Date: Fri, 29 Dec 1995 00:41:48 -0800 (PST)
From: batie@agora.rdrop.com (Alan Batie)
To: freebsd-security@freebsd.org
Subject: Secure PPP configuration?
Message-ID: <m0tVaNo-000AlEC@agora.rdrop.com>

I'm trying to get PPP services working on my public access system (until
now, it's only supported SLIP).  After reviewing the documentation, I find
there are altogether too many options and configuration files for me to be
comfortable that my users can't override them somehow, so I would like
some guidance.

Design Goal:

1. IP address assigned based on tty
2. Authenticate user via password file
3. Allow negotiation of TCP/IP parameters which don't affect security,
   in particular, VJ compression
4. Disallow all others, in particular IP address, netmask and defaultroute.

Strategy:

Set all options in options.ttyxx file, which seems to get read last:

    auth
    crtscts
    mtu xxx
    mru xxx
    netmask xxx
    localip:remoteip
    -all
    +pap
    login
    noipdefault

Questionable options:

    -defaultroute
    ac
    pc
    vj

The above all have the reverse use of the "-" as the man page suggests
(i.e. defaultroute tells it to install a default route, but doesn't say
that using the - explicitly tells it not to, and similarly, -vj disables vj
compression negotiation, but doesn't say that "vj" enables it.)

I want to use PAP instead of CHAP because I do not want any cleartext
password files online.

Each user will run pppd under their own uid, so that it's easier to track
logins.  As a result, they will be able to install ~/.ppprc files if they
want.

Is there something I've overlooked, misinterpreted or just plain screwed up?

Thanks...

-- 
Alan Batie                            ______  batie@agora.rdrop.com
                                      \    /  Freedom for me to be and do
+1 503 452-0960                        \  /   only what *you* approve of
45 28 59 N / 122 43 20 W / 440' MSL     \/    is no freedom at all.

It is my policy to avoid purchase of any products from companies which
use unrequested email advertisements or telephone solicitation.
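
Added example, not part of the original message: a small Python check of the strategy described above, showing which security-relevant options would keep a value from ~/.ppprc because options.ttyxx never restates them. It assumes a simplified model in which files are read in the listed order and the last occurrence of an option wins (real pppd precedence may differ); the function names, file contents, addresses and sizes are constructed, and only the option names come from the post.

```python
# Added example. Model assumed here: files are read in the listed order and
# the last occurrence of an option wins. Real pppd behaviour may differ.

# Option families the post wants pinned ("+"/"-" prefixes stripped).
CRITICAL = ("ipaddr", "netmask", "defaultroute", "noipdefault",
            "auth", "pap", "login")
TAKES_ARG = {"netmask", "mtu", "mru"}   # options followed by a value

def families(text):
    """Yield the option family of each option word in an options file."""
    words = [w for line in text.splitlines()
             for w in line.split("#", 1)[0].split()]
    i = 0
    while i < len(words):
        word = words[i]
        # A local:remote pair is the IP address option.
        fam = "ipaddr" if ":" in word else word.lstrip("+-")
        yield fam
        i += 2 if fam in TAKES_ARG else 1

def last_writer(sources):
    """Map each critical family to the name of the source that set it last."""
    owner = {}
    for name, text in sources:            # read order, earliest first
        for fam in families(text):
            if fam in CRITICAL:
                owner[fam] = name
    return owner

def not_pinned(sources, trusted):
    """Critical families whose final value does not come from `trusted`."""
    owner = last_writer(sources)
    return {f: owner.get(f, "unset")
            for f in CRITICAL if owner.get(f) != trusted}

# Constructed sample files; addresses, masks and sizes stand in for "xxx".
USER_RC = "defaultroute\nnetmask 255.255.0.0\n192.0.2.99:192.0.2.1\n-vj\n"
TTY_OPTS = ("auth crtscts mtu 1500 mru 1500 netmask 255.255.255.0\n"
            "192.0.2.1:192.0.2.17 -all +pap login noipdefault\n")
TTY_FIXED = TTY_OPTS + "-defaultroute\n"   # strategy list plus -defaultroute

SOURCES = [("~/.ppprc", USER_RC), ("options.ttyxx", TTY_OPTS)]

if __name__ == "__main__":
    for fam, who in not_pinned(SOURCES, "options.ttyxx").items():
        print(f"{fam}: final value comes from {who}")
```

With the strategy list as posted, the only family reported is defaultroute, which is on the "questionable" list rather than in the tty file; adding -defaultroute to options.ttyxx clears the report under this model.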