Re: ppp security problem?
Sorry to follow up my own post, but I thought I'd provide some more
info. Logins that were attempted with just "password" as the password
were working with the default options file. I uncommented the login
option and these logins now fail.
I'm not real concerned because I'm using ppp in an ssh tunnel to set up
a vpn. I suppose I'm relying on ssh when ppp could provide an additional
layer of security for opening the connection. It's a setup similar to
that described in the VPN mini HOWTO.
I would definitely investigate this problem more thoroughly if I had a
modem connection.
On Tue, Jul 20, 1999 at 11:22:48PM -0400, Lee Bradshaw wrote:
> Hi,
>
> I just removed and reinstalled ppp and ppp-pam to check this problem
> wasn't caused by me modifying the configuration. The pap-secrets file
> claims that the options file should have the login option enabled or
> users will be able to login without a password. The options file does
> not have the option enabled. The options file does claim that mgetty
> provides this option. It seems like the descriptions need to be changed
> or there is a security problem. Any comments before I file a bug?
>
> /etc/ppp/pap-secrets:
> =====================
> # ATTENTION: The definitions here can allow users to login without a
> # password if you dont use the login option of pppd!
> # The /etc/ppp/options file installed has the login option enabled
>
> /etc/ppp/options:
> =================
> # Use the system password database for authenticating the peer using
> # PAP. Note: mgetty already provides this option. If this is specified
> # then dialin from users using a script under Linux to fire up ppp wont work.
> # login
>
> --
> Lee Bradshaw lee@sectionIV.com (preferred)
> Alantro Communications lee@alantro.com
>
>
> --
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
--
Lee Bradshaw lee@sectionIV.com (preferred)
Alantro Communications lee@alantro.com
Reply to: