From owner-freebsd-questions Mon Apr 7 05:21:17 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id FAA11443 for questions-outgoing; Mon, 7 Apr 1997 05:21:17 -0700 (PDT)
Received: from gatekeeper.barcode.co.il (gatekeeper.barcode.co.il [192.116.93.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA11436 for ; Mon, 7 Apr 1997 05:21:10 -0700 (PDT)
Received: (from smap@localhost) by gatekeeper.barcode.co.il (8.8.5/8.6.12) id PAA20651; Mon, 7 Apr 1997 15:19:52 +0300 (IDT)
X-Authentication-Warning: gatekeeper.barcode.co.il: smap set sender to using -f
Received: from localhost.barcode.co.il(127.0.0.1) by gatekeeper.barcode.co.il via smap (V1.3) id sma020649; Mon Apr 7 15:19:33 1997
Message-ID: <3348E63A.27B2@barcode.co.il>
Date: Mon, 07 Apr 1997 15:19:06 +0300
From: Nadav Eiron
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.5 sun4m)
MIME-Version: 1.0
To: John Clark
CC: questions@freebsd.org
Subject: Re: pppd vs. getty with inetd, security
References: <3.0.1.32.19970407065957.00ab4100@199.3.74.250>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

John Clark wrote:
>
> Hello,
>
> I have a modem on a FreeBSD host that I use to establish a PPP connection
> with remote clients. Currently, I have getty monitoring serial port 1 for
> incoming calls:
>
> ttyd1 "/usr/libexec/getty std.57600" dialup on insecure
>
> After logging in, I just start 'pppd' and all is well. However, this seems
> to be a waste of resources (a shell), and also adds another layer of
> software between the modem and the pppd code. Therefore, I have been
> experimenting with the following line in /etc/ttys:
>
> cuaa1 "/usr/sbin/pppd /dev/cuaa1 57600 -detach" unknown on
>
> This really works great, but there is no security here -- anyone can call
> in without login confirmation. How do I implement security with this
> approach? You say CHAP / PAP? Well, I have never used either -- the
> password protection of the shell has been sufficient to date. I also need
> to login with various clients which may not have such advanced protocols.
> Is there a way to have pppd prompt for a login/password?
>
> Any advice on this issue would be appreciated...
>
> Thanks,
>
> John Clark
> [email@john.net]

Have a user whose shell is pppd (or more appropriately a script that calls
pppd with the right parameters), and use getty as you use now. This would
make the login sequence the same, only you won't have the option of doing
anything other than running pppd with that user.

Nadav
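
One way to write the wrapper script the reply above describes, as an added example that is not part of the original thread. The script name `ppplogin`, its install path and the account entry are hypothetical; the speed and `-detach` option are taken from the `/etc/ttys` line quoted in the question.

```shell
#!/bin/sh
# ppplogin - hypothetical restricted login shell for dial-in PPP accounts.
# Added example, not from the thread. Assumed setup:
#   /etc/ttys keeps the getty line from the question:
#     ttyd1 "/usr/libexec/getty std.57600" dialup on insecure
#   the PPP account's shell field is /usr/local/sbin/ppplogin (hypothetical path),
#   and the file is owned by root and not writable by the PPP user.

PPPD=/usr/sbin/pppd

# Print the fixed pppd command line. Any arguments are deliberately ignored,
# so something like "su pppuser -c sh" cannot add options or commands.
# No device is named: pppd then uses the terminal on standard input, which is
# the line that getty and login have just authenticated.
ppp_command() {
    echo "$PPPD 57600 -detach"
}

main() {
    # Start from a known environment instead of whatever login passed in.
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    export PATH
    unset IFS ENV

    # Refuse to run without a terminal (for example from cron or rsh).
    if [ ! -t 0 ]; then
        echo "ppplogin: standard input is not a terminal" >&2
        exit 1
    fi

    # exec replaces this shell with pppd, so no prompt is left behind:
    # when pppd exits, the login session ends and getty takes the line again.
    exec $(ppp_command)
}

# Run only when invoked under the wrapper's own name (as a login shell).
case "${0##*/}" in
    ppplogin|-ppplogin) main "$@" ;;
esac
```
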