comment on papcrypt

diff --git a/pppd/pppd.8 b/pppd/pppd.8
index a684e661f51d54ad9c3d5d39acd0d15ce9235f90..4f4cf66aa14a05d65ef1c07755b56f9758328fae 100644 (file)
--- a/pppd/pppd.8
+++ b/pppd/pppd.8
@@ -1,5 +1,5 @@
 .\" manual page [] for pppd 2.0
 .\" manual page [] for pppd 2.0

-.\" $Id: pppd.8,v 1.9 1995/04/24 05:53:35 paulus Exp $
+.\" $Id: pppd.8,v 1.10 1995/05/01 01:43:54 paulus Exp $

 .\" SH section heading
 .\" SS subsection heading
 .\" LP paragraph
 .\" SH section heading
 .\" SS subsection heading
 .\" LP paragraph


@@ -309,6 +309,12 @@ option).
 Set the assumed name of the remote system for authentication purposes
 to <n>.
 .TP
 Set the assumed name of the remote system for authentication purposes
 to <n>.
 .TP

+.B papcrypt
+Indicates that all secrets in the /etc/ppp/pap-secrets file which
+are used for checking the identity of the peer are encrypted, and thus
+pppd should not accept a password which (before encryption) is
+identical to the secret from the /etc/ppp/pap-secrets file.
+.TP

 .B proxyarp
 Add an entry to this system's ARP [Address Resolution Protocol] table
 with the IP address of the peer and the Ethernet address of this
 .B proxyarp
 Add an entry to this system's ARP [Address Resolution Protocol] table
 with the IP address of the peer and the Ethernet address of this


@@ -454,7 +460,7 @@ directions if desired.
 .LP
 A secrets file is parsed into words as for a options file.  A secret
 is specified by a line containing at least 3 words, in the order
 .LP
 A secrets file is parsed into words as for a options file.  A secret
 is specified by a line containing at least 3 words, in the order

-client, server, secret.  Any following words on the same line are
+client name, server name, secret.  Any following words on the same line are

 taken to be a list of acceptable IP addresses for that client.  If
 there are only 3 words on the line, it is assumed that any IP address
 is OK; to disallow all IP addresses, use "-".  If the secret starts
 taken to be a list of acceptable IP addresses for that client.  If
 there are only 3 words on the line, it is assumed that any IP address
 is OK; to disallow all IP addresses, use "-".  If the secret starts


@@ -510,11 +516,16 @@ When authenticating the peer with PAP, a secret of "" matches any
 password supplied by the peer.  If the password doesn't match the
 secret, the password is encrypted using crypt() and checked against
 the secret again; thus secrets for authenticating the peer can be
 password supplied by the peer.  If the password doesn't match the
 secret, the password is encrypted using crypt() and checked against
 the secret again; thus secrets for authenticating the peer can be

-stored in encrypted form.  If the \fBlogin\fR option was specified, the
+stored in encrypted form.  If the \fBpapcrypt\fR option is given, the
+first (unencrypted) comparison is omitted, for better security.
+.LP
+If the \fBlogin\fR option was specified, the

 username and password are also checked against the system password
 database.  Thus, the system administrator can set up the pap-secrets
 file to allow PPP access only to certain users, and to restrict the
 username and password are also checked against the system password
 database.  Thus, the system administrator can set up the pap-secrets
 file to allow PPP access only to certain users, and to restrict the

-set of IP addresses that each user can use.
+set of IP addresses that each user can use.  Typically, when using the
+\fBlogin\fR option, the secret in /etc/ppp/pap-secrets would be "", to
+avoid the need to have the same secret in two places.

 .LP
 Secrets are selected from the CHAP secrets file as follows:
 .TP 2
 .LP
 Secrets are selected from the CHAP secrets file as follows:
 .TP 2