PAP Security

The Password Authentication Protocol (PAP) is vulnerable to all of the attacks that apply to any reusable password system. PAP is better than no security, but not by much. PAP sends the PPP client name and the password as clear text at the beginning of the connection setup. After this initial authentication, the client is not reauthenticated. Although spying on a serial line is much more difficult than spying on an Ethernet, PAP clear-text passwords can still be stolen by someone spying on your network traffic. Additionally, an established session can be hijacked by a system spoofing addresses.

Because of these weaknesses, use PAP only when you must—for example, if you have to support a client that can only provide PAP authentication. Unfortunately, PAP is still very widely used, and may be your only choice.

To configure PAP, make appropriate password entries in the /etc/ppp/pap-secrets file. A pap-secrets file might contain the following:

Listing 2.3: A Sample pap-secrets File

# Secrets for authentication using PAP
# client    server    secret              IP addresses
crow        wren      Wherearethestrong?  172.16.5.5
wren        crow      Whoarethetrusted?   172.16.5.1

Given the configuration shown in Listing 2.3, crow sends the PPP client name crow and the password Wherearethestrong? when asked for authentication by wren. wren sends the client name wren and the password Whoarethetrusted? when asked for authentication by crow. Both systems have the same entries in their pap-secrets files. These two entries provide authentication for both ends of the PPP connection.

The IP address field at the end of each entry defines the address from which the client name and the password are valid. Thus, only the host at address 172.16.5.5 can use the client name crow and the password Wherearethestrong?. Even though this is a valid client name and password combination, if it comes from any other address, it will be rejected.
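To make that lookup rule concrete, here is an added Python example (not code from the book) that parses a pap-secrets listing like Listing 2.3 and applies the check described above: the client name and password are accepted only from the address given in the entry. Treating "*" in the address field as "any address" is an assumption taken from pppd's file format, not something this excerpt states.

```python
import shlex
from typing import List, Tuple

# Constructed sample input: the same two entries as Listing 2.3.
PAP_SECRETS = """\
# Secrets for authentication using PAP
# client    server    secret              IP addresses
crow        wren      Wherearethestrong?  172.16.5.5
wren        crow      Whoarethetrusted?   172.16.5.1
"""

Entry = Tuple[str, str, str, List[str]]


def parse_pap_secrets(text: str) -> List[Entry]:
    """Parse pap-secrets text into (client, server, secret, addresses) tuples.

    Blank lines and '#' comments are skipped; shlex handles quoted secrets.
    """
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed pap-secrets line: {line!r}")
        client, server, secret, *addrs = fields
        entries.append((client, server, secret, addrs))
    return entries


def pap_accept(entries: List[Entry], server: str, client: str,
               secret: str, peer_addr: str) -> bool:
    """Return True if `server` should accept this PAP request from `client`.

    The name/secret pair is valid only when presented from an address listed
    in the entry, as the text describes. Treating '*' as "any address" is an
    assumption taken from pppd's file format, not from the excerpt.
    """
    for ent_client, ent_server, ent_secret, addrs in entries:
        if (ent_client, ent_server) != (client, server):
            continue                # entry is for a different pair of hosts
        if ent_secret != secret:
            continue                # right names, wrong password
        if "*" in addrs or peer_addr in addrs:
            return True
    return False                    # no matching entry for this request


if __name__ == "__main__":
    secrets = parse_pap_secrets(PAP_SECRETS)
    # wren checking crow's credentials: accepted only from 172.16.5.5
    print(pap_accept(secrets, "wren", "crow", "Wherearethestrong?", "172.16.5.5"))
    print(pap_accept(secrets, "wren", "crow", "Wherearethestrong?", "172.16.5.9"))
```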

The auth option on the pppd command line forces the PPP daemon to require authentication. If it must, it will fall back to PAP, but first it will try to use CHAP.
