README
1This is the README file for ppp-2.4, a package which implements the
2Point-to-Point Protocol (PPP) to provide Internet connections over
3serial lines.
4
5
6Introduction.
7*************
8
9The Point-to-Point Protocol (PPP) provides a standard way to establish
10a network connection over a serial link. At present, this package
11supports IP and IPV6 and the protocols layered above them, such as TCP
12and UDP. The Linux port of this package also has support for IPX.
13
14This PPP implementation consists of two parts:
15
16- Kernel code, which establishes a network interface and passes
17packets between the serial port, the kernel networking code and the
18PPP daemon (pppd). This code is implemented using STREAMS modules on
19Solaris, and as a line discipline under Linux.
20
21- The PPP daemon (pppd), which negotiates with the peer to establish
22the link and sets up the ppp network interface. Pppd includes support
23for authentication, so you can control which other systems may make a
24PPP connection and what IP addresses they may use.
25
26The platforms supported by this package are Linux and Solaris. I have
27code for NeXTStep, FreeBSD, SunOS 4.x, SVR4, Tru64 (Digital Unix), AIX
28and Ultrix but no active maintainers for these platforms. Code for
29all of these except AIX is included in the ppp-2.3.11 release.
30
31The kernel code for Linux is no longer distributed with this package,
32since the relevant kernel code is in the official Linux kernel source
33(and has been for many years) and is included in all reasonably modern
34Linux distributions. The Linux kernel code supports using PPP over
35things other than serial ports, such as PPP over Ethernet and PPP over
36ATM.
37
38
39Installation.
40*************
41
42The file SETUP contains general information about setting up your
43system for using PPP. There is also a README file for each supported
44system, which contains more specific details for installing PPP on
45that system. The supported systems, and the corresponding README
46files, are:
47
48 Linux README.linux
49 Solaris README.sol2
50
51In each case you start by running the ./configure script. This works
52out which operating system you are using and creates the appropriate
53makefiles. You then run `make' to compile the user-level code, and
54(as root) `make install' to install the user-level programs pppd, chat
55and pppstats.
56
57N.B. Since 2.3.0, leaving the permitted IP addresses column of the
58pap-secrets or chap-secrets file empty means that no addresses are
59permitted. You need to put a "*" in that column to allow the peer to
60use any IP address. (This only applies where the peer is
61authenticating itself to you, of course.)
62
63
64What's new in ppp-2.4.7.
65************************
66
67* Fixed a potential security issue in parsing option files (CVE-2014-3158).
68
69* There is a new "stop-bits" option, which takes an argument of 1 or 2,
70 indicating the number of stop bits to use for async serial ports.
71
72* Various bug fixes.
73
74
75What was new in ppp-2.4.6.
76**************************
77
78* Man page updates.
79
80* Several bug fixes.
81
82* Options files can now set and unset environment variables for
83 scripts.
84
85* The timeout for chat scripts can now be taken from an environment
86 variable.
87
88* There is a new option, master_detach, which allows pppd to detach
89 from the controlling terminal when it is the multilink bundle master
90 but its own link has terminated, even if the nodetach option has
91 been given.
92
93
94What was new in ppp-2.4.5.
95**************************
96
97* Under Linux, pppd can now operate in a mode where it doesn't request
98 the peer's IP address, as some peers refuse to supply an IP address.
99 Since Linux supports device routes as well as gateway routes, it's
100 possible to have no remote IP address assigned to the ppp interface
101 and still route traffic over it.
102
103* Pppd now works better with 3G modems that do strange things such as
104 sending IPCP Configure-Naks with the same values over and over again.
105
106* The PPP over L2TP plugin is included, which works with the pppol2tp
107 PPP channel code in the Linux kernel. This allows pppd to be used
108 to set up tunnels using the Layer 2 Tunneling Protocol.
109
110* A new 'enable-session' option has been added, which enables session
111 accounting via PAM or wtwp/wtmpx, as appropriate. See the pppd man
112 page for details.
113
114* Several bugs have been fixed.
115
116
117What was new in ppp-2.4.4.
118**************************
119
120* Pppd will now run /etc/ppp/ip-pre-up, if it exists, after creating
121 the ppp interface and configuring its IP addresses but before
122 bringing it up. This can be used, for example, for adding firewall
123 rules for the interface.
124
125* Lots of bugs fixed, particularly in the area of demand-dialled and
126 persistent connections.
127
128* The rp-pppoe plugin now accepts any interface name (that isn't an
129 existing pppd option name) without putting "nic-" on the front of
130 it, not just eth*, nas*, tap* and br*.
131
132
133What was new in ppp-2.4.3.
134**************************
135
136* The configure script now accepts --prefix and --sysconfdir options.
137 These default to /usr/local and /etc. If you want pppd put in
138 /usr/sbin as before, use ./configure --prefix=/usr.
139
140* Doing `make install' no longer puts example configuration files in
141 /etc/ppp. Use `make install-etcppp' if you want that.
142
143* The code has been updated to work with version 0.8.3 of libpcap.
144 Unfortunately the libpcap maintainers removed support for the
145 "inbound" and "outbound" keywords on PPP links, meaning that if you
146 link pppd with libpcap-0.8.3, you can't use those keywords in the
147 active-filter and pass-filter expressions. The support has been
148 reinstated in the CVS version and should be in future libpcap
149 releases. If you need the in/outbound keywords, use a later release
150 than 0.8.3, or get the CVS version from http://www.tcpdump.org.
151
152* There is a new option, child-timeout, which sets the length of time
153 that pppd will wait for child processes (such as the command
154 specified with the pty option) to exit before exiting itself. It
155 defaults to 5 seconds. After the timeout, pppd will send a SIGTERM
156 to any remaining child processes and exit. A value of 0 means no
157 timeout.
158
159* Various bugs have been fixed, including some CBCP packet parsing
160 bugs that could lead to the peer being able to crash pppd if CBCP
161 support is enabled.
162
163* Various fixes and enhancements to the radius and rp-pppoe plugins
164 have been added.
165
166* There is a new winbind plugin, from Andrew Bartlet of the Samba
167 team, which provides the ability to authenticate the peer against an
168 NT domain controller using MS-CHAP or MS-CHAPV2.
169
170* There is a new pppoatm plugin, by various authors, sent in by David
171 Woodhouse.
172
173* The multilink code has been substantially reworked. The first pppd
174 for a bundle still controls the ppp interface, but it doesn't exit
175 until all the links in the bundle have terminated. If the first
176 pppd is signalled to exit, it signals all the other pppds
177 controlling links in the bundle.
178
179* The TDB code has been updated to the latest version. This should
180 eliminate the problem that some people have seen where the database
181 file (/var/run/pppd.tdb) keeps on growing. Unfortunately, however,
182 the new code uses an incompatible database format. For this reason,
183 pppd now uses /var/run/pppd2.tdb as the database filename.
184
185
186What was new in ppp-2.4.2.
187**************************
188
189* The CHAP code has been rewritten. Pppd now has support for MS-CHAP
190 V1 and V2 authentication, both as server and client. The new CHAP
191 code is cleaner than the old code and avoids some copyright problems
192 that existed in the old code.
193
194* MPPE (Microsoft Point-to-Point Encryption) support has been added,
195 although the current implementation shouldn't be considered
196 completely secure. (There is no assurance that the current code
197 won't ever transmit an unencrypted packet.)
198
199* James Carlson's implementation of the Extensible Authentication
200 Protocol (EAP) has been added.
201
202* Support for the Encryption Control Protocol (ECP) has been added.
203
204* Some new plug-ins have been included:
205 - A plug-in for kernel-mode PPPoE (PPP over Ethernet)
206 - A plug-in for supplying the PAP password over a pipe from another
207 process
208 - A plug-in for authenticating using a Radius server.
209
210* Updates and bug-fixes for the Solaris port.
211
212* The CBCP (Call Back Control Protocol) code has been updated. There
213 are new options `remotenumber' and `allow-number'.
214
215* Extra hooks for plugins to use have been added.
216
217* There is now a `maxoctets' option, which causes pppd to terminate
218 the link once the number of bytes passed on the link exceeds a given
219 value.
220
221* There are now options to control whether pppd can use the IPCP
222 IP-Address and IP-Addresses options: `ipcp-no-address' and
223 `ipcp-no-addresses'.
224
225* Fixed several bugs, including potential buffer overflows in chat.
226
227
228What was new in ppp-2.4.1.
229**************************
230
231* Pppd can now print out the set of options that are in effect. The
232 new `dump' option causes pppd to print out the option values after
233 option parsing is complete. The `dryrun' option causes pppd to
234 print the options and then exit.
235
236* The option parsing code has been fixed so that options in the
237 per-tty options file are parsed correctly, and don't override values
238 from the command line in most cases.
239
240* The plugin option now looks in /usr/lib/pppd/<pppd-version> (for
241 example, /usr/lib/pppd/2.4.1b1) for shared objects for plugins if
242 there is no slash in the plugin name.
243
244* When loading a plugin, pppd will now check the version of pppd for
245 which the plugin was compiled, and refuse to load it if it is
246 different to pppd's version string. To enable this, the plugin
247 source needs to #include "pppd.h" and have a line saying:
248 char pppd_version[] = VERSION;
249
250* There is a bug in zlib, discovered by James Carlson, which can cause
251 kernel memory corruption if Deflate is used with the lowest setting,
252 8. As a workaround pppd will now insist on using at least 9.
253
254* Pppd should compile on Solaris and SunOS again.
255
256* Pppd should now set the MTU correctly on demand-dialled interfaces.
257
258
259What was new in ppp-2.4.0.
260**************************
261
262* Multilink: this package now allows you to combine multiple serial
263 links into one logical link or `bundle', for increased bandwidth and
264 reduced latency. This is currently only supported under the
265 2.4.x and later Linux kernels.
266
267* All the pppd processes running on a system now write information
268 into a common database. I used the `tdb' code from samba for this.
269
270* New hooks have been added.
271
272For a list of the changes made during the 2.3 series releases of this
273package, see the Changes-2.3 file.
274
275
276Compression methods.
277********************
278
279This package supports two packet compression methods: Deflate and
280BSD-Compress. Other compression methods which are in common use
281include Predictor, LZS, and MPPC. These methods are not supported for
282two reasons - they are patent-encumbered, and they cause some packets
283to expand slightly, which pppd doesn't currently allow for.
284BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
285ever expand packets.
286
287
288Contacts.
289*********
290
291The comp.protocols.ppp newsgroup is a useful place to get help if you
292have trouble getting your ppp connections to work. Please do not send
293me questions of the form "please help me get connected to my ISP" -
294I'm sorry, but I simply do not have the time to answer all the
295questions like this that I get.
296
297If you find bugs in this package, please report them to the maintainer
298for the port for the operating system you are using:
299
300Linux Paul Mackerras <paulus@samba.org>
301Solaris James Carlson <carlson@workingcode.com>
302
303
304Copyrights:
305***********
306
307All of the code can be freely used and redistributed. The individual
308source files each have their own copyright and permission notice.
309Pppd, pppstats and pppdump are under BSD-style notices. Some of the
310pppd plugins are GPL'd. Chat is public domain.
311
312
313Distribution:
314*************
315
316The primary site for releases of this software is:
317
318 ftp://ftp.samba.org/pub/ppp/
319
320
321
README.cbcp
1 Microsoft Call Back Configuration Protocol.
2 by Pedro Roque Marques
3 (updated by Paul Mackerras)
4
5The CBCP is a method by which the Microsoft Windows NT Server may
6implement additional security. It is possible to configure the server
7in such a manner so as to require that the client systems which
8connect with it are required that following a valid authentication to
9leave a method by which the number may be returned call.
10
11It is a requirement of servers to be so configured that the protocol be
12exchanged.
13
14So, this set of patches may be applied to the pppd process to enable
15the cbcp client *only* portion of the specification. It is primarily
16meant to permit connection with Windows NT Servers.
17
18The ietf-working specification may be obtained from ftp.microsoft.com
19in the developr/rfc directory.
20
21The ietf task group has decided to recommend that the LCP sequence be
22extended to permit the callback operation. For this reason, these
23patches are not 'part' of pppd but are an adjunct to the code.
24
25To enable CBCP support, all that is required is to uncomment the line
26in Makefile.linux that sets CBCP=y and recompile pppd.
27
28I use such script to make a callback:
29
30pppd debug nodetach /dev/modem 115200 crtscts modem \
31callback 222222 name NAME remotename SERVER \
32connect 'chat -v "" atz OK atdt111111 CONNECT ""'
33sleep 1
34pppd debug /dev/modem 115200 crtscts modem \
35name NAME remotename SERVER defaultroute \
36connect 'chat -v RING ATA CONNECT "\c"'
37
38First we invoke pppd with 'nodetach' option in order to not detach from
39the controlling terminal and 'callback NUMBER' option, then wait for
401 second and invoke pppd again which waits for a callback (RING) and
41then answers (ATA). Number 222222 is a callback number, i.e. server will
42call us back at this number, while number 111111 is the number we are
43calling to.
44
45You have to put in /etc/ppp/chap-secrets the following two lines:
46
47NAME SERVER PASSWORD
48SERVER NAME PASSWORD
49
50You have to use your real login name, remote server name and password.
51
52
README.eap-srp
1EAP with MD5-Challenge and SRP-SHA1 support
2by James Carlson, Sun Microsystems
3Version 2, September 22nd, 2002
4
5
61. What it does
7
8 The Extensible Authentication Protocol (EAP; RFC 2284) is a
9 security protocol that can be used with PPP. It provides a means
10 to plug in multiple optional authentication methods.
11
12 This implementation includes the required default MD5-Challenge
13 method, which is similar to CHAP (RFC 1994), as well as the new
14 SRP-SHA1 method. This latter method relies on an exchange that is
15 not vulnerable to dictionary attacks (as is CHAP), does not
16 require the server to keep a cleartext copy of the secret (as in
17 CHAP), supports identity privacy, and produces a temporary shared
18 key that could be used for data encryption.
19
20 The SRP-SHA1 method is based on draft-ietf-pppext-eap-srp-03.txt,
21 a work in progress.
22
232. Required libraries
24
25 Two other packages are required first. Download and install
26 OpenSSL and Thomas Wu's SRP implementation.
27
28 http://www.openssl.org/ (or ftp://ftp.openssl.org/source/)
29 http://srp.stanford.edu/
30
31 Follow the directions in each package to install the SSL and SRP
32 libraries. Once SRP is installed, you may run tconf as root to
33 create known fields, if desired. (This step is not required.)
34
353. Installing the patch
36
37 The EAP-SRP patch described here is integrated into this version
38 of pppd. The following patch may be used with older pppd sources:
39
40 ftp://playground.sun.com/carlsonj/eap/ppp-2.4.1-eap-1.tar.gz
41
42 Configure, compile, and install as root. You may want to edit
43 pppd/Makefile after configuring to enable or disable optional
44 features.
45
46 % ./configure
47 % make
48 % su
49 # make install
50
51 If you use csh or tcsh, run "rehash" to pick up the new commands.
52
53 If you're using Solaris, and you run into trouble with the
54 pseudonym feature on the server side ("no DES here" shows in the
55 log file), make sure that you have the "domestic" versions of the
56 DES libraries linked. You should see "crypt_d" in "ldd
57 /usr/local/bin/pppd". If you see "crypt_i" instead, then make
58 sure that /usr/lib/libcrypt.* links to /usr/lib/libcrypt_d.*. (If
59 you have the international version of Solaris, then you won't have
60 crypt_d. You might want to find an alternative DES library.)
61
624. Adding the secrets
63
64 On the EAP SRP-SHA1 client side, access to the cleartext secret is
65 required. This can be done in two ways:
66
67 - Enter the client name, server name, and password in the
68 /etc/ppp/srp-secrets file. This file has the same format as
69 the existing chap-secrets and pap-secrets files.
70
71 clientname servername "secret here"
72
73 - Use the "password" option in any of the standard
74 configuration files (or the command line) to specify the
75 secret.
76
77 password "secret here"
78
79 On the EAP SRP-SHA1 server side, a secret verifier is required.
80 This is a one-way hash of the client's name and password. To
81 generate this value, run the srp-entry program (see srp-entry(8)).
82 This program prompts for the client name and the passphrase (the
83 secret). The output will be an entry, such as the following,
84 suitable for use in the server's srp-secrets file. Note that if
85 this is transferred by cut-and-paste, the entry must be a single
86 line of text in the file.
87
88pppuser srpserver 0:LFDpwg4HBLi4/kWByzbZpW6pE95/iIWBSt7L.DAkHsvwQphtiq0f6reoUy/1LC1qYqjcrV97lCDmQHQd4KIACGgtkhttLdP3KMowvS0wLXLo25FPJeG2sMAUEWu/HlJPn2/gHyh9aT.ZxUs5MsoQ1E61sJkVBc.2qze1CdZiQGTK3qtWRP6DOpM1bfhKtPoVm.g.MiCcTMWzc54xJUIA0mgKtpthE3JrqCc81cXUt4DYi5yBzeeGTqrI0z2/Gj8Jp7pS4Fkq3GmnYjMxnKfQorFXNwl3m7JSaPa8Gj9/BqnorJOsnSMlIhBe6dy4CYytuTbNb4Wv/nFkmSThK782V:2cIyMp1yKslQgE *
89
90 The "secret" field consists of three entries separated by colons.
91 The first entry is the index of the modulus and generator from
92 SRP's /etc/tpasswd.conf. If the special value 0 is used, then the
93 well-known modulus/generator value is used (this is recommended,
94 because it is much faster). The second value is the verifier
95 value. The third is the password "salt." These latter two values
96 are encoded in base64 notation.
97
98 For EAP MD5-Challenge, both client and server use the existing
99 /etc/ppp/chap-secrets file.
100
1015. Configuration options
102
103 There are two main options relating to EAP available for the
104 client. These are:
105
106 refuse-eap - refuse to authenticate with EAP
107 srp-use-pseudonym - use the identity privacy if
108 offered by server
109
110 The second option stores a pseudonym, if offered by the EAP
111 SRP-SHA1 server, in the $HOME/.ppp_pseudonym file. The pseudonym
112 is typically an encrypted version of the client identity. During
113 EAP start-up, the pseudonym stored in this file is offered to the
114 peer as the identity. If this is accepted by the peer, then
115 eavesdroppers will be unable to determine the identity of the
116 client. Each time the client is authenticated, the server will
117 offer a new pseudoname to the client using an obscured (reversibly
118 encrypted) message. Thus, access across successive sessions
119 cannot be tracked.
120
121 There are two main options for EAP on the server:
122
123 require-eap - require client to use EAP
124 srp-pn-secret "string" - set server's pseudoname secret
125
126 The second option sets the long-term secret used on the server to
127 encrypt the user's identity to produce pseudonames. The
128 pseudoname is constructed by hashing this string with the current
129 date (to the nearest day) with SHA1, then using this hash as the
130 key for a DES encryption of the client's name. The date is added
131 to the hash for two reasons. First, this allows the pseudonym to
132 change daily. Second, it allows the server to decode any previous
133 pseudonym by trying previous dates.
134
135 See the pppd(8) man page for additional options.
136
1376. Comments welcome!
138
139 This is still an experimental implementation. It has been tested
140 and reviewed carefully for correctness, but may still be
141 incomplete or have other flaws. All comments are welcome. Please
142 address them to the author:
143
144 james.d.carlson@sun.com
145
146 or, for EAP itself or the SRP extensions to EAP, to the IETF PPP
147 Extensions working group:
148
149 ietf-ppp@merit.edu
150
README.linux
1 PPP for Linux
2 -------------
3
4 Paul Mackerras
5 8 March 2001
6
7 for ppp-2.4.2
8 Updated for ppp-2.4.5, Sep 08
9
101. Introduction
11---------------
12
13The Linux PPP implementation includes both kernel and user-level
14parts. This package contains the user-level part, which consists of
15the PPP daemon (pppd) and associated utilities. In the past this
16package has contained updated kernel drivers. This is no longer
17necessary, as the current kernel sources contain up-to-date drivers
18(and have done since the 2.4.x kernel series).
19
20The Linux PPP implementation is capable of being used both for
21initiating PPP connections (as a `client') or for handling incoming
22PPP connections (as a `server'). Note that this is an operational
23distinction, based on how the connection is created, rather than a
24distinction that is made in the PPP protocols themselves.
25
26Mostly this package is used for PPP connections over modems connected
27via asynchronous serial ports, so this guide concentrates on this
28situation.
29
30The PPP protocol consists of two parts. One is a scheme for framing
31and encoding packets, the other is a series of protocols called LCP,
32IPCP, PAP and CHAP, for negotiating link options and for
33authentication. This package similarly consists of two parts: a
34kernel module which handles PPP's low-level framing protocol, and a
35user-level program called pppd which implements PPP's negotiation
36protocols.
37
38The kernel module assembles/disassembles PPP frames, handles error
39detection, and forwards packets between the serial port and either the
40kernel network code or the user-level program pppd. IP packets go
41directly to the kernel network code. So once pppd has negotiated the
42link, it in practice lies completely dormant until you want to take
43the link down, when it negotiates a graceful disconnect.
44
45
462. Installation
47---------------
48
492.1 Kernel driver
50
51Assuming you are running a recent 2.4 or 2.6 (or later) series kernel,
52the kernel source code will contain an up-to-date kernel PPP driver.
53If the PPP driver was included in your kernel configuration when your
54kernel was built, then you only need to install the user-level
55programs. Otherwise you will need to get the source tree for your
56kernel version, configure it with PPP included, and recompile. Most
57Linux distribution vendors ship kernels with PPP included in the
58configuration.
59
60The PPP driver can be either compiled into the kernel or compiled as a
61kernel module. If it is compiled into the kernel, the PPP driver is
62included in the kernel image which is loaded at boot time. If it is
63compiled as a module, the PPP driver is present in one or more files
64under /lib/modules and is loaded into the kernel when needed.
65
66The 2.2 series kernels contain an older version of the kernel PPP
67driver, one which doesn't support multilink. If you want multilink,
68you need to run a 2.4 or 2.6 series kernel. The kernel PPP driver
69was completely rewritten for the 2.4 series kernels to support
70multilink and to allow it to operate over diverse kinds of
71communication medium (the 2.2 driver only operates over serial ports
72and devices which look like serial ports, such as pseudo-ttys).
73
74Under the 2.2 kernels, if PPP is compiled as a module, the PPP driver
75modules should be present in the /lib/modules/`uname -r`/net directory
76(where `uname -r` represents the kernel version number). The PPP
77driver module itself is called ppp.o, and there will usually be
78compression modules there, ppp_deflate.o and bsd_comp.o, as well as
79slhc.o, which handles TCP/IP header compression. If the PPP driver is
80compiled into the kernel, the compression code will still be compiled
81as modules, for kernels before 2.2.17pre12. For 2.2.17pre12 and later,
82if the PPP driver is compiled in, the compression code will also.
83
84Under the 2.4 kernels, there are two PPP modules, ppp_generic.o and
85ppp_async.o, plus the compression modules (ppp_deflate.o, bsd_comp.o
86and slhc.o). If the PPP generic driver is compiled into the kernel,
87the other four can then be present either as modules or compiled into
88the kernel. There is a sixth module, ppp_synctty.o, which is used for
89synchronous tty devices such as high-speed WAN adaptors.
90
91
922.2 User-level programs
93
94If you obtained this package in .rpm or .deb format, you simply follow
95the usual procedure for installing the package.
96
97If you are using the .tar.gz form of this package, then cd into the
98ppp-2.4.5 directory you obtained by unpacking the archive and issue
99the following commands:
100
101$ ./configure
102$ make
103# make install
104
105The `make install' has to be done as root. This makes and installs
106four programs and their man pages: pppd, chat, pppstats and pppdump.
107If the /etc/ppp configuration directory doesn't exist, the `make
108install' step will create it and install some default configuration
109files.
110
111
1122.3 System setup for 2.4 kernels
113
114Under the 2.4 series kernels, pppd needs to be able to open /dev/ppp,
115character device (108,0). If you are using udev (as most distributions
116do), the /dev/ppp node should be created by udevd.
117
118Otherwise you may need to create a /dev/ppp device node with the
119commands:
120
121# mknod /dev/ppp c 108 0
122# chmod 600 /dev/ppp
123
124
1252.4 System setup under 2.2 series kernels
126
127Under the 2.2 series kernels, you should add the following to your
128/etc/modules.conf or /etc/conf.modules:
129
130alias tty-ldisc-3 ppp
131alias ppp-compress-21 bsd_comp
132alias ppp-compress-24 ppp_deflate
133alias ppp-compress-26 ppp_deflate
134
135
1363. Getting help with problems
137-----------------------------
138
139If you have problems with your PPP setup, or you just want to ask some
140questions, or better yet if you can help others with their PPP
141questions, then you should join the linux-ppp mailing list. Send an
142email to majordomo@vger.kernel.org with a line in the body saying
143
144subscribe linux-ppp
145
146To leave the mailing list, send an email to majordomo@vger.kernel.org
147with a line in the body saying
148
149unsubscribe linux-ppp
150
151To send a message to the list, email it to linux-ppp@vger.kernel.org.
152You don't have to be subscribed to send messages to the list.
153
154You can also email me (paulus@samba.org) but I am overloaded with
155email and I can't respond to most messages I get in a timely fashion.
156
157There are also several relevant news groups, such as comp.protocols.ppp,
158comp.os.linux.networking, or comp.os.linux.setup.
159
160
1614. Configuring your dial-out PPP connections
162--------------------------------------------
163
164Some Linux distribution makers include tools in their distributions
165for setting up PPP connections. For example, for Red Hat Linux and
166derivatives, you should probably use linuxconf or netcfg to set up
167your PPP connections.
168
169The two main windowing environments for Linux, KDE and Gnome, both
170come with GUI utilities for configuring and controlling PPP dial-out
171connections. They are convenient and relatively easy to configure.
172
173A third alternative is to use a PPP front-end package such as wvdial
174or ezppp. These also will handle most of the details of talking to
175the modem and setting up the PPP connection for you.
176
177Assuming that you don't want to use any of these tools, you want to
178set up the configuration manually yourself, then read on. This
179document gives a brief description and example. More details can be
180found by reading the pppd and chat man pages and the PPP-HOWTO.
181
182We assume that you have a modem that uses the Hayes-compatible AT
183command set connected to an async serial port (e.g. /dev/ttyS0) and
184that you are dialling out to an ISP.
185
186The trickiest and most variable part of setting up a dial-out PPP
187connection is the part which involves getting the modem to dial and
188then invoking PPP service at the far end. Generally, once both ends
189are talking PPP the rest is relatively straightforward.
190
191Now in fact pppd doesn't know anything about how to get modems to dial
192or what you have to say to the system at the far end to get it to talk
193PPP. That's handled by an external program such as chat, specified
194with the connect option to pppd. Chat takes a series of strings to
195expect from the modem interleaved with a series of strings to send to
196the modem. See the chat man page for more information. Here is a
197simple example for connecting to an ISP, assuming that the ISP's
198system starts talking PPP as soon as it answers the phone:
199
200pppd connect 'chat -v "" AT OK ATDT5551212 ~' \
201 /dev/ttyS0 57600 crtscts debug defaultroute
202
203Going through pppd's options in order:
204 connect 'chat ...' This gives a command to run to contact the
205 PPP server. Here the supplied 'chat' program is used to dial a
206 remote computer. The whole command is enclosed in single quotes
207 because pppd expects a one-word argument for the 'connect' option.
208 The options to 'chat' itself are:
209
210 -v verbose mode; log what we do to syslog
211 "" don't wait for any prompt, but instead...
212 AT send the string "AT"
213 OK expect the response "OK", then
214 ATDT5551212 dial the modem, then
215 ~ wait for a ~ character, indicating the start
216 of a PPP frame from the server
217
218 /dev/ttyS0 specifies which serial port the modem is connected to
219 57600 specifies the baud rate to use
220 crtscts use hardware flow control using the RTS & CTS signals
221 debug log the PPP negotiation with syslog
222 defaultroute add default network route via the PPP link
223
224Pppd will write error messages and debugging logs to the syslogd
225daemon using the facility name "daemon". These messages may already
226be logged to the console or to a file like /var/log/messages; consult
227your /etc/syslog.conf file to see. If you want to make all pppd
228messages go to a file such as /var/log/ppp-debug, add the line
229
230daemon.* /var/log/ppp-debug
231 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
232 This is one or more tabs. Do not use spaces.
233
234to syslog.conf; make sure to put one or more TAB characters (not
235spaces!) between the two fields. Then you need to create an empty
236/var/log/ppp-debug file with a command such as
237
238 touch /var/log/ppp-debug
239
240and then restart syslogd, usually by sending it a SIGHUP signal with a
241command like this:
242
243 killall -HUP syslogd
244
245
2464.1 Is the link up?
247
248The main way to tell if your PPP link is up and operational is the
249ifconfig ("interface configuration") command. Type
250
251 /sbin/ifconfig
252
253at a shell prompt. It should print a list of interfaces including one
254like this example:
255
256ppp0 Link encap Point-to-Point Protocol
257 inet addr 192.76.32.3 P-t-P 129.67.1.165 Mask 255.255.255.0
258 UP POINTOPOINT RUNNING MTU 1500 Metric 1
259 RX packets 33 errors 0 dropped 0 overrun 0
260 TX packets 42 errors 0 dropped 0 overrun 0
261
262Assuming that ifconfig shows the ppp network interface, you can test
263the link using the ping command like this:
264
265 /sbin/ping -c 3 129.67.1.165
266
267where the address you give is the address shown as the P-t-P address
268in the ifconfig output. If the link is operating correctly, you
269should see output like this:
270
271 PING 129.67.1.165 (129.67.1.165): 56 data bytes
272 64 bytes from 129.67.1.165: icmp_seq=0 ttl=255 time=268 ms
273 64 bytes from 129.67.1.165: icmp_seq=1 ttl=255 time=247 ms
274 64 bytes from 129.67.1.165: icmp_seq=2 ttl=255 time=266 ms
275 --- 129.67.1.165 ping statistics ---
276 3 packets transmitted, 3 packets received, 0% packet loss
277 round-trip min/avg/max = 247/260/268 ms
278
279
README.MPPE
1PPP Support for MPPE (Microsoft Point to Point Encryption)
2==========================================================
3
4Frank Cusack frank@google.com
5Mar 19, 2002
6
7Updated by Paul Mackerras, Sep 2008
8
9
10DISCUSSION
11
12MPPE is Microsoft's encryption scheme for PPP links. It is pretty much
13solely intended for use with PPP over Internet links -- if you have a true
14point to point link you have little need for encryption. It is generally
15used with PPTP.
16
17MPPE is negotiated within CCP (Compression Control Protocol) as option
1818. In order for MPPE to work, both peers must agree to do it. This
19complicates things enough that I chose to implement it as strictly a binary
20option, off by default. If you turn it on, all other compression options
21are disabled and MPPE *must* be negotiated successfully in both directions
22(CCP is unidirectional) or the link will be disconnected. I think this is
23reasonable since, if you want encryption, you want encryption. That is,
24I am not convinced that optional encryption is useful.
25
26While PPP regards MPPE as a "compressor", it actually expands every frame
27by 4 bytes, the MPPE overhead (encapsulation).
28
29Because of the data expansion, you'll see that ppp interfaces get their
30mtu reduced by 4 bytes whenever MPPE is negotiated. This is because
31when MPPE is active, it is *required* that *every* packet be encrypted.
32PPPD sets the mtu = MIN(peer mru, configured mtu). To ensure that
33MPPE frames are not larger than the peer's mru, we reduce the mtu by 4
34bytes so that the network layer never sends ppp a packet that's too large.
35
36There is an option to compress the data before encrypting (MPPC), however
37the algorithm is patented and requires execution of a license with Hifn.
38MPPC as an RFC is a complete farce. I have no further details on MPPC.
39
40Some recommendations:
41
42- Use stateless mode. Stateful mode is disabled by default. Unfortunately,
43 stateless mode is very expensive as the peers must rekey for every packet.
44- Use 128-bit encryption.
45- Use MS-CHAPv2 only.
46
47Reference documents:
48
49 <http://www.ietf.org/rfc/rfc3078.txt> MPPE
50 <http://www.ietf.org/rfc/rfc3079.txt> MPPE Key Derivation
51 <http://www.ietf.org/rfc/rfc2118.txt> MPPC
52 <http://www.ietf.org/rfc/rfc2637.txt> PPTP
53 <http://www.ietf.org/rfc/rfc2548.txt> MS RADIUS Attributes
54
55You might be interested in PoPToP, a Linux PPTP server. You can find it at
56<http://www.poptop.org/>
57
58RADIUS support for MPPE is from Ralf Hofmann, <ralf.hofmann@elvido.net>.
59
60
61BUILDING THE PPPD
62
63The userland component of PPPD has no additional requirements above
64those for MS-CHAP and MS-CHAPv2.
65
66MPPE support is now included in the mainline Linux kernel releases.
67
68
69CONFIGURATION
70
71See pppd(8) for the MPPE options. Under Linux, if your modutils is earlier
72than 2.4.15, you will need to add
73
74 alias ppp-compress-18 ppp_mppe
75
76to /etc/modules.conf.
77
78
79
README.MSCHAP80
1PPP Support for Microsoft's CHAP-80
2===================================
3
4Eric Rosenquist rosenqui@strataware.com
5(updated by Paul Mackerras)
6(updated by Al Longyear)
7(updated by Farrell Woods)
8(updated by Frank Cusack)
9
10INTRODUCTION
11
12Microsoft has introduced an extension to the Challenge/Handshake
13Authentication Protocol (CHAP) which avoids storing cleartext
14passwords on a server. (Unfortunately, this is not as secure as it
15sounds, because the encrypted password stored on a server can be used
16by a bogus client to gain access to the server just as easily as if
17the password were stored in cleartext.) The details of the Microsoft
18extensions can be found in the document:
19
20 <http://www.ietf.org/rfc/rfc2433.txt>
21
22In short, MS-CHAP is identified as <auth chap 80> since the hex value
23of 80 is used to designate Microsoft's scheme. Standard PPP CHAP uses
24a value of 5. If you enable PPP debugging with the "debug" option and
25see something like the following in your logs, the remote server is
26requesting MS-CHAP:
27
28 rcvd [LCP ConfReq id=0x2 <asyncmap 0x0> <auth MS> <magic 0x46a3>]
29 ^^^^^^^
30
31MS-CHAP is enabled by default under Linux in pppd/Makefile.linux by
32the line "CHAPMS=y".
33
34
35CONFIGURATION
36
37If you've never used PPPD with CHAP before, read the man page (type
38"man pppd") and read the description in there. Basically, you need to
39edit the "chap-secrets" file typically named /etc/ppp/chap-secrets.
40This should contain the following two lines for each system with which
41you use CHAP (with no leading blanks):
42
43 RemoteHost Account Secret
44 Account RemoteHost Secret
45
46Note that you need both lines and that item 1 and 2 are swapped in the
47second line. I'm not sure why you need it twice, but it works and I didn't
48have time to look into it further. The "RemoteHost" is a somewhat
49arbitrary name for the remote Windows NT system you're dialing. It doesn't
50have to match the NT system's name, but it *does* have to match what you
51use with the "remotename" parameter. The "Account" is the Windows NT
52account name you have been told to use when dialing, and the "Secret" is
53the password for that account. For example, if your service provider calls
54their machine "DialupNT" and tells you your account and password are
55"customer47" and "foobar", add the following to your chap-secrets file:
56
57 DialupNT customer47 foobar
58 customer47 DialupNT foobar
59
60The only other thing you need to do for MS-CHAP (compared to normal CHAP)
61is to always use the "remotename" option, either on the command line or in
62your "options" file (see the pppd man page for details). In the case of
63the above example, you would need to use the following command line:
64
65 pppd name customer47 remotename DialupNT <other options>
66
67or add:
68
69 name customer47
70 remotename DialupNT
71
72to your PPPD "options" file.
73
74The "remotename" option is required for MS-CHAP since Microsoft PPP servers
75don't send their system name in the CHAP challenge packet.
76
77
78E=691 (AUTHENTICATION_FAILURE) ERRORS WHEN YOU HAVE THE VALID SECRET (PASSWORD)
79
80If your RAS server is not the domain controller and is not a 'stand-alone'
81server then it must make a query to the domain controller for your domain.
82
83You need to specify the domain name with the user name when you attempt to
84use this type of a configuration. The domain name is specified with the
85local name in the chap-secrets file and with the option for the 'name'
86parameter.
87
88For example, the previous example would become:
89
90 DialupNT domain\\customer47 foobar
91 domain\\customer47 DialupNT foobar
92
93and
94
95 pppd name 'domain\\customer47' remotename DialupNT <other options>
96
97or add:
98
99 name domain\\customer47
100 remotename DialupNT
101
102when the Windows NT domain name is simply called 'domain'.
103
104
105TROUBLESHOOTING
106
107Assuming that everything else has been configured correctly for PPP and
108CHAP, the MS-CHAP-specific problems you're likely to encounter are mostly
109related to your Windows NT account and its settings. A Microsoft server
110returns error codes in its CHAP response. The following are extracted from
111RFC 2433:
112
113 646 ERROR_RESTRICTED_LOGON_HOURS
114 647 ERROR_ACCT_DISABLED
115 648 ERROR_PASSWD_EXPIRED
116 649 ERROR_NO_DIALIN_PERMISSION
117 691 ERROR_AUTHENTICATION_FAILURE
118 709 ERROR_CHANGING_PASSWORD
119
120You'll see these in your pppd log as a line similar to:
121
122 Remote message: E=649 R=0
123
124The "E=" is the error number from the table above, and the "R=" flag
125indicates whether the error is transient and the client should retry. If
126you consistently get error 691, then either you're using the wrong account
127name/password, or the DES library or MD4 hashing (in md4.c) aren't working
128properly. Verify your account name and password (use a Windows NT or
129Windows 95 system to dial-in if you have one available). If that checks
130out, test the DES library with the "destest" program included with the DES
131library. If DES checks out, the md4.c routines are probably failing
132(system byte ordering may be a problem) or my code is screwing up. I've
133only got access to a Linux system, so you're on your own for anything else.
134
135Another thing that might cause problems is that some RAS servers won't
136respond at all to LCP config requests without seeing the word "CLIENT"
137from the other end. If you see pppd sending out LCP config requests
138without getting any reply, try putting something in your chat script
139to send the word CLIENT after the modem has connected.
140
141STILL TO DO
142
143A site using only MS-CHAP to authenticate has no need to store cleartext
144passwords in the "chap-secrets" file. A utility that spits out the ASCII
145hex MD4 hash of a given password would be nice, and would allow that hash
146to be used in chap-secrets in place of the password. The code to do this
147could quite easily be lifted from chap_ms.c (you have to convert the
148password to Unicode before hashing it). The chap_ms.c file would also have
149to be changed to recognize a password hash (16 binary bytes == 32 ASCII hex
150characters) and skip the hashing stage. This would have no real security
151value as the hash is plaintext-equivalent.
152
README.MSCHAP81
1PPP Support for Microsoft's CHAP-81
2===================================
3
4Frank Cusack frank@google.com
5
6Some text verbatim from README.MSCHAP80,
7by Eric Rosenquist, rosenqui@strataware.com
8
9INTRODUCTION
10
11First, please read README.MSCHAP80; almost everything there applies here.
12MS-CHAP was basically devised by Microsoft because rather than store
13plaintext passwords, they (Microsoft) store the md4 hash of passwords.
14It provides no advantage over standard CHAP, since the hash is used
15as plaintext-equivalent. (Well, the Change-Password packet is arguably
16an advantage.) It does introduce a significant weakness if the LM hash
17is used. Additionally, the format of the failure packet potentially
18gives information to an attacker. The weakness of the LM hash is partly
19addressed in RFC 2433, which deprecates its use.
20
21MS-CHAPv2 adds 2 benefits to MS-CHAP. (1) The LM hash is no longer
22used. (2) Mutual authentication is required. Note that the mutual
23authentication in MS-CHAPv2 is different than the case where both PPP
24peers require authentication from the other; the former proves that
25the server has access to the client's password, the latter proves that
26the server has access to a secret which the client also has -- which
27may or may not be the same as the client's password (but should not be
28the same, per RFC 1994). Whether this provides any actual benefit is
29outside the scope of this document. The details of MS-CHAPv2 can be
30found in the document:
31
32 <http://www.ietf.org/rfc/rfc2759.txt>
33
34
35BUILDING THE PPPD
36
37In addition to the requirements for MS-CHAP, MS-CHAPv2 uses the SHA-1
38hash algorithm. A public domain implementation is provided with pppd.
39
40
41TROUBLESHOOTING
42
43Assuming that everything else has been configured correctly for PPP and
44CHAP, the MS-CHAPv2-specific problems you're likely to encounter are mostly
45related to your Windows NT account and its settings. A Microsoft server
46returns error codes in its CHAP response. The following are extracted from
47RFC 2759:
48
49 646 ERROR_RESTRICTED_LOGON_HOURS
50 647 ERROR_ACCT_DISABLED
51 648 ERROR_PASSWD_EXPIRED
52 649 ERROR_NO_DIALIN_PERMISSION
53 691 ERROR_AUTHENTICATION_FAILURE
54 709 ERROR_CHANGING_PASSWORD
55
56You'll see these in your pppd log as a line similar to:
57
58 Remote message: E=649 No dialin permission
59
60Previously, pppd would log this as:
61
62 Remote message: E=649 R=0
63
64Now, the text message is logged (both for MS-CHAP and MS-CHAPv2).
65
66
README.pppoe
1 PPPoE Support
2 -------------
3
4 Michal Ostrowski
5 8 August 2001
6
7 for ppp-2.4.2
8 Updated for ppp-2.4.5 by Paul Mackerras, Sep 08
9
101. Introduction
11---------------
12
13This document describes the support for PPP over Ethernet (PPPoE)
14included with this package. It is assumed that the reader is
15familiar with Linux PPP (as it pertains to tty/modem-based
16connections). In particular, users of PPP in the Linux 2.2 series
17kernels should ensure they are familiar with the changes to the PPP
18implementation in the 2.4 series kernels before attempting to use
19PPPoE features.
20
21If you are not familiar with PPP, I recommend looking at other
22packages which include end-user configuration tools, such as Roaring
23Penguin (http://www.roaringpenguin.com/pppoe).
24
25PPPoE is a protocol typically used by *DSL providers to manage IP
26addresses and authenticate users. Essentially, PPPoE provides for a
27PPP connection to be established not over a physical serial-line or
28modem, but over a logical connection between two unique MAC-addresses
29on an ethernet network. Once the PPPoE layer discovers the end-points
30to be used in the link and negotiates it, frames may be sent to and
31received from the PPPoE layer just as if the link was a serial line
32(or that is how it's supposed to be).
33
34With this in mind, the goal of the implementation of PPPoE support in
35Linux is to allow users to simply specify that the device they intend
36to use for the PPP connection is an ethernet device (e.g. "eth0") and
37the rest of the system should function as usual.
38
392. Using PPPoE
40--------------
41
42This section is a quick guide for getting PPPoE working, to allow one
43to connect to their ISP who is providing PPPoE based services.
44
451. Enable "Prompt for development and/or incomplete code/drivers" and
46 "PPP over Ethernet" in your kernel configuration. Most distributions
47 will include the kernel PPPoE module by default.
48
492. Compile and install your kernel.
50
513. Install the ppp package.
52
534. Add the following line to /etc/ppp/options:
54
55 plugin rp-pppoe.so
56
57 The effect of this line is simply to make "eth0", "eth1",
58 ....,"ethx" all valid device names for pppd (just like ttyS0,
59 ttyS1).
60
615. Add the necessary authentication options to your pppd
62 configuration (i.e. PAP/CHAP information). If you wish to
63 maintain seperate configurations for different devices you may
64 place configuration options in device-specific configuration
65 files: /etc/ppp/options.devname (devname=ttyS0, ttyS1, eth0, eth1
66 or any other valid device name).
67
686. Invoke pppd with the appropriate device name: e.g. "pppd eth0"
69
70
71Do not include any compression or flow control options in your PPPoE
72configuration. They will be ignored.
73
74Again, here it is assumed that the reader is familiar with the general
75process of configuring PPP. The steps outlined here refer only to the
76steps and configuration options which are PPPoE specific, and it is
77assumed that the reader will also configure other aspects of the system
78(e.g. PAP authentication parameters).
79
803. Advanced Functionality
81--------------------------
82
83For more advanced functionality (such as providing PPPoE services) and
84user configuration tools, look to the Roaring Penguin PPPoE software
85package (http://www.roaringpenguin.com/pppoe).
86
874. Credits
88-----------
89
90The PPPoE plugin included in this package is a component of the
91Roaring Penguin PPPoE package, included in this package courtesy of
92Roaring Penguin Software. (http://www.roaringpenguin.com).
93
94
README.pppol2tp
1PPPoL2TP plugin
2===============
3
4The pppol2tp plugin lets pppd use the Linux kernel driver pppol2tp.ko
5to pass PPP frames in L2TP tunnels. The driver was integrated into the
6kernel in the 2.6.23 release. For kernels before 2.6.23, an
7out-of-tree kernel module is available from the pppol2tp-kmod package
8in the OpenL2TP project.
9
10Note that pppd receives only PPP control frames over the PPPoL2TP
11socket; data frames are handled entirely by the kernel.
12
13The pppol2tp plugin adds extra arguments to pppd and uses the Linux kernel
14PPP-over-L2TP driver to set up each session's data path.
15
16Arguments are:-
17
18pppol2tp <fd> - FD for PPPoL2TP socket
19pppol2tp_lns_mode - PPPoL2TP LNS behavior. Default off.
20pppol2tp_send_seq - PPPoL2TP enable sequence numbers in
21 transmitted data packets. Default off.
22pppol2tp_recv_seq - PPPoL2TP enforce sequence numbers in
23 received data packets. Default off.
24pppol2tp_reorderto <millisecs> - PPPoL2TP data packet reorder timeout.
25 Default 0 (no reordering).
26pppol2tp_debug_mask <mask> - PPPoL2TP debug mask. Bitwise OR of
27 1 - verbose debug
28 2 - control
29 4 - kernel transport
30 8 - ppp packet data
31 Default: 0 (no debug).
32pppol2tp_ifname <ifname> - Name of PPP network interface visible
33 to "ifconfig" and "ip link".
34 Default: "pppN"
35pppol2tp_tunnel_id <id> - L2TP tunnel_id tunneling this PPP
36 session.
37pppol2tp_session_id <id> - L2TP session_id of this PPP session.
38 The tunnel_id/session_id pair is used
39 when sending event messages to openl2tpd.
40
41pppd will typically be started by an L2TP daemon for each L2TP sesion,
42supplying one or more of the above arguments as required. The pppd
43user will usually have no visibility of these arguments.
44
45Two hooks are exported by this plugin.
46
47void (*pppol2tp_send_accm_hook)(int tunnel_id, int session_id,
48 uint32_t send_accm, uint32_t recv_accm);
49void (*pppol2tp_ip_updown_hook)(int tunnel_id, int session_id, int up);
50
51Credits
52=======
53
54This plugin was developed by Katalix Systems as part of the OpenL2TP
55project, http://openl2tp.sourceforge.net. OpenL2TP is a full-featured
56L2TP client-server, suitable for use as an enterprise L2TP VPN server
57or a VPN client.
58
59Please copy problems to the OpenL2TP mailing list:
60openl2tp-users@lists.sourceforge.net.
61
62Maintained by:
63 James Chapman
64 jchapman@katalix.com
65 Katalix Systems Ltd
66 http://www.katalix.com
67
README.pwfd
1
2 Support to pass the password via a pipe to the pppd
3 ---------------------------------------------------
4
5 Arvin Schnell <arvin@suse.de>
6 2002-02-08
7
8
91. Introduction
10---------------
11
12Normally programs like wvdial or kppp read the online password from their
13config file and store them in the pap- and chap-secrets before they start the
14pppd and remove them afterwards. Sure they need special privileges to do so.
15
16The passwordfd feature offers a simpler and more secure solution. The program
17that starts the pppd opens a pipe and writes the password into it. The pppd
18simply reads the password from that pipe.
19
20This methods is used for quite a while on SuSE Linux by the programs wvdial,
21kppp and smpppd.
22
23
242. Example
25----------
26
27Here is a short C program that uses the passwordfd feature. It starts the pppd
28to buildup a pppoe connection.
29
30
31--snip--
32
33#include <stdio.h>
34#include <stdlib.h>
35#include <unistd.h>
36#include <signal.h>
37#include <string.h>
38#include <paths.h>
39
40#ifndef _PATH_PPPD
41#define _PATH_PPPD "/usr/sbin/pppd"
42#endif
43
44
45// Of course these values can be read from a configuration file or
46// entered in a graphical dialog.
47char *device = "eth0";
48char *username = "1122334455661122334455660001@t-online.de";
49char *password = "hello";
50
51pid_t pid = 0;
52
53
54void
55sigproc (int src)
56{
57 fprintf (stderr, "Sending signal %d to pid %d\n", src, pid);
58 kill (pid, src);
59 exit (EXIT_SUCCESS);
60}
61
62
63void
64sigchild (int src)
65{
66 fprintf (stderr, "Daemon died\n");
67 exit (EXIT_SUCCESS);
68}
69
70
71int
72start_pppd ()
73{
74 signal (SIGINT, &sigproc);
75 signal (SIGTERM, &sigproc);
76 signal (SIGCHLD, &sigchild);
77
78 pid = fork ();
79 if (pid < 0) {
80 fprintf (stderr, "unable to fork() for pppd: %m\n");
81 return 0;
82 }
83
84 if (pid == 0) {
85
86 int i, pppd_argc = 0;
87 char *pppd_argv[20];
88 char buffer[32] = "";
89 int pppd_passwdfd[2];
90
91 for (i = 0; i < 20; i++)
92 pppd_argv[i] = NULL;
93
94 pppd_argv[pppd_argc++] = "pppd";
95
96 pppd_argv[pppd_argc++] = "call";
97 pppd_argv[pppd_argc++] = "pwfd-test";
98
99 // The device must be after the call, since the call loads the plugin.
100 pppd_argv[pppd_argc++] = device;
101
102 pppd_argv[pppd_argc++] = "user";
103 pppd_argv[pppd_argc++] = username;
104
105 // Open a pipe to pass the password to pppd.
106 if (pipe (pppd_passwdfd) == -1) {
107 fprintf (stderr, "pipe failed: %m\n");
108 exit (EXIT_FAILURE);
109 }
110
111 // Of course this only works it the password is shorter
112 // than the pipe buffer. Otherwise you have to fork to
113 // prevent that your main program blocks.
114 write (pppd_passwdfd[1], password, strlen (password));
115 close (pppd_passwdfd[1]);
116
117 // Tell the pppd to read the password from the fd.
118 pppd_argv[pppd_argc++] = "passwordfd";
119 snprintf (buffer, 32, "%d", pppd_passwdfd[0]);
120 pppd_argv[pppd_argc++] = buffer;
121
122 if (execv (_PATH_PPPD, (char **) pppd_argv) < 0) {
123 fprintf (stderr, "cannot execl %s: %m\n", _PATH_PPPD);
124 exit (EXIT_FAILURE);
125 }
126 }
127
128 pause ();
129
130 return 1;
131}
132
133
134int
135main (int argc, char **argv)
136{
137 if (start_pppd ())
138 exit (EXIT_SUCCESS);
139
140 exit (EXIT_FAILURE);
141}
142
143---snip---
144
145
146Copy this file to /etc/ppp/peers/pwfd-test. The plugins can't be loaded on the
147command line (unless you are root) since the plugin option is privileged.
148
149
150---snip---
151
152#
153# PPPoE plugin for kernel 2.4
154#
155plugin pppoe.so
156
157#
158# This plugin enables us to pipe the password to pppd, thus we don't have
159# to fiddle with pap-secrets and chap-secrets. The user is also passed
160# on the command line.
161#
162plugin passwordfd.so
163
164noauth
165usepeerdns
166defaultroute
167hide-password
168nodetach
169nopcomp
170novjccomp
171noccp
172
173---snip---
174
175
README.sol2
1This file describes the installation process for ppp-2.4 on systems
2running Solaris. The Solaris and SVR4 ports share a lot of code but
3are not identical. The STREAMS kernel modules and driver for Solaris
4are in the solaris directory (and use some code from the modules
5directory).
6
7NOTE: Although the kernel driver and modules have been designed to
8operate correctly on SMP systems, they have not been extensively
9tested on SMP machines. Some users of SMP Solaris x86 systems have
10reported system problems apparently linked to the use of previous
11versions of this software. I believe these problems have been fixed.
12
13
14Installation.
15*************
16
171. Run the configure script and make the user-level programs and the
18 kernel modules.
19
20 ./configure
21 make
22
23 The configure script will automatically find Sun's cc if it's in
24 the standard location (/opt/SUNWspro/bin/cc). If you do not have
25 Sun's WorkShop compiler, configure will attempt to use 'gcc'. If
26 this is found and you have a 64 bit kernel, it will check that gcc
27 accepts the "-m64" option, which is required to build kernel
28 modules.
29
30 You should not have to edit the Makefiles for most ordinary cases.
31
322. Install the programs and kernel modules: as root, do
33
34 make install
35
36 This installs pppd, chat and pppstats in /usr/local/bin and the
37 kernel modules in /kernel/drv and /kernel/strmod, and creates the
38 /etc/ppp directory and populates it with default configuration
39 files. You can change the installation directories by editing
40 solaris/Makedefs. If you have a 64 bit kernel, the 64-bit drivers
41 are installed in /kernel/drv/sparcv9 and /kernel/strmod/sparcv9.
42
43 If your system normally has only one network interface at boot
44 time, the default Solaris system startup scripts will disable IP
45 forwarding in the IP kernel module. This will prevent the remote
46 machine from using the local machine as a gateway to access other
47 hosts. The solution is to create an /etc/ppp/ip-up script
48 containing something like this:
49
50 #!/bin/sh
51 /usr/sbin/ndd -set /dev/ip ip_forwarding 1
52
53 See the man page for ip(7p) for details.
54
55Integrated pppd
56***************
57
58 Solaris 8 07/01 (Update 5) and later have an integrated version of
59 pppd, known as "Solaris PPP 4.0," and is based on ppp-2.4.0. This
60 version comes with the standard Solaris software distribution and is
61 supported by Sun. It is fully tested in 64-bit and SMP modes, and
62 with bundled and unbundled synchronous drivers. Solaris 8 10/01
63 (Update 6) and later includes integrated PPPoE client and server
64 support, with kernel-resident data handling. See pppd(1M).
65
66 The feature is part of the regular full installation, and is
67 provided by these packages:
68
69 SUNWpppd - 32-bit mode kernel drivers
70 SUNWpppdr - root-resident /etc/ppp config samples
71 SUNWpppdu - /usr/bin/pppd itself, plus chat
72 SUNWpppdx - 64-bit mode kernel drivers
73 SUNWpppdt - PPPoE support
74 SUNWpppg - GPL'd optional 'pppdump' and plugins
75 SUNWpppgS - Source for GPL'd optional features
76
77 Use the open source version of pppd if you wish to recompile to add
78 new features or to experiment with the code. Production systems,
79 however, should run the Sun-supplied version, if at all possible.
80
81 You can run both versions on a single system if you wish. The
82 Solaris PPP 4.0 interfaces are named "spppN," while this open source
83 version names its interfaces as "pppN". The STREAMS modules are
84 similarly separated. The Sun-supplied pppd lives in /usr/bin/pppd,
85 while the open source version installs (by default) in
86 /usr/local/bin/pppd.
87
88Dynamic STREAMS Re-Plumbing Support.
89************************************
90
91 Solaris 8 (and later) includes dynamic re-plumbing support. With
92 this feature, modules below ip can be inserted, or removed, without
93 having the ip stream be unplumbed, and re-plumbed again. All state
94 in ip for the interface will be preserved as modules are added or
95 removed. Users can install (or upgrade) modules such as firewall,
96 bandwidth manager, cache manager, tunneling, etc., without shutting
97 the interface down.
98
99 To support this, ppp driver now uses /dev/udp instead of /dev/ip for
100 the ip stream. The interface stream (where ip module pushed on top
101 of ppp) is then I_PLINK'ed below the ip stream. /dev/udp is used
102 because STREAMS will not let a driver be PLINK'ed under itself, and
103 /dev/ip is typically the driver at the bottom of the tunneling
104 interfaces stream. The mux ids of the ip streams are then added
105 using SIOCSxIFMUXID ioctl.
106
107 Users will be able to see the modules on the interface stream by,
108 for example:
109
110 pikapon# ifconfig ppp modlist
111 0 ip
112 1 ppp
113
114 Or arbitrarily if bandwidth manager and firewall modules are installed:
115
116 pikapon# ifconfig hme0 modlist
117 0 arp
118 1 ip
119 2 ipqos
120 3 firewall
121 4 hme
122
123Snoop Support.
124**************
125
126 This version includes support for /usr/sbin/snoop. Tests have been
127 done on Solaris 7 through 9. Only IPv4 and IPv6 packets will be sent
128 up to stream(s) marked as promiscuous (i.e., those used by snoop).
129
130 Users will be able to see the packets on the ppp interface by, for
131 example:
132
133 snoop -d ppp0
134
135 See the man page for snoop(1M) for details.
136
137IPv6 Support.
138*************
139
140 This is for Solaris 8 and later.
141
142 This version has been tested under Solaris 8 and 9 running IPv6.
143 Interoperability testing has only been done between Solaris machines
144 in terms of the IPV6 NCP. An additional command line option for the
145 pppd daemon has been added: ipv6cp-use-persistent.
146
147 By default, compilation for IPv6 support is not enabled. Uncomment
148 the necessary lines in pppd/Makefile.sol2 to enable it. Once done,
149 the quickest way to get IPv6 running is to add the following
150 somewhere in the command line option:
151
152 +ipv6 ipv6cp-use-persistent
153
154 The persistent id for the link-local address was added to conform to
155 RFC 2472; such that if there's an EUI-48 available, use that to make
156 up the EUI-64. As of now, the Solaris implementation extracts the
157 EUI-48 id from the Ethernet's MAC address (the ethernet interface
158 needs to be up). Future work might support other ways of obtaining
159 a unique yet persistent id, such as EEPROM serial numbers, etc.
160
161 There need not be any up/down scripts for ipv6,
162 e.g. /etc/ppp/ipv6-up or /etc/ppp/ipv6-down, to trigger IPv6
163 neighbor discovery for auto configuration and routing. The in.ndpd
164 daemon will perform all of the necessary jobs in the
165 background. /etc/inet/ndpd.conf can be further customized to enable
166 the machine as an IPv6 router. See the man page for in.ndpd(1M) and
167 ndpd.conf(4) for details.
168
169 Below is a sample output of "ifconfig -a" with persistent link-local
170 address. Note the UNNUMBERED flag is set because hme0 and ppp0 both
171 have identical link-local IPv6 addresses:
172
173lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
174 inet 127.0.0.1 netmask ff000000
175hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
176 inet 129.146.86.248 netmask ffffff00 broadcast 129.146.86.255
177 ether 8:0:20:8d:38:c1
178lo0: flags=2000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6> mtu 8252 index 1
179 inet6 ::1/128
180hme0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
181 ether 8:0:20:8d:38:c1
182 inet6 fe80::a00:20ff:fe8d:38c1/10
183hme0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
184 inet6 fec0::56:a00:20ff:fe8d:38c1/64
185hme0:2: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
186 inet6 2000::56:a00:20ff:fe8d:38c1/64
187hme0:3: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
188 inet6 2::56:a00:20ff:fe8d:38c1/64
189ppp0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1500 index 12
190 inet 172.16.1.1 --> 172.16.1.2 netmask ffffff00
191ppp0: flags=2202851<UP,POINTOPOINT,RUNNING,MULTICAST,UNNUMBERED,NONUD,IPv6> mtu 1500 index 12
192 inet6 fe80::a00:20ff:fe8d:38c1/10 --> fe80::a00:20ff:fe7a:24fb
193
194 Note also that a plumbed ipv6 interface stream will exist throughout
195 the entire PPP session in the case where the peer rejects IPV6CP,
196 which further causes the interface state to stay down. Unplumbing
197 will happen when the daemon exits. This is done by design and is not
198 a bug.
199
20064-bit Support.
201***************
202
203 This version has been tested under Solaris 7 through 9 in both 32-
204 and 64-bit environments (Ultra class machines). Installing the
205 package by executing "make install" will result in additional files
206 residing in /kernel/drv/sparcv9 and /kernel/strmod/sparcv9
207 subdirectories.
208
209 64-bit modules and driver have been compiled and tested using Sun's
210 cc and gcc.
211
212Synchronous Serial Support.
213***************************
214
215 This version has working but limited support for the on-board
216 synchronous HDLC interfaces. It has been tested with the
217 /dev/se_hdlc, /dev/zsh, HSI/S, and HSI/P drivers. Synchronous mode
218 was tested with a Cisco router.
219
220 The ppp daemon does not directly support controlling the serial
221 interface. It relies on the /usr/sbin/syncinit command to
222 initialize HDLC mode and clocking.
223
224 There is a confirmed bug with NRZ/NRZI mode in the /dev/se_hdlc
225 driver, and Solaris patch 104596-11 is needed to correct it.
226 (However this patch seems to introduce other serial problems. If
227 you don't apply the patch, the workaround is to change the nrzi mode
228 to yes or no, whichever works.)
229
230 How to start pppd with synchronous support:
231
232 #!/bin/sh
233
234 local=1.1.1.1 # your ip address here
235 baud=38400 # needed, but ignored by serial driver
236
237 # Change to the correct serial driver/port
238 #dev=/dev/zsh0
239 dev=/dev/se_hdlc0
240
241 # Change the driver, nrzi mode, speed and clocking to match
242 # your setup.
243 # This configuration is for external clocking from the DCE
244 connect="syncinit se_hdlc0 nrzi=no speed=64000 txc=rxc rxc=rxc"
245
246 /usr/sbin/pppd $dev sync $baud novj noauth $local: connect "$connect"
247
248 Sample Cisco router config excerpt:
249
250 !
251 ! Cisco router setup as DCE with RS-232 DCE cable
252 !
253 !
254 interface Serial0
255 ip address 1.1.1.2 255.255.255.0
256 encapsulation ppp
257 clockrate 64000
258 no nrzi-encoding
259 no shutdown
260 !
261