Before pppd parses its command-line arguments, it scans
several files for default options. These files may contain any valid
command-line arguments spread out across an arbitrary number of lines.
Hash signs introduce comments.
The first options file is /etc/ppp/options, which is
always scanned when pppd starts up. Using it to set some
global defaults is a good idea, because it allows you to keep your users from
doing several things that may compromise security. For instance, to make
pppd require some kind of authentication (either PAP or
CHAP) from the peer, you add the auth option to this
file. This option cannot be overridden by the user, so it becomes impossible
to establish a PPP connection with any system that is not in your
authentication databases. Note, however, that some options can be overridden;
the connect string is a good example.
The other options file, which is read after
/etc/ppp/options, is .ppprc in the
user's home directory. It allows each user to specify her own set of default
options.
A sample /etc/ppp/options file might look like this:
# Global options for pppd running on vlager.vbrew.com
lock # use UUCP-style device locking
auth # require authentication
usehostname # use local hostname for CHAP
domain vbrew.com # our domain name |
The lock keyword makes
pppd comply to the standard UUCP method of device locking.
With this convention, each process that accesses a serial device, say
/dev/ttyS3, creates a lock file with a name like
LCK..ttyS3 in a special lock-file directory to signal that
the device is in use. This is necessary to prevent signal other programs, such as
minicom or uucico, from opening the
serial device while it is used by PPP.
The next three options relate to authentication and, therefore,
to system security. The authentication options are best placed in the global
configuration file because they are “privileged” and cannot
be overridden by users' ~/.ppprc options files.