[Appendix A] A.2 The PPP Daemon

Disables all LCP and IPCP negotiations.
-am
Disables asyncmap negotiation. Sends all control characters as two-character escape
sequences.
asyncmap map
Defines the ASCII control characters that must be sent as two-character escape sequences. The
first 32 ASCII characters are control characters. map is a 32-bit hex number with each bit
representing a control character. Bit 0 (00000001) represents the character 0x00; bit 31
(80000000) represents the character 0x1f. If a bit is on in map, the character represented by
that bit must be sent as an escape sequence. If no asyncmap option is specified, all control
characters are sent as escape sequences. The asyncmap option can also be written as -as map.
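The following is an added example, not code from the book or from pppd itself. It builds an asyncmap from a list of control characters exactly as the option text above defines the bits (bit 0 for 0x00 up to bit 31 for 0x1f, all bits set when no asyncmap is given), and then applies the two-character escape to a byte string. The escape encoding itself (the 0x7d control-escape octet followed by the character XOR 0x20, with 0x7d and the 0x7e flag always escaped) is taken from RFC 1662 rather than from this page; the XON/XOFF sample map is constructed for illustration.

```python
# Added example (not from the book or pppd): building a pppd-style asyncmap and
# applying the two-character escape used on asynchronous PPP links.
# Map semantics follow the asyncmap option text: bit i set => control character
# 0x00 + i must be escaped.  The escape encoding (0x7d, then char XOR 0x20) is
# from RFC 1662, not from this page.

DEFAULT_ASYNCMAP = 0xFFFFFFFF   # no asyncmap option: every control character escaped
PPP_FLAG = 0x7E                 # frame delimiter, always escaped inside a frame
PPP_ESCAPE = 0x7D               # control-escape octet, always escaped itself
XOR_MASK = 0x20


def asyncmap_from_chars(chars) -> int:
    """Return the 32-bit asyncmap with one bit set per control character given."""
    m = 0
    for c in chars:
        if not 0 <= c <= 0x1F:
            raise ValueError(f"0x{c:02x} is not an ASCII control character (0x00-0x1f)")
        m |= 1 << c
    return m


def chars_from_asyncmap(m: int) -> list:
    """Inverse of asyncmap_from_chars: the control characters a map escapes."""
    return [c for c in range(32) if (m >> c) & 1]


def needs_escape(byte: int, m: int) -> bool:
    """True if this octet must be sent as a two-character sequence under map m."""
    if byte in (PPP_FLAG, PPP_ESCAPE):
        return True
    return byte < 0x20 and bool((m >> byte) & 1)


def escape(data: bytes, m: int) -> bytes:
    """Encode data for the serial line: escaped octets become 0x7d, octet ^ 0x20."""
    out = bytearray()
    for b in data:
        if needs_escape(b, m):
            out += bytes((PPP_ESCAPE, b ^ XOR_MASK))
        else:
            out.append(b)
    return bytes(out)


def unescape(data: bytes) -> bytes:
    """Decode a received byte string; a trailing lone 0x7d is a framing error."""
    out = bytearray()
    it = iter(data)
    for b in it:
        if b == PPP_ESCAPE:
            try:
                out.append(next(it) ^ XOR_MASK)
            except StopIteration:
                raise ValueError("truncated escape sequence at end of data")
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: escape only XON (0x11) and XOFF (0x13), the characters
    # a software-flow-control modem would otherwise swallow.
    xon_xoff = asyncmap_from_chars([0x11, 0x13])
    print(f"asyncmap {xon_xoff:08x}")                 # asyncmap 000a0000
    print(escape(b"\x11A\x7e", xon_xoff).hex())       # 7d31417d5e
```

The decoder is the interesting half for a defender: an implementation that does not treat a dangling escape octet as an error will silently produce a shorter frame than the sender transmitted, which is why unescape raises instead of returning partial data.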
auth
Requires the use of an authentication protocol. See Chapter 6 for a discussion of the
authentication protocols CHAP and PAP.
bsdcomp receive,transmit
Enables the BSD-Compress scheme to compress packets. The maximum length code word
used to compress packets accepted by this host is receive bits long. The maximum code
word length used to compress packets sent by this host is transmit bits long. Acceptable
code word length is 9 to 15 bits. Disable compression when receiving or transmitting by
placing a 0 in receive or transmit, respectively.
-bsdcomp
Disables BSD-Compress compression.
+chap
Requires the use of the Challenge Handshake Authentication Protocol (CHAP).
-chap
Disables the use of CHAP. This is a bad idea.
chap-interval n
Tells system to use CHAP to reauthenticate the remote system every n seconds.
chap-max-challenge n
Tells system to send the CHAP challenge to the remote system a maximum of n times until the
remote system responds. The default is 10.
chap-restart n
Tells system to wait n seconds before retransmitting a CHAP challenge when the remote
system fails to respond. The default is 3 seconds.
file:///C|/mynapster/Downloads/warez/tcpip/appa_02.htm (2 of 9) [2001-10-15 09:19:10]
connect script
Invokes a script to create the serial connection. Any scripting language can be used, but
chat is the most common. See Chapter 6 for an example of using connect to invoke an inline
chat script.
crtscts
Enables hardware flow control (RTS/CTS).
-crtscts
Disables hardware flow control (RTS/CTS).
debug
Logs all control packets sent or received using syslogd with facility daemon and level debug.
The debug option can also be written as -d.
defaultroute
Defines the PPP link as the default route. The route is removed when the connection is closed.
-defaultroute
Prevents users from creating a default route using the defaultroute option.
-detach
Prevents pppd from running as a background process. See the example in Chapter 6.
disconnect script
Invokes a script to gracefully shut down the serial connection. Any scripting language can
be used, but chat is the most common.
domain name
Defines the name of the local domain. Use this if hostname does not return a fully qualified
name for the local system.
escape x,x,...
Specifies characters that should be transmitted as two-character escape sequences. The
characters are specified in a comma-separated list of hex numbers. Any character except 0x20 through 0x3f and 0x5e can be escaped.
file file
Defines another options file, where file is the name of the new file. Options are normally
read from /etc/ppp/options, ~/.ppprc, the command line, and /etc/ppp/options.device. See the
description of these files earlier in this section.
-ip
Disables IP address negotiation. When used, the remote IP address must be explicitly defined
by a pppd option.
+ip-protocol
Enables the IPCP and IP protocols, which is the default.
-ip-protocol
Disables the IPCP and IP protocols. This should never be used on a TCP/IP network. It is for
pure IPX networks.
ipcp-accept-local
Tells system to use the local IP address provided by the remote server even if it is defined
locally.
ipcp-accept-remote
Tells system to use the remote IP address provided by the remote server even if it is defined
locally.
ipcp-max-configure n
Tells system to send the IPCP configure-request packet a maximum of n times. The default is
10.
ipcp-max-failure n
Tells system to accept up to n IPCP configure-NAKs before sending a configure-reject. The
default is 10.
ipcp-max-terminate n
Tells system to send no more than n IPCP terminate-request packets without receiving an
acknowledgment. The default is 3.
ipcp-restart n
Tells system to wait n seconds before resending an IPCP configure-request packet. The default
is 3.
ipparam string
Passes string to the ip-up and ip-down scripts. /etc/ppp/ip-up is a shell script executed by
pppd when the link comes up. /etc/ppp/ip-down is a shell script executed by pppd when the
link is brought down.
kdebug n
Enables kernel-level debugging. n is 1 to print general debugging messages, 2 to print received
packets, and 4 to print transmitted packets.
lcp-echo-failure n
Tells system to terminate the connection if no reply is received to n LCP echo-requests.
Normally echo-requests are not used for this purpose because "link down" conditions are
determined by the modem hardware.
lcp-echo-interval n
Tells system to wait n seconds before sending another LCP echo-request when the remote
system fails to reply.
lcp-max-configure n
Tells system to send the LCP configure-request packet a maximum of n times. The default is
10.
lcp-max-failure n
Tells system to accept up to n LCP configure-NAKs before sending a configure-reject. The
default is 10.
lcp-max-terminate n
Tells system to send no more than n LCP terminate-request transmissions without receiving an
acknowledgment. The default is 3.
lcp-restart n
Tells system to wait n seconds before resending a LCP configure-request packet. The default is
3.
local
Tells system to ignore the DCD (Data Carrier Detect) and DTR (Data Terminal Ready) modem
control lines.
lock
Tells system to use a UUCP-style lock file to ensure that pppd has exclusive access to the
serial device.
login
Tells system to use the /etc/passwd file to authenticate PAP users. Records the login in the
wtmp file.
modem
Tells system to use the DCD (Data Carrier Detect) and DTR (Data Terminal Ready) modem
control lines; wait for the DCD signal before opening the serial device; and drop the DTR
signal when terminating a connection.
-mn
Disables magic number negotiation.
mru n
Sets the Maximum Receive Unit (MRU) to n bytes. MRU is used to tell the remote system the
maximum packet size the local system can accept. The minimum is 128. The default is 1500.
-mru
Disables Maximum Receive Unit (MRU) negotiation.
mtu n
Sets the Maximum Transmission Unit (MTU) to n bytes. MTU defines the maximum length of
a packet that can be sent. The smaller of the local MTU and the remote MRU is used to define
the maximum packet length.
name name
Tells system to use name as the name of the local system for authentication purposes.
netmask mask
Defines the subnet mask.
noipdefault
Instructs system not to use hostname to determine the local IP address. The address must be
obtained from the remote system or explicitly set by an option.
+pap
Requires the use of the Password Authentication Protocol (PAP).
-pap
Disables the use of PAP.
papcrypt
Instructs system not to accept a transmitted password that is identical to an entry in the
/etc/ppp/pap-secrets file, because the entries in that file are stored encrypted. The transmitted
password is compared only after it too has been encrypted; a cleartext match is rejected.
pap-max-authreq n
Tells system to transmit no more than n PAP authenticate-requests if the remote system does
not respond. The default is 10.
pap-restart n
Tells system to wait n seconds before retransmitting a PAP authenticate-request. The default is
3 seconds.
pap-timeout n
Tells system to wait no more than n seconds for the remote system to authenticate itself. When
n is 0, there is no time limit.
passive
Tells system to wait for a Link Control Protocol (LCP) packet from the remote system even if
that system does not reply to the initial LCP packet sent by the local system. Without this
option the local system aborts the connection when it does not receive a reply. The passive
option can also be written as -p.
-pc
Disables protocol field compression negotiation. By default, protocol field compression is not
used. Setting this option means that even if the remote end requests it, it will not be used.
persist
Tells system to reopen the connection if it was terminated by a SIGHUP signal.
pred1comp
Tells system to ask the remote system to use Predictor-1 compression.
-pred1comp
Tells system not to use Predictor-1 compression.
proxyarp
Tells system to enable proxy ARP. This adds a proxy ARP entry for the remote system to the
local system's ARP table.
-proxyarp
Disables the proxyarp option, preventing users from creating proxy ARP entries with pppd.
remotename name
Tells system to use name as the remote system's name for authentication purposes.
silent
Tells system to wait for an LCP packet from the remote system. Do not send the first LCP
packet.
usehostname
Disables the name option, forcing the local hostname to be used for authentication purposes.
user username
Tells system to use username for PAP authentication when challenged by a remote host.
-vj
Disables Van Jacobson header compression.
-vjccomp
Disables the connection-ID compression option in Van Jacobson header compression.
vj-max-slots n
Tells system to use n connection slots for Van Jacobson header compression. n must be a
number from 2 to 16.
Several of the options listed above concern PPP security. One of the strengths of PPP is its security.
The Challenge Handshake Authentication Protocol (CHAP) is the preferred PPP security protocol.
The Password Authentication Protocol (PAP) is less secure and only provided for compatibility with
less capable systems. The usernames, IP addresses, and secret keys used for these protocols are
defined in the /etc/ppp/chap-secrets file and the /etc/ppp/pap-secrets file. Chapter 6 shows the format
of these files and describes their use.
It is very important that the directory /etc/ppp and the files in that directory not be world- or
group-writable. Modifications to the chap-secrets, pap-secrets, or options files could compromise system
security. In addition, the script files /etc/ppp/ip-up and /etc/ppp/ip-down may run with root privilege.
If pppd finds a file with the name ip-up in the /etc/ppp directory, it executes it as soon as the PPP
connection is established. The ip-up script is used to modify the routing table, process the sendmail
queue, or do other tasks that depend on the presence of the network connection. The ip-down script is
executed by pppd after the PPP connection is closed and is used to terminate processes that depend
on the link. Clearly these scripts and the /etc/ppp directory must be protected.
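As an added example (not code from the book), the check below walks a PPP configuration directory and reports the conditions the paragraph above warns about: any directory or file that is group- or world-writable. It additionally flags the two secrets files if anyone other than the owner can read them, which is stricter than the text requires but follows from the files holding the authentication secrets. The sample tree it builds for a dry run is constructed; point audit_ppp_dir at the real /etc/ppp to audit a live system.

```python
# Added example (not from the book): audit /etc/ppp for the permission problems
# the appendix warns about.  Findings are plain strings; an empty list is clean.
import os
import stat
import tempfile

SECRETS = ("chap-secrets", "pap-secrets")


def audit_ppp_dir(root="/etc/ppp") -> list:
    """Return one finding per problem found under root (directory included)."""
    if not os.path.isdir(root):
        return [f"{root}: not a directory, nothing to audit"]
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames) + sorted(filenames):
            paths.append(os.path.join(dirpath, name))
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits mean nothing; audit its target separately
        mode = stat.S_IMODE(st.st_mode)
        # The text's requirement: nothing under /etc/ppp may be group- or world-writable.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group- or world-writable (mode {mode:04o})")
        # Stricter, added here: secrets must not be readable by group or others either.
        if os.path.basename(path) in SECRETS and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{path}: secrets readable by group or others (mode {mode:04o})")
    return findings


def build_sample_tree() -> str:
    """Constructed /etc/ppp look-alike with two deliberate problems, for a dry run."""
    root = tempfile.mkdtemp(prefix="ppp-audit-")
    os.chmod(root, 0o755)
    layout = {
        "options": 0o666,       # world-writable: anyone can add options such as a connect script
        "chap-secrets": 0o600,  # correct
        "pap-secrets": 0o644,   # world-readable secrets
        "ip-up": 0o755,         # executable but only owner-writable: correct
    }
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for line in audit_ppp_dir(build_sample_tree()):
        print(line)
```

The writable check is applied to the directory itself as well as its contents: a writable /etc/ppp lets a user replace ip-up or options by renaming even when the existing files are read-only.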

A.2.1 Signal processing
pppd handles the following signals:
SIGUSR1
This signal toggles debugging on or off. The first SIGUSR1 signal received by pppd turns on
debugging and begins logging diagnostic messages through syslogd with facility set to daemon
and level set to debug. The second SIGUSR1 signal turns off debugging and closes the log file.
See the debug option described above.
SIGUSR2
This signal causes pppd to renegotiate compression. It has limited applicability because it is
only needed to restart compression after a fatal error has occurred. Most people close the PPP
connection and open a new one after a fatal error.
SIGHUP
This signal closes the PPP connection, returns the serial device to its normal operating mode,
and terminates pppd. If the persist option is specified, pppd opens a new connection instead
of terminating.
SIGINT
This signal, or the SIGTERM signal, closes the PPP connection, returns the serial device to its
normal operating mode, and terminates pppd. The persist option has no effect.

[Appendix A] A.3 chat

Appendix A
PPP Tools

A.3 chat
chat is a general-purpose scripting language that is used to control the modem, dial the remote server,
and perform the remote system login. chat is less powerful than dip but is widely used. The
"expect/send" structure of a chat script is the fundamental structure used in most scripting languages.
A chat script is composed of expect/send pairs. These pairs consist of the string expected from the
remote system, separated by whitespace from the response that is sent to the remote host when the
expected string is received. If no string is expected from the remote system, two quotes ("") or two
apostrophes ('') are used to "expect nothing." A simple chat script is:
"" \r name> jane word> TOga!toGA
The script expects nothing ("") until it sends the remote system a carriage return (\r). Then the script
expects the remote system to send the string name>, which is part of the system's Username>
prompt. In response to this prompt, the script sends the username jane. Finally the script waits for
part of the Password> prompt and responds with TOga!toGA. A script this simple can be defined
directly on the chat command line:
% chat -v -t30 "" \r name> jane word> TOga!toGA
This command runs chat in verbose mode, sets the length of time the script waits for an expected
string to 30 seconds, and then executes the simple login script described above.
The syntax of the chat command is:
chat [options] [script]
The chat command options are:
-v
Runs the chat script in verbose mode. Verbose mode logs informational messages via syslogd.
-V
Runs the chat script in stderr verbose mode. The stderr verbose mode displays informational
messages on the stderr device. See Chapter 6 for an example of this being used with pppd.
-t timeout
Sets the maximum time to wait for an expected string. If the expected string is not received in
timeout seconds, the reply string is not sent and the script
terminates—unless an alternate send is defined. If defined, the alternate
send (more about this later) is sent and the remote system is given one more timeout period
to respond. If this fails, the script is terminated with a nonzero error code. By default, the
timeout period is 45 seconds.
-f scriptfile
Reads the chat script from the scriptfile instead of from the command line. Multiple
lines of expect/send pairs are permitted in the file.
-r reportfile
Writes the output generated by REPORT strings to the reportfile. By default, REPORT
strings are written to stderr. The REPORT keyword is covered below.
In order to make the scripts more useful and robust, chat provides special keywords, escape
sequences, and alternate send/expect pairs that can be used in the script. First let's look at the five chat
keywords.
Two keywords transmit special signals to the remote system. The keyword EOT sends the End of
Transmission character. On UNIX systems this is usually the End of File character, which is a
CTRL-D. The BREAK keyword sends a line break to the remote system. The three remaining keywords
define processing characteristics for the script itself.
The TIMEOUT keyword defines the amount of time to wait for an expected string. Because it is
defined inside the script, the timeout value can be changed for each expected string. For example,
assume you want to allow the remote server 30 seconds to display the initial Username> prompt but
only 5 seconds to display Password> once the username has been sent. Enter this script command:
TIMEOUT 30 name> karen TIMEOUT 5 word> beach%PARTY
The ABORT keyword and the REPORT keyword are similar. They both define strings that, when
received, cause a special action to take place. The ABORT keyword defines strings that cause the
script to abort if they are received when the system is expecting the string CONNECT from the
modem. The REPORT keyword defines substrings that determine what messages received on the
serial port should be written to stderr or the report file. A sample chat script file illustrates both of
these keywords:
REPORT CONNECT
ABORT BUSY
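The interpreter below is an added example, not code from the book or from the chat program itself. It executes the expect/send structure described above, including the "" and '' tokens for "expect nothing", the \r and \n escapes, and the TIMEOUT, ABORT, REPORT, EOT and BREAK keywords, against a constructed fake peer so it can run without a modem. Two behaviours go beyond the text and are assumptions about how chat works: each send is followed by a carriage return, and ABORT strings are checked during every expect rather than only while waiting for CONNECT. Real chat measures timeouts in wall-clock seconds; here a timeout is simply "the peer produced no matching output". Alternate send/expect pairs are not implemented.

```python
# Added example (not from the book or chat): a small interpreter for chat-style
# expect/send scripts, run against a constructed fake peer instead of a modem.


class ChatError(Exception):
    """Raised when the script aborts or times out (chat would exit nonzero)."""


_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\"}


def unescape_token(tok: str) -> str:
    """Turn one script token into the string to expect or send."""
    if tok in ('""', "''"):
        return ""                       # expect nothing / send nothing
    out, i = [], 0
    while i < len(tok):
        if tok[i] == "\\" and i + 1 < len(tok) and tok[i + 1] in _ESCAPES:
            out.append(_ESCAPES[tok[i + 1]])
            i += 2
        else:
            out.append(tok[i])
            i += 1
    return "".join(out)


def _first_index(text: str, needles):
    hits = [(text.index(n), n) for n in needles if n in text]
    return min(hits) if hits else None


def run_chat(script: str, peer, timeout: int = 45) -> dict:
    """Run script against peer(sent) -> text the remote emits, or None if silent.
    Returns what was sent and the lines captured by REPORT strings."""
    tokens = script.split()             # tokens contain no whitespace, as in the book's examples
    aborts, reports, report_out, sent_log = [], [], [], []
    received = peer(None) or ""         # anything the remote says before we speak
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("TIMEOUT", "ABORT", "REPORT"):      # keywords occupy an expect slot
            if i + 1 >= len(tokens):
                raise ChatError(f"{tok} needs an argument")
            arg = tokens[i + 1]
            if tok == "TIMEOUT":
                timeout = int(arg)      # applies to every later expect until changed again
            elif tok == "ABORT":
                aborts.append(arg)
            else:
                reports.append(arg)
            i += 2
            continue
        expect = unescape_token(tok)
        send = unescape_token(tokens[i + 1]) if i + 1 < len(tokens) else None
        i += 2
        if expect:
            abort_hit = _first_index(received, aborts)
            exp_pos = received.find(expect)
            if abort_hit is not None and (exp_pos < 0 or abort_hit[0] < exp_pos):
                raise ChatError(f"abort on {abort_hit[1]!r}")
            for r in reports:           # REPORT captures the string and the rest of its line
                if r in received:
                    report_out.append(received[received.index(r):].split("\n")[0].rstrip("\r"))
            if exp_pos < 0:
                raise ChatError(f"timed out after {timeout}s waiting for {expect!r}")
            received = received[exp_pos + len(expect):]
        if send is None:
            break
        if send == "EOT":
            wire = "\x04"               # End of Transmission, CTRL-D
        elif send == "BREAK":
            wire = "<BREAK>"            # stand-in for a serial line break
        else:
            wire = send + "\r"          # assumption: chat appends a carriage return to each send
        sent_log.append(wire)
        received += peer(wire) or ""
    return {"sent": sent_log, "report": report_out}


def run_chat_status(script: str, peer, timeout: int = 45):
    """(True, result) on success, (False, reason) when the script aborts or times out."""
    try:
        return True, run_chat(script, peer, timeout)
    except ChatError as err:
        return False, str(err)


class FakeLoginServer:
    """Constructed stand-in for a modem plus a remote login prompt (not a real peer)."""

    def __init__(self, busy: bool = False):
        self.busy = busy

    def __call__(self, sent):
        if sent is None:
            return ""
        if sent == "ATDT5551212\r":
            return "BUSY\r\n" if self.busy else "CONNECT 28800\r\n"
        if sent == "\r\r":
            return "Welcome to the example host\r\nUsername> "
        if sent == "jane\r":
            return "Password> "
        if sent == "TOga!toGA\r":
            return "Last login: never\r\n$ "
        return None                     # anything else: the remote stays silent


LOGIN_SCRIPT = 'REPORT CONNECT ABORT BUSY "" ATDT5551212 CONNECT \\r name> jane word> TOga!toGA'
TIMEOUT_SCRIPT = 'TIMEOUT 5 "" \\r name> nobody word> x'
```

Running LOGIN_SCRIPT against FakeLoginServer() produces the four sends and a single REPORT line "CONNECT 28800"; with FakeLoginServer(busy=True) the script stops at the CONNECT expect with an abort on BUSY, and TIMEOUT_SCRIPT times out after the 5-second window set in the script because the fake host never shows a password prompt for an unknown user. Note that passwords in a chat script are visible to anyone who can read the script file or the process arguments, which is why the -f scriptfile form with a protected file is preferable to the command-line form.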