PPPD(8)                     System Manager's Manual                    PPPD(8)

NAME

       pppd - Point-to-Point Protocol Daemon

SYNOPSIS

       pppd [ options ]

DESCRIPTION

       PPP is the protocol used for establishing internet links over dial-up
       modems, DSL connections, and many other types of point-to-point links.
       The pppd daemon works together with the kernel PPP driver to establish
       and maintain a PPP link with another system (called the peer) and to
       negotiate Internet Protocol (IP) addresses for each end of the link.
       Pppd can also authenticate the peer and/or supply authentication
       information to the peer. PPP can be used with other network protocols
       besides IP, but such use is becoming increasingly rare.

FREQUENTLY USED OPTIONS

       ttyname
              Use the serial port called ttyname to communicate with the peer.
              If ttyname does not begin with a slash (/), the string "/dev/"
              is prepended to ttyname to form the name of the device to open.
              If no device name is given, or if the name of the terminal
              connected to the standard input is given, pppd will use that
              terminal, and will not fork to put itself in the background. A
              value for this option from a privileged source cannot be
              overridden by a non-privileged user.

       speed  An option that is a decimal number is taken as the desired baud
              rate for the serial device. On systems such as 4.4BSD and
              NetBSD, any speed can be specified. Other systems (e.g. Linux,
              SunOS) only support the commonly-used baud rates.

       asyncmap map
              This option sets the Async-Control-Character-Map (ACCM) for this
              end of the link. The ACCM is a set of 32 bits, one for each of
              the ASCII control characters with values from 0 to 31, where a 1
              bit indicates that the corresponding control character should
              not be used in PPP packets sent to this system. The map is
              encoded as a hexadecimal number (without a leading 0x) where the
              least significant bit (00000001) represents character 0 and the
              most significant bit (80000000) represents character 31. Pppd
              will ask the peer to send these characters as a 2-byte escape
              sequence. If multiple asyncmap options are given, the values
              are ORed together. If no asyncmap option is given, the default
              is zero, so pppd will ask the peer not to escape any control
              characters. To escape transmitted characters, use the escape
              option.

       auth   Require the peer to authenticate itself before allowing network
              packets to be sent or received. This option is the default if
              the system has a default route. If neither this option nor the
              noauth option is specified, pppd will only allow the peer to use
              IP addresses to which the system does not already have a route.

       call name
              Read additional options from the file /etc/ppp/peers/name. This
              file may contain privileged options, such as noauth, even if
              pppd is not being run by root. The name string may not begin
              with / or include .. as a pathname component. The format of the
              options file is described below.

       connect script
              Usually there is something which needs to be done to prepare the
              link before the PPP protocol can be started; for instance, with
              a dial-up modem, commands need to be sent to the modem to dial
              the appropriate phone number. This option specifies a command
              for pppd to execute (by passing it to a shell) before attempting
              to start PPP negotiation. The chat(8) program is often useful
              here, as it provides a way to send arbitrary strings to a modem
              and respond to received characters. A value for this option
              from a privileged source cannot be overridden by a
              non-privileged user.

       crtscts
              Specifies that pppd should set the serial port to use hardware
              flow control using the RTS and CTS signals in the RS-232
              interface. If neither the crtscts, the nocrtscts, the cdtrcts
              nor the nocdtrcts option is given, the hardware flow control
              setting for the serial port is left unchanged. Some serial ports
              (such as Macintosh serial ports) lack a true RTS output. Such
              serial ports use this mode to implement unidirectional flow
              control. The serial port will suspend transmission when
              requested by the modem (via CTS) but will be unable to request
              the modem to stop sending to the computer. This mode retains the
              ability to use DTR as a modem control line.

       defaultroute
              Add a default route to the system routing tables, using the peer
              as the gateway, when IPCP negotiation is successfully completed.
              This entry is removed when the PPP connection is broken. This
              option is privileged if the nodefaultroute option has been
              specified.

       disconnect script
              Execute the command specified by script, by passing it to a
              shell, after pppd has terminated the link. This command could,
              for example, issue commands to the modem to cause it to hang up
              if hardware modem control signals were not available. The
              disconnect script is not run if the modem has already hung up. A
              value for this option from a privileged source cannot be
              overridden by a non-privileged user.

       escape xx,yy,...
              Specifies that certain characters should be escaped on
              transmission (regardless of whether the peer requests them to be
              escaped with its async control character map). The characters to
              be escaped are specified as a list of hex numbers separated by
              commas. Note that almost any character can be specified for the
              escape option, unlike the asyncmap option which only allows
              control characters to be specified. The characters which may not
              be escaped are those with hex values 0x20 - 0x3f or 0x5e.

       file name
              Read options from file name (the format is described below).
              The file must be readable by the user who has invoked pppd.

       init script
              Execute the command specified by script, by passing it to a
              shell, to initialize the serial line. This script would
              typically use the chat(8) program to configure the modem to
              enable auto answer. A value for this option from a privileged
              source cannot be overridden by a non-privileged user.

       lock   Specifies that pppd should create a UUCP-style lock file for the
              serial device to ensure exclusive access to the device. By
              default, pppd will not create a lock file.

       mru n  Set the MRU [Maximum Receive Unit] value to n. Pppd will ask the
              peer to send packets of no more than n bytes. The value of n
              must be between 128 and 16384; the default is 1500. A value of
              296 works well on very slow links (40 bytes for TCP/IP header +
              256 bytes of data). Note that for the IPv6 protocol, the MRU
              must be at least 1280.

       mtu n  Set the MTU [Maximum Transmit Unit] value to n. Unless the peer
              requests a smaller value via MRU negotiation, pppd will request
              that the kernel networking code send data packets of no more
              than n bytes through the PPP network interface. Note that for
              the IPv6 protocol, the MTU must be at least 1280.

       passive
              Enables the "passive" option in the LCP. With this option, pppd
              will attempt to initiate a connection; if no reply is received
              from the peer, pppd will then just wait passively for a valid
              LCP packet from the peer, instead of exiting, as it would
              without this option.
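
The bit layout in the asyncmap entry and the exclusion rule in the escape entry, worked through as an added example (this is not code from pppd; the function names are made up for illustration, and the one-byte upper bound on escape values is an assumption of the example):

```python
# Added example, not pppd source: asyncmap (ACCM) arithmetic and escape-list
# checking, following the rules quoted in the asyncmap and escape entries.

def accm_from_chars(chars):
    """Return the asyncmap argument (8 hex digits, no 0x) for control chars."""
    mask = 0
    for c in chars:
        if not 0 <= c <= 31:
            raise ValueError(f"asyncmap only covers characters 0-31, got {c:#04x}")
        mask |= 1 << c  # bit n of the map stands for character n
    return f"{mask:08x}"


def combine_asyncmaps(values):
    """OR several asyncmap arguments, as happens when the option is repeated."""
    mask = 0
    for value in values:
        bits = int(value, 16)
        if bits < 0 or bits >> 32:
            raise ValueError(f"asyncmap {value!r} does not fit in 32 bits")
        mask |= bits
    return f"{mask:08x}"


def chars_in_accm(value):
    """List the control characters the peer is asked to send escaped."""
    mask = int(value, 16)
    return [n for n in range(32) if (mask >> n) & 1]


def parse_escape_list(arg):
    """Parse an 'xx,yy,...' escape argument; reject 0x20-0x3f and 0x5e."""
    result = []
    for item in arg.split(","):
        c = int(item, 16)  # ValueError on an empty or non-hex item
        if not 0 <= c <= 0xFF:  # assumption of this example: one byte per item
            raise ValueError(f"{item!r} is not a single byte value")
        if 0x20 <= c <= 0x3F or c == 0x5E:
            raise ValueError(f"{c:#04x} may not be escaped")
        result.append(c)
    return result


if __name__ == "__main__":
    # XON (0x11) and XOFF (0x13), the classic software flow-control pair.
    flow = accm_from_chars([0x11, 0x13])
    print("asyncmap", flow)
    print("combined with NUL:", combine_asyncmaps([flow, "1"]))
    print("characters in 80000001:", chars_in_accm("80000001"))
    print("escape list:", parse_escape_list("11,13,7d"))
```
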
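
The call entry lets an unprivileged user pull privileged options such as noauth from /etc/ppp/peers, so the name rule and the file's ownership both matter. The following is an added example, not pppd's own code: peer_options_path applies the two restrictions stated in the entry, and audit_peer is an extra administrator-side check (an assumption of this example, not documented pppd behaviour) that every path from the peers directory down to the file is owned by the trusted uid and not group- or world-writable.

```python
# Added example, not pppd source. Function names are hypothetical.
import os
import stat

PEERS_DIR = "/etc/ppp/peers"  # directory named in the call entry


def peer_options_path(name, peers_dir=PEERS_DIR):
    """Apply the name rules from the call entry and return the file path."""
    if not name:
        raise ValueError("empty peer name")
    if name.startswith("/"):
        raise ValueError("peer name may not begin with /")
    # Only a whole pathname component equal to ".." is refused, so a name
    # such as "a..b" is still accepted.
    if ".." in name.split("/"):
        raise ValueError("peer name may not include .. as a component")
    return f"{peers_dir}/{name}"


def ownership_problems(path, trusted_uid=0):
    """Describe why someone other than trusted_uid could modify path."""
    st = os.stat(path)
    problems = []
    if st.st_uid != trusted_uid:
        problems.append(f"owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems


def audit_peer(name, peers_dir=PEERS_DIR, trusted_uid=0):
    """Validate name, then check the peers directory, any subdirectories
    on the way, and the options file itself. Returns {path: [problems]}."""
    peer_options_path(name, peers_dir)  # raises ValueError on a bad name
    report = {}
    current = peers_dir
    to_check = [current]
    for part in name.split("/"):
        if part:
            current = os.path.join(current, part)
            to_check.append(current)
    for path in to_check:
        problems = ownership_problems(path, trusted_uid)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    for candidate in ("isp", "dsl/provider", "a..b", "../options", "/tmp/x"):
        try:
            print(candidate, "->", peer_options_path(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

An empty report from audit_peer means only the trusted uid can change what a `call name` invocation will read.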

OPTIONS

       <local_IP_address>:<remote_IP_address>
              Set the local and/or remote interface IP addresses. Either one
              may be omitted. The IP addresses can be specified with a host
              name or in decimal dot notation (e.g. 150.234.56.78). The
              default local address is the (first) IP address of the system
              (unless the noipdefault option is given). The remote address
              will be obtained from the peer if not specified in any option.
              Thus, in simple cases, this option is not required. If a local
              and/or remote IP address is specified with this option, pppd
              will not accept a different value from the peer in the IPCP
              negotiation, unless the ipcp-accept-local and/or
              ipcp-accept-remote options are given, respectively.

       +ipv6  Enable the IPv6CP and IPv6 protocols.

       ipv6 <local_interface_identifier>,<remote_interface_identifier>
              Set the local and/or remote 64-bit interface identifier. Either
              one may be omitted. The identifier must be specified in standard
              ASCII notation of IPv6 addresses (e.g. ::dead:beef). If the
              ipv6cp-use-ipaddr option is given, the local identifier is the
              local IPv4 address (see above). On systems which support a
              unique persistent id, such as EUI-48 derived from the Ethernet
              MAC address, the ipv6cp-use-persistent option can be used to
              replace the ipv6 <local>,<remote> option. Otherwise the
              identifier is randomized.

       active-filter filter-expression
              Specifies a packet filter to be applied to data packets to
              determine which packets are to be regarded as link activity, and
              therefore reset the idle timer, or cause the link to be brought
              up in demand-dialling mode. This option is useful in
              conjunction with the idle option if there are packets being sent
              or received regularly over the link (for example, routing
              information packets) which would otherwise prevent the link from
              ever appearing to be idle. The filter-expression syntax is as
              described for tcpdump(1), except that qualifiers which are
              inappropriate for a PPP link, such as ether and arp, are not
              permitted. Generally the filter expression should be enclosed in
              single-quotes to prevent whitespace in the expression from being
              interpreted by the shell. This option is currently only
              available under Linux, and requires that the kernel was
              configured to include PPP filtering support (CONFIG_PPP_FILTER).
              Note that it is possible to apply different constraints to
              incoming and outgoing packets using the inbound and outbound
              qualifiers.

       allow-ip address(es)
              Allow peers to use the given IP address or subnet without
              authenticating themselves. The parameter is parsed as for each
              element of the list of allowed IP addresses in the secrets files
              (see the AUTHENTICATION section below).

       allow-number number
              Allow peers to connect from the given telephone number. A
              trailing `*' character will match all numbers beginning with the
              leading part.

       bsdcomp nr,nt
              Request that the peer compress packets that it sends, using the
              BSD-Compress scheme, with a maximum code size of nr bits, and
              agree to compress packets sent to the peer with a maximum code
              size of nt bits. If nt is not specified, it defaults to the
              value given for nr. Values in the range 9 to 15 may be used for
              nr and nt; larger values give better compression but consume
              more kernel memory for compression dictionaries. Alternatively,
              a value of 0 for nr or nt disables compression in the
              corresponding direction. Use nobsdcomp or bsdcomp 0 to disable
              BSD-Compress compression entirely.

       ca ca-file
              (EAP-TLS) Use the file ca-file as the X.509 Certificate
              Authority (CA) file (in PEM format), needed for setting up an
              EAP-TLS connection. This option is used on the client-side in
              conjunction with the cert and key options.

       cdtrcts
              Use a non-standard hardware flow control (i.e. DTR/CTS) to
              control the flow of data on the serial port. If neither the
              crtscts, the nocrtscts, the cdtrcts nor the nocdtrcts option is
              given, the hardware flow control setting for the serial port is
              left unchanged. Some serial ports (such as Macintosh serial
              ports) lack a true RTS output. Such serial ports use this mode
              to implement true bi-directional flow control. The sacrifice is
              that this flow control mode does not permit using DTR as a modem
              control line.

       cert certfile
              (EAP-TLS) Use the file certfile as the X.509 certificate (in PEM
              format), needed for setting up an EAP-TLS connection. This
              option is used on the client-side in conjunction with the ca and
              key options.

       chap-interval n
              If this option is given, pppd will rechallenge the peer every n
              seconds.

       chap-max-challenge n
              Set the maximum number of CHAP challenge transmissions to n
              (default 10).

       chap-restart n
              Set the CHAP restart interval (retransmission timeout for
              challenges) to n seconds (default 3).

       child-timeout n
              When exiting, wait for up to n seconds for any child processes
              (such as the command specified with the pty command) to exit
              before exiting. At the end of the timeout, pppd will send a
              SIGTERM signal to any remaining child processes and exit. A
              value of 0 means no timeout, that is, pppd will wait until all
              child processes have exited.

       connect-delay n
              Wait for up to n milliseconds after the connect script finishes
              for a valid PPP packet from the peer. At the end of this time,
              or when a valid PPP packet is received from the peer, pppd will
              commence negotiation by sending its first LCP packet. The
              default value is 1000 (1 second). This wait period only applies
              if the connect or pty option is used.

       crl filename
              (EAP-TLS) Use the file filename as the Certificate Revocation
              List to check for the validity of the peer's certificate. This
              option is not mandatory for setting up an EAP-TLS connection.
              Also see the crl-dir option.

       crl-dir directory
              (EAP-TLS) Use the directory directory to scan for CRL files in
              hash format ($hash.r0) to check for the validity of the peer's
              certificate. This option is not mandatory for setting up an
              EAP-TLS connection. Also see the crl option.

       debug  Enables connection debugging facilities. If this option is
              given, pppd will log the contents of all control packets sent or
              received in a readable form. The packets are logged through
              syslog with facility daemon and level debug. This information
              can be directed to a file by setting up /etc/syslog.conf
              appropriately (see syslog.conf(5)).

       default-asyncmap
              Disable asyncmap negotiation, forcing all control characters to
              be escaped for both the transmit and the receive direction.

       default-mru
              Disable MRU [Maximum Receive Unit] negotiation. With this
              option, pppd will use the default MRU value of 1500 bytes for
              both the transmit and receive direction.

       deflate nr,nt
              Request that the peer compress packets that it sends, using the
              Deflate scheme, with a maximum window size of 2**nr bytes, and
              agree to compress packets sent to the peer with a maximum window
              size of 2**nt bytes. If nt is not specified, it defaults to the
              value given for nr. Values in the range 9 to 15 may be used for
              nr and nt; larger values give better compression but consume
              more kernel memory for compression dictionaries. Alternatively,
              a value of 0 for nr or nt disables compression in the
              corresponding direction. Use nodeflate or deflate 0 to disable
              Deflate compression entirely. (Note: pppd requests Deflate
              compression in preference to BSD-Compress if the peer can do
              either.)

       demand Initiate the link only on demand, i.e. when data traffic is
              present. With this option, the remote IP address may be
              specified by the user on the command line or in an options file,
              or if not, pppd will use an arbitrary address in the 10.x.x.x
              range. Pppd will initially configure the interface and enable
              it for IP traffic without connecting to the peer. When traffic
              is available, pppd will connect to the peer and perform
              negotiation, authentication, etc. When this is completed, pppd
              will commence passing data packets (i.e., IP packets) across the
              link.

              The demand option implies the persist option. If this behaviour
              is not desired, use the nopersist option after the demand
              option. The idle and holdoff options are also useful in
              conjunction with the demand option.

       domain d
              Append the domain name d to the local host name for
              authentication purposes. For example, if gethostname() returns
              the name porsche, but the fully qualified domain name is
              porsche.Quotron.COM, you could specify domain Quotron.COM. Pppd
              would then use the name porsche.Quotron.COM for looking up
              secrets in the secrets file, and as the default name to send to
              the peer when authenticating itself to the peer. This option is
              privileged.

       dryrun With the dryrun option, pppd will print out all the option
              values which have been set and then exit, after parsing the
              command line and options files and checking the option values,
              but before initiating the link. The option values are logged at
              level info, and also printed to standard output unless the
              device on standard output is the device that pppd would be using
              to communicate with the peer.

       dump   With the dump option, pppd will print out all the option values
              which have been set. This option is like the dryrun option
              except that pppd proceeds as normal rather than exiting.

       enable-session
              Enables session accounting via PAM or wtmp/wtmpx, as
              appropriate. When PAM is enabled, the PAM "account" and
              "session" module stacks determine behavior, and are enabled for
              all PPP authentication protocols. When PAM is disabled,
              wtmp/wtmpx entries are recorded regardless of whether the peer
              name identifies a valid user on the local system, making peers
              visible in the last(1) log. This feature is automatically
              enabled when the pppd login option is used. Session accounting
              is disabled by default.

       endpoint <epdisc>
              Sets the endpoint discriminator sent by the local machine to the
              peer during multilink negotiation to <epdisc>. The default is
              to use the MAC address of the first ethernet interface on the
              system, if any, otherwise the IPv4 address corresponding to the
              hostname, if any, provided it is not in the multicast or
              locally-assigned IP address ranges, or the localhost address.
              The endpoint discriminator can be the string null or of the form
              type:value, where type is a decimal number or one of the strings
              local, IP, MAC, magic, or phone. The value is an IP address in
              dotted-decimal notation for the IP type, or a string of bytes in
              hexadecimal, separated by periods or colons for the other types.
              For the MAC type, the value may also be the name of an ethernet
              or similar network interface. This option is currently only
              available under Linux.

       eap-interval n
              If this option is given and pppd authenticates the peer with EAP
              (i.e., is the server), pppd will restart EAP authentication
              every n seconds. For EAP SRP-SHA1, see also the srp-interval
              option, which enables lightweight rechallenge.

       eap-max-rreq n
              Set the maximum number of EAP Requests to which pppd will
              respond (as a client) without hearing EAP Success or Failure.
              (Default is 20.)

       eap-max-sreq n
              Set the maximum number of EAP Requests that pppd will issue (as
              a server) while attempting authentication. (Default is 10.)

       eap-restart n
              Set the retransmit timeout for EAP Requests when acting as a
              server (authenticator). (Default is 3 seconds.)

       eap-timeout n
              Set the maximum time to wait for the peer to send an EAP Request
              when acting as a client (authenticatee). (Default is 20
              seconds.)

       hide-password
              When logging the contents of PAP packets, this option causes
              pppd to exclude the password string from the log. This is the
              default.

       holdoff n
              Specifies how many seconds to wait before re-initiating the link
              after it terminates. This option only has any effect if the
              persist or demand option is used. The holdoff period is not
              applied if the link was terminated because it was idle.

       idle n Specifies that pppd should disconnect if the link is idle for n
              seconds. The link is idle when no data packets (i.e. IP
              packets) are being sent or received. Note: it is not advisable
              to use this option with the persist option without the demand
              option. If the active-filter option is given, data packets
              which are rejected by the specified activity filter also count
              as the link being idle.

       ipcp-accept-local
              With this option, pppd will accept the peer's idea of our local
              IP address, even if the local IP address was specified in an
              option.

       ipcp-accept-remote
              With this option, pppd will accept the peer's idea of its
              (remote) IP address, even if the remote IP address was specified
              in an option.

       ipcp-max-configure n
              Set the maximum number of IPCP configure-request transmissions
              to n (default 10).

       ipcp-max-failure n
              Set the maximum number of IPCP configure-NAKs returned before
              starting to send configure-Rejects instead to n (default 10).

       ipcp-max-terminate n
              Set the maximum number of IPCP terminate-request transmissions
              to n (default 3).

       ipcp-restart n
              Set the IPCP restart interval (retransmission timeout) to n
              seconds (default 3).

       ipparam string
              Provides an extra parameter to the ip-up, ip-pre-up and ip-down
              scripts. If this option is given, the string supplied is given
              as the 6th parameter to those scripts.

       ipv6cp-accept-local
              With this option, pppd will accept the peer's idea of our local
              IPv6 interface identifier, even if the local IPv6 interface
              identifier was specified in an option.

       ipv6cp-max-configure n
              Set the maximum number of IPv6CP configure-request transmissions
              to n (default 10).

       ipv6cp-max-failure n
              Set the maximum number of IPv6CP configure-NAKs returned before
              starting to send configure-Rejects instead to n (default 10).

       ipv6cp-max-terminate n
              Set the maximum number of IPv6CP terminate-request transmissions
              to n (default 3).

       ipv6cp-restart n
              Set the IPv6CP restart interval (retransmission timeout) to n
              seconds (default 3).

       ipx    Enable the IPXCP and IPX protocols. This option is presently
              only supported under Linux, and only if your kernel has been
              configured to include IPX support.

       ipx-network n
              Set the IPX network number in the IPXCP configure request frame
              to n, a hexadecimal number (without a leading 0x). There is no
              valid default. If this option is not specified, the network
              number is obtained from the peer. If the peer does not have the
              network number, the IPX protocol will not be started.

       ipx-node n:m
              Set the IPX node numbers. The two node numbers are separated
              from each other with a colon character. The first number n is
              the local node number. The second number m is the peer's node
              number. Each node number is a hexadecimal number, at most 10
              digits long. The node numbers on the ipx-network must be unique.
              There is no valid default. If this option is not specified then
              the node numbers are obtained from the peer.

       ipx-router-name <string>
              Set the name of the router. This is a string and is sent to the
              peer as information data.

       ipx-routing n
              Set the routing protocol to be received by this option. More
              than one instance of ipx-routing may be specified. The 'none'
              option (0) may be specified as the only instance of ipx-routing.
              The values may be 0 for NONE, 2 for RIP/SAP, and 4 for NLSP.

       ipxcp-accept-local
              Accept the peer's NAK for the node number specified in the
              ipx-node option. If a node number was specified, and non-zero,
              the default is to insist that the value be used. If you include
              this option then you will permit the peer to override the entry
              of the node number.

       ipxcp-accept-network
              Accept the peer's NAK for the network number specified in the
              ipx-network option. If a network number was specified, and
              non-zero, the default is to insist that the value be used. If
              you include this option then you will permit the peer to
              override the entry of the node number.

       ipxcp-accept-remote
              Use the peer's network number specified in the configure request
              frame. If a node number was specified for the peer and this
              option was not specified, the peer will be forced to use the
              value which you have specified.

       ipxcp-max-configure n
              Set the maximum number of IPXCP configure request frames which
              the system will send to n. The default is 10.

       ipxcp-max-failure n
              Set the maximum number of IPXCP NAK frames which the local
              system will send before it rejects the options. The default
              value is 3.

       ipxcp-max-terminate n
              Set the maximum number of IPXCP terminate request frames before
              the local system considers that the peer is not listening to
              them. The default value is 3.

       kdebug n
              Enable debugging code in the kernel-level PPP driver. The
              argument values depend on the specific kernel driver, but in
              general a value of 1 will enable general kernel debug messages.
              (Note that these messages are usually only useful for debugging
              the kernel driver itself.) For the Linux 2.2.x kernel driver,
              the value is a sum of bits: 1 to enable general debug messages,
              2 to request that the contents of received packets be printed,
              and 4 to request that the contents of transmitted packets be
              printed. On most systems, messages printed by the kernel are
              logged by syslog(1) to a file as directed in the
              /etc/syslog.conf configuration file.

       key keyfile
              (EAP-TLS) Use the file keyfile as the private key file (in PEM
              format), needed for setting up an EAP-TLS connection. This
              option is used on the client-side in conjunction with the ca and
              cert options.

       ktune  Enables pppd to alter kernel settings as appropriate. Under
              Linux, pppd will enable IP forwarding (i.e. set
              /proc/sys/net/ipv4/ip_forward to 1) if the proxyarp option is
              used, and will enable the dynamic IP address option (i.e. set
              /proc/sys/net/ipv4/ip_dynaddr to 1) in demand mode if the local
              address changes.

       lcp-echo-failure n
              If this option is given, pppd will presume the peer to be dead
              if n LCP echo-requests are sent without receiving a valid LCP
              echo-reply. If this happens, pppd will terminate the
              connection. Use of this option requires a non-zero value for the
              lcp-echo-interval parameter. This option can be used to enable
              pppd to terminate after the physical connection has been broken
              (e.g., the modem has hung up) in situations where no hardware
              modem control lines are available.

       lcp-echo-interval n
              If this option is given, pppd will send an LCP echo-request
              frame to the peer every n seconds. Normally the peer should
              respond to the echo-request by sending an echo-reply. This
              option can be used with the lcp-echo-failure option to detect
              that the peer is no longer connected.

       lcp-max-configure n
              Set the maximum number of LCP configure-request transmissions to
583              n (default 10).
584
585       lcp-max-failure n
586              Set  the  maximum  number  of LCP configure-NAKs returned before
587              starting to send configure-Rejects instead to n (default 10).
588
589       lcp-max-terminate n
590              Set the maximum number of LCP terminate-request transmissions to
591              n (default 3).
592
593       lcp-restart n
594              Set  the LCP restart interval (retransmission timeout) to n sec‐
595              onds (default 3).
596
597       linkname name
598              Sets the logical name of the link to name.  Pppd will  create  a
599              file  named  ppp-name.pid  in /var/run (or /etc/ppp on some sys‐
600              tems) containing its process ID.  This can be useful  in  deter‐
601              mining  which  instance of pppd is responsible for the link to a
602              given peer system.  This is a privileged option.
603
604       local  Don't use the modem control lines.  With this option, pppd  will
605              ignore  the  state  of  the  CD (Carrier Detect) signal from the
606              modem and will not change the state of the  DTR  (Data  Terminal
607              Ready) signal.  This is the opposite of the modem option.
608
609       logfd n
610              Send log messages to file descriptor n.  Pppd will send log mes‐
611              sages to at most one file or file descriptor (as well as sending
612              the  log  messages  to  syslog),  so this option and the logfile
613              option are mutually exclusive.  The default is for pppd to  send
614              log  messages  to  stdout (file descriptor 1), unless the serial
615              port is already open on stdout.
616
617       logfile filename
618              Append log messages to the file filename (as well as sending the
619              log messages to syslog).  The file is opened with the privileges
620              of the user who invoked pppd, in append mode.
621
622       login  Use the system password database  for  authenticating  the  peer
623              using  PAP,  and  record the user in the system wtmp file.  Note
624              that the peer must have an  entry  in  the  /etc/ppp/pap-secrets
625              file  as  well  as  the  system  password database to be allowed
626              access.  See also the enable-session option.
627
628       master_detach
629              If multilink is enabled and this pppd process is  the  multilink
630              bundle master, and the link controlled by this pppd process ter‐
631              minates, this pppd process continues to run in order to maintain
632              the  bundle.   If  the master_detach option has been given, pppd
633              will detach from its controlling  terminal  in  this  situation,
634              even if the nodetach option has been given.
635
636       maxconnect n
637              Terminate  the connection when it has been available for network
638              traffic for n seconds (i.e. n seconds after  the  first  network
639              control protocol comes up).
640
641       maxfail n
642              Terminate  after  n  consecutive  failed connection attempts.  A
643              value of 0 means no limit.  The default value is 10.
644
645       modem  Use the modem control lines.  This option is the default.   With
646              this  option,  pppd will wait for the CD (Carrier Detect) signal
647              from the modem to be asserted when  opening  the  serial  device
648              (unless a connect script is specified), and it will drop the DTR
649              (Data Terminal Ready) signal briefly when the connection is ter‐
650              minated  and  before  executing  the connect script.  On Ultrix,
651              this option implies hardware flow control, as  for  the  crtscts
652              option.  This is the opposite of the local option.
653
654       mp     Enables the use of PPP multilink; this is an alias for the `mul‐
655              tilink' option.  This option is currently only  available  under
656              Linux.
657
658       mppe-stateful
659              Allow  MPPE  to  use  stateful  mode.   Stateless  mode is still
660              attempted first.  The default is to disallow stateful mode.
661
662       mpshortseq
663              Enables the use of short (12-bit) sequence numbers in  multilink
664              headers,  as opposed to 24-bit sequence numbers.  This option is
665              only available under Linux, and only has any effect if multilink
666              is enabled (see the multilink option).
667
668       mrru n Sets  the  Maximum Reconstructed Receive Unit to n.  The MRRU is
669              the maximum size for a received packet on  a  multilink  bundle,
670              and  is  analogous  to  the  MRU for the individual links.  This
671              option is currently only available under Linux, and only has any
672              effect if multilink is enabled (see the multilink option).
673
674       ms-dns <addr>
675              If  pppd  is  acting  as a server for Microsoft Windows clients,
676              this option allows pppd to supply one or two  DNS  (Domain  Name
677              Server)  addresses  to  the clients.  The first instance of this
678              option specifies the primary DNS address;  the  second  instance
679              (if  given)  specifies  the secondary DNS address.  (This option
680              was present in some  older  versions  of  pppd  under  the  name
681              dns-addr.)
682
683       ms-wins <addr>
684              If  pppd  is acting as a server for Microsoft Windows or "Samba"
685              clients, this option allows pppd to supply one or two WINS (Win‐
686              dows  Internet  Name  Services) server addresses to the clients.
687              The first instance of this option  specifies  the  primary  WINS
688              address;  the second instance (if given) specifies the secondary
689              WINS address.
690
691       multilink
692              Enables the use of the PPP multilink protocol.  If the peer also
693              supports  multilink,  then this link can become part of a bundle
694              between the local system and the peer.  If there is an  existing
695              bundle  to  the  peer,  pppd will join this link to that bundle,
696              otherwise pppd will create a new bundle.  See the MULTILINK sec‐
697              tion  below.   This  option  is  currently  only available under
698              Linux.
699
700       name name
701              Set the name of the local system for authentication purposes  to
702              name.  This is a privileged option.  With this option, pppd will
703              use lines in the secrets files which have  name  as  the  second
704              field  when  looking  for  a secret to use in authenticating the
705              peer.  In addition, unless overridden with the user option, name
706              will be used as the name to send to the peer when authenticating
707              the local system to the peer.  (Note that pppd does  not  append
708              the domain name to name.)
709
710       noaccomp
711              Disable Address/Control compression in both directions (send and
712              receive).
713
714       need-peer-eap
715              (EAP-TLS) Require the peer to verify our authentication  creden‐
716              tials.
717
718       noauth Do  not require the peer to authenticate itself.  This option is
719              privileged.
720
721       nobsdcomp
722              Disables BSD-Compress compression;  pppd  will  not  request  or
723              agree to compress packets using the BSD-Compress scheme.
724
725       noccp  Disable  CCP  (Compression  Control Protocol) negotiation.  This
726              option should only be required if the peer  is  buggy  and  gets
727              confused by requests from pppd for CCP negotiation.
728
729       nocrtscts
730              Disable hardware flow control (i.e. RTS/CTS) on the serial port.
731              If neither the crtscts nor the nocrtscts nor the cdtrcts nor the
732              nocdtrcts option is given, the hardware flow control setting for
733              the serial port is left unchanged.
734
735       nocdtrcts
736              This option is a synonym for nocrtscts. Either of these  options
737              will disable both forms of hardware flow control.
738
739       nodefaultroute
740              Disable  the  defaultroute option.  The system administrator who
741              wishes to prevent users from creating default routes  with  pppd
742              can do so by placing this option in the /etc/ppp/options file.
743
744       nodeflate
745              Disables  Deflate compression; pppd will not request or agree to
746              compress packets using the Deflate scheme.
747
748       nodetach
749              Don't  detach  from  the  controlling  terminal.   Without  this
750              option,  if a serial device other than the terminal on the stan‐
751              dard input is specified, pppd will fork to become  a  background
752              process.
753
754       noendpoint
755              Disables pppd from sending an endpoint discriminator to the peer
756              or accepting one  from  the  peer  (see  the  MULTILINK  section
757              below).   This  option  should  only  be required if the peer is
758              buggy.
759
760       noip   Disable IPCP negotiation  and  IP  communication.   This  option
761              should  only  be required if the peer is buggy and gets confused
762              by requests from pppd for IPCP negotiation.
763
764       noipv6 Disable IPv6CP negotiation and IPv6 communication.  This  option
765              should  only  be required if the peer is buggy and gets confused
766              by requests from pppd for IPv6CP negotiation.
767
768       noipdefault
769              Disables the default behaviour when no local IP address is spec‐
770              ified,  which is to determine (if possible) the local IP address
771              from the hostname.  With this option, the peer will have to sup‐
772              ply  the  local  IP  address  during IPCP negotiation (unless it
773              is specified explicitly on the command line or in an options file).
774
775       noipx  Disable the IPXCP and IPX protocols.  This option should only be
776              required if the peer is buggy and gets confused by requests from
777              pppd for IPXCP negotiation.
778
779       noktune
780              Opposite of the ktune option; disables pppd from changing system
781              settings.
782
783       nolock Opposite of the lock option; specifies that pppd should not cre‐
784              ate a UUCP-style lock file for the serial device.   This  option
785              is privileged.
786
787       nolog  Do  not  send  log  messages to a file or file descriptor.  This
788              option cancels the logfd and logfile options.
789
790       nomagic
791              Disable magic number negotiation.  With this option, pppd cannot
792              detect a looped-back line.  This option should only be needed if
793              the peer is buggy.
794
795       nomp   Disables the use of PPP multilink.   This  option  is  currently
796              only available under Linux.
797
798       nomppe Disables  MPPE  (Microsoft  Point to Point Encryption).  This is
799              the default.
800
801       nomppe-40
802              Disable 40-bit encryption with MPPE.
803
804       nomppe-128
805              Disable 128-bit encryption with MPPE.
806
807       nomppe-stateful
808              Disable MPPE stateful mode.  This is the default.
809
810       nompshortseq
811              Disables the use of short (12-bit) sequence numbers in  the  PPP
812              multilink  protocol, forcing the use of 24-bit sequence numbers.
813              This option is currently only available under  Linux,  and  only
814              has any effect if multilink is enabled.
815
816       nomultilink
817              Disables  the  use  of  PPP multilink.  This option is currently
818              only available under Linux.
819
820       nopcomp
821              Disable protocol  field  compression  negotiation  in  both  the
822              receive and the transmit direction.
823
824       nopersist
825              Exit  once  a  connection has been made and terminated.  This is
826              the default unless the persist or demand option has been  speci‐
827              fied.
828
829       nopredictor1
830              Do not accept or agree to Predictor-1 compression.
831
832       noproxyarp
833              Disable  the  proxyarp  option.   The  system  administrator who
834              wishes to prevent users from creating  proxy  ARP  entries  with
835              pppd  can  do  so by placing this option in the /etc/ppp/options
836              file.
837
838       noremoteip
839              Allow pppd to operate without having an IP address for the peer.
840              This  option is only available under Linux.  Normally, pppd will
841              request the peer's IP address, and if the peer does  not  supply
842              it,  pppd  will use an arbitrary address in the 10.x.x.x subnet.
843              With this option, if the peer does not supply  its  IP  address,
844              pppd will not ask the peer for it, and will not set the destina‐
845              tion address of the ppp interface.  In this situation,  the  ppp
846              interface can be used for routing by creating device routes, but
847              the peer itself cannot be addressed directly for IP traffic.
848
849       notty  Normally, pppd requires a terminal device.   With  this  option,
850              pppd will allocate itself a pseudo-tty master/slave pair and use
851              the slave as its terminal device.   Pppd  will  create  a  child
852              process  to  act  as  a `character shunt' to transfer characters
853              between the pseudo-tty master and its standard input and output.
854              Thus  pppd  will  transmit characters on its standard output and
855              receive characters on its standard input even if  they  are  not
856              terminal  devices.   This  option  increases the latency and CPU
857              overhead of transferring data over the ppp interface as  all  of
858              the characters sent and received must flow through the character
859              shunt process.  An explicit device name may not be given if this
860              option is used.
861
862       novj   Disable Van Jacobson style TCP/IP header compression in both the
863              transmit and the receive direction.
864
865       novjccomp
866              Disable the connection-ID compression  option  in  Van  Jacobson
867              style  TCP/IP  header  compression.  With this option, pppd will
868              not omit the connection-ID byte  from  Van  Jacobson  compressed
869              TCP/IP headers, nor ask the peer to do so.
870
871       papcrypt
872              Indicates  that  all  secrets  in  the /etc/ppp/pap-secrets file
873              which are used  for  checking  the  identity  of  the  peer  are
874              encrypted,  and  thus  pppd  should not accept a password which,
875              before  encryption,  is  identical  to  the  secret   from   the
876              /etc/ppp/pap-secrets file.
877
878       pap-max-authreq n
879              Set the maximum number of PAP authenticate-request transmissions
880              to n (default 10).
881
882       pap-restart n
883              Set the PAP restart interval (retransmission timeout) to n  sec‐
884              onds (default 3).
885
886       pap-timeout n
887              Set the maximum time that pppd will wait for the peer to authen‐
888              ticate itself with PAP to n seconds (0 means no limit).
889
890       pass-filter filter-expression
891              Specifies a packet filter to be applied to data packets being  sent
892              or  received  to  determine  which  packets should be allowed to
893              pass.  Packets which are rejected by  the  filter  are  silently
894              discarded.   This option can be used to prevent specific network
895              daemons (such as routed) using up link bandwidth, or to  provide
896              a  very basic firewall capability.  The filter-expression syntax
897              is as described for tcpdump(1), except that qualifiers which are
898              inappropriate  for  a  PPP  link, such as ether and arp, are not
899              permitted.  Generally the filter expression should  be  enclosed
900              in  single-quotes  to  prevent whitespace in the expression from
901              being interpreted by the shell.  Note that  it  is  possible  to
902              apply  different  constraints  to  incoming and outgoing packets
903              using the inbound and outbound qualifiers. This option  is  cur‐
904              rently  only available under Linux, and requires that the kernel
905              was configured to include PPP filtering support (CONFIG_PPP_FIL‐
906              TER).
907
908       password password-string
909              Specifies  the  password  to use for authenticating to the peer.
910              Use of this option is discouraged, as the password is likely  to
911              be  visible  to other users on the system (for example, by using
912              ps(1)).
913
914       persist
915              Do not exit after a connection is  terminated;  instead  try  to
916              reopen the connection. The maxfail option still has an effect on
917              persistent connections.
918
919       plugin filename
920              Load the shared library object file filename as a plugin.   This
921              is  a  privileged  option.  If filename does not contain a slash
922              (/), pppd will look in the /usr/lib/pppd/version  directory  for
923              the  plugin,  where  version  is the version number of pppd (for
924              example, 2.4.2).
925
926       predictor1
927              Request that the peer compress frames that it sends  using  Pre‐
928              dictor-1  compression,  and agree to compress transmitted frames
929              with Predictor-1 if requested.  This option has no effect unless
930              the kernel driver supports Predictor-1 compression.
931
932       privgroup group-name
933              Allows  members  of  group group-name to use privileged options.
934              This is a privileged option.  Use of this option  requires  care
935              as  there  is no guarantee that members of group-name cannot use
936              pppd to become  root  themselves.   Consider  it  equivalent  to
937              putting the members of group-name in the kmem or disk group.
938
939       proxyarp
940              Add  an entry to this system's ARP [Address Resolution Protocol]
941              table with the IP address of the peer and the  Ethernet  address
942              of  this  system.   This will have the effect of making the peer
943              appear to other systems to be on the local ethernet.
944
945       pty script
946              Specifies that the command script is to be used  to  communicate
947              rather  than  a  specific  terminal  device.  Pppd will allocate
948              itself a pseudo-tty master/slave pair and use the slave  as  its
949              terminal device.  The script will be run in a child process with
950              the pseudo-tty master as its  standard  input  and  output.   An
951              explicit  device  name  may not be given if this option is used.
952              (Note: if the record option is used in conjunction with the  pty
953              option,  the child process will have pipes on its standard input
954              and output.)
955
956       receive-all
957              With this option, pppd will accept all control  characters  from
958              the peer, including those marked in the receive asyncmap.  With‐
959              out this option, pppd will discard those characters as specified
960              in  RFC1662.   This  option should only be needed if the peer is
961              buggy.
962
963       record filename
964              Specifies that  pppd  should  record  all  characters  sent  and
965              received  to  a  file  named  filename.   This file is opened in
966              append mode, using the user's  user-ID  and  permissions.   This
967              option is implemented using a pseudo-tty and a process to trans‐
968              fer characters  between  the  pseudo-tty  and  the  real  serial
969              device,  so  it  will  increase  the latency and CPU overhead of
970              transferring data over the ppp interface.   The  characters  are
971              stored  in  a  tagged  format with timestamps, which can be dis‐
972              played in readable form using the pppdump(8) program.
973
974       remotename name
975              Set the assumed name of the  remote  system  for  authentication
976              purposes to name.
977
978       remotenumber number
979              Set  the  assumed  telephone  number  of  the  remote system for
980              authentication purposes to number.
981
982       refuse-chap
983              With this option, pppd will not agree to authenticate itself  to
984              the peer using CHAP.
985
986       refuse-mschap
987              With  this option, pppd will not agree to authenticate itself to
988              the peer using MS-CHAP.
989
990       refuse-mschap-v2
991              With this option, pppd will not agree to authenticate itself  to
992              the peer using MS-CHAPv2.
993
994       refuse-eap
995              With  this option, pppd will not agree to authenticate itself to
996              the peer using EAP.
997
998       refuse-pap
999              With this option, pppd will not agree to authenticate itself  to
1000              the peer using PAP.
1001
1002       require-chap
1003              Require  the  peer  to authenticate itself using CHAP [Challenge
1004              Handshake Authentication Protocol] authentication.
1005
1006       require-mppe
1007              Require the use of MPPE (Microsoft Point to  Point  Encryption).
1008              This  option  disables all other compression types.  This option
1009              enables both 40-bit and 128-bit encryption.  In order  for  MPPE
1010              to successfully come up, you must have authenticated with either
1011              MS-CHAP or MS-CHAPv2.  This option is presently  only  supported
1012              under  Linux,  and  only  if  your kernel has been configured to
1013              include MPPE support.
1014
1015       require-mppe-40
1016              Require the use of MPPE, with 40-bit encryption.
1017
1018       require-mppe-128
1019              Require the use of MPPE, with 128-bit encryption.
1020
1021       require-mschap
1022              Require the peer to authenticate itself using MS-CHAP [Microsoft
1023              Challenge Handshake Authentication Protocol] authentication.
1024
1025       require-mschap-v2
1026              Require  the peer to authenticate itself using MS-CHAPv2 [Micro‐
1027              soft Challenge Handshake  Authentication  Protocol,  Version  2]
1028              authentication.
1029
1030       require-eap
1031              Require  the  peer  to authenticate itself using EAP [Extensible
1032              Authentication Protocol] authentication.
1033
1034       require-pap
1035              Require the peer to  authenticate  itself  using  PAP  [Password
1036              Authentication Protocol] authentication.
1037
1038       set name=value
1039              Set  an  environment  variable  for  scripts that are invoked by
1040              pppd.  When set by a privileged source, the  variable  specified
1041              by  name  cannot  be changed by options contained in an unprivi‐
1042              leged source.  See also the unset  option  and  the  environment
1043              described in SCRIPTS.
1044
1045       show-password
1046              When  logging  the  contents  of PAP packets, this option causes
1047              pppd to show the password string in the log message.
1048
1049       silent With this option, pppd will not transmit LCP packets to initiate
1050              a  connection until a valid LCP packet is received from the peer
1051              (as for the `passive' option with ancient versions of pppd).
1052
1053       srp-interval n
1054              If this parameter is given and pppd uses EAP SRP-SHA1 to authen‐
1055              ticate  the  peer  (i.e., is the server), then pppd will use the
1056              optional lightweight SRP rechallenge mechanism at intervals of n
1057              seconds.   This option is faster than eap-interval reauthentica‐
1058              tion because it uses a hash-based mechanism and does not  derive
1059              a new session key.
1060
1061       srp-pn-secret string
1062              Set  the  long-term  pseudonym-generating secret for the server.
1063              This value is optional and if set, needs  to  be  known  at  the
1064              server  (authenticator)  side  only, and should be different for
1065              each server (or pool of identical servers).  It  is  used  along
1066              with  the  current date to generate a key to encrypt and decrypt
1067              the client's identity contained in the pseudonym.
1068
1069       srp-use-pseudonym
1070              When operating as an EAP SRP-SHA1 client,  attempt  to  use  the
1071              pseudonym  stored in ~/.ppp_pseudonym first as the identity, and
1072              save in this file any  pseudonym  offered  by  the  peer  during
1073              authentication.
1074
1075       sync   Use  synchronous  HDLC  serial encoding instead of asynchronous.
1076              The device used by pppd with this option must have sync support.
1077              Currently  supports  Microgate SyncLink adapters under Linux and
1078              FreeBSD 2.2.8 and later.
1079
1080       unit num
1081              Sets the ppp unit number (for a ppp0, ppp1, etc. interface name)
1082              for outbound connections.
1083
1084       unset name
1085              Remove a variable from the environment for scripts that
1086              are invoked by pppd.  When specified by a privileged source, the
1087              variable  name cannot be set by options contained in an unprivi‐
1088              leged source.  See also  the  set  option  and  the  environment
1089              described in SCRIPTS.
1090
1091       updetach
1092              With this option, pppd will detach from its controlling terminal
1093              once it has successfully established the ppp connection (to  the
1094              point  where  the first network control protocol, usually the IP
1095              control protocol, has come up).
1096
1097       usehostname
1098              Enforce the use of the hostname (with domain name  appended,  if
1099              given)  as  the name of the local system for authentication pur‐
1100              poses (overrides the name option).  This option is not  normally
1101              needed since the name option is privileged.
1102
1103       usepeerdns
1104              Ask  the  peer  for up to 2 DNS server addresses.  The addresses
1105              supplied by the peer (if any) are passed to  the  /etc/ppp/ip-up
1106              script in the environment variables DNS1 and DNS2, and the envi‐
1107              ronment variable USEPEERDNS will be set to 1.  In addition, pppd
1108              will  create  a /var/run/ppp/resolv.conf file containing one or
1109              two nameserver lines with the address(es) supplied by the peer.
1110
1111       user name
1112              Sets the name used for authenticating the local  system  to  the
1113              peer to name.
1114
1115       vj-max-slots n
1116              Sets the number of connection slots to be used by the Van Jacob‐
1117              son TCP/IP header compression and decompression code to n, which
1118              must be between 2 and 16 (inclusive).
1119
1120       welcome script
1121              Run  the  executable or shell command specified by script before
1122              initiating PPP negotiation, after the connect  script  (if  any)
1123              has completed.  A value for this option from a privileged source
1124              cannot be overridden by a non-privileged user.
1125
1126       xonxoff
1127              Use software flow control (i.e. XON/XOFF) to control the flow of
1128              data on the serial port.
1129

OPTIONS FILES

1131       Options  can  be  taken  from  files as well as the command line.  Pppd
1132       reads  options  from   the   files   /etc/ppp/options,   ~/.ppprc   and
1133       /etc/ppp/options.ttyname  (in that order) before processing the options
1134       on the command line.  (In fact, the command-line options are scanned to
1135       find  the  terminal  name before the options.ttyname file is read.)  In
1136       forming the name of the options.ttyname  file,  the  initial  /dev/  is
1137       removed  from  the  terminal  name,  and any remaining / characters are
1138       replaced with dots.
1139
1140       An options file is parsed into a series of words, delimited  by  white‐
1141       space.   Whitespace  can be included in a word by enclosing the word in
1142       double-quotes (").  A backslash (\) quotes the following character.   A
1143       hash  (#)  starts a comment, which continues until the end of the line.
1144       There is no restriction on using the file or  call  options  within  an
1145       options file.
1146

SECURITY

1148       pppd provides system administrators with sufficient access control that
1149       PPP access to a server machine can  be  provided  to  legitimate  users
1150       without  fear of compromising the security of the server or the network
1151       it's on.  This control is provided through  restrictions  on  which  IP
1152       addresses  the  peer  may  use, based on its authenticated identity (if
1153       any), and through restrictions on which options a  non-privileged  user
1154       may use.  Several of pppd's options are privileged, in particular those
1155       which permit potentially insecure  configurations;  these  options  are
1156       only accepted in files which are under the control of the system admin‐
1157       istrator, or if pppd is being run by root.
1158
1159       The default behaviour of pppd is to allow an  unauthenticated  peer  to
1160       use a given IP address only if the system does not already have a route
1161       to that IP address.  For example, a system with a permanent  connection
1162       to  the wider internet will normally have a default route, and thus all
1163       peers will have to authenticate themselves in order to set up a connec‐
1164       tion.   On such a system, the auth option is the default.  On the other
1165       hand, a system where the PPP link is the only connection to the  inter‐
1166       net will not normally have a default route, so the peer will be able to
1167       use almost any IP address without authenticating itself.
1168
1169       As indicated above, some  security-sensitive  options  are  privileged,
1170       which  means  that  they  may not be used by an ordinary non-privileged
1171       user running a setuid-root pppd, either on the  command  line,  in  the
1172       user's ~/.ppprc file, or in an options file read using the file option.
1173       Privileged options may be  used  in  /etc/ppp/options  file  or  in  an
1174       options  file  read using the call option.  If pppd is being run by the
1175       root user, privileged options can be used without restriction.
1176
1177       When opening the device, pppd uses either the invoking user's  user  ID
1178       or  the root UID (that is, 0), depending on whether the device name was
1179       specified by the user or the system administrator.  If the device  name
1180       comes from a privileged source, that is, /etc/ppp/options or an options
1181       file read using the call option, pppd uses full  root  privileges  when
1182       opening  the  device.   Thus,  by  creating  an  appropriate file under
1183       /etc/ppp/peers, the system administrator can allow users to establish a
1184       ppp  connection via a device which they would not normally have permis‐
1185       sion to access.  Otherwise pppd uses the invoking user's real UID  when
1186       opening the device.
1187

AUTHENTICATION

1189       Authentication  is  the process whereby one peer convinces the other of
1190       its identity.  This involves the first peer sending  its  name  to  the
1191       other,  together  with some kind of secret information which could only
1192       come from the genuine  authorized  user  of  that  name.   In  such  an
1193       exchange,  we  will  call the first peer the "client" and the other the
1194       "server".  The client has a name by which it identifies itself  to  the
1195       server, and the server also has a name by which it identifies itself to
1196       the client.  Generally the genuine client shares some secret (or  pass‐
1197       word)  with  the  server,  and  authenticates itself by proving that it
1198       knows that secret.  Very often, the names used for authentication  cor‐
1199       respond  to the internet hostnames of the peers, but this is not essen‐
1200       tial.
1201
1202       At present, pppd supports three authentication protocols: the  Password
1203       Authentication  Protocol (PAP), Challenge Handshake Authentication Pro‐
1204       tocol  (CHAP),  and  Extensible  Authentication  Protocol  (EAP).   PAP
1205       involves  the  client  sending its name and a cleartext password to the
1206       server to authenticate itself.  In contrast, the server  initiates  the
1207       CHAP  authentication exchange by sending a challenge to the client (the
1208       challenge packet includes the server's name).  The client must  respond
1209       with  a response which includes its name plus a hash value derived from
1210       the shared secret and the challenge, in order to prove  that  it  knows
1211       the  secret.  EAP supports CHAP-style authentication, and also includes
1212       the SRP-SHA1 mechanism, which is resistant to dictionary-based  attacks
1213       and does not require a cleartext password on the server side.
1214
1215       The  PPP  protocol, being symmetrical, allows both peers to require the
1216       other to authenticate itself.  In that case, two separate and  indepen‐
1217       dent  authentication exchanges will occur.  The two exchanges could use
1218       different authentication protocols, and in principle,  different  names
1219       could be used in the two exchanges.
1220
1221       The default behaviour of pppd is to agree to authenticate if requested,
1222       and to not require authentication from the peer.   However,  pppd  will
1223       not  agree  to authenticate itself with a particular protocol if it has
1224       no secrets which could be used to do so.
1225
1226       Pppd  stores  secrets  for  use  in  authentication  in  secrets  files
1227       (/etc/ppp/pap-secrets for PAP, /etc/ppp/chap-secrets for CHAP, MS-CHAP,
1228       MS-CHAPv2, and EAP  MD5-Challenge,  and  /etc/ppp/srp-secrets  for  EAP
1229       SRP-SHA1).   All secrets files have the same format.  The secrets files
1230       can contain secrets for pppd to use in authenticating itself  to  other
1231       systems,  as  well as secrets for pppd to use when authenticating other
1232       systems to itself.
1233
1234       Each line in a secrets file contains one secret.   A  given  secret  is
1235       specific to a particular combination of client and server - it can only
1236       be used by that client to authenticate itself  to  that  server.   Thus
1237       each  line  in  a  secrets  file has at least 3 fields: the name of the
1238       client, the name of the server, and the secret.  These  fields  may  be
1239       followed  by  a  list of the IP addresses that the specified client may
1240       use when connecting to the specified server.
1241
1242       A secrets file is parsed into words as  for  an options  file,  so  the
1243       client name, server name and secrets fields must each be one word, with
1244       any embedded spaces or other  special  characters  quoted  or  escaped.
1245       Note that case is significant in the client and server names and in the
1246       secret.
1247
1248       If the secret starts with an `@', what follows is  assumed  to  be  the
1249       name  of  a file from which to read the secret.  A "*" as the client or
1250       server name matches any name.  When selecting a secret, pppd takes  the
1251       best match, i.e.  the match with the fewest wildcards.
1252
1253       Any  following words on the same line are taken to be a list of accept‐
1254       able IP addresses for that client.  If there are only 3  words  on  the
1255       line,  or  if  the  first word is "-", then all IP addresses are disal‐
1256       lowed.  To allow any address, use "*".  A word starting with "!"  indi‐
1257       cates  that the specified address is not acceptable.  An address may be
1258       followed by "/" and a number n, to indicate a whole  subnet,  i.e.  all
1259       addresses which have the same value in the most significant n bits.  In
1260       this form, the address may be followed by a plus sign ("+") to indicate
1261       that  one  address from the subnet is authorized, based on the ppp net‐
1262       work interface unit number in use.  In this case, the host part of  the
1263       address will be set to the unit number plus one.
1264
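The parsing, best-match and address-list rules described above, as an added example (not code from pppd or its distribution). The function names and the sample entries are constructed for illustration. Assumptions: a # counts as a comment only at the start of a word, ties between equally specific entries go to the first one, the first matching address word decides, and host names in the address list are skipped because resolving them needs DNS.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the format described above (not a real configuration).
SAMPLE_SECRETS = r'''
# client  server  secret           acceptable addresses
joespc    server  "joe's secret"   10.1.1.5
*         server  shared\ secret   !10.1.1.5 10.1.1.0/24
dialin    server  "pool # pw"      10.2.0.0/24+
backup    server  @/etc/ppp/backup.key
""        server  ""               10.3.0.1    # peers that refuse to authenticate
'''


def split_words(line):
    """Split a line into words: whitespace delimits, "..." keeps whitespace,
    a backslash quotes the next character, # starts a comment."""
    words, cur, in_word, in_quote, i = [], [], False, False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            in_word = True
            i += 1
        elif ch == '"':
            in_quote = not in_quote
            in_word = True              # so that "" yields an empty word
        elif in_quote:
            cur.append(ch)
        elif ch.isspace():
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        elif ch == "#" and not in_word:
            break                       # assumption: comment only at a word start
        else:
            cur.append(ch)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words


@dataclass
class Entry:
    client: str
    server: str
    secret: str      # a leading "@" means "read the secret from this file"
    addrs: list
    lineno: int


def parse_secrets(text):
    """One secret per line; lines with fewer than 3 words carry no secret."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        w = split_words(line)
        if len(w) >= 3:
            entries.append(Entry(w[0], w[1], w[2], w[3:], lineno))
    return entries


def select_entry(entries, client, server):
    """Best match = fewest wildcards; the first entry wins a tie (assumption)."""
    best, best_score = None, -1
    for e in entries:
        if e.client not in ("*", client) or e.server not in ("*", server):
            continue
        score = (e.client != "*") + (e.server != "*")
        if score > best_score:
            best, best_score = e, score
    return best


def address_allowed(entry, peer_ip, unit=0):
    """Apply the address list; unit is the ppp interface unit number."""
    if not entry.addrs or entry.addrs[0] == "-":
        return False                    # 3 words only, or "-": nothing allowed
    peer = ipaddress.ip_address(peer_ip)
    for word in entry.addrs:
        if word == "*":
            return True
        accept = not word.startswith("!")
        spec = word if accept else word[1:]
        per_unit = spec.endswith("+")
        try:
            net = ipaddress.ip_network(spec.rstrip("+"), strict=False)
        except ValueError:
            continue                    # host name: needs DNS, skipped here
        if per_unit:                    # host part = unit number plus one
            one = net.network_address + unit + 1
            hit = peer == one and one in net
        else:
            hit = peer in net
        if hit:
            return accept               # first matching word decides (assumption)
    return False


if __name__ == "__main__":
    entries = parse_secrets(SAMPLE_SECRETS)
    for name, ip in [("joespc", "10.1.1.5"), ("other", "10.1.1.5"), ("", "10.3.0.1")]:
        e = select_entry(entries, name, "server")
        print(repr(name), ip, "-> line", e.lineno, address_allowed(e, ip))
```

Running such a check over a secrets file before deployment shows which entry a given peer name actually selects and whether a wildcard or empty-name entry grants more addresses than intended.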
1265       Thus  a  secrets  file  contains both secrets for use in authenticating
1266       other hosts, plus secrets which we use for authenticating ourselves  to
1267       others.   When  pppd  is  authenticating  the peer (checking the peer's
1268       identity), it chooses a secret with the peer's name in the first  field
1269       and  the name of the local system in the second field.  The name of the
1270       local system defaults to the hostname, with the domain name appended if
1271       the  domain  option  is  used.  This default can be overridden with the
1272       name option, except when the usehostname  option  is  used.   (For  EAP
1273       SRP-SHA1,  see the srp-entry(8) utility for generating proper validator
1274       entries to be used in the "secret" field.)
1275
1276       When pppd is choosing a secret to use in authenticating itself  to  the
1277       peer,  it  first  determines  what  name it is going to use to identify
1278       itself to the peer.  This name can be specified by the  user  with  the
1279       user option.  If this option is not used, the name defaults to the name
1280       of the local system, determined as described in the previous paragraph.
1281       Then  pppd looks for a secret with this name in the first field and the
1282       peer's name in the second field.  Pppd will know the name of  the  peer
1283       if CHAP or EAP authentication is being used, because the peer will have
1284       sent it in the challenge packet.  However, if PAP is being  used,  pppd
1285       will  have  to  determine the peer's name from the options specified by
1286       the user.  The user can specify  the  peer's  name  directly  with  the
1287       remotename  option.   Otherwise, if the remote IP address was specified
1288       by a name (rather than in numeric form), that name will be used as  the
1289       peer's name.  Failing that, pppd will use the null string as the peer's
1290       name.
1291
1292       When authenticating the peer with PAP, the supplied password  is  first
1293       compared  with  the  secret  from  the  secrets  file.  If the password
1294       doesn't match the secret, the password is encrypted using  crypt()  and
1295       checked  against the secret again.  Thus secrets for authenticating the
1296       peer can be stored in encrypted  form  if  desired.   If  the  papcrypt
1297       option  is  given,  the  first (unencrypted) comparison is omitted, for
1298       better security.
1299
1300       Furthermore, if the login option was specified, the username and  pass‐
1301       word  are also checked against the system password database.  Thus, the
1302       system administrator can set up  the  pap-secrets  file  to  allow  PPP
1303       access  only  to certain users, and to restrict the set of IP addresses
1304       that each user can use.  Typically, when using the  login  option,  the
1305       secret  in /etc/ppp/pap-secrets would be "", which will match any pass‐
1306       word supplied by the peer.  This avoids  the  need  to  have  the  same
1307       secret in two places.
1308
1309       Authentication  must  be  satisfactorily  completed before IPCP (or any
1310       other Network Control  Protocol)  can  be  started.   If  the  peer  is
1311       required  to  authenticate itself, and fails to do so, pppd will
1312       terminate the link (by closing LCP).  If IPCP negotiates an unacceptable IP
1313       address  for the remote host, IPCP will be closed.  IP packets can only
1314       be sent or received when IPCP is open.
1315
1316       In some cases it is desirable to allow some hosts which can't authenti‐
1317       cate  themselves  to  connect  and  use  one  of a restricted set of IP
1318       addresses, even when the local host generally requires  authentication.
1319       If  the  peer refuses to authenticate itself when requested, pppd takes
1320       that as equivalent to authenticating with PAP using  the  empty  string
1321       for  the  username  and  password.   Thus,  by  adding  a  line  to the
1322       pap-secrets file which specifies the empty string for  the  client  and
1323       password,  it  is  possible  to  allow restricted access to hosts which
1324       refuse to authenticate themselves.
1325

ROUTING

1327       When IPCP negotiation is completed successfully, pppd will  inform  the
1328       kernel  of  the  local  and  remote IP addresses for the ppp interface.
1329       This is sufficient to create a host route to  the  remote  end  of  the
1330       link,  which  will enable the peers to exchange IP packets.  Communica‐
1331       tion with other machines generally  requires  further  modification  to
1332       routing  tables  and/or  ARP  (Address Resolution Protocol) tables.  In
1333       most cases the defaultroute and/or proxyarp options are sufficient  for
1334       this,  but  in  some  cases  further  intervention  is  required.   The
1335       /etc/ppp/ip-up script can be used for this.
1336
1337       Sometimes it is desirable to add a default  route  through  the  remote
1338       host, as in the case of a machine whose only connection to the Internet
1339       is through the ppp interface.  The defaultroute option causes  pppd  to
1340       create  such a default route when IPCP comes up, and delete it when the
1341       link is terminated.
1342
1343       In some cases it is desirable to use proxy ARP, for example on a server
1344       machine  connected  to a LAN, in order to allow other hosts to communi‐
1345       cate with the remote host.  The proxyarp option causes pppd to look for
1346       a network interface on the same subnet as the remote host (an interface
1347       supporting broadcast and ARP, which is up and not a  point-to-point  or
1348       loopback interface).  If found, pppd creates a permanent, published ARP
1349       entry with the IP address of the remote host and the  hardware  address
1350       of the network interface found.
1351
1352       When the demand option is used, the interface IP addresses have already
1353       been set at the point when IPCP comes up.  If pppd has not been able to
1354       negotiate  the  same  addresses that it used to configure the interface
1355       (for example when the peer is an  ISP  that  uses  dynamic  IP  address
1356       assignment), pppd has to change the interface IP addresses to the nego‐
1357       tiated addresses.  This may disrupt existing connections, and  the  use
1358       of  demand dialling with peers that do dynamic IP address assignment is
1359       not recommended.
1360

MULTILINK

1362       Multilink PPP provides the capability to combine two or more PPP  links
1363       between  a  pair of machines into a single `bundle', which appears as a
1364       single virtual PPP link which has the combined bandwidth of  the  indi‐
1365       vidual links.  Currently, multilink PPP is only supported under Linux.
1366
1367       Pppd  detects  that the link it is controlling is connected to the same
1368       peer as another link using the peer's endpoint  discriminator  and  the
1369       authenticated  identity  of the peer (if it authenticates itself).  The
1370       endpoint discriminator is a block of data which is hopefully unique for
1371       each  peer.   Several  types  of  data  can be used, including
1372       locally-assigned strings of bytes, IP addresses, MAC addresses, random
1373       strings  of  bytes, or E-164 phone numbers.  The endpoint discriminator
1374       sent to the peer by pppd can be set using the endpoint option.
1375
1376       In some circumstances the peer may send no endpoint discriminator or  a
1377       non-unique  value.   The  bundle  option  adds an extra string which is
1378       added to the peer's endpoint discriminator and  authenticated  identity
1379       when  matching  up links to be joined together in a bundle.  The bundle
1380       option can also be used to allow the establishment of multiple  bundles
1381       between  the  local  system  and the peer.  Pppd uses a TDB database in
1382       /var/run/pppd2.tdb to match up links.
1383
1384       Assuming that multilink is enabled and the peer is willing to negotiate
1385       multilink,  then when pppd is invoked to bring up the first link to the
1386       peer, it will detect that no other link is connected to  the  peer  and
1387       create a new bundle, that is, another ppp network interface unit.  When
1388       another pppd is invoked to bring up another link to the peer,  it  will
1389       detect the existing bundle and join its link to it.
1390
1391       If  the  first  link  terminates (for example, because of a hangup or a
1392       received LCP terminate-request) the  bundle  is  not  destroyed  unless
1393       there are no other links remaining in the bundle.  Rather than exiting,
1394       the first pppd keeps running after its link terminates, until  all  the
1395       links  in  the  bundle  have  terminated.  If the first pppd receives a
1396       SIGTERM or SIGINT signal, it will destroy the bundle and send a  SIGHUP
1397       to  the  pppd  processes  for  each of the links in the bundle.  If the
1398       first pppd receives a SIGHUP signal, it will terminate its link but not
1399       the bundle.
1400
1401       Note: demand mode is not currently supported with multilink.
1402

EXAMPLES

1404       The  following  examples assume that the /etc/ppp/options file contains
1405       the auth option (as in the default /etc/ppp/options  file  in  the  ppp
1406       distribution).
1407
1408       Probably  the  most  common use of pppd is to dial out to an ISP.  This
1409       can be done with a command such as
1410
1411              pppd call isp
1412
1413       where the /etc/ppp/peers/isp file is set up by the system administrator
1414       to contain something like this:
1415
1416              ttyS0 19200 crtscts
1417              connect '/usr/sbin/chat -v -f /etc/ppp/chat-isp'
1418              noauth
1419
1420       In  this  example,  we  are  using  chat to dial the ISP's modem and go
1421       through any logon sequence required.  The /etc/ppp/chat-isp  file  con‐
1422       tains  the  script used by chat; it could for example contain something
1423       like this:
1424
1425              ABORT "NO CARRIER"
1426              ABORT "NO DIALTONE"
1427              ABORT "ERROR"
1428              ABORT "NO ANSWER"
1429              ABORT "BUSY"
1430              ABORT "Username/Password Incorrect"
1431              "" "at"
1432              OK "at&d0&c1"
1433              OK "atdt2468135"
1434              "name:" "^Umyuserid"
1435              "word:" "\qmypassword"
1436              "ispts" "\q^Uppp"
1437              "~-^Uppp-~"
1438
1439       See the chat(8) man page for details of chat scripts.
1440
1441       Pppd can also be used to provide a dial-in ppp service for  users.   If
1442       the  users  already have login accounts, the simplest way to set up the
1443       ppp service is to let the users log in to their accounts and  run  pppd
1444       (installed setuid-root) with a command such as
1445
1446              pppd proxyarp
1447
1448       To  allow  a user to use the PPP facilities, you need to allocate an IP
1449       address  for   that   user's   machine   and   create   an   entry   in
1450       /etc/ppp/pap-secrets,  /etc/ppp/chap-secrets,  or  /etc/ppp/srp-secrets
1451       (depending on which authentication method the PPP implementation on the
1452       user's  machine  supports), so that the user's machine can authenticate
1453       itself.  For example, if Joe has a machine called "joespc" that  is  to
1454       be  allowed  to  dial  in to the machine called "server" and use the IP
1455       address  joespc.my.net,  you  would  add  an   entry   like   this   to
1456       /etc/ppp/pap-secrets or /etc/ppp/chap-secrets:
1457
1458              joespc    server    "joe's secret" joespc.my.net
1459
1460       (See  srp-entry(8)  for  a  means  to  generate the server's entry when
1461       SRP-SHA1 is in use.)  Alternatively, you can create a  username  called
1462       (for example) "ppp", whose login shell is pppd and whose home directory
1463       is /etc/ppp.  Options to be used when pppd is run this way can  be  put
1464       in /etc/ppp/.ppprc.
1465
1466       If your serial connection is any more complicated than a piece of wire,
1467       you may need to arrange for some control characters to be escaped.   In
1468       particular,  it is often useful to escape XON (^Q) and XOFF (^S), using
1469       asyncmap a0000.  If the path includes a  telnet,  you  probably  should
1470       escape ^] as well (asyncmap 200a0000).  If the path includes an rlogin,
1471       you will need to use the escape ff option on the end which  is  running
1472       the  rlogin client, since many rlogin implementations are not transpar‐
1473       ent; they will remove the sequence [0xff, 0xff, 0x73, 0x73, followed by
1474       any 8 bytes] from the stream.
1475

DIAGNOSTICS

1477       Messages  are  sent  to  the  syslog  daemon using facility LOG_DAEMON.
1478       (This can be overridden by recompiling  pppd  with  the  macro  LOG_PPP
1479       defined  as the desired facility.)  See the syslog(8) documentation for
1480       details of where the syslog daemon will write the  messages.   On  most
1481       systems,  the  syslog  daemon uses the /etc/syslog.conf file to specify
1482       the destination(s) for syslog messages.  You may need to edit that file
1483       to suit.
1484
1485       The  debug  option  causes  the contents of all control packets sent or
1486       received to be logged, that is, all LCP, PAP, CHAP, EAP, or IPCP  pack‐
1487       ets.   This can be useful if the PPP negotiation does not succeed or if
1488       authentication fails.  If debugging is enabled  at  compile  time,  the
1489       debug option also causes other debugging messages to be logged.
1490
1491       Debugging  can  also be enabled or disabled by sending a SIGUSR1 signal
1492       to the pppd process.  This signal acts as a toggle.
1493

EXIT STATUS

1495       The exit status of pppd is  set  to  indicate  whether  any  error  was
1496       detected, or the reason for the link being terminated.  The values used
1497       are:
1498
1499       0      Pppd has detached, or otherwise the connection was  successfully
1500              established and terminated at the peer's request.
1501
1502       1      An  immediately  fatal  error  of some kind occurred, such as an
1503              essential system call failing, or running out of virtual memory.
1504
1505       2      An error was detected in processing the options given,  such  as
1506              two mutually exclusive options being used.
1507
1508       3      Pppd is not setuid-root and the invoking user is not root.
1509
1510       4      The  kernel  does  not  support PPP, for example, the PPP kernel
1511              driver is not included or cannot be loaded.
1512
1513       5      Pppd terminated because it was sent a SIGINT, SIGTERM or  SIGHUP
1514              signal.
1515
1516       6      The serial port could not be locked.
1517
1518       7      The serial port could not be opened.
1519
1520       8      The connect script failed (returned a non-zero exit status).
1521
1522       9      The  command  specified  as the argument to the pty option could
1523              not be run.
1524
1525       10     The PPP negotiation failed, that is, it didn't reach  the  point
1526              where at least one network protocol (e.g. IP) was running.
1527
1528       11     The peer system failed (or refused) to authenticate itself.
1529
1530       12     The  link was established successfully and terminated because it
1531              was idle.
1532
1533       13     The link was established successfully and terminated because the
1534              connect time limit was reached.
1535
1536       14     Callback  was  negotiated  and  an  incoming  call should arrive
1537              shortly.
1538
1539       15     The link was terminated because the peer is  not  responding  to
1540              echo requests.
1541
1542       16     The link was terminated by the modem hanging up.
1543
1544       17     The PPP negotiation failed because serial loopback was detected.
1545
1546       18     The init script failed (returned a non-zero exit status).
1547
1548       19     We failed to authenticate ourselves to the peer.
1549

SCRIPTS

1551       Pppd  invokes  scripts at various stages in its processing which can be
1552       used to perform site-specific ancillary processing.  These scripts  are
1553       usually  shell  scripts,  but  could  be executable code files instead.
1554       Pppd does not wait for the scripts to finish (except for the  ip-pre-up
1555       script).  The scripts are executed as root (with the real and effective
1556       user-id set to 0), so that they can do things such  as  update  routing
1557       tables  or  run  privileged  daemons.   Be careful that the contents of
1558       these scripts do not compromise your system's security.  Pppd runs  the
1559       scripts  with standard input, output and error redirected to /dev/null,
1560       and with an environment that is empty except for some environment vari‐
1561       ables  that give information about the link.  The environment variables
1562       that pppd sets are:
1563
1564       DEVICE The name of the serial tty device being used.
1565
1566       IFNAME The name of the network interface being used.
1567
1568       IPLOCAL
1569              The IP address for the local end of the link.  This is only  set
1570              when IPCP has come up.
1571
1572       IPREMOTE
1573              The IP address for the remote end of the link.  This is only set
1574              when IPCP has come up.
1575
1576       PEERNAME
1577              The authenticated name of the peer.  This is  only  set  if  the
1578              peer authenticates itself.
1579
1580       SPEED  The baud rate of the tty device.
1581
1582       ORIG_UID
1583              The real user-id of the user who invoked pppd.
1584
1585       PPPLOGNAME
1586              The  username  of  the  real  user-id that invoked pppd. This is
1587              always set.
1588
1589       For the ip-down and auth-down scripts, pppd  also  sets  the  following
1590       variables giving statistics for the connection:
1591
1592       CONNECT_TIME
1593              The  number  of  seconds  from  when the PPP negotiation started
1594              until the connection was terminated.
1595
1596       BYTES_SENT
1597              The number of bytes sent (at the level of the serial port)  dur‐
1598              ing the connection.
1599
1600       BYTES_RCVD
1601              The  number  of bytes received (at the level of the serial port)
1602              during the connection.
1603
1604       LINKNAME
1605              The logical name of the link, set with the linkname option.
1606
1607       DNS1   If the peer supplies DNS server addresses, this variable is  set
1608              to  the  first  DNS  server address supplied (whether or not the
1609              usepeerdns option was given).
1610
1611       DNS2   If the peer supplies DNS server addresses, this variable is  set
1612              to  the  second  DNS server address supplied (whether or not the
1613              usepeerdns option was given).
1614
1615       Pppd invokes the following scripts, if they exist.  It is not an  error
1616       if they don't exist.
1617
1618       /etc/ppp/auth-up
1619              A  program  or  script which is executed after the remote system
1620              successfully authenticates itself.   It  is  executed  with  the
1621              parameters
1622
1623              interface-name peer-name user-name tty-device speed
1624
1625              Note  that  this  script  is  not  executed  if the peer doesn't
1626              authenticate itself, for example when the noauth option is used.
1627
1628       /etc/ppp/auth-down
1629              A program or script which is executed when the link  goes  down,
1630              if  /etc/ppp/auth-up was previously executed.  It is executed in
1631              the same manner with the same parameters as /etc/ppp/auth-up.
1632
1633       /etc/ppp/ip-pre-up
1634              A program or script which is executed just before the  ppp  net‐
1635              work  interface  is  brought  up.   It is executed with the same
1636              parameters as the ip-up  script  (below).   At  this  point  the
1637              interface  exists  and  has  IP  addresses assigned but is still
1638              down.  This can be used to add  firewall  rules  before  any  IP
1639              traffic can pass through the interface.  Pppd will wait for this
1640              script to finish before  bringing  the  interface  up,  so  this
1641              script should run quickly.
1642
1643       /etc/ppp/ip-up
1644              A program or script which is executed when the link is available
1645              for sending and receiving IP packets (that  is,  IPCP  has  come
1646              up).  It is executed with the parameters
1647
1648              interface-name       tty-device      speed      local-IP-address
1649              remote-IP-address ipparam
1650
1651       /etc/ppp/ip-down
1652              A program or script which is executed when the link is no longer
1653              available for sending and receiving IP packets.  This script can
1654              be used for  undoing  the  effects  of  the  /etc/ppp/ip-up  and
1655              /etc/ppp/ip-pre-up  scripts.   It  is invoked in the same manner
1656              and with the same parameters as the ip-up script.
1657
1658       /etc/ppp/ipv6-up
1659              Like /etc/ppp/ip-up, except that it is executed when the link is
1660              available for sending and receiving IPv6 packets. It is executed
1661              with the parameters
1662
1663              interface-name   tty-device    speed    local-link-local-address
1664              remote-link-local-address ipparam
1665
1666       /etc/ppp/ipv6-down
1667              Similar  to /etc/ppp/ip-down, but it is executed when IPv6 pack‐
1668              ets can no longer be transmitted on the  link.  It  is  executed
1669              with the same parameters as the ipv6-up script.
1670
1671       /etc/ppp/ipx-up
1672              A program or script which is executed when the link is available
1673              for sending and receiving IPX packets (that is, IPXCP  has  come
1674              up).  It is executed with the parameters
1675
1676              interface-name tty-device speed network-number
1677              local-IPX-node-address remote-IPX-node-address
1678              local-IPX-routing-protocol remote-IPX-routing-protocol
1679              local-IPX-router-name remote-IPX-router-name ipparam pppd-pid
1680
1681              The local-IPX-routing-protocol  and  remote-IPX-routing-protocol
1682              fields may be one of the following:
1683
1684              NONE      to indicate that there is no routing protocol
1685              RIP       to indicate that RIP/SAP should be used
1686              NLSP      to indicate that Novell NLSP should be used
1687              RIP NLSP  to indicate that both RIP/SAP and NLSP should be used
1688
1689       /etc/ppp/ipx-down
1690              A program or script which is executed when the link is no longer
1691              available for sending and receiving IPX  packets.   This  script
1692              can  be  used  for  undoing  the  effects of the /etc/ppp/ipx-up
1693              script.  It is invoked in the same  manner  and  with  the  same
1694              parameters as the ipx-up script.
1695

FILES

       /var/run/pppn.pid (BSD or Linux), /etc/ppp/pppn.pid (others)
              Process-ID for pppd process on ppp interface unit n.

       /var/run/ppp-name.pid (BSD or Linux), /etc/ppp/ppp-name.pid (others)
              Process-ID for pppd process for logical link name (see the
              linkname option).

       /var/run/pppd2.tdb
              Database containing information about pppd processes, interfaces
              and links, used for matching links to bundles in multilink
              operation.  May be examined by external programs to obtain
              information about running pppd instances, the interfaces and
              devices they are using, IP address assignments, etc.

       /etc/ppp/pap-secrets
              Usernames, passwords and IP addresses for PAP authentication.
              This file should be owned by root and not readable or writable
              by any other user.  Pppd will log a warning if this is not the
              case.

       /etc/ppp/chap-secrets
              Names, secrets and IP addresses for CHAP/MS-CHAP/MS-CHAPv2
              authentication.  As for /etc/ppp/pap-secrets, this file should
              be owned by root and not readable or writable by any other user.
              Pppd will log a warning if this is not the case.

       /etc/ppp/srp-secrets
              Names, secrets, and IP addresses for EAP authentication.  As for
              /etc/ppp/pap-secrets, this file should be owned by root and not
              readable or writable by any other user.  Pppd will log a warning
              if this is not the case.

       ~/.ppp_pseudonym
              Saved client-side SRP-SHA1 pseudonym.  See the srp-use-pseudonym
              option for details.

       /etc/ppp/options
              System default options for pppd, read before user default
              options or command-line options.

       ~/.ppprc
              User default options, read before /etc/ppp/options.ttyname.

       /etc/ppp/options.ttyname
              System default options for the serial port being used, read
              after ~/.ppprc.  In forming the ttyname part of this filename,
              an initial /dev/ is stripped from the port name (if present),
              and any slashes in the remaining part are converted to dots.

       /etc/ppp/peers
              A directory containing options files which may contain
              privileged options, even if pppd was invoked by a user other
              than root.  The system administrator can create options files in
              this directory to permit non-privileged users to dial out
              without requiring the peer to authenticate, but only to certain
              trusted peers.
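The ownership and mode requirement stated above for pap-secrets, chap-secrets and srp-secrets can be audited with a short script. This is an added example, not part of pppd or its manual; the function names check_secrets_file and audit_ppp_secrets are hypothetical, and the check rejects any group or other permission bit, which is slightly stricter than the read/write wording above.

```shell
#!/bin/sh
# Added example: audit the pppd secrets files for the ownership and mode the
# FILES section asks for (owned by root, no access for group or others).

# check_secrets_file FILE [UID]
# Prints one line per finding; returns 0 only if FILE passes every check.
# UID defaults to 0 (root); the override exists so the check can be tested.
check_secrets_file() {
    file=$1
    want_uid=${2:-0}
    bad=0
    if [ -L "$file" ]; then
        echo "FAIL $file: is a symbolic link"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL $file: missing or not a regular file"
        return 1
    fi
    # "ls -ldn" gives the mode string and the numeric owner id portably.
    read -r mode links uid rest <<EOF
$(ls -ldn -- "$file")
EOF
    [ "$uid" = "$want_uid" ] || { echo "FAIL $file: owner uid $uid, want $want_uid"; bad=1; }
    # Characters 5-10 of the mode string are the group and other bits.
    case ${mode#????} in
        ------*) ;;
        *) echo "FAIL $file: mode $mode grants group/other access"; bad=1 ;;
    esac
    # A trailing "+" means an ACL is present, which the mode bits do not show.
    case $mode in
        *+) echo "WARN $file: has an ACL, review it separately" ;;
    esac
    return "$bad"
}

# audit_ppp_secrets [DIR] [UID]
# Checks the three secrets files listed in FILES; files that do not exist are
# skipped.  Returns the number of files that failed.
audit_ppp_secrets() {
    dir=${1:-/etc/ppp}
    owner=${2:-0}
    failed=0
    for name in pap-secrets chap-secrets srp-secrets; do
        [ -e "$dir/$name" ] || [ -L "$dir/$name" ] || continue
        check_secrets_file "$dir/$name" "$owner" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Run audit_ppp_secrets with no arguments as root to check /etc/ppp; a non-zero exit status is the count of files to fix with chown root and chmod 600.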

SEE ALSO

       chat(8), pppstats(8)

       RFC1144
              Jacobson, V.  Compressing TCP/IP headers for low-speed serial
              links.  February 1990.

       RFC1321
              Rivest, R.  The MD5 Message-Digest Algorithm.  April 1992.

       RFC1332
              McGregor, G.  PPP Internet Protocol Control Protocol (IPCP).
              May 1992.

       RFC1334
              Lloyd, B.; Simpson, W.A.  PPP authentication protocols.  October
              1992.

       RFC1661
              Simpson, W.A.  The Point-to-Point Protocol (PPP).  July 1994.

       RFC1662
              Simpson, W.A.  PPP in HDLC-like Framing.  July 1994.

       RFC2284
              Blunk, L.; Vollbrecht, J.  PPP Extensible Authentication
              Protocol (EAP).  March 1998.

       RFC2472
              Haskin, D.  IP Version 6 over PPP.  December 1998.

       RFC2945
              Wu, T.  The SRP Authentication and Key Exchange System.
              September 2000.

       draft-ietf-pppext-eap-srp-03.txt
              Carlson, J.; et al.  EAP SRP-SHA1 Authentication Protocol.  July
              2001.

NOTES

       Some limited degree of control can be exercised over a running pppd
       process by sending it a signal from the list below.

       SIGINT, SIGTERM
              These signals cause pppd to terminate the link (by closing LCP),
              restore the serial device settings, and exit.  If a connector or
              disconnector process is currently running, pppd will send the
              same signal to its process group, so as to terminate the
              connector or disconnector process.

       SIGHUP This signal causes pppd to terminate the link, restore the
              serial device settings, and close the serial device.  If the
              persist or demand option has been specified, pppd will try to
              reopen the serial device and start another connection (after the
              holdoff period).  Otherwise pppd will exit.  If this signal is
              received during the holdoff period, it causes pppd to end the
              holdoff period immediately.  If a connector or disconnector
              process is running, pppd will send the same signal to its
              process group.

       SIGUSR1
              This signal toggles the state of the debug option.

       SIGUSR2
              This signal causes pppd to renegotiate compression.  This can be
              useful to re-enable compression after it has been disabled as a
              result of a fatal decompression error.  (Fatal decompression
              errors generally indicate a bug in one or other implementation.)

AUTHORS

       Paul Mackerras (paulus@samba.org), based on earlier work by Drew
       Perkins, Brad Clements, Karl Fox, Greg Christy, and Brad Parker.

COPYRIGHT

       Pppd is copyrighted and made available under conditions which provide
       that it may be copied and used in source or binary forms provided that
       the conditions listed below are met.  Portions of pppd are covered by
       the following copyright notices:

       Copyright (c) 1984-2000 Carnegie Mellon University.  All rights
       reserved.
       Copyright (c) 1993-2004 Paul Mackerras.  All rights reserved.
       Copyright (c) 1995 Pedro Roque Marques.  All rights reserved.
       Copyright (c) 1995 Eric Rosenquist.  All rights reserved.
       Copyright (c) 1999 Tommi Komulainen.  All rights reserved.
       Copyright (C) Andrew Tridgell 1999
       Copyright (c) 2000 by Sun Microsystems, Inc.  All rights reserved.
       Copyright (c) 2001 by Sun Microsystems, Inc.  All rights reserved.
       Copyright (c) 2002 Google, Inc.  All rights reserved.

       The copyright notices contain the following statements.

       Redistribution and use in source and binary forms, with or without
       modification, are permitted provided that the following conditions are
       met:

       1. Redistributions of source code must retain the above copyright
          notice, this list of conditions and the following disclaimer.

       2. Redistributions in binary form must reproduce the above copyright
          notice, this list of conditions and the following disclaimer in
          the documentation and/or other materials provided with the
          distribution.

       3. The name "Carnegie Mellon University" must not be used to
          endorse or promote products derived from this software without
          prior written permission. For permission or any legal
          details, please contact
            Office of Technology Transfer
            Carnegie Mellon University
            5000 Forbes Avenue
            Pittsburgh, PA  15213-3890
            (412) 268-4387, fax: (412) 268-7395
            tech-transfer@andrew.cmu.edu

       3b. The name(s) of the authors of this software must not be used to
          endorse or promote products derived from this software without
          prior written permission.

       4. Redistributions of any form whatsoever must retain the following
          acknowledgements:
          "This product includes software developed by Computing Services
           at Carnegie Mellon University (http://www.cmu.edu/computing/)."
          "This product includes software developed by Paul Mackerras
           <paulus@samba.org>".
          "This product includes software developed by Pedro Roque Marques
           <pedro_m@yahoo.com>".
          "This product includes software developed by Tommi Komulainen
           <Tommi.Komulainen@iki.fi>".

       CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
       SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
       FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY
       SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
       RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
       CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
       CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

       THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
       THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
       FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL,
       INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
       FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
       NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
       WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


                                                                       PPPD(8)