| .\" manual page [] for pppd 2.4 |
| .\" $Id: pppd.8,v 1.83 2004/11/13 12:22:49 paulus Exp $ |
| .\" SH section heading |
| .\" SS subsection heading |
| .\" LP paragraph |
| .\" IP indented paragraph |
| .\" TP hanging label |
| .\" |
| .\" Copyright (c) 1993-2003 Paul Mackerras <paulus@samba.org> |
| .\" |
| .\" Permission to use, copy, modify, and distribute this software for any |
| .\" purpose with or without fee is hereby granted, provided that the above |
| .\" copyright notice and this permission notice appear in all copies. |
| .\" |
| .\" THIS SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES |
| .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| .\" |
| .TH PPPD 8 |
| .SH NAME |
| pppd \- Point-to-Point Protocol Daemon |
| .SH SYNOPSIS |
| .B pppd |
| [ |
| .I options |
| ] |
| .SH DESCRIPTION |
| .LP |
| PPP is the protocol used for establishing internet links over dial-up |
| modems, DSL connections, and many other types of point-to-point |
| links. The \fIpppd\fR daemon works together with the kernel PPP |
| driver to establish and maintain a PPP link with another system |
| (called the \fIpeer\fR) and to negotiate Internet Protocol (IP) |
| addresses for each end of the link. Pppd can also authenticate the |
| peer and/or supply authentication information to the peer. PPP can be |
| used with other network protocols besides IP, but such use is becoming |
| increasingly rare. |
| .SH FREQUENTLY USED OPTIONS |
| .TP |
| .I ttyname |
| Use the serial port called \fIttyname\fR to communicate with the |
| peer. The string "/dev/" is prepended to \fIttyname\fR to form the |
| name of the device to open. If no device name is given, or if the |
| name of the terminal |
| connected to the standard input is given, pppd will use that terminal, |
| and will not fork to put itself in the background. A value for this |
| option from a privileged source cannot be overridden by a |
| non-privileged user. |
| .TP |
| .I speed |
| An option that is a decimal number is taken as the desired baud rate |
| for the serial device. On systems such as |
| 4.4BSD and NetBSD, any speed can be specified. Other systems |
| (e.g. Linux, SunOS) only support the commonly-used baud rates. |
| .TP |
| .B asyncmap \fImap |
| This option sets the Async-Control-Character-Map (ACCM) for this end |
| of the link. The ACCM is a set of 32 bits, one for each of the |
| ASCII control characters with values from 0 to 31, where a 1 bit |
| indicates that the corresponding control character should not be used |
| in PPP packets sent to this system. The map is encoded as a |
| hexadecimal number (without a leading 0x) where the least significant |
| bit (00000001) represents character 0 and the most significant bit |
| (80000000) represents character 31. |
| Pppd will ask the peer to send these characters as a 2-byte |
| escape sequence. |
| If multiple \fIasyncmap\fR options are given, the values are ORed |
| together. If no \fIasyncmap\fR option is given, the default is zero, |
| so pppd will ask the peer not to escape any control characters. |
| To escape transmitted characters, use the \fIescape\fR option. |
| .TP |
| .B auth |
| Require the peer to authenticate itself before allowing network |
| packets to be sent or received. This option is the default if the |
| system has a default route. If neither this option nor the |
| \fInoauth\fR option is specified, pppd will only allow the peer to use |
| IP addresses to which the system does not already have a route. |
| .TP |
| .B call \fIname |
| Read options from the file /etc/ppp/peers/\fIname\fR. This file may |
| contain privileged options, such as \fInoauth\fR, even if pppd |
| is not being run by root. The \fIname\fR string may not begin with / |
| or include .. as a pathname component. The format of the options file |
| is described below. |
| .TP |
| .B connect \fIscript |
| Usually there is something which needs to be done to prepare the link |
| before the PPP protocol can be started; for instance, with a dial-up |
| modem, commands need to be sent to the modem to dial the appropriate |
| phone number. This option specifies an command for pppd to execute |
| (by passing it to a shell) before attempting to start PPP negotiation. |
| The chat (8) program is often useful here, as it provides a way to |
| send arbitrary strings to a modem and respond to received characters. |
| A value |
| for this option from a privileged source cannot be overridden by a |
| non-privileged user. |
| .TP |
| .B crtscts |
| Specifies that pppd should set the serial port to use hardware flow |
| control using the RTS and CTS signals in the RS-232 interface. |
| If neither the \fIcrtscts\fR, the |
| \fInocrtscts\fR, the \fIcdtrcts\fR nor the \fInocdtrcts\fR option |
| is given, the hardware flow control setting for the serial port is |
| left unchanged. |
| Some serial ports (such as Macintosh serial ports) lack a true |
| RTS output. Such serial ports use this mode to implement |
| unidirectional flow control. The serial port will |
| suspend transmission when requested by the modem (via CTS) |
| but will be unable to request the modem to stop sending to the |
| computer. This mode retains the ability to use DTR as |
| a modem control line. |
| .TP |
| .B defaultroute |
| Add a default route to the system routing tables, using the peer as |
| the gateway, when IPCP negotiation is successfully completed. |
| This entry is removed when the PPP connection is broken. This option |
| is privileged if the \fInodefaultroute\fR option has been specified. |
| .TP |
| .B disconnect \fIscript |
| Execute the command specified by \fIscript\fR, by passing it to a |
| shell, after |
| pppd has terminated the link. This command could, for example, issue |
| commands to the modem to cause it to hang up if hardware modem control |
| signals were not available. The disconnect script is not run if the |
| modem has already hung up. A value for this option from a privileged |
| source cannot be overridden by a non-privileged user. |
| .TP |
| .B escape \fIxx,yy,... |
| Specifies that certain characters should be escaped on transmission |
| (regardless of whether the peer requests them to be escaped with its |
| async control character map). The characters to be escaped are |
| specified as a list of hex numbers separated by commas. Note that |
| almost any character can be specified for the \fIescape\fR option, |
| unlike the \fIasyncmap\fR option which only allows control characters |
| to be specified. The characters which may not be escaped are those |
| with hex values 0x20 - 0x3f or 0x5e. |
| .TP |
| .B file \fIname |
| Read options from file \fIname\fR (the format is described below). |
| The file must be readable by the user who has invoked pppd. |
| .TP |
| .B init \fIscript |
| Execute the command specified by \fIscript\fR, by passing it to a shell, to |
| initialize the serial line. This script would typically use the |
| chat(8) program to configure the modem to enable auto answer. A value |
| for this option from a privileged source cannot be overridden by a |
| non-privileged user. |
| .TP |
| .B lock |
| Specifies that pppd should create a UUCP-style lock file for the |
| serial device to ensure exclusive access to the device. |
| .TP |
| .B mru \fIn |
| Set the MRU [Maximum Receive Unit] value to \fIn\fR. Pppd |
| will ask the peer to send packets of no more than \fIn\fR bytes. |
| The value of \fIn\fR must be between 128 and 16384; the default is 1500. |
| A value of |
| 296 works well on very slow links (40 bytes for TCP/IP header + 256 |
| bytes of data). |
| Note that for the IPv6 protocol, the MRU must be at least 1280. |
| .TP |
| .B mtu \fIn |
| Set the MTU [Maximum Transmit Unit] value to \fIn\fR. Unless the |
| peer requests a smaller value via MRU negotiation, pppd will |
| request that the kernel networking code send data packets of no more |
| than \fIn\fR bytes through the PPP network interface. Note that for |
| the IPv6 protocol, the MTU must be at least 1280. |
| .TP |
| .B passive |
| Enables the "passive" option in the LCP. With this option, pppd will |
| attempt to initiate a connection; if no reply is received from the |
| peer, pppd will then just wait passively for a valid LCP packet from |
| the peer, instead of exiting, as it would without this option. |
| .SH OPTIONS |
| .TP |
| .I <local_IP_address>\fB:\fI<remote_IP_address> |
| Set the local and/or remote interface IP addresses. Either one may be |
| omitted. The IP addresses can be specified with a host name or in |
| decimal dot notation (e.g. 150.234.56.78). The default local |
| address is the (first) IP address of the system (unless the |
| \fInoipdefault\fR |
| option is given). The remote address will be obtained from the peer |
| if not specified in any option. Thus, in simple cases, this option is |
| not required. If a local and/or remote IP address is specified with |
| this option, pppd |
| will not accept a different value from the peer in the IPCP |
| negotiation, unless the \fIipcp\-accept\-local\fR and/or |
| \fIipcp\-accept\-remote\fR options are given, respectively. |
| .TP |
| .B ipv6 \fI<local_interface_identifier>\fR,\fI<remote_interface_identifier> |
| Set the local and/or remote 64-bit interface identifier. Either one may be |
| omitted. The identifier must be specified in standard ascii notation of |
| IPv6 addresses (e.g. ::dead:beef). If the |
| \fIipv6cp\-use\-ipaddr\fR |
| option is given, the local identifier is the local IPv4 address (see above). |
| On systems which supports a unique persistent id, such as EUI\-48 derived |
| from the Ethernet MAC address, \fIipv6cp\-use\-persistent\fR option can be |
| used to replace the \fIipv6 <local>,<remote>\fR option. Otherwise the |
| identifier is randomized. |
| .TP |
| .B active\-filter \fIfilter\-expression |
| Specifies a packet filter to be applied to data packets to determine |
| which packets are to be regarded as link activity, and therefore reset |
| the idle timer, or cause the link to be brought up in demand-dialling |
| mode. This option is useful in conjunction with the |
| \fBidle\fR option if there are packets being sent or received |
| regularly over the link (for example, routing information packets) |
| which would otherwise prevent the link from ever appearing to be idle. |
| The \fIfilter\-expression\fR syntax is as described for tcpdump(1), |
| except that qualifiers which are inappropriate for a PPP link, such as |
| \fBether\fR and \fBarp\fR, are not permitted. Generally the filter |
| expression should be enclosed in single-quotes to prevent whitespace |
| in the expression from being interpreted by the shell. This option |
| is currently only available under Linux, and requires that the kernel |
| was configured to include PPP filtering support (CONFIG_PPP_FILTER). |
| Note that it |
| is possible to apply different constraints to incoming and outgoing |
| packets using the \fBinbound\fR and \fBoutbound\fR qualifiers. |
| .TP |
| .B allow\-ip \fIaddress(es) |
| Allow peers to use the given IP address or subnet without |
| authenticating themselves. The parameter is parsed as for each |
| element of the list of allowed IP addresses in the secrets files (see |
| the AUTHENTICATION section below). |
| .TP |
| .B allow\-number \fInumber |
| Allow peers to connect from the given telephone number. A trailing |
| `*' character will match all numbers beginning with the leading part. |
| .TP |
| .B bsdcomp \fInr,nt |
| Request that the peer compress packets that it sends, using the |
| BSD-Compress scheme, with a maximum code size of \fInr\fR bits, and |
| agree to compress packets sent to the peer with a maximum code size of |
| \fInt\fR bits. If \fInt\fR is not specified, it defaults to the value |
| given for \fInr\fR. Values in the range 9 to 15 may be used for |
| \fInr\fR and \fInt\fR; larger values give better compression but |
| consume more kernel memory for compression dictionaries. |
| Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables |
| compression in the corresponding direction. Use \fInobsdcomp\fR or |
| \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. |
| .TP |
| .B cdtrcts |
| Use a non-standard hardware flow control (i.e. DTR/CTS) to control |
| the flow of data on the serial port. If neither the \fIcrtscts\fR, |
| the \fInocrtscts\fR, the \fIcdtrcts\fR nor the \fInocdtrcts\fR |
| option is given, the hardware flow control setting for the serial |
| port is left unchanged. |
| Some serial ports (such as Macintosh serial ports) lack a true |
| RTS output. Such serial ports use this mode to implement true |
| bi-directional flow control. The sacrifice is that this flow |
| control mode does not permit using DTR as a modem control line. |
| .TP |
| .B chap\-interval \fIn |
| If this option is given, pppd will rechallenge the peer every \fIn\fR |
| seconds. |
| .TP |
| .B chap\-max\-challenge \fIn |
| Set the maximum number of CHAP challenge transmissions to \fIn\fR |
| (default 10). |
| .TP |
| .B chap\-restart \fIn |
| Set the CHAP restart interval (retransmission timeout for challenges) |
| to \fIn\fR seconds (default 3). |
| .TP |
| .B child\-timeout \fIn |
| When exiting, wait for up to \fIn\fR seconds for any child processes |
| (such as the command specified with the \fBpty\fR command) to exit |
| before exiting. At the end of the timeout, pppd will send a SIGTERM |
| signal to any remaining child processes and exit. A value of 0 means |
| no timeout, that is, pppd will wait until all child processes have |
| exited. |
| .TP |
| .B connect\-delay \fIn |
| Wait for up to \fIn\fR milliseconds after the connect script finishes for |
| a valid PPP packet from the peer. At the end of this time, or when a |
| valid PPP packet is received from the peer, pppd will commence |
| negotiation by sending its first LCP packet. The default value is |
| 1000 (1 second). This wait period only applies if the \fBconnect\fR |
| or \fBpty\fR option is used. |
| .TP |
| .B debug |
| Enables connection debugging facilities. |
| If this option is given, pppd will log the contents of all |
| control packets sent or received in a readable form. The packets are |
| logged through syslog with facility \fIdaemon\fR and level |
| \fIdebug\fR. This information can be directed to a file by setting up |
| /etc/syslog.conf appropriately (see syslog.conf(5)). |
| .TP |
| .B default\-asyncmap |
| Disable asyncmap negotiation, forcing all control characters to be |
| escaped for both the transmit and the receive direction. |
| .TP |
| .B default\-mru |
| Disable MRU [Maximum Receive Unit] negotiation. With this option, |
| pppd will use the default MRU value of 1500 bytes for both the |
| transmit and receive direction. |
| .TP |
| .B deflate \fInr,nt |
| Request that the peer compress packets that it sends, using the |
| Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and |
| agree to compress packets sent to the peer with a maximum window size |
| of \fI2**nt\fR bytes. If \fInt\fR is not specified, it defaults to |
| the value given for \fInr\fR. Values in the range 9 to 15 may be used |
| for \fInr\fR and \fInt\fR; larger values give better compression but |
| consume more kernel memory for compression dictionaries. |
| Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables |
| compression in the corresponding direction. Use \fInodeflate\fR or |
| \fIdeflate 0\fR to disable Deflate compression entirely. (Note: pppd |
| requests Deflate compression in preference to BSD-Compress if the peer |
| can do either.) |
| .TP |
| .B demand |
| Initiate the link only on demand, i.e. when data traffic is present. |
| With this option, the remote IP address must be specified by the user |
| on the command line or in an options file. Pppd will initially |
| configure the interface and enable it for IP traffic without |
| connecting to the peer. When traffic is available, pppd will |
| connect to the peer and perform negotiation, authentication, etc. |
| When this is completed, pppd will commence passing data packets |
| (i.e., IP packets) across the link. |
| |
| The \fIdemand\fR option implies the \fIpersist\fR option. If this |
| behaviour is not desired, use the \fInopersist\fR option after the |
| \fIdemand\fR option. The \fIidle\fR and \fIholdoff\fR |
| options are also useful in conjuction with the \fIdemand\fR option. |
| .TP |
| .B domain \fId |
| Append the domain name \fId\fR to the local host name for authentication |
| purposes. For example, if gethostname() returns the name porsche, but |
| the fully qualified domain name is porsche.Quotron.COM, you could |
| specify \fIdomain Quotron.COM\fR. Pppd would then use the name |
| \fIporsche.Quotron.COM\fR for looking up secrets in the secrets file, |
| and as the default name to send to the peer when authenticating itself |
| to the peer. This option is privileged. |
| .TP |
| .B dryrun |
| With the \fBdryrun\fR option, pppd will print out all the option |
| values which have been set and then exit, after parsing the command |
| line and options files and checking the option values, but before |
| initiating the link. The option values are logged at level info, and |
| also printed to standard output unless the device on standard output |
| is the device that pppd would be using to communicate with the peer. |
| .TP |
| .B dump |
| With the \fBdump\fR option, pppd will print out all the option values |
| which have been set. This option is like the \fBdryrun\fR option |
| except that pppd proceeds as normal rather than exiting. |
| .TP |
| .B endpoint \fI<epdisc> |
| Sets the endpoint discriminator sent by the local machine to the peer |
| during multilink negotiation to \fI<epdisc>\fR. The default is to use |
| the MAC address of the first ethernet interface on the system, if any, |
| otherwise the IPv4 address corresponding to the hostname, if any, |
| provided it is not in the multicast or locally-assigned IP address |
| ranges, or the localhost address. The endpoint discriminator can be |
| the string \fBnull\fR or of the form \fItype\fR:\fIvalue\fR, where |
| type is a decimal number or one of the strings \fBlocal\fR, \fBIP\fR, |
| \fBMAC\fR, \fBmagic\fR, or \fBphone\fR. The value is an IP address in |
| dotted-decimal notation for the \fBIP\fR type, or a string of bytes in |
| hexadecimal, separated by periods or colons for the other types. For |
| the MAC type, the value may also be the name of an ethernet or similar |
| network interface. This option is currently only available under |
| Linux. |
| .TP |
| .B eap\-interval \fIn |
| If this option is given and pppd authenticates the peer with EAP |
| (i.e., is the server), pppd will restart EAP authentication every |
| \fIn\fR seconds. For EAP SRP\-SHA1, see also the \fBsrp\-interval\fR |
| option, which enables lightweight rechallenge. |
| .TP |
| .B eap\-max\-rreq \fIn |
| Set the maximum number of EAP Requests to which pppd will respond (as |
| a client) without hearing EAP Success or Failure. (Default is 20.) |
| .TP |
| .B eap\-max\-sreq \fIn |
| Set the maximum number of EAP Requests that pppd will issue (as a |
| server) while attempting authentication. (Default is 10.) |
| .TP |
| .B eap\-restart \fIn |
| Set the retransmit timeout for EAP Requests when acting as a server |
| (authenticator). (Default is 3 seconds.) |
| .TP |
| .B eap\-timeout \fIn |
| Set the maximum time to wait for the peer to send an EAP Request when |
| acting as a client (authenticatee). (Default is 20 seconds.) |
| .TP |
| .B hide\-password |
| When logging the contents of PAP packets, this option causes pppd to |
| exclude the password string from the log. This is the default. |
| .TP |
| .B holdoff \fIn |
| Specifies how many seconds to wait before re-initiating the link after |
| it terminates. This option only has any effect if the \fIpersist\fR |
| or \fIdemand\fR option is used. The holdoff period is not applied if |
| the link was terminated because it was idle. |
| .TP |
| .B idle \fIn |
| Specifies that pppd should disconnect if the link is idle for \fIn\fR |
| seconds. The link is idle when no data packets (i.e. IP packets) are |
| being sent or received. Note: it is not advisable to use this option |
| with the \fIpersist\fR option without the \fIdemand\fR option. |
| If the \fBactive\-filter\fR |
| option is given, data packets which are rejected by the specified |
| activity filter also count as the link being idle. |
| .TP |
| .B ipcp\-accept\-local |
| With this option, pppd will accept the peer's idea of our local IP |
| address, even if the local IP address was specified in an option. |
| .TP |
| .B ipcp\-accept\-remote |
| With this option, pppd will accept the peer's idea of its (remote) IP |
| address, even if the remote IP address was specified in an option. |
| .TP |
| .B ipcp\-max\-configure \fIn |
| Set the maximum number of IPCP configure-request transmissions to |
| \fIn\fR (default 10). |
| .TP |
| .B ipcp\-max\-failure \fIn |
| Set the maximum number of IPCP configure-NAKs returned before starting |
| to send configure-Rejects instead to \fIn\fR (default 10). |
| .TP |
| .B ipcp\-max\-terminate \fIn |
| Set the maximum number of IPCP terminate-request transmissions to |
| \fIn\fR (default 3). |
| .TP |
| .B ipcp\-restart \fIn |
| Set the IPCP restart interval (retransmission timeout) to \fIn\fR |
| seconds (default 3). |
| .TP |
| .B ipparam \fIstring |
| Provides an extra parameter to the ip\-up and ip\-down scripts. If this |
| option is given, the \fIstring\fR supplied is given as the 6th |
| parameter to those scripts. |
| .TP |
| .B ipv6cp\-max\-configure \fIn |
| Set the maximum number of IPv6CP configure-request transmissions to |
| \fIn\fR (default 10). |
| .TP |
| .B ipv6cp\-max\-failure \fIn |
| Set the maximum number of IPv6CP configure-NAKs returned before starting |
| to send configure-Rejects instead to \fIn\fR (default 10). |
| .TP |
| .B ipv6cp\-max\-terminate \fIn |
| Set the maximum number of IPv6CP terminate-request transmissions to |
| \fIn\fR (default 3). |
| .TP |
| .B ipv6cp\-restart \fIn |
| Set the IPv6CP restart interval (retransmission timeout) to \fIn\fR |
| seconds (default 3). |
| .TP |
| .B ipx |
| Enable the IPXCP and IPX protocols. This option is presently only |
| supported under Linux, and only if your kernel has been configured to |
| include IPX support. |
| .TP |
| .B ipx\-network \fIn |
| Set the IPX network number in the IPXCP configure request frame to |
| \fIn\fR, a hexadecimal number (without a leading 0x). There is no |
| valid default. If this option is not specified, the network number is |
| obtained from the peer. If the peer does not have the network number, |
| the IPX protocol will not be started. |
| .TP |
| .B ipx\-node \fIn\fB:\fIm |
| Set the IPX node numbers. The two node numbers are separated from each |
| other with a colon character. The first number \fIn\fR is the local |
| node number. The second number \fIm\fR is the peer's node number. Each |
| node number is a hexadecimal number, at most 10 digits long. The node |
| numbers on the ipx\-network must be unique. There is no valid |
| default. If this option is not specified then the node numbers are |
| obtained from the peer. |
| .TP |
| .B ipx\-router\-name \fI<string> |
| Set the name of the router. This is a string and is sent to the peer |
| as information data. |
| .TP |
| .B ipx\-routing \fIn |
| Set the routing protocol to be received by this option. More than one |
| instance of \fIipx\-routing\fR may be specified. The '\fInone\fR' |
| option (0) may be specified as the only instance of ipx\-routing. The |
| values may be \fI0\fR for \fINONE\fR, \fI2\fR for \fIRIP/SAP\fR, and |
| \fI4\fR for \fINLSP\fR. |
| .TP |
| .B ipxcp\-accept\-local |
| Accept the peer's NAK for the node number specified in the ipx\-node |
| option. If a node number was specified, and non-zero, the default is |
| to insist that the value be used. If you include this option then you |
| will permit the peer to override the entry of the node number. |
| .TP |
| .B ipxcp\-accept\-network |
| Accept the peer's NAK for the network number specified in the |
| ipx\-network option. If a network number was specified, and non-zero, the |
| default is to insist that the value be used. If you include this |
| option then you will permit the peer to override the entry of the node |
| number. |
| .TP |
| .B ipxcp\-accept\-remote |
| Use the peer's network number specified in the configure request |
| frame. If a node number was specified for the peer and this option was |
| not specified, the peer will be forced to use the value which you have |
| specified. |
| .TP |
| .B ipxcp\-max\-configure \fIn |
| Set the maximum number of IPXCP configure request frames which the |
| system will send to \fIn\fR. The default is 10. |
| .TP |
| .B ipxcp\-max\-failure \fIn |
| Set the maximum number of IPXCP NAK frames which the local system will |
| send before it rejects the options. The default value is 3. |
| .TP |
| .B ipxcp\-max\-terminate \fIn |
| Set the maximum nuber of IPXCP terminate request frames before the |
| local system considers that the peer is not listening to them. The |
| default value is 3. |
| .TP |
| .B kdebug \fIn |
| Enable debugging code in the kernel-level PPP driver. The argument |
| values depend on the specific kernel driver, but in general a value of |
| 1 will enable general kernel debug messages. (Note that these |
| messages are usually only useful for debugging the kernel driver |
| itself.) For the Linux 2.2.x kernel driver, the value is a sum of |
| bits: 1 to |
| enable general debug messages, 2 to request that the contents of |
| received packets be printed, and 4 to request that the contents of |
| transmitted packets be printed. On most systems, messages printed by |
| the kernel are logged by syslog(1) to a file as directed in the |
| /etc/syslog.conf configuration file. |
| .TP |
| .B ktune |
| Enables pppd to alter kernel settings as appropriate. Under Linux, |
| pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward |
| to 1) if the \fIproxyarp\fR option is used, and will enable the |
| dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to |
| 1) in demand mode if the local address changes. |
| .TP |
| .B lcp\-echo\-failure \fIn |
| If this option is given, pppd will presume the peer to be dead |
| if \fIn\fR LCP echo\-requests are sent without receiving a valid LCP |
| echo\-reply. If this happens, pppd will terminate the |
| connection. Use of this option requires a non-zero value for the |
| \fIlcp\-echo\-interval\fR parameter. This option can be used to enable |
| pppd to terminate after the physical connection has been broken |
| (e.g., the modem has hung up) in situations where no hardware modem |
| control lines are available. |
| .TP |
| .B lcp\-echo\-interval \fIn |
| If this option is given, pppd will send an LCP echo\-request frame to |
| the peer every \fIn\fR seconds. Normally the peer should respond to |
| the echo\-request by sending an echo\-reply. This option can be used |
| with the \fIlcp\-echo\-failure\fR option to detect that the peer is no |
| longer connected. |
| .TP |
| .B lcp\-max\-configure \fIn |
| Set the maximum number of LCP configure-request transmissions to |
| \fIn\fR (default 10). |
| .TP |
| .B lcp\-max\-failure \fIn |
| Set the maximum number of LCP configure-NAKs returned before starting |
| to send configure-Rejects instead to \fIn\fR (default 10). |
| .TP |
| .B lcp\-max\-terminate \fIn |
| Set the maximum number of LCP terminate-request transmissions to |
| \fIn\fR (default 3). |
| .TP |
| .B lcp\-restart \fIn |
| Set the LCP restart interval (retransmission timeout) to \fIn\fR |
| seconds (default 3). |
| .TP |
| .B linkname \fIname\fR |
| Sets the logical name of the link to \fIname\fR. Pppd will create a |
| file named \fBppp\-\fIname\fB.pid\fR in /var/run (or /etc/ppp on some |
| systems) containing its process ID. This can be useful in determining |
| which instance of pppd is responsible for the link to a given peer |
| system. This is a privileged option. |
| .TP |
| .B local |
| Don't use the modem control lines. With this option, pppd will ignore |
| the state of the CD (Carrier Detect) signal from the modem and will |
| not change the state of the DTR (Data Terminal Ready) signal. |
| .TP |
| .B logfd \fIn |
| Send log messages to file descriptor \fIn\fR. Pppd will send log |
| messages to at most one file or file descriptor (as well as sending |
| the log messages to syslog), so this option and the \fBlogfile\fR |
| option are mutually exclusive. The default is for pppd to send log |
| messages to stdout (file descriptor 1), unless the serial port is |
| already open on stdout. |
| .TP |
| .B logfile \fIfilename |
| Append log messages to the file \fIfilename\fR (as well as sending the |
| log messages to syslog). The file is opened with the privileges of |
| the user who invoked pppd, in append mode. |
| .TP |
| .B login |
| Use the system password database for authenticating the peer using |
| PAP, and record the user in the system wtmp file. Note that the peer |
| must have an entry in the /etc/ppp/pap\-secrets file as well as the |
| system password database to be allowed access. |
| .TP |
| .B maxconnect \fIn |
| Terminate the connection when it has been available for network |
| traffic for \fIn\fR seconds (i.e. \fIn\fR seconds after the first |
| network control protocol comes up). |
| .TP |
| .B maxfail \fIn |
| Terminate after \fIn\fR consecutive failed connection attempts. A |
| value of 0 means no limit. The default value is 10. |
| .TP |
| .B modem |
| Use the modem control lines. This option is the default. With this |
| option, pppd will wait for the CD (Carrier Detect) signal from the |
| modem to be asserted when opening the serial device (unless a connect |
| script is specified), and it will drop the DTR (Data Terminal Ready) |
| signal briefly when the connection is terminated and before executing |
| the connect script. On Ultrix, this option implies hardware flow |
| control, as for the \fIcrtscts\fR option. |
| .TP |
| .B mp |
| Enables the use of PPP multilink; this is an alias for the `multilink' |
| option. This option is currently only available under Linux. |
| .TP |
| .B mppe\-stateful |
| Allow MPPE to use stateful mode. Stateless mode is still attempted first. |
| The default is to disallow stateful mode. |
| .TP |
| .B mpshortseq |
| Enables the use of short (12-bit) sequence numbers in multilink |
| headers, as opposed to 24-bit sequence numbers. This option is only |
| available under Linux, and only has any effect if multilink is |
| enabled (see the multilink option). |
| .TP |
| .B mrru \fIn |
| Sets the Maximum Reconstructed Receive Unit to \fIn\fR. The MRRU is |
| the maximum size for a received packet on a multilink bundle, and is |
| analogous to the MRU for the individual links. This option is |
| currently only available under Linux, and only has any effect if |
| multilink is enabled (see the multilink option). |
| .TP |
| .B ms\-dns \fI<addr> |
| If pppd is acting as a server for Microsoft Windows clients, this |
| option allows pppd to supply one or two DNS (Domain Name Server) |
| addresses to the clients. The first instance of this option specifies |
| the primary DNS address; the second instance (if given) specifies the |
| secondary DNS address. (This option was present in some older |
| versions of pppd under the name \fBdns\-addr\fR.) |
| .TP |
| .B ms\-wins \fI<addr> |
| If pppd is acting as a server for Microsoft Windows or "Samba" |
| clients, this option allows pppd to supply one or two WINS (Windows |
| Internet Name Services) server addresses to the clients. The first |
| instance of this option specifies the primary WINS address; the second |
| instance (if given) specifies the secondary WINS address. |
| .TP |
| .B multilink |
| Enables the use of the PPP multilink protocol. If the peer also |
| supports multilink, then this link can become part of a bundle between |
| the local system and the peer. If there is an existing bundle to the |
| peer, pppd will join this link to that bundle, otherwise pppd will |
| create a new bundle. See the MULTILINK section below. This option is |
| currently only available under Linux. |
| .TP |
| .B name \fIname |
| Set the name of the local system for authentication purposes to |
| \fIname\fR. This is a privileged option. With this option, pppd will |
| use lines in the secrets files which have \fIname\fR as the second |
| field when looking for a secret to use in authenticating the peer. In |
| addition, unless overridden with the \fIuser\fR option, \fIname\fR |
| will be used as the name to send to the peer when authenticating the |
| local system to the peer. (Note that pppd does not append the domain |
| name to \fIname\fR.) |
| .TP |
| .B noaccomp |
| Disable Address/Control compression in both directions (send and |
| receive). |
| .TP |
| .B noauth |
| Do not require the peer to authenticate itself. This option is |
| privileged. |
| .TP |
| .B nobsdcomp |
| Disables BSD-Compress compression; \fBpppd\fR will not request or |
| agree to compress packets using the BSD-Compress scheme. |
| .TP |
| .B noccp |
| Disable CCP (Compression Control Protocol) negotiation. This option |
| should only be required if the peer is buggy and gets confused by |
| requests from pppd for CCP negotiation. |
| .TP |
| .B nocrtscts |
| Disable hardware flow control (i.e. RTS/CTS) on the serial port. |
| If neither the \fIcrtscts\fR nor the \fInocrtscts\fR nor the |
| \fIcdtrcts\fR nor the \fInocdtrcts\fR option is given, the hardware |
| flow control setting for the serial port is left unchanged. |
| .TP |
| .B nocdtrcts |
| This option is a synonym for \fInocrtscts\fR. Either of these options will |
| disable both forms of hardware flow control. |
| .TP |
| .B nodefaultroute |
| Disable the \fIdefaultroute\fR option. The system administrator who |
| wishes to prevent users from creating default routes with pppd |
| can do so by placing this option in the /etc/ppp/options file. |
| .TP |
| .B nodeflate |
| Disables Deflate compression; pppd will not request or agree to |
| compress packets using the Deflate scheme. |
| .TP |
| .B nodetach |
| Don't detach from the controlling terminal. Without this option, if a |
| serial device other than the terminal on the standard input is |
| specified, pppd will fork to become a background process. |
| .TP |
| .B noendpoint |
| Disables pppd from sending an endpoint discriminator to the peer or |
| accepting one from the peer (see the MULTILINK section below). This |
| option should only be required if the peer is buggy. |
| .TP |
| .B noip |
| Disable IPCP negotiation and IP communication. This option should |
| only be required if the peer is buggy and gets confused by requests |
| from pppd for IPCP negotiation. |
| .TP |
| .B noipv6 |
| Disable IPv6CP negotiation and IPv6 communication. This option should |
| only be required if the peer is buggy and gets confused by requests |
| from pppd for IPv6CP negotiation. |
| .TP |
| .B noipdefault |
| Disables the default behaviour when no local IP address is specified, |
| which is to determine (if possible) the local IP address from the |
| hostname. With this option, the peer will have to supply the local IP |
| address during IPCP negotiation (unless it specified explicitly on the |
| command line or in an options file). |
| .TP |
| .B noipx |
| Disable the IPXCP and IPX protocols. This option should only be |
| required if the peer is buggy and gets confused by requests from pppd |
| for IPXCP negotiation. |
| .TP |
| .B noktune |
| Opposite of the \fIktune\fR option; disables pppd from changing system |
| settings. |
| .TP |
| .B nolog |
| Do not send log messages to a file or file descriptor. This option |
| cancels the \fBlogfd\fR and \fBlogfile\fR options. |
| .TP |
| .B nomagic |
| Disable magic number negotiation. With this option, pppd cannot |
| detect a looped-back line. This option should only be needed if the |
| peer is buggy. |
| .TP |
| .B nomp |
| Disables the use of PPP multilink. This option is currently only |
| available under Linux. |
| .TP |
| .B nomppe |
| Disables MPPE (Microsoft Point to Point Encryption). This is the default. |
| .TP |
| .B nomppe\-40 |
| Disable 40-bit encryption with MPPE. |
| .TP |
| .B nomppe\-128 |
| Disable 128-bit encryption with MPPE. |
| .TP |
| .B nomppe\-stateful |
| Disable MPPE stateful mode. This is the default. |
| .TP |
| .B nompshortseq |
| Disables the use of short (12-bit) sequence numbers in the PPP |
| multilink protocol, forcing the use of 24-bit sequence numbers. This |
| option is currently only available under Linux, and only has any |
| effect if multilink is enabled. |
| .TP |
| .B nomultilink |
| Disables the use of PPP multilink. This option is currently only |
| available under Linux. |
| .TP |
| .B nopcomp |
| Disable protocol field compression negotiation in both the receive and |
| the transmit direction. |
| .TP |
| .B nopersist |
| Exit once a connection has been made and terminated. This is the |
| default unless the \fIpersist\fR or \fIdemand\fR option has been |
| specified. |
| .TP |
| .B nopredictor1 |
| Do not accept or agree to Predictor\-1 compression. |
| .TP |
| .B noproxyarp |
| Disable the \fIproxyarp\fR option. The system administrator who |
| wishes to prevent users from creating proxy ARP entries with pppd can |
| do so by placing this option in the /etc/ppp/options file. |
| .TP |
| .B notty |
| Normally, pppd requires a terminal device. With this option, pppd |
| will allocate itself a pseudo-tty master/slave pair and use the slave |
| as its terminal device. Pppd will create a child process to act as a |
| `character shunt' to transfer characters between the pseudo-tty master |
| and its standard input and output. Thus pppd will transmit characters |
| on its standard output and receive characters on its standard input |
| even if they are not terminal devices. This option increases the |
| latency and CPU overhead of transferring data over the ppp interface |
| as all of the characters sent and received must flow through the |
| character shunt process. An explicit device name may not be given if |
| this option is used. |
| .TP |
| .B novj |
| Disable Van Jacobson style TCP/IP header compression in both the |
| transmit and the receive direction. |
| .TP |
| .B novjccomp |
| Disable the connection-ID compression option in Van Jacobson style |
| TCP/IP header compression. With this option, pppd will not omit the |
| connection-ID byte from Van Jacobson compressed TCP/IP headers, nor |
| ask the peer to do so. |
| .TP |
| .B papcrypt |
| Indicates that all secrets in the /etc/ppp/pap\-secrets file which are |
| used for checking the identity of the peer are encrypted, and thus |
| pppd should not accept a password which, before encryption, is |
| identical to the secret from the /etc/ppp/pap\-secrets file. |
| .TP |
| .B pap\-max\-authreq \fIn |
| Set the maximum number of PAP authenticate-request transmissions to |
| \fIn\fR (default 10). |
| .TP |
| .B pap\-restart \fIn |
| Set the PAP restart interval (retransmission timeout) to \fIn\fR |
| seconds (default 3). |
| .TP |
| .B pap\-timeout \fIn |
| Set the maximum time that pppd will wait for the peer to authenticate |
| itself with PAP to \fIn\fR seconds (0 means no limit). |
| .TP |
| .B pass\-filter \fIfilter\-expression |
| Specifies a packet filter to applied to data packets being sent or |
| received to determine which packets should be allowed to pass. |
| Packets which are rejected by the filter are silently discarded. This |
| option can be used to prevent specific network daemons (such as |
| routed) using up link bandwidth, or to provide a very basic firewall |
| capability. |
| The \fIfilter\-expression\fR syntax is as described for tcpdump(1), |
| except that qualifiers which are inappropriate for a PPP link, such as |
| \fBether\fR and \fBarp\fR, are not permitted. Generally the filter |
| expression should be enclosed in single-quotes to prevent whitespace |
| in the expression from being interpreted by the shell. Note that it |
| is possible to apply different constraints to incoming and outgoing |
| packets using the \fBinbound\fR and \fBoutbound\fR qualifiers. This |
| option is currently only available under Linux, and requires that the |
| kernel was configured to include PPP filtering support (CONFIG_PPP_FILTER). |
| .TP |
| .B password \fIpassword\-string |
| Specifies the password to use for authenticating to the peer. Use |
| of this option is discouraged, as the password is likely to be visible |
| to other users on the system (for example, by using ps(1)). |
| .TP |
| .B persist |
| Do not exit after a connection is terminated; instead try to reopen |
| the connection. The \fBmaxfail\fR option still has an effect on |
| persistent connections. |
| .TP |
| .B plugin \fIfilename |
| Load the shared library object file \fIfilename\fR as a plugin. This |
| is a privileged option. If \fIfilename\fR does not contain a slash |
| (/), pppd will look in the \fB/usr/lib/pppd/\fIversion\fR directory |
| for the plugin, where |
| \fIversion\fR is the version number of pppd (for example, 2.4.2). |
| .TP |
| .B predictor1 |
| Request that the peer compress frames that it sends using Predictor-1 |
| compression, and agree to compress transmitted frames with Predictor-1 |
| if requested. This option has no effect unless the kernel driver |
| supports Predictor-1 compression. |
| .TP |
| .B privgroup \fIgroup\-name |
| Allows members of group \fIgroup\-name\fR to use privileged options. |
| This is a privileged option. Use of this option requires care as |
| there is no guarantee that members of \fIgroup\-name\fR cannot use pppd |
| to become root themselves. Consider it equivalent to putting the |
| members of \fIgroup\-name\fR in the kmem or disk group. |
| .TP |
| .B proxyarp |
| Add an entry to this system's ARP [Address Resolution Protocol] table |
| with the IP address of the peer and the Ethernet address of this |
| system. This will have the effect of making the peer appear to other |
| systems to be on the local ethernet. |
| .TP |
| .B pty \fIscript |
| Specifies that the command \fIscript\fR is to be used to communicate |
| rather than a specific terminal device. Pppd will allocate itself a |
| pseudo-tty master/slave pair and use the slave as its terminal |
| device. The \fIscript\fR will be run in a child process with the |
| pseudo-tty master as its standard input and output. An explicit |
| device name may not be given if this option is used. (Note: if the |
| \fIrecord\fR option is used in conjuction with the \fIpty\fR option, |
| the child process will have pipes on its standard input and output.) |
| .TP |
| .B receive\-all |
| With this option, pppd will accept all control characters from the |
| peer, including those marked in the receive asyncmap. Without this |
| option, pppd will discard those characters as specified in RFC1662. |
| This option should only be needed if the peer is buggy. |
| .TP |
| .B record \fIfilename |
| Specifies that pppd should record all characters sent and received to |
| a file named \fIfilename\fR. This file is opened in append mode, |
| using the user's user-ID and permissions. This option is implemented |
| using a pseudo-tty and a process to transfer characters between the |
| pseudo-tty and the real serial device, so it will increase the latency |
| and CPU overhead of transferring data over the ppp interface. The |
| characters are stored in a tagged format with timestamps, which can be |
| displayed in readable form using the pppdump(8) program. |
| .TP |
| .B remotename \fIname |
| Set the assumed name of the remote system for authentication purposes |
| to \fIname\fR. |
| .TP |
| .B remotenumber \fInumber |
| Set the assumed telephone number of the remote system for authentication |
| purposes to \fInumber\fR. |
| .TP |
| .B refuse\-chap |
| With this option, pppd will not agree to authenticate itself to the |
| peer using CHAP. |
| .TP |
| .B refuse\-mschap |
| With this option, pppd will not agree to authenticate itself to the |
| peer using MS\-CHAP. |
| .TP |
| .B refuse\-mschap\-v2 |
| With this option, pppd will not agree to authenticate itself to the |
| peer using MS\-CHAPv2. |
| .TP |
| .B refuse\-eap |
| With this option, pppd will not agree to authenticate itself to the |
| peer using EAP. |
| .TP |
| .B refuse\-pap |
| With this option, pppd will not agree to authenticate itself to the |
| peer using PAP. |
| .TP |
| .B require\-chap |
| Require the peer to authenticate itself using CHAP [Challenge |
| Handshake Authentication Protocol] authentication. |
| .TP |
| .B require\-mppe |
| Require the use of MPPE (Microsoft Point to Point Encryption). This |
| option disables all other compression types. This option enables |
| both 40-bit and 128-bit encryption. In order for MPPE to successfully |
| come up, you must have authenticated with either MS\-CHAP or MS\-CHAPv2. |
| This option is presently only supported under Linux, and only if your |
| kernel has been configured to include MPPE support. |
| .TP |
| .B require\-mppe\-40 |
| Require the use of MPPE, with 40-bit encryption. |
| .TP |
| .B require\-mppe\-128 |
| Require the use of MPPE, with 128-bit encryption. |
| .TP |
| .B require\-mschap |
| Require the peer to authenticate itself using MS\-CHAP [Microsoft Challenge |
| Handshake Authentication Protocol] authentication. |
| .TP |
| .B require\-mschap\-v2 |
| Require the peer to authenticate itself using MS\-CHAPv2 [Microsoft Challenge |
| Handshake Authentication Protocol, Version 2] authentication. |
| .TP |
| .B require\-eap |
| Require the peer to authenticate itself using EAP [Extensible |
| Authentication Protocol] authentication. |
| .TP |
| .B require\-pap |
| Require the peer to authenticate itself using PAP [Password |
| Authentication Protocol] authentication. |
| .TP |
| .B show\-password |
| When logging the contents of PAP packets, this option causes pppd to |
| show the password string in the log message. |
| .TP |
| .B silent |
| With this option, pppd will not transmit LCP packets to initiate a |
| connection until a valid LCP packet is received from the peer (as for |
| the `passive' option with ancient versions of pppd). |
| .TP |
| .B srp\-interval \fIn |
| If this parameter is given and pppd uses EAP SRP\-SHA1 to authenticate |
| the peer (i.e., is the server), then pppd will use the optional |
| lightweight SRP rechallenge mechanism at intervals of \fIn\fR |
| seconds. This option is faster than \fBeap\-interval\fR |
| reauthentication because it uses a hash\-based mechanism and does not |
| derive a new session key. |
| .TP |
| .B srp\-pn\-secret \fIstring |
| Set the long-term pseudonym-generating secret for the server. This |
| value is optional and if set, needs to be known at the server |
| (authenticator) side only, and should be different for each server (or |
| poll of identical servers). It is used along with the current date to |
| generate a key to encrypt and decrypt the client's identity contained |
| in the pseudonym. |
| .TP |
| .B srp\-use\-pseudonym |
| When operating as an EAP SRP\-SHA1 client, attempt to use the pseudonym |
| stored in ~/.ppp_psuedonym first as the identity, and save in this |
| file any pseudonym offered by the peer during authentication. |
| .TP |
| .B sync |
| Use synchronous HDLC serial encoding instead of asynchronous. |
| The device used by pppd with this option must have sync support. |
| Currently supports Microgate SyncLink adapters |
| under Linux and FreeBSD 2.2.8 and later. |
| .TP |
| .B unit \fInum |
| Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound |
| connections. |
| .TP |
| .B updetach |
| With this option, pppd will detach from its controlling terminal once |
| it has successfully established the ppp connection (to the point where |
| the first network control protocol, usually the IP control protocol, |
| has come up). |
| .TP |
| .B usehostname |
| Enforce the use of the hostname (with domain name appended, if given) |
| as the name of the local system for authentication purposes (overrides |
| the \fIname\fR option). This option is not normally needed since the |
| \fIname\fR option is privileged. |
| .TP |
| .B usepeerdns |
| Ask the peer for up to 2 DNS server addresses. The addresses supplied |
| by the peer (if any) are passed to the /etc/ppp/ip\-up script in the |
| environment variables DNS1 and DNS2, and the environment variable |
| USEPEERDNS will be set to 1. In addition, pppd will create an |
| /etc/ppp/resolv.conf file containing one or two nameserver lines with |
| the address(es) supplied by the peer. |
| .TP |
| .B user \fIname |
| Sets the name used for authenticating the local system to the peer to |
| \fIname\fR. |
| .TP |
| .B vj\-max\-slots \fIn |
| Sets the number of connection slots to be used by the Van Jacobson |
| TCP/IP header compression and decompression code to \fIn\fR, which |
| must be between 2 and 16 (inclusive). |
| .TP |
| .B welcome \fIscript |
| Run the executable or shell command specified by \fIscript\fR before |
| initiating PPP negotiation, after the connect script (if any) has |
| completed. A value for this option from a privileged source cannot be |
| overridden by a non-privileged user. |
| .TP |
| .B xonxoff |
| Use software flow control (i.e. XON/XOFF) to control the flow of data on |
| the serial port. |
| .SH OPTIONS FILES |
| Options can be taken from files as well as the command line. Pppd |
| reads options from the files /etc/ppp/options, ~/.ppprc and |
| /etc/ppp/options.\fIttyname\fR (in that order) before processing the |
| options on the command line. (In fact, the command-line options are |
| scanned to find the terminal name before the options.\fIttyname\fR |
| file is read.) In forming the name of the options.\fIttyname\fR file, |
| the initial /dev/ is removed from the terminal name, and any remaining |
| / characters are replaced with dots. |
| .PP |
| An options file is parsed into a series of words, delimited by |
| whitespace. Whitespace can be included in a word by enclosing the |
| word in double-quotes ("). A backslash (\\) quotes the following character. |
| A hash (#) starts a comment, which continues until the end of the |
| line. There is no restriction on using the \fIfile\fR or \fIcall\fR |
| options within an options file. |
| .SH SECURITY |
| .I pppd |
| provides system administrators with sufficient access control that PPP |
| access to a server machine can be provided to legitimate users without |
| fear of compromising the security of the server or the network it's |
| on. This control is provided through restrictions on which IP |
| addresses the peer may use, based on its authenticated identity (if |
| any), and through restrictions on which options a non-privileged user |
| may use. Several of pppd's options are privileged, in particular |
| those which permit potentially insecure configurations; these options |
| are only accepted in files which are under the control of the system |
| administrator, or if pppd is being run by root. |
| .PP |
| The default behaviour of pppd is to allow an unauthenticated peer to |
| use a given IP address only if the system does not already have a |
| route to that IP address. For example, a system with a |
| permanent connection to the wider internet will normally have a |
| default route, and thus all peers will have to authenticate themselves |
| in order to set up a connection. On such a system, the \fIauth\fR |
| option is the default. On the other hand, a system where the |
| PPP link is the only connection to the internet will not normally have |
| a default route, so the peer will be able to use almost any IP address |
| without authenticating itself. |
| .PP |
| As indicated above, some security-sensitive options are privileged, |
| which means that they may not be used by an ordinary non-privileged |
| user running a setuid-root pppd, either on the command line, in the |
| user's ~/.ppprc file, or in an options file read using the \fIfile\fR |
| option. Privileged options may be used in /etc/ppp/options file or in |
| an options file read using the \fIcall\fR option. If pppd is being |
| run by the root user, privileged options can be used without |
| restriction. |
| .PP |
| When opening the device, pppd uses either the invoking user's user ID |
| or the root UID (that is, 0), depending on whether the device name was |
| specified by the user or the system administrator. If the device name |
| comes from a privileged source, that is, /etc/ppp/options or an |
| options file read using the \fIcall\fR option, pppd uses full root |
| privileges when opening the device. Thus, by creating an appropriate |
| file under /etc/ppp/peers, the system administrator can allow users to |
| establish a ppp connection via a device which they would not normally |
| have permission to access. Otherwise pppd uses the invoking user's |
| real UID when opening the device. |
| .SH AUTHENTICATION |
| Authentication is the process whereby one peer convinces the other of |
| its identity. This involves the first peer sending its name to the |
| other, together with some kind of secret information which could only |
| come from the genuine authorized user of that name. In such an |
| exchange, we will call the first peer the "client" and the other the |
| "server". The client has a name by which it identifies itself to the |
| server, and the server also has a name by which it identifies itself |
| to the client. Generally the genuine client shares some secret (or |
| password) with the server, and authenticates itself by proving that it |
| knows that secret. Very often, the names used for authentication |
| correspond to the internet hostnames of the peers, but this is not |
| essential. |
| .LP |
| At present, pppd supports three authentication protocols: the Password |
| Authentication Protocol (PAP), Challenge Handshake Authentication |
| Protocol (CHAP), and Extensible Authentication Protocol (EAP). PAP |
| involves the client sending its name and a cleartext password to the |
| server to authenticate itself. In contrast, the server initiates the |
| CHAP authentication exchange by sending a challenge to the client (the |
| challenge packet includes the server's name). The client must respond |
| with a response which includes its name plus a hash value derived from |
| the shared secret and the challenge, in order to prove that it knows |
| the secret. EAP supports CHAP-style authentication, and also includes |
| the SRP\-SHA1 mechanism, which is resistant to dictionary-based attacks |
| and does not require a cleartext password on the server side. |
| .LP |
| The PPP protocol, being symmetrical, allows both peers to require the |
| other to authenticate itself. In that case, two separate and |
| independent authentication exchanges will occur. The two exchanges |
| could use different authentication protocols, and in principle, |
| different names could be used in the two exchanges. |
| .LP |
| The default behaviour of pppd is to agree to authenticate if |
| requested, and to not require authentication from the peer. However, |
| pppd will not agree to authenticate itself with a particular protocol |
| if it has no secrets which could be used to do so. |
| .LP |
| Pppd stores secrets for use in authentication in secrets |
| files (/etc/ppp/pap\-secrets for PAP, /etc/ppp/chap\-secrets for CHAP, |
| MS\-CHAP, MS\-CHAPv2, and EAP MD5-Challenge, and /etc/ppp/srp\-secrets |
| for EAP SRP\-SHA1). |
| All secrets files have the same format. The secrets files can |
| contain secrets for pppd to use in authenticating itself to other |
| systems, as well as secrets for pppd to use when authenticating other |
| systems to itself. |
| .LP |
| Each line in a secrets file contains one secret. A given secret is |
| specific to a particular combination of client and server - it can |
| only be used by that client to authenticate itself to that server. |
| Thus each line in a secrets file has at least 3 fields: the name of |
| the client, the name of the server, and the secret. These fields may |
| be followed by a list of the IP addresses that the specified client |
| may use when connecting to the specified server. |
| .LP |
| A secrets file is parsed into words as for a options file, so the |
| client name, server name and secrets fields must each be one word, |
| with any embedded spaces or other special characters quoted or |
| escaped. Note that case is significant in the client and server names |
| and in the secret. |
| .LP |
| If the secret starts with an `@', what follows is assumed to be the |
| name of a file from which to read the secret. A "*" as the client or |
| server name matches any name. When selecting a secret, pppd takes the |
| best match, i.e. the match with the fewest wildcards. |
| .LP |
| Any following words on the same line are taken to be a list of |
| acceptable IP addresses for that client. If there are only 3 words on |
| the line, or if the first word is "\-", then all IP addresses are |
| disallowed. To allow any address, use "*". A word starting with "!" |
| indicates that the specified address is \fInot\fR acceptable. An |
| address may be followed by "/" and a number \fIn\fR, to indicate a |
| whole subnet, i.e. all addresses which have the same value in the most |
| significant \fIn\fR bits. In this form, the address may be followed |
| by a plus sign ("+") to indicate that one address from the subnet is |
| authorized, based on the ppp network interface unit number in use. |
| In this case, the host part of the address will be set to the unit |
| number plus one. |
| .LP |
| Thus a secrets file contains both secrets for use in authenticating |
| other hosts, plus secrets which we use for authenticating ourselves to |
| others. When pppd is authenticating the peer (checking the peer's |
| identity), it chooses a secret with the peer's name in the first |
| field and the name of the local system in the second field. The |
| name of the local system defaults to the hostname, with the domain |
| name appended if the \fIdomain\fR option is used. This default can be |
| overridden with the \fIname\fR option, except when the |
| \fIusehostname\fR option is used. (For EAP SRP\-SHA1, see the |
| srp\-entry(8) utility for generating proper validator entries to be |
| used in the "secret" field.) |
| .LP |
| When pppd is choosing a secret to use in authenticating itself to the |
| peer, it first determines what name it is going to use to identify |
| itself to the peer. This name can be specified by the user with the |
| \fIuser\fR option. If this option is not used, the name defaults to |
| the name of the local system, determined as described in the previous |
| paragraph. Then pppd looks for a secret with this name in the first |
| field and the peer's name in the second field. Pppd will know the |
| name of the peer if CHAP or EAP authentication is being used, because |
| the peer will have sent it in the challenge packet. However, if PAP |
| is being used, pppd will have to determine the peer's name from the |
| options specified by the user. The user can specify the peer's name |
| directly with the \fIremotename\fR option. Otherwise, if the remote |
| IP address was specified by a name (rather than in numeric form), that |
| name will be used as the peer's name. Failing that, pppd will use the |
| null string as the peer's name. |
| .LP |
| When authenticating the peer with PAP, the supplied password is first |
| compared with the secret from the secrets file. If the password |
| doesn't match the secret, the password is encrypted using crypt() and |
| checked against the secret again. Thus secrets for authenticating the |
| peer can be stored in encrypted form if desired. If the |
| \fIpapcrypt\fR option is given, the first (unencrypted) comparison is |
| omitted, for better security. |
| .LP |
| Furthermore, if the \fIlogin\fR option was specified, the username and |
| password are also checked against the system password database. Thus, |
| the system administrator can set up the pap\-secrets file to allow PPP |
| access only to certain users, and to restrict the set of IP addresses |
| that each user can use. Typically, when using the \fIlogin\fR option, |
| the secret in /etc/ppp/pap\-secrets would be "", which will match any |
| password supplied by the peer. This avoids the need to have the same |
| secret in two places. |
| .LP |
| Authentication must be satisfactorily completed before IPCP (or any |
| other Network Control Protocol) can be started. If the peer is |
| required to authenticate itself, and fails to do so, pppd will |
| terminated the link (by closing LCP). If IPCP negotiates an |
| unacceptable IP address for the remote host, IPCP will be closed. IP |
| packets can only be sent or received when IPCP is open. |
| .LP |
| In some cases it is desirable to allow some hosts which can't |
| authenticate themselves to connect and use one of a restricted set of |
| IP addresses, even when the local host generally requires |
| authentication. If the peer refuses to authenticate itself when |
| requested, pppd takes that as equivalent to authenticating with PAP |
| using the empty string for the username and password. Thus, by adding |
| a line to the pap\-secrets file which specifies the empty string for |
| the client and password, it is possible to allow restricted access to |
| hosts which refuse to authenticate themselves. |
| .SH ROUTING |
| .LP |
| When IPCP negotiation is completed successfully, pppd will inform the |
| kernel of the local and remote IP addresses for the ppp interface. |
| This is sufficient to create a host route to the remote end of the |
| link, which will enable the peers to exchange IP packets. |
| Communication with other machines generally requires further |
| modification to routing tables and/or ARP (Address Resolution |
| Protocol) tables. In most cases the \fIdefaultroute\fR and/or |
| \fIproxyarp\fR options are sufficient for this, but in some cases |
| further intervention is required. The /etc/ppp/ip\-up script can be |
| used for this. |
| .LP |
| Sometimes it is desirable to add a default route through the remote |
| host, as in the case of a machine whose only connection to the |
| Internet is through the ppp interface. The \fIdefaultroute\fR option |
| causes pppd to create such a default route when IPCP comes up, and |
| delete it when the link is terminated. |
| .LP |
| In some cases it is desirable to use proxy ARP, for example on a |
| server machine connected to a LAN, in order to allow other hosts to |
| communicate with the remote host. The \fIproxyarp\fR option causes |
| pppd to look for a network interface on the same subnet as the remote |
| host (an interface supporting broadcast and ARP, which is up and not a |
| point-to-point or loopback interface). If found, pppd creates a |
| permanent, published ARP entry with the IP address of the remote host |
| and the hardware address of the network interface found. |
| .LP |
| When the \fIdemand\fR option is used, the interface IP addresses have |
| already been set at the point when IPCP comes up. If pppd has not |
| been able to negotiate the same addresses that it used to configure |
| the interface (for example when the peer is an ISP that uses dynamic |
| IP address assignment), pppd has to change the interface IP addresses |
| to the negotiated addresses. This may disrupt existing connections, |
| and the use of demand dialling with peers that do dynamic IP address |
| assignment is not recommended. |
| .SH MULTILINK |
| Multilink PPP provides the capability to combine two or more PPP links |
| between a pair of machines into a single `bundle', which appears as a |
| single virtual PPP link which has the combined bandwidth of the |
| individual links. Currently, multilink PPP is only supported under |
| Linux. |
| .LP |
| Pppd detects that the link it is controlling is connected to the same |
| peer as another link using the peer's endpoint discriminator and the |
| authenticated identity of the peer (if it authenticates itself). The |
| endpoint discriminator is a block of data which is hopefully unique |
| for each peer. Several types of data can be used, including |
| locally-assigned strings of bytes, IP addresses, MAC addresses, |
| randomly strings of bytes, or E\-164 phone numbers. The endpoint |
| discriminator sent to the peer by pppd can be set using the endpoint |
| option. |
| .LP |
| In some circumstances the peer may send no endpoint discriminator or a |
| non-unique value. The bundle option adds an extra string which is |
| added to the peer's endpoint discriminator and authenticated identity |
| when matching up links to be joined together in a bundle. The bundle |
| option can also be used to allow the establishment of multiple bundles |
| between the local system and the peer. Pppd uses a TDB database in |
| /var/run/pppd2.tdb to match up links. |
| .LP |
| Assuming that multilink is enabled and the peer is willing to |
| negotiate multilink, then when pppd is invoked to bring up the first |
| link to the peer, it will detect that no other link is connected to |
| the peer and create a new bundle, that is, another ppp network |
| interface unit. When another pppd is invoked to bring up another link |
| to the peer, it will detect the existing bundle and join its link to |
| it. |
| .LP |
| If the first link terminates (for example, because of a hangup or a |
| received LCP terminate-request) the bundle is not destroyed unless |
| there are no other links remaining in the bundle. Rather than |
| exiting, the first pppd keeps running after its link terminates, until |
| all the links in the bundle have terminated. If the first pppd |
| receives a SIGTERM or SIGINT signal, it will destroy the bundle and |
| send a SIGHUP to the pppd processes for each of the links in the |
| bundle. If the first pppd receives a SIGHUP signal, it will terminate |
| its link but not the bundle. |
| .LP |
| Note: demand mode is not currently supported with multilink. |
| .SH EXAMPLES |
| .LP |
| The following examples assume that the /etc/ppp/options file contains |
| the \fIauth\fR option (as in the default /etc/ppp/options file in the |
| ppp distribution). |
| .LP |
| Probably the most common use of pppd is to dial out to an ISP. This |
| can be done with a command such as |
| .IP |
| pppd call isp |
| .LP |
| where the /etc/ppp/peers/isp file is set up by the system |
| administrator to contain something like this: |
| .IP |
| ttyS0 19200 crtscts |
| .br |
| connect '/usr/sbin/chat \-v \-f /etc/ppp/chat\-isp' |
| .br |
| noauth |
| .LP |
| In this example, we are using chat to dial the ISP's modem and go |
| through any logon sequence required. The /etc/ppp/chat\-isp file |
| contains the script used by chat; it could for example contain |
| something like this: |
| .IP |
| ABORT "NO CARRIER" |
| .br |
| ABORT "NO DIALTONE" |
| .br |
| ABORT "ERROR" |
| .br |
| ABORT "NO ANSWER" |
| .br |
| ABORT "BUSY" |
| .br |
| ABORT "Username/Password Incorrect" |
| .br |
| "" "at" |
| .br |
| OK "at&d0&c1" |
| .br |
| OK "atdt2468135" |
| .br |
| "name:" "^Umyuserid" |
| .br |
| "word:" "\\qmypassword" |
| .br |
| "ispts" "\\q^Uppp" |
| .br |
| "~\-^Uppp\-~" |
| .LP |
| See the chat(8) man page for details of chat scripts. |
| .LP |
| Pppd can also be used to provide a dial-in ppp service for users. If |
| the users already have login accounts, the simplest way to set up the |
| ppp service is to let the users log in to their accounts and run pppd |
| (installed setuid-root) with a command such as |
| .IP |
| pppd proxyarp |
| .LP |
| To allow a user to use the PPP facilities, you need to allocate an IP |
| address for that user's machine and create an entry in |
| /etc/ppp/pap\-secrets, /etc/ppp/chap\-secrets, or /etc/ppp/srp\-secrets |
| (depending on which authentication method the PPP implementation on |
| the user's machine supports), so that the user's machine can |
| authenticate itself. For example, if Joe has a machine called |
| "joespc" that is to be allowed to dial in to the machine called |
| "server" and use the IP address joespc.my.net, you would add an entry |
| like this to /etc/ppp/pap\-secrets or /etc/ppp/chap\-secrets: |
| .IP |
| joespc server "joe's secret" joespc.my.net |
| .LP |
| (See srp\-entry(8) for a means to generate the server's entry when |
| SRP\-SHA1 is in use.) |
| Alternatively, you can create a username called (for example) "ppp", |
| whose login shell is pppd and whose home directory is /etc/ppp. |
| Options to be used when pppd is run this way can be put in |
| /etc/ppp/.ppprc. |
| .LP |
| If your serial connection is any more complicated than a piece of |
| wire, you may need to arrange for some control characters to be |
| escaped. In particular, it is often useful to escape XON (^Q) and |
| XOFF (^S), using \fIasyncmap a0000\fR. If the path includes a telnet, |
| you probably should escape ^] as well (\fIasyncmap 200a0000\fR). If |
| the path includes an rlogin, you will need to use the \fIescape ff\fR |
| option on the end which is running the rlogin client, since many |
| rlogin implementations are not transparent; they will remove the |
| sequence [0xff, 0xff, 0x73, 0x73, followed by any 8 bytes] from the |
| stream. |
| .SH DIAGNOSTICS |
| .LP |
| Messages are sent to the syslog daemon using facility LOG_DAEMON. |
| (This can be overridden by recompiling pppd with the macro |
| LOG_PPP defined as the desired facility.) See the syslog(8) |
| documentation for details of where the syslog daemon will write the |
| messages. On most systems, the syslog daemon uses the |
| /etc/syslog.conf file to specify the destination(s) for syslog |
| messages. You may need to edit that file to suit. |
| .LP |
| The \fIdebug\fR option causes the contents of all control packets sent |
| or received to be logged, that is, all LCP, PAP, CHAP, EAP, or IPCP packets. |
| This can be useful if the PPP negotiation does not succeed or if |
| authentication fails. |
| If debugging is enabled at compile time, the \fIdebug\fR option also |
| causes other debugging messages to be logged. |
| .LP |
| Debugging can also be enabled or disabled by sending a SIGUSR1 signal |
| to the pppd process. This signal acts as a toggle. |
| .SH EXIT STATUS |
| The exit status of pppd is set to indicate whether any error was |
| detected, or the reason for the link being terminated. The values |
| used are: |
| .TP |
| .B 0 |
| Pppd has detached, or otherwise the connection was successfully |
| established and terminated at the peer's request. |
| .TP |
| .B 1 |
| An immediately fatal error of some kind occurred, such as an essential |
| system call failing, or running out of virtual memory. |
| .TP |
| .B 2 |
| An error was detected in processing the options given, such as two |
| mutually exclusive options being used. |
| .TP |
| .B 3 |
| Pppd is not setuid-root and the invoking user is not root. |
| .TP |
| .B 4 |
| The kernel does not support PPP, for example, the PPP kernel driver is |
| not included or cannot be loaded. |
| .TP |
| .B 5 |
| Pppd terminated because it was sent a SIGINT, SIGTERM or SIGHUP |
| signal. |
| .TP |
| .B 6 |
| The serial port could not be locked. |
| .TP |
| .B 7 |
| The serial port could not be opened. |
| .TP |
| .B 8 |
| The connect script failed (returned a non-zero exit status). |
| .TP |
| .B 9 |
| The command specified as the argument to the \fIpty\fR option could |
| not be run. |
| .TP |
| .B 10 |
| The PPP negotiation failed, that is, it didn't reach the point where |
| at least one network protocol (e.g. IP) was running. |
| .TP |
| .B 11 |
| The peer system failed (or refused) to authenticate itself. |
| .TP |
| .B 12 |
| The link was established successfully and terminated because it was |
| idle. |
| .TP |
| .B 13 |
| The link was established successfully and terminated because the |
| connect time limit was reached. |
| .TP |
| .B 14 |
| Callback was negotiated and an incoming call should arrive shortly. |
| .TP |
| .B 15 |
| The link was terminated because the peer is not responding to echo |
| requests. |
| .TP |
| .B 16 |
| The link was terminated by the modem hanging up. |
| .TP |
| .B 17 |
| The PPP negotiation failed because serial loopback was detected. |
| .TP |
| .B 18 |
| The init script failed (returned a non-zero exit status). |
| .TP |
| .B 19 |
| We failed to authenticate ourselves to the peer. |
| .SH SCRIPTS |
| Pppd invokes scripts at various stages in its processing which can be |
| used to perform site-specific ancillary processing. These scripts are |
| usually shell scripts, but could be executable code files instead. |
| Pppd does not wait for the scripts to finish. The scripts are |
| executed as root (with the real and effective user-id set to 0), so |
| that they can do things such as update routing tables or run |
| privileged daemons. Be careful that the contents of these scripts do |
| not compromise your system's security. Pppd runs the scripts with |
| standard input, output and error redirected to /dev/null, and with an |
| environment that is empty except for some environment variables that |
| give information about the link. The environment variables that pppd |
| sets are: |
| .TP |
| .B DEVICE |
| The name of the serial tty device being used. |
| .TP |
| .B IFNAME |
| The name of the network interface being used. |
| .TP |
| .B IPLOCAL |
| The IP address for the local end of the link. This is only set when |
| IPCP has come up. |
| .TP |
| .B IPREMOTE |
| The IP address for the remote end of the link. This is only set when |
| IPCP has come up. |
| .TP |
| .B PEERNAME |
| The authenticated name of the peer. This is only set if the peer |
| authenticates itself. |
| .TP |
| .B SPEED |
| The baud rate of the tty device. |
| .TP |
| .B ORIG_UID |
| The real user-id of the user who invoked pppd. |
| .TP |
| .B PPPLOGNAME |
| The username of the real user-id that invoked pppd. This is always set. |
| .P |
| For the ip-down and auth-down scripts, pppd also sets the following |
| variables giving statistics for the connection: |
| .TP |
| .B CONNECT_TIME |
| The number of seconds from when the PPP negotiation started until the |
| connection was terminated. |
| .TP |
| .B BYTES_SENT |
| The number of bytes sent (at the level of the serial port) during the |
| connection. |
| .TP |
| .B BYTES_RCVD |
| The number of bytes received (at the level of the serial port) during |
| the connection. |
| .TP |
| .B LINKNAME |
| The logical name of the link, set with the \fIlinkname\fR option. |
| .TP |
| .B DNS1 |
| If the peer supplies DNS server addresses, this variable is set to the |
| first DNS server address supplied. |
| .TP |
| .B DNS2 |
| If the peer supplies DNS server addresses, this variable is set to the |
| second DNS server address supplied. |
| .P |
| Pppd invokes the following scripts, if they exist. It is not an error |
| if they don't exist. |
| .TP |
| .B /etc/ppp/auth\-up |
| A program or script which is executed after the remote system |
| successfully authenticates itself. It is executed with the parameters |
| .IP |
| \fIinterface\-name peer\-name user\-name tty\-device speed\fR |
| .IP |
| Note that this script is not executed if the peer doesn't authenticate |
| itself, for example when the \fInoauth\fR option is used. |
| .TP |
| .B /etc/ppp/auth\-down |
| A program or script which is executed when the link goes down, if |
| /etc/ppp/auth\-up was previously executed. It is executed in the same |
| manner with the same parameters as /etc/ppp/auth\-up. |
| .TP |
| .B /etc/ppp/ip\-up |
| A program or script which is executed when the link is available for |
| sending and receiving IP packets (that is, IPCP has come up). It is |
| executed with the parameters |
| .IP |
| \fIinterface\-name tty\-device speed local\-IP\-address |
| remote\-IP\-address ipparam\fR |
| .TP |
| .B /etc/ppp/ip\-down |
| A program or script which is executed when the link is no longer |
| available for sending and receiving IP packets. This script can be |
| used for undoing the effects of the /etc/ppp/ip\-up script. It is |
| invoked in the same manner and with the same parameters as the ip\-up |
| script. |
| .TP |
| .B /etc/ppp/ipv6\-up |
| Like /etc/ppp/ip\-up, except that it is executed when the link is available |
| for sending and receiving IPv6 packets. It is executed with the parameters |
| .IP |
| \fIinterface\-name tty\-device speed local\-link\-local\-address |
| remote\-link\-local\-address ipparam\fR |
| .TP |
| .B /etc/ppp/ipv6\-down |
| Similar to /etc/ppp/ip\-down, but it is executed when IPv6 packets can no |
| longer be transmitted on the link. It is executed with the same parameters |
| as the ipv6\-up script. |
| .TP |
| .B /etc/ppp/ipx\-up |
| A program or script which is executed when the link is available for |
| sending and receiving IPX packets (that is, IPXCP has come up). It is |
| executed with the parameters |
| .IP |
| \fIinterface\-name tty\-device speed network\-number local\-IPX\-node\-address |
| remote\-IPX\-node\-address local\-IPX\-routing\-protocol remote\-IPX\-routing\-protocol |
| local\-IPX\-router\-name remote\-IPX\-router\-name ipparam pppd\-pid\fR |
| .IP |
| The local\-IPX\-routing\-protocol and remote\-IPX\-routing\-protocol field |
| may be one of the following: |
| .IP |
| NONE to indicate that there is no routing protocol |
| .br |
| RIP to indicate that RIP/SAP should be used |
| .br |
| NLSP to indicate that Novell NLSP should be used |
| .br |
| RIP NLSP to indicate that both RIP/SAP and NLSP should be used |
| .TP |
| .B /etc/ppp/ipx\-down |
| A program or script which is executed when the link is no longer |
| available for sending and receiving IPX packets. This script can be |
| used for undoing the effects of the /etc/ppp/ipx\-up script. It is |
| invoked in the same manner and with the same parameters as the ipx\-up |
| script. |
| .SH FILES |
| .TP |
| .B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others) |
| Process-ID for pppd process on ppp interface unit \fIn\fR. |
| .TP |
| .B /var/run/ppp\-\fIname\fB.pid \fR(BSD or Linux), |
| \fB/etc/ppp/ppp\-\fIname\fB.pid \fR(others) |
| Process-ID for pppd process for logical link \fIname\fR (see the |
| \fIlinkname\fR option). |
| .TP |
| .B /var/run/pppd2.tdb |
| Database containing information about pppd processes, interfaces and |
| links, used for matching links to bundles in multilink operation. May |
| be examined by external programs to obtain information about running |
| pppd instances, the interfaces and devices they are using, IP address |
| assignments, etc. |
| .B /etc/ppp/pap\-secrets |
| Usernames, passwords and IP addresses for PAP authentication. This |
| file should be owned by root and not readable or writable by any other |
| user. Pppd will log a warning if this is not the case. |
| .TP |
| .B /etc/ppp/chap\-secrets |
| Names, secrets and IP addresses for CHAP/MS\-CHAP/MS\-CHAPv2 authentication. |
| As for /etc/ppp/pap\-secrets, this file should be owned by root and not |
| readable or writable by any other user. Pppd will log a warning if |
| this is not the case. |
| .TP |
| .B /etc/ppp/srp\-secrets |
| Names, secrets, and IP addresses for EAP authentication. As for |
| /etc/ppp/pap\-secrets, this file should be owned by root and not |
| readable or writable by any other user. Pppd will log a warning if |
| this is not the case. |
| .TP |
| .B ~/.ppp_pseudonym |
| Saved client-side SRP\-SHA1 pseudonym. See the \fIsrp\-use\-pseudonym\fR |
| option for details. |
| .TP |
| .B /etc/ppp/options |
| System default options for pppd, read before user default options or |
| command-line options. |
| .TP |
| .B ~/.ppprc |
| User default options, read before /etc/ppp/options.\fIttyname\fR. |
| .TP |
| .B /etc/ppp/options.\fIttyname |
| System default options for the serial port being used, read after |
| ~/.ppprc. In forming the \fIttyname\fR part of this |
| filename, an initial /dev/ is stripped from the port name (if |
| present), and any slashes in the remaining part are converted to |
| dots. |
| .TP |
| .B /etc/ppp/peers |
| A directory containing options files which may contain privileged |
| options, even if pppd was invoked by a user other than root. The |
| system administrator can create options files in this directory to |
| permit non-privileged users to dial out without requiring the peer to |
| authenticate, but only to certain trusted peers. |
| .SH SEE ALSO |
| .TP |
| .B RFC1144 |
| Jacobson, V. |
| \fICompressing TCP/IP headers for low-speed serial links.\fR |
| February 1990. |
| .TP |
| .B RFC1321 |
| Rivest, R. |
| .I The MD5 Message-Digest Algorithm. |
| April 1992. |
| .TP |
| .B RFC1332 |
| McGregor, G. |
| .I PPP Internet Protocol Control Protocol (IPCP). |
| May 1992. |
| .TP |
| .B RFC1334 |
| Lloyd, B.; Simpson, W.A. |
| .I PPP authentication protocols. |
| October 1992. |
| .TP |
| .B RFC1661 |
| Simpson, W.A. |
| .I The Point-to-Point Protocol (PPP). |
| July 1994. |
| .TP |
| .B RFC1662 |
| Simpson, W.A. |
| .I PPP in HDLC-like Framing. |
| July 1994. |
| .TP |
| .B RFC2284 |
| Blunk, L.; Vollbrecht, J., |
| .I PPP Extensible Authentication Protocol (EAP). |
| March 1998. |
| .TP |
| .B RFC2472 |
| Haskin, D. |
| .I IP Version 6 over PPP |
| December 1998. |
| .TP |
| .B RFC2945 |
| Wu, T., |
| .I The SRP Authentication and Key Exchange System |
| September 2000. |
| .TP |
| .B draft\-ietf\-pppext\-eap\-srp\-03.txt |
| Carlson, J.; et al., |
| .I EAP SRP\-SHA1 Authentication Protocol. |
| July 2001. |
| .SH NOTES |
| Some limited degree of control can be exercised over a running pppd |
| process by sending it a signal from the list below. |
| .TP |
| .B SIGINT, SIGTERM |
| These signals cause pppd to terminate the link (by closing LCP), |
| restore the serial device settings, and exit. |
| .TP |
| .B SIGHUP |
| This signal causes pppd to terminate the link, restore the serial |
| device settings, and close the serial device. If the \fIpersist\fR or |
| \fIdemand\fR option has been specified, pppd will try to reopen the |
| serial device and start another connection (after the holdoff period). |
| Otherwise pppd will exit. If this signal is received during the |
| holdoff period, it causes pppd to end the holdoff period immediately. |
| .TP |
| .B SIGUSR1 |
| This signal toggles the state of the \fIdebug\fR option. |
| .TP |
| .B SIGUSR2 |
| This signal causes pppd to renegotiate compression. This can be |
| useful to re-enable compression after it has been disabled as a result |
| of a fatal decompression error. (Fatal decompression errors generally |
| indicate a bug in one or other implementation.) |
| |
| .SH AUTHORS |
| Paul Mackerras (paulus@samba.org), based on earlier work by |
| Drew Perkins, |
| Brad Clements, |
| Karl Fox, |
| Greg Christy, |
| and |
| Brad Parker. |
| |
| .SH COPYRIGHT |
| Pppd is copyrighted and made available under conditions which provide |
| that it may be copied and used in source or binary forms provided that |
| the conditions listed below are met. Portions of pppd are covered by |
| the following copyright notices: |
| .LP |
| Copyright (c) 1984-2000 Carnegie Mellon University. All rights |
| reserved. |
| .br |
| Copyright (c) 1993-2004 Paul Mackerras. All rights reserved. |
| .br |
| Copyright (c) 1995 Pedro Roque Marques. All rights reserved. |
| .br |
| Copyright (c) 1995 Eric Rosenquist. All rights reserved. |
| .br |
| Copyright (c) 1999 Tommi Komulainen. All rights reserved. |
| .br |
| Copyright (C) Andrew Tridgell 1999 |
| .br |
| Copyright (c) 2000 by Sun Microsystems, Inc. All rights reserved. |
| .br |
| Copyright (c) 2001 by Sun Microsystems, Inc. All rights reserved. |
| .br |
| Copyright (c) 2002 Google, Inc. All rights reserved. |
| .LP |
| The copyright notices contain the following statements. |
| .LP |
| Redistribution and use in source and binary forms, with or without |
| modification, are permitted provided that the following conditions |
| are met: |
| .LP |
| 1. Redistributions of source code must retain the above copyright |
| notice, this list of conditions and the following disclaimer. |
| .LP |
| 2. Redistributions in binary form must reproduce the above copyright |
| notice, this list of conditions and the following disclaimer in |
| the documentation and/or other materials provided with the |
| distribution. |
| .LP |
| 3. The name "Carnegie Mellon University" must not be used to |
| endorse or promote products derived from this software without |
| prior written permission. For permission or any legal |
| details, please contact |
| .br |
| Office of Technology Transfer |
| .br |
| Carnegie Mellon University |
| .br |
| 5000 Forbes Avenue |
| .br |
| Pittsburgh, PA 15213-3890 |
| .br |
| (412) 268-4387, fax: (412) 268-7395 |
| .br |
| tech-transfer@andrew.cmu.edu |
| .LP |
| 3b. The name(s) of the authors of this software must not be used to |
| endorse or promote products derived from this software without |
| prior written permission. |
| .LP |
| 4. Redistributions of any form whatsoever must retain the following |
| acknowledgments: |
| .br |
| "This product includes software developed by Computing Services |
| at Carnegie Mellon University (http://www.cmu.edu/computing/)." |
| .br |
| "This product includes software developed by Paul Mackerras |
| <paulus@samba.org>". |
| .br |
| "This product includes software developed by Pedro Roque Marques |
| <pedro_m@yahoo.com>". |
| .br |
| "This product includes software developed by Tommi Komulainen |
| <Tommi.Komulainen@iki.fi>". |
| .LP |
| CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO |
| THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
| AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE |
| FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN |
| AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING |
| OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| .LP |
| THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO |
| THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
| AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY |
| SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN |
| AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING |
| OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |