Published at 13.04.05
Author: Roger Mayer
Translator: Sebastian Kueppers
Languages: de
Dialin Server (ISDN) under SuSE Linux 8.0

Introduction:

Setting up a dial-in server on SuSE Linux 8.0 is not documented anywhere yet.
This article is written for users who already know their way around Linux and for whom ISP, ppp, devices and authentication are not some kind of disease.
The topic is hard to explain to anybody without that background.


1. Before we start
2. dial-in access in addition to an internet connection using one ISDN interface
2.1 Creating one more ISDN-connection using YAST2
2.2 user authentication
2.2.1 user authentication using PAP or CHAP
2.2.2 user authentication using PAP and login
2.3 dialin-server for routing into your local network

1. Before we start

Under SuSE 8.0 the configuration files we need are found in

  /etc/sysconfig/isdn
  /etc/ppp/
  

In /etc/sysconfig/isdn the cfg-contrx files configure the ISDN hardware: the first ISDN controller is configured in cfg-contr0, the second card (if any) in cfg-contr1 and so on.
Connections to an internet service provider and dial-in connections are configured in the cfg-netx files.

The directory /etc/ppp holds the authentication files /etc/ppp/pap-secrets and /etc/ppp/chap-secrets as well as the option files used to bring up a connection. It looks strange at first sight but is quite logical: for every connection (internet or dial-in) there is an option file which follows this naming convention:

  options.Device.Provider
  
For example, your first ISP (internet service provider) on the ippp0 device:
  options.ippp0.ISP1
  
where ISP1 stands for the connection name of your ISP.

The following overview shows how the number of ISPs, the numbering of the device files and the naming of the option files fit together:

The first column is the number of configured internet connections.

Overview

  ISPs | ISP1     | ISP2     | ISP3     | ISP4     | ISP5     | dialin1  | dialin2
  -----+----------+----------+----------+----------+----------+----------+---------
  0    | -        | -        | -        | -        | -        | cfg-net0 | cfg-net1
  1    | cfg-net0 | -        | -        | -        | -        | cfg-net1 | cfg-net2
  2    | cfg-net0 | cfg-net1 | -        | -        | -        | cfg-net2 | cfg-net3
  3    | cfg-net0 | cfg-net1 | cfg-net2 | -        | -        | cfg-net3 | cfg-net4
  4    | cfg-net0 | cfg-net1 | cfg-net2 | cfg-net3 | -        | cfg-net4 | cfg-net5
  5    | cfg-net0 | cfg-net1 | cfg-net2 | cfg-net3 | cfg-net4 | cfg-net5 | cfg-net6

  Every cfg-netN has its option file options.ipppN.<connection name> with the same N, for example
  cfg-net0 with options.ippp0.ISP1, or (in the row with two ISPs) cfg-net2 with options.ippp2.dialin1
  and cfg-net3 with options.ippp3.dialin2.


You will notice that SuSE works strictly chronologically: connections are numbered successively in the order in which they were configured!

2. dial-in access in addition to an internet connection using one ISDN interface

If you already have an ISDN connection to your ISP configured with YaST2, adding a dial-in access on the same ISDN interface is quite easy.

2.1 Creating one more ISDN connection using YaST2

IMPORTANT: You must already have a connection to your ISP configured!

  • "YaST2 -> Network-basics -> ISDN configuration"
  • "Configured devices -> Change"
  • "ISDN connection -> Add"
  • "New"
  • choose SyncPPP as connection type
  • enter dialin as connection name
  • enter dialin as name
  • phone number: 0 (this connection never dials out)
  • user and password as you wish (they are defined later)
  • do not check (or uncheck) "ask for password"

  • "Continue"
  • as "your phone number" enter the MSN that should be used for this dial-in connection. This number should not be used for dialling out.
  • dial mode: automatic
  • idle timeout: does not matter
  • ChargeHUP: does not matter
  • uncheck "activate firewall"
    (the firewall will be covered in another article)
  • deactivate channel bundling
  • now change your IP settings:
    if your dial-in server sits in an internal network you need two more free IP addresses from that network. That way you can later use the dial-in server as a router into your local network as well.
        Example:
        my Linux server:    192.168.245.254
        local IP address:   192.168.245.253
        remote IP address:  192.168.245.252
        If you do not have an internal network you can use the following addresses:
        local IP address:   192.168.0.253
        remote IP address:  192.168.0.252
        
  • deactivate "dynamic IP address"
  • enter local and remote IP
  • deactivate "default route"
  • deactivate "use provider DNS"

    "OK"
  • "Finish"
  • open a shell
  • become root (su or similar)
  • change to the /etc/sysconfig/isdn directory
  • edit the cfg-net1 file with an editor such as joe

/etc/sysconfig/isdn/cfg-net1
  CALLBACK="off"
  CHARGEHUP="on"
  COMPRESSION="no"
  DEFAULTROUTE="no"
  DIALMODE="auto"
  DYNAMICIP="no"
  FIREWALL="no"
  IDLETIME="300"
  IPADDR="192.168.245.253" # your local IP
  MSN="xxxxx" # your MSN
  MULTILINK="no"
  PROTOCOL="syncppp"
  PROVIDER="dialin"
  PTPADDR="192.168.245.252" # your remote IP
  STARTMODE="onboot"
  USEPEERDNS="no"
  


  • and add the following line:
      SECURE="off"
      
    (That's the big secret!) SECURE corresponds to the isdn4linux caller check (isdnctrl secure): with it switched on, the interface only accepts incoming calls from caller numbers configured for it; with "off" any caller who dials your MSN gets the link. From now on PPP authentication (section 2.2) is the only thing between a caller and your machine, so do not stop after this step.
  • save the file and execute the following commands:
      >> SuSEconfig --module isdn
      >> rcnetwork restart
      
  • that's it so far...
    Congratulations! You now have "complete" dial-in access to your machine.
    Unfortunately no user authentication is configured yet, so right now ANYONE who dials that MSN gets a PPP link without providing a username or password (e.g. with the Windows dial-up networking) and can reach every network service your machine offers.
    The one consolation: the machine does not route yet, so dial-in users cannot reach any other computer in your local network.

2.2 user authentication

There is more than one way to protect your dial-in access with usernames and passwords.
Two of them are described here. Both have their pros and cons...

2.2.1 user authentication using PAP or CHAP

Using the files /etc/ppp/pap-secrets and /etc/ppp/chap-secrets you define usernames and passwords for your dial-in service. These users have nothing in common with your system users: they are not Linux accounts, get no shell and no filesystem access, and only obtain an IP link to the services the machine provides (WWW, FTP, mail, X and so on).
The advantage of this kind of authentication is the simple configuration and the fact that no dial-in user gains filesystem access.
A disadvantage is the way /etc/ppp/pap-secrets and /etc/ppp/chap-secrets are built up.
Those files contain the account details for your internet access as well as the usernames and passwords of your dial-in accounts, and pppd treats both alike: an entry whose second (server) field is "*" is valid in both directions, for authenticating yourself to the ISP and for authenticating a caller to you.
So if a stranger somehow learns your internet account details (the username and password you use for dialling out) he can dial in with them. This article keeps the "*" for simplicity; to close that hole, give the dial-in entries your server's own name in the second field (the name you set with the "name" option in the dial-in options file) and the ISP entries the provider's name (the "remotename" of the dial-out options file), so that every entry is valid in one direction only.
To keep things simple we will only do the authentication with PAP. Be aware that PAP sends the password over the line in clear text, while CHAP only exchanges a challenge and a hashed response.

Example for /etc/ppp/pap-secrets
  "NumberNumberNumber" * "YourPassword" # Your abc internet connection
  "Threenet" * "Threenet"                # Your xyz internet connection
  "DialinUser" * "DialinPassword"    # Username and password for your dial-in access
  


If you look at your own /etc/ppp/pap-secrets you will see that all passwords are stored in clear text, so this file must be readable by root only (mode 0600, owner root); check that after editing it.

You add a user by appending

  "Username" * "Password"
  
to the file.

Additionally our /etc/ppp/options.ippp1.dialin file has to be modified:

/etc/ppp/options.ippp1.dialin
  /dev/ippp1
  ipcp-accept-local
  ipcp-accept-remote
  noipdefault
  netmask 255.255.255.255
  useifip
  mtu 1500
  mru 1524
  


Add the following lines:

  auth
  +pap
  -chap
  
Save the file and execute
  >> rcnetwork restart
  
to restart the network devices.

Be aware that this file is reset to its original content every time SuSEconfig runs, and your changes are lost with it.
The workaround used here is to take away the write permission

  >> chmod 444 /etc/ppp/options.ippp1.dialin
  
so that SuSEconfig leaves it alone. Root is not bound by file modes, so this relies on SuSEconfig's ISDN module checking the mode before it rewrites the file; after every SuSEconfig run, check (with grep, for instance) that the auth lines are still there before you trust the dial-in.
To get write access back, just run
  >> chmod 644 /etc/ppp/options.ippp1.dialin
  
Now your dial-in connection is ready.
All users listed in /etc/ppp/pap-secrets can now access your system with their passwords.

2.2.2 user authentication using PAP and login

The advantage of PAP plus login is that you decide exactly which Linux accounts may use the dial-in connection. Furthermore your internet account details can no longer be abused for dialling in: with the "login" option pppd also checks every caller's password against the system password database, and the ISP username is not a system account.
The disadvantage is that all dial-in users have to exist as local accounts, so they get filesystem access according to their rights, and any other login service on the machine (ssh, telnet, ftp) accepts the same password. Create these users with as few rights as possible.
Use YaST2 to create those users and a group for them

  Example:
  created group: einwahl
  group members:
  new user tim
  new user antje
  new user ingo
  
You should know exactly what you are doing, because these users get in from outside. Badly configured access rights make this a real security risk.

Now you edit your /etc/ppp/pap-secrets:

/etc/ppp/pap-secrets
  "NumberNumberNumber" * "YourPassword" # Your abc internet connection
  "Threenet" * "Threenet"                # Your xyz internet connection
  


add the following lines:

  "tim" * ""
  "antje" * ""
  "ingo" * ""
  
NEVER enter root here!
Save this file and modify /etc/ppp/options.ippp1.dialin:

/etc/ppp/options.ippp1.dialin
  /dev/ippp1
  ipcp-accept-local
  ipcp-accept-remote
  noipdefault
  netmask 255.255.255.255
  useifip
  mtu 1500
  mru 1524
  


and add the following lines:

  auth
  login
  +pap
  -chap
  
Which accounts may dial in is decided by the pap-secrets entries above (tim, antje, ingo), not by this file: pppd's "user" option is not an access list, it only sets the name pppd itself presents when it is the calling side, so do not try to restrict accounts with "user" lines here.
Again, NEVER enter root as a user!!
Save the file and execute
  >> rcnetwork restart
  
to restart your network devices.

Again, this file is reset to its original content every time SuSEconfig runs, and your changes are lost with it.
To prevent this, take away the write permission

  >> chmod 444 /etc/ppp/options.ippp1.dialin
  
so that SuSEconfig leaves it alone (root ignores file modes, so verify after every SuSEconfig run that the auth lines are still there).
To get write access back, just run
  >> chmod 644 /etc/ppp/options.ippp1.dialin
  
Now your dial-in connection is ready.
From now on the Linux users tim, antje and ingo can log in via your dial-in connection. They are authenticated by your local system.
Executing
  >> who
  
shows the users currently logged in; with the "login" option pppd records dial-in sessions in utmp/wtmp like any other login.
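To check a finished setup for the pitfalls sections 2.1, 2.2.1 and 2.2.2 warn about, here is an added audit script (written for this edit of the article; it is not part of the original page and not SuSE's code). It reads the dial-in options file and pap-secrets and reports a missing "auth", a readable secrets file, entries for root, entries whose server field is "*" (valid inbound and outbound) and empty secrets that are not backed by the "login" option. The sample files it writes are constructed to mirror the state after section 2.1 and a tightened version; the server name dialin-server and the provider name ISP1 are assumptions used to show one-direction-only entries.

```shell
#!/bin/sh
# Added audit for the dial-in setup described above (not part of the original article).
# audit_dialin OPTIONS_FILE PAP_SECRETS prints one finding per line and a final
# "findings=N" line. write_samples creates constructed sample files: the state after
# section 2.1 (nothing enforced yet) and a tightened version. Names such as
# dialin-server and ISP1 are assumptions, not values from the article.

audit_dialin() {
    opts="$1"; secrets="$2"
    report=$(
        # Without 'auth' (or with 'noauth') pppd hands out a link to any caller.
        if ! grep -q '^auth' "$opts" || grep -q '^noauth' "$opts"; then
            echo "options: no 'auth' line (or 'noauth' set): callers need no password"
        fi
        # pap-secrets holds clear-text passwords; only root may read it.
        case $(ls -ld "$secrets" | cut -c1-10) in
            -rw-------) ;;
            *) echo "pap-secrets: mode is not 0600, clear-text passwords are readable" ;;
        esac
        # With 'login' an empty secret means "check the system password"; without it nothing is checked.
        if grep -q '^login' "$opts"; then haslogin=yes; else haslogin=no; fi
        awk -v haslogin="$haslogin" '
            { sub(/#.*/, "") }                 # drop comments (a # inside a password would be cut too)
            NF < 3 { next }                    # blank or malformed line
            {
                gsub(/""/, "EMPTY"); gsub(/"/, "")   # keep empty secrets visible as the token EMPTY
                client = $1; server = $2; secret = $3
                if (client == "root")
                    print "pap-secrets: entry for root: never let a caller authenticate as root"
                if (server == "*")
                    print "pap-secrets: " client ": server field * makes this entry valid inbound and outbound"
                if (secret == "EMPTY" && haslogin != "yes")
                    print "pap-secrets: " client ": empty secret without login, no password is checked"
            }' "$secrets"
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    n=$(printf '%s' "$report" | awk 'END { print NR }')
    echo "findings=$n"
}

write_samples() {
    dir=$(mktemp -d)
    # Constructed: options file as generated in section 2.1, before any auth lines were added.
    cat > "$dir/options.before" <<'EOF'
/dev/ippp1
ipcp-accept-local
ipcp-accept-remote
noipdefault
netmask 255.255.255.255
useifip
mtu 1500
mru 1524
EOF
    # Constructed: dial-out credentials and dial-in accounts side by side, all with server "*".
    cat > "$dir/pap-secrets.before" <<'EOF'
"NumberNumberNumber" * "YourPassword"   # ISP dial-out, but also accepted from callers
"root"               * "toor"           # must never appear here
"DialinUser"         * "DialinPassword"
"guest"              * ""               # empty secret, and no 'login' in the options file
EOF
    chmod 644 "$dir/pap-secrets.before"
    # Constructed: tightened version. 'name dialin-server' is an assumed server name.
    cat > "$dir/options.after" <<'EOF'
/dev/ippp1
name dialin-server
auth
login
+pap
-chap
EOF
    # ISP1 must match a 'remotename ISP1' in the dial-out options file (assumed).
    cat > "$dir/pap-secrets.after" <<'EOF'
"NumberNumberNumber" ISP1          "YourPassword"   # dial-out only
"tim"                dialin-server ""               # dial-in only, system password via 'login'
"antje"              dialin-server ""
EOF
    chmod 600 "$dir/pap-secrets.after"
    echo "$dir"
}

# Usage: compare the two constructed states.
samples=$(write_samples)
audit_dialin "$samples/options.before" "$samples/pap-secrets.before"
audit_dialin "$samples/options.after"  "$samples/pap-secrets.after"
```

On a real server you would call audit_dialin with /etc/ppp/options.ippp1.dialin and /etc/ppp/pap-secrets after every SuSEconfig run; a "findings=0" line is the quickest way to confirm that the auth lines survived and that no dial-out credential is still accepted from callers.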

2.3 dialin-server for routing into your local network

With this, dial-in users can reach other machines in your local network and use the services they provide.

ATTENTION! ONLY FOR EXPERTS!
Once IP forwarding is switched on, your Linux machine routes packets between all of its network interfaces unless you explicitly forbid it: not only from the dial-in link into the LAN, but also between the LAN and your ISP link. Without packet filtering (the firewall deferred to another article) a dial-in user reaches everything the server can reach.
The author (and translator *g*) will not take ANY responsibility for any damage to your computer, network or data.
IF YOU DON'T KNOW EXACTLY WHAT YOU ARE DOING, YOU SHOULD STOP RIGHT HERE!!

Open /etc/sysconfig/sysctl and set the IP_FORWARD option to yes.
The file is evaluated at boot time, so reboot afterwards (or switch forwarding on immediately by writing 1 to /proc/sys/net/ipv4/ip_forward).

Then open /etc/ppp/options.ippp1.dialin and add:

  proxyarp
  
proxyarp makes the server answer ARP requests for the caller's remote address on the LAN interface, which is why the remote IP must come from the LAN's own subnet (192.168.245.252 in the example). Save the file and take away your write permission again (...because of SuSEconfig). After restarting the network devices with rcnetwork restart you can reach your local network from your dial-in account.



