The CHAP database is implemented in the /etc/ppp/chap-secrets file. Machines on both sides of the PPP link must have each others' CHAP credentials in their /etc/ppp/chap-secrets files for successful authentication.
Unlike PAP, the shared secret must be in the clear on both peers. You cannot use crypt, PAM, or the PPP login option with CHAP.
The /etc/ppp/chap-secrets file has the following syntax.
myclient myserver secret5748 * |
The parameters have the following meanings:
CHAP user name of the caller. This name can be the same as or different from the caller's UNIX user name.
Name of the remote machine, often a dial-in server.
Caller's CHAP secret.
Unlike PAP passwords, CHAP secrets are never sent over the link. Rather, CHAP secrets are used when the local machines compute the response.
IP address that is associated with the caller. Use an asterisk (*) to indicate any IP address.