.\" $OpenBSD: pppd.8,v 1.30 2005/01/31 09:50:29 jmc Exp $
.\" Id: pppd.8,v 1.27 1998/03/31 04:31:08 paulus Exp $
.\"
.\" Copyright (c) 1993-2003 Paul Mackerras <paulus@samba.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THIS SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd March 31, 1998
.Dt PPPD 8
.Os
.Sh NAME
.Nm pppd
.Nd Point-to-Point Protocol daemon
.Sh SYNOPSIS
.Nm pppd
.Op Ar tty_name
.Op Ar speed
.Op Ar options
.Sh DESCRIPTION
PPP is the protocol used for establishing internet links over dial-up
modems, DSL connections, and many other types of point-to-point links.
The
.Nm
daemon works together with the kernel
.Xr ppp 4
driver to establish and maintain a PPP link with another system
(called the
.Em peer )
and to negotiate Internet Protocol (IP) addresses for each end of the link.
.Nm
can also authenticate the peer and/or supply authentication information
to the peer.
PPP can be used with other network protocols besides IP, but such use
is becoming increasingly rare.
.Sh FREQUENTLY USED OPTIONS
.Bl -tag -width Ds
.It Ar tty_name
Use the serial port called
.Ar ttyname
to communicate with the peer.
The string
.Dq /dev/
is prepended to
.Ar ttyname
to form the name of the device to open.
If no device name is given, or if the name of the terminal
connected to the standard input is given,
.Nm
will use that terminal, and will not fork to put itself in the background.
This option is privileged if the
.Cm noauth
option is used.
.It Ar speed
An option that is a decimal number is taken as the desired baud rate
for the serial device.
On systems such as
.Bx 4.4
and
.Ox ,
any speed can be specified.
Other systems (e.g., Linux, SunOS) only support the commonly used
baud-rates.
.It Cm active-filter Ar filter-expression
Specifies a packet filter to be applied to data packets to determine
which packets are to be regarded as link activity, and therefore reset
the idle timer, or cause the link to be brought up in demand-dialling
mode.
This option is useful in conjunction with the
.Cm idle
option if there are packets being sent or received regularly over the link
(for example, routing information packets)
which would otherwise prevent the link from ever appearing to be idle.
The
.Ar filter-expression
syntax is as described for
.Xr tcpdump 8 ,
except that qualifiers which are inappropriate for a PPP link, such as
.Ar ether
and
.Ar arp ,
are not permitted.
Generally the filter expression should be enclosed in single quotes to
prevent whitespace in the expression from being interpreted by the shell.
This option is currently only available under
.Ox ,
and then only if both the kernel and
.Nm
were compiled with
.Dv PPP_FILTER
defined.
.It Cm asyncmap Ar map
This option sets the Async-Control-Character-Map (ACCM) for this end
of the link.
The ACCM is a set of 32 bits, one for each of the ASCII control characters
with values from 0 to 31, where a 1 bit indicates that the corresponding
control character should not be used in PPP packets sent to this system.
The map is encoded as a hexadecimal number (without a leading 0x) where the
least significant bit (00000001) represents character 0 and the
most significant bit (80000000) represents character 31.
.Nm
will ask the peer to send these characters as a 2-byte escape sequence.
If multiple
.Cm asyncmap
options are given, the values are ORed together.
If no
.Cm asyncmap
option is given, no async character map will be negotiated for the receive
direction; the peer should then escape
.Em all
control characters.
To escape transmitted characters, use the
.Cm escape
option.
.It Cm auth
Require the peer to authenticate itself before allowing network
packets to be sent or received.
.Pp
.It Cm call Ar name
Read options from the file
.Pa /etc/ppp/peers/name .
This file may contain privileged options, such as
.Cm noauth ,
even if
.Nm
is not being run by root.
The
.Ar name
string may not begin with
.Qq /
or include
.Qq ..
as a pathname component.
The format of the options file is described below.
.It Cm connect Ar script
Usually there is something which needs to be done to prepare the link
before the PPP protocol can be started; for instance, with a dial-up
modem, commands need to be sent to the modem to dial the appropriate
phone number.
This option specifies a command for
.Nm
to execute (by passing it to a shell) before attempting to start PPP
negotiation.
The
.Xr chat 8
program is often useful here, as it provides a way to send arbitrary strings
to a modem and respond to received characters.
This option is privileged if the
.Cm noauth
option is used.
.It Cm crtscts
Specifies that
.Nm
should set the serial port to use hardware flow control using the RTS and CTS
signals in the RS-232 interface.
If neither the
.Cm crtscts
nor the
.Cm nocrtscts
option is given, the hardware flow control setting for the serial port
is left unchanged.
.It Cm defaultroute
Add a default route to the system routing tables, using the peer as
the gateway, when IPCP negotiation is successfully completed.
This entry is removed when the PPP connection is broken.
This option is privileged if the
.Cm nodefaultroute
option has been specified.
.It Cm disconnect Ar script
Execute the command specified by
.Ar script ,
by passing it to a shell,
after
.Nm
has terminated the link.
This command could, for example, issue commands to the modem to cause it
to hang up if hardware modem control signals were not available.
The disconnect script is not run if the modem has already hung up.
This option is privileged if the
.Cm noauth
option is used.
.It Cm escape Ar xx,yy,...
Specifies that certain characters should be escaped on transmission
(regardless of whether the peer requests them to be escaped with its
async control character map).
The characters to be escaped are specified as a list of hex numbers
separated by commas.
Note that almost any character can be specified for the
.Cm escape
option, unlike the
.Cm asyncmap
option which only allows control characters to be specified.
The characters which may not be escaped are those with hex values
0x20 \- 0x3f or 0x5e.
.It Cm file Ar name
Read options from file
.Ar name
(the format is described below).
The file must be readable by the user who has invoked
.Nm pppd .
.It Cm lock
Specifies that
.Nm
should create a UUCP-style lock file for the
serial device to ensure exclusive access to the device.
.It Cm mru Ar n
Set the MRU (Maximum Receive Unit) value to
.Ar n .
.Nm
will ask the peer to send packets of no more than
.Ar n
bytes.
The value of
.Ar n
must be between 128 and 16384; the default is 1500.
A value of 296 works well on very slow links
(40 bytes for TCP/IP header + 256 bytes of data).
Note that for the IPv6 protocol, the MRU must be at least 1280.
.It Cm mtu Ar n
Set the MTU (Maximum Transmit Unit) value to
.Ar n .
Unless the peer requests a smaller value via MRU negotiation,
.Nm
will request that the kernel networking code send data packets of no more than
.Ar n
bytes through the PPP network interface.
Note that for the IPv6 protocol, the MTU must be at least 1280.
.It Cm passive
Enables the
.Qq passive
option in the LCP.
With this option,
.Nm
will attempt to initiate a connection; if no reply is received from the peer,
.Nm
will then just wait passively for a valid LCP packet from the peer,
instead of exiting, as it would without this option.
.El
.Sh OPTIONS
.Bl -tag -width Ds
.It Xo
.Oo Ar local_IP_address Oc : Ns
.Op Ar remote_IP_address
.Xc
Set the local and/or remote interface IP addresses.
Either one may be omitted.
The IP addresses can be specified with a host name or in
decimal dot notation (e.g., 150.234.56.78).
The default local address is the (first) IP address of the system (unless the
.Cm noipdefault
option is given).
The remote address will be obtained from the peer
if not specified in any option.
Thus, in simple cases, this option is not required.
If a local and/or remote IP address is specified with this option,
.Nm
will not accept a different value from the peer in the IPCP negotiation,
unless the
.Cm ipcp-accept-local
and/or
.Cm ipcp-accept-remote
options are given, respectively.
.It Cm bsdcomp Ar nr,nt
Request that the peer compress packets that it sends, using the
BSD-Compress scheme, with a maximum code size of
.Ar nr
bits, and agree to compress packets sent to the peer with
a maximum code size of
.Ar nt
bits.
If
.Ar nt
is not specified, it defaults to the value given for
.Ar nr .
Values in the range 9 to 15 may be used for
.Ar nr
and
.Ar nt ;
larger values give better compression but
consume more kernel memory for compression dictionaries.
Alternatively, a value of 0 for
.Ar nr
or
.Ar nt
disables compression in the corresponding direction.
.Cm nobsdcomp
or
.Cm bsdcomp 0
disables BSD-Compress compression entirely.
.It Cm chap-interval Ar n
If this option is given,
.Nm
will rechallenge the peer every
.Ar n
seconds.
.It Cm chap-max-challenge Ar n
Set the maximum number of CHAP challenge transmissions to
.Ar n
(default 10).
.It Cm chap-restart Ar n
Set the CHAP restart interval (retransmission timeout for challenges) to
.Ar n
seconds (default 3).
.It Cm debug
Enables connection debugging facilities.
If this option is given,
.Nm
will log the contents of all control packets sent or received in a
readable form.
The packets are logged through
.Xr syslogd 8
with facility
.Ar daemon
and level
.Ar debug .
This information can be directed to a file by setting up
.Pa /etc/syslog.conf
appropriately (see
.Xr syslog.conf 5 ) .
.It Cm default-asyncmap
Disable asyncmap negotiation, forcing all control characters to be
escaped for both the transmit and the receive direction.
.It Cm default-mru
Disable MRU (Maximum Receive Unit) negotiation.
With this option,
.Nm
will use the default MRU value of 1500 bytes for both the
transmit and receive direction.
.It Cm deflate Ar nr,nt
Request that the peer compress packets that it sends, using the
Deflate scheme, with a maximum window size of
.Ar 2**nr
bytes, and agree to compress packets sent to the peer with
a maximum window size of
.Ar 2**nt
bytes.
If
.Ar nt
is not specified, it defaults to the value given for
.Ar nr .
Values in the range 8 to 15 may be used for
.Ar nr
and
.Ar nt ;
larger values give better compression but consume more kernel memory
for compression dictionaries.
Alternatively, a value of 0 for
.Ar nr
or
.Ar nt
disables compression in the corresponding direction.
Use
.Cm nodeflate
or
.Cm deflate 0
to disable Deflate compression entirely.
(Note:
.Nm
requests Deflate compression in preference to BSD-Compress if the peer
can do either.)
.It Cm demand
Initiate the link only on demand, i.e., when data traffic is present.
With this option, the remote IP address must be specified by the user
on the command line or in an options file.
.Nm
will initially configure the interface and enable it for IP traffic without
connecting to the peer.
When traffic is available,
.Nm
will connect to the peer and perform negotiation, authentication, etc.
When this is completed,
.Nm
will commence passing data packets (i.e., IP packets) across the link.
.Pp
The
.Cm demand
option implies the
.Cm persist
option.
If this behaviour is not desired, use the
.Cm nopersist
option after the
.Cm demand
option.
The
.Cm idle
and
.Cm holdoff
options are also useful in conjunction with the
.Cm demand
option.
.It Cm domain Ar d
Append the domain name
.Ar d
to the local host name for authentication purposes.
For example, if
.Xr gethostname 3
returns the name porsche, but the fully qualified domain name is
porsche.Quotron.COM, you could specify
.Cm domain Quotron.COM .
.Nm
would then use the name
.Ar porsche.Quotron.COM
for looking up secrets in the secrets file, and as the default name to
send to the peer when authenticating itself to the peer.
This option is privileged.
.It Cm holdoff Ar n
Specifies how many seconds to wait before re-initiating the link after
it terminates.
This option only has any effect if the
.Cm persist
or
.Cm demand
option is used.
The holdoff period is not applied if the link was terminated
because it was idle.
.It Cm idle Ar n
Specifies that
.Nm
should disconnect if the link is idle for
.Ar n
seconds.
The link is idle when no data packets (i.e., IP packets) are
being sent or received.
Note: it is not advisable to use this option with the
.Cm persist
option without the
.Cm demand
option.
If the
.Cm active-filter
option is given, data packets which are rejected by the specified
activity filter also count as the link being idle.
.It Cm ipcp-accept-local
With this option,
.Nm
will accept the peer's idea of our local IP address,
even if the local IP address was specified in an option.
.It Cm ipcp-accept-remote
With this option,
.Nm
will accept the peer's idea of its (remote) IP address,
even if the remote IP address was specified in an option.
.It Cm ipcp-max-configure Ar n
Set the maximum number of IPCP configure-request transmissions to
.Ar n
(default 10).
.It Cm ipcp-max-failure Ar n
Set the maximum number of IPCP configure-NAKs returned before starting
to send configure-Rejects to
.Ar n
(default 10).
.It Cm ipcp-max-terminate Ar n
Set the maximum number of IPCP terminate-request transmissions to
.Ar n
(default 3).
.It Cm ipcp-restart Ar n
Set the IPCP restart interval (retransmission timeout) to
.Ar n
seconds (default 3).
.It Cm ipparam Ar string
Provides an extra parameter to the ip-up and ip-down scripts.
If this option is given, the
.Ar string
supplied is given as the 6th parameter to those scripts.
.It Cm ipx
Enable the IPXCP and IPX protocols.
This option is presently only supported under Linux,
and only if your kernel has been configured to include IPX support.
.It Cm ipx-network Ar n
Set the IPX network number in the IPXCP configure request frame to
.Ar n ,
a hexadecimal number (without a leading 0x).
There is no valid default.
If this option is not specified, the network number is obtained from the peer.
If the peer does not have the network number, the IPX protocol will not be
started.
.It Cm ipx-node Ar n Ns : Ns Ar m
Set the IPX node numbers.
The two node numbers are separated from each other with a colon character.
The first number
.Ar n
is the local node number.
The second number
.Ar m
is the peer's node number.
Each node number is a hexadecimal number, at most 10 digits long.
The node numbers on the ipx-network must be unique.
There is no valid default.
If this option is not specified then the node numbers are
obtained from the peer.
.It Cm ipx-router-name Op Ar string
Set the name of the router.
This is a string and is sent to the peer as information data.
.It Cm ipx-routing Ar n
Set the routing protocol to be received by this option.
More than one instance of
.Cm ipx-routing
may be specified.
The
.Sq Cm none
option (0) may be specified as the only instance of ipx-routing.
The values may be
.Ar 0
for NONE,
.Ar 2
for RIP/SAP, and
.Ar 4
for NLSP.
.It Cm ipxcp-accept-local
Accept the peer's NAK for the node number specified in the ipx-node option.
If a node number was specified, and non-zero, the default is
to insist that the value be used.
If you include this option then you will permit the peer to override
the entry of the node number.
.It Cm ipxcp-accept-network
Accept the peer's NAK for the network number specified in the
ipx-network option.
If a network number was specified, and non-zero,
the default is to insist that the value be used.
If you include this option then you will permit the peer to override
the entry of the node number.
.It Cm ipxcp-accept-remote
Use the peer's network number specified in the configure request frame.
If a node number was specified for the peer and this option was
not specified, the peer will be forced to use the value which you have
specified.
.It Cm ipxcp-max-configure Ar n
Set the maximum number of IPXCP configure request frames which the
system will send to
.Ar n .
The default is 10.
.It Cm ipxcp-max-failure Ar n
Set the maximum number of IPXCP NAK frames which the local system will
send before it rejects the options.
The default value is 3.
.It Cm ipxcp-max-terminate Ar n
Set the maximum number of IPXCP terminate request frames before the
local system considers that the peer is not listening to them.
The default value is 3.
.It Cm kdebug Ar n
Enable debugging code in the kernel-level PPP driver.
The argument
.Ar n
is a number which is the sum of the following values:
1 to enable general debug messages,
2 to request that the contents of received packets be printed,
and 4 to request that the contents of transmitted packets be printed.
On most systems, messages printed by the kernel are logged by
.Xr syslogd 8
to a file as directed in the
.Pa /etc/syslog.conf
configuration file.
.It Cm lcp-echo-failure Ar n
If this option is given,
.Nm
will presume the peer to be dead if
.Ar n
LCP echo-requests are sent without receiving a valid LCP echo-reply.
If this happens,
.Nm
will terminate the connection.
Use of this option requires a non-zero value for the
.Cm lcp-echo-interval
parameter.
This option can be used to enable
.Nm
to terminate after the physical connection has been broken
(e.g., the modem has hung up) in situations where no hardware modem
control lines are available.
.It Cm lcp-echo-interval Ar n
If this option is given,
.Nm
will send an LCP echo-request frame to the peer every
.Ar n
seconds.
Normally the peer should respond to the echo-request by sending an echo-reply.
This option can be used with the
.Cm lcp-echo-failure
option to detect that the peer is no longer connected.
.It Cm lcp-max-configure Ar n
Set the maximum number of LCP configure-request transmissions to
.Ar n
(default 10).
.It Cm lcp-max-failure Ar n
Set the maximum number of LCP configure-NAKs returned before starting
to send configure-Rejects to
.Ar n
(default 10).
.It Cm lcp-max-terminate Ar n
Set the maximum number of LCP terminate-request transmissions to
.Ar n
(default 3).
.It Cm lcp-restart Ar n
Set the LCP restart interval (retransmission timeout) to
.Ar n
seconds (default 3).
.It Cm local
Don't use the modem control lines.
With this option,
.Nm
will ignore the state of the CD (Carrier Detect) signal from the modem
and will not change the state of the DTR (Data Terminal Ready) signal.
.It Cm login
Use the system password database for authenticating the peer using
PAP, and record the user in the system wtmp file.
Note that the peer must have an entry in the
.Pa /etc/ppp/pap-secrets
file as well as the system password database to be allowed access.
.It Cm maxconnect Ar n
Terminate the connection when it has been available for network
traffic for
.Ar n
seconds (i.e.,
.Ar n
seconds after the first network control protocol comes up).
.It Cm modem
Use the modem control lines.
This option is the default.
With this option,
.Nm
will wait for the CD (Carrier Detect) signal from the
modem to be asserted when opening the serial device (unless a connect
script is specified), and it will drop the DTR (Data Terminal Ready)
signal briefly when the connection is terminated and before executing
the connect script.
On Ultrix, this option implies hardware flow control, as for the
.Cm crtscts
option.
.It Cm modem_chat
Use the modem control lines during the chat script.
The default is to ignore the state of the CD (Carrier Detect) signal
from the modem during the chat script.
If you are using a
.Xr cua 4
device (as opposed to a
.Xr tty 4
device)
you should set this option.
You should not use this option with a dialback setup as it will cause
the chat script to exit when carrier drops.
.It Cm ms-dns Op Ar addr
If
.Nm
is acting as a server for Microsoft Windows clients, this option allows
.Nm
to supply one or two DNS (Domain Name Server) addresses to the clients.
The first instance of this option specifies the primary DNS address;
the second instance (if given) specifies the secondary DNS address.
(This option was present in some older versions of
.Nm
under the name
.Cm dns-addr . )
.It Cm ms-wins Op Ar addr
If
.Nm
is acting as a server for Microsoft Windows or
.Qq Samba
clients,
this option allows
.Nm
to supply one or two WINS (Windows Internet Name Services) server addresses
to the clients.
The first instance of this option specifies the primary WINS address;
the second instance (if given) specifies the secondary WINS address.
.It Cm name Ar name
Set the name of the local system for authentication purposes to
.Ar name .
This is a privileged option.
With this option,
.Nm
will use lines in the secrets files which have
.Ar name
as the second field when looking for a secret to use
in authenticating the peer.
In addition, unless overridden with the
.Cm user
option,
.Ar name
will be used as the name to send to the peer when authenticating the
local system to the peer.
(Note that
.Nm
does not append the domain name to
.Ar name . )
.It Cm netmask Ar n
Set the interface netmask to
.Ar n ,
a 32-bit netmask in
.Dq decimal dot
notation (e.g. 255.255.255.0).
If this option is given, the value specified is ORed with the default netmask.
The default netmask is chosen based on the negotiated remote IP address;
it is the appropriate network mask for the class of the remote IP address,
ORed with the netmasks for any non point-to-point network interfaces in the
system which are on the same network.
(Note: on some platforms,
.Nm
will always use 255.255.255.255 for the netmask, if that is the only
appropriate value for a point-to-point interface.)
.It Cm noaccomp
Disable Address/Control compression in both directions (send and receive).
.It Cm noauth
Do not require the peer to authenticate itself.
This option is privileged if the
.Cm auth
option is specified in
.Pa /etc/ppp/options .
.It Cm nobsdcomp
Disables BSD-Compress compression;
.Nm
will not request or agree to compress packets using the BSD-Compress scheme.
.It Cm noccp
Disable CCP (Compression Control Protocol) negotiation.
This option should only be required if the peer is buggy and gets confused by
requests from
.Nm
for CCP negotiation.
.It Cm nocrtscts
Disable hardware flow control (i.e., RTS/CTS) on the serial port.
If neither the
.Cm crtscts
nor the
.Cm nocrtscts
option is given, the hardware flow control setting for the serial port
is left unchanged.
.It Cm nodefaultroute
Disable the
.Cm defaultroute
option.
The system administrator who wishes to prevent users from creating
default routes with
.Nm
can do so by placing this option in the
.Pa /etc/ppp/options
file.
.It Cm nodeflate
Disables Deflate compression;
.Nm
will not request or agree to compress packets using the Deflate scheme.
.It Cm nodetach
Don't detach from the controlling terminal.
Without this option, if a serial device other than the terminal
on the standard input is specified,
.Nm
will fork to become a background process.
.It Cm noip
Disable IPCP negotiation and IP communication.
This option should only be required if the peer is buggy and gets confused
by requests from
.Nm
for IPCP negotiation.
.It Cm noipdefault
Disables the default behaviour when no local IP address is specified,
which is to determine (if possible) the local IP address from the hostname.
With this option, the peer will have to supply the local IP
address during IPCP negotiation (unless it was specified explicitly
on the command line or in an options file).
.It Cm noipx
Disable the IPXCP and IPX protocols.
This option should only be required if the peer is buggy and gets confused
by requests from
.Nm
for IPXCP negotiation.
.It Cm nomagic
Disable magic number negotiation.
With this option,
.Nm
cannot detect a looped-back line.
This option should only be needed if the peer is buggy.
.It Cm nopcomp
Disable protocol field compression negotiation in both the receive and
the transmit direction.
.It Cm nopersist
Exit once a connection has been made and terminated.
This is the default unless the
.Cm persist
or
.Cm demand
option has been specified.
.It Cm nopredictor1
Do not accept or agree to Predictor-1 compression.
.It Cm noproxyarp
Disable the
.Cm proxyarp
option.
The system administrator who wishes to prevent users from creating
proxy ARP entries with
.Nm
can do so by placing this option in the
.Pa /etc/ppp/options
file.
.It Cm novj
Disable Van Jacobson style TCP/IP header compression in both the
transmit and the receive direction.
.It Cm novjccomp
Disable the connection-ID compression option in Van Jacobson style
TCP/IP header compression.
With this option,
.Nm
will not omit the connection-ID byte from Van Jacobson compressed
TCP/IP headers, nor ask the peer to do so.
.It Cm papcrypt
Indicates that all secrets in the
.Pa /etc/ppp/pap-secrets
file which are used for checking the identity of the peer are encrypted,
and thus
.Nm
should not accept a password which, before encryption,
is identical to the secret from the
.Pa /etc/ppp/pap-secrets
file.
.It Cm pap-max-authreq Ar n
Set the maximum number of PAP authenticate-request transmissions to
.Ar n
(default 10).
.It Cm pap-restart Ar n
Set the PAP restart interval (retransmission timeout) to
.Ar n
seconds (default 3).
.It Cm pap-timeout Ar n
Set the maximum time that
.Nm
will wait for the peer to authenticate itself with PAP to
.Ar n
seconds (0 means no limit).
.It Cm pass-filter Ar filter-expression
Specifies a packet filter to apply to data packets being sent or
received to determine which packets should be allowed to pass.
Packets which are rejected by the filter are silently discarded.
This option can be used to prevent specific network daemons (such as
.Xr routed 8 )
using up link bandwidth, or to provide a basic firewall capability.
The
.Ar filter-expression
syntax is as described for
.Xr tcpdump 8 ,
except that qualifiers which are inappropriate for a PPP link, such as
.Ar ether
and
.Ar arp ,
are not permitted.
Generally the filter expression should be enclosed in single quotes to prevent
whitespace in the expression from being interpreted by the shell.
Note that it is possible to apply different constraints to incoming and
outgoing packets using the
.Cm inbound
and
.Cm outbound
qualifiers.
This option is currently only available under
.Ox ,
and then only if both the kernel and
.Nm
were compiled with
.Dv PPP_FILTER
defined.
.It Cm persist
Do not exit after a connection is terminated; instead try to reopen
the connection.
.It Cm predictor1
Request that the peer compress frames that it sends using Predictor-1
compression, and agree to compress transmitted frames with Predictor-1
if requested.
This option has no effect unless the kernel driver supports Predictor-1
compression.
.It Cm proxyarp
Add an entry to this system's ARP (Address Resolution Protocol) table
with the IP address of the peer and the Ethernet address of this system.
This will have the effect of making the peer appear to other
systems to be on the local Ethernet.
.It Cm remotename Ar name
Set the assumed name of the remote system for authentication purposes to
.Ar name .
.It Cm refuse-chap
With this option,
.Nm
will not agree to authenticate itself to the peer using CHAP.
.It Cm refuse-pap
With this option,
.Nm
will not agree to authenticate itself to the peer using PAP.
.It Cm require-chap
Require the peer to authenticate itself using CHAP
(Challenge Handshake Authentication Protocol) authentication.
.It Cm require-pap
Require the peer to authenticate itself using PAP
(Password Authentication Protocol) authentication.
.It Cm silent
With this option,
.Nm
will not transmit LCP packets to initiate a connection until a valid LCP
packet is received from the peer (as for the `passive' option with ancient
versions of
.Nm pppd ) .
.It Cm usehostname
Enforce the use of the hostname (with domain name appended, if given)
as the name of the local system for authentication purposes (overrides the
.Cm name
option).
.It Cm user Ar name
Sets the name used for authenticating the local system to the peer to
.Ar name .
.It Cm vj-max-slots Ar n
Sets the number of connection slots to be used by the Van Jacobson
TCP/IP header compression and decompression code to
.Ar n ,
which must be between 2 and 16, inclusive.
.It Cm welcome Ar script
Run the executable or shell command specified by
.Ar script
before initiating PPP negotiation, after the connect script (if any) has
completed.
This option is privileged if the
.Cm noauth
option is used.
.It Cm xonxoff
Use software flow control (i.e., XON/XOFF) to control the flow of data on
the serial port.
.El
.Sh OPTIONS FILES
Options can be taken from files as well as the command line.
.Nm
reads options from the files
.Pa /etc/ppp/options , ~/.ppprc
and
.Pf /etc/ppp/options. Ns Ar ttyname
(in that order) before processing the options on the command line.
(In fact, the command-line options are scanned to find the terminal name
before the
.Pf options. Ns Ar ttyname
file is read.)
In forming the name of the
.Pf options. Ns Ar ttyname
file,
the initial /dev/ is removed from the terminal name, and any remaining
/ characters are replaced with dots.
.Pp
An options file is parsed into a series of words, delimited by whitespace.
Whitespace can be included in a word by enclosing the word in double-quotes (").
A backslash (\\) quotes the following character.
A hash (#) starts a comment, which continues until the end of the line.
There is no restriction on using the
.Cm file
or
.Cm call
options within an options file.
.Sh SECURITY
Users must be in group
.Qq network
to be able to use
.Nm pppd .
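The word-splitting rules and the per-terminal file name described under OPTIONS FILES can be checked mechanically when reviewing a host's PPP configuration. The following Python sketch is an added example, not pppd's own parser: the function names, the partial `ONE_ARG` table and the sample file are constructed for illustration, and it assumes that a `#` starts a comment only where a new word could begin and that the later of `auth`/`noauth` in a file wins.

```python
"""Added example (not pppd code): tokenise an options file with the rules
from OPTIONS FILES and report the settings a reviewer looks at first."""

# Options from this page that consume one following word. Partial list
# chosen for the example; extend it before using this on real files.
ONE_ARG = {"connect", "disconnect", "welcome", "file", "call", "name", "user",
           "remotename", "domain", "mru", "mtu", "asyncmap", "escape", "idle",
           "holdoff", "netmask", "ipparam"}
SHELL_OPTIONS = {"connect", "disconnect", "welcome"}  # handed to a shell


def tokenize(text):
    """Split text into words: whitespace delimits, "..." keeps whitespace,
    a backslash quotes the next character, # comments to end of line.
    Assumption: # is a comment only where a new word could start."""
    words, cur, in_word, in_quote = [], [], False, False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "\\" and i + 1 < n:          # quote the following character
            cur.append(text[i + 1])
            in_word = True
            i += 2
            continue
        if in_quote:
            if c == '"':
                in_quote = False
            else:
                cur.append(c)
        elif c == '"':
            in_quote = in_word = True
        elif c.isspace():
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        elif c == "#" and not in_word:       # skip the rest of the line
            while i < n and text[i] != "\n":
                i += 1
            continue
        else:
            cur.append(c)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words


def tty_options_path(tty):
    """Per-terminal options file: drop a leading /dev/, turn / into dots."""
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    return "/etc/ppp/options." + name.replace("/", ".")


def audit(text):
    """Return (auth_required, shell_commands, includes) for one file.
    auth_required is None when the file sets neither auth nor noauth."""
    auth, shell_cmds, includes = None, [], []
    words = tokenize(text)
    i = 0
    while i < len(words):
        opt = words[i]
        arg = words[i + 1] if opt in ONE_ARG and i + 1 < len(words) else None
        if opt == "auth":
            auth = True
        elif opt == "noauth":
            auth = False
        elif opt in SHELL_OPTIONS and arg is not None:
            shell_cmds.append((opt, arg))
        elif opt in ("file", "call") and arg is not None:
            includes.append((opt, arg))
        i += 2 if arg is not None else 1
    return auth, shell_cmds, includes


# Constructed sample of a peers file, not taken from any real system.
SAMPLE = r'''
# dial-out profile for a trusted ISP
cua00 57600 crtscts lock   # device and speed
noauth
connect "/usr/sbin/chat -f /etc/ppp/chat-isp"
welcome /usr/local/bin/ppp\ banner
user "dial # in"
defaultroute
'''

if __name__ == "__main__":
    print(tokenize(SAMPLE))
    print(audit(SAMPLE))
    print(tty_options_path("/dev/pts/3"))
```

Because `name` is listed in `ONE_ARG`, a line such as `name noauth` is read as an argument and does not count as disabling authentication.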
.Pp
.Nm
provides system administrators with sufficient access control that PPP
access to a server machine can be provided to legitimate users without
fear of compromising the security of the server or the network it's on.
In part this is provided by the
.Pa /etc/ppp/options file ,
where the administrator can place options to restrict the ways in which
.Nm
can be used, and in part by the PAP and CHAP secrets files, where the
administrator can restrict the set of IP addresses which individual
users may use.
.Pp
The normal way that
.Nm
should be set up is to have the
.Cm auth
option in the
.Pa /etc/ppp/options file .
(This may become the default in later releases.)
If users wish to use
.Nm
to dial out to a peer which will refuse to authenticate itself
(such as an internet service provider), the system administrator should
create an options file under
.Pa /etc/ppp/peers
containing the
.Cm noauth
option, the name of the serial port to use, and the
.Cm connect
option (if required), plus any other appropriate options.
In this way,
.Nm
can be set up to allow non-privileged users to make unauthenticated
connections only to trusted peers.
.Pp
As indicated above, some security-sensitive options are privileged,
which means that they may not be used by an ordinary non-privileged
user running a setuid-root
.Nm pppd ,
either on the command line, in the user's
.Pa ~/.ppprc
file, or in an options file read using the
.Cm file
option.
Privileged options may be used in the
.Pa /etc/ppp/options
file or in an options file read using the
.Cm call
option.
If
.Nm
is being run by the root user, privileged options can be used without
restriction.
.Sh AUTHENTICATION
Authentication is the process whereby one peer convinces the other of
its identity.
This involves the first peer sending its name to the other,
together with some kind of secret information which could only
come from the genuine authorized user of that name.
In such an exchange, we will call the first peer the
.Qq client
and the other the
.Qq server .
The client has a name by which it identifies itself to the server,
and the server also has a name by which it identifies itself to the client.
Generally the genuine client shares some secret (or password) with the server,
and authenticates itself by proving that it knows that secret.
Very often, the names used for authentication correspond to the internet
hostnames of the peers, but this is not essential.
.Pp
At present,
.Nm
supports two authentication protocols:
the Password Authentication Protocol (PAP)
and the Challenge Handshake Authentication Protocol (CHAP).
PAP involves the client sending its name and a cleartext password
to the server to authenticate itself.
In contrast, the server initiates the CHAP authentication exchange by
sending a challenge to the client (the challenge packet includes the
server's name).
The client must respond with a response which includes its name
plus a hash value derived from the shared secret and the challenge,
in order to prove that it knows the secret.
.Pp
The PPP protocol, being symmetrical, allows both peers to require the
other to authenticate itself.
In that case, two separate and independent authentication exchanges
will occur.
The two exchanges could use different authentication protocols,
and in principle, different names could be used in the two exchanges.
.Pp
The default behaviour of
.Nm
is to agree to authenticate if requested, and to not require authentication
from the peer.
However,
.Nm
will not agree to authenticate itself with a particular protocol
if it has no secrets which could be used to do so.
.Pp
.Nm
stores secrets for use in authentication in secrets files
.Pf ( Ns Pa /etc/ppp/pap-secrets
for PAP,
.Pa /etc/ppp/chap-secrets
for CHAP).
Both secrets files have the same format.
The secrets files can contain secrets for
.Nm
to use in authenticating itself to other systems, as well as secrets for
.Nm
to use when authenticating other systems to itself.
.Pp
Each line in a secrets file contains one secret.
Any following words on the same line are taken to be a list
of acceptable IP addresses for that client.
If there are only 3 words on the line, or if the first word is
.Qq \- ,
then all IP addresses are disallowed.
To allow any address, use
.Qq * .
A word starting with
.Qq \&!
indicates that the specified address is
.Em not
acceptable.
An address may be followed by
.Qq /
and a number
.Ar n ,
to indicate a whole subnet, i.e., all addresses which have the same value
in the most significant
.Ar n
bits.
Case is significant in the client and server names and in the secret.
.Pp
If the secret starts with an `@', what follows is assumed to be the
name of a file from which to read the secret.
A
.Qq *
as the client or server name matches any name.
When selecting a secret,
.Nm
takes the best match, i.e., the match with the fewest wildcards.
.Pp
Thus a secrets file contains both secrets for use in authenticating
other hosts, plus secrets which we use for authenticating ourselves to
others.
When
.Nm
is authenticating the peer (checking the peer's identity), it chooses a
secret with the peer's name in the first field and the name of the local
system in the second field.
The name of the local system defaults to the hostname, with the domain
name appended if the
.Cm domain
option is used.
This default can be overridden with the
.Cm name
option, except when the
.Cm usehostname
option is used.
.Pp
When
.Nm
is choosing a secret to use in authenticating itself to the peer,
it first determines what name it is going to use to identify
itself to the peer.
This name can be specified by the user with the
.Cm user
option.
If this option is not used, the name defaults to the name of the local system,
determined as described in the previous paragraph.
Then
.Nm
looks for a secret with this name in the first field and the peer's name
in the second field.
.Nm
will know the name of the peer if CHAP authentication is being used, because
the peer will have sent it in the challenge packet.
However, if PAP is being used,
.Nm
will have to determine the peer's name from the options specified by the user.
The user can specify the peer's name directly with the
.Cm remotename
option.
Otherwise, if the remote IP address was specified by a name
(rather than in numeric form), that name will be used as the peer's name.
Failing that,
.Nm
will use the null string as the peer's name.
.Pp
When authenticating the peer with PAP, the supplied password is first
compared with the secret from the secrets file.
If the password doesn't match the secret, the password is encrypted using
.Xr crypt 3
and checked against the secret again.
Thus secrets for authenticating the peer can be stored in encrypted form
if desired.
If the
.Cm papcrypt
option is given, the first (unencrypted) comparison is omitted,
for better security.
.Pp
Furthermore, if the
.Cm login
option was specified, the username and password are also checked against
the system password database.
Thus, the system administrator can set up the pap-secrets file to allow PPP
access only to certain users, and to restrict the set of IP addresses
that each user can use.
Typically, when using the
.Cm login
option, the secret in
.Pa /etc/ppp/pap-secrets
would be
.Qq ,
which will match any password supplied by the peer.
This avoids the need to have the same secret in two places.
.Pp
Authentication must be satisfactorily completed before IPCP
(or any other Network Control Protocol) can be started.
If the peer is required to authenticate itself, and fails to do so,
.Nm
will terminate the link (by closing LCP).
If IPCP negotiates an unacceptable IP address for the remote host,
IPCP will be closed.
IP packets can only be sent or received when IPCP is open.
.Pp
In some cases it is desirable to allow some hosts which can't
authenticate themselves to connect and use one of a restricted set of
IP addresses, even when the local host generally requires authentication.
If the peer refuses to authenticate itself when requested,
.Nm
takes that as equivalent to authenticating with PAP
using the empty string for the username and password.
Thus, by adding a line to the pap-secrets file which specifies the empty
string for the client and password, it is possible to allow restricted
access to hosts which refuse to authenticate themselves.
.Sh ROUTING
When IPCP negotiation is completed successfully,
.Nm
will inform the kernel of the local and remote IP addresses for the PPP
interface.
This is sufficient to create a host route to the remote end of the
link, which will enable the peers to exchange IP packets.
Communication with other machines generally requires further
modification to routing tables and/or ARP
(Address Resolution Protocol) tables.
In most cases the
.Cm defaultroute
and/or
.Cm proxyarp
options are sufficient for this, but in some cases
further intervention is required.
The
.Pa /etc/ppp/ip-up
script can be used for this.
.Pp
Sometimes it is desirable to add a default route through the remote
host, as in the case of a machine whose only connection to the
Internet is through the PPP interface.
The
.Cm defaultroute
option causes
.Nm
to create such a default route when IPCP comes up, and
delete it when the link is terminated.
.Pp
In some cases it is desirable to use proxy ARP, for example on a
server machine connected to a LAN, in order to allow other hosts to
communicate with the remote host.
The
.Cm proxyarp
option causes
.Nm
to look for a network interface on the same subnet as the remote
host (an interface supporting broadcast and ARP, which is up and not a
point-to-point or loopback interface).
If found,
.Nm
creates a permanent, published ARP entry with the IP address of the remote host
and the hardware address of the network interface found.
.Pp
When the
.Cm demand
option is used, the interface IP addresses have
already been set at the point when IPCP comes up.
If
.Nm
has not been able to negotiate the same addresses that it used to configure
the interface (for example when the peer is an ISP that uses dynamic
IP address assignment),
.Nm
has to change the interface IP addresses to the negotiated addresses.
This may disrupt existing connections, and the use of demand dialling with
peers that do dynamic IP address assignment is not recommended.
.Sh EXAMPLES
The following examples assume that the
.Pa /etc/ppp/options
file contains the
.Cm auth
option (as in the default
.Pa /etc/ppp/options
file in the PPP distribution).
.Pp
Probably the most common use of
.Nm
is to dial out to an ISP.
This can be done with a command such as
.Pp
.Dl pppd call isp
.Pp
where the
.Pa /etc/ppp/peers/isp
file is set up by the system administrator to contain something like this:
.Bd -literal -offset indent
ttyS0 19200 crtscts
connect '/usr/sbin/chat -v -f /etc/ppp/chat-isp'
noauth
.Ed
.Pp
In this example, we are using chat to dial the ISP's modem and go
through any logon sequence required.
The
.Pa /etc/ppp/chat-isp
file contains the script used by chat; it could for example contain
something like this:
.Bd -literal -offset indent
ABORT "NO CARRIER"
ABORT "NO DIALTONE"
ABORT "ERROR"
ABORT "NO ANSWER"
ABORT "BUSY"
ABORT "Username/Password Incorrect"
"" "at"
OK "at&d0&c1"
OK "atdt2468135"
"name:" "^Umyuserid"
"word:" "\\qmypassword"
"ispts" "\\q^Uppp"
"~-^Uppp-~"
.Ed
.Pp
See the
.Xr chat 8
man page for details of chat scripts.
.Pp
.Nm
can also be used to provide a dial-in PPP service for users.
If the users already have login accounts, the simplest way to set up the
PPP service is to let the users log in to their accounts and run
.Nm
(installed setuid-root) with a command such as
.Pp
.Dl pppd proxyarp
.Pp
To allow a user to use the PPP facilities, you need to allocate an IP
address for that user's machine and create an entry in
.Pa /etc/ppp/pap-secrets
or
.Pa /etc/ppp/chap-secrets
(depending on which authentication method the PPP implementation on the
user's machine supports), so that the user's
machine can authenticate itself.
For example, if Joe has a machine called
.Qq joespc
which is to be allowed to dial in to the machine called
.Qq server
and use the IP address joespc.my.net, you would add an entry like this to
.Pa /etc/ppp/pap-secrets
or
.Pa /etc/ppp/chap-secrets :
.Pp
.Dl joespc server "joe's secret" joespc.my.net
.Pp
Alternatively, you can create a username called (for example)
.Qq ppp ,
whose login shell is
.Nm
and whose home directory is
.Pa /etc/ppp .
Options to be used when
.Nm
is run this way can be put in
.Pa /etc/ppp/.ppprc .
.Pp
If your serial connection is any more complicated than a piece of
wire, you may need to arrange for some control characters to be escaped.
In particular, it is often useful to escape XON (^Q) and
XOFF (^S), using
.Cm asyncmap a0000 .
If the path includes a telnet, you probably should escape ^] as well
.Pf ( Ns Cm asyncmap 200a0000 ) .
If the path includes an rlogin, you will need to use the
.Cm escape ff
option on the end which is running the rlogin client, since many
rlogin implementations are not transparent; they will remove the
sequence (0xff, 0xff, 0x73, 0x73, followed by any 8 bytes) from the stream.
.Sh DIAGNOSTICS
Messages are sent to the
.Xr syslogd 8
daemon using facility
.Dv LOG_DAEMON .
(This can be overridden by recompiling
.Nm
with the macro
.Dv LOG_PPP
defined as the desired facility.)
See the
.Xr syslogd 8
documentation for details of where the syslog daemon will write the
messages.
On most systems, the syslog daemon uses the
.Pa /etc/syslog.conf
file to specify the destination(s) for syslog messages.
You may need to edit that file to suit.
.Pp
The
.Cm debug
option causes the contents of all control packets sent
or received to be logged, that is, all LCP, PAP, CHAP or IPCP packets.
This can be useful if the PPP negotiation does not succeed or if
authentication fails.
If debugging is enabled at compile time, the
.Cm debug
option also causes other debugging messages to be logged.
.Pp
Debugging can also be enabled or disabled by sending a SIGUSR1 signal
to the
.Nm
process.
This signal acts as a toggle.
.Sh SCRIPTS
.Nm
invokes scripts at various stages in its processing which can be
used to perform site-specific ancillary processing.
These scripts are usually shell scripts, but could be executable code files
instead.
.Nm
does not wait for the scripts to finish.
The scripts are executed as root (with the real and effective user ID set to 0),
so that they can do things such as update routing tables or run
privileged daemons.
Be careful that the contents of these scripts do not compromise your system's
security.
.Nm
runs the scripts with standard input, output and error redirected to
.Pa /dev/null ,
and with an environment that is empty except for some environment variables
that give information about the link.
The environment variables that
.Nm
sets are:
.Bl -tag -width "PEERNAME"
.It Ev DEVICE
The name of the serial tty device being used.
.It Ev IFNAME
The name of the network interface being used.
.It Ev IPLOCAL
The IP address for the local end of the link.
This is only set when IPCP has come up.
.It Ev IPREMOTE
The IP address for the remote end of the link.
This is only set when IPCP has come up.
.It Ev PEERNAME
The authenticated name of the peer.
This is only set if the peer authenticates itself.
.It Ev SPEED
The baud rate of the tty device.
.It Ev UID
The real user ID of the user who invoked
.Nm pppd .
.El
.Pp
.Nm
invokes the following scripts, if they exist.
It is not an error if they don't exist.
.Bl -tag -width Ds
.It Pa /etc/ppp/auth-up
A program or script which is executed after the remote system
successfully authenticates itself.
It is executed with the parameters
.Pp
.Ar interface-name peer-name user-name tty-device speed
.Pp
Note that this script is not executed if the peer doesn't authenticate
itself, for example when the
.Cm noauth
option is used.
.It Pa /etc/ppp/auth-down
A program or script which is executed when the link goes down, if
.Pa /etc/ppp/auth-up
was previously executed.
It is executed in the same manner with the same parameters as
.Pa /etc/ppp/auth-up .
.It Pa /etc/ppp/ip-up
A program or script which is executed when the link is available for
sending and receiving IP packets (that is, IPCP has come up).
It is executed with the parameters
.Pp
.Ar interface-name tty-device speed local-IP-address remote-IP-address ipparam
.It Pa /etc/ppp/ip-down
A program or script which is executed when the link is no longer
available for sending and receiving IP packets.
This script can be used for undoing the effects of the
.Pa /etc/ppp/ip-up
script.
It is invoked in the same manner and with the same parameters as the ip-up
script.
.It Pa /etc/ppp/ipx-up
A program or script which is executed when the link is available for
sending and receiving IPX packets (that is, IPXCP has come up).
It is executed with the parameters
.Pp
.Ar interface-name tty-device speed network-number local-IPX-node-address
.Ar remote-IPX-node-address local-IPX-routing-protocol
.Ar remote-IPX-routing-protocol local-IPX-router-name remote-IPX-router-name
.Ar ipparam pppd-pid
.Pp
The local-IPX-routing-protocol and remote-IPX-routing-protocol fields
may be one of the following:
.Bl -tag -width "RIP NLSP"
.It NONE
to indicate that there is no routing protocol
.It RIP
to indicate that RIP/SAP should be used
.It NLSP
to indicate that Novell NLSP should be used
.It RIP NLSP
to indicate that both RIP/SAP and NLSP should be used
.El
.Pp
.It Pa /etc/ppp/ipx-down
A program or script which is executed when the link is no longer
available for sending and receiving IPX packets.
This script can be used for undoing the effects of the
.Pa /etc/ppp/ipx-up
script.
It is invoked in the same manner and with the same parameters as the ipx-up
script.
.El
.Sh FILES
.Bl -tag -width Ds
.It /var/run/ppp Ns Ar n Ns .pid
.\" (BSD or Linux),
.\" /etc/ppp/ppp Ns Ar n Ns .pid
.\" (others)
Process-ID for
.Nm
process on PPP interface unit
.Ar n .
.It /etc/ppp/pap-secrets
Usernames, passwords and IP addresses for PAP authentication.
This file should be owned by root and not readable or writable by any other
user.
.Nm
will log a warning if this is not the case.
.It /etc/ppp/chap-secrets
Names, secrets and IP addresses for CHAP authentication.
As for
.Pa /etc/ppp/pap-secrets ,
this file should be owned by root and not readable or writable
by any other user.
.Nm
will log a warning if this is not the case.
.It /etc/ppp/options
System default options for
.Nm pppd ,
read before user default options or command-line options.
.It ~/.ppprc
User default options, read before
.Pf /etc/ppp/options. Ns Ar ttyname .
.It /etc/ppp/options. Ns Ar ttyname
System default options for the serial port being used, read after
.Pa ~/.ppprc .
In forming the
.Ar ttyname
part of this filename, an initial /dev/ is stripped from the port name (if
present), and any slashes in the remaining part are converted to dots.
.It /etc/ppp/peers
A directory containing options files which may contain privileged
options, even if
.Nm
was invoked by a user other than root.
The system administrator can create options files in this directory to
permit non-privileged users to dial out without requiring the peer to
authenticate, but only to certain trusted peers.
.El
.Sh SEE ALSO
.Xr cua 4 ,
.Xr ppp 4 ,
.Xr tty 4 ,
.Xr chat 8 ,
.Xr ppp 8 ,
.Xr syslogd 8 ,
.Xr tcpdump 8
.Rs
.%B RFC 1144
.%A Jacobson, V.
.%T Compressing TCP/IP headers for low-speed serial links
.%D February 1990
.Re
.Rs
.%B RFC 1321
.%A Rivest, R.
.%T The MD5 Message-Digest Algorithm
.%D April 1992
.Re
.Rs
.%B RFC 1332
.%A McGregor, G.
.%T PPP Internet Protocol Control Protocol (IPCP)
.%D May 1992
.Re
.Rs
.%B RFC 1334
.%A Lloyd, B.
.%A Simpson, W.A.
.%T PPP authentication protocols
.%D October 1992
.Re
.Rs
.%B RFC 1661
.%A Simpson, W.A.
.%T The Point\-to\-Point Protocol (PPP)
.%D July 1994
.Re
.Rs
.%B RFC 1662
.%A Simpson, W.A.
.%T PPP in HDLC-like Framing
.%D July 1994
.Re
.Sh NOTES
Some limited degree of control can be exercised over a running
.Nm
process by sending it a signal from the list below.
.Bl -tag -width Ds
.It SIGINT , SIGTERM
These signals cause
.Nm
to terminate the link (by closing LCP), restore the serial device settings,
and exit.
.It SIGHUP
This signal causes
.Nm
to terminate the link, restore the serial device settings,
and close the serial device.
If the
.Cm persist
or
.Cm demand
option has been specified,
.Nm
will try to reopen the serial device and start another connection
(after the holdoff period).
Otherwise
.Nm
will exit.
If this signal is received during the holdoff period, it causes
.Nm
to end the holdoff period immediately.
.It SIGUSR1
This signal toggles the state of the
.Cm debug
option.
.It SIGUSR2
This signal causes
.Nm
to renegotiate compression.
This can be useful to re-enable compression after it has been disabled
as a result of a fatal decompression error.
(Fatal decompression errors generally indicate a bug
in one or other implementation.)
.El
.Sh AUTHORS
.An Paul Mackerras Aq Paul.Mackerras@samba.org ,
based on earlier work by Drew Perkins, Brad Clements, Karl Fox, Greg Christy,
and Brad Parker.
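The word-splitting rules from OPTIONS FILES and the secrets-file address list from AUTHENTICATION, as an added audit sketch that is not part of this manual page or of the pppd source. The function names are hypothetical, and three things are assumptions: secrets lines are split with the same word rules as options files, address words are evaluated in order with the first match deciding, and host names in the address list are skipped because resolving them needs DNS.

```python
import ipaddress

# Constructed sample entries (client server secret [addresses...]); not from a real system.
SAMPLE = r'''
# dial-in clients
joespc  server  "joe's secret"  10.1.2.3
*       server  "shared"        *
guest   server  "pw"            !10.9.0.1 10.9.0.0/24
""      server  ""              192.168.50.0/28
locked  server  "pw"
'''

def split_words(line):
    """Split a line into words: whitespace delimits, "..." keeps whitespace,
    a backslash quotes the next character, '#' outside quotes starts a comment
    (taken here at any position, following the page's wording)."""
    words, cur, in_word, in_quote = [], [], False, False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            in_word = True
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
            in_word = True          # "" yields an empty word
        elif in_quote:
            cur.append(ch)
        elif ch == "#":
            break
        elif ch.isspace():
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(ch)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words

def address_allowed(addr_words, peer_ip):
    """Apply an entry's address words to a numeric peer address."""
    ip = ipaddress.ip_address(peer_ip)
    if not addr_words or addr_words[0] == "-":
        return False                # only 3 words, or "-": nothing allowed
    for word in addr_words:
        if word == "*":
            return True
        deny = word.startswith("!")
        spec = word[1:] if deny else word
        try:
            net = ipaddress.ip_network(spec, strict=False)  # addr or addr/n
        except ValueError:
            continue                # host name: not resolved in this sketch
        if ip in net:
            return not deny         # assumption: first matching word decides
    return False

def audit_line(line):
    """Return (client, server, findings), or None for blank/comment lines."""
    words = split_words(line)
    if not words:
        return None
    if len(words) < 3:
        return (words[0], None, ["malformed: fewer than 3 words"])
    client, server, secret, addrs = words[0], words[1], words[2], words[3:]
    findings = []
    if client == "*":
        findings.append("wildcard client name")
    if secret == "":
        findings.append("admits peers that refuse to authenticate"
                        if client == "" else "empty secret matches any password")
    if secret.startswith("@"):
        findings.append("secret read from file " + secret[1:])
    if "*" in addrs:
        findings.append("any IP address allowed")
    if not addrs or addrs[0] == "-":
        findings.append("no IP address allowed")
    return (client, server, findings)

def audit(text):
    return [r for r in map(audit_line, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for client, server, findings in audit(SAMPLE):
        print(repr(client), server, findings or "ok")
```

Entries flagged for a wildcard client, an empty secret or a "*" address list are the ones to review against the intent described in AUTHENTICATION.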