Configuring PAP Authentication
The tasks in this section explain how to implement authentication on a PPP link
by using the Password Authentication Protocol (PAP). The tasks use the example that is shown
in Examples of PPP Authentication Configurations to illustrate a working PAP scenario for a dial-up link. Use the
instructions as the basis for implementing PAP authentication at your site.
Before you perform the next procedures, you must have done the following:
Set up and tested the dial-up link between the dial-in server and dial-out machines that belong to trusted callers
Ideally, for dial-in server authentication, obtained superuser permission for the machine where the network password database is administered, for example, in LDAP, NIS, or local files
Obtained superuser authority for the local machine, either dial-in server or dial-out machine
Setting Up PAP Authentication (Task Maps)
Use the next task maps to quickly access PAP-related tasks for the dial-in server
and trusted callers on dial-out machines.
Table 19-2 Task Map for PAP Authentication (Dial-in Server)
Table 19-3 Task Map for PAP Authentication (Dial-out Machine)
Configuring PAP Authentication on the Dial-in Server
To set up PAP authentication, you must do the following:
How to Create a PAP Credentials Database (Dial-in Server)
This procedure modifies the /etc/ppp/pap-secrets file, which contains the PAP security credentials that are
used to authenticate callers on the link. /etc/ppp/pap-secrets must exist on both machines on
a PPP link.
The sample PAP configuration that was introduced in Figure 16-3 uses the login option
of PAP. If you plan to use this option, you might also need to
update your network's password database. For more information about the login option, refer to Using the login Option With /etc/ppp/pap-secrets.
- Assemble a list of all potential trusted callers. Trusted callers are people to be
granted permission to call the dial-in server from their remote machines.
- Verify that each trusted caller already has a UNIX user name and password in
the dial-in server's password database.
Note - Verification is particularly important for the sample PAP configuration, which uses the login option of
PAP to authenticate callers. If you choose not to implement login for PAP,
the callers' PAP user names do not have to correspond with their UNIX user
names. For information about standard /etc/ppp/pap-secrets, refer to /etc/ppp/pap-secrets File.
Do the following if a potential trusted caller does not have a UNIX user
name and password:
- Confirm with their managers that callers whom you do not know personally have permission
to access the dial-in server.
- Create UNIX user names and passwords for these callers in the manner that is
directed by your corporate security policy.
- Become superuser on the dial-in server or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure
a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Edit the /etc/ppp/pap-secrets file.
Solaris PPP 4.0 provides a pap-secrets file in /etc/ppp that contains comments about how to
use PAP authentication but no entries. You can add the following entries at the end
of the comments.
user1 myserver "" *
user2 myserver "" *
myserver user2 serverpass *
Each entry has four fields: the client (the PAP user name), the server (the name of the peer that checks the credential), the secret, and the IP addresses that the client may use (* means any address).
To use the login option of /etc/ppp/pap-secrets, you must type the UNIX user name
of each trusted caller. Wherever a set of double quotes ("") appears in the third
field, the password for the caller is looked up in the server's password database.
The entry myserver user2 serverpass * contains the PAP user name and password that the dial-in server presents to user2. In
Figure 16-3, the trusted caller user2 requires authentication from remote peers. Therefore, myserver's /etc/ppp/pap-secrets
file contains PAP credentials for use when a link is established with user2.
Because the third field holds secrets in clear text, keep /etc/ppp/pap-secrets owned by root with mode 600. pppd logs a warning when a secrets file is readable by group or others.
Modifying the PPP Configuration Files for PAP (Dial-in Server)
The tasks in this section explain how to update any existing PPP configuration files
to support PAP authentication on the dial-in server.
How to Add PAP Support to the PPP Configuration Files (Dial-in Server)
The procedure uses as examples the PPP configuration files that were introduced in How to Define Communications Over the Serial Line (Dial-in Server).
- Log in as superuser on the dial-in server or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure
a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Add authentication options to the /etc/ppp/options file.
For example, adding the auth and login options to the existing /etc/ppp/options
file (the other options were set up in the earlier procedure) implements PAP authentication:
lock
auth
login
nodefaultroute
proxyarp
ms-dns 10.0.0.1
idle 120
- auth
Specifies that the server must authenticate callers before establishing the link.
- login
Specifies that the remote caller be authenticated by using the standard UNIX user authentication services.
- nodefaultroute
Indicates that no pppd session on the local system can establish a default route without root privileges.
- proxyarp
Adds an entry to the system's Address Resolution Protocol (ARP) table that specifies the IP address of the peer and the Ethernet address of the system. With this option the peer appears to be on the local Ethernet to other systems.
- ms-dns 10.0.0.1
Enables pppd to supply a Domain Name Server (DNS) address, 10.0.0.1, to the client.
- idle 120
Specifies that idle users are disconnected after two minutes.
- In the /etc/ppp/options.cua.a file, add the following address for the cua/a user.
:10.0.0.2
- In the /etc/ppp/options.cua.b file, add the following address for the cua/b user.
:10.0.0.3
- In the /etc/ppp/pap-secrets file, add the following entry.
* * "" *
Note - The login option, as previously described, supplies the necessary user authentication. This entry in the
/etc/ppp/pap-secrets file is the standard way of enabling PAP with the login option.
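The following script is an added example, not part of the Solaris documentation or of pppd. It parses a pap-secrets file in the format shown in How to Create a PAP Credentials Database and in the previous step, resolves which entry would apply to a given (client, server) pair, flags login-style "" entries whose caller has no UNIX account (the check that step 2 of the credentials procedure asks for), and verifies that the file grants no group or world permission bits. The secrets text and the account set are constructed from this page's example, and the most-specific-match ordering (exact client outranks exact server, which outranks *) is an assumption modelled on pppd's behaviour rather than taken from this page.

```python
import os
import shlex
import stat
import tempfile
from dataclasses import dataclass, field

# Constructed /etc/ppp/pap-secrets for the dial-in server: the three entries from the
# credentials procedure plus the "* * "" *" entry that enables PAP with the login option.
MYSERVER_PAP_SECRETS = """
# client    server    secret      IP addresses
user1       myserver  ""          *
user2       myserver  ""          *
myserver    user2     serverpass  *
*           *         ""          *
"""

# Constructed stand-in for the user names held in the server's password database.
UNIX_ACCOUNTS = {"root", "user1", "user2"}


@dataclass
class Entry:
    client: str
    server: str
    secret: str            # "" means: look the caller up in the password database (login option)
    addrs: list = field(default_factory=list)  # "*" or no field means any address


def parse_pap_secrets(text):
    """Parse pap-secrets text: whitespace-separated fields, # comments, "" for an empty secret."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)   # shlex keeps "" as an empty field
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"pap-secrets line {lineno}: client, server and secret are required")
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3:]))
    return entries


def lookup(entries, client, server):
    """Pick the entry for (client, server), preferring the most specific match
    (assumed ordering: exact client outranks exact server, which outranks a * wildcard)."""
    best, best_score = None, -1
    for e in entries:
        if e.client not in ("*", client) or e.server not in ("*", server):
            continue
        score = 2 * (e.client != "*") + (e.server != "*")
        if score > best_score:
            best, best_score = e, score
    return best


def login_entries_without_account(entries, accounts):
    """Clients whose "" secret defers to the password database but who have no UNIX account.
    Such callers can never authenticate with the login option, so the entry is dead or a typo."""
    return sorted({e.client for e in entries
                   if e.secret == "" and e.client != "*" and e.client not in accounts})


def secrets_mode_is_private(path):
    """True when the file grants no permission bits to group or others (mode 600 or stricter).
    Root ownership is also required; it is not checked here because the demo runs unprivileged."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def permission_demo():
    """Write the sample file twice, once as 600 and once as 644, and report the check for each."""
    results = []
    for mode in (0o600, 0o644):
        with tempfile.NamedTemporaryFile("w", delete=False) as f:
            f.write(MYSERVER_PAP_SECRETS)
            path = f.name
        os.chmod(path, mode)
        results.append(secrets_mode_is_private(path))
        os.unlink(path)
    return tuple(results)


if __name__ == "__main__":
    entries = parse_pap_secrets(MYSERVER_PAP_SECRETS)
    print("entry for user1 -> myserver:", lookup(entries, "user1", "myserver"))
    print("login entries lacking an account:", login_entries_without_account(entries, UNIX_ACCOUNTS))
    print("mode check (600, 644):", permission_demo())
```

The lookup of an unknown caller falls through to the * * "" * entry, which is exactly why that entry only makes sense together with the login option: the UNIX password database, not pap-secrets, is then what decides whether the caller gets in.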
See Also
To configure PAP authentication credentials for trusted callers of the dial-in server, refer to
Configuring PAP Authentication for Trusted Callers (Dial-out Machines).
Configuring PAP Authentication for Trusted Callers (Dial-out Machines)
This section contains tasks for setting up PAP authentication on the dial-out machines of
trusted callers. As system administrator, you can set up PAP authentication on the systems before
distribution to prospective callers. Or, if the remote callers already have their machines, you
can give these callers the tasks in this section.
Configuring PAP for trusted callers involves two tasks:
How to Configure PAP Authentication Credentials for the Trusted Callers
This procedure shows how to set up PAP credentials for two trusted callers, one
of which requires authentication credentials from remote peers. The steps in the procedure assume
that you, the system administrator, are creating the PAP credentials on the trusted callers' dial-out
machines.
- Become superuser on a dial-out machine or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure
a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Using the sample PAP configuration that was introduced in Figure 16-3, assume that the dial-out machine
belongs to user1.
- Modify the pap-secrets database for the caller.
Solaris PPP 4.0 provides an /etc/ppp/pap-secrets file that contains helpful comments but no entries. You
can add the following entry to this /etc/ppp/pap-secrets file.
user1 myserver pass1 *
Note that user1's password pass1 is stored in clear text in this file and is passed in readable ASCII form over the link each time the link is established, so anyone who can tap the serial or modem path can read it. Protect the file as on the server (owned by root, mode 600). myserver
is caller user1's name for the peer.
- Become superuser on another dial-out machine or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure
a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Using the PAP authentication example, assume that this dial-out machine belongs to the caller
user2.
- Modify the pap-secrets database for the caller.
You can add the next entries to the end of the existing /etc/ppp/pap-secrets file.
user2 myserver pass2 *
myserver user2 serverpass *
In this example, /etc/ppp/pap-secrets has two entries. The first entry contains the PAP
security credentials that user2 passes to dial-in server myserver for authentication.
user2 requires PAP credentials from the dial-in server as part of link negotiation. Therefore,
the /etc/ppp/pap-secrets file also contains, on the second line, the PAP credentials that are expected from myserver.
Note - Because most ISPs do not supply authentication credentials, the previous scenario might be
unrealistic for communications with an ISP.
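The following script is an added example, not part of the Solaris documentation or of pppd. It models the PAP exchange that the two pap-secrets files in this procedure set up: user2 authenticating to myserver, whose pap-secrets entry "" defers to the login option (a constructed stand-in for the password database here), and myserver authenticating back to user2, which demands credentials from its peers. Packets are encoded as RFC 1334 lays out Authenticate-Request, Authenticate-Ack and Authenticate-Nak, so the raw bytes show the point made for user1 above: the password travels in clear text. The Peer class, unix_hash and the sample password store are assumptions made for the demo.

```python
import hashlib
import struct

# PAP packet codes from RFC 1334.
AUTH_REQUEST, AUTH_ACK, AUTH_NAK = 1, 2, 3


def build_request(ident, peer_id, password):
    """Encode an Authenticate-Request. Peer-ID and password are sent verbatim: PAP never hashes."""
    pid, pw = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", AUTH_REQUEST, ident, 4 + len(body)) + body


def parse_request(pkt):
    """Decode an Authenticate-Request, rejecting packets whose length fields disagree."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != AUTH_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Authenticate-Request")
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    m = pkt[5 + n]
    password = pkt[6 + n:6 + n + m]
    if 6 + n + m != length:
        raise ValueError("Peer-ID/Passwd lengths do not add up to the packet length")
    return ident, peer_id.decode(), password.decode()


def build_reply(code, ident, message):
    """Encode an Authenticate-Ack or Authenticate-Nak carrying a short text message."""
    msg = message.encode()
    return struct.pack("!BBH", code, ident, 5 + len(msg)) + bytes([len(msg)]) + msg


def unix_hash(user, password):
    """Constructed stand-in for the hashed entry in the system password database."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


class Peer:
    """One end of the link: its name, its pap-secrets rows and, for the login option,
    its password database. Rows are (client, server, secret) as in the files above."""

    def __init__(self, name, secrets, passwd_db=None):
        self.name = name
        self.secrets = {(client, server): secret for client, server, secret in secrets}
        self.passwd_db = passwd_db or {}

    def request_to(self, server_name, ident):
        """Client role: send the credential this machine holds for that server."""
        secret = self.secrets[(self.name, server_name)]
        return build_request(ident, self.name, secret)

    def check(self, pkt):
        """Authenticator role (auth / require-pap): answer a request with Ack or Nak."""
        ident, client, password = parse_request(pkt)
        secret = self.secrets.get((client, self.name))
        if secret is None:
            ok = False                      # no row for this caller: refuse
        elif secret == "":
            # "" in pap-secrets with the login option: defer to the UNIX password database.
            ok = self.passwd_db.get(client) == unix_hash(client, password)
        else:
            ok = (secret == password)
        return build_reply(AUTH_ACK if ok else AUTH_NAK, ident,
                           "login ok" if ok else "login failed")


# The two machines from the example; secrets and passwords are the page's sample values.
MYSERVER = Peer("myserver",
                [("user1", "myserver", ""), ("user2", "myserver", ""),
                 ("myserver", "user2", "serverpass")],
                passwd_db={"user1": unix_hash("user1", "pass1"),
                           "user2": unix_hash("user2", "pass2")})

USER2 = Peer("user2",
             [("user2", "myserver", "pass2"), ("myserver", "user2", "serverpass")])


def mutual_auth(caller, server):
    """Both directions of user2's link: caller proves itself to server, then server to caller.
    Returns the two reply codes and the raw first request so its clear text can be inspected."""
    req = caller.request_to(server.name, ident=1)
    reply_from_server = server.check(req)
    req_back = server.request_to(caller.name, ident=2)
    reply_from_caller = caller.check(req_back)
    return reply_from_server[0], reply_from_caller[0], req


if __name__ == "__main__":
    ack1, ack2, wire = mutual_auth(USER2, MYSERVER)
    print("user2 -> myserver:", "Ack" if ack1 == AUTH_ACK else "Nak")
    print("myserver -> user2:", "Ack" if ack2 == AUTH_ACK else "Nak")
    print("password visible on the wire:", b"pass2" in wire)
```

Searching the request bytes for the literal password succeeds because PAP has no challenge or hashing step; that is the reason to prefer CHAP where the peer supports it, and to treat pap-secrets on both machines as sensitively as the password database itself.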
Modifying PPP Configuration Files for PAP (Dial-out Machine)
The following tasks explain how to update existing PPP configuration files to support PAP
authentication on the dial-out machines of trusted callers.
The procedure configures PAP authentication on the dial-out machine
that belongs to user2, who was introduced in Figure 16-3. user2 requires its peers to authenticate, including
the dial-in server myserver.
How to Add PAP Support to the PPP Configuration Files (Dial-out Machine)
This procedure uses as examples the PPP configuration files that were introduced in How to Define Communications Over the Serial Line. The procedure configures the dial-out machine that belongs to user2, as shown in Figure 16-3.
- Log in to the dial-out machine as superuser.
- Modify the /etc/ppp/options file.
The next /etc/ppp/options file contains the options for PAP support: name, auth, and require-pap.
# cat /etc/ppp/options
lock
name user2
auth
require-pap
- name user2
Sets user2 as the PAP name of the user on the local machine. If the login option is used, the PAP name must be the same as the user's UNIX user name in the password database.
- auth
States that the dial-out machine must authenticate callers before establishing the link.
Note - This dial-out machine demands authentication from its peers, even though most dial-out machines do not make this demand. Either way is acceptable.
- require-pap
Demands PAP credentials from the peer.
- Create an /etc/ppp/peers/peer-name file for the remote machine myserver.
The next example shows how to add PAP support to the existing /etc/ppp/peers/myserver file
that was created in How to Define the Connection With an Individual Peer.
# cat /etc/ppp/peers/myserver
/dev/cua/a
57600
noipdefault
defaultroute
idle 120
user user2
remotename myserver
connect "chat -U 'mypassword' -f /etc/ppp/mychat"
The new options, user and remotename, add PAP requirements for peer myserver.
- user user2
Defines user2 as the user name of the local machine.
- remotename myserver
Defines myserver as a peer that requires authentication credentials from the local machine.