1 '\" te
2 .\" Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
3 .\" Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
4 .\" WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
5 .\" Portions Copyright (c) 2008, Sun Microsystems, Inc. All Right Reserved.
6 .TH PPPD 1M "November 22, 2021"
7 .SH NAME
8 pppd \- point to point protocol daemon
9 .SH SYNOPSIS
10 .nf
11 \fBpppd\fR [\fItty_name\fR] [\fIspeed\fR] [\fIoptions\fR]
12 .fi
13
14 .SH DESCRIPTION
15 The point-to-point protocol (PPP) provides a method for transmitting datagrams
16 over serial point-to-point links. PPP is composed of three components: a
17 facility for encapsulating datagrams over serial links, an extensible link
18 control protocol (LCP), and a family of network control protocols (NCP) for
19 establishing and configuring different network-layer protocols.
20 .sp
21 .LP
22 The encapsulation scheme is provided by driver code in the kernel. \fBpppd\fR
23 provides the basic LCP authentication support and several NCPs for establishing
24 and configuring the Internet Protocol (referred to as the IP Control Protocol
25 or "IPCP") and IPv6 (IPV6CP).
26 .SH OPTIONS
27 The following sections discuss the \fBpppd\fR options:
28 .SS "Options Files"
29 Options are taken from files and the command line. \fBpppd\fR reads options
30 from the files \fB/etc/ppp/options\fR, \fB$HOME/.ppprc\fR and
31 \fB/etc/ppp/options.\fR\fIttyname\fR (in that order) before processing the
32 options on the command line. (Command-line options are scanned for the terminal
33 name before the \fBoptions\fR.\fIttyname\fR file is read.) To form the name of
34 the \fBoptions\fR.\fIttyname\fR file, the initial \fB/dev/\fR is removed from
35 the terminal name, and any remaining forward slash characters (/) are replaced
36 with dots. For example, with serial device \fB/dev/cua/a\fR, option file
37 \fB/etc/ppp/options.cua.a\fR is read.
38 .sp
39 .LP
40 An options file is parsed into a series of words that are delimited by
41 whitespace. Whitespace can be included in a word by enclosing the word in
42 double-quotes ("). A backslash (\e) quotes the succeeding character. A hash (#)
43 starts a comment, which continues until the end of the line. There is no
44 restriction on using the \fBfile\fR or \fBcall\fR options within an options
45 file.
46 .SS "Frequently Used Options"
47 .ne 2
48 .na
49 \fB\fB<tty_name>\fR \fR
50 .ad
51 .RS 23n
52 Communicate over the named device. The string \fB/dev/\fR is prepended if
53 necessary. If no device name is given, or if the name of the terminal connected
54 to the standard input is given, \fBpppd\fR uses that terminal and does not fork
55 to put itself in the background. A value for this option from a privileged
56 source cannot be overridden by a non-privileged user.
57 .RE
58
59 .sp
60 .ne 2
61 .na
62 \fB\fB<speed>\fR \fR
63 .ad
64 .RS 23n
65 Set the baud rate to <\fBspeed\fR> (a decimal number). The default is to leave
66 the baud rate unchanged. This option is normally needed for dial-out only.
67 .RE
68
69 .sp
70 .ne 2
71 .na
72 \fB\fBasyncmap\fR \fB\fI<map>\fR\fR \fR
73 .ad
74 .RS 23n
75 Set the \fBasync\fR character map to \fI<map>\fR\&. The map describes which
76 control characters cannot be successfully received over the serial line.
77 \fBpppd\fR asks the peer to send these characters as a 2-byte escape sequence.
78 The argument is a 32 bit hex number, with each bit representing a character to
79 escape. Bit 0 (00000001) represents the character 0x00; bit 31 (80000000)
80 represents the character 0x1f or ^_. If multiple \fBasyncmap\fR options are
81 given, the values are \fBORed\fR together. If no \fBasyncmap\fR option is
82 given, \fBpppd\fR attempts to negotiate a value of 0. If the peer agrees, this
83 disables escaping of the standard control characters. Use the
84 \fBdefault-asyncmap\fR option to disable negotiation and escape all control
85 characters.
86 .RE
87
88 .sp
89 .ne 2
90 .na
91 \fB\fBauth\fR \fR
92 .ad
93 .RS 23n
94 Require the peer to authenticate itself before allowing network packets to be
95 sent or received. This option is the default if the system has a default route.
96 If the \fBauth\fR or the \fBnoauth\fR option is not specified, \fBpppd\fR
97 allows the peer to use only those IP addresses to which the system does not
98 already have a route.
99 .RE
100
101 .sp
102 .ne 2
103 .na
104 \fB\fBcall\fR \fB\fIname\fR\fR \fR
105 .ad
106 .RS 23n
107 Read options from the file \fB/etc/ppp/peers/\fR\fIname\fR. This file may
108 contain privileged options, including \fBnoauth\fR, even if \fBpppd\fR is not
109 being run by root. The \fIname\fR string may not begin with a slash ("/") or
110 include consecutive periods \fB("..")\fR as a pathname component.
111 .RE
112
113 .sp
114 .ne 2
115 .na
116 \fB\fBcallback\fR \fB\fInumber\fR\fR \fR
117 .ad
118 .RS 23n
119 Request a callback to the given telephone number using Microsoft CBCP.
120 .RE
121
122 .sp
123 .ne 2
124 .na
125 \fB\fBconnect\fR \fB\fIscript\fR\fR \fR
126 .ad
127 .RS 23n
128 Use the executable or shell command specified by \fIscript\fR to set up the
129 serial line. This script would typically use the \fBchat\fR(1M) program to dial
130 the modem and start the remote \fBPPP\fR session. A value for this option
131 originating from a privileged source cannot be overridden by a non-privileged
132 user.
133 .RE
134
135 .sp
136 .ne 2
137 .na
138 \fB\fBcrtscts\fR \fR
139 .ad
140 .RS 23n
141 Use hardware flow control, that is, RTS/CTS, to control the flow of data on the
142 serial port. If the \fBcrtscts\fR, \fBnocrtscts\fR, \fBcdtrcts\fR or
143 \fBnocdtrcts\fR option is not provided, the hardware flow control setting for
144 the serial port is left unchanged. Some serial ports lack a true RTS output and
145 use this mode to implement unidirectional flow control. The serial port
146 suspends transmission when requested by the modem by means of CTS but cannot
147 request the modem to stop sending to the computer. This mode allows the use of
148 DTR as a modem control line.
149 .RE
150
151 .sp
152 .ne 2
153 .na
154 \fB\fBdefaultroute\fR \fR
155 .ad
156 .RS 23n
157 Add a default route to the system routing tables when IPCP negotiation
158 successfully completes, using the peer as the gateway. This entry is removed
159 when the \fBPPP\fR connection is broken. This option is privileged if the
160 \fBnodefaultroute\fR option is specified.
161 .RE
162
163 .sp
164 .ne 2
165 .na
166 \fB\fBdisconnect\fR \fB \fIscript\fR\fR \fR
167 .ad
168 .RS 23n
169 Run the executable or shell command specified by \fIscript\fR after \fBpppd\fR
170 terminates the link. Typically, this script is used to command the modem to
171 hang up if hardware modem control signals are not available. \fBdisconnect\fR
172 is not run if the modem has already hung up. A value for this option
173 originating from a privileged source cannot be overridden by a non-privileged
174 user.
175 .RE
176
177 .sp
178 .ne 2
179 .na
180 \fB\fBescape\fR \fB\fIxx,yy,...\fR\fR \fR
181 .ad
182 .RS 23n
183 Specifies that certain characters be escaped on transmission regardless of
184 whether the peer requests them to be escaped with its \fBasync\fR control
185 character map. The characters to be escaped are specified as a list of hex
186 numbers separated by commas. Note that almost any character can be specified
187 for the \fBescape\fR option, unlike the \fBasyncmap\fR option which allows only
188 control characters to be specified. Characters that cannot be escaped are those
189 containing hex values 0x20 through 0x3f and 0x5e.
190 .RE
191
192 .sp
193 .ne 2
194 .na
195 \fB\fBfile\fR \fB\fIname\fR\fR \fR
196 .ad
197 .RS 23n
198 Read options from file \fIname\fR. If this option is used on the command line
199 or in \fB$HOME/.ppprc\fR, the file must be readable by the user invoking
200 \fBpppd\fR. See for a list of files that \fBpppd\fR always reads, regardless
201 of the use of this option.
202 .RE
203
204 .sp
205 .ne 2
206 .na
207 \fB\fBinit\fR \fB \fIscript\fR \fR \fR
208 .ad
209 .RS 23n
210 Run the executable or shell command specified by \fIscript\fR to initialize the
211 serial line. This script would typically use the \fBchat\fR(1M) program to
212 configure the modem to enable auto-answer. A value for this option from a
213 privileged source cannot be overridden by a non-privileged user.
214 .RE
215
216 .sp
217 .ne 2
218 .na
219 \fB\fBlock\fR \fR
220 .ad
221 .RS 23n
222 Directs \fBpppd\fR to create a UUCP-style lock file for the serial device to
223 ensure exclusive access to the device.
224 .RE
225
226 .sp
227 .ne 2
228 .na
229 \fB\fBmru\fR \fB\fIn\fR\fR \fR
230 .ad
231 .RS 23n
232 Set the Maximum Receive Unit (MRU) value to \fIn\fR. \fBpppd\fR asks the peer
233 to send packets of no more than \fIn\fR bytes. Minimum MRU value is 128.
234 Default MRU value is 1500. A value of 296 is recommended for slow links (40
235 bytes for TCP/IP header + 256 bytes of data). For IPv6, MRU must be at least
236 1280.
237 .RE
238
239 .sp
240 .ne 2
241 .na
242 \fB\fBmtu\fR \fB\fIn\fR\fR \fR
243 .ad
244 .RS 23n
245 Set the Maximum Transmit Unit (MTU) value to \fIn\fR. Unless the peer requests
246 a smaller value via MRU negotiation, \fBpppd\fR requests the kernel networking
247 code to send data packets of no more than \fIn\fR bytes through the PPP network
248 interface. For IPv6, MTU must be at least 1280.
249 .RE
250
251 .sp
252 .ne 2
253 .na
254 \fB\fBpassive\fR \fR
255 .ad
256 .RS 23n
257 Enables the "passive" option in the LCP. With this option, \fBpppd\fR attempts
258 to initiate a connection; if no reply is received from the peer, \fBpppd\fR
259 waits passively for a valid LCP packet instead of exiting, as it would without
260 this option.
261 .RE
262
263 .SS "Options"
264 .ne 2
265 .na
266 \fB\fB<local_IP_address>:<remote_IP_address>\fR \fR
267 .ad
268 .sp .6
269 .RS 4n
270 Set the local and/or remote interface IP addresses. Either one may be omitted,
271 but the colon is required. The IP addresses are specified with a host name or
272 in decimal dot notation, for example: \fB:10.1.2.3\fR. The default local
273 address is the first IP address of the system unless the \fBnoipdefault\fR
274 option is provided. The remote address is obtained from the peer if not
275 specified in any option. Thus, in simple cases, this option is not required. If
276 a local and/or remote IP address is specified with this option, \fBpppd\fR will
277 not accept a different value from the peer in the IPCP negotiation unless the
278 \fBipcp-accept-local\fR and/or \fBipcp-accept-remote\fR options are given,
279 respectively.
280 .RE
281
282 .sp
283 .ne 2
284 .na
285 \fB\fBallow-fcs\fR \fB\fIfcs-type\fR\fR \fR
286 .ad
287 .sp .6
288 .RS 4n
289 Set allowable FCS type(s) for data sent to the peer. The \fIfcs-type\fR is a
290 comma-separated list of "crc16", "crc32", "null", or integers. By default, all
291 known types are allowed. If this option is specified and the peer requests a
292 type not listed, a LCP Configure-Nak is sent to request only the listed types.
293 .RE
294
295 .sp
296 .ne 2
297 .na
298 \fB\fBallow-ip\fR \fB\fIaddress(es)\fR\fR \fR
299 .ad
300 .sp .6
301 .RS 4n
302 Allow peers to use the given IP address or subnet without authenticating
303 themselves. The parameter is parsed in the same manner as each element of the
304 list of allowed IP addresses is parsed in the secrets files. See the section
305 more more details.
306 .RE
307
308 .sp
309 .ne 2
310 .na
311 \fB\fBbsdcomp\fR \fB\fInr,nt\fR\fR \fR
312 .ad
313 .sp .6
314 .RS 4n
315 Request that the peer compress packets that it sends using the BSD-Compress
316 scheme, with a maximum code size of \fInr\fR bits, and agree to compress
317 packets sent to the peer with a maximum code size of \fInt\fR bits. If \fInt\fR
318 is not specified, it defaults to the value given for \fInr\fR. Values in the
319 range 9 to 15 may be used for \fInr\fR and \fInt\fR; larger values provide
320 better compression but consume more kernel memory for compression dictionaries.
321 Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables compression in
322 the corresponding direction. Use \fBnobsdcomp\fR or \fBbsdcomp 0\fR to disable
323 BSD-Compress compression entirely. If this option is read from a privileged
324 source, a nonprivileged user may not specify a code size larger than the value
325 from the privileged source.
326 .RE
327
328 .sp
329 .ne 2
330 .na
331 \fB\fBcdtrcts\fR \fR
332 .ad
333 .sp .6
334 .RS 4n
335 Use a non-standard hardware flow control such as DTR/CTS to control the flow of
336 data on the serial port. If the \fBcrtscts\fR, \fBnocrtscts\fR, \fBcdtrcts\fR
337 or \fBnocdtrcts\fR option is not specified, the hardware flow control setting
338 for the serial port is left unchanged. Some serial ports lack a true RTS
339 output. Such serial ports use this mode to implement true bi-directional flow
340 control. Note that this flow control mode does not permit using DTR as a modem
341 control line.
342 .RE
343
344 .sp
345 .ne 2
346 .na
347 \fB\fBchap-interval\fR \fB\fIn\fR\fR\fR
348 .ad
349 .sp .6
350 .RS 4n
351 If this option is given, \fBpppd\fR will rechallenge the peer every \fIn\fR
352 seconds.
353 .RE
354
355 .sp
356 .ne 2
357 .na
358 \fB\fBchap-max-challenge\fR \fB\fIn\fR\fR \fR
359 .ad
360 .sp .6
361 .RS 4n
362 Set the maximum number of CHAP challenge transmissions to \fIn\fR (default 10).
363 .RE
364
365 .sp
366 .ne 2
367 .na
368 \fB\fBchap-restart\fR \fB\fIn\fR\fR \fR
369 .ad
370 .sp .6
371 .RS 4n
372 Set the CHAP restart interval (retransmission timeout for challenges) to
373 \fIn\fR seconds. The default is 3.
374 .RE
375
376 .sp
377 .ne 2
378 .na
379 \fB\fBconnect-delay\fR \fB\fIn\fR\fR \fR
380 .ad
381 .sp .6
382 .RS 4n
383 Wait for up to \fIn\fR milliseconds after the connect script finishes for a
384 valid PPP packet from the peer. When the wait period elapses or when a valid
385 PPP packet is received from the peer, \fBpppd\fR begins negotiation by sending
386 its first LCP packet. The default value is 1000 (1 second). A wait period
387 applies only if the \fBconnect\fR or \fBpty\fR option is used.
388 .RE
389
390 .sp
391 .ne 2
392 .na
393 \fB\fBdatarate\fR \fB\fIn\fR\fR \fR
394 .ad
395 .sp .6
396 .RS 4n
397 Set maximum data rate to \fIn\fR (in bytes per second) when using the
398 \fBpty\fR, \fBnotty\fR, \fBrecord\fR, or \fBsocket\fR options.
399 .RE
400
401 .sp
402 .ne 2
403 .na
404 \fB\fBdebug\fR \fR
405 .ad
406 .sp .6
407 .RS 4n
408 Enables connection debugging facilities. If this option is given, \fBpppd\fR
409 logs the contents of all control packets sent or received in a readable form.
410 The packets are logged through syslog with facility \fBdaemon\fR and level
411 \fBdebug\fR. This information can be directed to a file by configuring
412 \fB/etc/syslog.conf\fR appropriately.
413 .RE
414
415 .sp
416 .ne 2
417 .na
418 \fB\fBdefault-asyncmap\fR \fR
419 .ad
420 .sp .6
421 .RS 4n
422 Disable \fBasyncmap\fR negotiation, forcing all control characters to be
423 escaped for both the transmit and the receive direction.
424 .RE
425
426 .sp
427 .ne 2
428 .na
429 \fB\fBdefault-fcs\fR \fR
430 .ad
431 .sp .6
432 .RS 4n
433 Disable FCS Alternatives negotiation entirely. By default, no FCS Alternatives
434 option is sent to the peer, but the option is accepted. If this option is
435 specified by the peer, then LCP Configure-Reject is sent.
436 .RE
437
438 .sp
439 .ne 2
440 .na
441 \fB\fBdefault-mru\fR \fR
442 .ad
443 .sp .6
444 .RS 4n
445 Disable MRU [Maximum Receive Unit] negotiation. With this option, \fBpppd\fR
446 uses the default MRU value of 1500 bytes for the transmit and receive
447 directions.
448 .RE
449
450 .sp
451 .ne 2
452 .na
453 \fB\fBdeflate\fR \fB\fInr,nt,e\fR\fR \fR
454 .ad
455 .sp .6
456 .RS 4n
457 Request that the peer compress packets that it sends, using the \fBdeflate\fR
458 scheme, with a maximum window size of \fI2**nr\fR bytes, and agree to compress
459 packets sent to the peer with a maximum window size of \fI2**nt\fR bytes and
460 effort level of \fIe\fR (1 to 9). If \fInt\fR is not specified, it defaults to
461 the value given for \fInr\fR. If \fIe\fR is not specified, it defaults to 6.
462 Values in the range 9 to 15 may be used for \fInr\fR and \fInt\fR; larger
463 values provide better compression but consume more kernel memory for
464 compression dictionaries. (Value 8 is not permitted due to a zlib bug.)
465 Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables compression in
466 the corresponding direction. Use \fBnodeflate\fR or \fBdeflate 0\fR to disable
467 \fBdeflate\fR compression entirely. (Note: \fBpppd\fR requests deflate
468 compression in preference to BSD-Compress if the peer can do either.) If this
469 option is read from a privileged source, a nonprivileged user may not specify a
470 code size larger than the value from the privileged source.
471 .RE
472
473 .sp
474 .ne 2
475 .na
476 \fB\fBdemand\fR \fR
477 .ad
478 .sp .6
479 .RS 4n
480 Initiate the link only on demand, that is, when data traffic is present. With
481 this option, the remote IP address must be specified by the user on the command
482 line or in an options file. \fBpppd\fR initially configures and enables the
483 interface for IP traffic without connecting to the peer. When traffic is
484 available, \fBpppd\fR connects to the peer and performs negotiation,
485 authentication and other actions. When completed, \fBpppd\fR passes data
486 packets across the link. The \fBdemand\fR option implies the \fBpersist\fR
487 option. If this behavior is not desired, use the \fBnopersist\fR option after
488 the \fBdemand\fR option. The \fBidle\fR and \fBholdoff\fR options can be used
489 in conjunction with the \fBdemand\fR option.
490 .RE
491
492 .sp
493 .ne 2
494 .na
495 \fB\fBdomain\fR \fB\fId\fR\fR \fR
496 .ad
497 .sp .6
498 .RS 4n
499 Append the domain name \fId\fR to the local host name for authentication
500 purposes. For example, if \fBgethostname()\fR returns the name \fBporsche\fR,
501 but the fully qualified domain name is \fBporsche.Example.COM\fR, you could
502 specify \fBdomain Example.COM\fR. With this configuration, \fBpppd\fR uses the
503 name \fBporsche.Example.COM\fR for accessing secrets in the secrets file and as
504 the default name when authenticating to the peer. This option is privileged.
505 .RE
506
507 .sp
508 .ne 2
509 .na
510 \fB\fBendpoint\fR \fB\fIendpoint-value\fR\fR \fR
511 .ad
512 .sp .6
513 .RS 4n
514 Set the endpoint discriminator (normally used for RFC 1990 Multilink PPP
515 operation). The \fIendpoint-value\fR consists of a class identifier and a
516 class-dependent value. The class identifier is one of "null," "local," "IP,"
517 "MAC," "magic," "phone," or a decimal integer. If present, the class-dependent
518 value is separated from the identifier by a colon (":") or period (".") . This
519 value may be a standard dotted-decimal IP address for class "IP," an optionally
520 colon-or-dot separated hex Ethernet address for class "MAC" (must have 6
521 numbers), or an arbitrary string of bytes specified in hex with optional colon
522 or dot separators between bytes. Although this option is available, this
523 implementation does not support multilink.
524 .RE
525
526 .sp
527 .ne 2
528 .na
529 \fB\fBfcs\fR \fB\fIfcs-type\fR\fR \fR
530 .ad
531 .sp .6
532 .RS 4n
533 Set FCS type(s) desired for data sent by the peer. The \fIfcs-type\fR is a
534 comma-separated list of \fBcrc16\fR, \fBcrc32\fR, \fBnull\fR, or integers. By
535 default, an FCS Alternatives option is not specified, and the medium-dependent
536 FCS type is used. If this option is specified and the peer sends an LCP
537 Configure-Nak, only the listed types are used. If none are in common, the FCS
538 Alternatives option is omitted from the next LCP Configure-Request to drop back
539 to the default.
540 .RE
541
542 .sp
543 .ne 2
544 .na
545 \fB\fBhide-password\fR \fR
546 .ad
547 .sp .6
548 .RS 4n
549 When logging the contents of PAP packets, this option causes \fBpppd\fR to
550 exclude the password string from the log. This is the default.
551 .RE
552
553 .sp
554 .ne 2
555 .na
556 \fB\fBholdoff\fR \fB\fIn\fR\fR \fR
557 .ad
558 .sp .6
559 .RS 4n
560 Specifies how many seconds to wait before re-initiating the link after it
561 terminates. This option is effective only if the \fBpersist\fR or \fBdemand\fR
562 option is used. The holdoff period is not applied if the link is terminated
563 because it was idle.
564 .RE
565
566 .sp
567 .ne 2
568 .na
569 \fB\fBident\fR \fB\fIstring\fR\fR \fR
570 .ad
571 .sp .6
572 .RS 4n
573 Set the LCP Identification string. The default value is a version string
574 similar to that displayed by the \fB--version\fR option.
575 .RE
576
577 .sp
578 .ne 2
579 .na
580 \fB\fBidle\fR \fB\fIn\fR\fR \fR
581 .ad
582 .sp .6
583 .RS 4n
584 Specifies that \fBpppd\fR must disconnect if the link is idle for \fIn\fR
585 seconds. The link is idle when no data packets (i.e. IP packets) are being sent
586 or received. Do not use this option with the \fBpersist\fR option but without
587 the \fBdemand\fR option.
588 .RE
589
590 .sp
591 .ne 2
592 .na
593 \fB\fBipcp-accept-local\fR \fR
594 .ad
595 .sp .6
596 .RS 4n
597 With this option, \fBpppd\fR accepts the peer's idea of the local IP address,
598 even if the local IP address is specified in an option.
599 .RE
600
601 .sp
602 .ne 2
603 .na
604 \fB\fBipcp-accept-remote\fR \fR
605 .ad
606 .sp .6
607 .RS 4n
608 With this option, \fBpppd\fR accepts the peer's idea of its remote IP address,
609 even if the remote IP address is specified in an option.
610 .RE
611
612 .sp
613 .ne 2
614 .na
615 \fB\fBipcp-max-configure\fR \fB\fIn\fR\fR \fR
616 .ad
617 .sp .6
618 .RS 4n
619 Set the maximum number of IPCP Configure-Request transmissions to \fIn\fR
620 (default 10).
621 .RE
622
623 .sp
624 .ne 2
625 .na
626 \fB\fBipcp-max-failure\fR \fB\fIn\fR\fR \fR
627 .ad
628 .sp .6
629 .RS 4n
630 Set the maximum number of IPCP Configure-NAKs sent before sending
631 Configure-Rejects instead to \fIn\fR (default 10).
632 .RE
633
634 .sp
635 .ne 2
636 .na
637 \fB\fBipcp-max-terminate\fR \fB\fIn\fR\fR \fR
638 .ad
639 .sp .6
640 .RS 4n
641 Set the maximum number of IPCP terminate-request transmissions to \fIn\fR
642 (default 3).
643 .RE
644
645 .sp
646 .ne 2
647 .na
648 \fB\fBipcp-restart\fR \fB\fIn\fR\fR \fR
649 .ad
650 .sp .6
651 .RS 4n
652 Set the IPCP restart interval (retransmission timeout) to \fIn\fR seconds
653 (default 3).
654 .RE
655
656 .sp
657 .ne 2
658 .na
659 \fB\fBipparam\fR \fB\fIstring\fR\fR \fR
660 .ad
661 .sp .6
662 .RS 4n
663 Provides an extra parameter to the ip-up and ip-down scripts. When this option
664 is given, the \fIstring\fR supplied is given as the sixth parameter to those
665 scripts. See the section.
666 .RE
667
668 .sp
669 .ne 2
670 .na
671 \fB\fBipv6\fR
672 \fB\fI<local_interface_identifier>\fR,\fI<remote_interface_identifier>\fR\fR
673 \fR
674 .ad
675 .sp .6
676 .RS 4n
677 Set the local and/or remote 64-bit interface identifier. Either one may be
678 omitted. The identifier must be specified in standard ASCII notation of IPv6
679 addresses (for example: \fB::dead:beef\fR). If the \fBipv6cp-use-ipaddr\fR
680 option is given, the local and remote identifiers are derived from the
681 respective IPv4 addresses (see above). The \fBipv6cp-use-persistent\fR option
682 can be used instead of the \fBipv6 <local>,<remote>\fR option.
683 .RE
684
685 .sp
686 .ne 2
687 .na
688 \fB\fBipv6cp-accept-local\fR \fR
689 .ad
690 .sp .6
691 .RS 4n
692 Accept peer's interface identifier for the local link identifier.
693 .RE
694
695 .sp
696 .ne 2
697 .na
698 \fB\fBipv6cp-max-configure\fR \fB\fIn\fR\fR \fR
699 .ad
700 .sp .6
701 .RS 4n
702 Set the maximum number of IPv6CP Configure-Request transmissions to \fIn\fR
703 (default 10).
704 .RE
705
706 .sp
707 .ne 2
708 .na
709 \fB\fBipv6cp-max-failure\fR \fB\fIn\fR\fR \fR
710 .ad
711 .sp .6
712 .RS 4n
713 Set the maximum number of IPv6CP Configure-NAKs sent before sending
714 Configure-Rejects instead to \fIn\fR (default 10).
715 .RE
716
717 .sp
718 .ne 2
719 .na
720 \fB\fBipv6cp-max-terminate\fR \fB\fIn\fR\fR \fR
721 .ad
722 .sp .6
723 .RS 4n
724 Set the maximum number of IPv6CP terminate-request transmissions to \fIn\fR
725 (default 3).
726 .RE
727
728 .sp
729 .ne 2
730 .na
731 \fB\fBipv6cp-restart\fR \fB\fIn\fR\fR \fR
732 .ad
733 .sp .6
734 .RS 4n
735 Set the IPv6CP restart interval (retransmission timeout) to \fIn\fR seconds
736 (default 3).
737 .RE
738
739 .sp
740 .ne 2
741 .na
742 \fB\fBipv6cp-use-ipaddr\fR \fR
743 .ad
744 .sp .6
745 .RS 4n
746 If either the local or remote IPv6 address is unspecified, use the
747 corresponding configured IPv4 address as a default interface identifier. (This
748 option uses the configured addresses, not the negotiated addresses. Do not use
749 it with \fBipcp-accept-local\fR if the local IPv6 identifier is unspecified or
750 with \fBipcp-accept-remote\fR if the remote IPv6 identifier is unspecified.)
751 .RE
752
753 .sp
754 .ne 2
755 .na
756 \fB\fBipv6cp-use-persistent\fR \fR
757 .ad
758 .sp .6
759 .RS 4n
760 Use uniquely-available persistent value for link local address.
761 .RE
762
763 .sp
764 .ne 2
765 .na
766 \fB\fBkdebug\fR \fB\fIn\fR\fR \fR
767 .ad
768 .sp .6
769 .RS 4n
770 Enable debugging code in the kernel-level PPP driver. Argument \fIn\fR is the
771 sum of the following values: \fB1\fR to enable general debug messages, \fB2\fR
772 to request that contents of received packets be printed, and \fB4\fR to request
773 contents of transmitted packets be printed. Messages printed by the kernel are
774 logged by \fBsyslogd\fR(1M) to a file directed in the \fB/etc/syslog.conf\fR
775 configuration file. Do not use the \fBkdebug\fR option to debug failed links.
776 Use the \fBdebug\fR option instead.
777 .RE
778
779 .sp
780 .ne 2
781 .na
782 \fB\fBlcp-echo-failure\fR \fB\fIn\fR\fR \fR
783 .ad
784 .sp .6
785 .RS 4n
786 If this option is given, \fBpppd\fR presumes the peer to be dead if \fIn\fR LCP
787 Echo-Requests are sent without receiving a valid LCP Echo-Reply. If this
788 happens, \fBpppd\fR terminates the connection. This option requires a non-zero
789 value for the \fBlcp-echo-interval\fR parameter. This option enables \fBpppd\fR
790 to terminate after the physical connection is broken (for example, if the modem
791 has hung up) in situations where no hardware modem control lines are available.
792 .RE
793
794 .sp
795 .ne 2
796 .na
797 \fB\fBlcp-echo-interval\fR \fB\fIn\fR\fR \fR
798 .ad
799 .sp .6
800 .RS 4n
801 If this option is given, \fBpppd\fR sends an LCP Echo-Request frame to the peer
802 every \fIn\fR seconds. Normally the peer responds to the Echo-Request by
803 sending an Echo-Reply. This option can be used with the \fBlcp-echo-failure\fR
804 option to detect that the peer is no longer connected.
805 .RE
806
807 .sp
808 .ne 2
809 .na
810 \fB\fBlcp-max-configure\fR \fB\fIn\fR\fR \fR
811 .ad
812 .sp .6
813 .RS 4n
814 Set the maximum number of LCP Configure-Request transmissions to \fIn\fR
815 (default 10).
816 .RE
817
818 .sp
819 .ne 2
820 .na
821 \fB\fBlcp-max-failure\fR \fB\fIn\fR\fR \fR
822 .ad
823 .sp .6
824 .RS 4n
825 Set the maximum number of LCP Configure-NAKs sent before starting to send
826 Configure-Rejects instead to \fIn\fR (default 10).
827 .RE
828
829 .sp
830 .ne 2
831 .na
832 \fB\fBlcp-max-terminate\fR \fB\fIn\fR\fR \fR
833 .ad
834 .sp .6
835 .RS 4n
836 Set the maximum number of LCP Terminate-Request transmissions to \fIn\fR
837 (default 3).
838 .RE
839
840 .sp
841 .ne 2
842 .na
843 \fB\fBlcp-restart\fR \fB\fIn\fR\fR \fR
844 .ad
845 .sp .6
846 .RS 4n
847 Set the LCP restart interval (retransmission timeout) to \fIn\fR seconds
848 (default 3).
849 .RE
850
851 .sp
852 .ne 2
853 .na
854 \fB\fBlinkname\fR \fB\fIname\fR\fR \fR
855 .ad
856 .sp .6
857 .RS 4n
858 Sets the logical name of the link to \fIname\fR. \fBpppd\fR creates a file
859 named \fBppp-\fR\fIname\fR\fB\&.pid\fR in \fB/var/run\fR containing its process
860 ID. This is useful in determining which instance of \fBpppd\fR is responsible
861 for the link to a given peer system. This is a privileged option.
862 .RE
863
864 .sp
865 .ne 2
866 .na
867 \fB\fBlocal\fR \fR
868 .ad
869 .sp .6
870 .RS 4n
871 Do not use modem control lines. With this option, \fBpppd\fR ignores the state
872 of the CD (Carrier Detect) signal from the modem and does not change the state
873 of the DTR (Data Terminal Ready) signal.
874 .RE
875
876 .sp
877 .ne 2
878 .na
879 \fB\fBlogfd\fR \fB\fIn\fR\fR \fR
880 .ad
881 .sp .6
882 .RS 4n
883 Send log messages to file descriptor \fIn\fR. \fBpppd\fR sends log messages to
884 (at most) one file or file descriptor (as well as sending the log messages to
885 syslog), so this option and the \fBlogfile\fR option are mutually exclusive. By
886 default \fBpppd\fR sends log messages to \fBstdout\fR (file descriptor 1)
887 unless the serial port is open on stdout.
888 .RE
889
890 .sp
891 .ne 2
892 .na
893 \fB\fBlogfile\fR \fB\fIfilename\fR\fR \fR
894 .ad
895 .sp .6
896 .RS 4n
897 Append log messages to the file \fIfilename\fR (and send the log messages to
898 syslog). The file is opened in append mode with the privileges of the user who
899 invoked \fBpppd\fR.
900 .RE
901
902 .sp
903 .ne 2
904 .na
905 \fB\fBlogin\fR \fR
906 .ad
907 .sp .6
908 .RS 4n
909 Use the system password database for authenticating the peer using PAP, and
910 record the user in the system \fBwtmp\fR file. Note that the peer must have an
911 entry in the \fB/etc/ppp/pap-secrets\fR file and the system password database
912 to be allowed access.
913 .RE
914
915 .sp
916 .ne 2
917 .na
918 \fB\fBmaxconnect\fR \fB\fIn\fR\fR \fR
919 .ad
920 .sp .6
921 .RS 4n
922 Terminate the connection after it has been available for network traffic for
923 \fIn\fR seconds (that is, \fIn\fR seconds after the first network control
924 protocol starts). An LCP Time-Remaining message is sent when the first NCP
925 starts, and again when 5, 2, and 0.5 minutes are remaining.
926 .RE
927
928 .sp
929 .ne 2
930 .na
931 \fB\fBmaxfail\fR \fB\fIn\fR\fR \fR
932 .ad
933 .sp .6
934 .RS 4n
935 Terminate after \fIn\fR consecutive failed connection attempts. A value of 0
936 means no limit. The default value is 10.
937 .RE
938
939 .sp
940 .ne 2
941 .na
942 \fB\fBmodem\fR \fR
943 .ad
944 .sp .6
945 .RS 4n
946 Use the modem control lines. This option is the default. With this option,
947 \fBpppd\fR waits for the CD (Carrier Detect) signal from the modem to be
948 asserted when opening the serial device (unless a connect script is specified),
949 and drops the DTR (Data Terminal Ready) signal briefly when the connection is
950 terminated and before executing the connect script.
951 .RE
952
953 .sp
954 .ne 2
955 .na
956 \fB\fBms-dns\fR \fB\fI<addr>\fR\fR \fR
957 .ad
958 .sp .6
959 .RS 4n
960 If \fBpppd\fR is acting as a server for Microsoft Windows clients, this option
961 allows \fBpppd\fR to supply one or two DNS (Domain Name Server) addresses to
962 the clients. The first instance of this option specifies the primary DNS
963 address; the second instance (if given) specifies the secondary DNS address. If
964 the first instance specifies a name that resolves to multiple IP addresses,
965 then the first two addresses are used. (This option is present in some older
966 versions of \fBpppd\fR under the name \fBdns-addr\fR.)
967 .RE
968
969 .sp
970 .ne 2
971 .na
972 \fB\fBms-lanman\fR \fR
973 .ad
974 .sp .6
975 .RS 4n
976 If \fBpppd\fR connects as a client to a Microsoft server and uses MS-CHAPv1 for
977 authentication, this option selects the LAN Manager password style instead of
978 Microsoft NT.
979 .RE
980
981 .sp
982 .ne 2
983 .na
984 \fB\fBms-wins\fR \fB\fI<addr>\fR\fR \fR
985 .ad
986 .sp .6
987 .RS 4n
988 If \fBpppd\fR acts as a server for Microsoft Windows or Samba clients, this
989 option allows \fBpppd\fR to supply one or two WINS (Windows Internet Name
990 Services) server addresses to the clients. The first instance of this option
991 specifies the primary WINS address; the second instance (if given) specifies
992 the secondary WINS address. As with \fBms-dns\fR, if the name specified
993 resolves to multiple IP addresses, then the first two will be taken as primary
994 and secondary.
995 .RE
996
997 .sp
998 .ne 2
999 .na
1000 \fB\fBname\fR \fB\fIname\fR\fR \fR
1001 .ad
1002 .sp .6
1003 .RS 4n
1004 Set the name of the local system for authentication purposes to \fIname\fR.
1005 This is a privileged option. With this option, \fBpppd\fR uses lines in the
1006 secrets files that have \fIname\fR as the second field to look for a secret to
1007 use in authenticating the peer. In addition, unless overridden with the
1008 \fBuser\fR option, \fIname\fR is used as the name to send to the peer when
1009 authenticating the local system. (Note that \fBpppd\fR does not append the
1010 domain name to \fIname\fR.)
1011 .RE
1012
1013 .sp
1014 .ne 2
1015 .na
1016 \fB\fBno-accm-test\fR \fR
1017 .ad
1018 .sp .6
1019 .RS 4n
1020 Disable use of \fBasyncmap\fR (ACCM) checking using LCP Echo-Request messages.
1021 If the \fBlcp-echo-failure\fR is used on an asynchronous line, \fBpppd\fR
1022 includes all control characters in the first \fIn\fR LCP Echo-Request messages.
1023 If the \fBasyncmap\fR is set incorrectly, the link drops rather than continue
1024 operation with random failures. This option disables that feature.
1025 .RE
1026
1027 .sp
1028 .ne 2
1029 .na
1030 \fB\fBnoaccomp\fR \fR
1031 .ad
1032 .sp .6
1033 .RS 4n
1034 Disable HDLC Address/Control compression in both directions (send and receive).
1035 .RE
1036
1037 .sp
1038 .ne 2
1039 .na
1040 \fB\fBnoauth\fR \fR
1041 .ad
1042 .sp .6
1043 .RS 4n
1044 Do not require the peer to authenticate itself. This option is privileged.
1045 .RE
1046
1047 .sp
1048 .ne 2
1049 .na
1050 \fB\fBnobsdcomp\fR \fR
1051 .ad
1052 .sp .6
1053 .RS 4n
1054 Disables BSD-Compress compression; \fBpppd\fR will not request or agree to
1055 compress packets using the BSD-Compress scheme. This option is not necessary if
1056 \fBnoccp\fR is specified.
1057 .RE
1058
1059 .sp
1060 .ne 2
1061 .na
1062 \fB\fBnoccp\fR \fR
1063 .ad
1064 .sp .6
1065 .RS 4n
1066 Disable CCP (Compression Control Protocol) negotiation. This option should only
1067 be required if the peer has bugs or becomes confused by requests from
1068 \fBpppd\fR for CCP negotiation. If CCP is disabled, then BSD and deflate
1069 compression do not need to be separately disabled.
1070 .RE
1071
1072 .sp
1073 .ne 2
1074 .na
1075 \fB\fBnocrtscts\fR \fR
1076 .ad
1077 .sp .6
1078 .RS 4n
1079 Disable hardware flow control (i.e. RTS/CTS) on the serial port. If the
1080 \fBcrtscts\fR, \fBnocrtscts\fR, \fBcdtrcts\fR or \fBnocdtrcts\fR options are
1081 not given, the hardware flow control setting for the serial port is left
1082 unchanged.
1083 .RE
1084
1085 .sp
1086 .ne 2
1087 .na
1088 \fB\fBnocdtrcts\fR \fR
1089 .ad
1090 .sp .6
1091 .RS 4n
1092 This option is a synonym for \fBnocrtscts\fR. Either option will disable both
1093 forms of hardware flow control.
1094 .RE
1095
1096 .sp
1097 .ne 2
1098 .na
1099 \fB\fBnodefaultroute\fR \fR
1100 .ad
1101 .sp .6
1102 .RS 4n
1103 Disable the \fBdefaultroute\fR option. You can prevent non-root users from
1104 creating default routes with \fBpppd\fR by placing this option in the
1105 \fB/etc/ppp/options\fR file.
1106 .RE
1107
1108 .sp
1109 .ne 2
1110 .na
1111 \fB\fBnodeflate\fR \fR
1112 .ad
1113 .sp .6
1114 .RS 4n
1115 Disables deflate compression; \fBpppd\fR will not request or agree to compress
1116 packets using the deflate scheme. This option is not necessary if \fBnoccp\fR
1117 is specified.
1118 .RE
1119
1120 .sp
1121 .ne 2
1122 .na
1123 \fB\fBnodeflatedraft\fR \fR
1124 .ad
1125 .sp .6
1126 .RS 4n
1127 Do not use Internet Draft (incorrectly assigned) algorithm number for deflate
1128 compression. This option is not necessary if \fBnoccp\fR is specified.
1129 .RE
1130
1131 .sp
1132 .ne 2
1133 .na
1134 \fB\fBnodetach\fR \fR
1135 .ad
1136 .sp .6
1137 .RS 4n
1138 Do not detach from the controlling terminal. Without this option, \fBpppd\fR
1139 forks to become a background process if a serial device other than the terminal
1140 on the standard input is specified.
1141 .RE
1142
1143 .sp
1144 .ne 2
1145 .na
1146 \fB\fBnoendpoint\fR \fR
1147 .ad
1148 .sp .6
1149 .RS 4n
1150 Do not send or accept the Multilink Endpoint Discriminator option.
1151 .RE
1152
1153 .sp
1154 .ne 2
1155 .na
1156 \fB\fBnoident\fR \fR
1157 .ad
1158 .sp .6
1159 .RS 4n
1160 Disable use of LCP Identification. LCP Identification messages will not be sent
1161 to the peer, but received messages will be logged. (Specify this option twice
1162 to completely disable LCP Identification. In this case, \fBpppd\fR sends LCP
1163 Code-Reject in response to received LCP Identification messages.)
1164 .RE
1165
1166 .sp
1167 .ne 2
1168 .na
1169 \fB\fBnoip\fR \fR
1170 .ad
1171 .sp .6
1172 .RS 4n
1173 Disable IPCP negotiation and IP communication. Use this option only if the peer
1174 has bugs or becomes confused by requests from \fBpppd\fR for IPCP negotiation.
1175 .RE
1176
1177 .sp
1178 .ne 2
1179 .na
1180 \fB\fBnoipv6\fR \fR
1181 .ad
1182 .sp .6
1183 .RS 4n
1184 Disable IPv6CP negotiation and IPv6 communication. IPv6 is not enabled by
1185 default.
1186 .RE
1187
1188 .sp
1189 .ne 2
1190 .na
1191 \fB\fBnoipdefault\fR \fR
1192 .ad
1193 .sp .6
1194 .RS 4n
1195 Disables the default behavior when no local IP address is specified, which is
1196 to determine (if possible) the local IP address from the hostname. With this
1197 option, the peer must supply the local IP address during IPCP negotiation
1198 (unless it specified explicitly on the command line or in an options file).
1199 .RE
1200
1201 .sp
1202 .ne 2
1203 .na
1204 \fB\fBnolog\fR \fR
1205 .ad
1206 .sp .6
1207 .RS 4n
1208 Do not send log messages to a file or file descriptor. This option cancels the
1209 \fBlogfd\fR and \fBlogfile\fR options. \fBnologfd\fR acts as an alias for this
1210 option.
1211 .RE
1212
1213 .sp
1214 .ne 2
1215 .na
1216 \fB\fBnomagic\fR \fR
1217 .ad
1218 .sp .6
1219 .RS 4n
1220 Disable magic number negotiation. With this option, \fBpppd\fR cannot detect a
1221 looped-back line. Use this option only if the peer has bugs. Do not use this
1222 option to work around the "Serial line is looped back" error message.
1223 .RE
1224
1225 .sp
1226 .ne 2
1227 .na
1228 \fB\fBnopam\fR \fR
1229 .ad
1230 .sp .6
1231 .RS 4n
1232 This privileged option disables use of pluggable authentication modules. If
1233 this option is specified, \fBpppd\fR reverts to standard authentication
1234 mechanisms. The default is not to use PAM.
1235 .RE
1236
1237 .sp
1238 .ne 2
1239 .na
1240 \fB\fBnopcomp\fR \fR
1241 .ad
1242 .sp .6
1243 .RS 4n
1244 Disable protocol field compression negotiation in the receive and the transmit
1245 direction.
1246 .RE
1247
1248 .sp
1249 .ne 2
1250 .na
1251 \fB\fBnopersist\fR \fR
1252 .ad
1253 .sp .6
1254 .RS 4n
1255 Exit once a connection has been made and terminated. This is the default unless
1256 the \fBpersist\fR or \fBdemand\fR option is specified.
1257 .RE
1258
1259 .sp
1260 .ne 2
1261 .na
1262 \fB\fBnoplink\fR \fR
1263 .ad
1264 .sp .6
1265 .RS 4n
1266 Cause \fBpppd\fR to use I_LINK instead of I_PLINK. This is the default. When
1267 I_LINK is used, the system cleans up terminated interfaces (even when SIGKILL
1268 is used) but does not allow \fBifconfig\fR(1M) to unplumb PPP streams or insert
1269 or remove modules dynamically. Use the \fBplink\fR option if \fBifconfig\fR(1M)
1270 modinsert, modremove or unplumb support is needed.
1271 .RE
1272
1273 .sp
1274 .ne 2
1275 .na
1276 \fB\fBnopredictor1\fR \fR
1277 .ad
1278 .sp .6
1279 .RS 4n
1280 Do not accept or agree to Predictor-1 compression. (This option is accepted for
1281 compatibility. The implementation does not support Predictor-1 compression.)
1282 .RE
1283
1284 .sp
1285 .ne 2
1286 .na
1287 \fB\fBnoproxyarp\fR \fR
1288 .ad
1289 .sp .6
1290 .RS 4n
1291 Disable the \fBproxyarp\fR option. If you want to prevent users from creating
1292 proxy ARP entries with \fBpppd\fR, place this option in the
1293 \fB/etc/ppp/options\fR file.
1294 .RE
1295
1296 .sp
1297 .ne 2
1298 .na
1299 \fB\fBnotty\fR \fR
1300 .ad
1301 .sp .6
1302 .RS 4n
1303 Normally, \fBpppd\fR requires a terminal device. With this option, \fBpppd\fR
1304 allocates itself a pseudo-tty master/slave pair and uses the slave as its
1305 terminal device. \fBpppd\fR creates a child process to act as a character shunt
1306 to transfer characters between the pseudo-tty master and its standard input and
1307 output. Thus, \fBpppd\fR transmits characters on its standard output and
1308 receives characters on its standard input even if they are not terminal
1309 devices. This option increases the latency and CPU overhead of transferring
1310 data over the ppp interface as all of the characters sent and received must
1311 flow through the character shunt process. An explicit device name may not be
1312 given if this option is used.
1313 .RE
1314
1315 .sp
1316 .ne 2
1317 .na
1318 \fB\fBnovj\fR \fR
1319 .ad
1320 .sp .6
1321 .RS 4n
1322 Disable Van Jacobson style TCP/IP header compression in both the transmit and
1323 the receive direction.
1324 .RE
1325
1326 .sp
1327 .ne 2
1328 .na
1329 \fB\fBnovjccomp\fR \fR
1330 .ad
1331 .sp .6
1332 .RS 4n
1333 Disable the connection-ID compression option in Van Jacobson style TCP/IP
1334 header compression. With this option, \fBpppd\fR does not omit the
1335 connection-ID byte from Van Jacobson compressed TCP/IP headers, nor does it ask
1336 the peer to do so. This option is unnecessary if \fBnovj\fR is specified.
1337 .RE
1338
1339 .sp
1340 .ne 2
1341 .na
1342 \fB\fBpam\fR \fR
1343 .ad
1344 .sp .6
1345 .RS 4n
1346 This privileged option enables use of PAM. If this is specified, \fBpppd\fR
1347 uses the \fBpam\fR(3PAM) framework for user authentication with a service name
1348 of "ppp" if the \fBlogin\fR option and PAP authentication are used. The default
1349 is not to use PAM.
1350 .RE
1351
1352 .sp
1353 .ne 2
1354 .na
1355 \fB\fBpapcrypt\fR \fR
1356 .ad
1357 .sp .6
1358 .RS 4n
1359 Indicates that \fBpppd\fR should not accept a password which, before
1360 encryption, is identical to the secret from the \fB/etc/ppp/pap-secrets\fR
1361 file. Use this option if the secrets in the \fBpap-secrets\fR file are in
1362 \fBcrypt\fR(3C) format.
1363 .RE
1364
1365 .sp
1366 .ne 2
1367 .na
1368 \fB\fBpap-max-authreq\fR \fB\fIn\fR\fR \fR
1369 .ad
1370 .sp .6
1371 .RS 4n
1372 Set the maximum number of PAP authenticate-request transmissions to \fIn\fR
1373 (default 10).
1374 .RE
1375
1376 .sp
1377 .ne 2
1378 .na
1379 \fB\fBpap-restart\fR \fB\fIn\fR\fR \fR
1380 .ad
1381 .sp .6
1382 .RS 4n
1383 Set the PAP restart interval (retransmission timeout) to \fIn\fR seconds
1384 (default 3).
1385 .RE
1386
1387 .sp
1388 .ne 2
1389 .na
1390 \fB\fBpap-timeout\fR \fB\fIn\fR\fR \fR
1391 .ad
1392 .sp .6
1393 .RS 4n
1394 Set the maximum time that \fBpppd\fR waits for the peer to authenticate itself
1395 with PAP to \fIn\fR seconds (0= no limit). The default is 30 seconds.
1396 .RE
1397
1398 .sp
1399 .ne 2
1400 .na
1401 \fB\fBpassword\fR \fB\fIstring\fR\fR \fR
1402 .ad
1403 .sp .6
1404 .RS 4n
1405 Password string for authentication to the peer.
1406 .RE
1407
1408 .sp
1409 .ne 2
1410 .na
1411 \fB\fBpersist\fR \fR
1412 .ad
1413 .sp .6
1414 .RS 4n
1415 Do not exit after a connection is terminated; instead try to reopen the
1416 connection.
1417 .RE
1418
1419 .sp
1420 .ne 2
1421 .na
1422 \fB\fBplink\fR \fR
1423 .ad
1424 .sp .6
1425 .RS 4n
1426 Cause \fBpppd\fR to use I_PLINK instead of I_LINK. The default is to use
1427 I_LINK, which cleans up terminated interface (even if SIGKILL is used), but
1428 does not allow \fBifconfig\fR(1M) to unplumb PPP streams or insert or remove
1429 modules dynamically. Use this option if \fBifconfig\fR(1M)
1430 modinsert/modremove/unplumb support is needed. See also the \fBplumbed\fR
1431 option.
1432 .RE
1433
1434 .sp
1435 .ne 2
1436 .na
1437 \fB\fBplugin\fR \fB\fIfilename\fR\fR \fR
1438 .ad
1439 .sp .6
1440 .RS 4n
1441 Load the shared library object file \fIfilename\fR as a plugin. This is a
1442 privileged option. Unless the filename specifies an explicit path,
1443 \fB/etc/ppp/plugins\fR and \fB/usr/lib/inet/ppp\fR will be searched for the
1444 object to load in that order.
1445 .RE
1446
1447 .sp
1448 .ne 2
1449 .na
1450 \fB\fBplumbed\fR \fR
1451 .ad
1452 .sp .6
1453 .RS 4n
1454 This option indicates that \fBpppd\fR should find a plumbed interface and use
1455 that for the session. If IPv4 addresses or IPv6 interface IDs or link MTU are
1456 otherwise unspecified, they are copied from the interface selected. This mode
1457 mimics some of the functionality of the older \fBaspppd\fR implementation and
1458 may be helpful when \fBpppd\fR is used with external applications that use
1459 \fBifconfig\fR(1M).
1460 .RE
1461
1462 .sp
1463 .ne 2
1464 .na
1465 \fB\fBpppmux\fR \fB\fItimer\fR\fR \fR
1466 .ad
1467 .sp .6
1468 .RS 4n
1469 Enable PPP Multiplexing option negotiation and set transmit multiplexing
1470 timeout to \fItimer\fR microseconds.
1471 .RE
1472
1473 .sp
1474 .ne 2
1475 .na
1476 \fB\fBprivgroup\fR \fB\fIgroup-name\fR\fR \fR
1477 .ad
1478 .sp .6
1479 .RS 4n
1480 Allows members of group \fIgroup-name\fR to use privileged options. This is a
1481 privileged option. Because there is no guarantee that members of
1482 \fIgroup-name\fR cannot use \fBpppd\fR to become root themselves, you should be
1483 careful using this option. Consider it equivalent to putting the members of
1484 \fIgroup-name\fR in the \fBroot\fR or \fBsys\fR group.
1485 .RE
1486
1487 .sp
1488 .ne 2
1489 .na
1490 \fB\fBproxyarp\fR \fR
1491 .ad
1492 .sp .6
1493 .RS 4n
1494 Add an entry to the system's Address Resolution Protocol (ARP) table with the
1495 IP address of the peer and the Ethernet address of this system. When you use
1496 this option, the peer appears to other systems to be on the local Ethernet. The
1497 remote address on the PPP link must be in the same subnet as assigned to an
1498 Ethernet interface.
1499 .RE
1500
1501 .sp
1502 .ne 2
1503 .na
1504 \fB\fBpty\fR \fB \fIscript\fR\fR \fR
1505 .ad
1506 .sp .6
1507 .RS 4n
1508 Specifies that the command \fIscript\fR, and not a specific terminal device is
1509 used for serial communication. \fBpppd\fR allocates itself a pseudo-tty
1510 master/slave pair and uses the slave as its terminal device. \fIscript\fR runs
1511 in a child process with the pseudo-tty master as its standard input and output.
1512 An explicit device name may not be given if this option is used. (Note: if the
1513 \fBrecord\fR option is used in conjunction with the \fBpty\fR option, the child
1514 process will have pipes on its standard input and output.)
1515 .RE
1516
1517 .sp
1518 .ne 2
1519 .na
1520 \fB\fBreceive-all\fR \fR
1521 .ad
1522 .sp .6
1523 .RS 4n
1524 With this option, \fBpppd\fR accepts all control characters from the peer,
1525 including those marked in the receive \fBasyncmap\fR. Without this option,
1526 \fBpppd\fR discards those characters as specified in \fIRFC 1662\fR. This
1527 option should be used only if the peer has bugs, as is often found with
1528 dial-back implementations.
1529 .RE
1530
1531 .sp
1532 .ne 2
1533 .na
1534 \fB\fBrecord\fR \fB\fIfilename\fR\fR \fR
1535 .ad
1536 .sp .6
1537 .RS 4n
1538 Directs \fBpppd\fR to record all characters sent and received to a file named
1539 \fIfilename\fR. \fIfilename\fR is opened in append mode, using the user's
1540 user-ID and permissions. Because this option uses a pseudo-tty and a process to
1541 transfer characters between the pseudo-tty and the real serial device, it
1542 increases the latency and CPU overhead of transferring data over the PPP
1543 interface. Characters are stored in a tagged format with timestamps that can be
1544 displayed in readable form using the \fBpppdump\fR(1M) program. This option is
1545 generally used when debugging the kernel portion of \fBpppd\fR (especially CCP
1546 compression algorithms) and not for debugging link configuration problems. See
1547 the \fBdebug\fR option.
1548 .RE
1549
1550 .sp
1551 .ne 2
1552 .na
1553 \fB\fBremotename\fR \fB\fIname\fR\fR \fR
1554 .ad
1555 .sp .6
1556 .RS 4n
1557 Set the assumed name of the remote system for authentication purposes to
1558 \fIname\fR. Microsoft WindowsNT does not provide a system name in its CHAP
1559 Challenge messages, and this option is often used to work around this problem.
1560 .RE
1561
1562 .sp
1563 .ne 2
1564 .na
1565 \fB\fBrefuse-chap\fR \fR
1566 .ad
1567 .sp .6
1568 .RS 4n
1569 With this option, \fBpppd\fR will not agree to authenticate itself to the peer
1570 using standard Challenge Handshake Authentication Protocol (CHAP). (MS-CHAP is
1571 not affected.)
1572 .RE
1573
1574 .sp
1575 .ne 2
1576 .na
1577 \fB\fBrefuse-mschap\fR \fR
1578 .ad
1579 .sp .6
1580 .RS 4n
1581 Do not agree to authenticate to peer with MS-CHAPv1. If this option is
1582 specified, requests for MS-CHAPv1 authentication from the peer are declined
1583 with LCP Configure-Nak. That option does not disable any other form of CHAP.
1584 .RE
1585
1586 .sp
1587 .ne 2
1588 .na
1589 \fB\fBrefuse-mschapv2\fR \fR
1590 .ad
1591 .sp .6
1592 .RS 4n
1593 Do not agree to authenticate to peer with MS-CHAPv2. If specified, this option
1594 requests that MS-CHAPv2 authentication from the peer be declined with LCP
1595 Configure-Nak. That option does not disable any other form of CHAP.
1596 .RE
1597
1598 .sp
1599 .ne 2
1600 .na
1601 \fB\fBrefuse-pap\fR \fR
1602 .ad
1603 .sp .6
1604 .RS 4n
1605 With this option, \fBpppd\fR will not agree to authenticate itself to the peer
1606 using Password Authentication Protocol (PAP).
1607 .RE
1608
1609 .sp
1610 .ne 2
1611 .na
1612 \fB\fBrequire-chap\fR \fR
1613 .ad
1614 .sp .6
1615 .RS 4n
1616 Require the peer to authenticate itself using standard CHAP authentication.
1617 MS-CHAP is not affected.
1618 .RE
1619
1620 .sp
1621 .ne 2
1622 .na
1623 \fB\fBrequire-mschap\fR \fR
1624 .ad
1625 .sp .6
1626 .RS 4n
1627 Require the peer to authenticate itself using MS-CHAPv1 authentication.
1628 .RE
1629
1630 .sp
1631 .ne 2
1632 .na
1633 \fB\fBrequire-mschapv2\fR \fR
1634 .ad
1635 .sp .6
1636 .RS 4n
1637 Require the peer to authenticate itself using MS-CHAPv2 authentication.
1638 .RE
1639
1640 .sp
1641 .ne 2
1642 .na
1643 \fB\fBrequire-pap\fR \fR
1644 .ad
1645 .sp .6
1646 .RS 4n
1647 Require the peer to authenticate itself using PAP authentication.
1648 .RE
1649
1650 .sp
1651 .ne 2
1652 .na
1653 \fB\fBshow-password\fR \fR
1654 .ad
1655 .sp .6
1656 .RS 4n
1657 When logging contents of PAP packets, this option causes \fBpppd\fR to show the
1658 password string in the log message.
1659 .RE
1660
1661 .sp
1662 .ne 2
1663 .na
1664 \fB\fBsilent\fR \fR
1665 .ad
1666 .sp .6
1667 .RS 4n
1668 With this option, \fBpppd\fR will not transmit LCP packets to initiate a
1669 connection until a valid LCP packet is received from the peer. This is like the
1670 "passive" option with older versions of \fBpppd\fR and is retained for
1671 compatibility, but the current \fBpassive\fR option is preferred.
1672 .RE
1673
1674 .sp
1675 .ne 2
1676 .na
1677 \fB\fBsmall-accm-test\fR \fR
1678 .ad
1679 .sp .6
1680 .RS 4n
1681 When checking the \fBasyncmap\fR (ACCM) setting, \fBpppd\fR uses all 256
1682 possible values by default. See \fBno-accm-test\fR. This option restricts the
1683 test so that only the 32 values affected by standard ACCM negotiation are
1684 tested. This option is useful on very slow links.
1685 .RE
1686
1687 .sp
1688 .ne 2
1689 .na
1690 \fB\fBsocket\fR \fB\fIhost\fR:\fIport\fR\fR \fR
1691 .ad
1692 .sp .6
1693 .RS 4n
1694 Connect to given host and port using TCP and run PPP over this connection.
1695 .RE
1696
1697 .sp
1698 .ne 2
1699 .na
1700 \fB\fBsync\fR \fR
1701 .ad
1702 .sp .6
1703 .RS 4n
1704 Use synchronous HDLC serial encoding instead of asynchronous. The device used
1705 by \fBpppd\fR with this option must have sync support. Currently supports
1706 \fBzs\fR, \fBse\fR, and \fBhsi\fR drivers.
1707 .RE
1708
1709 .sp
1710 .ne 2
1711 .na
1712 \fB\fBunit\fR \fB\fIn\fR\fR \fR
1713 .ad
1714 .sp .6
1715 .RS 4n
1716 Set PPP interface unit number to \fIn\fR, if possible.
1717 .RE
1718
1719 .sp
1720 .ne 2
1721 .na
1722 \fB\fBupdetach\fR \fR
1723 .ad
1724 .sp .6
1725 .RS 4n
1726 With this option, \fBpppd\fR detaches from its controlling terminal after
1727 establishing the PPP connection. When this is specified, messages sent to
1728 \fBstderr\fR by the connect script, usually \fBchat\fR(1M), and debugging
1729 messages from the debug option are directed to \fBpppd\fR's standard output.
1730 .RE
1731
1732 .sp
1733 .ne 2
1734 .na
1735 \fB\fBusehostname\fR \fR
1736 .ad
1737 .sp .6
1738 .RS 4n
1739 Enforce the use of the hostname with domain name appended, if given, as the
1740 name of the local system for authentication purposes. This overrides the
1741 \fBname\fR option. Because the \fBname\fR option is privileged, this option is
1742 normally not needed.
1743 .RE
1744
1745 .sp
1746 .ne 2
1747 .na
1748 \fB\fBusepeerdns\fR \fR
1749 .ad
1750 .sp .6
1751 .RS 4n
1752 Ask the peer for up to two DNS server addresses. Addresses supplied by the
1753 peer, if any, are passed to the \fB/etc/ppp/ip-up\fR script in the environment
1754 variables DNS1 and DNS2. In addition, \fBpppd\fR creates an
1755 \fB/etc/ppp/resolv.conf\fR file containing one or two nameserver lines with the
1756 address(es) supplied by the peer.
1757 .RE
1758
1759 .sp
1760 .ne 2
1761 .na
1762 \fB\fBuser\fR \fB\fIname\fR\fR \fR
1763 .ad
1764 .sp .6
1765 .RS 4n
1766 Sets the name used for authenticating the local system to the peer to
1767 \fIname\fR.
1768 .RE
1769
1770 .sp
1771 .ne 2
1772 .na
1773 \fB\fBvj-max-slots\fR \fB\fIn\fR\fR \fR
1774 .ad
1775 .sp .6
1776 .RS 4n
1777 Sets the number of connection slots to be used by the Van Jacobson TCP/IP
1778 header compression and decompression code to \fIn\fR, which must be between 2
1779 and 16 (inclusive).
1780 .RE
1781
1782 .sp
1783 .ne 2
1784 .na
1785 \fB\fBwelcome\fR \fB\fIscript\fR\fR \fR
1786 .ad
1787 .sp .6
1788 .RS 4n
1789 Run the executable or shell command specified by \fIscript\fR before initiating
1790 PPP negotiation, after the connect script, if any, has completed. A value for
1791 this option from a privileged source cannot be overridden by a non-privileged
1792 user.
1793 .RE
1794
1795 .sp
1796 .ne 2
1797 .na
1798 \fB\fBxonxoff\fR \fR
1799 .ad
1800 .sp .6
1801 .RS 4n
1802 Use software flow control, that is, XON/XOFF, to control the flow of data on
1803 the serial port.
1804 .RE
1805
1806 .SS "Obsolete Options"
1807 The following options are obsolete:
1808 .sp
1809 .ne 2
1810 .na
1811 \fB\fB+ua\fR \fB\fIname\fR\fR\fR
1812 .ad
1813 .RS 14n
1814 Read a PAP user name and password from the file \fIname\fR. This file must have
1815 two lines for name and password. Name and password are sent to the peer when
1816 the peer requests PAP authentication.
1817 .RE
1818
1819 .sp
1820 .ne 2
1821 .na
1822 \fB\fB+ipv6\fR \fR
1823 .ad
1824 .RS 14n
1825 Enable IPv6 and IPv6CP without specifying interface identifiers.
1826 .RE
1827
1828 .sp
1829 .ne 2
1830 .na
1831 \fB\fB--version\fR \fR
1832 .ad
1833 .RS 14n
1834 Show version number and exit.
1835 .RE
1836
1837 .sp
1838 .ne 2
1839 .na
1840 \fB\fB--help\fR \fR
1841 .ad
1842 .RS 14n
1843 Show brief help message and exit.
1844 .RE
1845
1846 .SH EXTENDED DESCRIPTION
1847 The following sections discuss miscellaneous features of \fBpppd\fR:
1848 .SS "Security"
1849 \fBpppd\fR allows system administrators to provide legitimate users with PPP
1850 access to a server machine without fear of compromising the security of the
1851 server or the network it runs on. Access control is provided by restricting IP
1852 addresses the peer may use based on its authenticated identity (if any), and
1853 through restrictions on options a non-privileged user may use. Options that
1854 permit potentially insecure configurations are privileged. Privileged options
1855 are accepted only in files that are under the control of the system
1856 administrator or when \fBpppd\fR is being run by root.
1857 .sp
1858 .LP
1859 By default, \fBpppd\fR allows an unauthenticated peer to use a given IP address
1860 only if the system does not already have a route to that IP address. For
1861 example, a system with a permanent connection to the wider Internet will
1862 normally have a default route, meaning all peers must authenticate themselves
1863 to set up a connection. On such a system, the \fBauth\fR option is the default.
1864 Conversely, a system with a PPP link that comprises the only connection to the
1865 Internet probably does not possess a default route, so the peer can use
1866 virtually any IP address without authenticating itself.
1867 .sp
1868 .LP
1869 Security-sensitive options are privileged and cannot be accessed by a
1870 non-privileged user running \fBpppd\fR, either on the command line, in the
1871 user's \fB$HOME/.ppprc\fR file, or in an options file read using the \fBfile\fR
1872 option. Privileged options may be used in \fB/etc/ppp/options\fR file or in an
1873 options file read using the \fBcall\fR option. If \fBpppd\fR is run by the root
1874 user, privileged options can be used without restriction. If the
1875 \fB/etc/ppp/options\fR file does not exist, then only root may invoke
1876 \fBpppd\fR. The \fB/etc/ppp/options\fR file must be created (but may be empty)
1877 to allow ordinary non-root users to access \fBpppd\fR.
1878 .sp
1879 .LP
1880 When opening the device, \fBpppd\fR uses the invoking user's user ID or the
1881 root UID (that is, 0), depending if the device name was specified by the user
1882 or the system administrator. If the device name comes from a privileged source,
1883 that is, \fB/etc/ppp/options\fR or an options file read using the \fBcall\fR
1884 option, \fBpppd\fR uses full root privileges when opening the device. Thus, by
1885 creating an appropriate file under \fB/etc/ppp/peers\fR, the system
1886 administrator can allow users to establish a PPP connection via a device that
1887 they would not normally have access to. Otherwise \fBpppd\fR uses the invoking
1888 user's real UID when opening the device.
1889 .SS "Authentication"
1890 During the authentication process, one peer convinces the other of its identity
1891 by sending its name and some secret information to the other. During
1892 authentication, the first peer becomes the "client" and the second becomes the
1893 "server." Authentication names can (but are not required to) correspond to the
1894 peer's Internet hostnames.
1895 .sp
1896 .LP
1897 \fBpppd\fR supports four authentication protocols: the Password Authentication
1898 Protocol (PAP) and three forms of the Challenge Handshake Authentication
1899 Protocol (CHAP). With the PAP protocol, the client sends its name and a
1900 cleartext password to the server to authenticate itself. With CHAP, the server
1901 initiates the authentication exchange by sending a challenge to the client who
1902 must respond with its name and a hash value derived from the shared secret and
1903 the challenge.
1904 .sp
1905 .LP
1906 The PPP protocol is symmetrical, meaning that each peer may be required to
1907 authenticate itself to the other. Different authentication protocols and names
1908 can be used for each exchange.
1909 .sp
1910 .LP
1911 By default, \fBpppd\fR authenticates if requested and does not require
1912 authentication from the peer. However, \fBpppd\fR does not authenticate itself
1913 with a specific protocol if it has no secrets that can do so.
1914 .sp
1915 .LP
1916 \fBpppd\fR stores authentication secrets in the \fB/etc/ppp/pap-secrets\fR (for
1917 PAP), and \fB/etc/ppp/chap-secrets\fR (for CHAP) files. Both files use the same
1918 format. \fBpppd\fR uses secrets files to authenticate itself to other systems
1919 and to authenticate other systems to itself.
1920 .sp
1921 .LP
1922 Secrets files contain one secret per line. Secrets are specific to a particular
1923 combination of client and server and can only be used by that client to
1924 authenticate itself to that server. Each line in a secrets file has a minimum
1925 of three fields that contain the client and server names followed by the
1926 secret. Often, these three fields are followed by IP addresses that are used by
1927 clients to connect to a server.
1928 .sp
1929 .LP
1930 A secrets file is parsed into words, with client name, server name and secrets
1931 fields allocated one word each. Embedded spaces or other special characters
1932 within a word must be quoted or escaped. Case is significant in all three
1933 fields.
1934 .sp
1935 .LP
1936 A secret beginning with an at sign ("@") is followed by the name of a file
1937 containing the secret. An asterisk (*) as the client or server name matches any
1938 name. When choosing a match, \fBpppd\fR selects the one with the fewest
1939 wildcards. Succeeding words on a line are interpreted by \fBpppd\fR as
1940 acceptable IP addresses for that client. IP Addresses are disallowed if they
1941 appear in lines that contain only three words or lines whose first word begins
1942 with a hyphen ("-"). To allow any address, use "*". An address starting with an
1943 exclamation point ("!") indicates that the specified address is not acceptable.
1944 An address may be followed by "/" and a number \fIn\fR to indicate a whole
1945 subnet (all addresses that have the same value in the most significant \fIn\fR
1946 bits). In this form, the address may be followed by a plus sign ("+") to
1947 indicate that one address from the subnet is authorized, based on the ppp
1948 network interface unit number in use. In this case, the host part of the
1949 address is set to the unit number, plus one.
1950 .sp
1951 .LP
1952 When authenticating the peer, \fBpppd\fR chooses a secret with the peer's name
1953 in the first field of the secrets file and the name of the local system in the
1954 second field. The local system name defaults to the hostname, with the domain
1955 name appended if the \fBdomain\fR option is used. The default can be overridden
1956 with the \fBname\fR option unless the \fBusehostname\fR option is used.
1957 .sp
1958 .LP
1959 When authenticating to the peer, \fBpppd\fR first determines the name it will
1960 use to identify itself to the peer. This name is specified with the \fBuser\fR
1961 option. If the \fBuser\fR option is not used, the name defaults to the host
1962 name of the local system. \fBpppd\fR then selects a secret from the secrets
1963 file by searching for an entry with a local name in the first field and the
1964 peer's name in the second field. \fBpppd\fR will know the name of the peer if
1965 standard CHAP authentication is used because the peer will have sent it in the
1966 Challenge packet. However, if MS-CHAP or PAP is being used, \fBpppd\fR must
1967 determine the peer's name from the options specified by the user. The user can
1968 specify the peer's name directly with the \fBremotename\fR option. Otherwise,
1969 if the remote IP address was specified by a name, rather than in numeric form,
1970 that name will be used as the peer's name. If that fails, \fBpppd\fR uses the
1971 null string as the peer's name.
1972 .sp
1973 .LP
1974 When authenticating the peer with PAP, the supplied password is compared with
1975 data in the secrets file. If the password and secret do not match, the password
1976 is encrypted using \fBcrypt()\fR and checked against the secret again. If the
1977 \fBpapcrypt\fR option is given, the first unencrypted comparison is omitted for
1978 better security, and entries must thus be in encrypted \fBcrypt\fR(3C) form.
1979 .sp
1980 .LP
1981 If the \fBlogin\fR option is specified, the username and password are also
1982 checked against the system password database. This allows you to set up the
1983 \fBpap-secrets\fR file to enable PPP access only to certain users, and to
1984 restrict the set of IP addresses available to users. Typically, when using the
1985 \fBlogin\fR option, the secret in \fB/etc/ppp/pap-secrets\fR would be "", which
1986 matches any password supplied by the peer. This makes having the same secret in
1987 two places unnecessary. When \fBlogin\fR is used, the \fBpam\fR option enables
1988 access control through \fBpam\fR(3PAM).
1989 .sp
1990 .LP
1991 Authentication must be completed before IPCP (or other network protocol) can be
1992 started. If the peer is required to authenticate itself and fails, \fBpppd\fR
1993 closes LCP and terminates the link. If IPCP negotiates an unacceptable IP
1994 address for the remote host, IPCP is closed. IP packets are sent or received
1995 only when IPCP is open.
1996 .sp
1997 .LP
1998 To allow hosts that cannot authenticate themselves to connect and use one of a
1999 restricted set of IP addresses, add a line to the \fBpap-secrets\fR file
2000 specifying the empty string for the client name and secret.
2001 .sp
2002 .LP
2003 Additional \fBpppd\fR options for a given peer may be specified by placing them
2004 at the end of the secrets entry, separated by two dashes (--). For example
2005 .sp
2006 .in +2
2007 .nf
2008 peername servername secret ip-address -- novj
2009 .fi
2010 .in -2
2011
2012 .SS "Routing"
2013 When IPCP negotiation is complete, \fBpppd\fR informs the kernel of the local
2014 and remote IP addresses for the PPP interface and creates a host route to the
2015 remote end of the link that enables peers to exchange IP packets. Communication
2016 with other machines generally requires further modification to routing tables
2017 and/or Address Resolution Protocol (ARP) tables. In most cases the
2018 \fBdefaultroute\fR and/or \fBproxyarp\fR options are sufficient for this, but
2019 further intervention may be necessary. If further intervention is required, use
2020 the \fB/etc/ppp/ip-up\fR script or a routing protocol daemon.
2021 .sp
2022 .LP
2023 To add a default route through the remote host, use the \fBdefaultroute\fR
2024 option. This option is typically used for "client" systems; that is, end-nodes
2025 that use the PPP link for access to the general Internet.
2026 .sp
2027 .LP
2028 In some cases it is desirable to use proxy ARP, for example on a server machine
2029 connected to a LAN, to allow other hosts to communicate with the remote host.
2030 \fBproxyarp\fR instructs \fBpppd\fR to look for a network interface on the same
2031 subnet as the remote host. That is, an interface supporting broadcast and ARP
2032 that is not a point-to-point or loopback interface and that is currently up. If
2033 found, \fBpppd\fR creates a permanent, published ARP entry with the IP address
2034 of the remote host and the hardware address of the network interface.
2035 .sp
2036 .LP
2037 When the \fBdemand\fR option is used, the interface IP addresses are already
2038 set at the time when IPCP comes up. If \fBpppd\fR cannot negotiate the same
2039 addresses it used to configure the interface, it changes the interface IP
2040 addresses to the negotiated addresses. This may disrupt existing connections.
2041 Using demand dialing with peers that perform dynamic IP address assignment is
2042 not recommended.
2043 .SS "Scripts"
2044 \fBpppd\fR invokes scripts at various stages during processing that are used to
2045 perform site-specific ancillary processing. These scripts may be shell scripts
2046 or executable programs. \fBpppd\fR does not wait for the scripts to finish. The
2047 scripts are executed as \fBroot\fR (with the real and effective user-id set to
2048 0), enabling them to update routing tables, run privileged daemons, or perform
2049 other tasks. Be sure that the contents of these scripts do not compromise your
2050 system's security. \fBpppd\fR runs the scripts with standard input, output and
2051 error redirected to \fB/dev/null\fR, and with an environment that is empty
2052 except for some environment variables that give information about the link. The
2053 \fBpppd\fR environment variables are:
2054 .sp
2055 .ne 2
2056 .na
2057 \fB\fBDEVICE\fR \fR
2058 .ad
2059 .RS 15n
2060 Name of the serial tty device.
2061 .RE
2062
2063 .sp
2064 .ne 2
2065 .na
2066 \fB\fBIFNAME\fR \fR
2067 .ad
2068 .RS 15n
2069 Name of the network interface.
2070 .RE
2071
2072 .sp
2073 .ne 2
2074 .na
2075 \fB\fBIPLOCAL\fR \fR
2076 .ad
2077 .RS 15n
2078 IP address for the link's local end. This is set only when IPCP has started.
2079 .RE
2080
2081 .sp
2082 .ne 2
2083 .na
2084 \fB\fBIPREMOTE\fR \fR
2085 .ad
2086 .RS 15n
2087 IP address for the link's remote end. This is set only when IPCP has started.
2088 .RE
2089
2090 .sp
2091 .ne 2
2092 .na
2093 \fB\fBPEERNAME\fR \fR
2094 .ad
2095 .RS 15n
2096 Authenticated name of the peer. This is set only if the peer authenticates
2097 itself.
2098 .RE
2099
2100 .sp
2101 .ne 2
2102 .na
2103 \fB\fBSPEED\fR \fR
2104 .ad
2105 .RS 15n
2106 Baud rate of the tty device.
2107 .RE
2108
2109 .sp
2110 .ne 2
2111 .na
2112 \fB\fBORIG_UID\fR \fR
2113 .ad
2114 .RS 15n
2115 Real user-id of user who invoked \fBpppd\fR.
2116 .RE
2117
2118 .sp
2119 .ne 2
2120 .na
2121 \fB\fBPPPLOGNAME\fR \fR
2122 .ad
2123 .RS 15n
2124 Username of the real user-id who invoked \fBpppd\fR. This is always set.
2125 .RE
2126
2127 .sp
2128 .LP
2129 \fBpppd\fR also sets the following variables for the ip-down and auth-down
2130 scripts:
2131 .sp
2132 .ne 2
2133 .na
2134 \fB\fBCONNECT_TIME\fR \fR
2135 .ad
2136 .RS 17n
2137 Number of seconds between the start of PPP negotiation and connection
2138 termination.
2139 .RE
2140
2141 .sp
2142 .ne 2
2143 .na
2144 \fB\fBBYTES_SENT\fR \fR
2145 .ad
2146 .RS 17n
2147 Number of bytes sent at the level of the serial port during the connection.
2148 .RE
2149
2150 .sp
2151 .ne 2
2152 .na
2153 \fB\fBBYTES_RCVD\fR \fR
2154 .ad
2155 .RS 17n
2156 Number of bytes received at the level of the serial port during the connection.
2157 .RE
2158
2159 .sp
2160 .ne 2
2161 .na
2162 \fB\fBLINKNAME\fR \fR
2163 .ad
2164 .RS 17n
2165 Logical name of the link, set with the \fBlinkname\fR option.
2166 .RE
2167
2168 .sp
2169 .LP
2170 If they exist, \fBpppd\fR invokes the following scripts. It is not an error if
2171 they do not exist.
2172 .sp
2173 .ne 2
2174 .na
2175 \fB\fB/etc/ppp/auth-up\fR \fR
2176 .ad
2177 .RS 23n
2178 Program or script executed after the remote system successfully authenticates
2179 itself. It is executed with five command-line arguments: \fBinterface-name
2180 peer-name user-name tty-device speed\fR. Note that this script is not executed
2181 if the peer does not authenticate itself, for example, when the \fBnoauth\fR
2182 option is used.
2183 .RE
2184
2185 .sp
2186 .ne 2
2187 .na
2188 \fB\fB/etc/ppp/auth-down\fR \fR
2189 .ad
2190 .RS 23n
2191 Program or script executed when the link goes down if \fB/etc/ppp/auth-up\fR
2192 was previously executed. It is executed in the same manner with the same
2193 parameters as \fB/etc/ppp/auth-up\fR.
2194 .RE
2195
2196 .sp
2197 .ne 2
2198 .na
2199 \fB\fB/etc/ppp/ip-up\fR \fR
2200 .ad
2201 .RS 21n
2202 A program or script that is executed when the link is available for sending and
2203 receiving IP packets (that is, IPCP has come up). It is executed with six
2204 command-line arguments: \fBinterface-name tty-device speed local-IP-address
2205 remote-IP-address ipparam\fR.
2206 .RE
2207
2208 .sp
2209 .ne 2
2210 .na
2211 \fB\fB/etc/ppp/ip-down\fR \fR
2212 .ad
2213 .RS 21n
2214 A program or script which is executed when the link is no longer available for
2215 sending and receiving IP packets. This script can be used for undoing the
2216 effects of the \fB/etc/ppp/ip-up\fR script. It is invoked in the same manner
2217 and with the same parameters as the \fBip-up\fR script.
2218 .RE
2219
2220 .sp
2221 .ne 2
2222 .na
2223 \fB\fB/etc/ppp/ipv6-up\fR \fR
2224 .ad
2225 .RS 21n
2226 Similar to \fB/etc/ppp/ip-up\fR, except that it is executed when the link is
2227 available for sending and receiving IPv6 packets. Executed with six
2228 command-line arguments: \fBinterface-name tty-device speed
2229 local-link-local-address remote-link-local-address ipparam\fR.
2230 .RE
2231
2232 .sp
2233 .ne 2
2234 .na
2235 \fB\fB/etc/ppp/ipv6-down\fR \fR
2236 .ad
2237 .RS 23n
2238 Similar to \fB/etc/ppp/ip-down\fR, but executed when IPv6 packets can no longer
2239 be transmitted on the link. Executed with the same parameters as the ipv6-up
2240 script.
2241 .RE
2242
2243 .SH EXAMPLES
2244 \fBExample 1 \fRUsing the \fBauth\fR Option
2245 .sp
2246 .LP
2247 The following examples assume that the \fB/etc/ppp/options\fR file contains the
2248 \fBauth\fR option.
2249
2250 .sp
2251 .LP
2252 \fBpppd\fR is commonly used to dial out to an ISP. You can do this using the
2253 "\fBpppd call isp\fR" command where the \fB/etc/ppp/peers/isp\fR file is set up
2254 to contain a line similar to the following:
2255
2256 .sp
2257 .in +2
2258 .nf
2259 cua/a 19200 crtscts connect '/usr/bin/chat -f /etc/ppp/chat-isp' noauth
2260 .fi
2261 .in -2
2262
2263 .sp
2264 .LP
2265 For this example, \fBchat\fR(1M) is used to dial the ISP's modem and process
2266 any login sequence required. The \fB/etc/ppp/chat-isp\fR file is used by
2267 \fBchat\fR and could contain the following:
2268
2269 .sp
2270 .in +2
2271 .nf
2272 ABORT "NO CARRIER"
2273 ABORT "NO DIALTONE"
2274 ABORT "ERROR"
2275 ABORT "NO ANSWER"
2276 ABORT "BUSY"
2277 ABORT "Username/Password Incorrect"
2278 "" "at"
2279 OK "at&f&d2&c1"
2280 OK "atdt2468135"
2281 "name:" "^Umyuserid"
2282 "word:" "\eqmypassword"
2283 "ispts" "\eq^Uppp"
2284 "~-^Uppp-~"
2285 .fi
2286 .in -2
2287
2288 .sp
2289 .LP
2290 See the \fBchat\fR(1M) man page for details of \fBchat\fR scripts.
2291
2292 .LP
2293 \fBExample 2 \fRUsing \fBpppd\fR with \fBproxyarp\fR
2294 .sp
2295 .LP
2296 \fBpppd\fR can also provide a dial-in ppp service for users. If the users
2297 already have login accounts, the simplest way to set up the ppp service is to
2298 let the users log in to their accounts and run \fBpppd\fR as shown in the
2299 following example:
2300
2301 .sp
2302 .in +2
2303 .nf
2304 example% \fBpppd proxyarp\fR
2305 .fi
2306 .in -2
2307 .sp
2308
2309 .LP
2310 \fBExample 3 \fRProviding a User with Access to PPP Facilities
2311 .sp
2312 .LP
2313 To provide a user with access to the PPP facilities, allocate an IP address for
2314 the user's machine, create an entry in \fB/etc/ppp/pap-secrets\fR or
2315 \fB/etc/ppp/chap-secrets\fR. This enables the user's machine to authenticate
2316 itself. For example, to enable user "Joe" using machine "joespc" to dial in to
2317 machine "server" and use the IP address "joespc.example.net," add the following
2318 entry to the \fB/etc/ppp/pap-secrets\fR or \fB/etc/ppp/chap-secrets\fR files:
2319
2320 .sp
2321 .in +2
2322 .nf
2323 \fBjoespc server "joe's secret" joespc.example.net\fR
2324 .fi
2325 .in -2
2326 .sp
2327
2328 .sp
2329 .LP
2330 Alternatively, you can create another username, for example "ppp," whose login
2331 shell is \fB/usr/bin/pppd\fR and whose home directory is \fB/etc/ppp\fR. If you
2332 run \fBpppd\fR this way, add the options to the \fB/etc/ppp/.ppprc\fR file.
2333
2334 .sp
2335 .LP
2336 If your serial connection is complex, it may be useful to escape such control
2337 characters as XON (^Q) and XOFF (^S), using \fBasyncmap a0000\fR. If the path
2338 includes a telnet, escape ^] (\fBasyncmap 200a0000\fR). If the path includes a
2339 \fBrlogin\fR command, add \fBescape ff\fR option to the options, because
2340 \fBrlogin\fR removes the window-size-change sequence [0xff, 0xff, 0x73, 0x73,
2341 followed by any 8 bytes] from the stream.
2342
2343 .SH EXIT STATUS
2344 The \fBpppd\fR exit status indicates errors or specifies why a link was
2345 terminated. Exit status values are:
2346 .sp
2347 .ne 2
2348 .na
2349 \fB\fB0\fR \fR
2350 .ad
2351 .RS 7n
2352 \fBpppd\fR has detached or the connection was successfully established and
2353 terminated at the peer's request.
2354 .RE
2355
2356 .sp
2357 .ne 2
2358 .na
2359 \fB\fB1\fR \fR
2360 .ad
2361 .RS 7n
2362 An immediately fatal error occurred. For example, an essential system call
2363 failed.
2364 .RE
2365
2366 .sp
2367 .ne 2
2368 .na
2369 \fB\fB2\fR \fR
2370 .ad
2371 .RS 7n
2372 An error was detected in the options given. For example, two mutually exclusive
2373 options were used, or \fB/etc/ppp/options\fR is missing and the user is not
2374 root.
2375 .RE
2376
2377 .sp
2378 .ne 2
2379 .na
2380 \fB\fB3\fR \fR
2381 .ad
2382 .RS 7n
2383 \fBpppd\fR is not \fBsetuid-root\fR and the invoking user is not root.
2384 .RE
2385
2386 .sp
2387 .ne 2
2388 .na
2389 \fB\fB4\fR \fR
2390 .ad
2391 .RS 7n
2392 The kernel does not support PPP. For example, the PPP kernel driver is not
2393 included or cannot be loaded.
2394 .RE
2395
2396 .sp
2397 .ne 2
2398 .na
2399 \fB\fB5\fR \fR
2400 .ad
2401 .RS 7n
2402 \fBpppd\fR terminated because it was sent a SIGINT, SIGTERM or SIGHUP signal.
2403 .RE
2404
2405 .sp
2406 .ne 2
2407 .na
2408 \fB\fB6\fR \fR
2409 .ad
2410 .RS 7n
2411 The serial port could not be locked.
2412 .RE
2413
2414 .sp
2415 .ne 2
2416 .na
2417 \fB\fB7\fR \fR
2418 .ad
2419 .RS 7n
2420 The serial port could not be opened.
2421 .RE
2422
2423 .sp
2424 .ne 2
2425 .na
2426 \fB\fB8\fR \fR
2427 .ad
2428 .RS 7n
2429 The connect script failed and returned a non-zero exit status.
2430 .RE
2431
2432 .sp
2433 .ne 2
2434 .na
2435 \fB\fB9\fR \fR
2436 .ad
2437 .RS 7n
2438 The command specified as the argument to the \fBpty\fR option could not be run.
2439 .RE
2440
2441 .sp
2442 .ne 2
2443 .na
2444 \fB\fB10\fR \fR
2445 .ad
2446 .RS 7n
2447 The PPP negotiation failed because no network protocols were able to run.
2448 .RE
2449
2450 .sp
2451 .ne 2
2452 .na
2453 \fB\fB11\fR \fR
2454 .ad
2455 .RS 7n
2456 The peer system failed or refused to authenticate itself.
2457 .RE
2458
2459 .sp
2460 .ne 2
2461 .na
2462 \fB\fB12\fR \fR
2463 .ad
2464 .RS 7n
2465 The link was established successfully, but terminated because it was idle.
2466 .RE
2467
2468 .sp
2469 .ne 2
2470 .na
2471 \fB\fB13\fR \fR
2472 .ad
2473 .RS 7n
2474 The link was established successfully, but terminated because the connect time
2475 limit was reached.
2476 .RE
2477
2478 .sp
2479 .ne 2
2480 .na
2481 \fB\fB14\fR \fR
2482 .ad
2483 .RS 7n
2484 Callback was negotiated and an incoming call should arrive shortly.
2485 .RE
2486
2487 .sp
2488 .ne 2
2489 .na
2490 \fB\fB15\fR \fR
2491 .ad
2492 .RS 7n
2493 The link was terminated because the peer is not responding to echo requests.
2494 .RE
2495
2496 .sp
2497 .ne 2
2498 .na
2499 \fB\fB16\fR \fR
2500 .ad
2501 .RS 7n
2502 The link was terminated by the modem hanging up.
2503 .RE
2504
2505 .sp
2506 .ne 2
2507 .na
2508 \fB\fB17\fR \fR
2509 .ad
2510 .RS 7n
2511 The PPP negotiation failed because serial loopback was detected.
2512 .RE
2513
2514 .sp
2515 .ne 2
2516 .na
2517 \fB\fB18\fR \fR
2518 .ad
2519 .RS 7n
2520 The init script failed because a non-zero exit status was returned.
2521 .RE
2522
2523 .sp
2524 .ne 2
2525 .na
2526 \fB\fB19\fR \fR
2527 .ad
2528 .RS 7n
2529 Authentication to the peer failed.
2530 .RE
2531
2532 .SH FILES
2533 .ne 2
2534 .na
2535 \fB\fB/var/run/sppp\fIn\fR\fR\fB\&.pid\fR \fR
2536 .ad
2537 .RS 29n
2538 Process-ID for \fBpppd\fR process on PPP interface unit \fIn\fR.
2539 .RE
2540
2541 .sp
2542 .ne 2
2543 .na
2544 \fB\fB/var/run/ppp-\fIname\fR\fR\fB\&.pid\fR \fR
2545 .ad
2546 .RS 29n
2547 Process-ID for \fBpppd\fR process for logical link name (see the \fBlinkname\fR
2548 option).
2549 .RE
2550
2551 .sp
2552 .ne 2
2553 .na
2554 \fB\fB/etc/ppp/pap-secrets\fR \fR
2555 .ad
2556 .RS 29n
2557 Usernames, passwords and IP addresses for PAP authentication. This file should
2558 be owned by root and not readable or writable by any other user, otherwise
2559 \fBpppd\fR will log a warning.
2560 .RE
2561
2562 .sp
2563 .ne 2
2564 .na
2565 \fB\fB/etc/ppp/chap-secrets\fR \fR
2566 .ad
2567 .RS 29n
2568 Names, secrets and IP addresses for all forms of CHAP authentication. The
2569 \fB/etc/ppp/pap-secrets\fR file should be owned by \fBroot\fR should not
2570 readable or writable by any other user, otherwise, \fBpppd\fR will log a
2571 warning.
2572 .RE
2573
2574 .sp
2575 .ne 2
2576 .na
2577 \fB\fB/etc/ppp/options\fR \fR
2578 .ad
2579 .RS 29n
2580 System default options for \fBpppd\fR, read before user default options or
2581 command-line options.
2582 .RE
2583
2584 .sp
2585 .ne 2
2586 .na
2587 \fB\fB$HOME/.ppprc\fR \fR
2588 .ad
2589 .RS 29n
2590 User default options, read before \fB/etc/ppp/options.\fIttyname\fR\fR.
2591 .RE
2592
2593 .sp
2594 .ne 2
2595 .na
2596 \fB\fB/etc/ppp/options.\fIttyname\fR\fR \fR
2597 .ad
2598 .RS 29n
2599 System default options for the serial port in use; read after
2600 \fB$HOME/.ppprc\fR. The \fIttyname\fR component of this filename is formed when
2601 the initial \fB/dev/\fR is stripped from the port name (if present), and
2602 slashes (if any) are converted to dots.
2603 .RE
2604
2605 .sp
2606 .ne 2
2607 .na
2608 \fB\fB/etc/ppp/peers\fR \fR
2609 .ad
2610 .RS 29n
2611 Directory with options files that may contain privileged options, even if
2612 \fBpppd\fR was invoked by a user other than \fBroot\fR. The system
2613 administrator can create options files in this directory to permit
2614 non-privileged users to dial out without requiring the peer to authenticate,
2615 but only to certain trusted peers.
2616 .RE
2617
2618 .SH ATTRIBUTES
2619 See \fBattributes\fR(5) for descriptions of the following attributes:
2620 .sp
2621
2622 .sp
2623 .TS
2624 box;
2625 c | c
2626 l | l .
2627 ATTRIBUTE TYPE ATTRIBUTE VALUE
2628 _
2629 Interface Stability Evolving
2630 .TE
2631
2632 .SH SEE ALSO
2633 \fBchat\fR(1M), \fBifconfig\fR(1M), \fBcrypt\fR(3C), \fBpam\fR(3PAM),
2634 \fBattributes\fR(5)
2635 .sp
2636 .LP
2637 Haskin, D., Allen, E. \fIRFC 2472 - IP Version 6 Over PPP\fR. Network Working
2638 Group. December 1998.
2639 .sp
2640 .LP
2641 Jacobson, V. \fIRFC 1144, Compressing TCP/IP Headers for Low-Speed Serial
2642 Links\fR. Network Working Group. February, 1990
2643 .sp
2644 .LP
2645 Lloyd, B., Simpson, W. \fIRFC 1334, PPP Authentication Protocols\fR. Network
2646 Working Group. October 1992.
2647 .sp
2648 .LP
2649 McGregor, G. \fIRFC 1332, The PPP Internet Protocol Control Protocol (IPCP)\fR.
2650 Network Working Group. May 1992.
2651 .sp
2652 .LP
2653 Rivest, R. \fIRFC 1321, The MD5 Message-Digest Algorithm\fR. Network Working
2654 Group. April 1992
2655 .sp
2656 .LP
2657 Simpson, W. \fIRFC 1661, The Point-to-Point Protocol (PPP)\fR. Network Working
2658 Group. July 1994.
2659 .sp
2660 .LP
2661 Simpson, W. \fIRFC 1662, HDLC-like Framing \fR. Network Working Group. July
2662 1994.
2663 .SH NOTES
2664 These signals affect \fBpppd\fR behavior:
2665 .sp
2666 .ne 2
2667 .na
2668 \fB\fBSIGINT, SIGTERM\fR \fR
2669 .ad
2670 .RS 20n
2671 Terminate the link, restore the serial device settings and exit.
2672 .RE
2673
2674 .sp
2675 .ne 2
2676 .na
2677 \fB\fBSIGHUP\fR \fR
2678 .ad
2679 .RS 20n
2680 Terminate the link, restore the serial device settings and close the serial
2681 device. If the \fBpersist\fR or \fBdemand\fR option is specified, \fBpppd\fR
2682 attempts to reopen the serial device and start another connection after the
2683 holdoff period. Otherwise \fBpppd\fR exits. If received during the holdoff
2684 period, \fBSIGHUP\fR causes \fBpppd\fR to end the holdoff period immediately.
2685 .RE
2686
2687 .sp
2688 .ne 2
2689 .na
2690 \fB\fBSIGUSR1\fR \fR
2691 .ad
2692 .RS 20n
2693 Toggles the state of the \fBdebug\fR option and prints link status information
2694 to the log.
2695 .RE
2696
2697 .sp
2698 .ne 2
2699 .na
2700 \fB\fBSIGUSR2\fR \fR
2701 .ad
2702 .RS 20n
2703 Causes \fBpppd\fR to renegotiate compression. This is useful to re-enable
2704 compression after it has been disabled as a result of a fatal decompression
2705 error. (Fatal decompression errors generally indicate a bug in an
2706 implementation.)
2707 .RE
2708
2709 .SH DIAGNOSTICS
2710 Messages are sent to the syslog daemon using facility \fBLOG_DAEMON\fR. To see
2711 error and debug messages, edit the \fB/etc/syslog.conf\fR file to direct the
2712 messages to the desired output device or file, or use the \fBupdetach\fR or
2713 \fBlogfile\fR options.
2714 .sp
2715 .LP
2716 The \fBdebug\fR option causes the contents of all LCP, PAP, CHAP or IPCP
2717 control packets sent or received to be logged. This is useful if PPP
2718 negotiation does not succeed or if authentication fails.
2719 .sp
2720 .LP
2721 Debugging can also be enabled or disabled by sending a \fBSIGUSR1\fR signal,
2722 which acts as a toggle to the \fBpppd\fR process.