The PAP database is implemented in the /etc/ppp/pap-secrets file. Machines on both sides of the PPP link must have properly configured PAP credentials in their /etc/ppp/pap-secrets files for successful authentication. The caller (authenticatee) supplies credentials in the user and password columns of the /etc/ppp/pap-secrets file or in the obsolete +ua file. The server (authenticator) validates these credentials against information in /etc/ppp/pap-secrets, through the UNIX passwd database, or the PAM facility.
The /etc/ppp/pap-secrets file has the following syntax.
Table 36–5 Syntax of /etc/ppp/pap-secrets

Caller | Server | Password | IP Addresses |
---|---|---|---|
myclient | ISP-server | mypassword | * |

The parameters have the following meaning:

Parameter | Meaning |
---|---|
myclient | PAP user name of the caller. Often this name is identical to the caller's UNIX user name, particularly if the dial-in server uses the login option of PAP. |
ISP-server | Name of the remote machine, often a dial-in server. |
mypassword | Caller's PAP password. |
IP address | IP address that is associated with the caller. Use an asterisk (*) to indicate any IP address. |

PAP passwords are sent over the link in the clear (in readable ASCII format). For the caller (authenticatee), the PAP password must be stored in the clear in any of the following locations:
- In /etc/ppp/pap-secrets
- In another external file
- In a named pipe through the pap-secrets @ feature
- As an option to pppd, either on the command line or in a PPP configuration file
- Through the +ua file
On the server (authenticator), the PAP password can be hidden by doing one of the following:
- Specifying papcrypt and using passwords that are hashed by crypt(3C) in the pap-secrets file.
- Specifying the login option to pppd and omitting the password from the pap-secrets file by placing double quotes ("") in the password column. In this instance, authentication is done through the UNIX passwd database or the pam(3pam) mechanism.
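
The following is an added example, not part of the original documentation: a small audit script that parses pap-secrets entries and reports how each password column is stored, so cleartext secrets on a server stand out. The function names, the sample entries, and the pattern used to recognize crypt(3C) output are assumptions made for illustration.

```python
import re
import shlex

# Heuristic (assumption): crypt(3C) output is either a 13-character traditional
# hash or has the $id$salt$hash shape. A 13-character cleartext password made
# of the same characters would be misread as a hash.
CRYPT_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|\$[0-9a-z]+\$[^$]*\$[./0-9A-Za-z]+)$")

# Constructed sample entries, not taken from any real system.
SAMPLE = '''\
# caller   server      password                         IP addresses
myclient   ISP-server  mypassword                       *
user1      ISP-server  ""                               *
user2      ISP-server  $1$salt$abcdefghijklmnopqrstuv   10.0.0.2
user3      ISP-server  @/etc/ppp/user3.secret           *
'''

def classify_secret(secret):
    """Classify the password column of one pap-secrets entry."""
    if secret == "":
        return "deferred-to-login"   # "" plus the login option: passwd or PAM decides
    if secret.startswith("@"):
        return "external-file"       # @ feature: secret is read from a file or named pipe
    if CRYPT_RE.match(secret):
        return "crypt-hash"          # only meaningful when pppd runs with papcrypt
    return "cleartext"

def audit_pap_secrets(text):
    """Return (line_no, caller, server, kind, addresses) for each entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # shlex keeps "" as an empty field and drops # comments.
        fields = shlex.split(line, comments=True)
        if len(fields) < 3:
            continue                 # blank line, comment, or incomplete entry
        caller, server, secret, *addrs = fields
        findings.append((line_no, caller, server, classify_secret(secret), addrs))
    return findings

if __name__ == "__main__":
    for line_no, caller, server, kind, addrs in audit_pap_secrets(SAMPLE):
        print(f"line {line_no}: {caller} -> {server}: {kind} {addrs}")
```

On a server (authenticator), entries reported as cleartext are the ones to convert to papcrypt hashes or to the login option; on a caller, cleartext or external-file entries are expected.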