
Bug#126406: kppp: Alternative for using noauth as suggested by README



Hello,

On Thu, Apr 15, 2004 at 09:18:20 +0200, Dominique Devriese wrote:
> Ernst Kloppenburg writes:
> 
> > Package: kppp Version: 4:3.1.5-1 Severity: normal Followup-For: Bug
> > #126406
> 
> > as the original bug reporter says, /usr/share/doc/kppp/README.Debian
> > gives the very questionable advice to set "noauth" in
> > /etc/ppp/options
> 
> Are you sure that you know what this option does?  It does not mean
> that all users are allowed to change ppp settings.  It means that the
> ppp client does not try to check the authentication of the ppp server
> of your ISP.  Quite a lot of ISPs have broken authentication configs
> on their servers, because windows clients never check them anyway.

I think I clearly understand the noauth option:
- if noauth is given, your pppd does not require the ppp server of the
  ISP to authenticate (which would not be possible)
- there is a second case, where noauth applies: when somebody dials
  into your machine (which may be wanted or not).

It is for this second case that putting 'noauth' into the options
file is not recommended.

Therefore, normally all provider configurations in
/etc/ppp/peers do contain 'noauth'.

Putting noauth into the kppp configuration normally is not possible,
because noauth is a privileged option. This is solved by 'privgroup dip'.

> 
> > I found a different solution to make kppp work: add the following to
> > /usr/share/doc/kppp/README.Debian
> 
> > privgroup dip
> 
> > And put the people in dip that should be able to use kppp.
> 
> > w.r.t. security this is better, but not optimal, of course
> 
> Since no one is allowed to execute kppp unless they're in the dip
> group, this would be pretty pointless, no?  If you read
> /usr/share/doc/kppp/README.Debian again, you'll see that the dip group
> and its meaning is already explained there.
> 

I admit that I unnecessarily mentioned that people should be put in
the group dip because they already need to be.

But my point (which you may have missed) was to add 'privgroup dip' to
the configuration file. Because this enables everybody who is in the
group dip to add the privileged option 'noauth' to their kppp
configuration. Thus putting 'noauth' into /etc/ppp/options can be
avoided.

-- 
Ernst Kloppenburg
Stuttgart, Germany
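
The two configurations compared in this message, as an added example that is not part of the original e-mail or of the kppp package: a small audit that flags a global 'noauth' and reports any 'privgroup' setting. It assumes "the configuration file" is a pppd options file such as /etc/ppp/options; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message or the kppp package.
# Assumes "the configuration file" is a pppd options file such as /etc/ppp/options.
# pppd reads an options file as whitespace-delimited words; '#' starts a comment.
# Simplification: quoted words containing spaces or '#' are not handled.

# Print one finding per line: GLOBAL_NOAUTH and/or PRIVGROUP=<group>.
audit_ppp_options() {
    awk '
        {
            sub(/#.*/, "")                       # strip comments
            for (i = 1; i <= NF; i++) {
                if (want_group) { print "PRIVGROUP=" $i; want_group = 0; continue }
                if ($i == "noauth")    print "GLOBAL_NOAUTH"
                if ($i == "privgroup") want_group = 1   # its argument is the next word
            }
        }
    ' "$1"
}

# Return 0 when noauth is not set globally, 1 when it is.
check_ppp_options() {
    findings=$(audit_ppp_options "$1")
    if printf '%s\n' "$findings" | grep -qx 'GLOBAL_NOAUTH'; then
        echo "FAIL $1: noauth is global and also covers incoming connections"
        return 1
    fi
    group=$(printf '%s\n' "$findings" | sed -n 's/^PRIVGROUP=//p' | tail -n 1)
    if [ -n "$group" ]; then
        echo "OK $1: noauth is not global; members of '$group' may use privileged options"
    else
        echo "OK $1: noauth is not global; no privgroup set"
    fi
}

# Constructed sample files (not real system configuration).
demo_dir=$(mktemp -d)
printf 'lock\nnoauth   # advice from the README\n' > "$demo_dir/options.readme"
printf 'lock\n# noauth\nprivgroup dip\n' > "$demo_dir/options.privgroup"
check_ppp_options "$demo_dir/options.readme" || true
check_ppp_options "$demo_dir/options.privgroup"
rm -rf "$demo_dir"
```

Note that 'privgroup' lets the named group use every privileged pppd option, not only 'noauth', so group membership is worth reviewing alongside this check.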


