System Administration Guide: Network Services

Procedure: How to Create a PAP Credentials Database (Dial-in Server)

This procedure modifies the /etc/ppp/pap-secrets file, which contains the PAP security credentials that are used to authenticate callers on the link. /etc/ppp/pap-secrets must exist on both machines on a PPP link.

The sample PAP configuration that was introduced in Figure 16–3 uses the login option of PAP. If you plan to use this option, you might also need to update your network's password database. For more information about the login option, refer to Using the login Option With /etc/ppp/pap-secrets.

  1. Assemble a list of all potential trusted callers. Trusted callers are people to be granted permission to call the dial-in server from their remote machines.

  2. Verify that each trusted caller already has a UNIX user name and password in the dial-in server's password database.


    Note –

    Verification is particularly important for the sample PAP configuration, which uses the login option of PAP to authenticate callers. If you choose not to implement login for PAP, the callers' PAP user names do not have to correspond with their UNIX user names. For information about standard /etc/ppp/pap-secrets, refer to /etc/ppp/pap-secrets File.


    Do the following if a potential trusted caller does not have a UNIX user name and password:

    1. Confirm with their managers that callers whom you do not know personally have permission to access the dial-in server.

    2. Create UNIX user names and passwords for these callers in the manner that is directed by your corporate security policy.

  3. Become superuser on the dial-in server or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  4. Edit the /etc/ppp/pap-secrets file.

    Solaris PPP 4.0 provides a pap-secrets file in /etc/ppp that contains comments about how to use PAP authentication but no options. You can add the following options at the end of the comments.


    user1      myserver        ""          *
    user2      myserver        ""          *
    myserver   user2           serverpass  *
    

    To use the login option of /etc/ppp/pap-secrets, you must type the UNIX user name of each trusted caller. Wherever a set of double quotes ("") appears in the third field, the password for the caller is looked up in the server's password database.

    The entry myserver user2 serverpass * contains the PAP user name and password for the dial-in server. In Figure 16–3, the trusted caller user2 requires authentication from remote peers. Therefore, myserver's /etc/ppp/pap-secrets file contains PAP credentials for use when a link is established with user2.
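The check in step 2, applied to the file edited in step 4, as an added example that is not part of the original guide: the script lists callers whose entry uses "" in the third field but who have no account in a passwd-format file. The names pap_login_missing and pap_demo, the caller user3, and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Lists callers whose pap-secrets entry uses "" in the third field (login
# option) for the given server but who are absent from a passwd-format file.
# usage: pap_login_missing SECRETS_FILE PASSWD_FILE SERVER_NAME
pap_login_missing() {
    awk -v pw="$2" -v server="$3" '
        BEGIN {
            # Load the account names (first colon-separated field).
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                if (f[1] != "") known[f[1]] = 1
            }
            close(pw)
        }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        # Fields: caller, server, secret, permitted addresses.
        # A wildcard caller (*) names no single account, so it is skipped.
        ($2 == server || $2 == "*") && $3 == "\"\"" && $1 != "*" {
            if (!($1 in known)) print $1   # login lookup would fail
        }
    ' "$1" | sort -u
}

# Constructed sample data: the three entries from step 4 plus a hypothetical
# user3, and a passwd-format file that holds only user1 and user2.
pap_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pap-secrets" <<'EOF'
# constructed sample
user1      myserver        ""          *
user2      myserver        ""          *
user3      myserver        ""          *
myserver   user2           serverpass  *
EOF
    cat > "$dir/passwd" <<'EOF'
user1:x:1001:10:Caller One:/export/home/user1:/bin/sh
user2:x:1002:10:Caller Two:/export/home/user2:/bin/sh
EOF
    pap_login_missing "$dir/pap-secrets" "$dir/passwd" myserver
    rm -rf "$dir"
}

pap_demo
```

On a live server, the passwd-format input can be produced with getent passwd, which also covers accounts held in a name service.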

See Also

The following list provides references to related information.