From owner-freebsd-questions Mon Apr 7 05:37:43 1997
Date: Mon, 07 Apr 1997 07:37:41
To: Nadav Eiron
From: John Clark
Subject: Re: pppd vs. getty with inetd, security
Cc: questions@freebsd.org

At 03:19 PM 4/7/97 +0300, Nadav Eiron wrote:
>John Clark wrote:
>>
>> Hello,
>>
>> I have a modem on a FreeBSD host that I use to establish a PPP connection
>> with remote clients. Currently, I have getty monitoring serial port 1 for
>> incoming calls:
>>
>> ttyd1 "/usr/libexec/getty std.57600" dialup on insecure
>>
>> After logging in, I just start 'pppd' and all is well. However, this seems
>> to be a waste of resources (a shell), and also adds another layer of
>> software between the modem and the pppd code. Therefore, I have been
>> experimenting with the following line in /etc/ttys:
>>
>> cuaa1 "/usr/sbin/pppd /dev/cuaa1 57600 -detach" unknown on
>>
>> This really works great, but there is no security here -- anyone can call
>> in without login confirmation. How do I implement security with this
>> approach? You say CHAP / PAP? Well, I have never used either -- the
>> password protection of the shell has been sufficient to date. I also need
>> to log in with various clients which may not have such advanced protocols.
>> Is there a way to have pppd prompt for a login/password?
>>
>> Any advice on this issue would be appreciated...
>>
>> Thanks,
>>
>> John Clark
>> [email@john.net]
>
>Have a user whose shell is pppd (or more appropriately a script that
>calls pppd with the right parameters), and use getty as you use now.
>This would make the login sequence the same, only you won't have the
>option of doing anything other than running pppd with that user.
>
>Nadav

Yes, of course. Thanks.

John Clark
[email@john.net]
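
The arrangement suggested in the reply, sketched as an added example (not code from the thread): a wrapper script set as the dial-in account's login shell, so getty and login still perform the password check and the account can run nothing except pppd. The script name `ppp-login`, its install path and the refusal checks are assumptions; the pppd path and `-detach` come from the /etc/ttys line quoted in the question.

```shell
#!/bin/sh
# ppp-login: restricted login "shell" for a dial-in PPP account (added example).
# Assumed install path: /usr/local/sbin/ppp-login (hypothetical). Set it as the
# login shell of the dial-in user and keep the existing getty line in /etc/ttys.

PPPD=/usr/sbin/pppd    # pppd path as it appears in the thread

# Decide whether this invocation may start pppd. Returns 0 to allow.
#   $1 = number of arguments the "shell" was started with
#   $2 = "tty" if stdin is a terminal, anything else otherwise
ppp_login_allowed() {
    # login(1) starts the shell with no arguments. "shell -c command" comes
    # from su or remote command execution and must never reach pppd.
    [ "$1" -eq 0 ] || return 1
    # With no device name pppd uses the terminal on stdin, so require one.
    [ "$2" = tty ] || return 2
    return 0
}

main() {
    # Fixed, minimal environment: nothing inherited from the caller matters.
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    export PATH
    unset ENV IFS

    if [ -t 0 ]; then stdin=tty; else stdin=notty; fi

    if ! ppp_login_allowed "$#" "$stdin"; then
        echo "ppp-login: refused" >&2
        exit 1
    fi

    # exec replaces this script with pppd: no shell is left behind to fall
    # back to when pppd exits, and no caller-supplied option is passed on.
    exec "$PPPD" -detach
}

# Run only when invoked under its own name, so the functions above can be
# sourced and checked without starting pppd.
case "$0" in
    *ppp-login) main "$@" ;;
esac
```
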