 
Next Previous Table of Contents
Starting with version 0.9.1 kppp supports directly the most commonly used form of PAP authentification. The section 'PAP and CHAP with kppp' will descripe how to make PAP and CHAP work with kppp in general, while the section 'PAP with kppp' will describe in detail how to take advantage of kppp's build in support for the most commonly encountered version of PAP wich is widely used by commercial Internet Service Providers (ISP).
There are two different ways to use PAP:
This variant is used by many commercial ISPīs. It basically means that you (or your computer) must authenticate yourself to the ISPīs PPP server. The PPP server must not authenticate himself to your computer, but typically this is not necessary since you know which computer you are connected to (because the connection was established by yourself). So this is no major security issue. kppp supports this variant directly. See below for instruction how use this one.
If your ISP just gives you a username and a password and tells you to use PAP authentication you must use this variant.
 
Same as above, but your computer requires the
ISP PPP server to authenticate himself. In order to establish a connection, 
you must choose the authentication method Script based,
not PAP, and you will have to manually edit
/etc/ppp/pap-secrets. While kppp doesn't provide build in support
for this variant -- it is nevertheless easy to establish a connection
using this variant of PAP with kppp. The details are described in the
previous section 'Using PAP and CHAP with kppp'.
/etc/ppp/options (and ~/.ppprc if
you do have such a file) does not contain one of the arguments:
It is very unlikely that one of those arguments is already in there, but just to be sure.
The following is based on an email by Keith Brown and explains how to make kppp work for a generic PAP or CHAP account. If your ISP just gave you a user id and a password for a PAP account the odds are that you can skip this section and that you will get by just reading the next one entitled 'PAP with kppp'.
PAP seems a lot more complicated at first glance than it really is.
The server (the machine you are connecting to) basically tells the client
(your machine) to authenticate using PAP. The client (pppd) looks in a
specific file for an entry that contains a matching server name and client's
name for this connection, and then sends the password it finds there. That's
about it! Now, here's how to make that happen. I am assuming a pppd version
of 2.2.0 and a standard installation of configuration files under /etc/ppp.
For the purposes of illustration, pretend that I have an Internet account
with 'glob.net', under the user name 'booger', and a password of 'foobar'.
First, I need to add all this to the file /etc/ppp/pap-secrets . 
The format of an entry for our purposes, is:
USERNAME  SERVERNAME   PASSWORD
so I add the line:
booger  glob  foobar
to the file and save it. Note: I can use any name for the server I wish as long as I use the same name in the pppd arguments, as we'll see shortly. I have shortened it to 'glob'. This name is just used to locate the correct password.
Now, I need to set up my connection in kppp. The basics are the same
as any other connection, and I won't go into details here, except to say
that you probably want to make sure that the /etc/ppp/options, is empty,
and you probably don't want any login script either. Now, in the settings
dialog, at the bottom, is the pppd arguments button. This brings up a dialog
similar to the one used for editing the login script. Here we enter values that
will be sent to pppd as command line arguments, and in the case of multiple-value
arguments, we need to enter each value as a separate entry in the listbox,
in the correct order.
We can put any other arguments in here we want first. Now we need to add arguments that pppd needs to handle PAP authentication. In this example I am going to add 'user', 'booger', 'remotename', 'glob', in that order. The user argument tells pppd what user name to look for in pap-secrets, and send to the server. The remotename is only used by pppd to match the entry in the pap-secrets file, and is not sent to the server, so once again, it can be anything I want as long as it is consistent with the entry in the pap-secrets file.
That's all there is to it. You should now be able to set up your own connection to a server with PAP authentication. CHAP should not be much different. See the Linux Network Administrators' Guide for chap-secrets file format and pppd arguments used. The rest should be gravy, but...your mileage, ah you know the rest.
Richard Birchall provided us with details about how he configured kppp to connect to a NT RAS server that required MS-CHAP authentication:
Instructions on how to patch pppd and install the DES library can be found in the PPP-NT-HOWTO and in README.MSCHAP80 from the pppd package.
If your NT RAS server is not a PDC (primary domain controller), it is necessary to include the NT domain name as part of the username, separated by a backslash. Because the "\" character has a special meaning to pppd, it is necessary to use "\\". This is explained here: http://metalab.unc.edu/LDP/FAQ/PPP-FAQ.html#ss12.2
My kppp settings:
My /etc/ppp/chap-secrets file:
NTDOMAIN\\username   *       password
My /etc/ppp/options file:
debug
name 'NTDOMAIN\\username'
remotename *
Next Previous Table of Contents