Re: ppp security problem?
Sorry to follow up my own post, but I thought I'd provide some more
info. Logins that were attempted with just "password" as the password
were working with the default options file. I uncommented the login
option and these logins now fail.
I'm not real concerned because I'm using ppp in an ssh tunnel to set up
a vpn. I suppose I'm relying on ssh when ppp could provide an additional
layer of security for opening the connection. It's a setup similar to
that described in the VPN mini HOWTO.
I would definitely investigate this problem more thoroughly if I had a
On Tue, Jul 20, 1999 at 11:22:48PM -0400, Lee Bradshaw wrote:
> I just removed and reinstalled ppp and ppp-pam to check this problem
> wasn't caused by me modifying the configuration. The pap-secrets file
> claims that the options file should have the login option enabled or
> users will be able to login without a password. The options file does
> not have the option enabled. The options file does claim that mgetty
> provides this option. It seems like the descriptions need to be changed
> or there is a security problem. Any comments before I file a bug?
> # ATTENTION: The definitions here can allow users to login without a
> # password if you dont use the login option of pppd!
> # The /etc/ppp/options file installed has the login option enabled
> # Use the system password database for authenticating the peer using
> # PAP. Note: mgetty already provides this option. If this is specified
> # then dialin from users using a script under Linux to fire up ppp wont work.
> # login
> Lee Bradshaw lee@sectionIV.com (preferred)
> Alantro Communications firstname.lastname@example.org
> To UNSUBSCRIBE, email to email@example.com
> with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org
Lee Bradshaw lee@sectionIV.com (preferred)
Alantro Communications email@example.com