
Re: encrypting pppd?



Ian Goldberg <[email protected]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> In article <[email protected]>,
> Roy M. Silvernail <[email protected]> wrote:
> >In list.cypherpunks, [email protected] writes:
> >
> >> Anyone worked on, or know of a freely available, one of these beasts?
> >
> >What threat model does this address?  It'd be link encryption, where the
> >best security is found in end-to-end encryption.
>
> pppd doesn't necessarily run over a modem; you can "tunnel" it over
> another IP connection.
>
> I have in fact done this very thing.  Use ssh to (encrypted) log in to
> the ppp server, and start pppd at each end.  It's been a while; I think
> I had to tweak something to make it work over a pty instead of a serial
> port.

Here's a little script for tunnelling SLIP over an ssh session on Linux:

(sleep 2;\
 /usr/local/bin/ssh -l username -e none remotehost</dev/ttyqe>&/dev/ttyqe)&
(echo "port ptyqe";\
 echo "wait ord: 15";\
 echo "send secretpw\\n";\
 echo "wait (shellprompt)> 60";\
 echo "send slip\\n";\
 echo get \$rmtip 192.168.0.1;\
 echo get \$locip 192.168.0.2;\
 echo "mode CSLIP";sleep 15)|/sbin/dip -tv

PPP is a little more complicated; I found it's easier if you put the ssh on
the pty instead of the tty side.  You can't do this from a shell script,
because the pty can only be opened once.  This will take care of that:

#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

int main(void)
{
  int fd;
  /* Detach from the current controlling terminal so the pty can become ssh's tty. */
  fd=open("/dev/tty",O_RDWR);
  if(fd>=0){
    ioctl(fd,TIOCNOTTY);
    close(fd);
  }
  /* Open the master (pty) side; pppd is started on the matching /dev/ttyqf. */
  fd=open("/dev/ptyqf",O_RDWR);
  if(fd<0) exit(1);
  /* Put the pty on stdin/stdout/stderr, then replace this process with ssh. */
  dup2(fd,0);
  dup2(fd,1);
  dup2(fd,2);
  if(fd>2) close(fd);
  execl("/usr/local/bin/ssh","ssh","-l","username","-e","none","-c","idea",
        "-t","remotehost","mesg n;/usr/sbin/ppp -direct mylink",(char *)0);
  exit(1);  /* only reached if execl fails */
}

Do remember that you can't route the ip addresses that you're tunneling
inside the tunnel!  So be sure to assign some alternate ip addresses to
each end of the link.  192.168.x.x will work; those addresses aren't
assigned to anyone.

I used /dev/ttyqf for the tty, which is usually unused.  If you have more
than 30 users online then you'll need to increase it.
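The routing caveat above (the ssh peer must not be reached through the tunnel it carries) can be checked before bringing the link up. The following is an added example, not code from the original post: it applies longest-prefix matching to a constructed "ip route"-style table and reports whether traffic to the ssh host would leave via the tunnel interface. The route lines, interface names and addresses are all assumptions.

```python
import ipaddress

# Constructed sample routing table in "ip route" style (assumed, not from the post).
# eth0 carries the real network; ppp0 is the tunnel started on the pty.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0
192.168.0.1 dev ppp0
203.0.113.0/24 dev ppp0
"""


def parse_routes(text):
    """Return a list of (destination network, device) pairs from ip-route-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dest = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((dest, dev))
    return routes


def route_for(addr, routes):
    """Longest-prefix match, the same selection rule the kernel applies."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dest, dev in routes:
        if ip in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, dev)
    return best


def tunnel_is_safe(ssh_peer, tunnel_dev, routes):
    """True if packets to the ssh peer leave via some interface other than the tunnel.

    If the peer's route points at the tunnel itself, the encrypted carrier
    traffic would be fed back into the link it transports and the tunnel
    can never come up; that is the loop the post warns about.
    """
    match = route_for(ssh_peer, routes)
    return match is not None and match[1] != tunnel_dev


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for peer in ("10.0.0.5", "203.0.113.7"):
        print(peer, "ok" if tunnel_is_safe(peer, "ppp0", table) else "LOOP")
```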