Configuring CHAP and PAP Authentication

The pppd on your system has to authenticate itself to the ISP's PPP server before the PPP connection is up and running. Authentication requires proving that you have a valid account with the ISP and essentially involves providing a user name and a secret (password). PPP specifies two ways of exchanging the authentication information between the two ends of the connection:

♦ CHAP: Challenge Handshake Authentication Protocol (CHAP) requires the remote end to send a randomly generated challenge string along with the remote server's name. The local system looks up the secret using the server's name and sends back a response that includes its name and a value that combines the secret and the challenge by using a one-way hash function. The remote system then checks that value against its own calculation of the expected hash value. If the values match, the authentication succeeds; otherwise, the remote system terminates the connection. In this case, the name and secret are stored in the /etc/ppp/chap-secrets file. Note that the remote system can repeat the CHAP authentication any time while the PPP link is up.

♦ PAP: Password Authentication Protocol (PAP) is like the normal login process. When using PAP, the local system repeatedly sends a user name (name) and password (secret) until the remote system acknowledges the authentication or ends the connection. The name and secret are stored in the /etc/ppp/ pap-secrets file. Note that the user name and password are sent in the clear in unencrypted plain text form so that anyone intercepting the data can read it.

The Linux pppd server supports both types of authentication. For both PAP and CHAP, the information that the pppd server needs is a name and a secret—a user-namepassword pair. This authentication information is stored in the following configuration files:

• /etc/ppp/chap-secrets stores the information for CHAP. Here's what a typical chap-secrets file looks like:

# Secrets for authentication using CHAP

# client server secret IP addresses "naba" * "mypassword"


• /etc/ppp/pap-secrets stores the information for PAP. Here's a typical pap-secrets file:

# Secrets for authentication using PAP

# client server secret IP addresses "naba" * "mypassword"

As you can see, the format of entries is the same for both chap-secrets and pap-

secrets. There are four fields in each line, in the following order:

1. client: This field contains the name to be used during authentication. This is the user name that you get from the ISP.

2. server: This field contains the name of the remote system to which you are authenticating the local system. If you don't know the server's name, put an asterisk to indicate any server.

3. secret: This field is the secret that your system's pppd has to send to the remote system to authenticate itself. This is the password you received from the ISP.

4. IP addresses: This optional field can contain a list of the IP addresses that the local system may use when connecting to the specified server. Typically, this field is left blank because the local system usually gets a dynamic IP address from the server and, therefore, does not know what IP address it would use.

Was this article helpful?

0 0
Make Money Writing

Make Money Writing

This Report Will Show You How To Make Money By Providing Writing Services To Other Internet Marketers. Learn how to make money by writing the right way. Grab your copy of this report now and learn. Why writing is a great way to earn money. How to compete with cheap writers, even if you charge a lot more money.

Get My Free Ebook

Post a comment