Date:      Wed, 12 Nov 1997 02:35:24 +0000
From:      Brian Somers <brian@awfulhak.org>
To:        Alex <garbanzo@hooked.net>
Cc:        Greg Fraize <greg@oz.plymouth.edu>, questions <questions@FreeBSD.ORG>
Subject:   Re: ppp.secret 
Message-ID:  <199711120235.CAA25048@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Tue, 11 Nov 1997 16:53:41 PST." <Pine.BSF.3.96.971111164137.299G-100000@zippy.dyn.ml.org> 

> 
> 
> On Tue, 11 Nov 1997, Greg Fraize wrote:
> 
> > ppp -ddial home
> 
> Which will put ppp in the background.
>  
> > I keep getting an error about some file called ppp.secret...
> > what is that file used for ..and what should I put in
> > it...thanks
> 
> When ppp is run, it by default listens to port 3000+tunnel device id
> (usually 0).  By telnetting into that port, you can control ppp, run
> commands, etc, etc, and since it is run as root, this could pose a big
> security problem.  To combat this, you need to edit ppp.secret, and add a
> line in there with the name of your computer (not the fqdn), a tab, and a
> password.  Without this, you'll get an error, and it won't listen to port
> 3000.  With the entry, whoever tries to telnet to port 3000 to access
> your/control your ppp program, they'll need to enter a password before
> gaining access to any significant commands.

[cross-posted to comp.unix.bsd.freebsd.misc]

And now that everyone knows the rules.... they've been updated :-I
The reasoning is that too many people had problems with the security 
model.  Although it was a reasonable default, there was no way to 
allow easy access (if that's what a sysadm really wants).

Here are the new essentials (completed as of today).  They're pretty 
much the same as the proposal I posted to -hackers on Nov 3:

1.  The command "set users user-list" is introduced where user-list 
    is a list of user names.  The default is empty.  If users are 
    included in this list (or if your uid is 0), they may run ppp.  
    The check is done *before* the ppp section is loaded (and may 
    be part of the default label).  User "*" means anyone.
2.  The command "set modes mode-list" is introduced where mode-list 
    is a list of allowable modes from "auto", "background", "ddial", 
    "direct", "interactive", "dedicated" and "*".  This command 
    augments ``1.'' as the super-user may set up profiles that may 
    not be altered.  The default is "all modes".
3.  Permissions stay the same.  You've gotta be group network to have 
    a chance of running ppp at all.  This means that the default is 
    root only 'cos of file system permissions.
4.  No socket is created by default.

    1.  You *must* set a password in /etc/ppp/ppp.secret or on the 
        "set server" command line:
          set server|socket TcpPort|LocalName|none [passwd] [mask]
    2.  If you specify an empty password, you don't need to use the 
        ``passwd'' command.
    3.  You can -USR1 ppp to re-open the socket on 
        AF_INET:3000+tunno, but only if you've specified a password 
        (which may be empty) in ppp.secret.  You can -USR2 ppp to 
        stop ppp from listening to diagnostic connections.

5.  Pppctl can already handle the ppp prompt when it doesn't want a 
    password (ppp doesn't prompt or require the -p option).
6.  Pppctl has an ``interactive'' mode, taking away ``telnet''s 
    attraction.  Interactive mode uses libedit, allowing command line 
    editing.  Be careful though, due to a bug in -stable before 
    today, libedit dumps core when reading ~/.editrc.
7.  $HOME/.ppp.* are removed.  The "!include" command is added 
    instead, which understands ``~'' and environment variables.
8.  ID0 logging is available so that you can see what's being done as 
    user id 0.
9.  There's a pile of new examples in ppp.conf.sample.

As ever, all this is available on http://www.freebsd.org/~brian.  
Things seem to work ok, and there's even a working -dedicated mode 
now.  I have no plans to change any of this again if it's any 
consolation to people - I know it's a pain in the arse when this sort 
of thing changes.....

> - alex
> 

-- 
Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <bri@OpenBSD.org>
      <http://www.Awfulhak.org>;
Don't _EVER_ lose your sense of humour....
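The security model the message lays out, written out as an added configuration example; this is not Brian's text, the ppp.conf.sample he mentions, or anything else from the FreeBSD project. The command names "set users", "set modes" and "set server" are taken as the message describes them; the user name, the socket path, the password values and the space-separated list syntax are assumptions, and the passwords are placeholders to be replaced.

```conf
# /etc/ppp/ppp.conf  (added example, assumed layout: label line ending in ":",
# commands indented by one space; "default:" is loaded before any other label)
default:
 # ID0 logging is the new level from the message; "Phase" is an existing ppp log level.
 set log Phase ID0

 # Item 1: only this user (plus uid 0) may run ppp at all.  The check happens
 # before the requested section is loaded, which is why it lives in "default:".
 # (user-list assumed space-separated; "*" would mean anyone)
 set users alice

 # Item 2: restrict the modes a non-root user may start ppp in, so that a
 # "direct" or "interactive" session cannot be opened through this profile.
 set modes ddial background

 # Item 4: no diagnostic socket exists unless one is requested.  Requesting a
 # local socket with a password and a restrictive umask keeps the control
 # channel off the network entirely:
 #   LocalName = /var/run/ppp-ctl   passwd = CHANGE-ME   mask = 0177 (umask)
 set server /var/run/ppp-ctl CHANGE-ME 0177

 # Weaker alternative from item 4.2, shown for contrast and deliberately left
 # commented out: a TCP listener with an empty password accepts any local
 # connection to port 3000 without the "passwd" command.
 # set server 3000 ""

# "ppp -ddial home" from the thread selects this label.  Device and number are
# placeholders; modem chat and addressing are omitted here.
home:
 set device /dev/cuaa1
 set phone 5551234
```

The same password can instead come from /etc/ppp/ppp.secret, as the quoted reply describes: one line holding the unqualified host name, a TAB, and the password (for example `myhost<TAB>CHANGE-ME`), with the file owned by root and readable only by root. When the password is present there, `kill -USR1` on the ppp process re-opens the AF_INET listener on 3000+tunno and `kill -USR2` closes it again, as items 4.3 states; with a password set, pppctl prompts for it (or takes `-p`) before it hands over the command prompt.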