From owner-freebsd-security  Fri Dec 29 00:42:01 1995
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id AAA07554
          for security-outgoing; Fri, 29 Dec 1995 00:42:01 -0800 (PST)
Received: from agora.rdrop.com (root@agora.rdrop.com [199.2.210.241])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id AAA07548
          for <freebsd-security@freebsd.org>; Fri, 29 Dec 1995 00:41:57 -0800 (PST)
Received: by agora.rdrop.com (Smail3.1.29.1 #17)
	id m0tVaNo-000AlEC; Fri, 29 Dec 95 00:41 PST
Message-Id: <m0tVaNo-000AlEC@agora.rdrop.com>
From: batie@agora.rdrop.com (Alan Batie)
Subject: Secure PPP configuration?
To: freebsd-security@freebsd.org
Date: Fri, 29 Dec 1995 00:41:48 -0800 (PST)
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

I'm trying to get PPP services working on my public access system (until
now, it's only supported SLIP).  After reviewing the documentation, I find
there are altogether too many options and configuration files for me to be
comfortable that my users can't override them somehow, so I would like some
guidance.

Design Goal:

1.  IP address assigned based on tty
2.  Authenticate user via password file
3.  Allow negotiation of TCP/IP parameters which don't affect security,
    in particular, VJ compression
4.  Disallow all others, in particular IP address, netmask and defaultroute.

Strategy:

Set all options in options.ttyxx file, which seems to get read last:

auth
crtscts
mtu xxx
mru xxx
netmask xxx
localip:remoteip
-all
+pap
login
noipdefault

Questionable options:

-defaultroute
ac
pc
vj

The above all have the reverse use of the "-" as the man page suggests
(i.e. defaultroute tells it to install a default route, but doesn't say
the using the - explicitly tells it not to, and similarly, -vj disables
vj compression negotiation, but doesn't say that "vj" enables it.)

I want to use PAP instead of CHAP because I do not want any cleartext
password files online.

Each user will run pppd under their own uid, so that it's easier to track
logins.  As a result, they will be able to install ~/.ppprc files if they
want.

Is there something I've overlooked, misinterpreted or just plain screwed up?

Thanks...

-- 
Alan Batie                            ______
batie@agora.rdrop.com                 \    /      Freedom for me to be and do
+1 503 452-0960                        \  /       only what *you* approve of
45 28 59 N / 122 43 20 W / 440' MSL     \/        is no freedom at all.

It is my policy to avoid purchase of any products from companies which use
unrequested email advertisements or telephone solicitation.