Date:      Fri, 29 Dec 1995 00:41:48 -0800 (PST)
From:      batie@agora.rdrop.com (Alan Batie)
To:        freebsd-security@freebsd.org
Subject:   Secure PPP configuration?
Message-ID:  <m0tVaNo-000AlEC@agora.rdrop.com>


I'm trying to get PPP services working on my public access system (until
now, it's only supported SLIP).  After reviewing the documentation, I find
there are altogether too many options and configuration files for me to be
comfortable that my users can't override them somehow, so I would like some
guidance.

Design Goal:

1.  IP address assigned based on tty
2.  Authenticate user via password file
3.  Allow negotiation of TCP/IP parameters which don't affect security,
    in particular, VJ compression
4.  Disallow all others, in particular IP address, netmask and defaultroute.

Strategy:

Set all options in options.ttyxx file, which seems to get read last:

auth
crtscts
mtu xxx
mru xxx
netmask xxx
localip:remoteip
-all
+pap
login
noipdefault

Questionable options:

-defaultroute
ac
pc
vj

The above all have the reverse use of the "-" as the man page suggests
(i.e. defaultroute tells it to install a default route, but doesn't say
that using the - explicitly tells it not to, and similarly, -vj disables
vj compression negotiation, but doesn't say that "vj" enables it.)

I want to use PAP instead of CHAP because I do not want any cleartext
password files online.

Each user will run pppd under their own uid, so that it's easier to track
logins.  As a result, they will be able to install ~/.ppprc files if they
want.

Is there something I've overlooked, misinterpreted or just plain screwed up?

Thanks...

-- 
Alan Batie                            ______
batie@agora.rdrop.com                 \    /      Freedom for me to be and do
+1 503 452-0960                        \  /       only what *you* approve of
45 28 59 N / 122 43 20 W / 440' MSL     \/        is no freedom at all.

It is my policy to avoid purchase of any products from companies which use
unrequested email advertisements or telephone solicitation.
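
As an added example, not part of the original message: a small Python audit that scans the text of a user's ~/.ppprc for options that conflict with design goals 3 and 4 above. The option names and categories are taken from the post; the function names, the sample file, and the policy of flagging everything else for review are assumptions, and this does not reproduce pppd's own option handling.

```python
import re

# Assumptions: option names and categories come from the post's design goals;
# this is an illustrative audit, not pppd's own option handling. Quoted words
# and backslash escapes in the options file are not handled.
ALLOWED = {"vj", "-vj"}                        # goal 3: VJ compression
TAKES_ARG = {"netmask", "mtu", "mru"}          # options that consume the next word
ADDR_RE = re.compile(r"^[\w.\-]*:[\w.\-]*$")   # localip:remoteip, either side optional


def tokens(text):
    """Yield (line_no, word); '#' starts a comment, words are whitespace-separated."""
    for line_no, line in enumerate(text.splitlines(), 1):
        for word in line.split("#", 1)[0].split():
            yield line_no, word


def audit_ppprc(text):
    """Return (line_no, option, verdict) for each option outside the allowlist."""
    stream, findings, i = list(tokens(text)), [], 0
    while i < len(stream):
        line_no, word = stream[i]
        option = word
        if word in TAKES_ARG and i + 1 < len(stream):
            i += 1
            option = word + " " + stream[i][1]
        if ADDR_RE.match(word):
            findings.append((line_no, option, "goal 4: sets IP address"))
        elif word == "netmask":
            findings.append((line_no, option, "goal 4: sets netmask"))
        elif word.lstrip("+-") == "defaultroute":
            findings.append((line_no, option, "goal 4: touches default route"))
        elif word not in ALLOWED:
            findings.append((line_no, option, "not on allowlist: review"))
        i += 1
    return findings


SAMPLE = """\
# constructed ~/.ppprc, for illustration only
-vj
defaultroute
192.0.2.10:192.0.2.20   # user tries to choose addresses
netmask 255.255.0.0
mru 296
"""

if __name__ == "__main__":
    for finding in audit_ppprc(SAMPLE):
        print(*finding, sep="\t")
```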

