
Re: A 'pppctl' port for Linux, for controlling 'ppp' running on OpenBSD?



Beneath <ishikodzume@beneath.plus.com> writes:
> Hi,
> 
> I recently set up OpenBSD running as my firewall/gateway.
> I need to be able to bring up and take down the PPP link that the
> OpenBSD box has to the internet, via a command from a Linux box on my
> LAN.
> The ideal way to do this, I thought, would be to run 'ppp' on the BSD
> box, accepting TCP connections from the 'pppctl' program. However,
> search as I might, I cannot find a port of this program for Linux.
> Any idea on how to do this? The command is actually going to be running
> from a Bash CGI script on the Linux box, via Apache (so all machines can
> use this page to connect, even the windoze ones). I don't want to run a
> httpd on the BSD box.
> SSHing in each time to do it a decent option... unless I can automate
> this in a nice way.
> 
> Ideally I'd like my OpenBSD box running absolutely no services
> whatsoever, however I assume this is almost as secure as long as I limit
> it to the rl0 device and a specific IP via pf.

If you're running "ppp" and it accepts external connections, then you
are not running "absolutely no services".  Authentication based on IP
address, interface, or even ethernet mac address is "weak" - an
attacker who has found another hole giving him even temporary access
inside your network may be able to easily bypass or spoof all these
things.  Moreover, an attacker who is able to sniff your internal wire
and observe you (or your automatic scripts) doing anything to your
firewall can learn all he needs to know to do the same thing.

If you want security against sniffing &etc, then you generally want
something based on some form of cryptography.  Practically, for you
this probably means ssl, ssh, or kerberos.  Based on what you say you
want to do, ssh is probably going to be easiest for you.  For fully
automated use you would need a key that is not password protected (but
is stored in a "secure" location on the local machine only accessible
to that which needs it).  You might also want to think about what you
can do to make sure the associated openbsd account can't do anything
other than what you want it to do (presumably, just run pppctl; or
possibly just scripts you supply that *then* run pppctl.)  Lots of
people use ssh for all sorts of automated remote system administration
without any great trouble, so you shouldn't be scared about doing
this.  Probably you would use a shell script, perl, or tcl or expect to
actually run pppctl and interpret results on the openbsd end.

If you wanted to go a bit fancier, with perl, tcl, etc., it should be
quite feasible to write a small server that talks ssl or uses kerberos,
then perhaps either runs pppctl or might even interact with ppp
directly via a socket.  You would also need to write a corresponding
client program, probably in the same language, to interact with your
server.  The server should have some notion of identity and
authorization; just encrypting the connection isn't sufficient.  The
client program would use either a certificate (ssl) or keytab
(kerberos) to authenticate its identity to the server, in addition to
the server of course also having its own.  This would be more involved,
but could obviously be quite powerful and you would certainly have more
control over what actually happens.

If you *really* want to run pppctl on the linux box, and don't care
about the security exposure on your private net, then you could port
pppctl to linux yourself.  It's only a 477 line program and at first
glance looks fairly well self-contained and non-exotic.  This could
possibly be a less complicated project than the actual set of fancy
automatic scripts you might be wanting to write to control ppp.
But, like I said, the security would be pretty lame...

				-Marcus Watts
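
The ssh approach described in the reply above (an unencrypted automation key whose account can do nothing but drive pppctl) can be enforced with a forced command on the OpenBSD side. The script below is an added example, not part of the original message or of ppp itself; the script path, the control socket path, the request verbs "up"/"down" and their mapping to ppp's "open"/"close" commands are assumptions.

```shell
#!/bin/sh
# Added example: forced-command gate for the OpenBSD account that the
# Linux CGI script logs in to. Bind the automation key to it in
# ~/.ssh/authorized_keys (one line; the script path is an assumption):
#   command="/usr/local/libexec/ppp-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <public key>
# With that entry the key can only ever start this script, whatever
# command the client asks for.

# Assumed path of the local socket ppp listens on ("set server" in ppp.conf).
PPP_SOCKET="${PPP_SOCKET:-/var/run/ppp-ctl}"

# Map a client request to one fixed ppp command. Prints the command and
# returns 0, or returns 1 for anything that is not on the allow-list.
# The client's string is only compared, never evaluated or passed on.
map_request() {
    case "$1" in
        up)   echo "open" ;;    # assumed mapping: bring the link up
        down) echo "close" ;;   # assumed mapping: take the link down
        *)    return 1 ;;
    esac
}

gate() {
    if ! ppp_cmd=$(map_request "$1"); then
        # Log the peer address only; the raw request is untrusted input.
        logger -t ppp-gate "rejected request from ${SSH_CONNECTION%% *}"
        echo "usage: up | down" >&2
        return 1
    fi
    logger -t ppp-gate "running '$ppp_cmd' for ${SSH_CONNECTION%% *}"
    pppctl "$PPP_SOCKET" "$ppp_cmd"
}

# sshd sets SSH_CONNECTION for every session and SSH_ORIGINAL_COMMAND to
# whatever the client asked to run; do nothing unless started by sshd.
if [ -n "${SSH_CONNECTION:-}" ]; then
    gate "${SSH_ORIGINAL_COMMAND:-}"
fi
```

On the Linux side the CGI script would then run something like `ssh -i <key> <user>@<firewall> up`; a stolen key or a sniffed session still only yields the two allow-listed actions.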