1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
|
<chapter id="chap-and-pap">
<title><acronym>PAP</acronym> and <acronym>CHAP</acronym></title>
<para>Starting with version 0.9.1, &kppp; has supported directly the most
commonly used form of <acronym>PAP</acronym> authentication. </para>
<sect1 id="pap-with-kppp">
<title><acronym>PAP</acronym> with &kppp;</title>
<para>There are two different ways to use <acronym>PAP</acronym>.</para>
<sect2 id="client-side-authentication">
<title>Client side authentication</title>
<para>This variant is used by many commercial <acronym>ISP</acronym>'s. It
basically means that you (or rather, your computer) must authenticate yourself
to the <acronym>ISP</acronym>'s <acronym>PPP</acronym> server. The
<acronym>PPP</acronym> server does not need to authenticate itself to your
computer. This is no security issue, as you should know which computer you just
tried to dial to.</para>
<para>If your <acronym>ISP</acronym> gives you a username and password, and
tells you to use <acronym>PAP</acronym> authentication, this is the variant you
should choose.</para>
</sect2>
<sect2 id="two-way-authentication">
<title>Two way authentication</title>
<para>As above, but in this case your computer requires the
<acronym>ISP</acronym> <acronym>PPP</acronym> server to authenticate itself. In
order to establish a connection, you must chose the authentication method
<guilabel>Script based</guilabel>, not <guilabel>PAP</guilabel>, and you will
have to manually edit <filename>/etc/ppp/pap-secrets</filename>. While &kppp;
doesn't provide built in support for this variant, it is nevertheless easy to
establish a connection.</para>
</sect2>
<sect2 id="preparing-kppp-for-pap">
<title>Preparing &kppp; for <acronym>PAP</acronym></title>
<procedure>
<step>
<para>Make sure that the file <filename>/etc/ppp/options</filename> (and
<filename>˜/.ppprc</filename> if it exists) do <emphasis>not</emphasis>
contain one of the following arguments:</para>
<itemizedlist>
<listitem>
<para><option>+pap</option></para>
</listitem>
<listitem>
<para><option>-pap</option></para>
</listitem>
<listitem>
<para><option>papcrypt</option></para>
</listitem>
<listitem>
<para><option>+chap</option></para>
</listitem>
<listitem>
<para><option>+chap</option></para>
</listitem>
<listitem>
<para><option>+ua</option></para>
</listitem>
<listitem>
<para><option>remotename</option></para>
</listitem>
</itemizedlist>
<para>It is very unlikely that any of these options are already there, but just
to be sure, please check.</para>
</step>
<step>
<para>Start &kppp;</para>
</step>
<step>
<para>Click <guibutton>Setup</guibutton></para>
</step>
<step>
<para>Choose the account you want to use <acronym>PAP</acronym> with and click
<guibutton>Edit</guibutton></para>
</step>
<step>
<para>Choose the <guilabel>Dial</guilabel> tab</para>
</step>
<step>
<para>Select <acronym>PAP</acronym> in the <guilabel>Authentication</guilabel>
drop down box.</para>
</step>
<step>
<para>If you do not want to retype the password each time you dial in, select
<guilabel>Store password</guilabel>. This will save the password to a file, so
make sure that nobody else has access to your account.</para>
</step>
<step>
<para>That's it. Close the dialogs, type in the username and password your
<acronym>ISP</acronym> supplied, and click
<guibutton>Connect</guibutton>.</para>
</step>
</procedure>
</sect2>
</sect1>
<sect1 id="pap-and-chap-alternate-method">
<title>An alternative method of using <acronym>PAP</acronym> and
<acronym>CHAP</acronym> with &kppp;</title>
<para>This section is based on an email from Keith Brown
<email>kbrown@pdq.net</email> and explains how to make &kppp; work with a
generic <acronym>PAP</acronym> or <acronym>CHAP</acronym> account. If your
<acronym>ISP</acronym> just gave you a user id and a password for an account,
you probably can skip this section, and the instructions in the previous one
will be all you need.</para>
<para><acronym>PAP</acronym> seems a lot more complicated at first glance than
it really is. The server (the machine you are connecting to) basically tells
the client (your machine) to authenticate using <acronym>PAP</acronym>. The
client (<application>pppd</application>) looks in a specific file for an entry
that contains a matching server name, and a client name for this connection, and
then sends the password it finds there. That's about it!</para>
<para>Now here's how to make that happen. I am assuming a
<acronym>pppd</acronym> version of 2.2.x or better and a standard installation
of configuration files under <filename
class="directory">/etc/ppp</filename>.</para>
<para>For the purposes of illustration, imagine that you have an internet
account with <systemitem>glob.net</systemitem> with the username
<systemitem>userbaz</systemitem> and the password
<literal>foobar</literal></para>
<para>First, you need to add all this to a file called
<filename>/etc/ppp/pap-secrets</filename>. The format of an entry for our
purposes is:</para>
<screen><userinput>USERNAME SERVERNAME PASSWORD</userinput></screen>
<para>So you would add the following line to
<filename>/etc/ppp/pap-secrets</filename> and then save it :</para>
<screen><userinput>userbaz glob foobar</userinput></screen>
<note>
<para>You can use any name for the server you wish, so long as you use the
same name in the <application>pppd</application> arguments, as you'll see
shortly. Here it's been shortened to <userinput>glob</userinput>, but this name
is only used to locate the correct password.</para>
</note>
<para>Next you need to set up the connection in &kppp;. The basics are the same
as any other connection, so we won't go into details here, except to say that
you probably want to make sure that <filename>/etc/ppp/options</filename> is
empty, and you don't want to create a login script either.</para>
<para>In the &kppp; settings dialog, at the bottom of the
<guilabel>Dial</guilabel> tab, is a <guibutton>pppd arguments</guibutton>
button. This brings up an editing dialog. Here you can enter values that will
be sent to <application>pppd</application> as command line arguments, and in the
case of multiple value arguments, you need to enter each value as a separate
entry in the listbox, in the correct order.</para>
<para>You can put in any other arguments you want first. Then add the arguments
that <application>pppd</application> uses to handle <acronym>PAP</acronym>
authentication. In this example, we are going to add
<userinput>user</userinput>, <userinput>userbaz</userinput>,
<userinput>remotename</userinput> and <userinput>glob</userinput> in that
order.</para>
<para>The <option>user</option> tells the <application>pppd</application> what
user name to look for in the <filename>pap-secrets</filename> file and then to
send to the server. The remotename is used by <application>pppd</application>
to match the entry in the <filename>pap-secrets</filename> file, so again, it
can be anything you want so long as it is consistent with the entry in the
<filename>pap-secrets</filename> file.</para>
<para>That's all there is to it, and you should now be able to set up your own
connection to a server with <acronym>PAP</acronym> authentication.
<acronym>CHAP</acronym> is not much different. You can see the &Linux; Network
Administrators Guide for a <filename>chap-secrets</filename> file format, and
the <application>pppd</application> arguments used, and the rest should be
simple.</para>
</sect1>
</chapter>
|
