From b7584d925557989213dc44dd2ce0fb9e36dffbd5 Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Mon, 1 May 1995 01:43:54 +0000 Subject: [PATCH] comment on papcrypt --- pppd/pppd.8 | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/pppd/pppd.8 b/pppd/pppd.8 index a684e66..4f4cf66 100644 --- a/pppd/pppd.8 +++ b/pppd/pppd.8 @@ -1,5 +1,5 @@ .\" manual page [] for pppd 2.0 -.\" $Id: pppd.8,v 1.9 1995/04/24 05:53:35 paulus Exp $ +.\" $Id: pppd.8,v 1.10 1995/05/01 01:43:54 paulus Exp $ .\" SH section heading .\" SS subsection heading .\" LP paragraph @@ -309,6 +309,12 @@ option). Set the assumed name of the remote system for authentication purposes to . .TP +.B papcrypt +Indicates that all secrets in the /etc/ppp/pap-secrets file which +are used for checking the identity of the peer are encrypted, and thus +pppd should not accept a password which (before encryption) is +identical to the secret from the /etc/ppp/pap-secrets file. +.TP .B proxyarp Add an entry to this system's ARP [Address Resolution Protocol] table with the IP address of the peer and the Ethernet address of this @@ -454,7 +460,7 @@ directions if desired. .LP A secrets file is parsed into words as for a options file. A secret is specified by a line containing at least 3 words, in the order -client, server, secret. Any following words on the same line are +client name, server name, secret. Any following words on the same line are taken to be a list of acceptable IP addresses for that client. If there are only 3 words on the line, it is assumed that any IP address is OK; to disallow all IP addresses, use "-". If the secret starts 
@@ -510,11 +516,16 @@ When authenticating the peer with PAP, a secret of "" matches any password supplied by the peer. If the password doesn't match the secret, the password is encrypted using crypt() and checked against the secret again; thus secrets for authenticating the peer can be -stored in encrypted form. If the \fBlogin\fR option was specified, the +stored in encrypted form. If the \fBpapcrypt\fR option is given, the +first (unencrypted) comparison is omitted, for better security. +.LP +If the \fBlogin\fR option was specified, the username and password are also checked against the system password database. Thus, the system administrator can set up the pap-secrets file to allow PPP access only to certain users, and to restrict the -set of IP addresses that each user can use. +set of IP addresses that each user can use. Typically, when using the +\fBlogin\fR option, the secret in /etc/ppp/pap-secrets would be "", to +avoid the need to have the same secret in two places. .LP Secrets are selected from the CHAP secrets file as follows: .TP 2 -- 2.39.2
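Review bot: In the @@ -309 hunk, the new .B papcrypt entry says the secrets "are encrypted" without naming the function, while the pap-secrets section changed later in this patch says the password is "encrypted using crypt()". Name crypt() in the option entry as well, so an administrator knows what form the stored secrets must take. The entry is also phrased as intent ("pppd should not accept a password which (before encryption) is identical to the secret"); consider stating the behaviour directly, for example that with this option pppd compares only the crypt() result of the supplied password against the secret and never the supplied password itself.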
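Review bot: In the @@ -510 hunk, the added text does not say how papcrypt interacts with a secret of "", which the first context line says "matches any password supplied by the peer" and which the new closing sentence recommends for use with login. State whether the "" match still applies when papcrypt is given, since a reader could take "the first (unencrypted) comparison is omitted" to cover it. "for better security" would also be clearer with the reason that follows from the preceding sentence: without papcrypt a password identical to the stored secret is accepted, so the encrypted string in /etc/ppp/pap-secrets itself works as a password for anyone who can read the file.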