sun.com   |  docs.sun.com
How To Buy  |  My Sun  |  Worldwide Sites
         
 
Sun Microsystems Logo
 Products and Services
 		 Support and Training
 
 
System Administration Guide: Resource Management and Network Services 

Previous Previous     Contents     Index     Next Next
Chapter 29

Setting Up PPP Authentication (Tasks)

This chapter contains tasks for setting up PPP authentication. Subjects that are covered include the following:

The procedures show how to implement authentication over a dial-up link because dial-up links are more likely to be configured for authentication than leased-line links. You can configure authentication over leased lines if authentication is required by your corporate security policy. For leased-line authentication, use the tasks in this chapter as guidelines.

If you want to use PPP authentication but are not sure which protocol to use, review the section Why Use PPP Authentication?. More detailed information about PPP authentication is in the pppd(1M) man page and in Authenticating Callers on a Link.

Configuring PPP Authentication (Task Map)

This section contains task maps to help you quickly access procedures for PPP authentication.

Table 29-1 Task Map for General PPP Authentication

Task

For Instructions

Configure PAP authentication

Setting Up PAP Authentication (Task Maps)

Configure CHAP authentication

Setting Up CHAP Authentication (Task Maps)

Configuring PAP Authentication

The tasks in this section explain how to implement authentication on a PPP link by using the Password Authentication Protocol (PAP). The tasks use the example that is shown in Example--PPP Authentication Configurations to illustrate a working PAP scenario for a dial-up link. Use the instructions as the basis for implementing PAP authentication at your site.

Before you perform the next procedures, you must have done the following:

  • Set up and tested the dial-up link between the dial-in server and dial-out machines that belong to trusted callers

  • Ideally, for dial-in server authentication, obtained superuser permission for the machine where the network password database is administered, for example, in LDAP, NIS, or local files

  • Obtained superuser authority for the local machine, either dial-in server or dial-out machine

Setting Up PAP Authentication (Task Maps)

Use the next task maps to quickly access PAP-related tasks for the dial-in server and trusted callers on dial-out machines.

Table 29-2 Task Map for PAP Authentication (Dial-in Server)

Task

Description

For Instructions

1. Gather preconfiguration information

Collect user names and other data that is needed for authentication.

Planning for Authentication on a Link

2. Update the password database, if necessary

Ensure that all potential callers are in the server's password database.

How to Create a PAP Credentials Database (Dial-in Server)

3. Create the PAP database

Create security credentials for all prospective callers in /etc/ppp/pap-secrets.

How to Create a PAP Credentials Database (Dial-in Server)

4. Modify the PPP configuration files

Add options specific to PAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files.

How to Add PAP Support to the PPP Configuration Files (Dial-in Server)

Table 29-3 Task Map for PAP Authentication (Dial-out Machine)

Task

Description

For Instructions

1. Gather preconfiguration information

Collect user names and other data that is needed for authentication.

Planning for Authentication on a Link

2. Create the PAP database for the trusted caller's machine

Create the security credentials for the trusted caller and, if necessary, security credentials for other users who call the dial-out machine, in /etc/ppp/pap-secrets.

How to Configure PAP Authentication Credentials for the Trusted Callers

3. Modify the PPP configuration files

Add options specific to PAP to the /etc/ppp/options and /etc/ppp/peers/peer-name files.

How to Add PAP Support to the PPP Configuration Files (Dial-out Machine)

Configuring PAP Authentication on the Dial-in Server

To set up PAP authentication, you must do the following:

  • Create a PAP credentials database

  • Modify PPP configuration files for PAP support

ProcedureHow to Create a PAP Credentials Database (Dial-in Server)

This procedure modifies the /etc/ppp/pap-secrets file, which contains the PAP security credentials that are used to authenticate callers on the link. /etc/ppp/pap-secrets must exist on both machines on a PPP link.

The sample PAP configuration that was introduced in Figure 26-3 uses the login option of PAP. If you plan to use this option, you might also need to update your network's password database. For more information on the login option, refer to Using the login Option With /etc/ppp/pap-secrets.

  1. Assemble a list of all potential trusted callers. Trusted callers are people to be granted permission to call the dial-in server from their remote machines.

  2. Verify that each trusted caller already has a UNIX user name and password in the dial-in server's password database.

    Note - Verification is particularly important for the sample PAP configuration, which uses the login option of PAP to authenticate callers. If you choose not to implement login for PAP, the callers' PAP user names do not have to correspond with their UNIX user names. For information on standard /etc/ppp/pap-secrets, refer to /etc/ppp/pap-secrets File.

    Do the following if a potential trusted caller does not have a UNIX user name and password:

    1. Verify with their managers that callers whom you do not know personally have permission to access the dial-in server.

    2. Create UNIX user names and passwords for these callers in the manner that is directed by your corporate security policy.

  3. Become superuser on the dial-in server, and edit the /etc/ppp/pap-secrets file.

    Solaris PPP 4.0 provides a pap-secrets file in /etc/ppp that contains comments about how to use PAP authentication but no options. You can add the following options at the end of the comments.

    # 
user1      myserver        ""          *
user2      myserver        ""          *
myserver   user2           serverpass  *

    To use the login option of /etc/ppp/pap-secrets, you must type the UNIX user name of each trusted caller. Wherever a set of double quotes ("") appears in the third field, the password for the caller is looked up in the server's password database.

    The entry myserver * serverpass * contains the PAP user name and password for the dial-in server. In Figure 26-3, the trusted caller user2 requires authentication from remote peers. Therefore, myserver's /etc/ppp/pap-secrets file contains PAP credentials for use when a link is established with user2.

Where to Go From Here

Task

For Instructions

Modify the PPP configuration files to support PAP authentication

Modifying the PPP Configuration Files for PAP (Dial-in Server)

Set up PAP authentication on the dial-out machines of trusted callers

Configuring PAP Authentication for Trusted Callers (Dial-out Machines)

Modifying the PPP Configuration Files for PAP (Dial-in Server)

The tasks in this section explain how to update any existing PPP configuration files to support PAP authentication on the dial-in server.

ProcedureHow to Add PAP Support to the PPP Configuration Files (Dial-in Server)

The procedure uses the PPP configuration files that were introduced in How to Define Communications Over the Serial Line (Dial-in Server) as examples.

  1. Log in to the dial-in server as superuser.

  2. Add authentication options to the /etc/ppp/options file.

    For example, you would add the options in bold to an existing /etc/ppp/options file to implement PAP authentication:

    lock
idle 120
nodefaultroute
name myserver
auth
require-pap
user myserver
remotename user2
login

    name myserver

    Sets myserver as the PAP name of the user on the local machine. If the login option is used, the PAP name must be the same as the user's UNIX user name in the password database.

    auth

    States that the server must authenticate callers before establishing the link.

    require-pap

    Requires callers to provide PAP credentials.

    user myserver

    Defines myserver as the user name of the local machine.

    remotename user2

    Defines user2 as a peer that requires authentication credentials from the local machine.

    login

    Specifies that the local machine must use the login option of PAP for authentication wherever login is called for in the /etc/ppp/pap-secrets file.

  3. Create an /etc/ppp/options.ttyname file, as described in How to Define Communications Over the Serial Line.

  4. Set up the $HOME/.ppprc file for each remote caller, as explained in How to Configure Users of the Dial-in Server.

Previous Previous     Contents     Index     Next Next
 
Copyright 1994-2003 Sun Microsystems