This chapter contains tasks for setting up PPP authentication. Subjects that are covered include the following:
The procedures show how to implement authentication over a dial-up link because dial-up links are more likely to be configured for authentication than leased-line links. You can configure authentication over leased lines if authentication is required by your corporate security policy. For leased-line authentication, use the tasks in this chapter as guidelines.
If you want to use PPP authentication but are not sure which protocol to use, review the section Why Use PPP Authentication?. More detailed information about PPP authentication is in the pppd(1M) man page and in Authenticating Callers on a Link.
This section contains task maps to help you quickly access procedures for PPP authentication.
Table 33–1 Task Map for General PPP Authentication
Task |
For Instructions |
---|---|
Configure PAP authentication | |
Configure CHAP authentication |
The tasks in this section explain how to implement authentication on a PPP link by using the Password Authentication Protocol (PAP). The tasks use the example that is shown in Example—PPP Authentication Configurations to illustrate a working PAP scenario for a dial-up link. Use the instructions as the basis for implementing PAP authentication at your site.
Before you perform the next procedures, you must have done the following:
Set up and tested the dial-up link between the dial-in server and dial-out machines that belong to trusted callers
Ideally, for dial-in server authentication, obtained superuser permission for the machine where the network password database is administered, for example, in LDAP, NIS, or local files
Obtained superuser authority for the local machine, either dial-in server or dial-out machine
Use the next task maps to quickly access PAP-related tasks for the dial-in server and trusted callers on dial-out machines.
Table 33–2 Task Map for PAP Authentication (Dial-in Server)
Task |
Description |
For Instructions |
---|---|---|
1. Gather preconfiguration information |
Collect user names and other data that is needed for authentication. | |
2. Update the password database, if necessary |
Ensure that all potential callers are in the server's password database. | |
3. Create the PAP database |
Create security credentials for all prospective callers in /etc/ppp/pap-secrets. | |
4. Modify the PPP configuration files |
Add options specific to PAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files. |
How to Add PAP Support to the PPP Configuration Files (Dial-in Server) |
Table 33–3 Task Map for PAP Authentication (Dial-out Machine)
Task |
Description |
For Instructions |
---|---|---|
1. Gather preconfiguration information |
Collect user names and other data that is needed for authentication. | |
2. Create the PAP database for the trusted caller's machine |
Create the security credentials for the trusted caller and, if necessary, security credentials for other users who call the dial-out machine, in /etc/ppp/pap-secrets. |
How to Configure PAP Authentication Credentials for the Trusted Callers |
3. Modify the PPP configuration files |
Add options specific to PAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files. |
How to Add PAP Support to the PPP Configuration Files (Dial-out Machine) |
To set up PAP authentication, you must do the following:
Create a PAP credentials database
Modify PPP configuration files for PAP support
This procedure modifies the /etc/ppp/pap-secrets file, which contains the PAP security credentials that are used to authenticate callers on the link. /etc/ppp/pap-secrets must exist on both machines on a PPP link.
The sample PAP configuration that was introduced in Figure 30–3 uses the login option of PAP. If you plan to use this option, you might also need to update your network's password database. For more information on the login option, refer to Using the login Option With /etc/ppp/pap-secrets.
Assemble a list of all potential trusted callers. Trusted callers are people to be granted permission to call the dial-in server from their remote machines.
Verify that each trusted caller already has a UNIX user name and password in the dial-in server's password database.
Verification is particularly important for the sample PAP configuration, which uses the login option of PAP to authenticate callers. If you choose not to implement login for PAP, the callers' PAP user names do not have to correspond with their UNIX user names. For information on standard /etc/ppp/pap-secrets, refer to /etc/ppp/pap-secrets File.
Do the following if a potential trusted caller does not have a UNIX user name and password:
Become superuser on the dial-in server, and edit the /etc/ppp/pap-secrets file.
Solaris PPP 4.0 provides a pap-secrets file in /etc/ppp that contains comments about how to use PAP authentication but no options. You can add the following options at the end of the comments.
# user1 myserver "" * user2 myserver "" * myserver user2 serverpass * |
To use the login option of /etc/ppp/pap-secrets, you must type the UNIX user name of each trusted caller. Wherever a set of double quotes (““) appears in the third field, the password for the caller is looked up in the server's password database.
The entry myserver * serverpass * contains the PAP user name and password for the dial-in server. In Figure 30–3, the trusted caller user2 requires authentication from remote peers. Therefore, myserver's /etc/ppp/pap-secrets file contains PAP credentials for use when a link is established with user2.
Task |
For Instructions |
---|---|
Modify the PPP configuration files to support PAP authentication |
Modifying the PPP Configuration Files for PAP (Dial-in Server) |
Set up PAP authentication on the dial-out machines of trusted callers |
Configuring PAP Authentication for Trusted Callers (Dial-out Machines) |
The tasks in this section explain how to update any existing PPP configuration files to support PAP authentication on the dial-in server.
The procedure uses the PPP configuration files that were introduced in How to Define Communications Over the Serial Line (Dial-in Server) as examples.
Log in to the dial-in server as superuser.
Add authentication options to the /etc/ppp/options file.
For example, you would add the options in bold to an existing /etc/ppp/optionsfile to implement PAP authentication:
lock idle 120 nodefaultroute name myserver auth require-pap user myserver remotename user2 login |
Create an /etc/ppp/options.ttyname file, as described in How to Define Communications Over the Serial Line.
Set up the $HOME/.ppprc file for each remote caller, as explained in How to Configure Users of the Dial-in Server.
Task |
For Instructions |
---|---|
Configure PAP authentication credentials for trusted callers of the dial-in server |
Configuring PAP Authentication for Trusted Callers (Dial-out Machines) |
This section contains tasks for setting up PAP authentication on the dial-out machines of trusted callers. As system administrator, you can set up PAP authentication on the systems before distribution to prospective callers. Or, if the remote callers already have their machines, you can give these callers the tasks in this section.
Configuring PAP for trusted callers involves two tasks:
Configuring the callers' PAP security credentials
Configuring the callers' dial-out machines to support PAP authentication
This procedure shows how to set up PAP credentials for two trusted callers, one of which requires authentication credentials from remote peers. The steps in the procedure assume that you, the system administrator, are creating the PAP credentials on the trusted callers' dial-out machines.
Become superuser on a dial-out machine.
Using the sample PAP configuration that was introduced in Figure 30–3, assume that the dial-out machine belongs to user1.
Modify the pap-secrets database for the caller.
Solaris PPP 4.0 provides an /etc/ppp/pap-secrets file that contains helpful comments but no options. You can add the following options to this /etc/ppp/pap-secrets file.
# user1 myserver pass1 * |
Note that user1's password pass1 is passed in readable ASCII form over the link. myserver is caller user1's name for the peer.
Become superuser on another dial-out machine.
Using the PAP authentication example, assume that this dial-out machine belongs to the caller user2.
Modify the pap-secrets database for the caller.
You can add the next options to the end of the existing /etc/ppp/pap-secrets file.
# user2 myserver pass2 * myserver user2 serverpass * |
In this example, /etc/ppp/pap-secrets has two entries. The first entry contains the PAP security credentials that user2 passes to dial-in server myserver for authentication.
user2 requires PAP credentials from the dial-in server as part of link negotiation. Therefore, the /etc/ppp/pap-secrets also contains PAP credentials that are expected from myserver on the second line.
Because most ISPs do not supply authentication credentials, the previous scenario might be unrealistic for communications with an ISP.
Task |
Instructions |
---|---|
Create PAP credentials for additional callers | |
Configure a dial-out machine to support PAP authentication |
How to Configure PAP Authentication Credentials for the Trusted Callers |
The following tasks explain how to update existing PPP configuration files to support PAP authentication on the dial-out machines of trusted callers.
The procedure uses the following parameters to configure PAP authentication on the dial-out machine that belongs to user2, who was introduced in Figure 30–3. user2 requires incoming callers to authenticate, including calls from dial-in myserver.
This procedure uses the PPP configuration files that were introduced in How to Define Communications Over the Serial Line as examples. The procedure configures the dial-out machine that belongs to user2, as shown in Figure 30–3.
Log in to the dial-out machine as superuser.
Modify the /etc/ppp/options file.
The next /etc/ppp/options file contains options for PAP support, which are shown in bold.
#vi /etc/ppp/options lock nodefaultroute name user2 auth require-pap |
Create an /etc/ppp/peers/peer-name file for the remote machine myserver.
The next sample shows how to add PAP support to the existing /etc/ppp/peers/myserver file that was created in How to Define the Connection With an Individual Peer.
# cd /etc/ppp # mkdir peers # cd peers # vi myserver /dev/cua/a 57600 noipdefault defaultroute idle 120 user user2 remotename myserver connect "chat -U 'mypassword' -f /etc/ppp/mychat" |
The new options in bold add PAP requirements for peer myserver.
user user2 |
Defines user2 as the user name of the local machine |
remotename myserver |
Defines myserver as a peer that requires authentication credentials from the local machine |
Task |
For Instructions |
---|---|
Test the PAP authentication setup by calling the dial-in server |
Procedures for calling the dial-in server, How to Call the Dial-in Server |
Learn more about PAP authentication |
The tasks in this section explain how to implement authentication on a PPP link by using the Challenge-Handshake Authentication Protocol (CHAP). The tasks use the example that is shown in Figure 30–4 to illustrate a working CHAP scenario for dialing up a private network. Use the instructions as the basis for implementing CHAP authentication at your site.
Before you perform the next procedures, you must have done the following:
Set up and tested the dial-up link between the dial-in server and dial-out machines that belong to trusted callers
Obtained superuser permission for the local machine, either dial-in server or dial-out machine
Task |
Description |
For Instructions |
---|---|---|
1. Assign CHAP secrets to all trusted callers |
Create, or have the callers create, their CHAP secrets | |
2. Create the chap-secrets database |
Add the security credentials for all trusted callers to the /etc/ppp/chap-secrets file | |
3. Modify the PPP configuration files |
Add options specific to CHAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files |
How to Add CHAP Support to the PPP Configuration Files (Dial-in Server) |
Table 33–5 Task Map for CHAP Authentication (Dial-out Machine)
Task |
Description |
For Instructions |
---|---|---|
1. Create the CHAP database for the trusted caller's machine |
Create the security credentials for the trusted caller and, if necessary, security credentials for other users who call the dial-out machine, in /etc/ppp/chap-secrets. | |
2. Modify the PPP configuration files |
Add options specific to CHAP to the /etc/ppp/options file. |
How to Add CHAP Support to the PPP Configuration Files (Dial-out Machine) |
The first task in setting up CHAP authentication is modifying the /etc/ppp/chap-secrets file. This file contains the CHAP security credentials, including the CHAP secret, that are used to authenticate callers on the link.
UNIX or PAM authentication mechanisms do not work with CHAP. For example, you cannot use the PPP login option as described in How to Create a PAP Credentials Database (Dial-in Server). If your authentication scenario requires PAM or UNIX-style authentication, choose PAP instead.
The next procedure implements CHAP authentication for a dial-in server in a private network. The PPP link is the only connection to the outside world. The only callers who can access the network have been granted permission by managers of the network, possibly including the system administrator.
Assemble a list that contains the user names of all trusted callers. Trusted callers include all people who have been granted permission to call the private network.
Assign each user a CHAP secret.
Be sure to choose a good CHAP secret that is not easily guessed. No other restrictions are placed on the CHAP secret's contents.
The method for assigning CHAP secrets depends on your site's security policy. Either you have the responsibility for creating the secrets, or the callers must create their own secrets. If you are not responsible for CHAP secret assignment, be sure to get the CHAP secrets that were created by, or for, each trusted caller.
Become superuser on the dial-in server, and modify the /etc/ppp/chap-secrets file.
Solaris PPP 4.0 includes an /etc/ppp/chap-secrets file that contains helpful comments but no options. You can add the following options for the server CallServe at the end of the existing /etc/ppp/chap-secrets file.
account1 CallServe key123 * account2 CallServe key456 * |
key123 is the CHAP secret for trusted caller account1. key456 is the CHAP secret for trusted caller account2.
Task |
For Instructions |
---|---|
Create CHAP credentials for additional trusted callers | |
Update the PPP configuration files to support CHAP |
How to Add CHAP Support to the PPP Configuration Files (Dial-in Server) |
Set up CHAP authentication on the dial-out machines of trusted callers |
Configuring CHAP Authentication for Trusted Callers (Dial-out Machines) |
The task in this section explains how to update existing PPP configuration files to support CHAP authentication on the dial-in server.
Log in to the dial-in server as superuser.
Modify the /etc/ppp/options file.
Add the options that are shown in bold for CHAP support.
# vi /etc/ppp/options lock nodefaultroute name CallServe auth require-chap |
Create the remaining PPP configuration files to support the trusted callers.
See How to Configure Users of the Dial-in Server and How to Define Communications Over the Serial Line (Dial-in Server).
Task |
For Instructions |
---|---|
Configure CHAP authentication credentials for trusted callers |
This section contains tasks for setting up CHAP authentication on the dial-out machines of trusted callers. Depending on your site's security policy, either you or the trusted callers might be responsible for setting up CHAP authentication.
For remote callers to configure CHAP, ensure that the callers' local CHAP secrets match the callers' equivalent CHAP secrets in the dial-in server's /etc/ppp/chap-secrets file. Then give the callers the tasks in this section for configuring CHAP.
Configuring CHAP for trusted callers involves two tasks:
Creating the callers' CHAP security credentials
Configuring the callers' dial-out machines to support CHAP authentication
This procedure shows how to set up CHAP credentials for two trusted callers. The steps in the procedure assume that you, the system administrator, are creating the CHAP credentials on the trusted callers' dial-out machines.
Become superuser on a dial-out machine.
Using the sample CHAP configuration in Example—Configuration Using CHAP Authentication, assume that the dial-out machine belongs to trusted caller account1.
Modify the chap-secrets database for caller account1.
Solaris PPP 4.0 includes an /etc/ppp/chap-secrets file that has helpful comments but no options. You can add the following options to the existing /etc/ppp/chap-secrets file.
# account1 CallServe key123 * |
CallServe is the name for the peer that account1 is trying to reach. key123 is the CHAP secret to be used for links between account1 and CallServer.
Become superuser on another dial-out machine.
Assume that this machine belongs to caller account2.
Modify the /etc/ppp/chap-secrets database for caller account2.
# account2 CallServe key456 * |
Now, account2 has secret key456 as its CHAP credentials for use over links to peer CallServe.
Task |
For Instructions |
---|---|
Create CHAP credentials on the dial-out machines of trusted callers | |
Configure a dial-out machine to support CHAP authentication |
How to Configure CHAP Authentication Credentials for the Trusted Callers |
The next task configures the dial-out machine that belongs to caller account1, which is introduced in Example—Configuration Using CHAP Authentication.
Log in to the dial-out machine as superuser.
Ensure that the /etc/ppp/options file has the following options.
# vi /etc/ppp/options lock nodefaultroute |
Create an /etc/ppp/peers/peer-name file for the remote machine CallServe.
# mkdir /etc/ppp/peers # vi CallServe /dev/cua/a 57600 noipdefault defaultroute idle 120 user account1 connect "chat -U 'mypassword' -f /etc/ppp/mychat" |
The option user account1 sets account1 as the CHAP user name to be given to CallServe. For a description of the other options in the previous file, see the similar /etc/ppp/peers/myserver file in How to Define the Connection With an Individual Peer.
Task |
For Instructions |
---|---|
Test CHAP authentication by calling the dial-in server | |
Learn more about CHAP authentication |