Configuring PAP Authentication

The tasks in this section explain how to implement authentication on a PPP link by using the Password Authentication Protocol (PAP). The tasks use the example that is shown in Example—PPP Authentication Configurations to illustrate a working PAP scenario for a dial-up link. Use the instructions as the basis for implementing PAP authentication at your site.

Before you perform the next procedures, you must have done the following:

• Set up and tested the dial-up link between the dial-in server and dial-out machines that belong to trusted callers

• Ideally, for dial-in server authentication, obtained superuser permission for the machine where the network password database (in LDAP, NIS, NIS+, or local files) is administered

• Obtained superuser authority for the local machine, either dial-in server or dial-out machine

Setting Up PAP Authentication (Task Maps)

Use the next task maps to quickly access PAP-related tasks for the dial-in server and trusted callers on dial-out machines.

Table 33–2 Task Map for PAP Authentication (Dial-in Server)

Task	Description	For Instructions
1. Gather preconfiguration information	Collect data, such as user names, that is needed for authentication.	Planning for Authentication on a Link
2. Update the password database, if necessary	Ensure that all potential callers are in the server's password database.	How to Create a PAP Credentials Database (Dial-in Server)
3. Create the PAP database	Create security credentials for all prospective callers in /etc/ppp/pap-secrets.	How to Create a PAP Credentials Database (Dial-in Server)
4. Modify the PPP configuration files	Add options specific to PAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files.	How to Add PAP Support to the PPP Configuration Files (Dial-in Server)

Table 33–3 Task Map for PAP Authentication (Dial-out Machine)

Task	Description	For Instructions
1. Gather preconfiguration information	Collect data, such as user names that is needed for authentication.	Planning for Authentication on a Link
2. Create the PAP database for the trusted caller's machine	Create the security credentials for the trusted caller and, if necessary, security credentials for other users who call the dial-out machine, in /etc/ppp/pap-secrets.	How to Configure PAP Authentication Credentials for the Trusted Callers
3. Modify the PPP configuration files	Add options specific to PAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files.	How to Add PAP Support to the PPP Configuration Files (Dial-out Machine)

Configuring PAP Authentication on the Dial-in Server

To set up PAP authentication, you must do the following:

• Create a PAP credentials database

• Modify PPP configuration files for PAP support

How to Create a PAP Credentials Database (Dial-in Server)

This procedure modifies the /etc/ppp/pap-secrets file, which contains the PAP security credentials that are used to authenticate callers on the link. /etc/ppp/pap-secrets must exist on both machines on a PPP link.

The sample PAP configuration that was introduced in Figure 30–3 uses the login option of PAP. If you plan to use this option, you might also need to update your network's password database. For more information on the login option, refer to Using the login Option With /etc/ppp/pap-secrets.

1. Assemble a list of all potential trusted callers—people to be granted permission to call the dial-in server from their remote machines.

2. Verify that each trusted caller already has a UNIX user name and password in the dial-in server's password database.

   ---

   Note –

   This is particularly important for the sample PAP configuration, which uses login option of PAP to authenticate callers. If you choose not to implement login for PAP, the callers' PAP user names do not have to correspond with their UNIX user names. For information on standard /etc/ppp/pap-secrets, refer to /etc/ppp/pap-secrets File.

   ---

   Do the following if a potential trusted caller does not have a UNIX user name and password:

   1. For callers that you do not know, confirm with their managers or other system administrators that these remote users are permitted to access the dial-in server.

   2. Create UNIX user names and passwords for these callers in the manner that is directed by your corporate security policy.

3. Become superuser on the dial-in server, and edit the /etc/ppp/pap-secrets file.

   Solaris PPP 4.0 provides a pap-secrets file in /etc/ppp that contains comments about how to use PAP authentication but no options. You can add the following options at the end of the comments.

   # user1 myserver "" * user2 myserver "" * myserver user2 serverpass *

   To use the login option of /etc/ppp/pap-secrets, you must type the UNIX user name of each trusted caller. Wherever a set of double quotes (““) appears in the third field, the password for the caller is looked up in the server's password database.

   The entry myserver * serverpass * contains the PAP user name and password for the dial-in server. In Figure 30–3, the trusted caller user2 requires authentication from remote peers. Therefore, myserver's /etc/ppp/pap-secrets file contains PAP credentials for use when a link is established with user2.

Where to Go From Here

Task	For Instructions
Modify the PPP configuration files to support PAP authentication	Modifying the PPP Configuration Files for PAP (Dial-in Server)
Set up PAP authentication on the dial-out machines of trusted callers	Configuring PAP Authentication for Trusted Callers (Dial-out Machines)

Modifying the PPP Configuration Files for PAP (Dial-in Server)

The tasks in this section explain how to update existing PPP configuration files to support PAP authentication on the dial-in server.

How to Add PAP Support to the PPP Configuration Files (Dial-in Server)

The procedure uses the PPP configuration files that were introduced in How to Define Communications Over the Serial Line (Dial-in Server) as examples.

1. Log in to the dial-in server as superuser.

2. Add authentication options to the /etc/ppp/options file.

   For example, you would add the options in bold to an existing /etc/ppp/optionsfile to implement PAP authentication:

   lock idle 120 nodefaultroute name myserver auth require-pap user myserver remotename user2 login

   name myserver	Sets myserver as the PAP name of the user on the local machine. If the login option is used, the PAP name must be the same as the user's UNIX user name in the password database.
   auth	States that the server must authenticate callers before establishing the link.
   require-pap	Requires callers to provide PAP credentials.
   user myserver	Defines myserver as the user name of the local machine.
   remotename user2	Defines user2 as a peer that requires authentication credentials from the local machine.
   login	Specifies that the local machine must use the login option of PAP for authentication, wherever it is called for in the /etc/ppp/pap-secrets file.

3. Create an /etc/ppp/options.ttyname file, as described in How to Define Communications Over the Serial Line.

4. Set up the $HOME/.ppprc file for each remote caller, as explained in How to Configure Users of the Dial-in Server.

Where to Go From Here

Task	For Instructions
Configure PAP authentication credentials for trusted callers of the dial-in server	Configuring PAP Authentication for Trusted Callers (Dial-out Machines)

Configuring PAP Authentication for Trusted Callers (Dial-out Machines)

This section contains tasks for setting up PAP authentication on the dial-out machines of trusted callers. As system administrator, you can set up PAP authentication on the machines before distributing them to the prospective callers. Or, if the remote callers already have their machines, you can give them the tasks in this section.

Configuring PAP for trusted callers involves two tasks:

• Configuring the callers' PAP security credentials

• Configuring the callers' dial-out machines to support PAP authentication

How to Configure PAP Authentication Credentials for the Trusted Callers

This procedure shows how to set up PAP credentials for two trusted callers, one of which requires authentication credentials from remote peers. The steps in the procedure assume that you, the system administrator, are creating the PAP credentials on the trusted callers' dial-out machines.

1. Become superuser on a dial-out machine.

   Using the sample PAP configuration that was introduced in Figure 30–3, assume that the dial-out machine belongs to user1.

2. Modify the pap-secrets database for the caller.

   Solaris PPP 4.0 provides an /etc/ppp/pap-secrets file that contains helpful comments but no options. You can add the following options to this /etc/ppp/pap-secrets file.

   # user1 myserver pass1 *

   Note that user1's password pass1 is passed in readable ASCII form over the link. myserver is caller user1's name for the peer.

3. Become superuser on another dial-out machine.

   Using the PAP authentication example, assume that this dial-out machine belongs to the caller user2.

4. Modify the pap-secrets database for the caller.

   You can add the next options to the end of the existing /etc/ppp/pap-secrets file.

   # user2 myserver pass2 * myserver user2 serverpass *

   In this example, /etc/ppp/pap-secrets has two entries. The first entry contains the PAP security credentials that user2 passes to dial-in server myserver for authentication.

   user2 requires PAP credentials from the dial-in server as part of link negotiation. Therefore, the /etc/ppp/pap-secrets also contains PAP credentials that are expected from myserver on the second line.

   ---

   Note –

   Most ISPs do not supply authentication credentials, so the scenario just discussed is not realistic for them.

   ---

Where to Go From Here

Task	Instructions
Create PAP credentials for additional callers	How to Create a PAP Credentials Database (Dial-in Server)
Configure a dial-out machine to support PAP authentication	How to Configure PAP Authentication Credentials for the Trusted Callers

Modifying PPP Configuration Files for PAP (Dial-out Machine)

The tasks in this section explain how to update existing PPP configuration files to support PAP authentication on the dial-out machines of trusted callers.

The procedure uses the following parameters to configure PAP authentication on the dial-out machine that belongs to user2, who was introduced in Figure 30–3. user2 requires incoming callers to authenticate, including calls from dial-in myserver.

How to Add PAP Support to the PPP Configuration Files (Dial-out Machine)

This procedure uses the PPP configuration files that were introduced in How to Define Communications Over the Serial Line as examples. The procedure configures the dial-out machine that belongs to user2, as shown in Figure 30–3.

1. Log in to the dial-out machine as superuser.

2. Modify the /etc/ppp/options file.

   The next /etc/ppp/options file contains options for PAP support, which are shown in bold.

   #vi /etc/ppp/options lock nodefaultroute name user2 auth require-pap

   name user2	Sets user2 as the PAP name of the user on the local machine. If the login option is used, the PAP name must be the same as the user's UNIX user name in the password database.
   auth	States that the dial-out machine must authenticate callers before establishing the link.
   require-pap	Requires peers to provide PAP credentials when returning the call from the dial-out machine.

3. Create an /etc/ppp/peers/peer-name file for the remote machine myserver.

   The next sample shows how to add PAP support to the existing /etc/ppp/peers/myserver file that was created in How to Define the Connection With an Individual Peer.

   # cd /etc/ppp # mkdir peers # cd peers # vi myserver /dev/cua/a 57600 noipdefault defaultroute idle 120 user user2 remotename myserver connect "chat -U 'mypassword' -f /etc/ppp/mychat"

   The new options in bold add PAP requirements for peer myserver.

   user user2	Defines user2 as the user name of the local machine
   remotename myserver	Defines myserver as a peer that requires authentication credentials from the local machine

Where to Go From Here

Task	For Instructions
Test the PAP authentication setup by calling the dial-in server	Procedures for calling the dial-in server, How to Call the Dial-in Server
Learn more about PAP authentication	Password Authentication Protocol (PAP)