# pptpd - how to allow users to connect with their shell pass?

## molot

I want to give my users the ability to connect to my network. As there are both Windows and *nix people, pptpd seemed a solution. One thing I can't quite figure:

How to allow them to login with their system username and password? And how to allow connections only for people in vpn group?

If there is some obvious documentation about this thing, then I must've missed it, please be so kind and post a link. More so if it isn't so obvious.

----------

## arut8ur

Hi,

I am interested in this as well.

If you find any docs that describe this, please post a follow-up link here.

----------

## molot

Just bump. So is it impossible with Linux and I'd have to put M$ Windows Server on a virtual machine, use samba/domain to connect its account to the host's, and then route vpn via it? Is it the only way to do this? Except kicking Gentoo out of my box, but I'd rather not.

----------

## molot

Ok, tried to google for it once more. It seems I should set "enable passwdauth" in /etc/ppp/ppp.conf - but in Gentoo I don't have a file like this. And I can't find a Gentoo-based manual. No pptpd related man page says how to do it either - or I do not know how to do it. Does anyone here know where should I start it?

----------

## salahx

pppd has a PAM flag (which is normally set by default). Try configuring pppd through the usual PAM modules (pam_unix and pam_succeed_if).

Do be advised that since the password database is encrypted in the password database, passwords have to be sent over the link in the clear.

----------

## SoLoR

Sorry to bump this... I wanted to try to achieve this as well, however after lots of reading it seems it's not possible using CHAP, you must use PAP and the "login" directive inside options.pptpd, problem is PAP is plain text with no encryption... why this is not possible with CHAP is, the password in the shadow file is hashed, CHAP also sends a hashed password, so because of 2x hash the password can't be decoded...

----------

## chithanh

If you want to use MPPE encryption, then you need to use MSCHAPv2, which requires that your users have NTLM style password hashes. For CHAP, the passwords need to be stored in plaintext. So if you still want PPTP, probably the best way would be to authenticate them against LDAP which could serve both pptpd and pam.

If you care about both Windows users and security, go L2TP/IPSec.

----------
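Added example, not part of any post in this thread: a Python sketch of why, as the two posts above say, PAP can be checked against a hashed system password while CHAP needs the server to hold the secret itself. The PBKDF2 call is a stand-in for the system's crypt(3) shadow hash (an assumption), and the password, salt and challenge are constructed sample values.

```python
import hashlib
import hmac


def shadow_entry(password: str, salt: bytes) -> bytes:
    # Stand-in (assumption) for a crypt(3) shadow hash: salted and one-way.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def pap_verify(cleartext: str, salt: bytes, stored: bytes) -> bool:
    # PAP: the peer sends the password itself over the link,
    # so the server can re-hash it and compare with the stored entry.
    return hmac.compare_digest(shadow_entry(cleartext, salt), stored)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, server_secret: bytes,
                challenge: bytes, response: bytes) -> bool:
    # The server must recompute the response from whatever secret it holds.
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse"      # constructed sample password
    salt = b"constructed-salt"      # constructed sample salt
    stored = shadow_entry(password, salt)
    ident, challenge = 1, bytes(range(16))  # constructed; a real server uses random bytes
    peer_resp = chap_response(ident, password.encode(), challenge)
    return {
        "pap_against_shadow": pap_verify(password, salt, stored),
        "pap_wrong_password": pap_verify("wrong", salt, stored),
        # Works only because the server holds the plaintext secret.
        "chap_with_plaintext": chap_verify(ident, password.encode(), challenge, peer_resp),
        # Fails: the one-way shadow entry is not the secret the peer hashed.
        "chap_with_shadow_hash": chap_verify(ident, stored, challenge, peer_resp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
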

## salahx

And if you want to set up ipsec/l2tp I wrote a tutorial not too long ago: http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server

Unfortunately l2tp just tunnels ppp, leaving you right back at the same mschapv2 problem. However, ppp does have a winbind plugin:

```
plugin winbind.so

ntlm_auth-helper "/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1"
```

Of course, you'll need Samba for this to work. I haven't found a way to make Winbind work without a domain/ADS controller, however. You can set up Samba as a domain controller, though.

----------

