16.2. The PAP/CHAP secrets file

If you are using pap or chap authentication, then you also need to create the secrets file. These are:

/etc/ppp/pap-secrets /etc/ppp/chap-secrets

They must be owned by user root, group root and have file permissions 740 for security.

The first point to note about PAP and CHAP is that they are designed to authenticate computer systems not users.

Huh? What's the difference? I hear you ask.

Well now, once your computer has made its PPP connection to the server, ANY user on your system can use that connection - not just you. This is why you can set up a WAN (wide area network) link that joins two LANs (local area networks) using PPP.

PAP can (and for CHAP DOES) require bidirectional authentication - that is a valid name and secret is required on each computer for the other computer involved. However, this is NOT the way most PPP servers offering dial-up PPP PAP-authenticated connections operate.

That being said, your ISP will probably have given you a user name and password to allow you to connect to their system and thence the Internet. Your ISP is not interested in your computer's name at all, so you will probably need to use the user name at your ISP as the name for your computer.

This is done using the name user name option to pppd. So, if you are to use the user name given you by your ISP, add the line

name your_user name_at_your_ISP

to your /etc/ppp/options file.

Technically, you should really use user our_user name_at_your_ISP for PAP, but pppd is sufficiently intelligent to interpret name as user if it is required to use PAP. The advantage of using the name option is that this is also valid for CHAP.

As PAP is for authenticating computers, technically you need also to specify a remote computer name. However, as most people only have one ISP, you can use a wild card (*) for the remote host name in the secrets file.

It is also worth noting that many ISPs operate multiple modem banks connected to different terminal servers - each with a different name, but ACCESSED from a single (rotary) dial in number. It can therefore be quite difficult in some circumstances to know ahead of time what the name of the remote computer is, as this depends on which terminal server you connect to!