pppd(1M) System Administration Commands pppd(1M)

pppd - point to point protocol daemon

pppd [tty_name] [speed] [options]

The point-to-point protocol (PPP) provides a method for transmitting
datagrams over serial point-to-point links. PPP is composed of three
components: a facility for encapsulating datagrams over serial links,
an extensible link control protocol (LCP), and a family of network
control protocols (NCP) for establishing and configuring different
network-layer protocols.

The encapsulation scheme is provided by driver code in the kernel. pppd
provides the basic LCP authentication support and several NCPs for
establishing and configuring the Internet Protocol (referred to as the
IP Control Protocol or "IPCP") and IPv6 (IPV6CP).

The following sections discuss the pppd options:

Options Files
Options are taken from files and the command line. pppd reads options
from the files /etc/ppp/options, $HOME/.ppprc and /etc/ppp/options.ttyname
(in that order) before processing the options on the command line.
(Command-line options are scanned for the terminal name before the
options.ttyname file is read.) To form the name of the options.ttyname
file, the initial /dev/ is removed from the terminal name, and any
remaining forward slash characters (/) are replaced with dots. For
example, with serial device /dev/cua/a, option file
/etc/ppp/options.cua.a is read.

An options file is parsed into a series of words that are delimited by
whitespace. Whitespace can be included in a word by enclosing the word
in double-quotes ("). A backslash (\) quotes the succeeding character.
A hash (#) starts a comment, which continues until the end of the line.
There is no restriction on using the file or call options within an
options file.

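The word-splitting rules and the options.ttyname naming rule above, as an added example for reviewing which files feed options into pppd (this is not pppd source code). The function names, the sample text and the home directory are constructed; the call-name check follows the rule given in the call entry further down this page.

```python
# Added example, not pppd source code.
PEERS_DIR = "/etc/ppp/peers"


def ttyname_options_path(device):
    """Derive /etc/ppp/options.ttyname from a terminal name."""
    name = device[len("/dev/"):] if device.startswith("/dev/") else device
    return "/etc/ppp/options." + name.replace("/", ".")


def always_read(device, home):
    """Files read, in order, before the command-line options."""
    return ["/etc/ppp/options", home + "/.ppprc", ttyname_options_path(device)]


def split_words(text):
    """Split options-file text into words.

    Assumption of this example: '#' opens a comment only where a new word
    could start, and a quoted or backslash-quoted '#' is literal.
    """
    words, cur = [], []
    in_word = in_quote = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])      # backslash quotes the next character
            in_word = True
            i += 2
            continue
        if in_quote:
            if ch == '"':
                in_quote = False
            else:
                cur.append(ch)           # whitespace and '#' are literal here
        elif ch == '"':
            in_quote = in_word = True
        elif ch == "#" and not in_word:
            while i < len(text) and text[i] != "\n":
                i += 1                   # skip the comment up to end of line
            continue
        elif ch.isspace():
            if in_word:
                words.append("".join(cur))
                cur, in_word = [], False
        else:
            cur.append(ch)
            in_word = True
        i += 1
    if in_word:
        words.append("".join(cur))
    return words


def call_target(name):
    """Path read for 'call name', or None if the name breaks the call rule."""
    if name.startswith("/") or ".." in name.split("/"):
        return None
    return PEERS_DIR + "/" + name


def referenced_files(words):
    """List (option, argument, path) for every file/call word pair.

    Simplification: a word equal to 'file' or 'call' is taken to be the
    option itself, so an argument that spells one of them would be misread.
    """
    refs = []
    for opt, arg in zip(words, words[1:]):
        if opt == "file":
            refs.append((opt, arg, arg))
        elif opt == "call":
            refs.append((opt, arg, call_target(arg)))
    return refs


# Constructed sample text, not taken from a real system.
SAMPLE = r'''# constructed sample
/dev/cua/a 38400        # device and speed
connect "chat -f /etc/ppp/chat-isp"   # quoted word keeps its spaces
name my\ host
call isp
call ../../tmp/x
file /etc/ppp/extra
'''

if __name__ == "__main__":
    words = split_words(SAMPLE)
    print(words)
    print(always_read(words[0], "/home/alice"))
    for ref in referenced_files(words):
        print(ref)
```

A path of None in the output marks a call name that pppd's stated rule does not allow.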

Frequently Used Options

<tty_name>

Communicate over the named device. The string /dev/ is prepended if
necessary. If no device name is given, or if the name of the terminal
connected to the standard input is given, pppd uses that terminal and
does not fork to put itself in the background. A value for this option
from a privileged source cannot be overridden by a non-privileged user.


<speed>

Set the baud rate to <speed> (a decimal number). The default is to
leave the baud rate unchanged. This option is normally needed for
dial-out only.


asyncmap <map>

Set the async character map to <map>. The map describes which control
characters cannot be successfully received over the serial line. pppd
asks the peer to send these characters as a 2-byte escape sequence. The
argument is a 32 bit hex number, with each bit representing a character
to escape. Bit 0 (00000001) represents the character 0x00; bit 31
(80000000) represents the character 0x1f or ^_. If multiple asyncmap
options are given, the values are ORed together. If no asyncmap option
is given, pppd attempts to negotiate a value of 0. If the peer agrees,
this disables escaping of the standard control characters. Use the
default-asyncmap option to disable negotiation and escape all control
characters.


auth

Require the peer to authenticate itself before allowing network packets
to be sent or received. This option is the default if the system has a
default route. If the auth or the noauth option is not specified, pppd
allows the peer to use only those IP addresses to which the system does
not already have a route.


call name

Read options from the file /etc/ppp/peers/name. This file may contain
privileged options, including noauth, even if pppd is not being run by
root. The name string may not begin with a slash ("/") or include
consecutive periods ("..") as a pathname component.


callback number

Request a callback to the given telephone number using Microsoft CBCP.


connect script

Use the executable or shell command specified by script to set up the
serial line. This script would typically use the chat(1M) program to
dial the modem and start the remote PPP session. A value for this
option originating from a privileged source cannot be overridden by a
non-privileged user.


crtscts

Use hardware flow control, that is, RTS/CTS, to control the flow of
data on the serial port. If the crtscts, nocrtscts, cdtrcts or
nocdtrcts option is not provided, the hardware flow control setting for
the serial port is left unchanged. Some serial ports lack a true RTS
output and use this mode to implement unidirectional flow control. The
serial port suspends transmission when requested by the modem by means
of CTS but cannot request the modem to stop sending to the computer.
This mode allows the use of DTR as a modem control line.


defaultroute

Add a default route to the system routing tables when IPCP negotiation
successfully completes, using the peer as the gateway. This entry is
removed when the PPP connection is broken. This option is privileged if
the nodefaultroute option is specified.


disconnect script

Run the executable or shell command specified by script after pppd
terminates the link. Typically, this script is used to command the
modem to hang up if hardware modem control signals are not available.
disconnect is not run if the modem has already hung up. A value for
this option originating from a privileged source cannot be overridden
by a non-privileged user.


escape xx,yy,...

Specifies that certain characters be escaped on transmission regardless
of whether the peer requests them to be escaped with its async control
character map. The characters to be escaped are specified as a list of
hex numbers separated by commas. Note that almost any character can be
specified for the escape option, unlike the asyncmap option which
allows only control characters to be specified. Characters that cannot
be escaped are those containing hex values 0x20 through 0x3f and 0x5e.


file name

Read options from file name. If this option is used on the command line
or in $HOME/.ppprc, the file must be readable by the user invoking
pppd. See Options Files for a list of files that pppd always reads,
regardless of the use of this option.


init script

Run the executable or shell command specified by script to initialize
the serial line. This script would typically use the chat(1M) program
to configure the modem to enable auto-answer. A value for this option
from a privileged source cannot be overridden by a non-privileged user.


lock

Directs pppd to create a UUCP-style lock file for the serial device to
ensure exclusive access to the device.


mru n

Set the Maximum Receive Unit (MRU) value to n. pppd asks the peer to
send packets of no more than n bytes. Minimum MRU value is 128. Default
MRU value is 1500. A value of 296 is recommended for slow links (40
bytes for TCP/IP header + 256 bytes of data). For IPv6, MRU must be at
least 1280.


mtu n

Set the Maximum Transmit Unit (MTU) value to n. Unless the peer
requests a smaller value via MRU negotiation, pppd requests the kernel
networking code to send data packets of no more than n bytes through
the PPP network interface. For IPv6, MTU must be at least 1280.


passive

Enables the "passive" option in the LCP. With this option, pppd
attempts to initiate a connection; if no reply is received from the
peer, pppd waits passively for a valid LCP packet instead of exiting,
as it would without this option.

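The bit layout of the asyncmap argument and the limits on the escape list, worked through as an added example (not code from pppd). The function names are constructed, and the characters 0x11 and 0x13 are sample values chosen for illustration.

```python
# Added example, not pppd source code.

def combine_asyncmaps(*hex_maps):
    """OR together the <map> arguments of several asyncmap options."""
    combined = 0
    for text in hex_maps:
        value = int(text, 16)
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("asyncmap must fit in 32 bits: " + text)
        combined |= value
    return combined


def escaped_controls(asyncmap):
    """Control characters (0x00-0x1f) whose bit is set in the map."""
    return [c for c in range(32) if (asyncmap >> c) & 1]


def asyncmap_for(chars):
    """Build the map that asks the peer to escape the given control characters."""
    amap = 0
    for c in chars:
        if not 0 <= c <= 0x1F:
            raise ValueError("asyncmap covers only 0x00-0x1f: %#x" % c)
        amap |= 1 << c               # bit n stands for character n
    return amap


def check_escape_list(arg):
    """Split an 'escape xx,yy,...' argument into usable and refused values.

    Refused: 0x20-0x3f and 0x5e, which the escape entry says cannot be
    escaped. Refusing values above 0xff is this example's assumption
    (one character = one byte).
    """
    usable, refused = [], []
    for item in arg.split(","):
        value = int(item, 16)
        if 0x20 <= value <= 0x3F or value == 0x5E or not 0 <= value <= 0xFF:
            refused.append(value)
        else:
            usable.append(value)
    return usable, refused


if __name__ == "__main__":
    # Map for the two sample control characters 0x11 and 0x13.
    print("asyncmap %08x" % asyncmap_for([0x11, 0x13]))
    # Two asyncmap options on one command line are ORed together.
    both = combine_asyncmaps("00000001", "80000000")
    print("combined %08x escapes %s" % (both, escaped_controls(both)))
    # An escape list mixing allowed and disallowed values.
    print(check_escape_list("11,13,ff,20,3f,5e"))
```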

Options

<local_IP_address>:<remote_IP_address>

Set the local and/or remote interface IP addresses. Either one may
be omitted, but the colon is required. The IP addresses are specified
with a host name or in decimal dot notation, for example:
:10.1.2.3. The default local address is the first IP address of the
system unless the noipdefault option is provided. The remote
address is obtained from the peer if not specified in any option.
Thus, in simple cases, this option is not required. If a local
and/or remote IP address is specified with this option, pppd will
not accept a different value from the peer in the IPCP negotiation
unless the ipcp-accept-local and/or ipcp-accept-remote options are
given, respectively.


allow-fcs fcs-type

Set allowable FCS type(s) for data sent to the peer. The fcs-type
is a comma-separated list of "crc16", "crc32", "null", or integers.
By default, all known types are allowed. If this option is specified
and the peer requests a type not listed, an LCP Configure-Nak
is sent to request only the listed types.


allow-ip address(es)

Allow peers to use the given IP address or subnet without
authenticating themselves. The parameter is parsed in the same manner as
each element of the list of allowed IP addresses is parsed in the
secrets files. See the section for more details.


bsdcomp nr,nt

Request that the peer compress packets that it sends using the
BSD-Compress scheme, with a maximum code size of nr bits, and agree to
compress packets sent to the peer with a maximum code size of nt
bits. If nt is not specified, it defaults to the value given for
nr. Values in the range 9 to 15 may be used for nr and nt; larger
values provide better compression but consume more kernel memory
for compression dictionaries. Alternatively, a value of 0 for nr or
nt disables compression in the corresponding direction. Use nobsdcomp
or bsdcomp 0 to disable BSD-Compress compression entirely. If
this option is read from a privileged source, a nonprivileged user
may not specify a code size larger than the value from the
privileged source.


cdtrcts

Use a non-standard hardware flow control such as DTR/CTS to control
the flow of data on the serial port. If the crtscts, nocrtscts,
cdtrcts or nocdtrcts option is not specified, the hardware flow
control setting for the serial port is left unchanged. Some serial
ports lack a true RTS output. Such serial ports use this mode to
implement true bi-directional flow control. Note that this flow
control mode does not permit using DTR as a modem control line.


chap-interval n

If this option is given, pppd will rechallenge the peer every n
seconds.


chap-max-challenge n

Set the maximum number of CHAP challenge transmissions to n
(default 10).


chap-restart n

Set the CHAP restart interval (retransmission timeout for
challenges) to n seconds. The default is 3.


connect-delay n

Wait for up to n milliseconds after the connect script finishes for
a valid PPP packet from the peer. When the wait period elapses or
when a valid PPP packet is received from the peer, pppd begins
negotiation by sending its first LCP packet. The default value is
1000 (1 second). A wait period applies only if the connect or pty
option is used.


datarate n

Set maximum data rate to n (in bytes per second) when using the
pty, notty, record, or socket options.


debug

Enables connection debugging facilities. If this option is given,
pppd logs the contents of all control packets sent or received in a
readable form. The packets are logged through syslog with facility
daemon and level debug. This information can be directed to a file
by configuring /etc/syslog.conf appropriately.


default-asyncmap

Disable asyncmap negotiation, forcing all control characters to be
escaped for both the transmit and the receive direction.


default-fcs

Disable FCS Alternatives negotiation entirely. By default, no FCS
Alternatives option is sent to the peer, but the option is
accepted. If this option is specified by the peer, then LCP
Configure-Reject is sent.


default-mru

Disable MRU [Maximum Receive Unit] negotiation. With this option,
pppd uses the default MRU value of 1500 bytes for the transmit and
receive directions.


deflate nr,nt,e

Request that the peer compress packets that it sends, using the
deflate scheme, with a maximum window size of 2**nr bytes, and
agree to compress packets sent to the peer with a maximum window
size of 2**nt bytes and effort level of e (1 to 9). If nt is not
specified, it defaults to the value given for nr. If e is not
specified, it defaults to 6. Values in the range 9 to 15 may be used
for nr and nt; larger values provide better compression but consume
more kernel memory for compression dictionaries. (Value 8 is not
permitted due to a zlib bug.) Alternatively, a value of 0 for nr or
nt disables compression in the corresponding direction. Use nodeflate
or deflate 0 to disable deflate compression entirely. (Note:
pppd requests deflate compression in preference to BSD-Compress if
the peer can do either.) If this option is read from a privileged
source, a nonprivileged user may not specify a code size larger
than the value from the privileged source.


demand

Initiate the link only on demand, that is, when data traffic is
present. With this option, the remote IP address must be specified
by the user on the command line or in an options file. pppd initially
configures and enables the interface for IP traffic without
connecting to the peer. When traffic is available, pppd connects to
the peer and performs negotiation, authentication and other
actions. When completed, pppd passes data packets across the link.
The demand option implies the persist option. If this behavior is
not desired, use the nopersist option after the demand option. The
idle and holdoff options can be used in conjunction with the demand
option.


domain d

Append the domain name d to the local host name for authentication
purposes. For example, if gethostname() returns the name porsche,
but the fully qualified domain name is porsche.Quotron.COM, you
could specify domain Quotron.COM. With this configuration, pppd
uses the name porsche.Quotron.COM for accessing secrets in the
secrets file and as the default name when authenticating to the
peer. This option is privileged.


endpoint endpoint-value

Set the endpoint discriminator (normally used for RFC 1990 Multilink
PPP operation). The endpoint-value consists of a class identifier
and a class-dependent value. The class identifier is one of
"null," "local," "IP," "MAC," "magic," "phone," or a decimal integer.
If present, the class-dependent value is separated from the
identifier by a colon (":") or period ("."). This value may be a
standard dotted-decimal IP address for class "IP," an optionally
colon-or-dot separated hex Ethernet address for class "MAC" (must
have 6 numbers), or an arbitrary string of bytes specified in hex
with optional colon or dot separators between bytes. Although this
option is available, this implementation does not support multilink.


fcs fcs-type

Set FCS type(s) desired for data sent by the peer. The fcs-type is
a comma-separated list of crc16, crc32, null, or integers. By
default, an FCS Alternatives option is not specified, and the
medium-dependent FCS type is used. If this option is specified and
the peer sends an LCP Configure-Nak, only the listed types are
used. If none are in common, the FCS Alternatives option is omitted
from the next LCP Configure-Request to drop back to the default.


hide-password

When logging the contents of PAP packets, this option causes pppd
to exclude the password string from the log. This is the default.


holdoff n

Specifies how many seconds to wait before re-initiating the link
after it terminates. This option is effective only if the persist
or demand option is used. The holdoff period is not applied if the
link is terminated because it was idle.


ident string

Set the LCP Identification string. The default value is a version
string similar to that displayed by the --version option.


idle n

Specifies that pppd must disconnect if the link is idle for n seconds.
The link is idle when no data packets (i.e. IP packets) are
being sent or received. Do not use this option with the persist
option but without the demand option.


ipcp-accept-local

With this option, pppd accepts the peer's idea of the local IP
address, even if the local IP address is specified in an option.


ipcp-accept-remote

With this option, pppd accepts the peer's idea of its remote IP
address, even if the remote IP address is specified in an option.


ipcp-max-configure n

Set the maximum number of IPCP Configure-Request transmissions to n
(default 10).


ipcp-max-failure n

Set the maximum number of IPCP Configure-NAKs sent before sending
Configure-Rejects instead to n (default 10).


ipcp-max-terminate n

Set the maximum number of IPCP terminate-request transmissions to n
(default 3).


ipcp-restart n

Set the IPCP restart interval (retransmission timeout) to n seconds
(default 3).


ipparam string

Provides an extra parameter to the ip-up and ip-down scripts. When
this option is given, the string supplied is given as the sixth
parameter to those scripts. See the section.


ipv6 <local_interface_identifier>,<remote_interface_identifier>

Set the local and/or remote 64-bit interface identifier. Either one
may be omitted. The identifier must be specified in standard ASCII
notation of IPv6 addresses (for example: ::dead:beef). If the
ipv6cp-use-ipaddr option is given, the local and remote identifiers
are derived from the respective IPv4 addresses (see above). The
ipv6cp-use-persistent option can be used instead of the ipv6
<local>,<remote> option.


ipv6cp-accept-local

Accept peer's interface identifier for the local link identifier.


ipv6cp-max-configure n

Set the maximum number of IPv6CP Configure-Request transmissions to
n (default 10).


ipv6cp-max-failure n

Set the maximum number of IPv6CP Configure-NAKs sent before sending
Configure-Rejects instead to n (default 10).


ipv6cp-max-terminate n

Set the maximum number of IPv6CP terminate-request transmissions to
n (default 3).


ipv6cp-restart n

Set the IPv6CP restart interval (retransmission timeout) to n seconds
(default 3).


ipv6cp-use-ipaddr

If either the local or remote IPv6 address is unspecified, use the
corresponding configured IPv4 address as a default interface identifier.
(This option uses the configured addresses, not the negotiated
addresses. Do not use it with ipcp-accept-local if the local
IPv6 identifier is unspecified or with ipcp-accept-remote if the
remote IPv6 identifier is unspecified.)


ipv6cp-use-persistent

Use uniquely-available persistent value for link local address.


kdebug n

Enable debugging code in the kernel-level PPP driver. Argument n is
the sum of the following values: 1 to enable general debug messages,
2 to request that contents of received packets be printed,
and 4 to request contents of transmitted packets be printed. Messages
printed by the kernel are logged by syslogd(1M) to a file
directed in the /etc/syslog.conf configuration file. Do not use the
kdebug option to debug failed links. Use the debug option instead.


lcp-echo-failure n

If this option is given, pppd presumes the peer to be dead if n LCP
Echo-Requests are sent without receiving a valid LCP Echo-Reply. If
this happens, pppd terminates the connection. This option requires
a non-zero value for the lcp-echo-interval parameter. This option
enables pppd to terminate after the physical connection is broken
(for example, if the modem has hung up) in situations where no
hardware modem control lines are available.


lcp-echo-interval n

If this option is given, pppd sends an LCP Echo-Request frame to
the peer every n seconds. Normally the peer responds to the
Echo-Request by sending an Echo-Reply. This option can be used with the
lcp-echo-failure option to detect that the peer is no longer connected.


lcp-max-configure n

Set the maximum number of LCP Configure-Request transmissions to n
(default 10).


lcp-max-failure n

Set the maximum number of LCP Configure-NAKs sent before starting
to send Configure-Rejects instead to n (default 10).


lcp-max-terminate n

Set the maximum number of LCP Terminate-Request transmissions to n
(default 3).


lcp-restart n

Set the LCP restart interval (retransmission timeout) to n seconds
(default 3).


linkname name

Sets the logical name of the link to name. pppd creates a file
named ppp-name.pid in /var/run containing its process ID. This is
useful in determining which instance of pppd is responsible for the
link to a given peer system. This is a privileged option.


local

Do not use modem control lines. With this option, pppd ignores the
state of the CD (Carrier Detect) signal from the modem and does not
change the state of the DTR (Data Terminal Ready) signal.


logfd n

Send log messages to file descriptor n. pppd sends log messages to
(at most) one file or file descriptor (as well as sending the log
messages to syslog), so this option and the logfile option are
mutually exclusive. By default pppd sends log messages to stdout
(file descriptor 1) unless the serial port is open on stdout.


logfile filename

Append log messages to the file filename (and send the log messages
to syslog). The file is opened in append mode with the privileges
of the user who invoked pppd.


login

Use the system password database for authenticating the peer using
PAP, and record the user in the system wtmp file. Note that the
peer must have an entry in the /etc/ppp/pap-secrets file and the
system password database to be allowed access.


maxconnect n

Terminate the connection after it has been available for network
traffic for n seconds (that is, n seconds after the first network
control protocol starts). An LCP Time-Remaining message is sent
when the first NCP starts, and again when 5, 2, and 0.5 minutes are
remaining.


maxfail n

Terminate after n consecutive failed connection attempts. A value
of 0 means no limit. The default value is 10.


modem

Use the modem control lines. This option is the default. With this
option, pppd waits for the CD (Carrier Detect) signal from the
modem to be asserted when opening the serial device (unless a connect
script is specified), and drops the DTR (Data Terminal Ready)
signal briefly when the connection is terminated and before executing
the connect script.


ms-dns <addr>

If pppd is acting as a server for Microsoft Windows clients, this
option allows pppd to supply one or two DNS (Domain Name Server)
addresses to the clients. The first instance of this option specifies
the primary DNS address; the second instance (if given) specifies
the secondary DNS address. If the first instance specifies a
name that resolves to multiple IP addresses, then the first two
addresses are used. (This option is present in some older versions
of pppd under the name dns-addr.)


ms-lanman

If pppd connects as a client to a Microsoft server and uses
MS-CHAPv1 for authentication, this option selects the LAN Manager
password style instead of Microsoft NT.


ms-wins <addr>

If pppd acts as a server for Microsoft Windows or Samba clients,
this option allows pppd to supply one or two WINS (Windows Internet
Name Services) server addresses to the clients. The first instance
of this option specifies the primary WINS address; the second
instance (if given) specifies the secondary WINS address. As with
ms-dns, if the name specified resolves to multiple IP addresses,
then the first two will be taken as primary and secondary.


name name

Set the name of the local system for authentication purposes to
name. This is a privileged option. With this option, pppd uses
lines in the secrets files that have name as the second field to
look for a secret to use in authenticating the peer. In addition,
unless overridden with the user option, name is used as the name to
send to the peer when authenticating the local system. (Note that
pppd does not append the domain name to name.)


no-accm-test

Disable use of asyncmap (ACCM) checking using LCP Echo-Request messages.
If the lcp-echo-failure is used on an asynchronous line,
pppd includes all control characters in the first n LCP
Echo-Request messages. If the asyncmap is set incorrectly, the link
drops rather than continue operation with random failures. This
option disables that feature.


noaccomp

Disable HDLC Address/Control compression in both directions (send
and receive).


noauth

Do not require the peer to authenticate itself. This option is
privileged.


nobsdcomp

Disables BSD-Compress compression; pppd will not request or agree
to compress packets using the BSD-Compress scheme. This option is
not necessary if noccp is specified.


noccp

Disable CCP (Compression Control Protocol) negotiation. This option
should only be required if the peer has bugs or becomes confused by
requests from pppd for CCP negotiation. If CCP is disabled, then
BSD and deflate compression do not need to be separately disabled.


nocrtscts

Disable hardware flow control (i.e. RTS/CTS) on the serial port. If
the crtscts, nocrtscts, cdtrcts or nocdtrcts options are not given,
the hardware flow control setting for the serial port is left
unchanged.


nocdtrcts

This option is a synonym for nocrtscts. Either option will disable
both forms of hardware flow control.


nodefaultroute

Disable the defaultroute option. You can prevent non-root users
from creating default routes with pppd by placing this option in
the /etc/ppp/options file.


nodeflate

Disables deflate compression; pppd will not request or agree to
compress packets using the deflate scheme. This option is not
necessary if noccp is specified.


nodeflatedraft

Do not use Internet Draft (incorrectly assigned) algorithm number
for deflate compression. This option is not necessary if noccp is
specified.


nodetach

Do not detach from the controlling terminal. Without this option,
pppd forks to become a background process if a serial device other
than the terminal on the standard input is specified.


noendpoint

Do not send or accept the Multilink Endpoint Discriminator option.


noident

Disable use of LCP Identification. LCP Identification messages will
not be sent to the peer, but received messages will be logged.
(Specify this option twice to completely disable LCP Identification.
In this case, pppd sends LCP Code-Reject in response to
received LCP Identification messages.)


noip

Disable IPCP negotiation and IP communication. Use this option only
if the peer has bugs or becomes confused by requests from pppd for
IPCP negotiation.


noipv6

Disable IPv6CP negotiation and IPv6 communication. IPv6 is not
enabled by default.


noipdefault

Disables the default behavior when no local IP address is specified,
which is to determine (if possible) the local IP address from
the hostname. With this option, the peer must supply the local IP
address during IPCP negotiation (unless it is specified explicitly on
the command line or in an options file).


nolog

Do not send log messages to a file or file descriptor. This option
cancels the logfd and logfile options. nologfd acts as an alias for
this option.


nomagic

Disable magic number negotiation. With this option, pppd cannot
detect a looped-back line. Use this option only if the peer has
bugs. Do not use this option to work around the "Serial line is
looped back" error message.


nopam

This privileged option disables use of pluggable authentication
modules. If this option is specified, pppd reverts to standard
authentication mechanisms. The default is not to use PAM.


nopcomp

Disable protocol field compression negotiation in the receive and
the transmit direction.


nopersist

Exit once a connection has been made and terminated. This is the
default unless the persist or demand option is specified.


noplink

Cause pppd to use I_LINK instead of I_PLINK. This is the default.
When I_LINK is used, the system cleans up terminated interfaces
(even when SIGKILL is used) but does not allow ifconfig(1M) to
unplumb PPP streams or insert or remove modules dynamically. Use
the plink option if ifconfig(1M) modinsert, modremove or unplumb
support is needed.


nopredictor1

Do not accept or agree to Predictor-1 compression. (This option is
accepted for compatibility. The implementation does not support
Predictor-1 compression.)


noproxyarp

Disable the proxyarp option. If you want to prevent users from creating
proxy ARP entries with pppd, place this option in the
/etc/ppp/options file.


notty

Normally, pppd requires a terminal device. With this option, pppd
allocates itself a pseudo-tty master/slave pair and uses the slave
as its terminal device. pppd creates a child process to act as a
character shunt to transfer characters between the pseudo-tty master
and its standard input and output. Thus, pppd transmits characters
on its standard output and receives characters on its standard
input even if they are not terminal devices. This option increases
the latency and CPU overhead of transferring data over the ppp
interface as all of the characters sent and received must flow
through the character shunt process. An explicit device name may
not be given if this option is used.

872
873 novj
874
875 Disable Van Jacobson style TCP/IP header compression in both the
876 transmit and the receive direction.
877
878
879 novjccomp
880
881 Disable the connection-ID compression option in Van Jacobson style
882 TCP/IP header compression. With this option, pppd does not omit the
883 connection-ID byte from Van Jacobson compressed TCP/IP headers, nor
884 does it ask the peer to do so. This option is unnecessary if novj
885 is specified.
886
887
888 pam
889
890 This privileged option enables use of PAM. If this is specified,
891 pppd uses the pam(3PAM) framework for user authentication with a
892 service name of "ppp" if the login option and PAP authentication
893 are used. The default is not to use PAM.
894
895
896 papcrypt
897
898 Indicates that pppd should not accept a password which, before
899 encryption, is identical to the secret from the /etc/ppp/pap-
900 secrets file. Use this option if the secrets in the pap-secrets
901 file are in crypt(3C) format.
902
903
904 pap-max-authreq n
905
906 Set the maximum number of PAP authenticate-request transmissions to
907 n (default 10).
908
909
910 pap-restart n
911
912 Set the PAP restart interval (retransmission timeout) to n seconds
913 (default 3).
914
915
916 pap-timeout n
917
Set the maximum time that pppd waits for the peer to authenticate
itself with PAP to n seconds (0 = no limit). The default is 30
seconds.
921
922
923 password string
924
925 Password string for authentication to the peer.
926
927
928 persist
929
930 Do not exit after a connection is terminated; instead try to reopen
931 the connection.
932
933
934 plink
935
Cause pppd to use I_PLINK instead of I_LINK. The default is to use
I_LINK, which cleans up terminated interfaces (even if SIGKILL is
used), but does not allow ifconfig(1M) to unplumb PPP streams or
insert or remove modules dynamically. Use this option if
ifconfig(1M) modinsert/modremove/unplumb support is needed. See also
the plumbed option.
942
943
944 plugin filename
945
946 Load the shared library object file filename as a plugin. This is a
947 privileged option. Unless the filename specifies an explicit path,
948 /etc/ppp/plugins and /usr/lib/inet/ppp will be searched for the
949 object to load in that order.
950
951
952 plumbed
953
954 This option indicates that pppd should find a plumbed interface and
955 use that for the session. If IPv4 addresses or IPv6 interface IDs
956 or link MTU are otherwise unspecified, they are copied from the
957 interface selected. This mode mimics some of the functionality of
958 the older aspppd implementation and may be helpful when pppd is
959 used with external applications that use ifconfig(1M).
960
961
962 pppmux timer
963
964 Enable PPP Multiplexing option negotiation and set transmit multi‐
965 plexing timeout to timer microseconds.
966
967
968 privgroup group-name
969
970 Allows members of group group-name to use privileged options. This
971 is a privileged option. Because there is no guarantee that members
972 of group-name cannot use pppd to become root themselves, you should
973 be careful using this option. Consider it equivalent to putting the
974 members of group-name in the root or sys group.
975
976
977 proxyarp
978
979 Add an entry to the system's Address Resolution Protocol (ARP) ta‐
980 ble with the IP address of the peer and the Ethernet address of
981 this system. When you use this option, the peer appears to other
982 systems to be on the local Ethernet. The remote address on the PPP
983 link must be in the same subnet as assigned to an Ethernet inter‐
984 face.
985
986
987 pty script
988
989 Specifies that the command script, and not a specific terminal
990 device is used for serial communication. pppd allocates itself a
991 pseudo-tty master/slave pair and uses the slave as its terminal
992 device. script runs in a child process with the pseudo-tty master
993 as its standard input and output. An explicit device name may not
994 be given if this option is used. (Note: if the record option is
995 used in conjunction with the pty option, the child process will
996 have pipes on its standard input and output.)
997
998
999 receive-all
1000
1001 With this option, pppd accepts all control characters from the
1002 peer, including those marked in the receive asyncmap. Without this
1003 option, pppd discards those characters as specified in RFC 1662.
1004 This option should be used only if the peer has bugs, as is often
1005 found with dial-back implementations.
1006
1007
1008 record filename
1009
1010 Directs pppd to record all characters sent and received to a file
1011 named filename. filename is opened in append mode, using the user's
1012 user-ID and permissions. Because this option uses a pseudo-tty and
1013 a process to transfer characters between the pseudo-tty and the
1014 real serial device, it increases the latency and CPU overhead of
1015 transferring data over the PPP interface. Characters are stored in
1016 a tagged format with timestamps that can be displayed in readable
1017 form using the pppdump(1M) program. This option is generally used
1018 when debugging the kernel portion of pppd (especially CCP compres‐
1019 sion algorithms) and not for debugging link configuration problems.
1020 See the debug option.
1021
1022
1023 remotename name
1024
Set the assumed name of the remote system for authentication
purposes to name. Microsoft Windows NT does not provide a system name
in its CHAP Challenge messages, and this option is often used to
work around this problem.
1029
1030
1031 refuse-chap
1032
1033 With this option, pppd will not agree to authenticate itself to the
1034 peer using standard Challenge Handshake Authentication Protocol
1035 (CHAP). (MS-CHAP is not affected.)
1036
1037
1038 refuse-mschap
1039
Do not agree to authenticate to peer with MS-CHAPv1. If this option
is specified, requests for MS-CHAPv1 authentication from the peer
are declined with LCP Configure-Nak. This option does not disable
any other form of CHAP.
1044
1045
1046 refuse-mschapv2
1047
Do not agree to authenticate to peer with MS-CHAPv2. If this option
is specified, requests for MS-CHAPv2 authentication from the peer
are declined with LCP Configure-Nak. This option does not disable
any other form of CHAP.
1052
1053
1054 refuse-pap
1055
1056 With this option, pppd will not agree to authenticate itself to the
1057 peer using Password Authentication Protocol (PAP).
1058
1059
1060 require-chap
1061
1062 Require the peer to authenticate itself using standard CHAP authen‐
1063 tication. MS-CHAP is not affected.
1064
1065
1066 require-mschap
1067
1068 Require the peer to authenticate itself using MS-CHAPv1 authentica‐
1069 tion.
1070
1071
1072 require-mschapv2
1073
1074 Require the peer to authenticate itself using MS-CHAPv2 authentica‐
1075 tion.
1076
1077
1078 require-pap
1079
1080 Require the peer to authenticate itself using PAP authentication.
1081
1082
1083 show-password
1084
1085 When logging contents of PAP packets, this option causes pppd to
1086 show the password string in the log message.
1087
1088
1089 silent
1090
1091 With this option, pppd will not transmit LCP packets to initiate a
1092 connection until a valid LCP packet is received from the peer. This
1093 is like the "passive" option with older versions of pppd and is
1094 retained for compatibility, but the current passive option is pre‐
1095 ferred.
1096
1097
1098 small-accm-test
1099
1100 When checking the asyncmap (ACCM) setting, pppd uses all 256 possi‐
1101 ble values by default. See no-accm-test. This option restricts the
1102 test so that only the 32 values affected by standard ACCM negotia‐
1103 tion are tested. This option is useful on very slow links.
1104
1105
1106 socket host:port
1107
1108 Connect to given host and port using TCP and run PPP over this con‐
1109 nection.
1110
1111
1112 sync
1113
Use synchronous HDLC serial encoding instead of asynchronous. The
device used by pppd with this option must have sync support.
Currently, the zs, se, and hsi drivers are supported.
1117
1118
1119 unit n
1120
1121 Set PPP interface unit number to n, if possible.
1122
1123
1124 updetach
1125
1126 With this option, pppd detaches from its controlling terminal after
1127 establishing the PPP connection. When this is specified, messages
1128 sent to stderr by the connect script, usually chat(1M), and debug‐
1129 ging messages from the debug option are directed to pppd's standard
1130 output.
1131
1132
1133 usehostname
1134
1135 Enforce the use of the hostname with domain name appended, if
1136 given, as the name of the local system for authentication purposes.
1137 This overrides the name option. Because the name option is privi‐
1138 leged, this option is normally not needed.
1139
1140
1141 usepeerdns
1142
1143 Ask the peer for up to two DNS server addresses. Addresses supplied
1144 by the peer, if any, are passed to the /etc/ppp/ip-up script in the
1145 environment variables DNS1 and DNS2. In addition, pppd creates an
1146 /etc/ppp/resolv.conf file containing one or two nameserver lines
1147 with the address(es) supplied by the peer.
1148
1149
1150 user name
1151
1152 Sets the name used for authenticating the local system to the peer
1153 to name.
1154
1155
1156 vj-max-slots n
1157
1158 Sets the number of connection slots to be used by the Van Jacobson
1159 TCP/IP header compression and decompression code to n, which must
1160 be between 2 and 16 (inclusive).
1161
1162
1163 welcome script
1164
1165 Run the executable or shell command specified by script before ini‐
1166 tiating PPP negotiation, after the connect script, if any, has com‐
1167 pleted. A value for this option from a privileged source cannot be
1168 overridden by a non-privileged user.
1169
1170
1171 xonxoff
1172
1173 Use software flow control, that is, XON/XOFF, to control the flow
1174 of data on the serial port.
1175
1176
1177 Obsolete Options
1178 The following options are obsolete:
1179
1180 +ua name Read a PAP user name and password from the file name.
1181 This file must have two lines for name and password. Name
1182 and password are sent to the peer when the peer requests
1183 PAP authentication.
1184
1185
1186 +ipv6 Enable IPv6 and IPv6CP without specifying interface iden‐
1187 tifiers.
1188
1189
1190 --version Show version number and exit.
1191
1192
1193 --help Show brief help message and exit.
1194
1195
1197 The following sections discuss miscellaneous features of pppd:
1198
1199 Security
1200 pppd allows system administrators to provide legitimate users with PPP
1201 access to a server machine without fear of compromising the security of
1202 the server or the network it runs on. Access control is provided by
1203 restricting IP addresses the peer may use based on its authenticated
1204 identity (if any), and through restrictions on options a non-privileged
1205 user may use. Options that permit potentially insecure configurations
1206 are privileged. Privileged options are accepted only in files that are
1207 under the control of the system administrator or when pppd is being run
1208 by root.
1209
1210
1211 By default, pppd allows an unauthenticated peer to use a given IP
1212 address only if the system does not already have a route to that IP
1213 address. For example, a system with a permanent connection to the wider
1214 Internet will normally have a default route, meaning all peers must
1215 authenticate themselves to set up a connection. On such a system, the
1216 auth option is the default. Conversely, a system with a PPP link that
1217 comprises the only connection to the Internet probably does not possess
1218 a default route, so the peer can use virtually any IP address without
1219 authenticating itself.
1220
1221
1222 Security-sensitive options are privileged and cannot be accessed by a
1223 non-privileged user running pppd, either on the command line, in the
1224 user's $HOME/.ppprc file, or in an options file read using the file
1225 option. Privileged options may be used in /etc/ppp/options file or in
1226 an options file read using the call option. If pppd is run by the root
1227 user, privileged options can be used without restriction. If the
1228 /etc/ppp/options file does not exist, then only root may invoke pppd.
1229 The /etc/ppp/options file must be created (but may be empty) to allow
1230 ordinary non-root users to access pppd.
1231
1232
When opening the device, pppd uses the invoking user's user ID or the
root UID (that is, 0), depending on whether the device name was
specified by the user or the system administrator. If the device name
comes from a privileged source, that is, /etc/ppp/options or an
options file read using the call option, pppd uses full root
privileges when opening the device. Thus, by creating an appropriate
file under /etc/ppp/peers, the system administrator can allow users to
establish a PPP connection via a device that they would not normally
have access to. Otherwise pppd uses the invoking user's real UID when
opening the device.
1242
1243 Authentication
1244 During the authentication process, one peer convinces the other of its
1245 identity by sending its name and some secret information to the other.
1246 During authentication, the first peer becomes the "client" and the sec‐
1247 ond becomes the "server." Authentication names can (but are not
1248 required to) correspond to the peer's Internet hostnames.
1249
1250
1251 pppd supports four authentication protocols: the Password Authentica‐
1252 tion Protocol (PAP) and three forms of the Challenge Handshake Authen‐
1253 tication Protocol (CHAP). With the PAP protocol, the client sends its
1254 name and a cleartext password to the server to authenticate itself.
1255 With CHAP, the server initiates the authentication exchange by sending
1256 a challenge to the client who must respond with its name and a hash
1257 value derived from the shared secret and the challenge.
1258
1259
1260 The PPP protocol is symmetrical, meaning that each peer may be required
1261 to authenticate itself to the other. Different authentication protocols
1262 and names can be used for each exchange.
1263
1264
1265 By default, pppd authenticates if requested and does not require
1266 authentication from the peer. However, pppd does not authenticate
1267 itself with a specific protocol if it has no secrets that can do so.
1268
1269
1270 pppd stores authentication secrets in the /etc/ppp/pap-secrets (for
1271 PAP), and /etc/ppp/chap-secrets (for CHAP) files. Both files use the
1272 same format. pppd uses secrets files to authenticate itself to other
1273 systems and to authenticate other systems to itself.
1274
1275
1276 Secrets files contain one secret per line. Secrets are specific to a
1277 particular combination of client and server and can only be used by
1278 that client to authenticate itself to that server. Each line in a
1279 secrets file has a minimum of three fields that contain the client and
1280 server names followed by the secret. Often, these three fields are fol‐
1281 lowed by IP addresses that are used by clients to connect to a server.
1282
1283
1284 A secrets file is parsed into words, with client name, server name and
1285 secrets fields allocated one word each. Embedded spaces or other spe‐
1286 cial characters within a word must be quoted or escaped. Case is sig‐
1287 nificant in all three fields.
1288
1289
A secret beginning with an at sign ("@") is followed by the name of a
file containing the secret. An asterisk (*) as the client or server
name matches any name. When choosing a match, pppd selects the one with
the fewest wildcards. Succeeding words on a line are interpreted by
pppd as acceptable IP addresses for that client. IP addresses are
disallowed if they appear in lines that contain only three words or
lines whose first word begins with a hyphen ("-"). To allow any
address, use "*". An address starting with an exclamation point ("!")
indicates that the specified address is not acceptable. An address may
be followed by "/" and a number n to indicate a whole subnet (all
addresses that have the same value in the most significant n bits). In
this form, the address may be followed by a plus sign ("+") to indicate
that one address from the subnet is authorized, based on the ppp
network interface unit number in use. In this case, the host part of
the address is set to the unit number, plus one.
1305
1306
1307 When authenticating the peer, pppd chooses a secret with the peer's
1308 name in the first field of the secrets file and the name of the local
1309 system in the second field. The local system name defaults to the host‐
1310 name, with the domain name appended if the domain option is used. The
1311 default can be overridden with the name option unless the usehostname
1312 option is used.
1313
1314
1315 When authenticating to the peer, pppd first determines the name it will
1316 use to identify itself to the peer. This name is specified with the
1317 user option. If the user option is not used, the name defaults to the
1318 host name of the local system. pppd then selects a secret from the
1319 secrets file by searching for an entry with a local name in the first
1320 field and the peer's name in the second field. pppd will know the name
1321 of the peer if standard CHAP authentication is used because the peer
1322 will have sent it in the Challenge packet. However, if MS-CHAP or PAP
1323 is being used, pppd must determine the peer's name from the options
1324 specified by the user. The user can specify the peer's name directly
1325 with the remotename option. Otherwise, if the remote IP address was
1326 specified by a name, rather than in numeric form, that name will be
1327 used as the peer's name. If that fails, pppd uses the null string as
1328 the peer's name.
1329
1330
1331 When authenticating the peer with PAP, the supplied password is
1332 compared with data in the secrets file. If the password and secret do
1333 not match, the password is encrypted using crypt() and checked against
1334 the secret again. If the papcrypt option is given, the first unen‐
1335 crypted comparison is omitted for better security, and entries must
1336 thus be in encrypted crypt(3C) form.
1337
1338
1339 If the login option is specified, the username and password are also
1340 checked against the system password database. This allows you to set up
1341 the pap-secrets file to enable PPP access only to certain users, and to
1342 restrict the set of IP addresses available to users. Typically, when
1343 using the login option, the secret in /etc/ppp/pap-secrets would be "",
1344 which matches any password supplied by the peer. This makes having the
1345 same secret in two places unnecessary. When login is used, the pam
1346 option enables access control through pam(3PAM).
1347
1348
1349 Authentication must be completed before IPCP (or other network proto‐
1350 col) can be started. If the peer is required to authenticate itself and
1351 fails, pppd closes LCP and terminates the link. If IPCP negotiates an
1352 unacceptable IP address for the remote host, IPCP is closed. IP packets
1353 are sent or received only when IPCP is open.
1354
1355
1356 To allow hosts that cannot authenticate themselves to connect and
1357 use one of a restricted set of IP addresses, add a line to the pap-
1358 secrets file specifying the empty string for the client name and
1359 secret.
1360
1361
1362 Additional pppd options for a given peer may be specified by placing
1363 them at the end of the secrets entry, separated by two dashes (--). For
1364 example
1365
1366 peername servername secret ip-address -- novj
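
The secrets-file rules above (fewest-wildcards selection, the address list with "!", "/n", "+" and "-", and the trailing "--" options), modelled as an added example that is not part of the original manual page or of pppd. The sample file, the function names, the first-match-wins order of the address list, and reading "first word" as the first address word are assumptions of this example; host names in the address list are skipped because resolving them needs DNS.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample in the pap-secrets/chap-secrets layout described above.
SAMPLE = r'''
# client  server  secret          addresses, then optional "--" and options
joespc    server  "joe's secret"  10.1.2.3 -- novj
*         server  shared          !192.168.7.9 192.168.7.0/24
pool      server  poolsecret      172.16.0.0/28+
""        server  ""              192.168.50.0/24
*         *       fallback        -
'''

@dataclass
class Entry:
    client: str
    server: str
    secret: str
    addrs: list = field(default_factory=list)
    options: list = field(default_factory=list)

def parse_secrets(text):
    """Split each line into words (quotes, backslash and # comments are
    handled by shlex, an approximation of pppd's own word parser)."""
    entries = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 3:
            continue                      # blank, comment or malformed line
        rest, opts = words[3:], []
        if "--" in rest:                  # per-peer pppd options follow "--"
            cut = rest.index("--")
            rest, opts = rest[:cut], rest[cut + 1:]
        entries.append(Entry(words[0], words[1], words[2], rest, opts))
    return entries

def select_secret(entries, client, server):
    """Return the matching entry with the fewest "*" wildcards, or None."""
    best = None
    for e in entries:
        if e.client not in ("*", client) or e.server not in ("*", server):
            continue
        wild = (e.client == "*") + (e.server == "*")
        if best is None or wild < best[0]:
            best = (wild, e)
    return best[1] if best else None

def address_allowed(entry, addr, unit=0):
    """Decide whether the peer may use addr under this entry's address list."""
    ip = ipaddress.ip_address(addr)
    if not entry.addrs or entry.addrs[0].startswith("-"):
        return False                      # three-word line, or "-" list
    for word in entry.addrs:
        negate = word.startswith("!")
        if negate:
            word = word[1:]
        if word == "*":
            return not negate
        single = word.endswith("+")       # one address per interface unit
        try:
            net = ipaddress.ip_network(word.rstrip("+"), strict=False)
        except ValueError:
            continue                      # host name: not modelled here
        if single:
            match = ip == net.network_address + unit + 1
        else:
            match = ip in net
        if match:
            return not negate             # assumption: first match decides
    return False

if __name__ == "__main__":
    table = parse_secrets(SAMPLE)
    for peer, ip in (("joespc", "10.1.2.3"), ("laptop", "192.168.7.9"),
                     ("laptop", "192.168.7.10"), ("", "192.168.50.7")):
        e = select_secret(table, peer, "server")
        print(repr(peer), ip, "->", e.client, address_allowed(e, ip))
```
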
1367
1368
1369 Routing
1370 When IPCP negotiation is complete, pppd informs the kernel of the local
1371 and remote IP addresses for the PPP interface and creates a host route
1372 to the remote end of the link that enables peers to exchange IP pack‐
1373 ets. Communication with other machines generally requires further modi‐
1374 fication to routing tables and/or Address Resolution Protocol (ARP)
1375 tables. In most cases the defaultroute and/or proxyarp options are suf‐
1376 ficient for this, but further intervention may be necessary. If further
1377 intervention is required, use the /etc/ppp/ip-up script or a routing
1378 protocol daemon.
1379
1380
1381 To add a default route through the remote host, use the defaultroute
1382 option. This option is typically used for "client" systems; that is,
1383 end-nodes that use the PPP link for access to the general Internet.
1384
1385
1386 In some cases it is desirable to use proxy ARP, for example on a server
1387 machine connected to a LAN, to allow other hosts to communicate with
1388 the remote host. proxyarp instructs pppd to look for a network inter‐
1389 face on the same subnet as the remote host. That is, an interface sup‐
1390 porting broadcast and ARP that is not a point-to-point or loopback
1391 interface and that is currently up. If found, pppd creates a permanent,
1392 published ARP entry with the IP address of the remote host and the
1393 hardware address of the network interface.
1394
1395
1396 When the demand option is used, the interface IP addresses are already
1397 set at the time when IPCP comes up. If pppd cannot negotiate the same
1398 addresses it used to configure the interface, it changes the interface
1399 IP addresses to the negotiated addresses. This may disrupt existing
1400 connections. Using demand dialing with peers that perform dynamic IP
1401 address assignment is not recommended.
1402
1403 Scripts
1404 pppd invokes scripts at various stages during processing that are used
1405 to perform site-specific ancillary processing. These scripts may be
1406 shell scripts or executable programs. pppd does not wait for the
1407 scripts to finish. The scripts are executed as root (with the real and
1408 effective user-id set to 0), enabling them to update routing tables,
1409 run privileged daemons, or perform other tasks. Be sure that the con‐
1410 tents of these scripts do not compromise your system's security. pppd
1411 runs the scripts with standard input, output and error redirected to
1412 /dev/null, and with an environment that is empty except for some envi‐
1413 ronment variables that give information about the link. The pppd envi‐
1414 ronment variables are:
1415
1416 DEVICE Name of the serial tty device.
1417
1418
1419 IFNAME Name of the network interface.
1420
1421
1422 IPLOCAL IP address for the link's local end. This is set only
1423 when IPCP has started.
1424
1425
1426 IPREMOTE IP address for the link's remote end. This is set only
1427 when IPCP has started.
1428
1429
1430 PEERNAME Authenticated name of the peer. This is set only if the
1431 peer authenticates itself.
1432
1433
1434 SPEED Baud rate of the tty device.
1435
1436
1437 ORIG_UID Real user-id of user who invoked pppd.
1438
1439
1440 PPPLOGNAME Username of the real user-id who invoked pppd. This is
1441 always set.
1442
1443
1444
1445 pppd also sets the following variables for the ip-down and auth-down
1446 scripts:
1447
1448 CONNECT_TIME Number of seconds between the start of PPP negotiation
1449 and connection termination.
1450
1451
1452 BYTES_SENT Number of bytes sent at the level of the serial port
1453 during the connection.
1454
1455
1456 BYTES_RCVD Number of bytes received at the level of the serial
1457 port during the connection.
1458
1459
1460 LINKNAME Logical name of the link, set with the linkname
1461 option.
1462
1463
1464
1465 If they exist, pppd invokes the following scripts. It is not an error
1466 if they do not exist.
1467
1468 /etc/ppp/auth-up Program or script executed after the remote sys‐
1469 tem successfully authenticates itself. It is
1470 executed with five command-line arguments:
1471 interface-name peer-name user-name tty-device
1472 speed. Note that this script is not executed if
1473 the peer does not authenticate itself, for exam‐
1474 ple, when the noauth option is used.
1475
1476
1477 /etc/ppp/auth-down Program or script executed when the link goes
1478 down if /etc/ppp/auth-up was previously exe‐
1479 cuted. It is executed in the same manner with
1480 the same parameters as /etc/ppp/auth-up.
1481
1482
1483 /etc/ppp/ip-up A program or script that is executed when the link
1484 is available for sending and receiving IP packets
1485 (that is, IPCP has come up). It is executed with
1486 six command-line arguments: interface-name tty-
1487 device speed local-IP-address remote-IP-address
1488 ipparam.
1489
1490
1491 /etc/ppp/ip-down A program or script which is executed when the
1492 link is no longer available for sending and
1493 receiving IP packets. This script can be used for
1494 undoing the effects of the /etc/ppp/ip-up script.
1495 It is invoked in the same manner and with the same
1496 parameters as the ip-up script.
1497
1498
1499 /etc/ppp/ipv6-up Similar to /etc/ppp/ip-up, except that it is exe‐
1500 cuted when the link is available for sending and
1501 receiving IPv6 packets. Executed with six command-
1502 line arguments: interface-name tty-device speed
1503 local-link-local-address remote-link-local-address
1504 ipparam.
1505
1506
1507 /etc/ppp/ipv6-down Similar to /etc/ppp/ip-down, but executed when
1508 IPv6 packets can no longer be transmitted on the
1509 link. Executed with the same parameters as the
1510 ipv6-up script.
1511
1512
1514 Example 1 Using the auth Option
1515
1516
1517 The following examples assume that the /etc/ppp/options file contains
1518 the auth option.
1519
1520
1521
1522 pppd is commonly used to dial out to an ISP. You can do this using the
1523 "pppd call isp" command where the /etc/ppp/peers/isp file is set up to
1524 contain a line similar to the following:
1525
1526
1527 cua/a 19200 crtscts connect '/usr/bin/chat -f /etc/ppp/chat-isp' noauth
1528
1529
1530
1531 For this example, chat(1M) is used to dial the ISP's modem and process
1532 any login sequence required. The /etc/ppp/chat-isp file is used by chat
1533 and could contain the following:
1534
1535
1536 ABORT "NO CARRIER"
1537 ABORT "NO DIALTONE"
1538 ABORT "ERROR"
1539 ABORT "NO ANSWER"
1540 ABORT "BUSY"
1541 ABORT "Username/Password Incorrect"
1542 "" "at"
1543 OK "at&f&d2&c1"
1544 OK "atdt2468135"
1545 "name:" "^Umyuserid"
1546 "word:" "qmypassword"
1547 "ispts" "q^Uppp"
1548 "~-^Uppp-~"
1549
1550
1551
1552 See the chat(1M) man page for details of chat scripts.
1553
1554
1555 Example 2 Using pppd with proxyarp
1556
1557
1558 pppd can also provide a dial-in ppp service for users. If the users
1559 already have login accounts, the simplest way to set up the ppp service
1560 is to let the users log in to their accounts and run pppd as shown in
1561 the following example:
1562
1563
1564 example% pppd proxyarp
1565
1566
1567
1568 Example 3 Providing a User with Access to PPP Facilities
1569
1570
To provide a user with access to the PPP facilities, allocate an IP
address for the user's machine and create an entry in
/etc/ppp/pap-secrets or /etc/ppp/chap-secrets. This enables the user's
machine to authenticate itself. For example, to enable user "Joe"
using machine "joespc" to dial in to machine "server" and use the IP
address "joespc.my.net," add the following entry to the
/etc/ppp/pap-secrets or /etc/ppp/chap-secrets files:
1578
1579
1580 joespc server "joe's secret" joespc.my.net
1581
1582
1583
1584
1585 Alternatively, you can create another username, for example "ppp,"
1586 whose login shell is /usr/bin/pppd and whose home directory is
1587 /etc/ppp. If you run pppd this way, add the options to the
1588 /etc/ppp/.ppprc file.
1589
1590
1591
If your serial connection is complex, it may be useful to escape such
control characters as XON (^Q) and XOFF (^S), using asyncmap a0000. If
the path includes a telnet command, escape ^] (asyncmap 200a0000). If
the path includes a rlogin command, add the escape ff option to the
options, because rlogin removes the window-size-change sequence [0xff,
0xff, 0x73, 0x73, followed by any 8 bytes] from the stream.
1598
1599
1601 The pppd exit status indicates errors or specifies why a link was ter‐
1602 minated. Exit status values are:
1603
1604 0 pppd has detached or the connection was successfully established
1605 and terminated at the peer's request.
1606
1607
1608 1 An immediately fatal error occurred. For example, an essential
1609 system call failed.
1610
1611
1612 2 An error was detected in the options given. For example, two
1613 mutually exclusive options were used, or /etc/ppp/options is
1614 missing and the user is not root.
1615
1616
1617 3 pppd is not setuid-root and the invoking user is not root.
1618
1619
1620 4 The kernel does not support PPP. For example, the PPP kernel
1621 driver is not included or cannot be loaded.
1622
1623
1624 5 pppd terminated because it was sent a SIGINT, SIGTERM or SIGHUP
1625 signal.
1626
1627
1628 6 The serial port could not be locked.
1629
1630
1631 7 The serial port could not be opened.
1632
1633
1634 8 The connect script failed and returned a non-zero exit status.
1635
1636
1637 9 The command specified as the argument to the pty option could
1638 not be run.
1639
1640
1641 10 The PPP negotiation failed because no network protocols were
1642 able to run.
1643
1644
1645 11 The peer system failed or refused to authenticate itself.
1646
1647
1648 12 The link was established successfully, but terminated because it
1649 was idle.
1650
1651
1652 13 The link was established successfully, but terminated because
1653 the connect time limit was reached.
1654
1655
1656 14 Callback was negotiated and an incoming call should arrive
1657 shortly.
1658
1659
1660 15 The link was terminated because the peer is not responding to
1661 echo requests.
1662
1663
1664 16 The link was terminated by the modem hanging up.
1665
1666
1667 17 The PPP negotiation failed because serial loopback was detected.
1668
1669
1670 18 The init script failed because a non-zero exit status was
1671 returned.
1672
1673
1674 19 Authentication to the peer failed.
1675
1676
1678 /var/run/spppn.pid Process-ID for pppd process on PPP inter‐
1679 face unit n.
1680
1681
1682 /var/run/ppp-name.pid Process-ID for pppd process for logical
1683 link name (see the linkname option).
1684
1685
1686 /etc/ppp/pap-secrets Usernames, passwords and IP addresses for
1687 PAP authentication. This file should be
1688 owned by root and not readable or writable
1689 by any other user, otherwise pppd will log
1690 a warning.
1691
1692
/etc/ppp/chap-secrets     Names, secrets and IP addresses for all
                          forms of CHAP authentication. The
                          /etc/ppp/pap-secrets file should be owned
                          by root and should not be readable or
                          writable by any other user; otherwise,
                          pppd will log a warning.
1699
1700
1701 /etc/ppp/options System default options for pppd, read
1702 before user default options or command-
1703 line options.
1704
1705
1706 $HOME/.ppprc User default options, read before
1707 /etc/ppp/options.ttyname.
1708
1709
1710 /etc/ppp/options.ttyname System default options for the serial port
1711 in use; read after $HOME/.ppprc. The tty‐
1712 name component of this filename is formed
1713 when the initial /dev/ is stripped from
1714 the port name (if present), and slashes
1715 (if any) are converted to dots.
1716
1717
1718 /etc/ppp/peers Directory with options files that may con‐
1719 tain privileged options, even if pppd was
1720 invoked by a user other than root. The
1721 system administrator can create options
1722 files in this directory to permit non-
1723 privileged users to dial out without
1724 requiring the peer to authenticate, but
1725 only to certain trusted peers.
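
A configuration check built from the file rules above and from the option descriptions on this page, as an added example that is not part of the original manual page or of pppd. The policy tables, function names and sample text are this example's assumptions; TAKES_ARG lists only the argument-taking options described on this page, and shlex approximates pppd's word parsing.

```python
import os
import shlex
import stat

# Options from this page that take one argument, so the following word is a
# value and must not be mistaken for an option name (partial list).
TAKES_ARG = {"pap-max-authreq", "pap-restart", "pap-timeout", "password",
             "plugin", "pppmux", "privgroup", "pty", "record", "remotename",
             "socket", "unit", "user", "vj-max-slots", "welcome"}

# Example policy: options worth a reviewer's attention in /etc/ppp/options.
FLAGGED = {
    "show-password": "PAP password strings are written to the log",
    "privgroup": "group members may use privileged options (root-equivalent)",
    "noauth": "the peer is not required to authenticate",
    "plugin": "loads a shared library object into pppd",
}
# Example policy: options expected in the system-wide options file.
EXPECTED = {
    "auth": "require the peer to authenticate",
    "noproxyarp": "prevent users from creating proxy ARP entries",
}

def option_words(text):
    """Yield (option, argument or None) pairs from options-file text."""
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        i = 0
        while i < len(words):
            if words[i] in TAKES_ARG and i + 1 < len(words):
                yield words[i], words[i + 1]
                i += 2
            else:
                yield words[i], None
                i += 1

def audit_options(text):
    """Return (kind, option, detail) findings for one options file."""
    findings, seen = [], set()
    for opt, arg in option_words(text):
        seen.add(opt)
        if opt in FLAGGED:
            detail = FLAGGED[opt] + (f" [argument: {arg}]" if arg else "")
            findings.append(("flagged", opt, detail))
    for opt, why in EXPECTED.items():
        if opt not in seen:
            findings.append(("missing", opt, why))
    return findings

def secrets_file_problems(mode, uid):
    """Apply the ownership and permission rule for the secrets files."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        problems.append("readable or writable by users other than the owner")
    return problems

def check_secrets_path(path):
    """Convenience wrapper that reads mode and owner from the file system."""
    st = os.stat(path)
    return secrets_file_problems(st.st_mode, st.st_uid)

# Constructed sample options file used for the demonstration.
SAMPLE_OPTIONS = '''
auth
privgroup dialers      # members may use privileged options
user "noauth"          # a value for user, not the noauth option
show-password
'''

if __name__ == "__main__":
    for finding in audit_options(SAMPLE_OPTIONS):
        print(*finding, sep=": ")
    print(secrets_file_problems(0o100644, 0))
```
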
1726
1727
1729 See attributes(5) for descriptions of the following attributes:
1730
1731
1732
1733
1734 ┌─────────────────────────────┬─────────────────────────────┐
1735 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
1736 ├─────────────────────────────┼─────────────────────────────┤
1737 │Availability │SUNWpppdu │
1738 ├─────────────────────────────┼─────────────────────────────┤
1739 │Interface Stability │Evolving │
1740 └─────────────────────────────┴─────────────────────────────┘
1741
chat(1M), ifconfig(1M), crypt(3C), pam(3PAM), attributes(5)

Haskin, D., Allen, E. RFC 2472, IP Version 6 Over PPP. Network Working
Group. December 1998.

Jacobson, V. RFC 1144, Compressing TCP/IP Headers for Low-Speed Serial
Links. Network Working Group. February 1990.

Lloyd, B., Simpson, W. RFC 1334, PPP Authentication Protocols. Network
Working Group. October 1992.

McGregor, G. RFC 1332, The PPP Internet Protocol Control Protocol
(IPCP). Network Working Group. May 1992.

Rivest, R. RFC 1321, The MD5 Message-Digest Algorithm. Network Working
Group. April 1992.

Simpson, W. RFC 1661, The Point-to-Point Protocol (PPP). Network
Working Group. July 1994.

Simpson, W. RFC 1662, HDLC-like Framing. Network Working Group. July
1994.

These signals affect pppd behavior:

SIGINT, SIGTERM Terminate the link, restore the serial device
settings and exit.

SIGHUP Terminate the link, restore the serial device
settings and close the serial device. If the persist
or demand option is specified, pppd attempts to
reopen the serial device and start another
connection after the holdoff period. Otherwise pppd
exits. If received during the holdoff period,
SIGHUP causes pppd to end the holdoff period
immediately.

SIGUSR1 Toggles the state of the debug option and prints
link status information to the log.

SIGUSR2 Causes pppd to renegotiate compression. This is
useful to re-enable compression after it has been
disabled as a result of a fatal decompression
error. (Fatal decompression errors generally
indicate a bug in an implementation.)

Messages are sent to the syslog daemon using facility LOG_DAEMON. To
see error and debug messages, edit the /etc/syslog.conf file to direct
the messages to the desired output device or file, or use the updetach
or logfile options.

The debug option causes the contents of all LCP, PAP, CHAP or IPCP
control packets sent or received to be logged. This is useful if PPP
negotiation does not succeed or if authentication fails.

Debugging can also be enabled or disabled by sending a SIGUSR1 signal
to the pppd process; the signal acts as a toggle.

SunOS 5.11 21 Nov 2001 pppd(1M)