Configuring a PPP Server

A Linux system can be used as a PPP server for both dedicated and dial-up connections. For a dedicated connection you configure pppd, the PPP daemon, and start it with the pppd command; the startup file rc.local is edited so that the PPP server is started for the dedicated link at boot. Here you will find how to set up a PPP server on a Linux host on which the PPP package (pppd) is already installed. The command placed in rc.local is:

pppd /dev/ttyS1 115700 crtscts

This command starts the PPP daemon and attaches it to the serial device ttyS1, sets the line speed to 115700 bps, and the crtscts option turns on Request To Send / Clear To Send (RTS/CTS) hardware flow control.

Hardware flow control is the usual choice with PPP; the alternative is software flow control. The pppd command for a client connected to a dedicated link is the same, except that it has the extra defaultroute option:

pppd /dev/ttyS1 115700 crtscts defaultroute

The defaultroute option creates a default route that uses the remote end of the PPP link (the PPP server) as the gateway. It is used on the client side, whether that is a single computer or a router connecting to the PPP server; it is not used on the server side of a dedicated link. The pppd command is used in this way to connect an office network to the enterprise network.

PPP Dial-Up Server Configuration

There are two techniques for configuring a dial-up PPP server. One is to create a shell script, called /etc/ppp/ppplogin here, and use it as the login shell of each dial-up PPP user, as in this /etc/passwd entry:

sturat:x:533:100:Jane Resnick:/tmp:/etc/ppp/ppplogin

This looks like any other /etc/passwd entry and works in the same way. sturat is the username; after a successful login the user is placed in the home directory /tmp, which is the directory used for PPP users.

The user's login shell, /etc/ppp/ppplogin, is the script that starts the PPP server. Here is a sample of this script:

#!/bin/sh
# Login shell for dial-up PPP users: prepare the terminal line, then hand it to pppd
mesg -n         # refuse write/talk messages to this terminal
stty -echo      # stop echoing characters back to the remote system
exec /sbin/pppd crtscts modem passive auth   # replace the shell with the PPP daemon

Your ppplogin script need not look exactly like this example; create your own. The mesg and stty commands are there to show that you can put whatever you need into this login script.

mesg -n prevents other users from writing messages to the terminal device. stty -echo turns off character echo, because when echo is on, characters sent by the remote computer are echoed back to it.

The objective of the script is to start the PPP daemon. There is one specific difference between this pppd command and the one used for dedicated lines: here no device name is given. When pppd is started without a device name it uses its controlling terminal, so the same ppplogin script can be used for every serial port.

The remaining four items on the pppd command line are options.

The crtscts option turns on hardware flow control, as discussed before. The modem option tells the PPP daemon to monitor Data Carrier Detect (DCD), so the local system can use DCD to find out when the remote system drops the line.

The auth option requires the remote system to authenticate itself, with a username and password or secret. PPP security, described below, is used to authenticate users and remote computers for the PPP connection.

An alternative to the ppplogin script is to use pppd itself as the login shell. For such dial-up users, the /etc/passwd entry looks like this:

ed:wJxX.iPuPyg:104:100:Ed Oz:/etc/ppp:/usr/sbin/pppd

When pppd is started this way, the server options are read from the .ppprc file in the user's home directory, here /etc/ppp/.ppprc. You can also allow a user to start the PPP server from the shell prompt; for this pppd must be installed setuid root, and once it is installed and configured the user can start it directly with this command:

$ pppd proxyarp

PPP Security

PPP has two authentication protocols, PAP and CHAP. PAP stands for Password Authentication Protocol and CHAP for Challenge Handshake Authentication Protocol. PAP provides simple password security; CHAP provides stronger security, encrypting a challenge string with a secret key so that an attacker listening on your server ports cannot recover the password. PAP sends the PPP client name and password in clear text when the connection is being set up. For a PAP connection you enter the password entries in the /etc/ppp/pap-secrets file, which contains lines like these:

# Secrets for authentication using PAP
# client   server   secret        IP addresses
sturat     ponting  itissturat?   172.16.10.10
ponting    sturat   itissturat?   172.16.10.1

In the example shown above, sturat sends the PPP client name sturat and the password itissturat? when asked for authentication by ponting. ponting sends the client name ponting and the password itissturat? when asked for authentication by sturat. Both systems contain the same two entries in their pap-secrets files, and these two entries authenticate both ends of the PPP connection.

CHAP Security

CHAP is the default authentication protocol used by PPP and provides more security than PAP. A PPP connection using CHAP is considered more secure because CHAP never sends the password in clear text. Instead, the challenger sends a string of characters known as the challenge string; the responding system encrypts it using the secret key from its /etc/ppp/chap-secrets file and returns the encrypted string to the challenger.
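The exchange described above, worked through in code. This is an added example, not code from the original page or from pppd: it simulates both ends of a CHAP handshake (RFC 1994, MD5 algorithm) so the reader can see that only a random challenge and a digest cross the link, never the secret. The peer names and secrets are the page's chap-secrets sample values; the Challenge/Response classes and the ChapPeer API are this example's own assumed design.

```python
"""Worked CHAP exchange (RFC 1994, MD5 algorithm) -- added example, not pppd code."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Challenge:
    ident: int      # one-octet identifier that ties a response to its challenge
    value: bytes    # random challenge string
    name: str       # challenger's name, so the peer can look up the right secret


@dataclass
class Response:
    ident: int
    value: bytes    # 16-byte MD5 digest; the secret itself is never sent
    name: str       # respondent's name (the "client" field of chap-secrets)


def chap_digest(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class ChapPeer:
    """One PPP endpoint; `secrets` maps (client, server) -> secret, like chap-secrets."""

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets
        self.next_ident = 1
        self.outstanding = {}   # ident -> challenge value still awaiting a response

    def make_challenge(self) -> Challenge:
        ident = self.next_ident
        self.next_ident = ident % 255 + 1
        value = os.urandom(16)          # fresh per challenge, so an old reply cannot be replayed
        self.outstanding[ident] = value
        return Challenge(ident, value, self.name)

    def respond(self, chal: Challenge) -> Response:
        # We are the respondent ("client" column); the challenger is the "server" column.
        secret = self.secrets[(self.name, chal.name)]
        return Response(chal.ident, chap_digest(chal.ident, secret, chal.value), self.name)

    def verify(self, resp: Response) -> bool:
        challenge = self.outstanding.pop(resp.ident, None)
        if challenge is None:
            return False                # unknown or already-used identifier
        secret = self.secrets.get((resp.name, self.name))
        if secret is None:
            return False                # no chap-secrets entry for this respondent
        expected = chap_digest(resp.ident, secret, challenge)
        return hmac.compare_digest(expected, resp.value)


def authenticate(challenger: ChapPeer, respondent: ChapPeer) -> bool:
    """Run one challenge/response round and return the challenger's verdict."""
    return challenger.verify(respondent.respond(challenger.make_challenge()))


# Entries as they appear in the page's sample chap-secrets file (same file on both hosts).
SECRETS = {("clark", "mitchel"): "youknowme", ("mitchel", "clark"): ",iammad."}


def mutual_authentication() -> tuple:
    """Each end challenges the other, as the text says CHAP allows."""
    clark, mitchel = ChapPeer("clark", SECRETS), ChapPeer("mitchel", dict(SECRETS))
    return authenticate(mitchel, clark), authenticate(clark, mitchel)


def impostor_accepted() -> bool:
    """A peer holding a different secret for mitchel -> clark must be rejected."""
    clark = ChapPeer("clark", SECRETS)
    impostor = ChapPeer("mitchel", {("mitchel", "clark"): "guess"})
    return authenticate(clark, impostor)


def replay_verdicts() -> tuple:
    """The same response presented twice: accepted once, refused the second time."""
    clark, mitchel = ChapPeer("clark", SECRETS), ChapPeer("mitchel", SECRETS)
    resp = mitchel.respond(clark.make_challenge())
    return clark.verify(resp), clark.verify(resp)


if __name__ == "__main__":
    print("mutual authentication:", mutual_authentication())   # (True, True)
    print("impostor accepted:", impostor_accepted())            # False
    print("replay verdicts:", replay_verdicts())                # (True, False)
```

Note that verify() looks the secret up by (respondent, self) while respond() uses (self, challenger): that is exactly the client/server column convention of chap-secrets described below, and it is why both hosts need the same two entries.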

The chap-secrets file contains the following fields:

Respondent: The name of the computer that responds to the CHAP challenge. This is called the client field, although in PPP either end of the link can be challenged, so a server may appear here too.

Challenger: The name of the computer that challenges the other system to authenticate itself.

Secret: The secret key used to encrypt and decrypt the challenge string. The challenge string is sent to the system being authenticated, which encrypts it with the secret and sends the encrypted string back.

Address: The address of the respondent, as a numeric IP address or a hostname.

Here is a sample chap-secrets file:

# cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client   server   secret      IP addresses
clark      mitchel  youknowme   clark.foobirds.org
mitchel    clark    ,iammad.    mitchel.foobirds.org

When clark is challenged by mitchel, it uses the secret key youknowme to encrypt the challenge string. When mitchel is challenged by clark, it uses the secret key from the second entry (,iammad.). With these two entries both computers can authenticate themselves to the other.

mitchel needs the same entries in its own chap-secrets file. It is important to protect the /etc/ppp directory: only root should be able to modify the chap-secrets and pap-secrets files, and only root should be able to write the ip-up and ip-down scripts, because ip-up is run when a PPP connection comes up and ip-down when the connection is closed.
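A small audit script for the pap-secrets and chap-secrets files discussed in the two sections above. This is an added example, not code from the original page or from the pppd project. It parses the "client server secret [addresses]" format shown above and reports what the text tells you to watch: every client/server pair should have its mirror entry so both ends can authenticate, secrets should not be blank or shared between pairs, and the file should be owned by root with no group/other access. The sample file contents are constructed from the page's example entries; the treatment of `*` as a wildcard and the quoting rules follow the usual pppd conventions but are assumptions of this example.

```python
"""Audit pppd secrets files (pap-secrets / chap-secrets) -- added example, not pppd code."""
import os
import shlex
import stat
import tempfile
from collections import Counter, defaultdict


def parse_secrets(text: str) -> list:
    """Return [(client, server, secret, (addresses...)), ...] from secrets-file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)   # honours "#" comments and quoted secrets
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected client, server and secret")
        client, server, secret, *addresses = fields
        entries.append((client, server, secret, tuple(addresses)))
    return entries


def audit_entries(entries: list) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    pairs = Counter((c, s) for c, s, _, _ in entries)
    for (client, server), count in pairs.items():
        if count > 1:
            findings.append(f"duplicate entry for client {client} / server {server}")
    users_of_secret = defaultdict(list)
    for client, server, secret, _ in entries:
        users_of_secret[secret].append((client, server))
        if secret == "":
            findings.append(f"empty secret for {client} -> {server}: peer accepted without a password")
        if "*" not in (client, server) and (server, client) not in pairs:
            findings.append(f"no mirror entry {server} -> {client}: only one side is authenticated")
    for secret, users in users_of_secret.items():
        if len(users) > 1:
            who = ", ".join(f"{c}->{s}" for c, s in users)
            findings.append(f"secret {secret!r} shared by {len(users)} entries: {who}")
    return findings


def audit_permissions(path: str) -> list:
    """Check that only root can read or write the secrets file (the /etc/ppp advice above)."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append(f"{path}: owner is uid {st.st_uid}, not root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access; use 0600")
    return findings


def audit_text(text: str) -> list:
    return audit_entries(parse_secrets(text))


def audit_file(path: str) -> list:
    with open(path) as fh:
        return audit_permissions(path) + audit_text(fh.read())


def permission_demo(mode: int) -> list:
    """Write a throwaway copy of SAMPLE_CHAP with the given mode and audit its permissions."""
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(SAMPLE_CHAP)
    try:
        os.chmod(tmp.name, mode)
        return audit_permissions(tmp.name)
    finally:
        os.unlink(tmp.name)


# Constructed sample files, copied from the page's PAP and CHAP examples.
SAMPLE_PAP = """\
# Secrets for authentication using PAP
# client   server   secret        IP addresses
sturat     ponting  itissturat?   172.16.10.10
ponting    sturat   itissturat?   172.16.10.1
"""

SAMPLE_CHAP = """\
# client   server   secret      IP addresses
clark      mitchel  youknowme   clark.foobirds.org
mitchel    clark    ,iammad.    mitchel.foobirds.org
"""


if __name__ == "__main__":
    for label, text in (("pap-secrets", SAMPLE_PAP), ("chap-secrets", SAMPLE_CHAP)):
        print(f"{label}: {audit_text(text) or 'ok'}")
    for finding in permission_demo(0o644):   # lax mode: expect a group/other finding
        print(finding)
```

Run against the real files with `audit_file("/etc/ppp/chap-secrets")`. The page's PAP sample deliberately uses one secret in both directions, so the script reports it as shared; the CHAP sample, with a distinct secret per direction and a mirror entry for each pair, produces no findings.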