Date:      Fri, 29 Dec 1995 00:41:48 -0800 (PST)
From:      batie@agora.rdrop.com (Alan Batie)
To:        freebsd-security@freebsd.org
Subject:   Secure PPP configuration?
Message-ID:  <m0tVaNo-000AlEC@agora.rdrop.com>

I'm trying to get PPP services working on my public access system (until
now, it's only supported SLIP).  After reviewing the documentation, I find
there are altogether too many options and configuration files for me to be
comfortable that my users can't override them somehow, so I would like some
guidance.

Design Goal:

1.  IP address assigned based on tty
2.  Authenticate user via password file
3.  Allow negotiation of TCP/IP parameters which don't affect security,
    in particular, VJ compression
4.  Disallow all others, in particular IP address, netmask and defaultroute.

Strategy:

Set all options in options.ttyxx file, which seems to get read last:

auth
crtscts
mtu xxx
mru xxx
netmask xxx
localip:remoteip
-all
+pap
login
noipdefault

Questionable options:

-defaultroute
ac
pc
vj

The above all have the reverse use of the "-" as the man page suggests
(i.e. defaultroute tells it to install a default route, but doesn't say
that using the - explicitly tells it not to, and similarly, -vj disables
vj compression negotiation, but doesn't say that "vj" enables it.)

I want to use PAP instead of CHAP because I do not want any cleartext
password files online.

Each user will run pppd under their own uid, so that it's easier to track
logins.  As a result, they will be able to install ~/.ppprc files if they
want.

Is there something I've overlooked, misinterpreted or just plain screwed up?

Thanks...

-- 
Alan Batie                            ______
batie@agora.rdrop.com                 \    /      Freedom for me to be and do
+1 503 452-0960                        \  /       only what *you* approve of
45 28 59 N / 122 43 20 W / 440' MSL     \/        is no freedom at all.

It is my policy to avoid purchase of any products from companies which use
unrequested email advertisements or telephone solicitation.
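One way to check the override worry raised in the post, as an added example that is not from the original message or from pppd itself: a small Python audit that parses option files in the order the post describes (/etc/ppp/options, then ~/.ppprc, then options.ttyXX, with the last setting winning) and lists restricted settings a user's ~/.ppprc would carry through because options.ttyXX does not re-pin them. The option table, the read order, the RESTRICTED set and the sample files are assumptions constructed for this example, not verified against pppd's real precedence rules.

```python
"""Audit pppd option files for settings a user could slip in via ~/.ppprc.

Assumption (taken from the post, not verified against pppd): files are read
/etc/ppp/options -> ~/.ppprc -> /etc/ppp/options.ttyXX, later files override
earlier ones.  Any restricted option that ~/.ppprc sets and options.ttyXX does
not set again therefore survives.  All file contents below are constructed.
"""
import re
import shlex

# Options that take one argument (constructed subset for this example).
TAKES_ARG = {"mtu", "mru", "netmask", "asyncmap", "escape", "name", "user"}
# Settings the post wants pinned server-side (constructed from its goals).
RESTRICTED = {"defaultroute", "netmask", "ipaddr", "noipdefault", "auth", "login"}
IPPAIR = re.compile(r"^[\w.]*:[\w.]*$")      # localip:remoteip token

def parse_options(text):
    """Return {option: value}; '-x' becomes x=False, '+x' becomes x=True."""
    words = shlex.split(text, comments=True)   # '#' comments are dropped
    opts, i = {}, 0
    while i < len(words):
        w = words[i]
        if IPPAIR.match(w):                    # e.g. 192.0.2.1:192.0.2.10
            opts["ipaddr"] = w
        elif w[0] in "-+":                     # -vj / +pap style toggles
            opts[w[1:]] = w[0] == "+"
        elif w in TAKES_ARG and i + 1 < len(words):
            opts[w] = words[i + 1]
            i += 1
        else:
            opts[w] = True
        i += 1
    return opts

def effective_options(files_in_read_order):
    """Merge files in read order; the last setting of each key wins."""
    merged = {}
    for text in files_in_read_order:
        merged.update(parse_options(text))
    return merged

def audit_user_rc(user_rc, tty_options):
    """Restricted options set in ~/.ppprc that options.ttyXX does not re-pin."""
    user, tty = parse_options(user_rc), parse_options(tty_options)
    return sorted(k for k in user if k in RESTRICTED and k not in tty)

# Constructed sample files mirroring the post's options.ttyxx strategy.
TTY_OPTIONS = "auth crtscts mtu 1500 mru 1500 netmask 255.255.255.0\n" \
              "192.0.2.1:192.0.2.10\n-all +pap login noipdefault\n"
USER_RC = "# user's ~/.ppprc trying to take over routing and addressing\n" \
          "defaultroute\n192.0.2.1:192.0.2.99\nvj\n"

if __name__ == "__main__":
    print("survives from ~/.ppprc:", audit_user_rc(USER_RC, TTY_OPTIONS))
```

Adding "-defaultroute" to the tty file (one of the post's "questionable" options) makes the audit come back empty, which is the point of setting it explicitly rather than relying on the default.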