author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-03-17 17:07:46 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2014-03-17 17:07:46 +0000 |
commit | 4cc13ef8fb7ed5c410862bd9303546b2bd9609cb (patch) | |
tree | 02e721f25069277774db5002d6dfe2412f746c05 | |
parent | be93d6a9c125d07dfc2cc9f217b29a90d316ae6f (diff) |
the userland ppp(9) code goes away. Having too much ppp choice in the
tree results in one-true-ppp not coming into existence. This code is
essentially un-audited and quite dangerous.
ok claudio sthen
-rw-r--r-- | etc/Makefile | 10 | ||||
-rw-r--r-- | etc/ppp/ppp.conf.sample | 559 | ||||
-rw-r--r-- | etc/ppp/ppp.linkdown.sample | 34 | ||||
-rw-r--r-- | etc/ppp/ppp.linkup.sample | 49 | ||||
-rw-r--r-- | etc/ppp/ppp.secret.sample | 41 | ||||
-rw-r--r-- | share/man/man4/pppoe.4 | 8 | ||||
-rw-r--r-- | share/man/man4/sppp.4 | 7 | ||||
-rw-r--r-- | usr.sbin/Makefile | 4 | ||||
-rw-r--r-- | usr.sbin/pppd/pppd.8 | 5 |
9 files changed, 11 insertions, 706 deletions
diff --git a/etc/Makefile b/etc/Makefile index 21c1d02d93e..47a7f03ba4b 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.347 2014/03/15 22:13:36 sthen Exp $ +# $OpenBSD: Makefile,v 1.348 2014/03/17 17:07:45 deraadt Exp $ TZDIR= /usr/share/zoneinfo LOCALTIME= Canada/Mountain @@ -183,14 +183,6 @@ distribution-etc-root-var: distrib-dirs ${INSTALL} -c -o root -g wheel -m 600 chatscript.sample \ ${DESTDIR}/etc/ppp; \ ${INSTALL} -c -o root -g wheel -m 600 pap-secrets \ - ${DESTDIR}/etc/ppp; \ - ${INSTALL} -c -o root -g wheel -m 600 ppp.conf.sample \ - ${DESTDIR}/etc/ppp; \ - ${INSTALL} -c -o root -g wheel -m 644 ppp.linkup.sample \ - ${DESTDIR}/etc/ppp; \ - ${INSTALL} -c -o root -g wheel -m 644 ppp.linkdown.sample \ - ${DESTDIR}/etc/ppp; \ - ${INSTALL} -c -o root -g wheel -m 644 ppp.secret.sample \ ${DESTDIR}/etc/ppp cd signify; \ ${INSTALL} -c -o root -g wheel -m 644 *.pub \ diff --git a/etc/ppp/ppp.conf.sample b/etc/ppp/ppp.conf.sample deleted file mode 100644 index 9e4acfebd76..00000000000 --- a/etc/ppp/ppp.conf.sample +++ /dev/null 
@@ -1,559 +0,0 @@ -################################################################# -# -# PPP Sample Configuration File -# -# Originally written by Toshiharu OHNO -# -# $OpenBSD: ppp.conf.sample,v 1.24 2006/07/30 18:02:01 david Exp $ -# -################################################################# - -# This file is separated into sections. Each section is named with -# a label starting in column 0 and followed directly by a ``:''. The -# section continues until the next section. Blank lines and lines -# beginning with ``#'' are ignored. -# -# Lines beginning with "!include" will ``include'' another file. You -# may want to ``!include ~/.ppp.conf'' for backwards compatibility. -# - -# Default setup. Always executed when PPP is invoked. -# This section is *not* loaded by the ``load'' or ``dial'' commands. -# -# This is the best place to specify your modem device, its DTR rate, -# and any logging specification. Logging specs should be done first -# so that subsequent commands are logged. -# -default: - set log Phase Chat LCP IPCP CCP tun command - set device /dev/cua01 - set speed 115200 - set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" - -# Client side PPP -# -# Although the PPP protocol is a peer to peer protocol, we normally -# consider the side that makes the connection as the client and the -# side that receives the connection as the server. Authentication -# is required by the server either using a unix-style login procedure -# or by demanding PAP or CHAP authentication from the client. -# - -# An on demand example where we have dynamic IP addresses: -# If the peer assigns us an arbitrary IP (most ISPs do this) and we -# can't predict what their IP will be either, take a wild guess at -# some IPs that you can't currently route to. -# -# The /0 bit in "set ifaddr" says that we insist on 0 bits of the -# specified IP actually being correct, therefore, the other side can assign -# any IP numbers. 
-# -# The fourth arg to "set ifaddr" makes us send "0.0.0.0" as our requested -# IP number, forcing the peer to make the decision. -# -# This entry also works with static IP numbers or when not in -auto mode. -# The ``add'' line adds a `sticky' default route that will be updated if -# and when any of the IP numbers are changed in IPCP negotiations. -# The "set ifaddr" is required in -auto mode. -# -# Finally, the ``enable dns'' bit tells ppp to ask the peer for the -# nameserver addresses that should be used. This isn't always supported -# by the other side, but if it is, /etc/resolv.conf will automatically be -# updated. -# -pmdemand: - set phone 1234567 - set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" - set timeout 120 - set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 - add default HISADDR - enable dns - -# When we want to use PAP or CHAP instead of using a unix-style login -# procedure, we do the following. Note, the peer suggests whether we -# should send PAP or CHAP. By default, we send whatever we're asked for. -# -PAPorCHAPpmdemand: - set phone 1234567 - set login - set authname MyName - set authkey MyKey - set timeout 120 - set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 - add default HISADDR - enable dns - -# On demand dialup example with static IP addresses: -# Here, the local side uses 192.244.185.226 and the remote side -# uses 192.244.176.44. -# -# # ppp -auto ondemand -# -# With static IP numbers, our setup is similar to dynamic: -# Remember, ppp.linkup is searched for a "192.244.176.44" label, then -# a "ondemand" label, and finally the "MYADDR" label. -# -ondemand: - set phone 1234567 - set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp" - set timeout 120 - set ifaddr 192.244.185.226 192.244.176.44 - add default HISADDR - enable dns - -# To connect via a GPRS or UMTS device (e.g. 
a mobile phone or a PC Card), -# it's often necessary to set the access-point name (in this case 'internet') -# which requires quotes in the dial string. This section shows the escaping -# required. Devices that have not already authenticated the SIM card (like a -# PC Card) need to issue the "AT+CPIN=xxxx" (xxxx being the PIN for the SIM -# card) first. -# For certain devices it is necessary to adjust the baud rate (speed setting) -# and/or change the dial string to "*99***1#". -# UMTS devices often allow control of the connect mode (UMTS only, GPRS only -# or default to which is available); this can be controlled with the number -# passed to the AT+CGDCONT command and is device dependant. -# Some ISPs do special things in their IPCP session in order to negotiate -# the IP addresses; in this case it may be necessary to play with the ifaddr -# setting. -# See also: com(4), ubsa(4), ucom(4) and umodem(4) -# -mobile: - set device /dev/cuaU0 - set dial "ABORT ERROR ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \ - \"\" ATZ OK-ATZ-OK AT+CGDCONT=1,\\\"IP\\\",\\\"internet\\\" OK \\dATD\\T TIMEOUT 40 CONNECT" - set phone "*99#" - set speed 115200 - set login - set timeout 0 - set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 - add default HISADDR - enable dns - -# Example segments -# -# The following lines may be included as part of your configuration -# section and aren't themselves complete. They're provided as examples -# of how to achieve different things. - -examples: -# Multi-phone example. Numbers separated by a : are used sequentially. -# Numbers separated by a | are used if the previous dial or login script -# failed. Usually, you will prefer to use only one of | or :, but both -# are allowed. -# - set phone 12345678|12345679:12345670|12345671 -# -# Ppp can accept control instructions from the ``pppctl'' program. -# First, you must set up your control socket. 
It's safest to use -# a UNIX domain socket, and watch the permissions: -# - set server /var/tmp/internet MySecretPassword 0177 -# -# Although a TCP port may be used if you want to allow control -# connections from other machines: -# - set server 6670 MySecretpassword -# -# If you don't like ppp's builtin chat, use an external one: -# - set login "\"!chat \\\\-f /etc/ppp/ppp.dev.chat\"" -# -# If we have a ``strange'' modem that must be re-initialized when we -# hangup: -# - set hangup "\"\" AT OK-AT-OK ATZ OK" -# -# To adjust logging withouth blasting the setting in default: -# - set log -command +tcp/ip -# -# To see log messages on the screen in interactive mode: -# - set log local LCP IPCP CCP -# -# If you're seeing a lot of magic number problems and failed connections, -# try this (see the man page): -# - set openmode active 5 -# -# For noisy lines, we may want to reconnect (up to 20 times) after loss -# of carrier, with 3 second delays between each attempt: -# - set reconnect 3 20 -# -# When playing server for M$ clients, tell them who our NetBIOS name -# servers are: -# - set nbns 10.0.0.1 10.0.0.2 -# -# Inform the client if they ask for our DNS IP numbers: -# - enable dns -# -# If you don't want to tell them what's in your /etc/resolv.conf file -# with `enable dns', override the values: -# - set dns 10.0.0.1 10.0.0.2 -# -# If we're using the -alias switch, redirect ftp and http to an internal -# machine: -# - alias port 10.0.0.2:ftp ftp - alias port 10.0.0.2:http http -# -# or don't trust the outside at all -# - alias deny_incoming yes -# -# I trust user brian to run ppp, so this goes in the `default' section: -# - allow user brian -# -# But label `internet' contains passwords that even brian can't have, so -# I empty out the user access list in that section so that only root can -# have access: -# - allow users -# -# I also may wish to set up my ppp login script so that it asks the client -# for the label they wish to use. 
I may only want user ``dodgy'' to access -# their own label in direct mode: -# -dodgy: - allow user dodgy - allow mode direct -# -# If we don't want ICMP and DNS packets to keep the connection alive: -# - set filter alive 0 deny icmp - set filter alive 1 deny udp src eq 53 - set filter alive 2 deny udp dst eq 53 - set filter alive 3 permit 0 0 -# -# And we don't want ICMPs to cause a dialup: -# - set filter dial 0 deny icmp - set filter dial 1 permit 0 0 -# -# or any TCP SYN or RST packets (badly closed TCP channels): -# - set filter dial 2 deny 0 0 tcp syn finrst -# -# Once the line's up, allow connections for ident (113), telnet (23), -# ftp (20 & 21), DNS (53), my place of work (192.244.191.0/24), -# ICMP (ping) and traceroute (>33433). -# -# Anything else is blocked by default -# - set filter in 0 permit tcp dst eq 113 - set filter out 0 permit tcp src eq 113 - set filter in 1 permit tcp src eq 23 estab - set filter out 1 permit tcp dst eq 23 - set filter in 2 permit tcp src eq 21 estab - set filter out 2 permit tcp dst eq 21 - set filter in 3 permit tcp src eq 20 dst gt 1023 - set filter out 3 permit tcp dst eq 20 - set filter in 4 permit udp src eq 53 - set filter out 4 permit udp dst eq 53 - set filter in 5 permit 192.244.191.0/24 0/0 - set filter out 5 permit 0/0 192.244.191.0/24 - set filter in 6 permit icmp - set filter out 6 permit icmp - set filter in 7 permit udp dst gt 33433 - set filter out 7 permit udp dst gt 33433 - -# -# ``dodgynet'' is an example intended for an autodial configuration which -# is connecting a local network to a host on an untrusted network. 
-dodgynet: - # Log link uptime - set log Phase - # For autoconnect only - allow modes auto - # Define modem device and speed - set device /dev/cua01 - set speed 115200 - # Don't support LQR - deny lqr - # Remote system phone number, login and password - set phone 0W1194 - set authname pppLogin - set authkey MyPassword - # Chat script to dial remote system - set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ - ATE1Q0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT" - # Chat script to login to remote Unix system - set login "TIMEOUT 10 \"\" \"\" gin:--gin: \\U word: \\P" - # Drop the link after 15 minutes of inactivity - # Inactivity is defined by the `set filter alive' line below - set timeout 900 - # Hard-code remote system to appear within local subnet and use proxy arp - # to make this system the gateway - set ifaddr 172.17.20.247 172.17.20.248 255.255.240.0 - enable proxy - - # Allow any TCP packet to keep the link alive - set filter alive 0 permit tcp - - # Only allow dialup to be triggered by http, rlogin, rsh, telnet, ftp or - # private TCP ports 24 and 4000 - set filter dial 0 7 0 0 tcp dst eq http - set filter dial 1 7 0 0 tcp dst eq login - set filter dial 2 7 0 0 tcp dst eq shell - set filter dial 3 7 0 0 tcp dst eq telnet - set filter dial 4 7 0 0 tcp dst eq ftp - set filter dial 5 7 0 0 tcp dst eq 24 - set filter dial 6 deny ! 0 0 tcp dst eq 4000 - # From hosts on a couple of local subnets to the remote peer - # If the remote host allowed IP forwarding and we wanted to use it, the - # following rules could be split into two groups to separately validate - # the source and destination addresses. 
- set filter dial 7 permit 172.17.16.0/20 172.17.20.248 - set filter dial 8 permit 172.17.36.0/22 172.17.20.248 - set filter dial 9 permit 172.17.118.0/26 172.17.20.248 - set filter dial 10 permit 10.123.5.0/24 172.17.20.248 - - # Once the link's up, limit outgoing access to the specified hosts - set filter out 0 4 172.17.16.0/20 172.17.20.248 - set filter out 1 4 172.17.36.0/22 172.17.20.248 - set filter out 2 4 172.17.118.0/26 172.17.20.248 - set filter out 3 deny ! 10.123.5.0/24 172.17.20.248 - # Allow established TCP connections - set filter out 4 permit 0 0 tcp estab - # And new connections to http, rlogin, rsh, telnet, ftp and ports - # 24 and 4000 - set filter out 5 permit 0 0 tcp dst eq http - set filter out 6 permit 0 0 tcp dst eq login - set filter out 7 permit 0 0 tcp dst eq shell - set filter out 8 permit 0 0 tcp dst eq telnet - set filter out 9 permit 0 0 tcp dst eq ftp - set filter out 10 permit 0 0 tcp dst eq 24 - set filter out 11 permit 0 0 tcp dst eq 4000 - # And outgoing icmp - set filter out 12 permit 0 0 icmp - - # Once the link's up, limit incoming access to the specified hosts - set filter in 0 4 172.17.20.248 172.17.16.0/20 - set filter in 1 4 172.17.20.248 172.17.36.0/22 - set filter in 2 4 172.17.20.248 172.17.118.0/26 - set filter in 3 deny ! 
172.17.20.248 10.123.5.0/24 - # Established TCP connections and non-PASV FTP - set filter in 4 permit 0/0 0/0 tcp estab - set filter in 5 permit 0/0 0/0 tcp src eq 20 - # Useful ICMP messages - set filter in 6 permit 0/0 0/0 icmp src eq 3 - set filter in 7 permit 0/0 0/0 icmp src eq 4 - set filter in 8 permit 0/0 0/0 icmp src eq 11 - set filter in 9 permit 0/0 0/0 icmp src eq 12 - # Echo reply (local systems can ping the remote host) - set filter in 10 permit 0/0 0/0 icmp src eq 0 - # And the remote host can ping the local gateway (only) - set filter in 11 permit 0/0 172.17.20.247 icmp src eq 8 - - -# Server side PPP -# If you want the remote system to authenticate itself, you insist -# that the peer uses CHAP (or PAP) with the "enable" keyword. Both CHAP and -# PAP are disabled by default (we usually only "enable" one of them if the -# other side is dialing into our server). -# When the peer authenticates itself, we use ppp.secret for verification. -# -# Ppp is launched with: -# # ppp -direct CHAPserver -# -# Note: We can supply a third field in ppp.secret specifying the IP address -# for that user. We can even specify a fourth field to specify the -# ppp.link{up,down} label to use. -# -CHAPserver: - enable chap - enable proxy - set ifaddr 192.244.176.44 292.244.184.31 - accept dns - -# If we wish to act as a server, allowing PAP access according to -# accounts in /etc/passwd, we do this (Without `enable passwdauth', -# you may still enter ``*'' as the users password in ppp.secret and -# ppp will look it up in the passwd database. This is useful if you -# need to assign a special label or IP number or range): -# -PAPServerwithPASSWD: - enable pap - enable passwdauth - enable proxy - set ifaddr 192.244.176.44 292.244.184.31 - accept dns - - -# Example to connect using a null-modem cable: -# The important thing here is to allow the lqr packets on both sides. 
-# Without them enabled, we can't tell if the line's dropped - there -# should always be carrier on a direct connection. -# Here, the server sends lqr's every 10 seconds and quits if five in a -# row fail. -# -# Make sure you don't have "deny lqr" in your default: on the client ! -# If the peer denies LQR, we still send ECHO LQR packets at the given -# lqrperiod interval (ppp-style-pings). -# -direct-client: - set dial "" - set device /dev/cua00 - set sp 115200 - set timeout 900 - set lqrperiod 10 - set log Phase Chat LQM - set login "ABORT NO\\sCARRIER TIMEOUT 5 ogin:--ogin: ppp word: ppp HELLO" - set ifaddr 10.0.4.2 10.0.4.1 - enable lqr - accept lqr - -direct-server: - set timeout 0 - set lqrperiod 10 - set log Phase LQM - set ifaddr 10.0.4.1 10.0.4.2 - enable lqr - accept lqr - - -# Example to connect via compuserve (who insist on 7 bits even parity -# during the chat phase). -# -compuserve: - set phone 1234567 - set parity even - set login "TIMEOUT 100 \"\" \"\" Name: CIS ID: 999999,9999/go:pppconnect \ - word: XXXXXXXX PPP" - set timeout 300 - set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0 - delete ALL - add default HISADDR - - -# Example for PPP over TCP. -# We assume that inetd on tcpsrv.mynet has been -# configured to run "ppp -direct tcp-server" when it gets a connection on -# port 1234. Read the man page for further details -# -# Note, we assume we're using a binary-clean connection. 
If something -# such as `rlogin' is involved, you may need to ``set escape 0xff'' -# -tcp-client: - set device tcpsrv.mynet:1234 - set dial - set login - set ifaddr 10.0.5.1 10.0.4.1 255.255.255.0 - -tcp-server: - set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 - -# If you want to test ppp, do it through a loopback: -# -# Requires a line in /etc/services: -# ppploop 6671/tcp # loopback ppp daemon -# -# and a line in /etc/inetd.conf: -# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in -# -loop: - set timeout 0 - set log phase chat connect lcp ipcp command - set device localhost:ppploop - set dial - set login - set ifaddr 127.0.0.2 127.0.0.3 - set server /var/tmp/loop "" 0177 - -loop-in: - set timeout 0 - set log phase lcp ipcp command - allow mode direct - -# Example of a VPN. -# If you're going to create a tunnel through a public network, your VPN -# should be set up something like this: -# -# You should already have set up ssh using ssh-agent & ssh-add. -# -# -sloop: - load loop - # Passive mode allows ssh plenty of time to establish the connection - set openmode passive - set device "!ssh whatevermachine /usr/sbin/ppp -direct loop-in" - -# If you wish to connect to a server that will dial back *without* using -# the ppp callback facility (rfc1570), take advantage of the fact that -# ppp doesn't look for carrier 'till `set login' is complete: -# -# Here, we expect the server to say DIALBACK then disconnect after -# we've authenticated ourselves. When this has happened, we wait -# 60 seconds for a RING. 
-# -dialback: - set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ - ATDT\\T TIMEOUT 60 CONNECT" - set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ - \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" - -# Alternatively, if the peer is using the PPP callback protocol, use -# normal dial and login scripts and add -# - set callback auth cbcp e.164 1234567 - set cbcp 1234567 - -# If we're running a ppp server that wants to only call back microsoft -# clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): -# - set callback cbcp - set cbcp - set log +cbcp - set redial 3 1 - set device /dev/cua00 - set speed 115200 - set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" - -# Or if we want to allow authenticated clients to specify their own -# callback number, use this ``set cbcp'' line instead: -# - set cbcp * - -# Multilink mode is available (rfc1990). -# To enable multilink capabilities, you must specify a MRRU. 1500 is -# a reasonable value. To create new links, use the ``clone'' command -# to duplicate an existing link. If you already have more than one -# link, you must specify which link you wish to run the command on via -# the ``link'' command. -# -# You can now ``dial'' specific links, or even dial all links at the -# same time. The `dial' command may also be prefixed with a specific -# link that should do the dialing. -# -mloop: - load loop - set mode interactive - set mrru 1500 - set mru 1504 # Room for the MP header - clone 1 2 3 - link deflink remove - # dial - # link 2 dial - # link 3 dial - -mloop-in: - set timeout 0 - set log tun phase - allow mode direct - set mrru 1500 - set mru 1504 # Room for the MP header - -# A PPPoE (PPP over Ethernet) setup may look like this: -# -pppoe: - set device "!/usr/sbin/pppoe" - set mtu max 1492 - set mru max 1492 - set speed sync - disable acfcomp protocomp - deny acfcomp 
diff --git a/etc/ppp/ppp.linkdown.sample b/etc/ppp/ppp.linkdown.sample deleted file mode 100644 index 47cfa141640..00000000000 --- a/etc/ppp/ppp.linkdown.sample +++ /dev/null @@ -1,34 +0,0 @@ -######################################################################### -# -# Example of ppp.linkdown file -# -# This file is checked when ppp closes a connection. -# ppp searches the labels in this file as follows: -# -# 1) The label that matches the IP number assigned to our side. -# -# 2) The label specified on the command line to ppp. -# -# 3) If no label has been found, use MYADDR if it exists. -# -# -# $OpenBSD: ppp.linkdown.sample,v 1.5 2002/06/09 06:15:15 todd Exp $ -# -######################################################################### - -# We don't really need to do much here. If we have notified a DNS -# of our temporary IP number, we may want to ``un-notify'' them. -# -# If you're into sound effects when the link goes down, you can run -# ``auplay'' (assuming NAS is installed and configured). -# -MYADDR: - !bg /usr/X11R6/bin/auplay /etc/ppp/linkdown.au - -# If you're running ``ppp -auto -alias dynamic-alias-auto'', and are -# assigned a dynamic IP number by the peer, this may be worth while -# to keep the interface aliases to a minimum (see ``enable iface-alias'' -# in the man page): -# -dynamic-alias-auto: - iface clear diff --git a/etc/ppp/ppp.linkup.sample b/etc/ppp/ppp.linkup.sample deleted file mode 100644 index d654cee3311..00000000000 --- a/etc/ppp/ppp.linkup.sample +++ /dev/null 
@@ -1,49 +0,0 @@ -######################################################################### -# -# Example of ppp.linkup file -# -# This file is checked when ppp establishes a connection. -# ppp searches the labels in this file as follows: -# -# 1) The label that matches the IP number assigned to our side. -# -# 2) The label specified on the command line to ppp. -# -# 3) If no label has been found, use MYADDR if it exists. -# -# -# $OpenBSD: ppp.linkup.sample,v 1.4 2002/06/09 06:15:15 todd Exp $ -# -######################################################################### - -# It is no longer necessary to re-add the default route here as our -# ppp.conf route is `sticky' (see the man page). -# If you're into sound effects when the link comes up, you can run -# ``auplay'' (assuming NAS is installed and configured). -# -MYADDR: - !bg /usr/X11R6/bin/auplay /etc/ppp/linkup.au - -# If we've got 192.244.176.32 as our address, then regard peer as a gateway -# to 192.244.176.0 network. This may also be done in ppp.conf instead. -# -192.244.176.32: - add 192.244.176.0 0 HISADDR - -#You may want to execute a script after connecting. This script can do -# nice things such as kick off "sendmail -q", "popclient my.isp" and -# "slurp -d news". It can be passed MYADDR, HISADDR and INTERFACE -# as arguments too - useful for informing a DNS of your assigned IP. -# -# You may also want some sound effects.... -# -pmdemand: - !bg /etc/ppp/ppp.etherup.pmdemand - ! sh -c "cat /etc/ppp/linkup.au >/dev/audio" - -# If your minimum call charge is 5 minutes, you may as well stay on -# the line for that amount of time. If we want a 60 second subsequent -# timeout, set your timeout to 300 in ppp.conf and then do this: -# -min5minutes: - !bg sh -c "sleep 240; pppctl -p mypassword 3000 set timeout 60" diff --git a/etc/ppp/ppp.secret.sample b/etc/ppp/ppp.secret.sample deleted file mode 100644 index 4bf5034380b..00000000000 --- a/etc/ppp/ppp.secret.sample +++ /dev/null 
@@ -1,41 +0,0 @@ -################################################## -# -# Example of ppp.secret file -# -# This file is used to authenticate incoming connections. -# You must ``enable'' either PAP or CHAP in your ppp.conf file. -# The peer may then use any of the Authname/Authkey pairs listed. -# Additionally, if ``passwdauth'' is enabled and an entry isn't -# found in this file, the passwd(5) database is used. -# -# If the password is specified as "*", look it up in passwd(5). -# This doesn't work for CHAP connections as ppp must have access -# to the unencrypted password for CHAP. -# -# If an IP address or address range is given as the third field, it -# will be assigned to the peer. A ``*'' or an empty field may be -# used as a placeholder if you do not wish to override the IP -# address, but wish to specify further fields. -# -# If a label is given as the forth field, it is used when reading -# the ppp.linkup and ppp.linkdown files. A ``*'' or an empty field -# can be used as a placeholder if you do not wish to override the -# label, but wish to specify further fields. -# -# If a phone number or list of phone numbers is given as the fifth -# field, these numbers will be used to call back the client if -# ``auth'' or ``cbcp'' callback is enabled (see ``set callback''). -# A ``*'' specifies that the client must specify the number. -# -# $OpenBSD: ppp.secret.sample,v 1.4 2002/06/09 06:15:15 todd Exp $ -# -################################################## - -# Authname Authkey Peer's IP address Label Callback - -oscar OurSecretKey 192.2.18.34 -BigBird X4dWg9327 192.2.18.33/32 -fred * * fred -subnet * 192.2.18.35-192.2.18.70 subnet -admin * * * * -homeworker * * * 1234567 diff --git a/share/man/man4/pppoe.4 b/share/man/man4/pppoe.4 index baa02391786..d48ad259a74 100644 --- a/share/man/man4/pppoe.4 +++ b/share/man/man4/pppoe.4 
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pppoe.4,v 1.24 2012/09/26 17:34:38 jmc Exp $
+.\" $OpenBSD: pppoe.4,v 1.25 2014/03/17 17:07:45 deraadt Exp $
 .\" $NetBSD: pppoe.4,v 1.26 2003/10/02 07:06:36 wiz Exp $
 .\"
 .\" Copyright (c) 2002 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 26 2012 $
+.Dd $Mdocdate: March 17 2014 $
 .Dt PPPOE 4
 .Os
 .Sh NAME
@@ -237,9 +237,7 @@ for more information on MTU, MSS, and NAT.
 .Xr sppp 4 ,
 .Xr hostname.if 5 ,
 .Xr pf.conf 5 ,
-.Xr ifconfig 8 ,
-.Xr ppp 8 ,
-.Xr pppoe 8
+.Xr ifconfig 8
 .Sh STANDARDS
 .Rs
 .%A L. Mamakos
diff --git a/share/man/man4/sppp.4 b/share/man/man4/sppp.4
index a70167cee6a..f4bcc35f997 100644
--- a/share/man/man4/sppp.4
+++ b/share/man/man4/sppp.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sppp.4,v 1.23 2013/07/16 16:05:49 schwarze Exp $
+.\" $OpenBSD: sppp.4,v 1.24 2014/03/17 17:07:45 deraadt Exp $
 .\"
 .\" Copyright (c) 1997 Joerg Wunsch
 .\"
@@ -25,7 +25,7 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\"
-.Dd $Mdocdate: July 16 2013 $
+.Dd $Mdocdate: March 17 2014 $
 .Dt SPPP 4
 .Os
 .Sh NAME
@@ -204,8 +204,7 @@ take place.
 .Sh SEE ALSO
 .Xr inet 4 ,
 .Xr pppoe 4 ,
-.Xr ifconfig 8 ,
-.Xr ppp 8
+.Xr ifconfig 8
 .Sh STANDARDS
 .Rs
 .%A G. McGregor
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index afdc2f4fa38..ffe2fbfd7c8 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.174 2014/03/15 22:13:36 sthen Exp $
+# $OpenBSD: Makefile,v 1.175 2014/03/17 17:07:44 deraadt Exp $
 .include <bsd.own.mk>
@@ -11,7 +11,7 @@ SUBDIR= ac accton acpidump adduser amd apm apmd arp \
 memconfig mksuncd mkuboot mopd mrinfo mrouted \
 mtrace mtree ndp netgroup_mkdb \
 nginx npppctl npppd nsd ntpd openssl ospfctl ospfd ospf6d ospf6ctl \
- pcidump pkg_add portmap ppp pppd pppoe procmap pstat pwd_mkdb \
+ pcidump pkg_add portmap pppd procmap pstat pwd_mkdb \
 quot quotaon rarpd rbootd rdate relayctl relayd repquota rip6query \
 ripctl ripd rmt route6d rpc.bootparamd rpc.lockd rpc.statd rtadvd \
 rtsold rwhod sa sasyncd sensorsd sliplogin slowcgi slstats smtpd \
diff --git a/usr.sbin/pppd/pppd.8 b/usr.sbin/pppd/pppd.8
index 3110fb28672..55fefdfbdc6 100644
--- a/usr.sbin/pppd/pppd.8
+++ b/usr.sbin/pppd/pppd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pppd.8,v 1.42 2014/01/21 03:15:46 schwarze Exp $
+.\" $OpenBSD: pppd.8,v 1.43 2014/03/17 17:07:45 deraadt Exp $
 .\" Id: pppd.8,v 1.27 1998/03/31 04:31:08 paulus Exp $
 .\"
 .\" Copyright (c) 1993-2003 Paul Mackerras <paulus@samba.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 21 2014 $
+.Dd $Mdocdate: March 17 2014 $
 .Dt PPPD 8
 .Os
 .Sh NAME
@@ -1427,7 +1427,6 @@ This signal acts as a toggle.
 .Xr ppp 4 ,
 .Xr tty 4 ,
 .Xr chat 8 ,
-.Xr ppp 8 ,
 .Xr syslogd 8 ,
 .Xr tcpdump 8
 .Rs |
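Review bot: In the usr.sbin/Makefile hunk at `@@ -11,7 +11,7 @@`, dropping `ppp` and `pppoe` from `SUBDIR` only stops them from being built and installed; nothing visible in this commit removes copies already present on an upgraded system. Because the commit message calls this code un-audited and dangerous, the upgrade notes should tell administrators to delete the stale `/usr/sbin/ppp` and `/usr/sbin/pppoe` (paths as they appear in the removed ppp.conf.sample) and to review any leftover `/etc/ppp/ppp.secret`, which per the removed sample can hold unencrypted CHAP passwords. The diffstat lists no files under usr.sbin/ppp or usr.sbin/pppoe, so the sources are presumably removed separately; until then a short comment such as `# ppp and pppoe intentionally unhooked, see commit log` near `SUBDIR` would keep them from being re-added by mistake. The `SUBDIR` assignment begins and ends outside this hunk.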