DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 

pppauth(SFF)

pppauth -- point-to-point authentication database

Format

name password

Description

SCO OpenServer's PPP implementation supports either of two authentication protocols: Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP), as well as the Microsoft extension to the CHAP protocol, MSCHAP. The /etc/pppauth file holds the authentication information used by these protocols since the protocols extract this information from the same format.

The authentication protocol used is selectable on a PPP link basis through the link configuration entries in the /etc/ppphosts file. The local host requires authentication on a link and uses PAP if the auth authentication option is set to pap for that link. The local host requires authentication on a link and uses CHAP if the auth authentication option is set to chap for that link. If neither pap nor chap is specified for a link, the local host does not require authentication on that link. Additionally, each link configuration may specify an authentication timeout value and may specify the entry in the /etc/pppauth file to use for a local host lookup.


name
is either a name for the local host or a name for a peer host. For a peer this is often, but not necessarily, the peer's host name. More than one entry may exist for the local host. For example, a different local host ``name password'' pair may exist for use with each remote host for which authentication will occur. The entry in /etc/pppauth to use for the local host is selectable on a PPP link basis through the name authentication parameter in the /etc/ppphosts file. If no entry is specified but a local host lookup is required, the entry beginning with a ``*'' is used for the local host by default.

For PAP, this field corresponds with the ``Peer-ID'' field of a PAP Authentication-Request message. For CHAP, this field corresponds with the ``Name'' field of a CHAP Challenge or Response message.


password
is a value that must be known by both hosts in the PPP authentication negotiation. For PAP, this field corresponds with the ``Password'' field of a PAP Authentication-Request message. For CHAP, this field is the ``secret'' used to compute the ``Value'' field of a CHAP Response message.

Each entry must be a single line in the format shown above. Each entry can contain up to 2048 characters. A ``#'' indicates the beginning of a comment; characters appearing after ``#'' are ignored. Fields are separated by ``white space'' or a tab.

How PAP works

If PAP is specified, pppd(ADMN), during the PPP authentication negotiation stage, will request that the remote host send name and password elements that identify the remote host for comparison with those stored in /etc/pppauth. If the comparison done by pppd does not return a match, pppd refuses the connection request. If the remote host requests PAP authentication, pppd sends the elements that identify the local host. If PAP is used, these elements are sent as is, without encryption, and are therefore not very secure.

An entry must exist for the local host if any remote hosts will request authentication. An entry must exist for any remote hosts for whom the local host will request authentication.

How CHAP and MSCHAP work

If CHAP or MSCHAP is specified, pppd, during the PPP authentication negotiation stage, will send a CHAP request packet to the remote host. The CHAP request packet contains the local host name and a random string generated by the local host. The remote host computes a ``result'' based on the request packet id, the random string, and the ``secret'' (password) value associated with the received (i.e. local host) name. The remote host sends the ``result'' to the local host. The local host performs the same computation using the ``secret'' value for the local host found in its /etc/pppauth file. The local host compares its computation ``result'' with the ``result'' sent by the remote host. If the results match, the local host continues the establishment of the connection with the remote host; if the results do not match, the local host refuses the connection. If a remote host requests CHAP authentication, the local host responds as described above for a remote host. Because of the computation method used by CHAP, it provides a higher level of security than PAP.

An entry must exist for the local host if the local host will request authentication. An entry must exist for any remote hosts that will request authentication. In cases where the CHAP name of the remote host is dynamic (as with an ISP using a pool of hosts), a wildcard entry can be added to the /etc/pppauth file (see ``Examples'').

MSCHAP is an extention to the CHAP standard with essentially the same challenge-response architecture. The most significant difference is in hashing algorithms; CHAP uses MD4 while MSCHAP uses MD5.

Examples

A typical /etc/pppauth file: 
   #
   #PPPauth - PPP authentication name/secret file	
   #Name			Password	
   #
   *krusty.i88.isc.com	Bull	/* default local host ID/password */			
   smith.i88.isc.com	Blanket	/* second local host ID/password */
   laiout.i88.isc.com	Blazer	/* remote host ID/password */
   *	MyChApSeCrEt	/* wildcard for dynamic CHAP */

Files


/etc/pppauth
PPP authentication database file

/etc/ppphosts
PPP link configuration file

See also

pppd(ADMN), hosts(SFF), ppphosts(SFF)

RFC 1334 RFC 1877

© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003