PPP DialUp Server Configuration

There are three techniques for creating a dial-up PPP server. The key for two of them is the /etc/passwd file. One technique is to create a shell script, often named /etc/ppp/ppplogin, and use it as the login shell for dial-up PPP users, as in this example:

jane:x:522:100:Jane Resnick:/tmp:/etc/ppp/ppplogin

This looks exactly like any other /etc/passwd entry, and functions in exactly the same way. The PPP user is prompted for a username—jane in this case—and a password. After the user successfully logs in, she is assigned the home directory /tmp. The /tmp directory is commonly used for PPP users. The system then starts the user's login shell. In this case, the login shell is /etc/ppp/ppplogin, which is actually a shell script that starts the PPP server. Here is a sample ppplogin script:

#!/bin/sh
# Refuse talk/write messages so nothing extra is sent down the PPP line
mesg -n
# Turn off character echo on the controlling terminal
stty -echo
# Replace this shell with pppd, attached to the controlling terminal
exec /sbin/pppd crtscts modem passive auth

Your ppplogin script will not necessarily look like this example; you create your own ppplogin script. The mesg and stty commands are primarily to show you that you can put whatever you think is necessary in the ppplogin script. The mesg -n line prevents users from sending messages to this terminal with programs such as talk and write. Clearly, you don't want extraneous data being sent over the PPP connection.

The stty -echo command turns off character echo. When echo is on, the characters typed by the remote user are echoed back to the remote computer by the local computer. This was used on old Teletype terminals so that the user could monitor the quality of the dial-up line. If the characters were garbled as they appeared on the screen, the user knew that they should disconnect and redial to get a clear line. Of course, those days are long gone. Echoing characters across a PPP line is never used.

The real purpose of the script is, of course, to start the PPP daemon, and that is exactly what the last line does. There are definite differences between the pppd command that you execute here and the one that you saw in the previous section for dedicated lines. First, this command does not specify a device name. That's intentional. When pppd is started without a device name, it attaches to the controlling terminal, and runs in background mode. The controlling terminal is the terminal that login was servicing when it launched the ppplogin script. This permits you to use the same ppplogin script for every serial port. Likewise, this pppd command does not specify a line speed. In this case, the line speed is taken from the configuration of the serial port, again allowing you to use the same script for every serial port.

The remaining four items on the pppd command line are options:

• The crtscts option turns on hardware flow control, as discussed earlier.

• The modem option tells the PPP daemon to monitor the modem's Data Carrier Detect (DCD) indicator. By monitoring DCD, the local system can tell if the remote system drops the line. This is useful because it is not always possible for the remote system to gracefully close the connection.

• The passive option tells pppd to wait until it receives a valid Link Control Protocol (LCP) packet from the remote system. Normally, the PPP daemon attempts to initiate a connection by sending the appropriate LCP packets. If it doesn't receive a proper reply from the remote system, it drops the connection. Using passive gives the remote system time to initiate its own PPP daemon. With passive set, pppd holds the line open until the remote system sends an LCP packet.

• The auth option requires the remote system to authenticate itself. This is not the username and password authentication required by login, and it does not replace login security. PPP security is additional security designed to authenticate the user and the computer at the other end of the PPP connection.

An alternative to the ppplogin script is to use pppd as a login shell for dial-in PPP users. In this case, a modified /etc/passwd entry might contain

ed:wJxX.iPuPzg:101:100:Ed Oz:/etc/ppp:/usr/sbin/pppd

Here, the home directory is /etc/ppp and the login shell is the full path of the pppd program. When the server is started in this manner, server options are generally placed in the /etc/ppp/.ppprc file.
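Both passwd-based techniques hinge on the seventh field of /etc/passwd, so it is worth being able to audit those entries. The following POSIX shell script is an added example, not part of the original chapter: it classifies each entry as a ppplogin-script account, a pppd-as-shell account, or a regular account, and flags PPP accounts with an empty password field (login security still applies to these users), a UID of 0, or, for pppd-as-shell accounts, a home directory other than /etc/ppp (where pppd looks for .ppprc). The script path /etc/ppp/ppplogin and the pppd paths /usr/sbin/pppd and /sbin/pppd are assumptions taken from the examples above; the sample entries are constructed, not real accounts.

```shell
#!/bin/sh
# Added example: audit /etc/passwd entries for the two passwd-based
# dial-up PPP techniques. Assumed paths (not stated as fixed on the page):
PPPLOGIN_SCRIPT=/etc/ppp/ppplogin

# Constructed sample entries; the 'x' password field means the hash lives
# in /etc/shadow, which this script does not inspect.
SAMPLE_PASSWD='jane:x:522:100:Jane Resnick:/tmp:/etc/ppp/ppplogin
ed:x:101:100:Ed Oz:/etc/ppp:/usr/sbin/pppd
guest::523:100:No Password:/tmp:/etc/ppp/ppplogin
bob:x:524:100:Bob Home:/home/bob:/usr/sbin/pppd
alice:x:525:100:Alice:/home/alice:/bin/sh'

# classify_entry LINE -> prints ppplogin, pppd-shell, or regular
classify_entry() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        "$PPPLOGIN_SCRIPT")          echo ppplogin ;;
        /usr/sbin/pppd|/sbin/pppd)   echo pppd-shell ;;
        *)                           echo regular ;;
    esac
}

# check_entry LINE -> prints "ok" (status 0) or a ;-separated list of
# findings (status 1). Regular accounts are out of scope and report ok.
check_entry() {
    entry=$1
    passwd=$(printf '%s\n' "$entry" | cut -d: -f2)
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    kind=$(classify_entry "$entry")
    findings=""
    if [ "$kind" = regular ]; then
        echo ok
        return 0
    fi
    # Empty password field: login asks for no password, and pppd's 'auth'
    # option does not replace login security.
    if [ -z "$passwd" ]; then
        findings="$findings;empty-password"
    fi
    # A dial-in PPP account must never be UID 0.
    if [ "$uid" = 0 ]; then
        findings="$findings;uid-zero"
    fi
    # pppd as login shell reads $HOME/.ppprc, so home should be /etc/ppp.
    if [ "$kind" = pppd-shell ] && [ "$home" != /etc/ppp ]; then
        findings="$findings;home-not-etc-ppp"
    fi
    if [ -z "$findings" ]; then
        echo ok
        return 0
    fi
    echo "${findings#;}"
    return 1
}

# audit_passwd FILE -> one "user kind result" line per entry; the exit
# status is the number of entries with findings (0 = all ok).
audit_passwd() {
    problems=0
    while IFS= read -r line; do
        case "$line" in "") continue ;; esac
        user=${line%%:*}
        kind=$(classify_entry "$line")
        if result=$(check_entry "$line"); then
            printf '%s %s %s\n' "$user" "$kind" "$result"
        else
            printf '%s %s %s\n' "$user" "$kind" "$result"
            problems=$((problems + 1))
        fi
    done < "$1"
    return "$problems"
}

# demo_audit: run the audit over the constructed sample in a temp file.
demo_audit() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    rc=0
    audit_passwd "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run it as `. ./ppp_audit.sh && audit_passwd /etc/passwd` on a real system, or `demo_audit` for the constructed sample, which reports guest (empty password) and bob (pppd shell with a home directory that is not /etc/ppp) and exits with status 2.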

The final technique for running PPP as a server is to allow the user to start the server from the shell prompt. To do this, pppd must be installed setuid root, which is not the default installation. After pppd is setuid root, a user with a standard login account can log in and then issue the following command:

$ pppd proxyarp

This command starts the PPP daemon. After the client is authenticated, a proxy ARP entry for the client is placed in the server's ARP table so that the client appears to other systems to be located on the local network.

Of these three approaches, I prefer to create a shell script that is invoked by login as the user's login shell. With this approach, I don't have to install pppd setuid root. I don't have to place the burden of running pppd on the user. And I get all of the power of the pppd command plus all of the power of a shell script.
