Source-Changes-HG archive


[src/trunk]: src/usr.sbin/pppd/doc new docs



details:   https://anonhg.NetBSD.org/src/rev/de898c5a1840
branches:  trunk
changeset: 475755:de898c5a1840
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Aug 25 03:10:28 1999 +0000

description:
new docs

diffstat:

 usr.sbin/pppd/doc/FAQ    |  116 ++++++++++++++++-----
 usr.sbin/pppd/doc/README |  246 ++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 317 insertions(+), 45 deletions(-)

diffs (truncated from 480 to 300 lines):

diff -r 3880a7622cdc -r de898c5a1840 usr.sbin/pppd/doc/FAQ
--- a/usr.sbin/pppd/doc/FAQ     Wed Aug 25 03:00:12 1999 +0000
+++ b/usr.sbin/pppd/doc/FAQ     Wed Aug 25 03:10:28 1999 +0000
@@ -11,22 +11,24 @@
 /dev/tty02.  The modem uses hardware (CTS/RTS) flow control, and the
 serial port is run at 38400 baud.  The ISP assigns our IP address.
 
-The ppp connection is initiated by running the following script,
-called (say) dial-isp, and placed somewhere in your path:
+To configure pppd for this connection, create a file under
+/etc/ppp/peers called (say) my-isp containing the following:
+
+tty02 crtscts 38400
+connect 'chat -v -f /etc/ppp/chat/my-isp'
+defaultroute
 
-#!/bin/sh
-PATH=/usr/sbin:$PATH
-pppd tty02 crtscts 38400 connect 'chat -v -f /etc/ppp/chat-isp' \
-  defaultroute
+The ppp connection is then initiated using the following command:
+
+pppd call my-isp
 
-(Don't forget to make the script executable with `chmod +x dial-isp'.)
-On some systems, you will need to change /usr/sbin to /usr/local/bin
-or /usr/local/etc (wherever the pppd and chat binaries have been
-installed.)
+Of course, if the directory containing pppd is not in your path, you
+will need to give the full pathname for pppd, for example,
+/usr/sbin/pppd.
 
 When you run this, pppd will use the chat program to dial the ISP and
 invoke its ppp service.  Chat will read the file specified with -f,
-namely /etc/ppp/chat-isp, to find a list of strings to expect to
+namely /etc/ppp/chat/my-isp, to find a list of strings to expect to
 receive, and strings to send.  This file would contain something like
 this:
 
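Review bot: the new text at "Of course, if the directory containing pppd is not in your path" only covers the pppd binary, but the `connect 'chat -v -f /etc/ppp/chat/my-isp'` line still invokes chat by bare name, and the removed text was the only place that told the reader where chat lives. Since the connect command is executed by pppd rather than from the user's shell, either give the full path (e.g. `connect '/usr/sbin/chat -v -f /etc/ppp/chat/my-isp'`) in the peers file or keep a sentence saying chat must be found on pppd's PATH.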
@@ -83,7 +85,7 @@
 /etc/ppp/options contains:
 
 auth           # require the peer to authenticate itself
-usehostname    # only use our hostname for looking up peer's secret
+lock
 # other options can go here if desired
 
 /etc/ppp/chap-secrets contains:
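Review bot: the replaced line `usehostname    # only use our hostname for looking up peer's secret` carried an inline comment, but the new `lock` line has none, which breaks the pattern of the surrounding example (`auth` and the "other options" line are both commented). Suggest `lock           # create a lock file for the serial device` so the reader knows why it appears in a security-oriented options file.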
@@ -103,17 +105,15 @@
 home   office  "beware the frub-jub"   -
 office home    "bird, my son!%&*"      office
 
-Create a script called /etc/ppp/dial-office containing the following,
-and make it executable:
+Create a file called /etc/ppp/peers/office containing the following:
 
-#!/bin/sh
-PATH=/usr/sbin:$PATH
-pppd tty02 crtscts 38400 connect 'chat -v -f /etc/ppp/chat-office' \
-  defaultroute
+tty02 crtscts 38400
+connect 'chat -v -f /etc/ppp/chat/office'
+defaultroute
 
 (You may need to change some of the details here.)
 
-Create the /etc/ppp/chat-office file containing the following:
+Create the /etc/ppp/chat/office file containing the following:
 
 ABORT "NO CARRIER"
 ABORT "NO DIALTONE"
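Review bot: "(You may need to change some of the details here.)" now follows a three-line options file rather than a script, and it does not say which details are meant; suggest naming them (the tty device, the speed, and the chat file path under /etc/ppp/chat) so the reader does not blindly copy `tty02 crtscts 38400`.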
@@ -133,6 +133,9 @@
 second-last line is expecting the shell prompt after a successful
 login - you may need to change it to "%" or something else.
 
+You then initiate the connection (from home) with the command:
+
+pppd call office
 
 ------------------------------------------------------------------------
 
@@ -230,19 +233,23 @@
 message saying something like "peer authentication required but no
 authentication files accessible".
 
-A: When pppd is installed on a machine which already has a connection
-to the Internet (or to be more precise, one which has a default route
-in its routing table), it is set up to require all peers to
-authenticate themselves.  The reason for this is that if you don't
-require authentication, you have a security hole, because the peer can
+A: When pppd is used on a machine which already has a connection to
+the Internet (or to be more precise, one which has a default route in
+its routing table), it will require all peers to authenticate
+themselves.  The reason for this is that if you don't require
+authentication, you have a security hole, because the peer can
 basically choose any IP address it wants, even the IP address of some
 trusted host (for example, a host mentioned in some .rhosts file).
 
-On machines which don't have a default route, the default ppp
-installation does not require the peer to authenticate itself.  The
-reason is that such machines would mostly be using pppd to dial out to
-an ISP which will refuse to authenticate itself.  (Yes, it's still a
-security hole, which will hopefully be fixed in the next version.)
+On machines which don't have a default route, pppd does not require
+the peer to authenticate itself.  The reason is that such machines
+would mostly be using pppd to dial out to an ISP which will refuse to
+authenticate itself.  In that case the peer can use any IP address as
+long as the system does not already have a route to that address.
+For example, if you have a local ethernet network, the peer can't use
+an address on that network.  (In fact it could if it authenticated
+itself and it was permitted to use that address by the pap-secrets or
+chap-secrets file.)
 
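Review bot: the added sentence "the peer can use any IP address as long as the system does not already have a route to that address" is the security-relevant rule of this hunk, but the following example only covers the local ethernet case; it would help to state the general consequence explicitly, namely that without a default route an unauthenticated peer can still claim any address the machine has no route to, which is why the answer's three workarounds below still matter on dial-out-only hosts. The parenthetical "(In fact it could if it authenticated itself ...)" reads as an afterthought; consider folding it into the main sentence as "unless it authenticates itself and the pap-secrets or chap-secrets entry permits that address".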
 There are 3 ways around the problem:
 
@@ -261,12 +268,12 @@
 example above with the IP address(es) that the peer may use.  You can
 use either hostnames or numeric IP addresses.
 
-3. You can remove the `auth' option from the /etc/ppp/options file.
+3. You can add the `noauth' option to the /etc/ppp/options file.
 Pppd will then not ask the peer to authenticate itself.  If you do
 this, I *strongly* recommend that you remove the set-uid bit from the
 permissions on the pppd executable, with a command like this:
 
-       chmod u-s /usr/local/etc/pppd
+       chmod u-s /usr/sbin/pppd
 
 Then, an intruder could only use pppd maliciously if they had already
 become root, in which case they couldn't do any more damage using pppd
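Review bot: the changed item now says "add the `noauth' option to the /etc/ppp/options file", but the example /etc/ppp/options earlier in this FAQ still lists `auth`; the text should say whether `auth` is to be removed as well or whether a later `noauth` overrides it, otherwise a reader may end up with both in the same file and no clear idea which wins. The `chmod u-s /usr/sbin/pppd` path change is consistent with the /usr/sbin/pppd path given in the first hunk.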
@@ -578,3 +585,50 @@
 hosts on your local LAN listed, and /etc/resolv.conf and/or
 /etc/nsswitch.conf files to make sure you resolve hostnames from
 /etc/hosts if possible before trying to contact a nameserver.
+
+
+------------------------------------------------------------------------
+
+Q: Since I installed ppp-2.3.6, dialin users to my server have been
+getting this message when they run pppd:
+
+peer authentication required but no suitable secret(s) found for 
+authenticating any peer to us (ispserver)
+
+A: In 2.3.6, the default is to let an unauthenticated peer only use IP
+addresses to which the machine doesn't already have a route.  So on a
+machine with a default route, everyone has to authenticate.  If you
+really don't want that, you can put `noauth' in the /etc/ppp/options
+file.  Note that there is then no check on who is using which IP
+address.  IMHO, this is undesirably insecure, but I guess it may be
+tolerable as long as you don't use any .rhosts files or anything like
+that.  I recommend that you require dialin users to authenticate, even
+if just with PAP using their login password (using the `login' option
+to pppd).  If you do use `noauth', you should at least have a pppusers
+group and set the permissions on pppd to allow only user and group to
+execute it.
+
+------------------------------------------------------------------------
+
+Q: When running pppd as a dial-in server, I often get the message
+"LCP: timeout sending Config-Requests" from pppd.  It seems to be
+random, but dial-out always works fine.  What is wrong?
+
+A: Most modern modems auto-detects the speed of the serial line
+between the modem and the computer.  This auto-detection occurs when
+the computer sends characters to the modem, when the modem is in
+command mode.  It does not occur when the modem is in data mode.
+Thus, if you send commands to the modem at 2400 bps, and then change
+the serial port speed to 115200 bps, the modem will not detect this
+change until something is transmitted from the computer to the modem.
+When running pppd in dial-in mode (i.e. without a connect script),
+pppd sets the speed of the serial port, but does not transmit
+anything.  If the modem was already running at the specified speed,
+everything is fine, but if not, you will just receive garbage from the
+modem.  To cure this, use an init script such as the following:
+
+       pppd ttyS0 115200 modem crtscts init "chat '' AT OK"
+
+To reset the modem and enable auto-answer, use:
+
+       pppd ttyS0 115200 modem crtscts init "chat '' ATZ OK ATS0=1 OK"
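Review bot: the two `init` examples use the Linux device name ttyS0 while every other example in this FAQ (and this is the NetBSD copy of the file) uses tty02; suggest `pppd tty02 115200 modem crtscts init "chat '' AT OK"` or a remark that the device name is system-dependent. Two smaller points in the same hunk: "Most modern modems auto-detects" should read "auto-detect", and the dial-in answer could state plainly that `init` runs before pppd listens, which is what distinguishes it from the `connect` option mentioned in the README. The recommendation to keep a pppusers group and execute permission restricted when using `noauth` is a sound mitigation and worth cross-referencing from the `chmod u-s` answer above.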
diff -r 3880a7622cdc -r de898c5a1840 usr.sbin/pppd/doc/README
--- a/usr.sbin/pppd/doc/README  Wed Aug 25 03:00:12 1999 +0000
+++ b/usr.sbin/pppd/doc/README  Wed Aug 25 03:10:28 1999 +0000
@@ -34,19 +34,21 @@
 that system.  The supported systems, and the corresponding README
 files, are:
 
+       Linux                           README.linux
+       Solaris 2                       README.sol2
        Digital Unix (OSF/1)            README.osf
-       Linux                           README.linux
        NetBSD, FreeBSD                 README.bsd
        NeXTStep                        README.next
-       Solaris 2                       README.sol2
        SunOS 4.x                       README.sunos4
        System V Release 4              README.svr4
        Ultrix 4.x                      README.ultrix
 
-Unfortunately, AIX 4 is no longer supported, since I don't have a
-maintainer for the AIX 4 port.  If you want to volunteer, contact me.
-The Ultrix port is untested, as I no longer have access to an Ultrix
-box.
+In fact, only the Linux and Solaris 2 ports have been tested in this
+release.  Code for the other systems is still included; if you use it,
+let me know how it works.  If I don't hear from anyone it will
+probably get dropped in a subsequent release.  AIX 4 is no longer
+supported, since I don't have a maintainer for the AIX 4 port.  If you
+want to volunteer, contact me.
 
 In each case you start by running the ./configure script.  This works
 out which operating system you are using and creates symbolic links to
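Review bot: moving Linux and Solaris 2 to the top of the table breaks the alphabetical order the rest of the list keeps, and the table itself gives no reason for the new order; the explanation lives only in the paragraph below ("only the Linux and Solaris 2 ports have been tested in this release"). Either restore alphabetical order and let the paragraph carry the point, or mark the two tested entries in the table (e.g. "(tested)") so the ordering is self-explanatory.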
@@ -67,9 +69,210 @@
 authenticating itself to you, of course.)
 
 
-What's new in ppp-2.3.4.
+What's new in ppp-2.3.9.
 ************************
 
+* Support for the new generic PPP layer under development for the
+  Linux kernel.
+
+* You can now place extra options to apply to specific users at the
+  end of the line with their password in the pap-secrets or
+  chap-secrets file, separated from the IP address(es) with a "--"
+  separator.  These options are parsed after the peer is authenticated
+  but before network protocol (IPCP, IPXCP) or CCP negotiation
+  commences.
+
+* Pppd will apply the holdoff period if the link was terminated by the
+  peer.  It doesn't apply it if the link was terminated because the
+  local pppd thought it was idle.
+
+* Synchronous support for Solaris has been added, thanks to John
+  Morrison, and for FreeBSD, thanks to Paul Fulghum.
+
+* IPV6 support has been merged in, from Tommi Komulainen.  At the
+  moment it only supports Linux and it is not tested by me.
+
+* The `nodefaultip' option can be used in demand mode to say that pppd
+  should not suggest its local IP address to the peer.
+
+* The `init' option has been added; this causes pppd to run a script
+  to initialize the serial device (e.g. by sending an init string to
+  the modem).  Unlike the connect option, this can be used in a
+  dial-in situation.  (Thanks to Tobias Ringstrom.)
+
+* There is a new `logfile' option to send log messages to a file as
+  well as syslog.
+
+* There is a new, privileged `linkname' option which sets a logical
+  name for the link.  Pppd will create a /var/run/ppp-<linkname>.pid
+  file containing its process ID.
+
+* There is a new `maxfail' option which specifies how many consecutive
+  failed connection attempts are permitted before pppd will exit.  The
+  default value is 10, and 0 means infinity. :-)
+
+* Sundry bugs fixed.
+
+
+What was new in ppp-2.3.8.
+**************************
+
+* The exit status of pppd will now indicate whether the link was
+  successfully established, or if not, what error was encountered.
+
+* Pppd has two new options: fdlog <n> will send log messages to file
+  descriptor <n> instead of standard output, and nofdlog will stop log
+  messages from being sent to any file descriptor (they will still be
+  sent to syslog).  Pppd now will not send log messages to a file
+  descriptor if the serial port is open on that file descriptor.
+
+* Pppd sets an environment variable called PPPLOGNAME for scripts that
+  it runs, indicating the login name of the user who invoked pppd.
+
+* Pppd sets environment variables CONNECT_TIME, BYTES_SENT and
+  BYTES_RCVD for the ip-down and auth-down scripts indicating the
+  statistics for the connection just terminated.  (CONNECT_TIME is in
+  seconds.)
+
+* If the user has the serial device open on standard input and
+  specifies a symbolic link to the serial device on the command line,
+  pppd will detect this and behave correctly (i.e. not detach from its
+  controlling terminal).  Furthermore, if the serial port is open for
+  reading and writing on standard input, pppd will assume that it is
+  locked by its invoker and not lock it itself.
+
+* Chat now has a feature where if a string to be sent begins with an
+  at sign (@), the rest of the string is taken as the name of a file
+  (regular file or named pipe), and the actual string to send is taken
+  from that file.
+
+* Support for FreeBSD-2.2.8 and 3.0 has been added, thanks to Paul
+  Fulghum.
+
+* The Tru64 (aka Digital Unix aka OSF/1) port has been updated.
+
+* The system panics on Solaris SMP systems related to PPP connections
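Review bot: the `logfile` entry says only that it sends log messages to a file; given that pppd is installed set-uid (as the FAQ's `chmod u-s` answer notes), the entry should state whether an unprivileged invoker may use it and with whose privileges the file is opened, the way the `linkname` entry is explicitly marked "privileged" with its /var/run/ppp-<linkname>.pid side effect. Likewise the pap-secrets/chap-secrets "--" extra-options feature should say which options are accepted there, since these entries are applied per peer after authentication. The final bullet ("The system panics on Solaris SMP systems ...") is cut off because the archive truncated the diff at 300 lines, so the rest of this hunk could not be reviewed here.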


