Debian PPP package notes
========================
Table of contents:
+ Upgrading from versions older than 2.4.1[.uus-3]
+ Upgrading from versions older than 2.3.9 *important*
+ Upgrading from versions older than 2.3.5-2
+ Upgrading from versions older than 2.3.1
+ PAM support (needed for inbound PAP)
+ Provided user space scripts
+ Outbound dialing setup
+ Inbound setup combined with mgetty
+ Permissions
+ Demand dial-up links
+ Syslog facility level
+ Not implemented
+ Kernel 2.0.x update
Upgrading from versions older than 2.4.1[.uus-3]:
-------------------------------------------------
PPP packet filtering has been enabled since 2.4.1.uus-2, which is available
by using the "active-filter" option. See pppd(8) for more information.
The CONFIG_PPP_FILTER option is required in the kernel. (If this is not
enabled, the following warning will be sent to the syslog, but ppp will
continue to function:
  pppd[pid]: Couldn't set pass-filter in kernel: Invalid argument
)
IPv6 support has also been enabled; for usage, see the pppd(8) manpage.
Upgrading from versions older than 2.3.9:
-----------------------------------------
The default value for the number of redial attempts with the `persist'
option was changed from infinity to 10, by introducing a new `maxfail' option.
If you used the `persist' option in your pppd settings, you will have to
add `maxfail 0' to get the old behaviour back.
(Possible) Rationale: some people had ISDN dial-on-demand routers that were
dialing but failing to authenticate. Because of the pppd setting to dial
infinitely, it happened about once a second, so after a month or two, the
phone bill was several thousand pounds! This is clearly unacceptable, so the
default was changed from infinity to 10 to prevent this and all similar cases.
Upgrading from versions older than 2.3.5-2:
-------------------------------------------
The Debian package had included an incorrect example of /etc/ppp/pap-secrets
in the inbound connection section. The old, wrong example was this:
  # Every regular user can use PPP and has to use passwords from /etc/passwd
  *       molec3  ""
This was fixed in ppp package version 2.3.5-2, to:
  # Every regular user can use PPP and has to use passwords from /etc/passwd
  *       hostname        ""      *
Note: the string "hostname" must be replaced with the output of `hostname`
on your system. It will be done by the post-installation scripts, but you
should check it's done nonetheless.
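
One way to check the corrected entry on an installed system, as an added
example that is not part of the Debian package: the function below reports
inbound wildcard entries (client *, empty secret) whose server field differs
from the given hostname. The function names and the sample hostname "gateway"
are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not part of the Debian ppp package).

# check_pap_wildcard FILE HOSTNAME
# Reports inbound wildcard entries (client "*", secret "") whose server
# field is not HOSTNAME. Returns 1 if any such entry exists, 0 otherwise.
check_pap_wildcard() {
    awk -v host="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 == "*" && $3 == "\"\"" && $2 != host {
            printf "line %d: server field is %s, expected %s\n", NR, $2, host
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the old example from this README next to the fixed
# form, with "gateway" as an assumed hostname.
demo_pap_check() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
# Every regular user can use PPP and has to use passwords from /etc/passwd
*       molec3  ""
*       gateway ""      *
EOF
    check_pap_wildcard "$tmp" gateway
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_pap_check || echo "pap-secrets needs fixing"
```

On a real system the call would be
check_pap_wildcard /etc/ppp/pap-secrets "$(hostname)".
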
Upgrading from versions older than 2.3.1:
-----------------------------------------
The default setup in /etc/ppp/options is to turn authentication on.
This may cause you not to be able to log into your ISP any more, if they do
not support PAP or CHAP authentication. All you need to do is set ``noauth''
either on pppd's command line or in /etc/ppp/peers/provider, in order to switch
it off for this connection.
[Don't just turn it off again in the options file, since it is better to deny
access by default for security reasons.]
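
The two upgrade notes above (`maxfail 0' combined with `persist', and noauth
belonging in the peer file rather than in /etc/ppp/options) can be audited
with a short script. This is an added example, not part of the Debian
package; the function names are hypothetical, and the parser assumes
whitespace-separated options with # starting a comment.

```shell
#!/bin/sh
# Added example (not from the Debian ppp package). Assumes options are
# whitespace-separated words and that "#" starts a comment.

# opt_lookup FILE WORD: prints the word following WORD (may be empty);
# returns 0 if WORD occurs outside comments, non-zero otherwise.
opt_lookup() {
    awk -v w="$2" '
        { sub(/#.*/, "") }
        { for (i = 1; i <= NF; i++)
              if ($i == w) { print $(i + 1); found = 1; exit } }
        END { exit !found }
    ' "$1"
}

# audit_ppp_dir DIR: returns 1 if DIR/options weakens the auth default.
audit_ppp_dir() {
    dir=$1; rc=0
    if opt_lookup "$dir/options" noauth >/dev/null; then
        echo "FAIL: $dir/options: noauth set globally"; rc=1
    fi
    if ! opt_lookup "$dir/options" auth >/dev/null; then
        echo "FAIL: $dir/options: auth missing"; rc=1
    fi
    for peer in "$dir"/peers/*; do
        [ -f "$peer" ] || continue
        if opt_lookup "$peer" noauth >/dev/null; then
            echo "INFO: $peer: noauth (per-connection exception)"
        fi
        if opt_lookup "$peer" persist >/dev/null &&
           [ "$(opt_lookup "$peer" maxfail)" = 0 ]; then
            echo "WARN: $peer: persist with maxfail 0 redials without limit"
        fi
    done
    return $rc
}

# Constructed sample tree standing in for /etc/ppp.
demo_audit() {
    d=$(mktemp -d) || return 2
    mkdir "$d/peers"
    printf 'auth\n# noauth\n' > "$d/options"
    printf 'noauth\npersist maxfail 0\n' > "$d/peers/provider"
    audit_ppp_dir "$d"; demo_rc=$?
    rm -rf "$d"
    return $demo_rc
}

demo_audit
```

On a real system the call would be audit_ppp_dir /etc/ppp.
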
PAM support (needed for inbound PAP):
-------------------------------------
pppd with PAM support for inbound PAP logins is now available in the
normal `ppp' package, marking the `ppp-pam' package obsolete. The
packaging system should automatically remove the old package on upgrade.
Provided user space scripts:
----------------------------
Since release 2.3.1, the ppp package provides scripts to conveniently
control PPP from user space. Note that the scripts only work with the
proper setup in /etc/ppp. Edit the configuration files and test the
operation of your link in superuser mode first.
  pon   Bring link up. Executes pppd (you may specify the ISP name
        on the command line), and will immediately return the
        command prompt while still dialing.
  plog  Shows the last lines of the pppd log. Basically, does
        tail ppp.log.
  poff  Bring link down. Terminates connection by killing pppd.
Please read the manual page pon(1) for specific descriptions of these
commands.
Outbound and inbound dialing setup:
-----------------------------------
pppd attempts to handle both inbound and outbound through one set of
configuration files. The /etc/ppp/options file has been set up for the
most common setups.
If it isn't absolutely necessary, please don't edit the file, but specify
parameters on the commandline. If you find a change that would be beneficial
to all users, then please inform the package maintainer about it.
Outbound dialing setup:
-----------------------
Edit the file /etc/chatscripts/provider and make sure it contains what
you need to dial-up into your server and eventually start up PPP on the
remote machine. I.e. replace strings in brackets with appropriate values
like telephone number, login name, and password.
Edit the file /etc/ppp/peers/provider and put all options in it that you need
to connect to your server. The most common options are already provided for
you. If you need the common PAP password authentication then add
`user <username>' to it. Otherwise you might also change the system name to
be like your username. The system name is used for authentication if you do
not provide the "user" directive. See also pppd(8) manual page.
Note: If you are NOT using PAP or CHAP authentication, you need to put
`noauth' in /etc/ppp/peers/provider to allow a connection to be made.
Edit the file /etc/ppp/pap-secrets and put your password into the designated
location.
You should then be able to start the PPP connection with pon.
If you want to have PPP on bootup then rename the file
/etc/ppp/no_ppp_on_boot to /etc/ppp/ppp_on_boot. If you wish to further
customize it, mark it executable and edit it (it's a shell script).
For more advanced usage of PPP outbound connections install pppconfig.
Inbound setup combined with mgetty:
-----------------------------------
Note: for this to work you need to have mgetty version >= 0.99 with its
AutoPPP feature turned on.
Edit the /etc/ppp/options file and uncomment the nameserver lines. Provide
the IP addresses that you want the users to use for their name services.
To have one options file for each serial port you run mgetty on, use
the files /etc/ppp/options.ttyXX. Give each serial port an IP address
in those files. That way that port is locked into using that IP number.
Think what consequences that assignment might have for outbound use...
That should be enough for dial-up from a Win9x or NT Server. The
username/password on those systems is used for PAP authentication.
The /etc/ppp/pap-secrets is already set up for such a situation. Mgetty is
preconfigured to call pppd with parameters so that the PAP verification will
be done through the /etc/passwd file.
All your users should now be able to establish PPP connections by just
specifying phone number, username, and password from Win9x.
Inbound dial-up using dial-up scripts:
A PPP session can be established from the regular Linux prompt by executing
/usr/sbin/pppd. The user is limited to using the assigned IP address in
/etc/ppp/options.ttyname and will not be able to override it.
Note: there is support for callback, it can be done through scripts
(see /usr/share/doc/ppp/examples/scripts/*callback), and with mgetty's
`callback' program (see callback(8) manual page).
Permissions:
------------
Access to PPPD is controlled via the membership in the "dip" group.
Demand dial-up links:
---------------------
Note: if you use an older kernel version (older 2.0.x), you need to patch
the kernel itself, in order to support demand dial-up with the patches for
PPP 2.3.
Add the following options to /etc/ppp/peers/provider:
  demand idle 600 holdoff 20
to set up demand dialing. The link is disconnected after 600 seconds
(= 10 minutes) of idle time, and there are 20 seconds between attempts
to connect. This setup implies the "persist"
option. You might also want to enable PPP on boot up so you won't have to
worry about the PPP connection at all.
Syslog facility level:
----------------------
The default level of LOG_DAEMON has been overridden (as described in the
pppd(8) man page), to be LOG_LOCAL2. The intent is that local2 be sent
to /var/log/ppp.log for use by plog, if you add the following line to your
/etc/syslog.conf file:
  local2.*        -/var/log/ppp.log
Not implemented:
----------------
Password expiration was once implemented with a direct call to a
non-exported function in libshadow, but isn't anymore. Why are
they doing such things?
Kernel 2.0.x update:
--------------------
As of version 2.3.1 the kernel stuff is broken for some old 2.0.x kernels.
See the file called "kernel.fix-2.0.30-2" in this directory.
-- Christoph Lameter <clameter@debian.org>, 22 July 1997
Phil Hands <phil@hands.com>
Josip Rodin <jrodin@jagor.srce.hr>, 27 November 1999.