Configuring PAP Authentication on the Dial-In Server

Language:

Perform the following tasks when setting up PAP-related tasks for the dial-in server:

Planning for Authentication on a Link – Collect user names and other data that is needed for authentication
How to Create a PAP Credentials Database for a Dial-In Server – Ensure that all potential callers are in the server's password databas and create security credentials for them in /etc/ppp/pap-secrets
How to Add PAP Support to the PPP Configuration Files on a Dial-In Server – Add options specific to PAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files

How to Create a PAP Credentials Database for a Dial-In Server

Note - PPP was removed in the Oracle Solaris 11.4 SRU 24 release.

This procedure modifies the /etc/ppp/pap-secrets file, which contains the PAP security credentials that are used to authenticate callers on the link. /etc/ppp/pap-secrets must exist on both systems on a PPP link.

The sample PAP configuration that was introduced in Example of a PAP Authentication Scenario (Working From Home) uses the login option of PAP. If you plan to use this option, you might also need to update your network's password database. For more information about the login option, refer to Using the login Option With /etc/ppp/pap-secrets.

Assemble a list of all potential trusted callers.
Trusted callers are people to be granted permission to call the dial-in server from their remote systems.
Verify that each trusted caller already has a UNIX user name and password in the dial-in server's password database.
Note - Verification is particularly important for the sample PAP configuration, which uses the login option of PAP to authenticate callers. If you choose not to implement login for PAP, the callers' PAP user names do not have to correspond with their UNIX user names. For information about standard /etc/ppp/pap-secrets, refer to /etc/ppp/pap-secrets File.

Do the following if a potential trusted caller does not have a UNIX user name and password:
1. Confirm with their managers that callers whom you do not know personally have permission to access the dial-in server.
2. Create UNIX user names and passwords for these callers in the manner that is directed by your corporate security policy.
Become an administrator on the dial-in server.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Edit the /etc/ppp/pap-secrets file.
This release provides a pap-secrets file in /etc/ppp that contains comments about how to use PAP authentication but no options. You can add the following options at the end of the comments.
```
user1      myserver        ""          *
user2      myserver        ""          *
myserver   user2           serverpass  *
```
To use the login option of /etc/ppp/pap-secrets, you must type the UNIX user name of each trusted caller. Wherever a set of double quotes ("") appears in the third field, the password for the caller is looked up in the server's password database.

The entry myserver * serverpass * contains the PAP user name and password for the dial-in server. In Example of a PAP Authentication Scenario (Working From Home), the trusted caller user2 requires authentication from remote peers. Therefore, myserver's /etc/ppp/pap-secrets file contains PAP credentials for use when a link is established with user2.

See Also