.\" manual page [] for pppd 2.3
.\" $Id$
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
.\" IP indented paragraph
.\" TP hanging label
.TH PPPD 8
.SH NAME
pppd \- Point to Point Protocol daemon
.SH SYNOPSIS
.B pppd
[
.I tty_name
] [
.I speed
] [
.I options
]
.SH DESCRIPTION
.LP
The Point-to-Point Protocol (PPP) provides a method for transmitting
datagrams over serial point-to-point links. PPP
is composed of three parts: a method for encapsulating datagrams over
serial links, an extensible Link Control Protocol (LCP), and
a family of Network Control Protocols (NCP) for establishing
and configuring different network-layer protocols.
.LP
The encapsulation scheme is provided by driver code in the kernel.
Pppd provides the basic LCP, authentication support, and an NCP for
establishing and configuring the Internet Protocol (IP) (called the IP
Control Protocol, IPCP).
.SH FREQUENTLY USED OPTIONS
.TP
.I <tty_name>
Communicate over the named device. The string "/dev/" is prepended if
necessary. If no device name is given, or if the name of the terminal
connected to the standard input is given, pppd will use that terminal,
and will not fork to put itself in the background. A value for this
option from a privileged source cannot be overridden by a
non-privileged user.
.TP
.I <speed>
Set the baud rate to <speed> (a decimal number). On systems such as
4.4BSD and NetBSD, any speed can be specified. Other systems
(e.g. SunOS) allow only a limited set of speeds.
.TP
.B asyncmap \fI<map>
Set the async character map to <map>. This map describes which
control characters cannot be successfully received over the serial
line. Pppd will ask the peer to send these characters as a 2-byte
escape sequence. The argument is a 32 bit hex number with each bit
representing a character to escape. Bit 0 (00000001) represents the
character 0x00; bit 31 (80000000) represents the character 0x1f or ^_.
If multiple \fIasyncmap\fR options are given, the values are ORed
together. If no \fIasyncmap\fR option is given, no async character
map will be negotiated for the receive direction; the peer should then
escape \fIall\fR control characters. To escape transmitted
characters, use the \fIescape\fR option.
.TP
.B auth
Require the peer to authenticate itself before allowing network
packets to be sent or received. This option is the default if the
system has a default route. If neither this option nor the
\fInoauth\fR option is specified, pppd will only allow the peer to use
IP addresses to which the system does not already have a route.
.TP
.B call \fIname
Read options from the file /etc/ppp/peers/\fIname\fR. This file may
contain privileged options, such as \fInoauth\fR, even if pppd
is not being run by root. The \fIname\fR string may not begin with /
or include .. as a pathname component. The format of the options file
is described below.
.TP
.B connect \fIscript
Use the executable or shell command specified by \fIscript\fR to set
up the serial line. This script would typically use the chat(8)
program to dial the modem and start the remote ppp session. A value
for this option from a privileged source cannot be overridden by a
non-privileged user.
.TP
.B crtscts
Use hardware flow control (i.e. RTS/CTS) to control the flow of
data on the serial port. If neither the \fIcrtscts\fR, the
\fInocrtscts\fR, the \fIcdtrcts\fR nor the \fInocdtrcts\fR option
is given, the hardware flow control setting for the serial port is
left unchanged.
Some serial ports (such as Macintosh serial ports) lack a true
RTS output. Such serial ports use this mode to implement
unidirectional flow control. The serial port will
suspend transmission when requested by the modem (via CTS)
but will be unable to request the modem stop sending to the
computer. This mode retains the ability to use DTR as
a modem control line.
.TP
.B defaultroute
Add a default route to the system routing tables, using the peer as
the gateway, when IPCP negotiation is successfully completed.
This entry is removed when the PPP connection is broken. This option
is privileged if the \fInodefaultroute\fR option has been specified.
.TP
.B disconnect \fIscript
Run the executable or shell command specified by \fIscript\fR after
pppd has terminated the link. This script could, for example, issue
commands to the modem to cause it to hang up if hardware modem control
signals were not available. The disconnect script is not run if the
modem has already hung up. A value for this option from a privileged
source cannot be overridden by a non-privileged user.
.TP
.B escape \fIxx,yy,...
Specifies that certain characters should be escaped on transmission
(regardless of whether the peer requests them to be escaped with its
async control character map). The characters to be escaped are
specified as a list of hex numbers separated by commas. Note that
almost any character can be specified for the \fIescape\fR option,
unlike the \fIasyncmap\fR option which only allows control characters
to be specified. The characters which may not be escaped are those
with hex values 0x20 - 0x3f or 0x5e.
.TP
.B file \fIname
Read options from file \fIname\fR (the format is described below).
The file must be readable by the user who has invoked pppd.
.TP
.B init \fIscript
Run the executable or shell command specified by \fIscript\fR to
initialize the serial line. This script would typically use the
chat(8) program to configure the modem to enable auto answer. A value
for this option from a privileged source cannot be overridden by a
non-privileged user.
.TP
.B lock
Specifies that pppd should create a UUCP-style lock file for the
serial device to ensure exclusive access to the device.
.TP
.B mru \fIn
Set the MRU [Maximum Receive Unit] value to \fIn\fR. Pppd
will ask the peer to send packets of no more than \fIn\fR bytes. The
minimum MRU value is 128. The default MRU value is 1500. A value of
296 is recommended for slow links (40 bytes for TCP/IP header + 256
bytes of data). (Note that for IPv6 MRU must be at least 1280)
.TP
.B mtu \fIn
Set the MTU [Maximum Transmit Unit] value to \fIn\fR. Unless the
peer requests a smaller value via MRU negotiation, pppd will
request that the kernel networking code send data packets of no more
than \fIn\fR bytes through the PPP network interface. (Note that for
IPv6 MTU must be at least 1280)
.TP
.B passive
Enables the "passive" option in the LCP. With this option, pppd will
attempt to initiate a connection; if no reply is received from the
peer, pppd will then just wait passively for a valid LCP packet from
the peer, instead of exiting, as it would without this option.
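The argument rules stated above for the call, asyncmap and escape options, written out as C checks. This is an added example, not code from pppd; the function names (peer_name_ok, asyncmap_add, asyncmap_escapes, escape_parse, escape_has) are hypothetical and the sample arguments are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* call: the name may not begin with '/' or contain ".." as a pathname
 * component, so it cannot name a file outside /etc/ppp/peers/. */
int peer_name_ok(const char *name)
{
    const char *p = name;

    if (*name == '/')
        return 0;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (slash == NULL)
            return 1;
        p = slash + 1;
    }
}

/* asyncmap: parse one 32-bit hex argument and OR it into *map, the way
 * repeated asyncmap options are ORed together. Returns 0 if malformed. */
int asyncmap_add(const char *arg, uint32_t *map)
{
    char *end;
    unsigned long long v;

    if (!isxdigit((unsigned char)arg[0]))
        return 0;
    v = strtoull(arg, &end, 16);
    if (*end != '\0' || v > 0xFFFFFFFFULL)
        return 0;
    *map |= (uint32_t)v;
    return 1;
}

/* Bit n of the map stands for control character n (0x00..0x1f). */
int asyncmap_escapes(uint32_t map, unsigned char c)
{
    return c < 0x20 && ((map >> c) & 1u) != 0;
}

/* escape: parse "xx,yy,..." (hex) into a 256-bit set. Any byte value is
 * accepted except 0x20-0x3f and 0x5e. Returns 0 on a malformed or
 * forbidden entry; the set contents are then unspecified. */
int escape_parse(const char *arg, uint8_t set[32])
{
    memset(set, 0, 32);
    for (;;) {
        char *end;
        unsigned long long v;

        if (!isxdigit((unsigned char)*arg))
            return 0;
        v = strtoull(arg, &end, 16);
        if (v > 0xff || (v >= 0x20 && v <= 0x3f) || v == 0x5e)
            return 0;
        set[v >> 3] |= (uint8_t)(1u << (v & 7));
        if (*end == '\0')
            return 1;
        if (*end != ',')
            return 0;
        arg = end + 1;
    }
}

/* Is byte c a member of the set built by escape_parse()? */
int escape_has(const uint8_t set[32], unsigned char c)
{
    return (set[c >> 3] >> (c & 7)) & 1;
}

int main(void)
{
    /* Constructed sample arguments, not taken from a real configuration. */
    uint32_t map = 0;
    uint8_t set[32];

    asyncmap_add("a0000", &map);   /* XON (0x11) and XOFF (0x13) */
    asyncmap_add("1", &map);       /* NUL (0x00), ORed into the same map */
    printf("asyncmap %08x escapes 0x11: %d\n", (unsigned)map,
           asyncmap_escapes(map, 0x11));
    printf("call ../options allowed: %d\n", peer_name_ok("../options"));
    printf("escape 11,13,7e ok: %d\n", escape_parse("11,13,7e", set));
    printf("escape 11,20 ok: %d\n", escape_parse("11,20", set));
    return 0;
}
```

The call check matters because a peers file may carry privileged options such as noauth even when pppd is not run by root.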
.SH OPTIONS
.TP
.I <local_IP_address>\fB:\fI<remote_IP_address>
Set the local and/or remote interface IP addresses. Either one may be
omitted. The IP addresses can be specified with a host name or in
decimal dot notation (e.g. 150.234.56.78). The default local
address is the (first) IP address of the system (unless the
\fInoipdefault\fR
option is given). The remote address will be obtained from the peer
if not specified in any option. Thus, in simple cases, this option is
not required. If a local and/or remote IP address is specified with
this option, pppd
will not accept a different value from the peer in the IPCP
negotiation, unless the \fIipcp-accept-local\fR and/or
\fIipcp-accept-remote\fR options are given, respectively.
.TP
.B ipv6 \fI<local_interface_identifier>\fR,\fI<remote_interface_identifier>
Set the local and/or remote 64-bit interface identifier. Either one may be
omitted. The identifier must be specified in standard ASCII notation of
IPv6 addresses (e.g. ::dead:beef). If the
\fIipv6cp-use-ipaddr\fR
option is given, the local identifier is the local IPv4 address (see above).
On systems which support a unique persistent id, such as EUI-48 derived
from the Ethernet MAC address, the \fIipv6cp-use-persistent\fR option can be
used to replace the \fIipv6 <local>,<remote>\fR option. Otherwise the
identifier is randomized.
.TP
.B active-filter \fIfilter-expression
Specifies a packet filter to be applied to data packets to determine
which packets are to be regarded as link activity, and therefore reset
the idle timer, or cause the link to be brought up in demand-dialling
mode. This option is useful in conjunction with the
\fBidle\fR option if there are packets being sent or received
regularly over the link (for example, routing information packets)
which would otherwise prevent the link from ever appearing to be idle.
The \fIfilter-expression\fR syntax is as described for tcpdump(1),
except that qualifiers which are inappropriate for a PPP link, such as
\fBether\fR and \fBarp\fR, are not permitted. Generally the filter
expression should be enclosed in single-quotes to prevent whitespace
in the expression from being interpreted by the shell. This option
is currently only available under NetBSD, and then only
if both the kernel and pppd were compiled with PPP_FILTER defined.
.TP
.B allow-ip \fIaddress(es)
Allow peers to use the given IP address or subnet without
authenticating themselves. The parameter is parsed as for each
element of the list of allowed IP addresses in the secrets files (see
the AUTHENTICATION section below).
.TP
.B bsdcomp \fInr,nt
Request that the peer compress packets that it sends, using the
BSD-Compress scheme, with a maximum code size of \fInr\fR bits, and
agree to compress packets sent to the peer with a maximum code size of
\fInt\fR bits. If \fInt\fR is not specified, it defaults to the value
given for \fInr\fR. Values in the range 9 to 15 may be used for
\fInr\fR and \fInt\fR; larger values give better compression but
consume more kernel memory for compression dictionaries.
Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
compression in the corresponding direction. Use \fInobsdcomp\fR or
\fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
.TP
.B cdtrcts
Use a non-standard hardware flow control (i.e. DTR/CTS) to control
the flow of data on the serial port. If neither the \fIcrtscts\fR,
the \fInocrtscts\fR, the \fIcdtrcts\fR nor the \fInocdtrcts\fR
option is given, the hardware flow control setting for the serial
port is left unchanged.
Some serial ports (such as Macintosh serial ports) lack a true
RTS output. Such serial ports use this mode to implement true
bi-directional flow control. The sacrifice is that this flow
control mode does not permit using DTR as a modem control line.
.TP
.B chap-interval \fIn
If this option is given, pppd will rechallenge the peer every \fIn\fR
seconds.
.TP
.B chap-max-challenge \fIn
Set the maximum number of CHAP challenge transmissions to \fIn\fR
(default 10).
.TP
.B chap-restart \fIn
Set the CHAP restart interval (retransmission timeout for challenges)
to \fIn\fR seconds (default 3).
.TP
.B connect-delay \fIn
Wait for up to \fIn\fR milliseconds after the connect script finishes for
a valid PPP packet from the peer. At the end of this time, or when a
valid PPP packet is received from the peer, pppd will commence
negotiation by sending its first LCP packet. The default value is
1000 (1 second). This wait period only applies if the \fBconnect\fR
or \fBpty\fR option is used.
.TP
.B debug
Enables connection debugging facilities.
If this option is given, pppd will log the contents of all
control packets sent or received in a readable form. The packets are
logged through syslog with facility \fIdaemon\fR and level
\fIdebug\fR. This information can be directed to a file by setting up
/etc/syslog.conf appropriately (see syslog.conf(5)).
.TP
.B default-asyncmap
Disable asyncmap negotiation, forcing all control characters to be
escaped for both the transmit and the receive direction.
.TP
.B default-mru
Disable MRU [Maximum Receive Unit] negotiation. With this option,
pppd will use the default MRU value of 1500 bytes for both the
transmit and receive direction.
.TP
.B deflate \fInr,nt
Request that the peer compress packets that it sends, using the
Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and
agree to compress packets sent to the peer with a maximum window size
of \fI2**nt\fR bytes. If \fInt\fR is not specified, it defaults to
the value given for \fInr\fR. Values in the range 8 to 15 may be used
for \fInr\fR and \fInt\fR; larger values give better compression but
consume more kernel memory for compression dictionaries.
Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
compression in the corresponding direction. Use \fInodeflate\fR or
\fIdeflate 0\fR to disable Deflate compression entirely. (Note: pppd
requests Deflate compression in preference to BSD-Compress if the peer
can do either.)
.TP
.B demand
Initiate the link only on demand, i.e. when data traffic is present.
With this option, the remote IP address must be specified by the user
on the command line or in an options file. Pppd will initially
configure the interface and enable it for IP traffic without
connecting to the peer. When traffic is available, pppd will
connect to the peer and perform negotiation, authentication, etc.
When this is completed, pppd will commence passing data packets
(i.e., IP packets) across the link.

The \fIdemand\fR option implies the \fIpersist\fR option. If this
behaviour is not desired, use the \fInopersist\fR option after the
\fIdemand\fR option. The \fIidle\fR and \fIholdoff\fR
options are also useful in conjunction with the \fIdemand\fR option.
.TP
.B domain \fId
Append the domain name \fId\fR to the local host name for authentication
purposes. For example, if gethostname() returns the name porsche, but
the fully qualified domain name is porsche.Quotron.COM, you could
specify \fIdomain Quotron.COM\fR. Pppd would then use the name
\fIporsche.Quotron.COM\fR for looking up secrets in the secrets file,
and as the default name to send to the peer when authenticating itself
to the peer. This option is privileged.
.TP
.B hide-password
When logging the contents of PAP packets, this option causes pppd to
exclude the password string from the log. This is the default.
.TP
.B holdoff \fIn
Specifies how many seconds to wait before re-initiating the link after
it terminates. This option only has any effect if the \fIpersist\fR
or \fIdemand\fR option is used. The holdoff period is not applied if
the link was terminated because it was idle.
.TP
.B idle \fIn
Specifies that pppd should disconnect if the link is idle for \fIn\fR
seconds. The link is idle when no data packets (i.e. IP packets) are
being sent or received. Note: it is not advisable to use this option
with the \fIpersist\fR option without the \fIdemand\fR option.
If the \fBactive-filter\fR
option is given, data packets which are rejected by the specified
activity filter also count as the link being idle.
.TP
.B ipcp-accept-local
With this option, pppd will accept the peer's idea of our local IP
address, even if the local IP address was specified in an option.
.TP
.B ipcp-accept-remote
With this option, pppd will accept the peer's idea of its (remote) IP
address, even if the remote IP address was specified in an option.
.TP
.B ipcp-max-configure \fIn
Set the maximum number of IPCP configure-request transmissions to
\fIn\fR (default 10).
.TP
.B ipcp-max-failure \fIn
Set the maximum number of IPCP configure-NAKs returned before starting
to send configure-Rejects instead to \fIn\fR (default 10).
.TP
.B ipcp-max-terminate \fIn
Set the maximum number of IPCP terminate-request transmissions to
\fIn\fR (default 3).
.TP
.B ipcp-restart \fIn
Set the IPCP restart interval (retransmission timeout) to \fIn\fR
seconds (default 3).
.TP
.B ipparam \fIstring
Provides an extra parameter to the ip-up and ip-down scripts. If this
option is given, the \fIstring\fR supplied is given as the 6th
parameter to those scripts.
.TP
.B ipv6cp-max-configure \fIn
Set the maximum number of IPv6CP configure-request transmissions to
\fIn\fR (default 10).
.TP
.B ipv6cp-max-failure \fIn
Set the maximum number of IPv6CP configure-NAKs returned before starting
to send configure-Rejects instead to \fIn\fR (default 10).
.TP
.B ipv6cp-max-terminate \fIn
Set the maximum number of IPv6CP terminate-request transmissions to
\fIn\fR (default 3).
.TP
.B ipv6cp-restart \fIn
Set the IPv6CP restart interval (retransmission timeout) to \fIn\fR
seconds (default 3).
.TP
.B ipx
Enable the IPXCP and IPX protocols. This option is presently only
supported under Linux, and only if your kernel has been configured to
include IPX support.
.TP
.B ipx-network \fIn
Set the IPX network number in the IPXCP configure request frame to
\fIn\fR, a hexadecimal number (without a leading 0x). There is no
valid default. If this option is not specified, the network number is
obtained from the peer. If the peer does not have the network number,
the IPX protocol will not be started.
.TP
.B ipx-node \fIn\fB:\fIm
Set the IPX node numbers. The two node numbers are separated from each
other with a colon character. The first number \fIn\fR is the local
node number. The second number \fIm\fR is the peer's node number. Each
node number is a hexadecimal number, at most 10 digits long. The node
numbers on the ipx-network must be unique. There is no valid
default. If this option is not specified then the node numbers are
obtained from the peer.
.TP
.B ipx-router-name \fI<string>
Set the name of the router. This is a string and is sent to the peer
as information data.
.TP
.B ipx-routing \fIn
Set the routing protocol to be received by this option. More than one
instance of \fIipx-routing\fR may be specified. The '\fInone\fR'
option (0) may be specified as the only instance of ipx-routing. The
values may be \fI0\fR for \fINONE\fR, \fI2\fR for \fIRIP/SAP\fR, and
\fI4\fR for \fINLSP\fR.
.TP
.B ipxcp-accept-local
Accept the peer's NAK for the node number specified in the ipx-node
option. If a node number was specified, and non-zero, the default is
to insist that the value be used. If you include this option then you
will permit the peer to override the entry of the node number.
.TP
.B ipxcp-accept-network
Accept the peer's NAK for the network number specified in the
ipx-network option. If a network number was specified, and non-zero, the
default is to insist that the value be used. If you include this
option then you will permit the peer to override the entry of the node
number.
.TP
.B ipxcp-accept-remote
Use the peer's network number specified in the configure request
frame. If a node number was specified for the peer and this option was
not specified, the peer will be forced to use the value which you have
specified.
.TP
.B ipxcp-max-configure \fIn
Set the maximum number of IPXCP configure request frames which the
system will send to \fIn\fR. The default is 10.
.TP
.B ipxcp-max-failure \fIn
Set the maximum number of IPXCP NAK frames which the local system will
send before it rejects the options. The default value is 3.
.TP
.B ipxcp-max-terminate \fIn
Set the maximum number of IPXCP terminate request frames before the
local system considers that the peer is not listening to them. The
default value is 3.
.TP
.B kdebug \fIn
Enable debugging code in the kernel-level PPP driver. The argument
\fIn\fR is a number which is the sum of the following values: 1 to
enable general debug messages, 2 to request that the contents of
received packets be printed, and 4 to request that the contents of
transmitted packets be printed. On most systems, messages printed by
the kernel are logged by syslog(1) to a file as directed in the
/etc/syslog.conf configuration file.
.TP
.B ktune
Enables pppd to alter kernel settings as appropriate. Under Linux,
pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
to 1) if the \fIproxyarp\fR option is used, and will enable the
dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to
1) in demand mode if the local address changes.
.TP
.B lcp-echo-failure \fIn
If this option is given, pppd will presume the peer to be dead
if \fIn\fR LCP echo-requests are sent without receiving a valid LCP
echo-reply. If this happens, pppd will terminate the
connection. Use of this option requires a non-zero value for the
\fIlcp-echo-interval\fR parameter. This option can be used to enable
pppd to terminate after the physical connection has been broken
(e.g., the modem has hung up) in situations where no hardware modem
control lines are available.
.TP
.B lcp-echo-interval \fIn
If this option is given, pppd will send an LCP echo-request frame to
the peer every \fIn\fR seconds. Normally the peer should respond to
the echo-request by sending an echo-reply. This option can be used
with the \fIlcp-echo-failure\fR option to detect that the peer is no
longer connected.
.TP
.B lcp-max-configure \fIn
Set the maximum number of LCP configure-request transmissions to
\fIn\fR (default 10).
.TP
.B lcp-max-failure \fIn
Set the maximum number of LCP configure-NAKs returned before starting
to send configure-Rejects instead to \fIn\fR (default 10).
.TP
.B lcp-max-terminate \fIn
Set the maximum number of LCP terminate-request transmissions to
\fIn\fR (default 3).
.TP
.B lcp-restart \fIn
Set the LCP restart interval (retransmission timeout) to \fIn\fR
seconds (default 3).
.TP
.B linkname \fIname\fR
Sets the logical name of the link to \fIname\fR. Pppd will create a
file named \fBppp-\fIname\fB.pid\fR in /var/run (or /etc/ppp on some
systems) containing its process ID. This can be useful in determining
which instance of pppd is responsible for the link to a given peer
system. This is a privileged option.
.TP
.B local
Don't use the modem control lines. With this option, pppd will ignore
the state of the CD (Carrier Detect) signal from the modem and will
not change the state of the DTR (Data Terminal Ready) signal.
.TP
.B logfd \fIn
Send log messages to file descriptor \fIn\fR. Pppd will send log
messages to at most one file or file descriptor (as well as sending
the log messages to syslog), so this option and the \fBlogfile\fR
option are mutually exclusive. The default is for pppd to send log
messages to stdout (file descriptor 1), unless the serial port is
already open on stdout.
.TP
.B logfile \fIfilename
Append log messages to the file \fIfilename\fR (as well as sending the
log messages to syslog). The file is opened with the privileges of
the user who invoked pppd, in append mode.
.TP
.B login
Use the system password database for authenticating the peer using
PAP, and record the user in the system wtmp file. Note that the peer
must have an entry in the /etc/ppp/pap-secrets file as well as the
system password database to be allowed access.
.TP
.B maxconnect \fIn
Terminate the connection when it has been available for network
traffic for \fIn\fR seconds (i.e. \fIn\fR seconds after the first
network control protocol comes up).
.TP
.B maxfail \fIn
Terminate after \fIn\fR consecutive failed connection attempts. A
value of 0 means no limit. The default value is 10.
.TP
.B modem
Use the modem control lines. This option is the default. With this
option, pppd will wait for the CD (Carrier Detect) signal from the
modem to be asserted when opening the serial device (unless a connect
script is specified), and it will drop the DTR (Data Terminal Ready)
signal briefly when the connection is terminated and before executing
the connect script. On Ultrix, this option implies hardware flow
control, as for the \fIcrtscts\fR option.
.TP
.B ms-dns \fI<addr>
If pppd is acting as a server for Microsoft Windows clients, this
option allows pppd to supply one or two DNS (Domain Name Server)
addresses to the clients. The first instance of this option specifies
the primary DNS address; the second instance (if given) specifies the
secondary DNS address. (This option was present in some older
versions of pppd under the name \fBdns-addr\fR.)
.TP
.B ms-wins \fI<addr>
If pppd is acting as a server for Microsoft Windows or "Samba"
clients, this option allows pppd to supply one or two WINS (Windows
Internet Name Services) server addresses to the clients. The first
instance of this option specifies the primary WINS address; the second
instance (if given) specifies the secondary WINS address.
.TP
.B name \fIname
Set the name of the local system for authentication purposes to
\fIname\fR. This is a privileged option. With this option, pppd will
use lines in the secrets files which have \fIname\fR as the second
field when looking for a secret to use in authenticating the peer. In
addition, unless overridden with the \fIuser\fR option, \fIname\fR
will be used as the name to send to the peer when authenticating the
local system to the peer. (Note that pppd does not append the domain
name to \fIname\fR.)
.TP
.B netmask \fIn
Set the interface netmask to \fIn\fR, a 32 bit netmask in "decimal dot"
notation (e.g. 255.255.255.0). If this option is given, the value
specified is ORed with the default netmask. The default netmask is
chosen based on the negotiated remote IP address; it is the
appropriate network mask for the class of the remote IP address, ORed
with the netmasks for any non point-to-point network interfaces in the
system which are on the same network. (Note: on some platforms, pppd
will always use 255.255.255.255 for the netmask, if that is the only
appropriate value for a point-to-point interface.)
.TP
.B noaccomp
Disable Address/Control compression in both directions (send and
receive).
.TP
.B noauth
Do not require the peer to authenticate itself. This option is
privileged.
.TP
.B nobsdcomp
Disables BSD-Compress compression; \fBpppd\fR will not request or
agree to compress packets using the BSD-Compress scheme.
.TP
.B noccp
Disable CCP (Compression Control Protocol) negotiation. This option
should only be required if the peer is buggy and gets confused by
requests from pppd for CCP negotiation.
.TP
.B nocrtscts
Disable hardware flow control (i.e. RTS/CTS) on the serial port.
If neither the \fIcrtscts\fR nor the \fInocrtscts\fR nor the
\fIcdtrcts\fR nor the \fInodtrcts\fR option is given, the hardware
flow control setting for the serial port is left unchanged.
.TP
.B nodtrcts
This option is a synonym for \fInocrtscts\fR. Either of these options will
disable both forms of hardware flow control.
.TP
.B nodefaultroute
Disable the \fIdefaultroute\fR option. The system administrator who
wishes to prevent users from creating default routes with pppd
can do so by placing this option in the /etc/ppp/options file.
.TP
.B nodeflate
Disables Deflate compression; pppd will not request or agree to
compress packets using the Deflate scheme.
---|
598 | .TP |
---|
599 | .B nodetach |
---|
600 | Don't detach from the controlling terminal. Without this option, if a |
---|
601 | serial device other than the terminal on the standard input is |
---|
602 | specified, pppd will fork to become a background process. |
---|
603 | .TP |
---|
604 | .B noip |
---|
605 | Disable IPCP negotiation and IP communication. This option should |
---|
606 | only be required if the peer is buggy and gets confused by requests |
---|
607 | from pppd for IPCP negotiation. |
---|
608 | .TP |
---|
609 | .B noipv6 |
---|
610 | Disable IPv6CP negotiation and IPv6 communication. This option should |
---|
611 | only be required if the peer is buggy and gets confused by requests |
---|
612 | from pppd for IPv6CP negotiation. |
---|
613 | .TP |
---|
614 | .B noipdefault |
---|
615 | Disables the default behaviour when no local IP address is specified, |
---|
616 | which is to determine (if possible) the local IP address from the |
---|
617 | hostname. With this option, the peer will have to supply the local IP |
---|
618 | address during IPCP negotiation (unless it is specified explicitly on the |
---|
619 | command line or in an options file). |
---|
620 | .TP |
---|
621 | .B noipx |
---|
622 | Disable the IPXCP and IPX protocols. This option should only be |
---|
623 | required if the peer is buggy and gets confused by requests from pppd |
---|
624 | for IPXCP negotiation. |
---|
625 | .TP |
---|
626 | .B noktune |
---|
627 | Opposite of the \fIktune\fR option; disables pppd from changing system |
---|
628 | settings. |
---|
629 | .TP |
---|
630 | .B nolog |
---|
631 | Do not send log messages to a file or file descriptor. This option |
---|
632 | cancels the \fBlogfd\fR and \fBlogfile\fR options. |
---|
 | .TP |
---|
633 | .B nomagic |
---|
634 | Disable magic number negotiation. With this option, pppd cannot |
---|
635 | detect a looped-back line. This option should only be needed if the |
---|
636 | peer is buggy. |
---|
637 | .TP |
---|
638 | .B nopcomp |
---|
639 | Disable protocol field compression negotiation in both the receive and |
---|
640 | the transmit direction. |
---|
641 | .TP |
---|
642 | .B nopersist |
---|
643 | Exit once a connection has been made and terminated. This is the |
---|
644 | default unless the \fIpersist\fR or \fIdemand\fR option has been |
---|
645 | specified. |
---|
646 | .TP |
---|
647 | .B nopredictor1 |
---|
648 | Do not accept or agree to Predictor-1 compression. |
---|
649 | .TP |
---|
650 | .B noproxyarp |
---|
651 | Disable the \fIproxyarp\fR option. The system administrator who |
---|
652 | wishes to prevent users from creating proxy ARP entries with pppd can |
---|
653 | do so by placing this option in the /etc/ppp/options file. |
---|
654 | .TP |
---|
655 | .B notty |
---|
656 | Normally, pppd requires a terminal device. With this option, pppd |
---|
657 | will allocate itself a pseudo-tty master/slave pair and use the slave |
---|
658 | as its terminal device. Pppd will create a child process to act as a |
---|
659 | `character shunt' to transfer characters between the pseudo-tty master |
---|
660 | and its standard input and output. Thus pppd will transmit characters |
---|
661 | on its standard output and receive characters on its standard input |
---|
662 | even if they are not terminal devices. This option increases the |
---|
663 | latency and CPU overhead of transferring data over the ppp interface |
---|
664 | as all of the characters sent and received must flow through the |
---|
665 | character shunt process. An explicit device name may not be given if |
---|
666 | this option is used. |
---|
667 | .TP |
---|
668 | .B novj |
---|
669 | Disable Van Jacobson style TCP/IP header compression in both the |
---|
670 | transmit and the receive direction. |
---|
671 | .TP |
---|
672 | .B novjccomp |
---|
673 | Disable the connection-ID compression option in Van Jacobson style |
---|
674 | TCP/IP header compression. With this option, pppd will not omit the |
---|
675 | connection-ID byte from Van Jacobson compressed TCP/IP headers, nor |
---|
676 | ask the peer to do so. |
---|
677 | .TP |
---|
678 | .B papcrypt |
---|
679 | Indicates that all secrets in the /etc/ppp/pap-secrets file which are |
---|
680 | used for checking the identity of the peer are encrypted, and thus |
---|
681 | pppd should not accept a password which, before encryption, is |
---|
682 | identical to the secret from the /etc/ppp/pap-secrets file. |
---|
683 | .TP |
---|
684 | .B pap-max-authreq \fIn |
---|
685 | Set the maximum number of PAP authenticate-request transmissions to |
---|
686 | \fIn\fR (default 10). |
---|
687 | .TP |
---|
688 | .B pap-restart \fIn |
---|
689 | Set the PAP restart interval (retransmission timeout) to \fIn\fR |
---|
690 | seconds (default 3). |
---|
691 | .TP |
---|
692 | .B pap-timeout \fIn |
---|
693 | Set the maximum time that pppd will wait for the peer to authenticate |
---|
694 | itself with PAP to \fIn\fR seconds (0 means no limit). |
---|
695 | .TP |
---|
696 | .B pass-filter \fIfilter-expression |
---|
697 | Specifies a packet filter to be applied to data packets being sent or |
---|
698 | received to determine which packets should be allowed to pass. |
---|
699 | Packets which are rejected by the filter are silently discarded. This |
---|
700 | option can be used to prevent specific network daemons (such as |
---|
701 | routed) using up link bandwidth, or to provide a basic firewall |
---|
702 | capability. |
---|
703 | The \fIfilter-expression\fR syntax is as described for tcpdump(1), |
---|
704 | except that qualifiers which are inappropriate for a PPP link, such as |
---|
705 | \fBether\fR and \fBarp\fR, are not permitted. Generally the filter |
---|
706 | expression should be enclosed in single-quotes to prevent whitespace |
---|
707 | in the expression from being interpreted by the shell. Note that it |
---|
708 | is possible to apply different constraints to incoming and outgoing |
---|
709 | packets using the \fBinbound\fR and \fBoutbound\fR qualifiers. This |
---|
710 | option is currently only available under NetBSD, and then only if both |
---|
711 | the kernel and pppd were compiled with PPP_FILTER defined. |
---|
712 | .TP |
---|
713 | .B persist |
---|
714 | Do not exit after a connection is terminated; instead try to reopen |
---|
715 | the connection. |
---|
716 | .TP |
---|
717 | .B plugin \fIfilename |
---|
718 | Load the shared library object file \fIfilename\fR as a plugin. This |
---|
719 | is a privileged option. |
---|
720 | .TP |
---|
721 | .B predictor1 |
---|
722 | Request that the peer compress frames that it sends using Predictor-1 |
---|
723 | compression, and agree to compress transmitted frames with Predictor-1 |
---|
724 | if requested. This option has no effect unless the kernel driver |
---|
725 | supports Predictor-1 compression. |
---|
726 | .TP |
---|
727 | .B privgroup \fIgroup-name |
---|
728 | Allows members of group \fIgroup-name\fR to use privileged options. |
---|
729 | This is a privileged option. Use of this option requires care as |
---|
730 | there is no guarantee that members of \fIgroup-name\fR cannot use pppd |
---|
731 | to become root themselves. Consider it equivalent to putting the |
---|
732 | members of \fIgroup-name\fR in the kmem or disk group. |
---|
733 | .TP |
---|
734 | .B proxyarp |
---|
735 | Add an entry to this system's ARP [Address Resolution Protocol] table |
---|
736 | with the IP address of the peer and the Ethernet address of this |
---|
737 | system. This will have the effect of making the peer appear to other |
---|
738 | systems to be on the local ethernet. |
---|
739 | .TP |
---|
740 | .B pty \fIscript |
---|
741 | Specifies that the command \fIscript\fR is to be used to communicate |
---|
742 | rather than a specific terminal device. Pppd will allocate itself a |
---|
743 | pseudo-tty master/slave pair and use the slave as its terminal |
---|
744 | device. The \fIscript\fR will be run in a child process with the |
---|
745 | pseudo-tty master as its standard input and output. An explicit |
---|
746 | device name may not be given if this option is used. (Note: if the |
---|
747 | \fIrecord\fR option is used in conjunction with the \fIpty\fR option, |
---|
748 | the child process will have pipes on its standard input and output.) |
---|
749 | .TP |
---|
750 | .B receive-all |
---|
751 | With this option, pppd will accept all control characters from the |
---|
752 | peer, including those marked in the receive asyncmap. Without this |
---|
753 | option, pppd will discard those characters as specified in RFC1662. |
---|
754 | This option should only be needed if the peer is buggy. |
---|
755 | .TP |
---|
756 | .B record \fIfilename |
---|
757 | Specifies that pppd should record all characters sent and received to |
---|
758 | a file named \fIfilename\fR. This file is opened in append mode, |
---|
759 | using the user's user-ID and permissions. This option is implemented |
---|
760 | using a pseudo-tty and a process to transfer characters between the |
---|
761 | pseudo-tty and the real serial device, so it will increase the latency |
---|
762 | and CPU overhead of transferring data over the ppp interface. The |
---|
763 | characters are stored in a tagged format with timestamps, which can be |
---|
764 | displayed in readable form using the pppdump(8) program. |
---|
765 | .TP |
---|
766 | .B remotename \fIname |
---|
767 | Set the assumed name of the remote system for authentication purposes |
---|
768 | to \fIname\fR. |
---|
769 | .TP |
---|
770 | .B refuse-chap |
---|
771 | With this option, pppd will not agree to authenticate itself to the |
---|
772 | peer using CHAP. |
---|
773 | .TP |
---|
774 | .B refuse-pap |
---|
775 | With this option, pppd will not agree to authenticate itself to the |
---|
776 | peer using PAP. |
---|
777 | .TP |
---|
778 | .B require-chap |
---|
779 | Require the peer to authenticate itself using CHAP [Challenge |
---|
780 | Handshake Authentication Protocol] authentication. |
---|
781 | .TP |
---|
782 | .B require-pap |
---|
783 | Require the peer to authenticate itself using PAP [Password |
---|
784 | Authentication Protocol] authentication. |
---|
785 | .TP |
---|
786 | .B show-password |
---|
787 | When logging the contents of PAP packets, this option causes pppd to |
---|
788 | show the password string in the log message. |
---|
789 | .TP |
---|
790 | .B silent |
---|
791 | With this option, pppd will not transmit LCP packets to initiate a |
---|
792 | connection until a valid LCP packet is received from the peer (as for |
---|
793 | the `passive' option with ancient versions of pppd). |
---|
794 | .TP |
---|
795 | .B sync |
---|
796 | Use synchronous HDLC serial encoding instead of asynchronous. |
---|
797 | The device used by pppd with this option must have sync support. |
---|
798 | Currently supports Microgate SyncLink adapters |
---|
799 | under Linux and FreeBSD 2.2.8 and later. |
---|
800 | .TP |
---|
801 | .B updetach |
---|
802 | With this option, pppd will detach from its controlling terminal once |
---|
803 | it has successfully established the ppp connection (to the point where |
---|
804 | the first network control protocol, usually the IP control protocol, |
---|
805 | has come up). |
---|
806 | .TP |
---|
807 | .B usehostname |
---|
808 | Enforce the use of the hostname (with domain name appended, if given) |
---|
809 | as the name of the local system for authentication purposes (overrides |
---|
810 | the \fIname\fR option). This option is not normally needed since the |
---|
811 | \fIname\fR option is privileged. |
---|
812 | .TP |
---|
813 | .B usepeerdns |
---|
814 | Ask the peer for up to 2 DNS server addresses. The addresses supplied |
---|
815 | by the peer (if any) are passed to the /etc/ppp/ip-up script in the |
---|
816 | environment variables DNS1 and DNS2. In addition, pppd will create an |
---|
817 | /etc/ppp/resolv.conf file containing one or two nameserver lines with |
---|
818 | the address(es) supplied by the peer. |
---|
819 | .TP |
---|
820 | .B user \fIname |
---|
821 | Sets the name used for authenticating the local system to the peer to |
---|
822 | \fIname\fR. |
---|
823 | .TP |
---|
824 | .B vj-max-slots \fIn |
---|
825 | Sets the number of connection slots to be used by the Van Jacobson |
---|
826 | TCP/IP header compression and decompression code to \fIn\fR, which |
---|
827 | must be between 2 and 16 (inclusive). |
---|
828 | .TP |
---|
829 | .B welcome \fIscript |
---|
830 | Run the executable or shell command specified by \fIscript\fR before |
---|
831 | initiating PPP negotiation, after the connect script (if any) has |
---|
832 | completed. A value for this option from a privileged source cannot be |
---|
833 | overridden by a non-privileged user. |
---|
834 | .TP |
---|
835 | .B xonxoff |
---|
836 | Use software flow control (i.e. XON/XOFF) to control the flow of data on |
---|
837 | the serial port. |
---|
838 | .SH OPTIONS FILES |
---|
839 | Options can be taken from files as well as the command line. Pppd |
---|
840 | reads options from the files /etc/ppp/options, ~/.ppprc and |
---|
841 | /etc/ppp/options.\fIttyname\fR (in that order) before processing the |
---|
842 | options on the command line. (In fact, the command-line options are |
---|
843 | scanned to find the terminal name before the options.\fIttyname\fR |
---|
844 | file is read.) In forming the name of the options.\fIttyname\fR file, |
---|
845 | the initial /dev/ is removed from the terminal name, and any remaining |
---|
846 | / characters are replaced with dots. |
---|
847 | .PP |
---|
848 | An options file is parsed into a series of words, delimited by |
---|
849 | whitespace. Whitespace can be included in a word by enclosing the |
---|
850 | word in double-quotes ("). A backslash (\\) quotes the following character. |
---|
851 | A hash (#) starts a comment, which continues until the end of the |
---|
852 | line. There is no restriction on using the \fIfile\fR or \fIcall\fR |
---|
853 | options within an options file. |
---|
854 | .SH SECURITY |
---|
855 | .I pppd |
---|
856 | provides system administrators with sufficient access control that PPP |
---|
857 | access to a server machine can be provided to legitimate users without |
---|
858 | fear of compromising the security of the server or the network it's |
---|
859 | on. This control is provided through restrictions on which IP |
---|
860 | addresses the peer may use, based on its authenticated identity (if |
---|
861 | any), and through restrictions on which options a non-privileged user |
---|
862 | may use. Several of pppd's options are privileged, in particular |
---|
863 | those which permit potentially insecure configurations; these options |
---|
864 | are only accepted in files which are under the control of the system |
---|
865 | administrator, or if pppd is being run by root. |
---|
866 | .PP |
---|
867 | The default behaviour of pppd is to allow an unauthenticated peer to |
---|
868 | use a given IP address only if the system does not already have a |
---|
869 | route to that IP address. For example, a system with a |
---|
870 | permanent connection to the wider internet will normally have a |
---|
871 | default route, and thus all peers will have to authenticate themselves |
---|
872 | in order to set up a connection. On such a system, the \fIauth\fR |
---|
873 | option is the default. On the other hand, a system where the |
---|
874 | PPP link is the only connection to the internet will not normally have |
---|
875 | a default route, so the peer will be able to use almost any IP address |
---|
876 | without authenticating itself. |
---|
877 | .PP |
---|
878 | As indicated above, some security-sensitive options are privileged, |
---|
879 | which means that they may not be used by an ordinary non-privileged |
---|
880 | user running a setuid-root pppd, either on the command line, in the |
---|
881 | user's ~/.ppprc file, or in an options file read using the \fIfile\fR |
---|
882 | option. Privileged options may be used in the /etc/ppp/options file or in |
---|
883 | an options file read using the \fIcall\fR option. If pppd is being |
---|
884 | run by the root user, privileged options can be used without |
---|
885 | restriction. |
---|
886 | .PP |
---|
887 | When opening the device, pppd uses either the invoking user's user ID |
---|
888 | or the root UID (that is, 0), depending on whether the device name was |
---|
889 | specified by the user or the system administrator. If the device name |
---|
890 | comes from a privileged source, that is, /etc/ppp/options or an |
---|
891 | options file read using the \fIcall\fR option, pppd uses full root |
---|
892 | privileges when opening the device. Thus, by creating an appropriate |
---|
893 | file under /etc/ppp/peers, the system administrator can allow users to |
---|
894 | establish a ppp connection via a device which they would not normally |
---|
895 | have permission to access. Otherwise pppd uses the invoking user's |
---|
896 | real UID when opening the device. |
---|
897 | .SH AUTHENTICATION |
---|
898 | Authentication is the process whereby one peer convinces the other of |
---|
899 | its identity. This involves the first peer sending its name to the |
---|
900 | other, together with some kind of secret information which could only |
---|
901 | come from the genuine authorized user of that name. In such an |
---|
902 | exchange, we will call the first peer the "client" and the other the |
---|
903 | "server". The client has a name by which it identifies itself to the |
---|
904 | server, and the server also has a name by which it identifies itself |
---|
905 | to the client. Generally the genuine client shares some secret (or |
---|
906 | password) with the server, and authenticates itself by proving that it |
---|
907 | knows that secret. Very often, the names used for authentication |
---|
908 | correspond to the internet hostnames of the peers, but this is not |
---|
909 | essential. |
---|
910 | .LP |
---|
911 | At present, pppd supports two authentication protocols: the Password |
---|
912 | Authentication Protocol (PAP) and the Challenge Handshake |
---|
913 | Authentication Protocol (CHAP). PAP involves the client sending its |
---|
914 | name and a cleartext password to the server to authenticate itself. |
---|
915 | In contrast, the server initiates the CHAP authentication exchange by |
---|
916 | sending a challenge to the client (the challenge packet includes the |
---|
917 | server's name). The client must respond with a response which |
---|
918 | includes its name plus a hash value derived from the shared secret and |
---|
919 | the challenge, in order to prove that it knows the secret. |
---|
920 | .LP |
---|
921 | The PPP protocol, being symmetrical, allows both peers to require the |
---|
922 | other to authenticate itself. In that case, two separate and |
---|
923 | independent authentication exchanges will occur. The two exchanges |
---|
924 | could use different authentication protocols, and in principle, |
---|
925 | different names could be used in the two exchanges. |
---|
926 | .LP |
---|
927 | The default behaviour of pppd is to agree to authenticate if |
---|
928 | requested, and to not require authentication from the peer. However, |
---|
929 | pppd will not agree to authenticate itself with a particular protocol |
---|
930 | if it has no secrets which could be used to do so. |
---|
931 | .LP |
---|
932 | Pppd stores secrets for use in authentication in secrets |
---|
933 | files (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP). |
---|
934 | Both secrets files have the same format. The secrets files can |
---|
935 | contain secrets for pppd to use in authenticating itself to other |
---|
936 | systems, as well as secrets for pppd to use when authenticating other |
---|
937 | systems to itself. |
---|
938 | .LP |
---|
939 | Each line in a secrets file contains one secret. A given secret is |
---|
940 | specific to a particular combination of client and server - it can |
---|
941 | only be used by that client to authenticate itself to that server. |
---|
942 | Thus each line in a secrets file has at least 3 fields: the name of |
---|
943 | the client, the name of the server, and the secret. These fields may |
---|
944 | be followed by a list of the IP addresses that the specified client |
---|
945 | may use when connecting to the specified server. |
---|
946 | .LP |
---|
947 | A secrets file is parsed into words as for an options file, so the |
---|
948 | client name, server name and secrets fields must each be one word, |
---|
949 | with any embedded spaces or other special characters quoted or |
---|
950 | escaped. Note that case is significant in the client and server names |
---|
951 | and in the secret. |
---|
952 | .LP |
---|
953 | If the secret starts with an `@', what follows is assumed to be the |
---|
954 | name of a file from which to read the secret. A "*" as the client or |
---|
955 | server name matches any name. When selecting a secret, pppd takes the |
---|
956 | best match, i.e. the match with the fewest wildcards. |
---|
957 | .LP |
---|
958 | Any following words on the same line are taken to be a list of |
---|
959 | acceptable IP addresses for that client. If there are only 3 words on |
---|
960 | the line, or if the first word is "-", then all IP addresses are |
---|
961 | disallowed. To allow any address, use "*". A word starting with "!" |
---|
962 | indicates that the specified address is \fInot\fR acceptable. An |
---|
963 | address may be followed by "/" and a number \fIn\fR, to indicate a |
---|
964 | whole subnet, i.e. all addresses which have the same value in the most |
---|
965 | significant \fIn\fR bits. In this form, the address may be followed |
---|
966 | by a plus sign ("+") to indicate that one address from the subnet is |
---|
967 | authorized, based on the ppp network interface unit number in use. |
---|
968 | In this case, the host part of the address will be set to the unit |
---|
969 | number plus one. |
---|
970 | .LP |
---|
971 | Thus a secrets file contains both secrets for use in authenticating |
---|
972 | other hosts, plus secrets which we use for authenticating ourselves to |
---|
973 | others. When pppd is authenticating the peer (checking the peer's |
---|
974 | identity), it chooses a secret with the peer's name in the first |
---|
975 | field and the name of the local system in the second field. The |
---|
976 | name of the local system defaults to the hostname, with the domain |
---|
977 | name appended if the \fIdomain\fR option is used. This default can be |
---|
978 | overridden with the \fIname\fR option, except when the |
---|
979 | \fIusehostname\fR option is used. |
---|
980 | .LP |
---|
981 | When pppd is choosing a secret to use in authenticating itself to the |
---|
982 | peer, it first determines what name it is going to use to identify |
---|
983 | itself to the peer. This name can be specified by the user with the |
---|
984 | \fIuser\fR option. If this option is not used, the name defaults to |
---|
985 | the name of the local system, determined as described in the previous |
---|
986 | paragraph. Then pppd looks for a secret with this name in the first |
---|
987 | field and the peer's name in the second field. Pppd will know the |
---|
988 | name of the peer if CHAP authentication is being used, because the |
---|
989 | peer will have sent it in the challenge packet. However, if PAP is being |
---|
990 | used, pppd will have to determine the peer's name from the options |
---|
991 | specified by the user. The user can specify the peer's name directly |
---|
992 | with the \fIremotename\fR option. Otherwise, if the remote IP address |
---|
993 | was specified by a name (rather than in numeric form), that name will |
---|
994 | be used as the peer's name. Failing that, pppd will use the null |
---|
995 | string as the peer's name. |
---|
996 | .LP |
---|
997 | When authenticating the peer with PAP, the supplied password is first |
---|
998 | compared with the secret from the secrets file. If the password |
---|
999 | doesn't match the secret, the password is encrypted using crypt() and |
---|
1000 | checked against the secret again. Thus secrets for authenticating the |
---|
1001 | peer can be stored in encrypted form if desired. If the |
---|
1002 | \fIpapcrypt\fR option is given, the first (unencrypted) comparison is |
---|
1003 | omitted, for better security. |
---|
1004 | .LP |
---|
1005 | Furthermore, if the \fIlogin\fR option was specified, the username and |
---|
1006 | password are also checked against the system password database. Thus, |
---|
1007 | the system administrator can set up the pap-secrets file to allow PPP |
---|
1008 | access only to certain users, and to restrict the set of IP addresses |
---|
1009 | that each user can use. Typically, when using the \fIlogin\fR option, |
---|
1010 | the secret in /etc/ppp/pap-secrets would be "", which will match any |
---|
1011 | password supplied by the peer. This avoids the need to have the same |
---|
1012 | secret in two places. |
---|
1013 | .LP |
---|
1014 | Authentication must be satisfactorily completed before IPCP (or any |
---|
1015 | other Network Control Protocol) can be started. If the peer is |
---|
1016 | required to authenticate itself, and fails to do so, pppd will |
---|
1017 | terminate the link (by closing LCP). If IPCP negotiates an |
---|
1018 | unacceptable IP address for the remote host, IPCP will be closed. IP |
---|
1019 | packets can only be sent or received when IPCP is open. |
---|
1020 | .LP |
---|
1021 | In some cases it is desirable to allow some hosts which can't |
---|
1022 | authenticate themselves to connect and use one of a restricted set of |
---|
1023 | IP addresses, even when the local host generally requires |
---|
1024 | authentication. If the peer refuses to authenticate itself when |
---|
1025 | requested, pppd takes that as equivalent to authenticating with PAP |
---|
1026 | using the empty string for the username and password. Thus, by adding |
---|
1027 | a line to the pap-secrets file which specifies the empty string for |
---|
1028 | the client and password, it is possible to allow restricted access to |
---|
1029 | hosts which refuse to authenticate themselves. |
---|
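The word-splitting rules from OPTIONS FILES and the secret-selection and address-list rules from AUTHENTICATION, worked through as an added example for auditing a secrets file; this is not pppd's own code. All function names and the sample file are hypothetical, and the code assumes numeric IPv4 addresses only (host names are skipped), that any unquoted # starts a comment, and that address words are checked in order with the first match deciding.

```python
import ipaddress

def split_words(line):
    """Split one line into words: whitespace, "...", backslash and # rules."""
    words, cur, in_word, in_quote = [], [], False, False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # backslash quotes the next character
            cur.append(line[i + 1])
            in_word = True
            i += 2
            continue
        if c == '"':                          # double quotes keep whitespace in a word
            in_quote = not in_quote
            in_word = True                    # so "" yields an empty word
        elif in_quote:
            cur.append(c)
        elif c == "#":                        # assumption: any unquoted # starts a comment
            break
        elif c.isspace():
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(c)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words

def parse_secrets(text):
    """One entry per line with at least client, server and secret."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        w = split_words(line)
        if len(w) >= 3:
            entries.append({"line": lineno, "client": w[0], "server": w[1],
                            "secret": w[2], "addrs": w[3:]})
    return entries

def select_secret(entries, client, server):
    """Best match: the matching entry with the fewest "*" wildcards."""
    best = None
    for e in entries:
        if e["client"] not in ("*", client) or e["server"] not in ("*", server):
            continue
        wild = (e["client"] == "*") + (e["server"] == "*")
        if best is None or wild < best[0]:
            best = (wild, e)
    return best[1] if best else None

def address_allowed(addr_words, ip, unit=0):
    """Apply the address list: no list or leading "-" denies everything."""
    if not addr_words or addr_words[0] == "-":
        return False
    ip = ipaddress.ip_address(ip)
    for w in addr_words:                      # assumption: first match decides
        permit = not w.startswith("!")
        spec = w if permit else w[1:]
        if spec == "*":
            return permit
        per_unit = spec.endswith("+")         # addr/n+ : one address per ppp unit
        try:
            net = ipaddress.ip_network(spec.rstrip("+"), strict=False)
        except ValueError:
            continue                          # host name: not resolved in this example
        if per_unit:
            host = net.network_address + unit + 1   # host part = unit number + 1
            match = host in net and ip == host
        else:
            match = ip in net
        if match:
            return permit
    return False

def audit(entries):
    """Flag entries that grant more than the restricted access the text describes."""
    findings = []
    for e in entries:
        any_addr = bool(e["addrs"]) and e["addrs"][0] != "-" and "*" in e["addrs"]
        if e["client"] == "" and any_addr:
            findings.append((e["line"], "unauthenticated peers may use any IP address"))
        elif e["client"] == "*" and any_addr:
            findings.append((e["line"], "wildcard client may use any IP address"))
        if e["secret"] == "" and e["client"] != "":
            findings.append((e["line"], "empty secret: only safe with the login option"))
    return findings

# Constructed sample secrets file (not from a real system).
SAMPLE = r'''
# client   server   secret          allowed addresses
joespc     server   "joe's secret"  192.0.2.17
*          server   "shared"        !10.1.2.99 10.1.2.0/24   # order matters
dialin     server   ""              10.9.0.0/24+
""         server   ""              *
nobody     server   x
'''

if __name__ == "__main__":
    entries = parse_secrets(SAMPLE)
    print(select_secret(entries, "joespc", "server")["secret"])
    for lineno, msg in audit(entries):
        print(f"line {lineno}: {msg}")
```
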
1030 | .SH ROUTING |
---|
1031 | .LP |
---|
1032 | When IPCP negotiation is completed successfully, pppd will inform the |
---|
1033 | kernel of the local and remote IP addresses for the ppp interface. |
---|
1034 | This is sufficient to create a host route to the remote end of the |
---|
1035 | link, which will enable the peers to exchange IP packets. |
---|
1036 | Communication with other machines generally requires further |
---|
1037 | modification to routing tables and/or ARP (Address Resolution |
---|
1038 | Protocol) tables. In most cases the \fIdefaultroute\fR and/or |
---|
1039 | \fIproxyarp\fR options are sufficient for this, but in some cases |
---|
1040 | further intervention is required. The /etc/ppp/ip-up script can be |
---|
1041 | used for this. |
---|
1042 | .LP |
---|
1043 | Sometimes it is desirable to add a default route through the remote |
---|
1044 | host, as in the case of a machine whose only connection to the |
---|
1045 | Internet is through the ppp interface. The \fIdefaultroute\fR option |
---|
1046 | causes pppd to create such a default route when IPCP comes up, and |
---|
1047 | delete it when the link is terminated. |
---|
1048 | .LP |
---|
1049 | In some cases it is desirable to use proxy ARP, for example on a |
---|
1050 | server machine connected to a LAN, in order to allow other hosts to |
---|
1051 | communicate with the remote host. The \fIproxyarp\fR option causes |
---|
1052 | pppd to look for a network interface on the same subnet as the remote |
---|
1053 | host (an interface supporting broadcast and ARP, which is up and not a |
---|
1054 | point-to-point or loopback interface). If found, pppd creates a |
---|
1055 | permanent, published ARP entry with the IP address of the remote host |
---|
1056 | and the hardware address of the network interface found. |
---|
1057 | .LP |
---|
1058 | When the \fIdemand\fR option is used, the interface IP addresses have |
---|
1059 | already been set at the point when IPCP comes up. If pppd has not |
---|
1060 | been able to negotiate the same addresses that it used to configure |
---|
1061 | the interface (for example when the peer is an ISP that uses dynamic |
---|
1062 | IP address assignment), pppd has to change the interface IP addresses |
---|
1063 | to the negotiated addresses. This may disrupt existing connections, |
---|
1064 | and the use of demand dialling with peers that do dynamic IP address |
---|
1065 | assignment is not recommended. |
---|
1066 | .SH EXAMPLES |
---|
1067 | .LP |
---|
1068 | The following examples assume that the /etc/ppp/options file contains |
---|
1069 | the \fIauth\fR option (as in the default /etc/ppp/options file in the |
---|
1070 | ppp distribution). |
---|
1071 | .LP |
---|
1072 | Probably the most common use of pppd is to dial out to an ISP. This |
---|
1073 | can be done with a command such as |
---|
1074 | .IP |
---|
1075 | pppd call isp |
---|
1076 | .LP |
---|
1077 | where the /etc/ppp/peers/isp file is set up by the system |
---|
1078 | administrator to contain something like this: |
---|
1079 | .IP |
---|
1080 | ttyS0 19200 crtscts |
---|
1081 | .br |
---|
1082 | connect '/usr/sbin/chat -v -f /etc/ppp/chat-isp' |
---|
1083 | .br |
---|
1084 | noauth |
---|
1085 | .LP |
---|
1086 | In this example, we are using chat to dial the ISP's modem and go |
---|
1087 | through any logon sequence required. The /etc/ppp/chat-isp file |
---|
1088 | contains the script used by chat; it could for example contain |
---|
1089 | something like this: |
---|
1090 | .IP |
---|
1091 | ABORT "NO CARRIER" |
---|
1092 | .br |
---|
1093 | ABORT "NO DIALTONE" |
---|
1094 | .br |
---|
1095 | ABORT "ERROR" |
---|
1096 | .br |
---|
1097 | ABORT "NO ANSWER" |
---|
1098 | .br |
---|
1099 | ABORT "BUSY" |
---|
1100 | .br |
---|
1101 | ABORT "Username/Password Incorrect" |
---|
1102 | .br |
---|
1103 | "" "at" |
---|
1104 | .br |
---|
1105 | OK "at&d0&c1" |
---|
1106 | .br |
---|
1107 | OK "atdt2468135" |
---|
1108 | .br |
---|
1109 | "name:" "^Umyuserid" |
---|
1110 | .br |
---|
1111 | "word:" "\\qmypassword" |
---|
1112 | .br |
---|
1113 | "ispts" "\\q^Uppp" |
---|
1114 | .br |
---|
1115 | "~-^Uppp-~" |
---|
1116 | .LP |
---|
1117 | See the chat(8) man page for details of chat scripts. |
---|
1118 | .LP |
---|
1119 | Pppd can also be used to provide a dial-in ppp service for users. If |
---|
1120 | the users already have login accounts, the simplest way to set up the |
---|
1121 | ppp service is to let the users log in to their accounts and run pppd |
---|
1122 | (installed setuid-root) with a command such as |
---|
1123 | .IP |
---|
1124 | pppd proxyarp |
---|
1125 | .LP |
---|
1126 | To allow a user to use the PPP facilities, you need to allocate an IP |
---|
1127 | address for that user's machine and create an entry in |
---|
1128 | /etc/ppp/pap-secrets or /etc/ppp/chap-secrets (depending on which |
---|
1129 | authentication method the PPP implementation on the user's machine |
---|
1130 | supports), so that the user's |
---|
1131 | machine can authenticate itself. For example, if Joe has a machine |
---|
1132 | called "joespc" which is to be allowed to dial in to the machine |
---|
1133 | called "server" and use the IP address joespc.my.net, you would add an |
---|
1134 | entry like this to /etc/ppp/pap-secrets or /etc/ppp/chap-secrets: |
---|
1135 | .IP |
---|
1136 | joespc server "joe's secret" joespc.my.net |
---|
1137 | .LP |
---|
1138 | Alternatively, you can create a username called (for example) "ppp", |
---|
1139 | whose login shell is pppd and whose home directory is /etc/ppp. |
---|
1140 | Options to be used when pppd is run this way can be put in |
---|
1141 | /etc/ppp/.ppprc. |
---|
1142 | .LP |
---|
1143 | If your serial connection is any more complicated than a piece of |
---|
1144 | wire, you may need to arrange for some control characters to be |
---|
1145 | escaped. In particular, it is often useful to escape XON (^Q) and |
---|
1146 | XOFF (^S), using \fIasyncmap a0000\fR. If the path includes a telnet, |
---|
1147 | you probably should escape ^] as well (\fIasyncmap 200a0000\fR). If |
---|
1148 | the path includes an rlogin, you will need to use the \fIescape ff\fR |
---|
1149 | option on the end which is running the rlogin client, since many |
---|
1150 | rlogin implementations are not transparent; they will remove the |
---|
1151 | sequence [0xff, 0xff, 0x73, 0x73, followed by any 8 bytes] from the |
---|
1152 | stream. |
---|
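The two asyncmap values quoted above follow from the rule that bit N of the map covers character code N. The function below is an added example, not part of the ppp distribution (the name asyncmap_for is hypothetical); it derives the map from the caret-notation letters of the characters to escape.

```shell
#!/bin/sh
# Added example: build an asyncmap value from control characters given in
# caret notation (Q for ^Q, S for ^S, ']' for ^]).

asyncmap_for() {
    map=0
    for c in "$@"; do
        code=$(printf '%d' "'$c")   # ASCII code of the printable letter
        bit=$(( code ^ 64 ))        # ^X is the letter with bit 6 flipped
        # Only codes 0..31 have a bit in the 32-bit map.
        [ "$bit" -ge 0 ] && [ "$bit" -lt 32 ] || return 1
        map=$(( map | (1 << bit) ))
    done
    printf '%x\n' "$map"
}

# ^Q is code 17 and ^S is code 19: bits 17 and 19 give a0000.
# Adding ^] (code 29) sets bit 29 as well and gives 200a0000.
```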
1153 | .SH DIAGNOSTICS |
---|
1154 | .LP |
---|
1155 | Messages are sent to the syslog daemon using facility LOG_DAEMON. |
---|
1156 | (This can be overridden by recompiling pppd with the macro |
---|
1157 | LOG_PPP defined as the desired facility.) In order to see the error |
---|
1158 | and debug messages, you will need to edit your /etc/syslog.conf file |
---|
1159 | to direct the messages to the desired output device or file. |
---|
1160 | .LP |
---|
1161 | The \fIdebug\fR option causes the contents of all control packets sent |
---|
1162 | or received to be logged, that is, all LCP, PAP, CHAP or IPCP packets. |
---|
1163 | This can be useful if the PPP negotiation does not succeed or if |
---|
1164 | authentication fails. |
---|
1165 | If debugging is enabled at compile time, the \fIdebug\fR option also |
---|
1166 | causes other debugging messages to be logged. |
---|
1167 | .LP |
---|
1168 | Debugging can also be enabled or disabled by sending a SIGUSR1 signal |
---|
1169 | to the pppd process. This signal acts as a toggle. |
---|
1170 | .SH EXIT STATUS |
---|
1171 | The exit status of pppd is set to indicate whether any error was |
---|
1172 | detected, or the reason for the link being terminated. The values |
---|
1173 | used are: |
---|
1174 | .TP |
---|
1175 | .B 0 |
---|
1176 | Pppd has detached, or otherwise the connection was successfully |
---|
1177 | established and terminated at the peer's request. |
---|
1178 | .TP |
---|
1179 | .B 1 |
---|
1180 | An immediately fatal error of some kind occurred, such as an essential |
---|
1181 | system call failing, or running out of virtual memory. |
---|
1182 | .TP |
---|
1183 | .B 2 |
---|
1184 | An error was detected in processing the options given, such as two |
---|
1185 | mutually exclusive options being used. |
---|
1186 | .TP |
---|
1187 | .B 3 |
---|
1188 | Pppd is not setuid-root and the invoking user is not root. |
---|
1189 | .TP |
---|
1190 | .B 4 |
---|
1191 | The kernel does not support PPP, for example, the PPP kernel driver is |
---|
1192 | not included or cannot be loaded. |
---|
1193 | .TP |
---|
1194 | .B 5 |
---|
1195 | Pppd terminated because it was sent a SIGINT, SIGTERM or SIGHUP |
---|
1196 | signal. |
---|
1197 | .TP |
---|
1198 | .B 6 |
---|
1199 | The serial port could not be locked. |
---|
1200 | .TP |
---|
1201 | .B 7 |
---|
1202 | The serial port could not be opened. |
---|
1203 | .TP |
---|
1204 | .B 8 |
---|
1205 | The connect script failed (returned a non-zero exit status). |
---|
1206 | .TP |
---|
1207 | .B 9 |
---|
1208 | The command specified as the argument to the \fIpty\fR option could |
---|
1209 | not be run. |
---|
1210 | .TP |
---|
1211 | .B 10 |
---|
1212 | The PPP negotiation failed, that is, it didn't reach the point where |
---|
1213 | at least one network protocol (e.g. IP) was running. |
---|
1214 | .TP |
---|
1215 | .B 11 |
---|
1216 | The peer system failed (or refused) to authenticate itself. |
---|
1217 | .TP |
---|
1218 | .B 12 |
---|
1219 | The link was established successfully and terminated because it was |
---|
1220 | idle. |
---|
1221 | .TP |
---|
1222 | .B 13 |
---|
1223 | The link was established successfully and terminated because the |
---|
1224 | connect time limit was reached. |
---|
1225 | .TP |
---|
1226 | .B 14 |
---|
1227 | Callback was negotiated and an incoming call should arrive shortly. |
---|
1228 | .TP |
---|
1229 | .B 15 |
---|
1230 | The link was terminated because the peer is not responding to echo |
---|
1231 | requests. |
---|
1232 | .TP |
---|
1233 | .B 16 |
---|
1234 | The link was terminated by the modem hanging up. |
---|
1235 | .TP |
---|
1236 | .B 17 |
---|
1237 | The PPP negotiation failed because serial loopback was detected. |
---|
1238 | .TP |
---|
1239 | .B 18 |
---|
1240 | The init script failed (returned a non-zero exit status). |
---|
1241 | .TP |
---|
1242 | .B 19 |
---|
1243 | We failed to authenticate ourselves to the peer. |
---|
1244 | .SH SCRIPTS |
---|
1245 | Pppd invokes scripts at various stages in its processing which can be |
---|
1246 | used to perform site-specific ancillary processing. These scripts are |
---|
1247 | usually shell scripts, but could be executable code files instead. |
---|
1248 | Pppd does not wait for the scripts to finish. The scripts are |
---|
1249 | executed as root (with the real and effective user-id set to 0), so |
---|
1250 | that they can do things such as update routing tables or run |
---|
1251 | privileged daemons. Be careful that the contents of these scripts do |
---|
1252 | not compromise your system's security. Pppd runs the scripts with |
---|
1253 | standard input, output and error redirected to /dev/null, and with an |
---|
1254 | environment that is empty except for some environment variables that |
---|
1255 | give information about the link. The environment variables that pppd |
---|
1256 | sets are: |
---|
1257 | .TP |
---|
1258 | .B DEVICE |
---|
1259 | The name of the serial tty device being used. |
---|
1260 | .TP |
---|
1261 | .B IFNAME |
---|
1262 | The name of the network interface being used. |
---|
1263 | .TP |
---|
1264 | .B IPLOCAL |
---|
1265 | The IP address for the local end of the link. This is only set when |
---|
1266 | IPCP has come up. |
---|
1267 | .TP |
---|
1268 | .B IPREMOTE |
---|
1269 | The IP address for the remote end of the link. This is only set when |
---|
1270 | IPCP has come up. |
---|
1271 | .TP |
---|
1272 | .B PEERNAME |
---|
1273 | The authenticated name of the peer. This is only set if the peer |
---|
1274 | authenticates itself. |
---|
1275 | .TP |
---|
1276 | .B SPEED |
---|
1277 | The baud rate of the tty device. |
---|
1278 | .TP |
---|
1279 | .B ORIG_UID |
---|
1280 | The real user-id of the user who invoked pppd. |
---|
1281 | .TP |
---|
1282 | .B PPPLOGNAME |
---|
1283 | The username of the real user-id that invoked pppd. This is always set. |
---|
1284 | .P |
---|
1285 | For the ip-down and auth-down scripts, pppd also sets the following |
---|
1286 | variables giving statistics for the connection: |
---|
1287 | .TP |
---|
1288 | .B CONNECT_TIME |
---|
1289 | The number of seconds from when the PPP negotiation started until the |
---|
1290 | connection was terminated. |
---|
1291 | .TP |
---|
1292 | .B BYTES_SENT |
---|
1293 | The number of bytes sent (at the level of the serial port) during the |
---|
1294 | connection. |
---|
1295 | .TP |
---|
1296 | .B BYTES_RCVD |
---|
1297 | The number of bytes received (at the level of the serial port) during |
---|
1298 | the connection. |
---|
1299 | .TP |
---|
1300 | .B LINKNAME |
---|
1301 | The logical name of the link, set with the \fIlinkname\fR option. |
---|
1302 | .P |
---|
1303 | Pppd invokes the following scripts, if they exist. It is not an error |
---|
1304 | if they don't exist. |
---|
1305 | .TP |
---|
1306 | .B /etc/ppp/auth-up |
---|
1307 | A program or script which is executed after the remote system |
---|
1308 | successfully authenticates itself. It is executed with the parameters |
---|
1309 | .IP |
---|
1310 | \fIinterface-name peer-name user-name tty-device speed\fR |
---|
1311 | .IP |
---|
1312 | Note that this script is not executed if the peer doesn't authenticate |
---|
1313 | itself, for example when the \fInoauth\fR option is used. |
---|
1314 | .TP |
---|
1315 | .B /etc/ppp/auth-down |
---|
1316 | A program or script which is executed when the link goes down, if |
---|
1317 | /etc/ppp/auth-up was previously executed. It is executed in the same |
---|
1318 | manner with the same parameters as /etc/ppp/auth-up. |
---|
1319 | .TP |
---|
1320 | .B /etc/ppp/ip-up |
---|
1321 | A program or script which is executed when the link is available for |
---|
1322 | sending and receiving IP packets (that is, IPCP has come up). It is |
---|
1323 | executed with the parameters |
---|
1324 | .IP |
---|
1325 | \fIinterface-name tty-device speed local-IP-address |
---|
1326 | remote-IP-address ipparam\fR |
---|
1327 | .TP |
---|
1328 | .B /etc/ppp/ip-down |
---|
1329 | A program or script which is executed when the link is no longer |
---|
1330 | available for sending and receiving IP packets. This script can be |
---|
1331 | used for undoing the effects of the /etc/ppp/ip-up script. It is |
---|
1332 | invoked in the same manner and with the same parameters as the ip-up |
---|
1333 | script. |
---|
1334 | .TP |
---|
1335 | .B /etc/ppp/ipv6-up |
---|
1336 | Like /etc/ppp/ip-up, except that it is executed when the link is available |
---|
1337 | for sending and receiving IPv6 packets. It is executed with the parameters |
---|
1338 | .IP |
---|
1339 | \fIinterface-name tty-device speed local-link-local-address |
---|
1340 | remote-link-local-address ipparam\fR |
---|
1341 | .TP |
---|
1342 | .B /etc/ppp/ipv6-down |
---|
1343 | Similar to /etc/ppp/ip-down, but it is executed when IPv6 packets can no |
---|
1344 | longer be transmitted on the link. It is executed with the same parameters |
---|
1345 | as the ipv6-up script. |
---|
1346 | .TP |
---|
1347 | .B /etc/ppp/ipx-up |
---|
1348 | A program or script which is executed when the link is available for |
---|
1349 | sending and receiving IPX packets (that is, IPXCP has come up). It is |
---|
1350 | executed with the parameters |
---|
1351 | .IP |
---|
1352 | \fIinterface-name tty-device speed network-number local-IPX-node-address |
---|
1353 | remote-IPX-node-address local-IPX-routing-protocol remote-IPX-routing-protocol |
---|
1354 | local-IPX-router-name remote-IPX-router-name ipparam pppd-pid\fR |
---|
1355 | .IP |
---|
1356 | The local-IPX-routing-protocol and remote-IPX-routing-protocol field |
---|
1357 | may be one of the following: |
---|
1358 | .IP |
---|
1359 | NONE to indicate that there is no routing protocol |
---|
1360 | .br |
---|
1361 | RIP to indicate that RIP/SAP should be used |
---|
1362 | .br |
---|
1363 | NLSP to indicate that Novell NLSP should be used |
---|
1364 | .br |
---|
1365 | RIP NLSP to indicate that both RIP/SAP and NLSP should be used |
---|
1366 | .TP |
---|
1367 | .B /etc/ppp/ipx-down |
---|
1368 | A program or script which is executed when the link is no longer |
---|
1369 | available for sending and receiving IPX packets. This script can be |
---|
1370 | used for undoing the effects of the /etc/ppp/ipx-up script. It is |
---|
1371 | invoked in the same manner and with the same parameters as the ipx-up |
---|
1372 | script. |
---|
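Because these scripts run as root and receive values that come from user-supplied options and from negotiation with the peer, each argument should be validated before it reaches a privileged command. The skeleton below is an added example, not a script shipped with pppd; the function names, the ppp<unit> interface naming and the character set allowed for ipparam are assumptions made for the example.

```shell
#!/bin/sh
# Added example: defensive skeleton for /etc/ppp/ip-up or /etc/ppp/ip-down.
# pppd runs it as root with a near-empty environment and output on /dev/null,
# so set PATH here, log through syslog, and validate every argument before use.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Assumption: interfaces are named ppp<unit>, as in the pid file names.
valid_ifname() {
    case "$1" in
        ppp[0-9]|ppp[0-9][0-9]|ppp[0-9][0-9][0-9]) return 0 ;;
    esac
    return 1
}

# Accept only four decimal octets, each 0..255. The body runs in a subshell
# so that the IFS change used for splitting does not leak to the caller.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# ipparam is free-form text from the options; allow a conservative
# character set (a site policy chosen for this example).
valid_ipparam() {
    case "$1" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 64 ]
}

# Arguments: interface-name tty-device speed local-IP remote-IP ipparam
ip_args_ok() {
    [ $# -ge 5 ] || return 1
    valid_ifname "$1" && valid_ipv4 "$4" && valid_ipv4 "$5" &&
        valid_ipparam "${6-}"
}

ip_script_main() {
    if ! ip_args_ok "$@"; then
        logger -t ppp-ip -p daemon.warning "rejected arguments (uid ${ORIG_UID:-unknown})"
        return 1
    fi
    logger -t ppp-ip -p daemon.info "$1: local $4 remote $5 peer ${PEERNAME:-none}"
    # Site-specific commands follow; keep "$1" "$4" "$5" "$6" quoted.
}

# Run only when installed under one of the names pppd invokes.
case "${0##*/}" in
    ip-up|ip-down) ip_script_main "$@" ;;
esac
```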
1373 | .SH FILES |
---|
1374 | .TP |
---|
1375 | .B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others) |
---|
1376 | Process-ID for pppd process on ppp interface unit \fIn\fR. |
---|
1377 | .TP |
---|
1378 | .B /var/run/ppp-\fIname\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp-\fIname\fB.pid \fR(others) |
---|
1379 | Process-ID for pppd process for logical link \fIname\fR (see the |
---|
1380 | \fIlinkname\fR option). |
---|
1381 | .TP |
---|
1382 | .B /etc/ppp/pap-secrets |
---|
1383 | Usernames, passwords and IP addresses for PAP authentication. This |
---|
1384 | file should be owned by root and not readable or writable by any other |
---|
1385 | user. Pppd will log a warning if this is not the case. |
---|
1386 | .TP |
---|
1387 | .B /etc/ppp/chap-secrets |
---|
1388 | Names, secrets and IP addresses for CHAP authentication. As for |
---|
1389 | /etc/ppp/pap-secrets, this file should be owned by root and not |
---|
1390 | readable or writable by any other user. Pppd will log a warning if |
---|
1391 | this is not the case. |
---|
1392 | .TP |
---|
1393 | .B /etc/ppp/options |
---|
1394 | System default options for pppd, read before user default options or |
---|
1395 | command-line options. |
---|
1396 | .TP |
---|
1397 | .B ~/.ppprc |
---|
1398 | User default options, read before /etc/ppp/options.\fIttyname\fR. |
---|
1399 | .TP |
---|
1400 | .B /etc/ppp/options.\fIttyname |
---|
1401 | System default options for the serial port being used, read after |
---|
1402 | ~/.ppprc. In forming the \fIttyname\fR part of this |
---|
1403 | filename, an initial /dev/ is stripped from the port name (if |
---|
1404 | present), and any slashes in the remaining part are converted to |
---|
1405 | dots. |
---|
1406 | .TP |
---|
1407 | .B /etc/ppp/peers |
---|
1408 | A directory containing options files which may contain privileged |
---|
1409 | options, even if pppd was invoked by a user other than root. The |
---|
1410 | system administrator can create options files in this directory to |
---|
1411 | permit non-privileged users to dial out without requiring the peer to |
---|
1412 | authenticate, but only to certain trusted peers. |
---|
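The ownership and mode rule stated above for pap-secrets and chap-secrets can be checked before pppd has a chance to log its warning. The functions below are an added example, not part of the ppp distribution; their names and the optional directory and uid arguments are assumptions made so the check can be exercised on a copy of the files.

```shell
#!/bin/sh
# Added example: check the ownership and mode rule for the secrets files.

# secrets_file_ok PATH [UID]: succeed only if PATH is a regular file (not a
# symlink) owned by UID (default 0, root) with no group or other access bits.
secrets_file_ok() {
    [ -n "$(find "$1" -prune -type f -user "${2:-0}" \
        ! -perm -040 ! -perm -020 ! -perm -010 \
        ! -perm -004 ! -perm -002 ! -perm -001 2>/dev/null)" ]
}

# audit_ppp_secrets [DIR] [UID]: report each secrets file that breaks the
# rule and return the number of failures. A file that does not exist is
# skipped, since a site may use only one authentication method.
audit_ppp_secrets() {
    dir=${1:-/etc/ppp}
    failures=0
    for name in pap-secrets chap-secrets; do
        [ -e "$dir/$name" ] || [ -L "$dir/$name" ] || continue
        if ! secrets_file_ok "$dir/$name" "${2:-0}"; then
            echo "WARNING: $dir/$name must be a regular file owned by uid ${2:-0}" \
                 "with no access for group or others"
            ls -ldn "$dir/$name"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```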
1413 | .SH SEE ALSO |
---|
1414 | .TP |
---|
1415 | .B RFC1144 |
---|
1416 | Jacobson, V. |
---|
1417 | \fICompressing TCP/IP headers for low-speed serial links.\fR |
---|
1418 | February 1990. |
---|
1419 | .TP |
---|
1420 | .B RFC1321 |
---|
1421 | Rivest, R. |
---|
1422 | .I The MD5 Message-Digest Algorithm. |
---|
1423 | April 1992. |
---|
1424 | .TP |
---|
1425 | .B RFC1332 |
---|
1426 | McGregor, G. |
---|
1427 | .I PPP Internet Protocol Control Protocol (IPCP). |
---|
1428 | May 1992. |
---|
1429 | .TP |
---|
1430 | .B RFC1334 |
---|
1431 | Lloyd, B.; Simpson, W.A. |
---|
1432 | .I PPP authentication protocols. |
---|
1433 | October 1992. |
---|
1434 | .TP |
---|
1435 | .B RFC1661 |
---|
1436 | Simpson, W.A. |
---|
1437 | .I The Point\-to\-Point Protocol (PPP). |
---|
1438 | July 1994. |
---|
1439 | .TP |
---|
1440 | .B RFC1662 |
---|
1441 | Simpson, W.A. |
---|
1442 | .I PPP in HDLC-like Framing. |
---|
1443 | July 1994. |
---|
1444 | .TP |
---|
1445 | .B RFC2472 |
---|
1446 | Haskin, D. |
---|
1447 | .I IP Version 6 over PPP. |
---|
1448 | December 1998. |
---|
1449 | .SH NOTES |
---|
1450 | The following signals have the specified effect when sent to pppd. |
---|
1451 | .TP |
---|
1452 | .B SIGINT, SIGTERM |
---|
1453 | These signals cause pppd to terminate the link (by closing LCP), |
---|
1454 | restore the serial device settings, and exit. |
---|
1455 | .TP |
---|
1456 | .B SIGHUP |
---|
1457 | This signal causes pppd to terminate the link, restore the serial |
---|
1458 | device settings, and close the serial device. If the \fIpersist\fR or |
---|
1459 | \fIdemand\fR option has been specified, pppd will try to reopen the |
---|
1460 | serial device and start another connection (after the holdoff period). |
---|
1461 | Otherwise pppd will exit. If this signal is received during the |
---|
1462 | holdoff period, it causes pppd to end the holdoff period immediately. |
---|
1463 | .TP |
---|
1464 | .B SIGUSR1 |
---|
1465 | This signal toggles the state of the \fIdebug\fR option. |
---|
1466 | .TP |
---|
1467 | .B SIGUSR2 |
---|
1468 | This signal causes pppd to renegotiate compression. This can be |
---|
1469 | useful to re-enable compression after it has been disabled as a result |
---|
1470 | of a fatal decompression error. (Fatal decompression errors generally |
---|
1471 | indicate a bug in one or other implementation.) |
---|
1472 | |
---|
1473 | .SH AUTHORS |
---|
1474 | Paul Mackerras (Paul.Mackerras@cs.anu.edu.au), based on earlier work by |
---|
1475 | Drew Perkins, |
---|
1476 | Brad Clements, |
---|
1477 | Karl Fox, |
---|
1478 | Greg Christy, |
---|
1479 | and |
---|
1480 | Brad Parker. |
---|