Bug#126406: kppp: Alternative for using noauth as suggested by README
On Thu, Apr 15, 2004 at 09:18:20 +0200, Dominique Devriese wrote:
> Ernst Kloppenburg writes:
> > Package: kppp Version: 4:3.1.5-1 Severity: normal Followup-For: Bug
> > #126406
> > as the original bug reporter says, /usr/share/doc/kppp/README.Debian
> > gives the very questionable advice to set "noauth" in
> > /etc/ppp/options
> Are you sure that you know what this option does ? It does not mean
> that all users are allowed to change ppp settings. It means that the
> ppp client does not try to check the authentication of the ppp server
> of your ISP. Quite a lot of ISPs have broken authentication configs
> on their servers, because windows clients never check them anyway.
I think I clearly understand the noauth option:
- if noauth is given, your pppd does not require the ppp server of the
ISP to authenticate (which would not be possible)
- there is a second case, where noauth applies: when somebody dials
into your machine (which may be wanted or not).
It is for this second case, that putting 'noauth' into the options
file is not recommended.
Therefore, normally all provider configurations in
/etc/ppp/peers do contain 'noauth'.
Putting noauth into the kppp configuration normally is not possible,
because noauth is a privileged option. This is solved by 'privgroup dip'.
> > I found a different solution to make kppp work: add the following to
> > /usr/share/doc/kppp/README.Debian
> > privgroup dip
> > And put the people in dip that should be able to use kppp.
> > w.r.t. to security this is better, but not optimal, of course
> Since noone is allowed to execute kppp unless they're in the dip
> group, this would be pretty pointless, no ? If you read
> /usr/share/doc/kppp/README.Debian again, you'll see that the dip group
> and its meaning is already explained there.
I admit that I unnecessarily mentioned that people should be put in
the group dip because they already need to be.
But my point (which you may have missed) was to add 'privgroup dip' to
the configuration file. Because this enables everybody who is in the
group dip to add the priviledged option 'noauth' to their kppp
configuration. Thus putting 'noauth' into /etc/ppp/options can be