Don't allow accept/deny when it's not appropriate.
Log PAP/CHAP users in utmp & wtmp, allowing it to be avoided with "disable utmp"
This commit is contained in:
parent
eb00d48411
commit
301127fb0a
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=29729
|
@ -17,12 +17,13 @@
|
|||
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* $Id: chap.c,v 1.20 1997/08/25 00:29:06 brian Exp $
|
||||
* $Id: chap.c,v 1.21 1997/09/17 23:17:48 brian Exp $
|
||||
*
|
||||
* TODO:
|
||||
*/
|
||||
#include <sys/types.h>
|
||||
#include <time.h>
|
||||
#include <utmp.h>
|
||||
#include "fsm.h"
|
||||
#include "chap.h"
|
||||
#include "lcpproto.h"
|
||||
|
@ -32,6 +33,11 @@
|
|||
#include "loadalias.h"
|
||||
#include "vars.h"
|
||||
#include "auth.h"
|
||||
#ifdef __OpenBSD__
|
||||
#include "util.h"
|
||||
#else
|
||||
#include "libutil.h"
|
||||
#endif
|
||||
|
||||
static char *chapcodes[] = {
|
||||
"???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE"
|
||||
|
@ -184,7 +190,22 @@ RecvChapTalk(struct fsmheader * chp, struct mbuf * bp)
|
|||
* Compare with the response
|
||||
*/
|
||||
if (bcmp(cp, cdigest, 16) == 0) {
|
||||
ChapOutput(CHAP_SUCCESS, chp->id, "Wellcome!!", 10);
|
||||
ChapOutput(CHAP_SUCCESS, chp->id, "Welcome!!", 10);
|
||||
if ((mode & MODE_DIRECT) && isatty(modem) && Enabled(ConfUtmp))
|
||||
if (Utmp)
|
||||
LogPrintf(LogERROR, "Oops, already logged in on %s\n",
|
||||
VarBaseDevice);
|
||||
else {
|
||||
struct utmp ut;
|
||||
memset(&ut, 0, sizeof(ut));
|
||||
time(&ut.ut_time);
|
||||
strncpy(ut.ut_name, name, sizeof(ut.ut_name)-1);
|
||||
strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
|
||||
if (logout(ut.ut_line))
|
||||
logwtmp(ut.ut_line, "", "");
|
||||
login(&ut);
|
||||
Utmp = 1;
|
||||
}
|
||||
NewPhase(PHASE_NETWORK);
|
||||
break;
|
||||
}
|
||||
|
|
|
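Review bot: The corrected success message `"Welcome!!"` is nine characters long, but the length handed to ChapOutput stays at 10, so if that argument is the message length the reply now carries the string's NUL terminator as a tenth byte; change it to `ChapOutput(CHAP_SUCCESS, chp->id, "Welcome!!", 9);` or derive it with `sizeof("Welcome!!") - 1`. The new utmp block is a brace-less outer `if` wrapping an `if`/`else`; the `else` binds to `if (Utmp)` as intended today, but this is exactly the shape the dangling-else rule bites on the next edit, so brace the outer `if`. The utmp entry records the peer-supplied `name`, which is declared outside the hunk, and RecvChapTalk continues beyond the lines shown.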
@ -17,7 +17,7 @@
|
|||
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* $Id: lcp.c,v 1.31 1997/09/21 23:01:34 brian Exp $
|
||||
* $Id: lcp.c,v 1.32 1997/09/22 02:51:24 brian Exp $
|
||||
*
|
||||
* TODO:
|
||||
* o Validate magic number received from peer.
|
||||
|
@ -291,7 +291,7 @@ LcpSendConfigReq(struct fsm * fp)
|
|||
break;
|
||||
case PROTO_CHAP:
|
||||
PutConfValue(&cp, cftypes, TY_AUTHPROTO, 5, lcp->want_auth);
|
||||
*cp++ = 5; /* Use MD5 */
|
||||
*cp++ = VarEncMD4 ? 0x80 : 0x05; /* Use MD4/MD5 */
|
||||
break;
|
||||
}
|
||||
FsmOutput(fp, CODE_CONFIGREQ, fp->reqid++, ReqBuff, cp - ReqBuff);
|
||||
|
@ -510,10 +510,11 @@ LcpDecodeConfig(u_char * cp, int plen, int mode)
|
|||
LogPrintf(LogLCP, " %s bad length (%d)\n", request, length);
|
||||
goto reqreject;
|
||||
}
|
||||
if (Acceptable(ConfChap) && cp[4] == 5) {
|
||||
if (Acceptable(ConfChap) && (cp[4] == 5 || cp[4] == 0x80)) {
|
||||
LcpInfo.his_auth = proto;
|
||||
bcopy(cp, ackp, length);
|
||||
ackp += length;
|
||||
VarEncMD4 = cp[4] == 0x80;
|
||||
} else if (Acceptable(ConfPap)) {
|
||||
*nakp++ = *cp;
|
||||
*nakp++ = 4;
|
||||
|
|
|
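Review bot: In LcpDecodeConfig the algorithm byte from the peer's request is stored directly into VarEncMD4 (`VarEncMD4 = cp[4] == 0x80;`) and LcpSendConfigReq then sends that same choice back, so the peer alone decides whether MD4 or MD5 hashing is used; if MD4 is meant to be opt-in, gate it on local policy, e.g. `if (Acceptable(ConfChap) && (cp[4] == 5 || (cp[4] == 0x80 && Enabled(ConfMSExt)))) {`, assuming Enabled/ConfMSExt from vars.h are what this code already uses for the Microsoft extensions. The values 5 and 0x80 now appear as bare magic numbers in both hunks; a pair of named constants for the two algorithm identifiers would document them once. Both LcpSendConfigReq and LcpDecodeConfig extend beyond the hunks shown.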
@ -17,7 +17,7 @@
|
|||
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* $Id: modem.c,v 1.55 1997/09/22 00:46:56 brian Exp $
|
||||
* $Id: modem.c,v 1.56 1997/09/22 00:55:46 brian Exp $
|
||||
*
|
||||
* TODO:
|
||||
*/
|
||||
|
@ -32,6 +32,7 @@
|
|||
#include <errno.h>
|
||||
#include <time.h>
|
||||
#include <paths.h>
|
||||
#include <utmp.h>
|
||||
#ifdef __OpenBSD__
|
||||
#include <util.h>
|
||||
#else
|
||||
|
@ -728,6 +729,17 @@ CloseModem()
|
|||
{
|
||||
if (modem >= 0) {
|
||||
close(modem);
|
||||
if (Utmp) {
|
||||
struct utmp ut;
|
||||
strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
|
||||
ut.ut_line[sizeof(ut.ut_line)-1] = '\0';
|
||||
if (logout(ut.ut_line))
|
||||
logwtmp(ut.ut_line, "", "");
|
||||
else
|
||||
LogPrintf(LogERROR, "CloseModem: No longer logged in on %s\n",
|
||||
ut.ut_line);
|
||||
Utmp = 0;
|
||||
}
|
||||
UnlockModem();
|
||||
modem = -1;
|
||||
}
|
||||
|
|
|
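Review bot: The utmp teardown in CloseModem declares `struct utmp ut` without zeroing it and fills only ut_line, whereas the matching login sites in chap.c and pap.c start from `memset(&ut, 0, sizeof(ut))`; it is correct here because only ut_line is read, but a `memset(&ut, 0, sizeof(ut));` before the strncpy would keep the three sites consistent and make the explicit terminator on the following line redundant. Clearing `Utmp` even when logout() fails is the right choice since the device is already closed, though the LogERROR text could say the flag was reset regardless. CloseModem's closing brace lies outside the hunk.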
@ -18,10 +18,12 @@
|
|||
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* $Id: pap.c,v 1.13 1997/06/09 03:27:32 brian Exp $
|
||||
* $Id: pap.c,v 1.14 1997/08/25 00:29:24 brian Exp $
|
||||
*
|
||||
* TODO:
|
||||
*/
|
||||
#include <time.h>
|
||||
#include <utmp.h>
|
||||
#include "fsm.h"
|
||||
#include "lcp.h"
|
||||
#include "pap.h"
|
||||
|
@ -31,6 +33,11 @@
|
|||
#include "lcpproto.h"
|
||||
#include "phase.h"
|
||||
#include "auth.h"
|
||||
#ifdef __OpenBSD__
|
||||
#include "util.h"
|
||||
#else
|
||||
#include "libutil.h"
|
||||
#endif
|
||||
|
||||
#ifndef NOPASSWDAUTH
|
||||
#include "passwdauth.h"
|
||||
|
@ -141,8 +148,24 @@ PapInput(struct mbuf * bp)
|
|||
if (PapValidate(cp, cp + *cp + 1)) {
|
||||
SendPapCode(php->id, PAP_ACK, "Greetings!!");
|
||||
lcp->auth_ineed = 0;
|
||||
if (lcp->auth_iwait == 0)
|
||||
if (lcp->auth_iwait == 0) {
|
||||
if ((mode & MODE_DIRECT) && isatty(modem) && Enabled(ConfUtmp))
|
||||
if (Utmp)
|
||||
LogPrintf(LogERROR, "Oops, already logged in on %s\n",
|
||||
VarBaseDevice);
|
||||
else {
|
||||
struct utmp ut;
|
||||
memset(&ut, 0, sizeof(ut));
|
||||
time(&ut.ut_time);
|
||||
strncpy(ut.ut_name, cp+1, sizeof(ut.ut_name)-1);
|
||||
strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
|
||||
if (logout(ut.ut_line))
|
||||
logwtmp(ut.ut_line, "", "");
|
||||
login(&ut);
|
||||
Utmp = 1;
|
||||
}
|
||||
NewPhase(PHASE_NETWORK);
|
||||
}
|
||||
} else {
|
||||
SendPapCode(php->id, PAP_NAK, "Login incorrect");
|
||||
reconnect(RECON_FALSE);
|
||||
|
|
|
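Review bot: `strncpy(ut.ut_name, cp+1, sizeof(ut.ut_name)-1);` copies from the peer-id field of the PAP request, which on the wire is length-prefixed by `*cp` rather than NUL-terminated, so unless PapValidate terminates the name in place (its body is not in this diff) the copy runs on into the password-length byte and the first password bytes and records them in utmp/wtmp. Bound the copy by the stated length instead: `size_t nlen = *cp; if (nlen > sizeof(ut.ut_name) - 1) nlen = sizeof(ut.ut_name) - 1; memcpy(ut.ut_name, cp + 1, nlen);` (the preceding memset already supplies the terminator). If PapValidate does terminate the name, a comment such as `/* PapValidate() has NUL-terminated the peer id at cp+1 */` would make that dependency explicit. PapInput continues outside the hunk.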
@ -1,4 +1,4 @@
|
|||
.\" $Id: ppp.8,v 1.65 1997/09/17 23:17:56 brian Exp $
|
||||
.\" $Id: ppp.8,v 1.66 1997/09/21 13:06:43 brian Exp $
|
||||
.Dd 20 September 1995
|
||||
.Os FreeBSD
|
||||
.Dt PPP 8
|
||||
|
@ -1483,29 +1483,41 @@ field number is reduced to one octet rather than two.
|
|||
Default: Enabled and Accepted. This option decides if Predictor 1
|
||||
compression will be used.
|
||||
|
||||
.It msext
|
||||
Default: Disabled. This option allows the use of Microsoft's ppp
|
||||
extensions, supporting the negotiation of the Microsoft PPP DNS
|
||||
and the Microsoft NetBIOS NS. Enabling this allows us to pass back
|
||||
the values given in "set ns" and "set nbns".
|
||||
|
||||
.El
|
||||
The following options are not actually negotiated with the peer.
|
||||
Therefore, accepting or denying them makes no sense.
|
||||
|
||||
.Bl -tag -width 20
|
||||
.It proxy
|
||||
Default: Disabled and Denied. Unlike the other options (except
|
||||
passwdauth below), this is not negotiated with the peer. Therefore,
|
||||
accepting or denying it is of no use. Enabling this option will tell
|
||||
Default: Disabled. Enabling this option will tell
|
||||
.Nm
|
||||
to proxy ARP for the peer.
|
||||
|
||||
.It msext
|
||||
Default: Disabled and Accepted. This option allows the use
|
||||
of Microsoft's ppp extensions, supporting the negotiation of
|
||||
the Microsoft PPP DNS and the Microsoft NetBIOS NS.
|
||||
|
||||
.It passwdauth
|
||||
Default: Disabled and Denied. Unlike the other options (except
|
||||
.Dq proxy
|
||||
above), this is not negotiated with the peer. Therefore,
|
||||
accepting or denying it is of no use. Enabling this option will
|
||||
tell the PAP authentication code to use the
|
||||
Default: Disabled. Enabling this option will tell the PAP authentication
|
||||
code to use the
|
||||
.Pa passwd
|
||||
file to authenticate the caller rather than the
|
||||
.Pa ppp.secret
|
||||
file.
|
||||
|
||||
.It utmp
|
||||
Default: Enabled. Normally, when a user is authenticated using PAP or
|
||||
CHAP, and when
|
||||
.Nm
|
||||
is running in
|
||||
.Fl direct
|
||||
mode, an entry is made in the utmp and wtmp files for that user. Disabling
|
||||
this option will tell ppp not to make any utmp or wtmp entries. This is
|
||||
usually only necessary if you require the user to both login and authenticate
|
||||
themselves.
|
||||
|
||||
.El
|
||||
|
||||
.It add dest mask gateway
|
||||
|
@ -1842,12 +1854,12 @@ This sets the speed of the serial device.
|
|||
This command allows the setting of the idle timer, the LQR timer (if
|
||||
enabled) and the retry timer.
|
||||
|
||||
.It set ns x.x.x.x
|
||||
This option allows the setting of the Microsoft PPP DNS server that
|
||||
.It set ns x.x.x.x y.y.y.y
|
||||
This option allows the setting of the Microsoft PPP DNS servers that
|
||||
will be negotiated.
|
||||
|
||||
.It set nbns
|
||||
This option allows the setting of the Microsoft NetBIOS DNS server that
|
||||
.It set nbns x.x.x.x y.y.y.y
|
||||
This option allows the setting of the Microsoft NetBIOS DNS servers that
|
||||
will be negotiated.
|
||||
|
||||
.It set help|?
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $Id: ppp.8,v 1.65 1997/09/17 23:17:56 brian Exp $
|
||||
.\" $Id: ppp.8,v 1.66 1997/09/21 13:06:43 brian Exp $
|
||||
.Dd 20 September 1995
|
||||
.Os FreeBSD
|
||||
.Dt PPP 8
|
||||
|
@ -1483,29 +1483,41 @@ field number is reduced to one octet rather than two.
|
|||
Default: Enabled and Accepted. This option decides if Predictor 1
|
||||
compression will be used.
|
||||
|
||||
.It msext
|
||||
Default: Disabled. This option allows the use of Microsoft's ppp
|
||||
extensions, supporting the negotiation of the Microsoft PPP DNS
|
||||
and the Microsoft NetBIOS NS. Enabling this allows us to pass back
|
||||
the values given in "set ns" and "set nbns".
|
||||
|
||||
.El
|
||||
The following options are not actually negotiated with the peer.
|
||||
Therefore, accepting or denying them makes no sense.
|
||||
|
||||
.Bl -tag -width 20
|
||||
.It proxy
|
||||
Default: Disabled and Denied. Unlike the other options (except
|
||||
passwdauth below), this is not negotiated with the peer. Therefore,
|
||||
accepting or denying it is of no use. Enabling this option will tell
|
||||
Default: Disabled. Enabling this option will tell
|
||||
.Nm
|
||||
to proxy ARP for the peer.
|
||||
|
||||
.It msext
|
||||
Default: Disabled and Accepted. This option allows the use
|
||||
of Microsoft's ppp extensions, supporting the negotiation of
|
||||
the Microsoft PPP DNS and the Microsoft NetBIOS NS.
|
||||
|
||||
.It passwdauth
|
||||
Default: Disabled and Denied. Unlike the other options (except
|
||||
.Dq proxy
|
||||
above), this is not negotiated with the peer. Therefore,
|
||||
accepting or denying it is of no use. Enabling this option will
|
||||
tell the PAP authentication code to use the
|
||||
Default: Disabled. Enabling this option will tell the PAP authentication
|
||||
code to use the
|
||||
.Pa passwd
|
||||
file to authenticate the caller rather than the
|
||||
.Pa ppp.secret
|
||||
file.
|
||||
|
||||
.It utmp
|
||||
Default: Enabled. Normally, when a user is authenticated using PAP or
|
||||
CHAP, and when
|
||||
.Nm
|
||||
is running in
|
||||
.Fl direct
|
||||
mode, an entry is made in the utmp and wtmp files for that user. Disabling
|
||||
this option will tell ppp not to make any utmp or wtmp entries. This is
|
||||
usually only necessary if you require the user to both login and authenticate
|
||||
themselves.
|
||||
|
||||
.El
|
||||
|
||||
.It add dest mask gateway
|
||||
|
@ -1842,12 +1854,12 @@ This sets the speed of the serial device.
|
|||
This command allows the setting of the idle timer, the LQR timer (if
|
||||
enabled) and the retry timer.
|
||||
|
||||
.It set ns x.x.x.x
|
||||
This option allows the setting of the Microsoft PPP DNS server that
|
||||
.It set ns x.x.x.x y.y.y.y
|
||||
This option allows the setting of the Microsoft PPP DNS servers that
|
||||
will be negotiated.
|
||||
|
||||
.It set nbns
|
||||
This option allows the setting of the Microsoft NetBIOS DNS server that
|
||||
.It set nbns x.x.x.x y.y.y.y
|
||||
This option allows the setting of the Microsoft NetBIOS DNS servers that
|
||||
will be negotiated.
|
||||
|
||||
.It set help|?
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* $Id: vars.c,v 1.28 1997/09/16 23:15:16 brian Exp $
|
||||
* $Id: vars.c,v 1.29 1997/09/21 13:08:00 brian Exp $
|
||||
*
|
||||
*/
|
||||
#include "fsm.h"
|
||||
|
@ -30,7 +30,7 @@
|
|||
#include "defs.h"
|
||||
|
||||
char VarVersion[] = "PPP Version 1.2";
|
||||
char VarLocalVersion[] = "$Date: 1997/09/16 23:15:16 $";
|
||||
char VarLocalVersion[] = "$Date: 1997/09/21 13:08:00 $";
|
||||
|
||||
/*
|
||||
* Order of conf option is important. See vars.h.
|
||||
|
@ -43,9 +43,10 @@ struct confdesc pppConfs[] = {
|
|||
{"acfcomp", CONF_ENABLE, CONF_ACCEPT},
|
||||
{"protocomp", CONF_ENABLE, CONF_ACCEPT},
|
||||
{"pred1", CONF_ENABLE, CONF_ACCEPT},
|
||||
{"proxy", CONF_DISABLE, CONF_DENY},
|
||||
{"msext", CONF_DISABLE, CONF_ACCEPT},
|
||||
{"passwdauth", CONF_DISABLE, CONF_DENY},
|
||||
{"proxy", CONF_DISABLE, CONF_NONE},
|
||||
{"msext", CONF_DISABLE, CONF_NONE},
|
||||
{"passwdauth", CONF_DISABLE, CONF_NONE},
|
||||
{"utmp", CONF_ENABLE, CONF_NONE},
|
||||
{NULL},
|
||||
};
|
||||
|
||||
|
@ -69,8 +70,10 @@ DisplayCommand()
|
|||
fprintf(VarTerm, "----------------------------------------\n");
|
||||
for (vp = pppConfs; vp->name; vp++)
|
||||
fprintf(VarTerm, "%-10s\t%s\t\t%s\n", vp->name,
|
||||
(vp->myside == CONF_ENABLE) ? "enable" : "disable",
|
||||
(vp->hisside == CONF_ACCEPT) ? "accept" : "deny");
|
||||
(vp->myside == CONF_ENABLE) ? "enable" :
|
||||
(vp->myside == CONF_DISABLE ? "disable" : "N/A"),
|
||||
(vp->hisside == CONF_ACCEPT) ? "accept" :
|
||||
(vp->hisside == CONF_DENY ? "deny" : "N/A"));
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -88,10 +91,21 @@ ConfigCommand(struct cmdtab * list, int argc, char **argv, int mine, int val)
|
|||
do {
|
||||
for (vp = pppConfs; vp->name; vp++)
|
||||
if (strcasecmp(vp->name, *argv) == 0) {
|
||||
if (mine)
|
||||
vp->myside = val;
|
||||
else
|
||||
vp->hisside = val;
|
||||
if (mine) {
|
||||
if (vp->myside == CONF_NONE) {
|
||||
LogPrintf(LogWARN, "Config: %s cannot be enabled or disabled\n",
|
||||
vp->name);
|
||||
err++;
|
||||
} else
|
||||
vp->myside = val;
|
||||
} else {
|
||||
if (vp->hisside == CONF_NONE) {
|
||||
LogPrintf(LogWARN, "Config: %s cannot be accepted or denied\n",
|
||||
vp->name);
|
||||
err++;
|
||||
} else
|
||||
vp->hisside = val;
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (!vp->name) {
|
||||
|
|
|
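Review bot: The two branches of the new `if (mine)` in ConfigCommand are the same logic applied to a different field with different wording; a small static helper taking `int *side`, the value, the option name and the verb pair, which logs and bumps `err`, would remove the duplication and keep both messages in one place. `err`, `vp` and the rest of ConfigCommand are declared outside the hunk. The new pppConfs rows rely on their position matching the index constants in vars.h, which the comment above the table already warns about, so a reminder next to the new row, e.g. `{"utmp", CONF_ENABLE, CONF_NONE}, /* index must equal ConfUtmp */`, would be worth adding.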
@ -15,7 +15,7 @@
|
|||
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* $Id: vars.h,v 1.26 1997/09/04 00:38:22 brian Exp $
|
||||
* $Id: vars.h,v 1.27 1997/09/17 23:17:57 brian Exp $
|
||||
*
|
||||
* TODO:
|
||||
*/
|
||||
|
@ -30,6 +30,7 @@ struct confdesc {
|
|||
int myside, hisside;
|
||||
};
|
||||
|
||||
#define CONF_NONE -1
|
||||
#define CONF_DISABLE 0
|
||||
#define CONF_ENABLE 1
|
||||
|
||||
|
@ -46,7 +47,8 @@ struct confdesc {
|
|||
#define ConfProxy 7
|
||||
#define ConfMSExt 8
|
||||
#define ConfPasswdAuth 9
|
||||
#define MAXCONFS 10
|
||||
#define ConfUtmp 10
|
||||
#define MAXCONFS 11
|
||||
|
||||
#define Enabled(x) (pppConfs[x].myside & CONF_ENABLE)
|
||||
#define Acceptable(x) (pppConfs[x].hisside & CONF_ACCEPT)
|
||||
|
@ -142,6 +144,7 @@ struct pppvars {
|
|||
|
||||
extern struct pppvars pppVars;
|
||||
|
||||
int Utmp; /* Are we in /etc/utmp ? */
|
||||
int ipInOctets, ipOutOctets, ipKeepAlive;
|
||||
int ipConnectSecs, ipIdleSecs;
|
||||
|
||||
|
|
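Review bot: `#define CONF_NONE -1` has every bit set, so the bit-test macros below still evaluate true for it: assuming CONF_ACCEPT is a nonzero flag and CONF_DENY is 0 as the macros imply, `Acceptable(x)` on the proxy, msext, passwdauth and utmp rows that vars.c now marks CONF_NONE yields `-1 & CONF_ACCEPT`, i.e. true, where a CONF_DENY row used to yield false, and `Enabled(x)` would pass the same way if myside were ever CONF_NONE. Either give CONF_NONE a value sharing no bits with CONF_ENABLE/CONF_ACCEPT, or make the macros compare exactly: `#define Enabled(x) (pppConfs[x].myside == CONF_ENABLE)` and `#define Acceptable(x) (pppConfs[x].hisside == CONF_ACCEPT)`. Separately, `int Utmp;` in a header is a tentative definition that every including translation unit emits; it should be `extern int Utmp;` here with one definition in a .c file, as is already done for pppVars on the line above.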