pppauth(SFF)
pppauth -- point-to-point authentication database
Format
name password
Description
SCO OpenServer's PPP implementation supports either of two authentication
protocols:
Password Authentication Protocol (PAP)
and Challenge-Handshake Authentication Protocol (CHAP),
as well as the Microsoft extension to the CHAP
protocol, MSCHAP.
The /etc/pppauth file holds the authentication information
used by all three protocols, since each of them reads its
name and password values from entries in the same format.
The authentication protocol used is selectable on a PPP
link basis through the link configuration entries in the
/etc/ppphosts file.
The local host requires authentication on a link and uses PAP if
the auth authentication option is set to pap for that
link.
The local host requires authentication on a link and uses CHAP
if the auth authentication option is set to chap for
that link.
If neither pap nor chap is specified for a link, the local
host does not require authentication on that link.
Additionally, each link configuration may specify an authentication
timeout value and may specify the entry
in the /etc/pppauth file
to use for a local host lookup.
name - is either a name for the local host
or a name for a peer host. For a peer this is often, but not
necessarily, the peer's host name.
More than one entry may exist for the local host. For example,
a different local host ``name password'' pair may exist
for use with each remote host for which authentication will occur.
The entry in /etc/pppauth to use for the local host is
selectable on a PPP link
basis through the name authentication parameter in the
/etc/ppphosts file.
If no entry is specified but a local host lookup is required, the
entry whose name begins with a ``*'' is used for the local host by default.
For PAP, this field corresponds with the ``Peer-ID''
field of a PAP Authentication-Request message.
For CHAP, this field corresponds with the ``Name'' field
of a CHAP Challenge or Response message.
password - is a value that must be known by both hosts in the PPP
authentication negotiation.
For PAP, this field corresponds with the ``Password''
field of a PAP Authentication-Request message.
For CHAP, this field is the ``secret'' used to compute
the ``Value'' field of a CHAP Response message.
Each entry must be a single line in the format shown above.
Each entry can contain up to 2048 characters.
A ``#'' indicates the beginning of a comment;
characters appearing after ``#'' are ignored.
Fields are separated by white space (one or more spaces or tabs).
How PAP works
If PAP is specified,
pppd(ADMN),
during the PPP authentication negotiation stage,
will request that the remote host send name
and password elements that identify the remote host
for comparison with those stored
in /etc/pppauth.
If the comparison done by pppd does not return a match,
pppd refuses the connection request.
If the remote host requests PAP authentication,
pppd sends the elements that identify the local host.
If PAP is used, these elements are sent as is, in cleartext and without
encryption, so anyone able to observe the link can read them;
PAP is therefore not very secure.
An entry must exist for the local host if any remote hosts will
request authentication.
An entry must exist for any remote hosts for whom the local
host will request authentication.
How CHAP and MSCHAP work
If CHAP or MSCHAP is specified, pppd,
during the PPP authentication negotiation stage,
will send a CHAP request packet to the remote host.
The CHAP request packet contains the local host name and
a random string generated by the local host.
The remote host computes a ``result'' based on the request packet id,
the random string, and the ``secret'' (password)
value associated with the received (i.e. local host) name.
The remote host sends the ``result'' to the local host.
The local host performs the same computation using the ``secret''
value for the local host found in its /etc/pppauth file.
The local host compares its computation ``result'' with
the ``result'' sent by the remote host.
If the results match, the local host continues the establishment of the
connection with the remote host;
if the results do not match, the local host
refuses the connection. If a remote host requests CHAP
authentication, the local host responds as described above for a
remote host.
Because CHAP sends only the computed ``result'' over the link and never
the ``secret'' itself, it provides a higher level of security than PAP.
An entry must exist for the local host if
the local host will request authentication.
An entry must exist for any remote hosts that
will request authentication. In cases where the CHAP
name of the remote host is dynamic (as with an ISP using
a pool of hosts), a wildcard entry can be added to the
/etc/pppauth file (see ``Examples'').
MSCHAP is an extension to the CHAP standard with
essentially the same challenge-response architecture.
The most significant difference is in hashing algorithms; CHAP
uses MD4 while MSCHAP uses MD5.
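As an added illustration, not code from SCO's pppd or from this manual page: the following Python parses a constructed /etc/pppauth in the ``name password'' format described above (``#'' comments, a ``*''-prefixed default local entry, a bare ``*'' wildcard) and then runs the CHAP challenge/response exchange this section describes, with the peer looking up the secret under the received local host name and the local host recomputing with its own entry. The hash step follows the CHAP computation in RFC 1994 (MD5 over identifier, secret and challenge); the host names and secrets are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample databases in the "name password" format this page describes:
# '#' starts a comment, a leading '*' marks the default local host entry.
LOCAL_DB_TEXT = """\
# Name              Password
*krusty.example     Bull        # default local host entry
laiout.example      Blazer      # entry for the peer laiout
"""
PEER_DB_TEXT = """\
*laiout.example     Blazer      # laiout's own default local entry
krusty.example      Bull        # secret shared with krusty
"""

def parse_pppauth(text):
    """Return {name: password}; comments stripped, blank lines skipped."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed entry: {raw!r}")
        db[fields[0]] = fields[1]
    return db

def default_local(db):
    """The entry whose name begins with '*' is the default local host entry."""
    for name, secret in db.items():
        if name.startswith("*") and len(name) > 1:
            return name[1:], secret
    raise KeyError("no default local host entry")

def chap_value(ident, secret, challenge):
    """CHAP Response Value = MD5(Identifier || Secret || Challenge), RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_exchange(local_db, peer_db, ident=7):
    """One challenge/response as the page describes; True if the peer passes."""
    local_name, local_secret = default_local(local_db)
    challenge = secrets.token_bytes(16)      # random string from the local host
    # Peer side: secret filed under the received (local host) name, else the
    # '*' wildcard; no entry at all yields an empty secret and a failed check.
    peer_secret = peer_db.get(local_name, peer_db.get("*", ""))
    response = chap_value(ident, peer_secret, challenge)
    # Local side: same computation with its own secret, constant-time compare.
    expected = chap_value(ident, local_secret, challenge)
    return hmac.compare_digest(expected, response)
```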
Examples
A typical /etc/pppauth file:
#
# PPPauth - PPP authentication name/secret file
# Name                Password
#
*krusty.i88.isc.com   Bull            # default local host ID/password
smith.i88.isc.com     Blanket         # second local host ID/password
laiout.i88.isc.com    Blazer          # remote host ID/password
*                     MyChApSeCrEt    # wildcard for dynamic CHAP
Files
/etc/pppauth - PPP authentication database file
/etc/ppphosts - PPP link configuration file
See also
pppd(ADMN),
hosts(SFF),
ppphosts(SFF)
RFC 1334
RFC 1877
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003