.
[9] The double quotes are not part of the password; they merely serve to protect the spaces in the password.
[10] This host name is taken from the CHAP challenge.

Source: Linux free pigeon