The PAP secrets file is very similar to that used by CHAP. The first two fields always contain a user name and a server name; the third holds the PAP secret. When the remote sends an authenticate request, pppd uses the entry that has a server field equal to the local hostname, and a user field equal to the user name sent in the request. When authenticating itself with the peer, pppd picks the secret to be sent from the line with the user field equal to the local user name, and the server field equal to the remote hostname.
A sample PAP secrets file might look like this:
The first line is used to authenticate ourselves when talking to c3po. The second line describes how a user named c3po has to authenticate itself with us.
The name vlager-pap in column one is the user name we send to c3po. By default, pppd will pick the local hostname as the user name, but you can also specify a different name by giving the user option, followed by that name.
When picking an entry from the pap-secrets file for authentication with the peer, pppd has to know the remote host's name. As it has no way of finding that out, you have to specify it on the command line using the remotename keyword, followed by the peer's hostname. For instance, to use the above entry for authentication with c3po, we have to add the following option to pppd's command line:
In the fourth field (and all fields following), you may specify what IP addresses are allowed for that particular host, just as in the CHAP secrets file. The peer may then only request addresses from that list. In the sample file, we require c3po to use its real IP address.
Note that PAP is a rather weak authentication method, and it is suggested you use CHAP instead whenever possible. We will therefore not cover PAP in greater detail here; if you are interested in using PAP, you will find some more PAP features in the pppd(8) manual page.