the userland ppp(9) code goes awa. Having too much ppp choice in the

tree results in one-true-ppp not coming into existance. This code is essentially un-audited and quite dangerous. ok claudio sthen
10 years ago · 357cb1b33e
--- a/src/etc/Makefile
+++ b/src/etc/Makefile
@ -1,4 +1,4 @@
 #	$OpenBSD: Makefile,v 1.347 2014/03/15 22:13:36 sthen Exp $
 #	$OpenBSD: Makefile,v 1.348 2014/03/17 17:07:45 deraadt Exp $

 TZDIR=		/usr/share/zoneinfo
 LOCALTIME=	Canada/Mountain
@ -183,14 +183,6 @@ distribution-etc-root-var: distrib-dirs
 		${INSTALL} -c -o root -g wheel -m 600 chatscript.sample \
 		    ${DESTDIR}/etc/ppp; \
 		${INSTALL} -c -o root -g wheel -m 600 pap-secrets \
 		    ${DESTDIR}/etc/ppp; \
 		${INSTALL} -c -o root -g wheel -m 600 ppp.conf.sample \
 		    ${DESTDIR}/etc/ppp; \
 		${INSTALL} -c -o root -g wheel -m 644 ppp.linkup.sample \
 		    ${DESTDIR}/etc/ppp; \
 		${INSTALL} -c -o root -g wheel -m 644 ppp.linkdown.sample \
 		    ${DESTDIR}/etc/ppp; \
 		${INSTALL} -c -o root -g wheel -m 644 ppp.secret.sample \
 		    ${DESTDIR}/etc/ppp
 	cd signify; \
 		${INSTALL} -c -o root -g wheel -m 644 *.pub \
--- a/src/etc/ppp/ppp.conf.sample
+++ b/src/etc/ppp/ppp.conf.sample
@ -1,559 +0,0 @@
 #################################################################
 #
 #  	PPP  Sample Configuration File
 #
 #	  Originally written by Toshiharu OHNO
 #
 # $OpenBSD: ppp.conf.sample,v 1.24 2006/07/30 18:02:01 david Exp $
 #
 #################################################################

 # This file is separated into sections.  Each section is named with
 # a label starting in column 0 and followed directly by a ``:''.  The
 # section continues until the next section.  Blank lines and lines
 # beginning with ``#'' are ignored.
 #
 # Lines beginning with "!include" will ``include'' another file.  You
 # may want to ``!include ~/.ppp.conf'' for backwards compatibility.
 #

 # Default setup. Always executed when PPP is invoked.
 #  This section is *not* loaded by the ``load'' or ``dial'' commands.
 #
 #  This is the best place to specify your modem device, its DTR rate,
 #  and any logging specification.  Logging specs should be done first
 #  so that subsequent commands are logged.
 #
 default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cua01
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

 # Client side PPP
 #
 #  Although the PPP protocol is a peer to peer protocol, we normally
 #  consider the side that makes the connection as the client and the
 #  side that receives the connection as the server.  Authentication
 #  is required by the server either using a unix-style login procedure
 #  or by demanding PAP or CHAP authentication from the client.
 #

 # An on demand example where we have dynamic IP addresses:
 #  If the peer assigns us an arbitrary IP (most ISPs do this) and we
 #  can't predict what their IP will be either, take a wild guess at
 #  some IPs that you can't currently route to.
 #
 #  The /0 bit in "set ifaddr" says that we insist on 0 bits of the
 #  specified IP actually being correct, therefore, the other side can assign
 #  any IP numbers.
 #
 #  The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested
 #  IP number, forcing the peer to make the decision.
 #
 #  This entry also works with static IP numbers or when not in -auto mode.
 #  The ``add'' line adds a `sticky' default route that will be updated if
 #  and when any of the IP numbers are changed in IPCP negotiations.
 #  The "set ifaddr" is required in -auto mode.
 #
 #  Finally, the ``enable dns'' bit tells ppp to ask the peer for the
 #  nameserver addresses that should be used.  This isn't always supported
 #  by the other side, but if it is, /etc/resolv.conf will automatically be
 #  updated.
 #
 pmdemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

 # When we want to use PAP or CHAP instead of using a unix-style login
 # procedure, we do the following.  Note, the peer suggests whether we
 # should send PAP or CHAP.  By default, we send whatever we're asked for.
 #
 PAPorCHAPpmdemand:
 set phone 1234567
 set login
 set authname MyName
 set authkey MyKey
 set timeout 120
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

 # On demand dialup example with static IP addresses:
 #  Here, the local side uses 192.244.185.226 and the remote side
 #  uses 192.244.176.44.
 #
 #  # ppp -auto ondemand
 #
 #  With static IP numbers, our setup is similar to dynamic:
 #  Remember, ppp.linkup is searched for a "192.244.176.44" label, then
 #  a "ondemand" label, and finally the "MYADDR" label.
 #
 ondemand:
 set phone 1234567
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp"
 set timeout 120
 set ifaddr 192.244.185.226 192.244.176.44
 add default HISADDR
 enable dns

 # To connect via a GPRS or UMTS device (e.g. a mobile phone or a PC Card),
 # it's often necessary to set the access-point name (in this case 'internet')
 # which requires quotes in the dial string. This section shows the escaping
 # required. Devices that have not already authenticated the SIM card (like a
 # PC Card) need to issue the "AT+CPIN=xxxx" (xxxx being the PIN for the SIM
 # card) first.
 # For certain devices it is necessary to adjust the baud rate (speed setting)
 # and/or change the dial string to "*99***1#".
 # UMTS devices often allow control of the connect mode (UMTS only, GPRS only
 # or default to which is available); this can be controlled with the number
 # passed to the AT+CGDCONT command and is device dependant.
 # Some ISPs do special things in their IPCP session in order to negotiate
 # the IP addresses; in this case it may be necessary to play with the ifaddr
 # setting.
 # See also: com(4), ubsa(4), ucom(4) and umodem(4)
 #
 mobile:
 set device /dev/cuaU0
 set dial "ABORT ERROR ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" ATZ OK-ATZ-OK AT+CGDCONT=1,\\\"IP\\\",\\\"internet\\\" OK \\dATD\\T TIMEOUT 40 CONNECT"
 set phone "*99#"
 set speed 115200
 set login
 set timeout 0
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

 #                          Example segments
 #
 # The following lines may be included as part of your configuration
 # section and aren't themselves complete.  They're provided as examples
 # of how to achieve different things.

 examples:
 # Multi-phone example.  Numbers separated by a : are used sequentially.
 # Numbers separated by a | are used if the previous dial or login script
 # failed.  Usually, you will prefer to use only one of | or :, but both
 # are allowed.
 #
    set phone 12345678|12345679:12345670|12345671
 #
 # Ppp can accept control instructions from the ``pppctl'' program.
 # First, you must set up your control socket.  It's safest to use
 # a UNIX domain socket, and watch the permissions:
 #
    set server /var/tmp/internet MySecretPassword 0177
 #
 # Although a TCP port may be used if you want to allow control
 # connections from other machines:
 #
    set server 6670 MySecretpassword
 #
 # If you don't like ppp's builtin chat, use an external one:
 #
    set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\""
 #
 # If we have a ``strange'' modem that must be re-initialized when we
 # hangup:
 #
    set hangup "\"\" AT OK-AT-OK ATZ OK"
 #
 # To adjust logging withouth blasting the setting in default:
 #
    set log -command +tcp/ip
 #
 # To see log messages on the screen in interactive mode:
 #
    set log local LCP IPCP CCP
 #
 # If you're seeing a lot of magic number problems and failed connections,
 # try this (see the man page):
 #
    set openmode active 5
 #
 # For noisy lines, we may want to reconnect (up to 20 times) after loss
 # of carrier, with 3 second delays between each attempt:
 #
    set reconnect 3 20
 #
 # When playing server for M$ clients, tell them who our NetBIOS name
 # servers are:
 #
    set nbns 10.0.0.1 10.0.0.2
 #
 # Inform the client if they ask for our DNS IP numbers:
 #
    enable dns
 #
 # If you don't want to tell them what's in your /etc/resolv.conf file
 # with `enable dns', override the values:
 #
    set dns 10.0.0.1 10.0.0.2
 #
 # If we're using the -alias switch, redirect ftp and http to an internal
 # machine:
 #
    alias port 10.0.0.2:ftp ftp
    alias port 10.0.0.2:http http
 #
 # or don't trust the outside at all
 #
    alias deny_incoming yes
 #
 # I trust user brian to run ppp, so this goes in the `default' section:
 #
    allow user brian
 #
 # But label `internet' contains passwords that even brian can't have, so
 # I empty out the user access list in that section so that only root can
 # have access:
 #
    allow users
 #
 # I also may wish to set up my ppp login script so that it asks the client
 # for the label they wish to use.  I may only want user ``dodgy'' to access
 # their own label in direct mode:
 #
 dodgy:
    allow user dodgy
    allow mode direct
 #
 # If we don't want ICMP and DNS packets to keep the connection alive:
 #
    set filter alive 0 deny icmp
    set filter alive 1 deny udp src eq 53
    set filter alive 2 deny udp dst eq 53
    set filter alive 3 permit 0 0
 #
 # And we don't want ICMPs to cause a dialup:
 #
    set filter dial 0 deny icmp
    set filter dial 1 permit 0 0
 #
 # or any TCP SYN or RST packets (badly closed TCP channels):
 #
    set filter dial 2 deny 0 0 tcp syn finrst
 #
 # Once the line's up, allow connections for ident (113), telnet (23),
 # ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24),
 # ICMP (ping) and traceroute (>33433).
 #
 # Anything else is blocked by default
 #
    set filter in  0 permit tcp dst eq 113
    set filter out 0 permit tcp src eq 113
    set filter in  1 permit tcp src eq 23 estab
    set filter out 1 permit tcp dst eq 23
    set filter in  2 permit tcp src eq 21 estab
    set filter out 2 permit tcp dst eq 21
    set filter in  3 permit tcp src eq 20 dst gt 1023
    set filter out 3 permit tcp dst eq 20
    set filter in  4 permit udp src eq 53
    set filter out 4 permit udp dst eq 53
    set filter in  5 permit 192.244.191.0/24 0/0
    set filter out 5 permit 0/0 192.244.191.0/24
    set filter in  6 permit icmp
    set filter out 6 permit icmp
    set filter in  7 permit udp dst gt 33433
    set filter out 7 permit udp dst gt 33433

 #
 # ``dodgynet'' is an example intended for an autodial configuration which
 # is connecting a local network to a host on an untrusted network.
 dodgynet:
    # Log link uptime
    set log Phase
    # For autoconnect only
    allow modes auto
    # Define modem device and speed
    set device /dev/cua01
    set speed 115200
    # Don't support LQR
    deny lqr
    # Remote system phone number, login and password
    set phone 0W1194
    set authname pppLogin
    set authkey MyPassword
    # Chat script to dial remote system
    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
              ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
    # Chat script to login to remote Unix system
    set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P"
    # Drop the link after 15 minutes of inactivity
    # Inactivity is defined by the `set filter alive' line below
    set timeout 900
    # Hard-code remote system to appear within local subnet and use proxy arp
    # to make this system the gateway
    set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0
    enable proxy

    # Allow any TCP packet to keep the link alive
    set filter alive 0 permit tcp

    # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or
    # private TCP ports 24 and 4000
    set filter dial  0 7      0 0 tcp dst eq http
    set filter dial  1 7      0 0 tcp dst eq login
    set filter dial  2 7      0 0 tcp dst eq shell
    set filter dial  3 7      0 0 tcp dst eq telnet
    set filter dial  4 7      0 0 tcp dst eq ftp
    set filter dial  5 7      0 0 tcp dst eq 24
    set filter dial  6 deny ! 0 0 tcp dst eq 4000
    # From hosts on a couple of local subnets to the remote peer
    # If the remote host allowed IP forwarding and we wanted to use it, the
    # following rules could be split into two groups to separately validate
    # the source and destination addresses.
    set filter dial  7 permit 172.17.16.0/20  172.17.20.248
    set filter dial  8 permit 172.17.36.0/22  172.17.20.248
    set filter dial  9 permit 172.17.118.0/26 172.17.20.248
    set filter dial 10 permit 10.123.5.0/24   172.17.20.248

    # Once the link's up, limit outgoing access to the specified hosts
    set filter out  0 4      172.17.16.0/20  172.17.20.248
    set filter out  1 4      172.17.36.0/22  172.17.20.248
    set filter out  2 4      172.17.118.0/26 172.17.20.248
    set filter out  3 deny ! 10.123.5.0/24   172.17.20.248
    # Allow established TCP connections
    set filter out  4 permit 0 0 tcp estab
    # And new connections to http, rlogin, rsh, telnet, ftp and ports
    # 24 and 4000
    set filter out  5 permit 0 0 tcp dst eq http
    set filter out  6 permit 0 0 tcp dst eq login
    set filter out  7 permit 0 0 tcp dst eq shell
    set filter out  8 permit 0 0 tcp dst eq telnet
    set filter out  9 permit 0 0 tcp dst eq ftp
    set filter out 10 permit 0 0 tcp dst eq 24
    set filter out 11 permit 0 0 tcp dst eq 4000
    # And outgoing icmp
    set filter out 12 permit 0 0 icmp

    # Once the link's up, limit incoming access to the specified hosts
    set filter in   0 4      172.17.20.248  172.17.16.0/20
    set filter in   1 4      172.17.20.248  172.17.36.0/22
    set filter in   2 4      172.17.20.248  172.17.118.0/26
    set filter in   3 deny ! 172.17.20.248  10.123.5.0/24
    # Established TCP connections and non-PASV FTP
    set filter in   4 permit 0/0  0/0  tcp estab
    set filter in   5 permit 0/0  0/0  tcp src eq 20
    # Useful ICMP messages
    set filter in   6 permit 0/0  0/0  icmp src eq 3
    set filter in   7 permit 0/0  0/0  icmp src eq 4
    set filter in   8 permit 0/0  0/0  icmp src eq 11
    set filter in   9 permit 0/0  0/0  icmp src eq 12
    # Echo reply (local systems can ping the remote host)
    set filter in  10 permit 0/0  0/0  icmp src eq 0
    # And the remote host can ping the local gateway (only)
    set filter in  11 permit 0/0  172.17.20.247 icmp src eq 8


 # Server side PPP
 #  If you want the remote system to authenticate itself, you insist
 #  that the peer uses CHAP (or PAP) with the "enable" keyword.  Both CHAP and
 #  PAP are disabled by default (we usually only "enable" one of them if the
 #  other side is dialing into our server).
 #  When the peer authenticates itself, we use ppp.secret for verification.
 #
 #  Ppp is launched with:
 #   # ppp -direct CHAPserver
 #
 #  Note:  We can supply a third field in ppp.secret specifying the IP address
 #         for that user.  We can even specify a fourth field to specify the
 #         ppp.link{up,down} label to use.
 #
 CHAPserver:
 enable chap
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31
 accept dns

 # If we wish to act as a server, allowing PAP access according to
 # accounts in /etc/passwd, we do this  (Without `enable passwdauth',
 # you may still enter ``*'' as the users password in ppp.secret and
 # ppp will look it up in the passwd database.  This is useful if you
 # need to assign a special label or IP number or range):
 #
 PAPServerwithPASSWD:
 enable pap
 enable passwdauth
 enable proxy
 set ifaddr 192.244.176.44 292.244.184.31
 accept dns


 # Example to connect using a null-modem cable:
 #  The important thing here is to allow the lqr packets on both sides.
 #  Without them enabled, we can't tell if the line's dropped - there
 #  should always be carrier on a direct connection.
 #  Here, the server sends lqr's every 10 seconds and quits if five in a
 #  row fail.
 #
 #  Make sure you don't have "deny lqr" in your default: on the client !
 #  If the peer denies LQR, we still send ECHO LQR packets at the given
 #  lqrperiod interval (ppp-style-pings).
 #
 direct-client:
 set dial ""
 set device /dev/cua00
 set sp 115200
 set timeout 900
 set lqrperiod 10
 set log Phase Chat LQM
 set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO"
 set ifaddr 10.0.4.2 10.0.4.1
 enable lqr
 accept lqr

 direct-server:
 set timeout 0
 set lqrperiod 10
 set log Phase LQM
 set ifaddr 10.0.4.1 10.0.4.2
 enable lqr
 accept lqr


 # Example to connect via compuserve (who insist on 7 bits even parity
 #  during the chat phase).
 #
 compuserve:
 set phone 1234567
 set parity even
 set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \
            word: XXXXXXXX PPP"
 set timeout 300
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 delete ALL
 add default HISADDR


 # Example for PPP over TCP.
 #  We assume that inetd on tcpsrv.mynet has been
 #  configured to run "ppp -direct tcp-server" when it gets a connection on
 #  port 1234.  Read the man page for further details
 #
 #  Note, we assume we're using a binary-clean connection.  If something
 #  such as `rlogin' is involved, you may need to ``set escape 0xff''
 #
 tcp-client:
 set device tcpsrv.mynet:1234
 set dial
 set login
 set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0

 tcp-server:
 set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0

 # If you want to test ppp, do it through a loopback:
 #
 # Requires a line in /etc/services:
 #   ppploop 6671/tcp # loopback ppp daemon
 #
 # and a line in /etc/inetd.conf:
 #   ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in
 #
 loop:
 set timeout 0
 set log phase chat connect lcp ipcp command
 set device localhost:ppploop
 set dial
 set login
 set ifaddr 127.0.0.2 127.0.0.3
 set server /var/tmp/loop "" 0177

 loop-in:
 set timeout 0
 set log phase lcp ipcp command
 allow mode direct

 # Example of a VPN.
 #  If you're going to create a tunnel through a public network, your VPN
 #  should be set up something like this:
 #
 #  You should already have set up ssh using ssh-agent & ssh-add.
 #
 #
 sloop:
 load loop
 # Passive mode allows ssh plenty of time to establish the connection
 set openmode passive
 set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in"

 # If you wish to connect to a server that will dial back *without* using
 # the ppp callback facility (rfc1570), take advantage of the fact that
 # ppp doesn't look for carrier 'till `set login' is complete:
 #
 # Here, we expect the server to say DIALBACK then disconnect after
 # we've authenticated ourselves.  When this has happened, we wait
 # 60 seconds for a RING.
 #
 dialback:
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \
           ATDT\\T TIMEOUT 60 CONNECT"
 set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \
           \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT"

 # Alternatively, if the peer is using the PPP callback protocol, use
 # normal dial and login scripts and add
 #
 set callback auth cbcp e.164 1234567
 set cbcp 1234567

 # If we're running a ppp server that wants to only call back microsoft
 # clients on numbers configured in /etc/ppp/ppp.secret (the 5th field):
 #
 set callback cbcp
 set cbcp
 set log +cbcp
 set redial 3 1
 set device /dev/cua00
 set speed 115200
 set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT"

 # Or if we want to allow authenticated clients to specify their own
 # callback number, use this ``set cbcp'' line instead:
 #
 set cbcp *

 # Multilink mode is available (rfc1990).
 # To enable multilink capabilities, you must specify a MRRU.  1500 is
 # a reasonable value.  To create new links, use the ``clone'' command
 # to duplicate an existing link.  If you already have more than one
 # link, you must specify which link you wish to run the command on via
 # the ``link'' command.
 #
 # You can now ``dial'' specific links, or even dial all links at the
 # same time.  The `dial' command may also be prefixed with a specific
 # link that should do the dialing.
 #
 mloop:
 load loop
 set mode interactive
 set mrru 1500
 set mru 1504			# Room for the MP header
 clone 1 2 3
 link deflink remove
 # dial
 # link 2 dial
 # link 3 dial

 mloop-in:
 set timeout 0
 set log tun phase
 allow mode direct
 set mrru 1500
 set mru 1504			# Room for the MP header

 # A PPPoE (PPP over Ethernet) setup may look like this:
 #
 pppoe:
 set device "!/usr/sbin/pppoe"
 set mtu max 1492
 set mru max 1492
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
--- a/src/etc/ppp/ppp.linkdown.sample
+++ b/src/etc/ppp/ppp.linkdown.sample
@ -1,34 +0,0 @@
 #########################################################################
 #
 #          Example of ppp.linkdown file
 #
 #  This file is checked when ppp closes a connection.
 #  ppp searches the labels in this file as follows:
 #
 #  1) The label that matches the IP number assigned to our side.
 #
 #  2) The label specified on the command line to ppp.
 #
 #  3) If no label has been found, use MYADDR if it exists.
 #
 #
 # $OpenBSD: ppp.linkdown.sample,v 1.5 2002/06/09 06:15:15 todd Exp $
 #
 #########################################################################

 # We don't really need to do much here.  If we have notified a DNS
 # of our temporary IP number, we may want to ``un-notify'' them.
 #
 # If you're into sound effects when the link goes down, you can run
 # ``auplay'' (assuming NAS is installed and configured).
 #
 MYADDR:
 !bg /usr/X11R6/bin/auplay /etc/ppp/linkdown.au

 # If you're running ``ppp -auto -alias dynamic-alias-auto'', and are
 # assigned a dynamic IP number by the peer, this may be worth while
 # to keep the interface aliases to a minimum (see ``enable iface-alias''
 # in the man page):
 #
 dynamic-alias-auto:
 iface clear
--- a/src/etc/ppp/ppp.linkup.sample
+++ b/src/etc/ppp/ppp.linkup.sample
@ -1,49 +0,0 @@
 #########################################################################
 #
 #          Example of ppp.linkup file
 #
 #  This file is checked when ppp establishes a connection.
 #  ppp searches the labels in this file as follows:
 #
 #  1) The label that matches the IP number assigned to our side.
 #
 #  2) The label specified on the command line to ppp.
 #
 #  3) If no label has been found, use MYADDR if it exists.
 #
 #
 # $OpenBSD: ppp.linkup.sample,v 1.4 2002/06/09 06:15:15 todd Exp $
 #
 #########################################################################

 # It is no longer necessary to re-add the default route here as our
 # ppp.conf route is `sticky' (see the man page).
 # If you're into sound effects when the link comes up, you can run
 # ``auplay'' (assuming NAS is installed and configured).
 #
 MYADDR:
 !bg /usr/X11R6/bin/auplay /etc/ppp/linkup.au

 # If we've got 192.244.176.32 as our address, then regard peer as a gateway
 # to 192.244.176.0 network.  This may also be done in ppp.conf instead.
 #
 192.244.176.32:
 add 192.244.176.0 0 HISADDR

 #You may want to execute a script after connecting.  This script can do
 # nice things such as kick off "sendmail -q", "popclient my.isp" and
 # "slurp -d news".  It can be passed MYADDR, HISADDR and INTERFACE
 # as arguments too - useful for informing a DNS of your assigned IP.
 #
 # You may also want some sound effects....
 #
 pmdemand:
 !bg /etc/ppp/ppp.etherup.pmdemand
 ! sh -c "cat /etc/ppp/linkup.au >/dev/audio"

 # If your minimum call charge is 5 minutes, you may as well stay on
 # the line for that amount of time.  If we want a 60 second subsequent
 # timeout, set your timeout to 300 in ppp.conf and then do this:
 #
 min5minutes:
 !bg sh -c "sleep 240; pppctl -p mypassword 3000 set timeout 60"
--- a/src/etc/ppp/ppp.secret.sample
+++ b/src/etc/ppp/ppp.secret.sample
@ -1,41 +0,0 @@
 ##################################################
 #
 #          Example of ppp.secret file
 #
 #  This file is used to authenticate incoming connections.
 #  You must ``enable'' either PAP or CHAP in your ppp.conf file.
 #  The peer may then use any of the Authname/Authkey pairs listed.
 #  Additionally, if ``passwdauth'' is enabled and an entry isn't
 #  found in this file, the passwd(5) database is used.
 #
 #  If the password is specified as "*", look it up in passwd(5).
 #  This doesn't work for CHAP connections as ppp must have access
 #  to the unencrypted password for CHAP.
 #
 #  If an IP address or address range is given as the third field, it
 #  will be assigned to the peer.  A ``*'' or an empty field may be
 #  used as a placeholder if you do not wish to override the IP
 #  address, but wish to specify further fields.
 #
 #  If a label is given as the forth field, it is used when reading
 #  the ppp.linkup and ppp.linkdown files.  A ``*'' or an empty field
 #  can be used as a placeholder if you do not wish to override the
 #  label, but wish to specify further fields.
 #
 #  If a phone number or list of phone numbers is given as the fifth
 #  field, these numbers will be used to call back the client if
 #  ``auth'' or ``cbcp'' callback is enabled (see ``set callback'').
 #  A ``*'' specifies that the client must specify the number.
 #
 # $OpenBSD: ppp.secret.sample,v 1.4 2002/06/09 06:15:15 todd Exp $
 #
 ##################################################

 # Authname Authkey      Peer's IP address        Label   Callback

 oscar      OurSecretKey 192.2.18.34
 BigBird    X4dWg9327    192.2.18.33/32
 fred       *            *                        fred
 subnet     *            192.2.18.35-192.2.18.70  subnet
 admin      *            *                        *       *
 homeworker *            *                        *       1234567