<HTML>

<HEAD>

<TITLE>Special Edition Using Linux, Fourth Edition:Using SLIP and PPP</TITLE>

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>





<!--ISBN=0789717468//-->

<!--TITLE=Special Edition Using Linux, Fourth Edition//-->

<!--AUTHOR=Jack Tackett//-->

<!--AUTHOR=Jr.//-->

<!--AUTHOR=Steve Burnett//-->

<!--PUBLISHER=Macmillan Computer Publishing//-->

<!--IMPRINT=Que//-->

<!--CHAPTER=29//-->

<!--PAGES=573-575//-->

<!--UNASSIGNED1//-->

<!--UNASSIGNED2//-->



<CENTER>

<TABLE BORDER>

<TR>

<TD><A HREF="571-573.html">Previous</A></TD>

<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>

<TD><A HREF="../ch30/577-579.html">Next</A></TD>

</TR>

</TABLE>

</CENTER>

<P><BR></P>

<P><TT>pppd</TT> reads this file and processes the options it finds within. Any text following a # character is treated as a comment and ignored.</P>

<P>The following <TT>chat</TT> script sets a number of <TT>abort</TT> strings, dials the phone number, waits for a login prompt, and logs the ppp user in to the remote host with password ppp-word:</P>

<!-- CODE SNIP //-->

<PRE>
# Hang up (abort) if the modem reports any of these strings
abort 'NO CARRIER'
abort 'BUSY'
abort 'VOICE'
abort 'CARRIER 2400'
# Expect nothing and dial; once CONNECT arrives send nothing (\c = no newline)
'' ATDT555-1234
CONNECT '\c'
# Wait for the login prompt, sending a BREAK once if it does not appear
ogin:-BREAK-ogin: ppp
word: ppp-word
</PRE>

<!-- END CODE SNIP //-->
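<P>To make the control flow of that script concrete, here is a small interpreter for chat-style expect/send scripts. It is an added example, not code from the book or from the <TT>chat</TT> program: it tokenises the script above (abort strings, expect/send pairs, the expect-subsend-subexpect form <TT>ogin:-BREAK-ogin:</TT> and the <TT>\c</TT> escape) and replays it against a constructed stand-in for the modem. <TT>FakeModem</TT>, the canned replies and the <TT>CONNECT 28800</TT> / <TT>linux1 login:</TT> transcript are invented here; a real run talks to a serial tty.</P>

```python
"""Minimal interpreter for chat(8)-style expect/send scripts (added example)."""
import shlex

# The script from the section, as it would be given to chat -f.
SCRIPT = r"""
abort 'NO CARRIER'
abort 'BUSY'
abort 'VOICE'
abort 'CARRIER 2400'
'' ATDT555-1234
CONNECT '\c'
ogin:-BREAK-ogin: ppp
word: ppp-word
"""


class FakeModem:
    """Constructed serial line: every send() hands the script the next
    canned reply from the far side (modem or remote login prompt)."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []       # what the script transmitted, in order
        self.pending = ""    # input waiting to be read

    def send(self, text):
        self.sent.append(text)
        if self.replies:
            self.pending += self.replies.pop(0)

    def read(self):
        data, self.pending = self.pending, ""
        return data


def tokenize(script):
    """Split into words: quotes group spaces, '' is the empty string and
    lines beginning with # are comments, as in a chat script file."""
    words = []
    for line in script.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            words.extend(shlex.split(line))
    return words


def _send(modem, text):
    if text == "BREAK":               # chat sends a line break signal here
        modem.send("<BREAK>")
    elif text.endswith("\\c"):        # \c suppresses the trailing newline
        modem.send(text[:-2])
    else:
        modem.send(text + "\r")


def _wait_for(target, aborts, modem, received):
    """Return (status, unread input). status is 'ok', 'timeout', or the
    abort string that completed before the expected string did."""
    if target == "":
        return "ok", received
    received += modem.read()
    end = received.find(target)
    end = end + len(target) if end >= 0 else -1
    for a in aborts:
        a_pos = received.find(a)
        if a_pos >= 0 and (end < 0 or a_pos + len(a) <= end):
            return a, received[a_pos + len(a):]
    if end < 0:
        return "timeout", received
    return "ok", received[end:]


def run_chat(script, modem):
    """Execute the script; returns (success, reason)."""
    tokens = tokenize(script)
    aborts, received, i = [], "", 0
    while i < len(tokens):
        if tokens[i] == "abort":
            aborts.append(tokens[i + 1])
            i += 2
            continue
        expect = tokens[i]
        send = tokens[i + 1] if i + 1 < len(tokens) else None
        i += 2
        parts = expect.split("-")     # expect[-subsend-subexpect]...
        status = "timeout"
        for k in range(0, len(parts), 2):
            status, received = _wait_for(parts[k], aborts, modem, received)
            if status == "ok":
                break
            if status != "timeout":
                return False, f"abort on '{status}'"
            if k + 1 < len(parts):    # nothing seen: send the subsend and retry
                _send(modem, parts[k + 1])
        if status != "ok":
            return False, f"timeout waiting for '{parts[-1]}'"
        if send is not None:
            _send(modem, send)
    return True, "script completed"


def demo():
    """Replay the script against three constructed far-side transcripts."""
    cases = {
        "clean login": ["\r\nCONNECT 28800\r\n", "\r\nlinux1 login: ", "\r\nPassword: ", "\r\n"],
        "line busy": ["\r\nBUSY\r\n"],
        "prompt needs BREAK": ["\r\nCONNECT 28800\r\n", "", "\r\nlinux1 login: ", "\r\nPassword: ", "\r\n"],
    }
    results = {}
    for name, replies in cases.items():
        modem = FakeModem(replies)
        ok, reason = run_chat(SCRIPT, modem)
        results[name] = (ok, reason, modem.sent)
    return results


if __name__ == "__main__":
    for name, (ok, reason, sent) in demo().items():
        print(name, ok, reason, sent)
```

<P>Running <TT>demo()</TT> shows the three outcomes the section's script is built to handle: a clean dial and login, an abort as soon as <TT>BUSY</TT> arrives (nothing after the dial string is ever sent), and the <TT>BREAK</TT> retry when the first <TT>ogin:</TT> never shows up. Abort strings are checked by completion position, so a <TT>CARRIER 2400</TT> report wins over a <TT>CONNECT</TT> that follows it.</P>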

<H4 ALIGN="LEFT"><A NAME="Heading12"></A><FONT COLOR="#000077">Providing PPP Service</FONT></H4>

<P>Configuring your Linux machine to be a PPP server is even easier than setting up a SLIP server. It requires only one new account and a shell script that properly runs the <TT>pppd</TT> program.</P>

<P>Create an account called <TT>ppp</TT> with an /etc/passwd entry that looks like this:</P>

<!-- CODE SNIP //-->

<PRE>
ppp:*:501:300:PPP Account:/tmp:/etc/ppp/ppplogin
</PRE>

<!-- END CODE SNIP //-->

<P>and set the passwd appropriately. The uid (501) and gid (300) numbers need not be the same. You can also assign one account to each PPP client you have, if you want. The /etc/ppp/ppplogin file should be an executable script such as the following:

</P>

<!-- CODE SNIP //-->

<PRE>
#!/bin/sh
# PPP Server Login Script
# Turn off messages to this terminal
mesg n
# Turn off echoing
stty -echo
# Run pppd on top of this sh process (-detach is spelled nodetach in newer pppd releases)
exec pppd -detach silent modem crtscts
</PRE>

<!-- END CODE SNIP //-->

<P>This script executes <TT>pppd</TT> with the <TT>-detach</TT> argument, to keep <TT>pppd</TT> from detaching itself from the tty it&#146;s on. If <TT>pppd</TT> detaches, the script exits, causing the dial-up connection to close. The <TT>silent</TT> option makes <TT>pppd</TT> wait for the remote <TT>pppd</TT> daemon to initiate the link. The <TT>modem</TT> option makes <TT>pppd</TT> monitor the modem control lines, and <TT>crtscts</TT> makes <TT>pppd</TT> use hardware flow control.</P>

<P>That&#146;s all there is to it. When a user logs in to your machine with the proper user ID and password, the PPP link is established automatically on your box.</P>

<H4 ALIGN="LEFT"><A NAME="Heading13"></A><FONT COLOR="#000077">Keeping Your PPP Link Secure</FONT></H4>

<P>Keeping your PPP link secure is very important. Allowing anyone to connect your machine to a PPP server, or allowing anyone to connect to your PPP server, is as bad as letting anyone put a machine directly on your network. PPP provides a direct IP connection, effectively putting the machines on both ends of the link on the same network.</P>

<P>Two authentication protocols have been developed to make PPP more secure&#151;Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). While a PPP connection is being established, each machine can request the other to authenticate itself. This allows complete control of who can use your PPP service. CHAP is the more secure protocol and is discussed here.</P>

<P>CHAP uses a set of <I>secret keys</I>, text strings kept secret by the owners of the machines using CHAP, together with a challenge/response system to authenticate each machine: the challenger sends a random value, and the peer answers with a one-way hash of that value and the shared secret, so the secret itself never crosses the link. A useful feature of CHAP is that it periodically issues challenge requests as long as the PPP link is up. This, for example, can detect intruders who have replaced the legitimate user by switching phone lines.</P>

<P>The secret keys for CHAP are stored in /etc/ppp/chap-secrets. To use authentication on your PPP link, you add the <TT>auth</TT> option to the call to <TT>pppd</TT> and add the appropriate information for the host being authenticated into the chap-secrets file. The following is a sample chap-secrets file for linux2.burwell.com:</P>

<!-- CODE SNIP //-->

<PRE>
# linux2.burwell.com CHAP secrets file
# client/server/secret/IP addr
linux2.burwell.com linux1.burwell.com "It's Full of Stars" linux2.burwell.com
linux1.burwell.com linux2.burwell.com "three stars" linux1.burwell.com
* linux2.burwell.com "three stars" burwell.com
</PRE>

<!-- END CODE SNIP //-->

<P>Each line contains up to four fields: the client host name, the server host name, the secret key, and an optional list of IP addresses that this client can request be assigned to it. The client and server designations in this file are determined by the host that makes the authentication request (the server). The client has to respond to the request.

</P>

<P>This file defines three different CHAP secrets. The first line is used when linux1.burwell.com requests CHAP authentication from linux2.burwell.com; the second is used for the reverse situation. The last line defines a wildcard situation for the client. This allows any machine that knows the proper secret key to make a PPP link to linux2.burwell.com. The wildcard designator (*) can be used in the client or server field.</P>

<P>Careful management of the chap-secrets file allows you complete control over the machines that can access your PPP server and the machines that you can access with PPP.</P>
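<P>The following is an added example, not code from the book or from <TT>pppd</TT>, that ties the file format and the authentication exchange together: it parses a chap-secrets file in the format described above, resolves which entry applies to a client/server pair (honouring the <TT>*</TT> wildcard), computes and verifies the MD5 CHAP response of RFC 1994, and checks that the file is not readable by other users, since it holds plaintext secrets. The sample file is the section&#146;s; the host name laptop.burwell.com, the identifier values and the challenge bytes are constructed for the demonstration, and quoting is approximated with <TT>shlex</TT> rather than pppd&#146;s own word parser.</P>

```python
"""chap-secrets lookup and RFC 1994 MD5 challenge/response (added example)."""
import hashlib
import hmac
import os
import shlex
import tempfile

# The sample file from the section (constructed copy for the demonstration).
CHAP_SECRETS = '''
# linux2.burwell.com CHAP secrets file
# client/server/secret/IP addr
linux2.burwell.com linux1.burwell.com "It's Full of Stars" linux2.burwell.com
linux1.burwell.com linux2.burwell.com "three stars" linux1.burwell.com
* linux2.burwell.com "three stars" burwell.com
'''


def parse_chap_secrets(text):
    """One dict per entry: client, server, secret and the list of addresses
    the client may ask for. Lines starting with # are comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)            # approximation of pppd's quoting rules
        if len(words) < 3:
            raise ValueError(f"line {lineno}: client, server and secret are required")
        entries.append({"client": words[0], "server": words[1],
                        "secret": words[2], "addrs": words[3:]})
    return entries


def find_secret(entries, client, server):
    """Entry for a client/server pair, or None. Exact names beat the '*'
    wildcard (this example's rule, modelled on pppd's best-match lookup)."""
    best, best_score = None, -1
    for e in entries:
        if e["client"] not in (client, "*") or e["server"] not in (server, "*"):
            continue
        score = (e["client"] != "*") + (e["server"] != "*")
        if score > best_score:
            best, best_score = e, score
    return best


def chap_response(ident, secret, challenge):
    """MD5-CHAP (RFC 1994): MD5(identifier || secret || challenge).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def server_verify(entries, server, peer, ident, challenge, response):
    """The authenticating side: look the peer up, recompute the digest and
    compare in constant time. Returns (accepted, addresses the peer may use)."""
    entry = find_secret(entries, peer, server)
    if entry is None:
        return False, []
    expected = chap_response(ident, entry["secret"], challenge)
    return hmac.compare_digest(expected, response), entry["addrs"]


def demo_exchange():
    """Four constructed authentications against the sample file."""
    entries = parse_chap_secrets(CHAP_SECRETS)
    results = {}

    def attempt(label, server, peer, secret_used):
        challenge = os.urandom(16)            # fresh per challenge, never reused
        response = chap_response(1, secret_used, challenge)
        results[label] = server_verify(entries, server, peer, 1, challenge, response)

    # line 1: linux1 challenges linux2, which answers with the right secret
    attempt("linux2 -> linux1", "linux1.burwell.com", "linux2.burwell.com", "It's Full of Stars")
    # line 3: an unlisted host (constructed name) reaches linux2 through the * entry
    attempt("wildcard -> linux2", "linux2.burwell.com", "laptop.burwell.com", "three stars")
    # same host, wrong secret: an entry matches but the digest does not
    attempt("wrong secret -> linux2", "linux2.burwell.com", "laptop.burwell.com", "guess")
    # linux1 has no wildcard line, so an unlisted host is refused outright
    attempt("unknown -> linux1", "linux1.burwell.com", "laptop.burwell.com", "three stars")
    return results


def secrets_file_is_private(path):
    """chap-secrets holds plaintext secrets: no group or other permission bits."""
    return (os.stat(path).st_mode & 0o077) == 0


def demo_permissions():
    """Write the sample to a temp file and test a safe and a leaky mode."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, CHAP_SECRETS.encode())
        os.close(fd)
        os.chmod(path, 0o600)
        private = secrets_file_is_private(path)
        os.chmod(path, 0o644)
        leaky = secrets_file_is_private(path)
    finally:
        os.unlink(path)
    return private, leaky


if __name__ == "__main__":
    for label, (ok, addrs) in demo_exchange().items():
        print(f"{label:24s} accepted={ok} addrs={addrs}")
    print("permissions check (0600, 0644):", demo_permissions())
```

<P>The four attempts in <TT>demo_exchange()</TT> follow the three entries explained above: the first line authenticates linux2 to linux1, the wildcard line admits a host that is not listed but knows the secret, a wrong secret is rejected even though an entry matches, and a host that matches no entry at all is refused before any digest is computed. The returned address list is what the server would then allow that peer to request for its end of the link.</P>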

<H3><A NAME="Heading14"></A><FONT COLOR="#000077">From Here&#133;</FONT></H3>

<P>SLIP and PPP are low-cost alternatives to a leased-line IP connectivity solution. You&#146;ve looked at the requirements for running SLIP and PPP and at how to automate SLIP and PPP links by using the <TT>dip</TT> and <TT>chat</TT> commands. You&#146;ve learned how to configure Linux as a SLIP or PPP server and how to enhance the security of PPP using the CHAP protocol. You can find complete documentation for <TT>dip</TT>, <TT>chat</TT>, and <TT>pppd</TT> in the man pages.</P>

<DL>

<DD><B>&#149;</B>&nbsp;&nbsp;Chapter 10, &#147;Managing User Accounts,&#148; shows you how to add and delete user accounts.

<DD><B>&#149;</B>&nbsp;&nbsp;Chapter 23, &#147;Understanding the TCP/IP Protocol Suite,&#148; explains what TCP/IP is and how the protocols work.

<DD><B>&#149;</B>&nbsp;&nbsp;Chapter 24, &#147;Configuring a TCP/IP Network,&#148; shows you how to set up a Linux machine for use on a network.

<DD><B>&#149;</B>&nbsp;&nbsp;Chapter 25, &#147;Configuring Domain Name Service,&#148; shows you how to make Linux use DNS.

</DL>






</td>
</tr>
</table>






</body></html>
