pppd-2.1.1 release notes Paul Mackerras 27 May 1994 This file details the new and changed features in pppd since version 1.3. Briefly: - the protocol code has been updated to conform with RFCs 1548, 1549, 1332 and 1334 - security has been improved - functionality has been improved in various ways. NEW FEATURES * The option negotiation automaton has been updated to RFC1548. LCP now rejects the Quality Protocol option, since LQR is not implemented yet. IPCP now uses the IP-Address option, and falls back to the old IP-Addresses option if the IP-Address option is rejected. IPCP also uses the new form of the VJ-Compression option. RFC1548 defines the "passive" option to mean that the automaton outputs configure-request packets initially, but does not close down if no answer is received. A valid configure-request received will restart the negotiation. The "silent" option has been added with the old meaning of "passive", i.e. the automaton will not output configure-requests until it receives a valid one from the peer. * More systems are supported: in addition to SunOS 4.x and BSD/Net-2 derived systems, Ultrix and Linux are supported, thanks to Robert Olsson, Per Sundstrom, Michael Callahan and Al Longyear. * Options can be taken from files as well as the command line. pppd reads options from the files /etc/ppp/options and ~/.ppprc before looking at the command line, and /etc/ppp/options. after interpreting the options on the command line. An options file is parsed into a series of words, delimited by whitespace. Whitespace can be included in a word by enclosing the word in quotes ("). Backslash (\) quotes the following character. A hash (#) starts a comment, which continues until the end of the line. In addition, the `file' option causes pppd to read options from a file. pppd will report and error and exit if ~/.ppprc or the file given as the argument to the `file' option cannot be read by the user who invoked pppd. * On those systems, such as NetBSD, where the serial line speed is stored in the termios structure in bits per second (i.e. B9600 == 9600), it is possible to set any speed. * If desired, pppd will output LCP echo-request frames periodically while the link is up, and take the link down if no replies are received to a user-configurable number of echo-requests. This can be used to detect that the serial connection has been broken on those systems which don't have hardware modem control lines. AUTHENTICATION Previous versions of pppd have provided no control over which IP addresses the peer can use. Thus it is possible for the peer to impersonate another host on the local network, leading to various security holes. In addition, the authentication mechanisms were quite weak: if the peer refused to agree to authenticate, pppd would print a warning message but still allow the link to come up. The CHAP implementation also appeared to be quite broken (has anybody actually used it?). This new version of pppd addresses these problems. My aim has been to provide system administrators with sufficient access control that PPP access to a server machine can be provided to legitimate users without fear of compromising the security of the server or the network it's on. In part this is provided by the /etc/ppp/options file, where the administrator can place options to require authentication which cannot be disabled by users. Thus the new pppd can made setuid-root and run by users. The behaviour where pppd refuses to run unless the /etc/ppp/options file is present and readable by pppd is now the default behaviour. If you really want pppd to run without the presence of the /etc/ppp/options file, you will have to include -DREQ_SYSOPTIONS=0 on the compilation command line. The options related to authentication are: auth Require authentication from the peer. If neither +chap or +pap is also given, either CHAP or PAP authentication will be accepted. +chap Require CHAP authentication from the peer. +pap Require PAP authentication from the peer. -chap Don't agree to authenticate ourselves with the peer using CHAP. -pap Don't agree to authenticate ourselves using PAP. +ua Get username and password for authenticating ourselves with the peer using PAP from file . name Use as the local name for authentication. usehostname Use this machine's hostname as the local name for authentication. remotename Use as the name of the peer for authentication. login If the peer authenticates using PAP, check the supplied username and password against the system password database, and make a wtmp entry. user Use as the username for authenticating ourselves using PAP. The defaults are to agree to authenticate if requested, and to not require authentication from the peer. However, pppd will not agree to authenticate itself with a particular protocol if it has no secrets which could be used to do so. Authentication is based on secrets, which are selected from secrets files (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP). Both secrets files have the same format, and both can store secrets for several combinations of server (authenticating peer) and client (peer being authenticated). Note that each end can be both a server and client, and that different protocols can be used in the two directions if desired. A secrets file is parsed into words as for a options file. A secret is specified by a line containing at least 3 words, in the order client, server, secret. Any following words on the same line are taken to be a list of acceptable IP addresses for that client. If there are only 3 words on the line, it is assumed that any IP address is OK; to disallow all IP addresses, use "-". If the secret starts with an `@', what follows is assumed to be the name of a file from which to read the secret. A "*" as the client or server name matches any name. When selecting a secret, pppd takes the best match, i.e. the match with the fewest wildcards. Thus a secrets file contains both secrets for use in authenticating other hosts, plus secrets which we use for authenticating ourselves to others. Which secret to use is chosen based on the names of the host (the `local name') and its peer (the `remote name'). The local name is set as follows: if the `usehostname' option is given, then the local name is the hostname of this machine (with the domain appended, if given) else if the `name' option is given, then use the argument of the first `name' option seen else if the local IP address is specified with a host name (e.g. `sirius:') then use that host name else use the hostname of this machine (with the domain appended, if given) When authenticating ourselves using PAP, there is also a `username' which is the local name by default, but can be set with the `user' option or the `+ua' option. The remote name is set as follows: if the `remotename' option is given, then use the argument of the last `remotename' option seen else if the remote IP address is specified with a host name (e.g. `avago:') then use that host name else the remote name is the null string "". Secrets are selected from the PAP secrets file as follows: - For authenticating the peer, look for a secret with client == username specified in the PAP authenticate-request, and server == local name. - For authenticating ourselves to the peer, look for a secret with client == our username, server == remote name. When authenticating the peer with PAP, a secret of "" matches any password supplied by the peer. If the password doesn't match the secret, the password is encrypted using crypt() and checked against the secret again; thus secrets for authenticating the peer can be stored in encrypted form. If the `login' option was specified, the username and password are also checked against the system password database. Thus, the system administrator can set up the pap-secrets file to allow PPP access only to certain users, and to restrict the set of IP addresses that each user can use. Secrets are selected from the CHAP secrets file as follows: - For authenticating the peer, look for a secret with client == name specified in the CHAP-Response message, and server == local name. - For authenticating ourselves to the peer, look for a secret with client == local name, and server == name specified in the CHAP-Challenge message. Authentication must be satisfactorily completed before IPCP (or any other Network Control Protocol) can be started. If authentication fails, pppd will terminated the link (by closing LCP). If IPCP negotiates an unacceptable IP address for the remote host, IPCP will be closed. IP packets cannot be sent or received until IPCP is successfully opened. (some examples needed here perhaps) ROUTING Setting the addresses on a ppp interface is sufficient to create a host route to the remote end of the link. Sometimes it is desirable to add a default route through the remote host, as in the case of a machine whose only connection to the Internet is through the ppp interface. The `defaultroute' option causes pppd to create such a default route when IPCP comes up, and delete it when the link is terminated. In some cases it is desirable to use proxy ARP, for example on a server machine connected to a LAN, in order to allow other hosts to communicate with the remote host. The `proxyarp' option causes pppd to look for a network interface (an interface supporting broadcast and ARP, which is up and not a point-to-point or loopback interface) on the same subnet as the remote host. If found, pppd creates a permanent, published ARP entry with the IP address of the remote host and the hardware address of the network interface found. OTHER NEW AND CHANGED OPTIONS modem Use modem control lines (not fully implemented yet) local Don't use modem control lines persist Keep reopening connection (not fully implemented yet) lcp-restart Set timeout for LCP retransmissions to seconds (default 3 seconds) lcp-max-terminate Set maximum number of LCP terminate-request transmissions (default 2) lcp-max-configure Set maximum number of LCP configure-request transmissions (default 10) lcp-max-failure Set maximum number of LCP configure-Naks sent before converting to configure-rejects (default 10) ipcp-restart Set timeout for IPCP retransmissions to seconds (default 3 seconds) ipcp-max-terminate Set maximum number of IPCP terminate-request transmissions (default 2) ipcp-max-configure Set maximum number of IPCP configure-request transmissions (default 10) ipcp-max-failure Set maximum number of IPCP configure-Naks sent before converting to configure-rejects (default 10) upap-restart Set timeout for PAP retransmissions to seconds (default 3 seconds) upap-max-authreq Set maximum number of Authenticate-request retransmissions (default 10) chap-restart Set timeout for CHAP retransmissions to seconds (default 3 seconds) chap-max-challenge Set maximum number of CHAP Challenge retransmissions (default 10) chap-interval Set the interval between CHAP rechallenges (default 0, meaning infinity) The -ua option no longer exists. SOFTWARE RESTRUCTURING Many of the source files for pppd have changed significantly from ppp-1.3, upon which it is based. In particular: - the macros for system-dependent operations in pppd.h have mostly been removed. Instead these operations are performed by procedures in sys-bsd.c (for BSD-4.4ish systems like NetBSD, 386BSD, etc.) or sys-str.c (for SunOS-based systems using STREAMS). (I got sick of having to recompile everything every time I wanted to change one of those horrible macros.) - most of the system-dependent code in main.c has also been removed to sys-bsd.c and sys-str.c. - the option processing code in main.c has been removed to options.c. - the authentication code in main.c has been removed to auth.c, which also contains substantial amounts of new code. - fsm.c has changed significantly, and lcp.c, ipcp.c, and upap.c have changed somewhat. chap.c has also changed significantly. STILL TO DO * sort out appropriate modem control and implement the persist option properly; add an `answer' option for auto-answering a modem. * add an inactivity timeout and demand dialing. * implement link quality monitoring. * implement other network control protocols.