18.3. Managing PPP Accounts
If you enable dialin access to your system, you should force all clients to authenticate themselves by turning on the Require authentication? option on the PPP Options page. Even if you think that your sever doesn't need to authenticate clients because only you know the phone number of the line your modem is on, it is still a good idea to enable it in case someone stumbles across the number by accident—or in case a “war dialer” trying out hundreds of phone numbers in search of insecure servers finds it.
Once authentication is enabled, you can add a new account that is allowed to log in by following these steps:
1. | On the main page of the module, click on the PPP Accounts icon. This will take you to a page listing all existing accounts, including those that have been created for dialing out to other servers. |
2. | Follow the Create a new PPP account link, which will bring you to the account creation form shown in Figure 18.3. Figure 18.3. Creating a new PPP account.
|
3. | |
4. | Make sure the Server field is set to Any. If you set it to something else, then the username will be accepted only when the client's hostname matches whatever you enter. |
5. | Select the Set to option in the Password field, and enter a password for the account into the text field next to it. It is also possible to have the PPP server read the password from a separate file, by selecting the From file option and entering a file name into its text field. Or you can remove the need for a password to be supplied at all, by selecting None—however, this isn't a very good idea from a security point of view. |
6. | Assuming that all clients are being assigned IP addresses, set the Valid Addresses field to Allow any. However, if no addresses are specified in the PPP Options page, you may want to select Allow listed and enter acceptable addresses into the text box below it. |
7. | Finally, click the Save button and the new PPP account will be created. It can be used immediately by connecting clients. |
To edit an existing PPP account, just click on its username from the accounts list. This will being you to the account editing form, which is almost identical to the creation form shown in Figure 18.3. Change the username, password, or any other options, and click the Save button to save your changes and make them immediately active. Or click the Delete button on the editing form to remove the account instead.
By default, Webmin will add new users to the /etc/ppp/pap-secrets file. This is only read by the PPP server when doing PAP authentication, which is used by default. If you have manually configured your system to authenticate clients using the more secure CHAP protocol instead, you will need to configure Webmin to edit the chap-secrets file instead. This can be done by clicking on the Module Config link in the top left corner of the main page, and changing the PAP secrets file field to /etc/ppp/chap-secrets.