Don't allow accept/deny when it's not appropriate.

Log PAP/CHAP users in utmp & wtmp, allowing it to
be avoided with "disable utmp"

usr.sbin/ppp/chap.c

@@ -17,12 +17,13 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: chap.c,v 1.20 1997/08/25 00:29:06 brian Exp $
+ * $Id: chap.c,v 1.21 1997/09/17 23:17:48 brian Exp $
  *
  *	TODO:
  */
 #include <sys/types.h>
 #include <time.h>
+#include <utmp.h>
 #include "fsm.h"
 #include "chap.h"
 #include "lcpproto.h"
@@ -32,6 +33,11 @@
 #include "loadalias.h"
 #include "vars.h"
 #include "auth.h"
+#ifdef __OpenBSD__
+#include "util.h"
+#else
+#include "libutil.h"
+#endif
 
 static char *chapcodes[] = {
   "???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE"
@@ -184,7 +190,22 @@ RecvChapTalk(struct fsmheader * chp, struct mbuf * bp)
        * Compare with the response
        */
       if (bcmp(cp, cdigest, 16) == 0) {
-	ChapOutput(CHAP_SUCCESS, chp->id, "Wellcome!!", 10);
+	ChapOutput(CHAP_SUCCESS, chp->id, "Welcome!!", 10);
+        if ((mode & MODE_DIRECT) && isatty(modem) && Enabled(ConfUtmp))
+	  if (Utmp)
+	    LogPrintf(LogERROR, "Oops, already logged in on %s\n",
+		      VarBaseDevice);
+	  else {
+	    struct utmp ut;
+	    memset(&ut, 0, sizeof(ut));
+	    time(&ut.ut_time);
+	    strncpy(ut.ut_name, name, sizeof(ut.ut_name)-1);
+	    strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
+	    if (logout(ut.ut_line))
+	      logwtmp(ut.ut_line, "", "");
+	    login(&ut);
+	    Utmp = 1;
+	  }
 	NewPhase(PHASE_NETWORK);
 	break;
       }

usr.sbin/ppp/lcp.c

@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: lcp.c,v 1.31 1997/09/21 23:01:34 brian Exp $
+ * $Id: lcp.c,v 1.32 1997/09/22 02:51:24 brian Exp $
  *
  * TODO:
  *      o Validate magic number received from peer.
@@ -291,7 +291,7 @@ LcpSendConfigReq(struct fsm * fp)
     break;
   case PROTO_CHAP:
     PutConfValue(&cp, cftypes, TY_AUTHPROTO, 5, lcp->want_auth);
-    *cp++ = 5;			/* Use MD5 */
+    *cp++ = VarEncMD4 ? 0x80 : 0x05;			/* Use MD4/MD5 */
     break;
   }
   FsmOutput(fp, CODE_CONFIGREQ, fp->reqid++, ReqBuff, cp - ReqBuff);
@@ -510,10 +510,11 @@ LcpDecodeConfig(u_char * cp, int plen, int mode)
 	    LogPrintf(LogLCP, " %s bad length (%d)\n", request, length);
 	    goto reqreject;
 	  }
-	  if (Acceptable(ConfChap) && cp[4] == 5) {
+	  if (Acceptable(ConfChap) && (cp[4] == 5 || cp[4] == 0x80)) {
 	    LcpInfo.his_auth = proto;
 	    bcopy(cp, ackp, length);
 	    ackp += length;
+	    VarEncMD4 = cp[4] == 0x80;
 	  } else if (Acceptable(ConfPap)) {
 	    *nakp++ = *cp;
 	    *nakp++ = 4;

usr.sbin/ppp/modem.c

@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: modem.c,v 1.55 1997/09/22 00:46:56 brian Exp $
+ * $Id: modem.c,v 1.56 1997/09/22 00:55:46 brian Exp $
  *
  *  TODO:
  */
@@ -32,6 +32,7 @@
 #include <errno.h>
 #include <time.h>
 #include <paths.h>
+#include <utmp.h>
 #ifdef __OpenBSD__
 #include <util.h>
 #else
@@ -728,6 +729,17 @@ CloseModem()
 {
   if (modem >= 0) {
     close(modem);
+    if (Utmp) {
+      struct utmp ut;
+      strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
+      ut.ut_line[sizeof(ut.ut_line)-1] = '\0';
+      if (logout(ut.ut_line))
+        logwtmp(ut.ut_line, "", ""); 
+      else
+        LogPrintf(LogERROR, "CloseModem: No longer logged in on %s\n",
+		  ut.ut_line);
+      Utmp = 0;
+    }
     UnlockModem();
     modem = -1;
   }

usr.sbin/ppp/pap.c

@@ -18,10 +18,12 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: pap.c,v 1.13 1997/06/09 03:27:32 brian Exp $
+ * $Id: pap.c,v 1.14 1997/08/25 00:29:24 brian Exp $
  *
  *	TODO:
  */
+#include <time.h>
+#include <utmp.h>
 #include "fsm.h"
 #include "lcp.h"
 #include "pap.h"
@@ -31,6 +33,11 @@
 #include "lcpproto.h"
 #include "phase.h"
 #include "auth.h"
+#ifdef __OpenBSD__
+#include "util.h"
+#else
+#include "libutil.h"
+#endif
 
 #ifndef NOPASSWDAUTH
 #include "passwdauth.h"
@@ -141,8 +148,24 @@ PapInput(struct mbuf * bp)
 	if (PapValidate(cp, cp + *cp + 1)) {
 	  SendPapCode(php->id, PAP_ACK, "Greetings!!");
 	  lcp->auth_ineed = 0;
-	  if (lcp->auth_iwait == 0)
+	  if (lcp->auth_iwait == 0) {
+	    if ((mode & MODE_DIRECT) && isatty(modem) && Enabled(ConfUtmp))
+	      if (Utmp)
+		LogPrintf(LogERROR, "Oops, already logged in on %s\n",
+			  VarBaseDevice);
+	      else {
+	        struct utmp ut;
+	        memset(&ut, 0, sizeof(ut));
+	        time(&ut.ut_time);
+	        strncpy(ut.ut_name, cp+1, sizeof(ut.ut_name)-1);
+	        strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
+	        if (logout(ut.ut_line))
+		  logwtmp(ut.ut_line, "", "");
+	        login(&ut);
+	        Utmp = 1;
+	      }
 	    NewPhase(PHASE_NETWORK);
+	  }
 	} else {
 	  SendPapCode(php->id, PAP_NAK, "Login incorrect");
 	  reconnect(RECON_FALSE);

usr.sbin/ppp/ppp.8

@@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.65 1997/09/17 23:17:56 brian Exp $
+.\" $Id: ppp.8,v 1.66 1997/09/21 13:06:43 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
@@ -1483,29 +1483,41 @@ field number is reduced to one octet rather than two.
 Default: Enabled and Accepted.  This option decides if Predictor 1
 compression will be used.
 
+.It msext
+Default: Disabled.  This option allows the use of Microsoft's ppp
+extensions, supporting the negotiation of the Microsoft PPP DNS
+and the Microsoft NetBIOS NS.  Enabling this allows us to pass back
+the values given in "set ns" and "set nbns".
+
+.El
+The following options are not actually negotiated with the peer.
+Therefore, accepting or denying them makes no sense.
+
+.Bl -tag -width 20
 .It proxy
-Default: Disabled and Denied.  Unlike the other options (except
-passwdauth below), this is not negotiated with the peer.  Therefore,
-accepting or denying it is of no use.  Enabling this option will tell
+Default: Disabled.  Enabling this option will tell
 .Nm
 to proxy ARP for the peer.
 
-.It msext
-Default: Disabled and Accepted.  This option allows the use
-of Microsoft's ppp extensions, supporting the negotiation of
-the Microsoft PPP DNS and the Microsoft NetBIOS NS.
-
 .It passwdauth
-Default: Disabled and Denied.  Unlike the other options (except
-.Dq proxy
-above), this is not negotiated with the peer.  Therefore,
-accepting or denying it is of no use.  Enabling this option will
-tell the PAP authentication code to use the
+Default: Disabled.  Enabling this option will tell the PAP authentication
+code to use the
 .Pa passwd
 file to authenticate the caller rather than the
 .Pa ppp.secret
 file.
 
+.It utmp
+Default: Enabled.  Normally, when a user is authenticated using PAP or
+CHAP, and when
+.Nm
+is running in
+.Fl direct
+mode, an entry is made in the utmp and wtmp files for that user.  Disabling
+this option will tell ppp not to make any utmp or wtmp entries.  This is
+usually only necessary if you require the user to both login and authenticate
+themselves.
+
 .El
 
 .It add dest mask gateway
@@ -1842,12 +1854,12 @@ This sets the speed of the serial device.
 This command allows the setting of the idle timer, the LQR timer (if
 enabled) and the retry timer.
 
-.It set ns x.x.x.x
-This option allows the setting of the Microsoft PPP DNS server that
+.It set ns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft PPP DNS servers that
 will be negotiated.
 
-.It set nbns
-This option allows the setting of the Microsoft NetBIOS DNS server that
+.It set nbns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft NetBIOS DNS servers that
 will be negotiated.
 
 .It set help|?

usr.sbin/ppp/ppp.8.m4

@@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.65 1997/09/17 23:17:56 brian Exp $
+.\" $Id: ppp.8,v 1.66 1997/09/21 13:06:43 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
@@ -1483,29 +1483,41 @@ field number is reduced to one octet rather than two.
 Default: Enabled and Accepted.  This option decides if Predictor 1
 compression will be used.
 
+.It msext
+Default: Disabled.  This option allows the use of Microsoft's ppp
+extensions, supporting the negotiation of the Microsoft PPP DNS
+and the Microsoft NetBIOS NS.  Enabling this allows us to pass back
+the values given in "set ns" and "set nbns".
+
+.El
+The following options are not actually negotiated with the peer.
+Therefore, accepting or denying them makes no sense.
+
+.Bl -tag -width 20
 .It proxy
-Default: Disabled and Denied.  Unlike the other options (except
-passwdauth below), this is not negotiated with the peer.  Therefore,
-accepting or denying it is of no use.  Enabling this option will tell
+Default: Disabled.  Enabling this option will tell
 .Nm
 to proxy ARP for the peer.
 
-.It msext
-Default: Disabled and Accepted.  This option allows the use
-of Microsoft's ppp extensions, supporting the negotiation of
-the Microsoft PPP DNS and the Microsoft NetBIOS NS.
-
 .It passwdauth
-Default: Disabled and Denied.  Unlike the other options (except
-.Dq proxy
-above), this is not negotiated with the peer.  Therefore,
-accepting or denying it is of no use.  Enabling this option will
-tell the PAP authentication code to use the
+Default: Disabled.  Enabling this option will tell the PAP authentication
+code to use the
 .Pa passwd
 file to authenticate the caller rather than the
 .Pa ppp.secret
 file.
 
+.It utmp
+Default: Enabled.  Normally, when a user is authenticated using PAP or
+CHAP, and when
+.Nm
+is running in
+.Fl direct
+mode, an entry is made in the utmp and wtmp files for that user.  Disabling
+this option will tell ppp not to make any utmp or wtmp entries.  This is
+usually only necessary if you require the user to both login and authenticate
+themselves.
+
 .El
 
 .It add dest mask gateway
@@ -1842,12 +1854,12 @@ This sets the speed of the serial device.
 This command allows the setting of the idle timer, the LQR timer (if
 enabled) and the retry timer.
 
-.It set ns x.x.x.x
-This option allows the setting of the Microsoft PPP DNS server that
+.It set ns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft PPP DNS servers that
 will be negotiated.
 
-.It set nbns
-This option allows the setting of the Microsoft NetBIOS DNS server that
+.It set nbns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft NetBIOS DNS servers that
 will be negotiated.
 
 .It set help|?

usr.sbin/ppp/vars.c

@@ -17,7 +17,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: vars.c,v 1.28 1997/09/16 23:15:16 brian Exp $
+ * $Id: vars.c,v 1.29 1997/09/21 13:08:00 brian Exp $
  *
  */
 #include "fsm.h"
@@ -30,7 +30,7 @@
 #include "defs.h"
 
 char VarVersion[] = "PPP Version 1.2";
-char VarLocalVersion[] = "$Date: 1997/09/16 23:15:16 $";
+char VarLocalVersion[] = "$Date: 1997/09/21 13:08:00 $";
 
 /*
  * Order of conf option is important. See vars.h.
@@ -43,9 +43,10 @@ struct confdesc pppConfs[] = {
   {"acfcomp", CONF_ENABLE, CONF_ACCEPT},
   {"protocomp", CONF_ENABLE, CONF_ACCEPT},
   {"pred1", CONF_ENABLE, CONF_ACCEPT},
-  {"proxy", CONF_DISABLE, CONF_DENY},
-  {"msext", CONF_DISABLE, CONF_ACCEPT},
-  {"passwdauth", CONF_DISABLE, CONF_DENY},
+  {"proxy", CONF_DISABLE, CONF_NONE},
+  {"msext", CONF_DISABLE, CONF_NONE},
+  {"passwdauth", CONF_DISABLE, CONF_NONE},
+  {"utmp", CONF_ENABLE, CONF_NONE},
   {NULL},
 };
 
@@ -69,8 +70,10 @@ DisplayCommand()
   fprintf(VarTerm, "----------------------------------------\n");
   for (vp = pppConfs; vp->name; vp++)
     fprintf(VarTerm, "%-10s\t%s\t\t%s\n", vp->name,
-	    (vp->myside == CONF_ENABLE) ? "enable" : "disable",
-	    (vp->hisside == CONF_ACCEPT) ? "accept" : "deny");
+	    (vp->myside == CONF_ENABLE) ? "enable" :
+             (vp->myside == CONF_DISABLE ? "disable" : "N/A"),
+	    (vp->hisside == CONF_ACCEPT) ? "accept" :
+             (vp->hisside == CONF_DENY ? "deny" : "N/A"));
 
   return 0;
 }
@@ -88,10 +91,21 @@ ConfigCommand(struct cmdtab * list, int argc, char **argv, int mine, int val)
   do {
     for (vp = pppConfs; vp->name; vp++)
       if (strcasecmp(vp->name, *argv) == 0) {
-	if (mine)
-	  vp->myside = val;
-	else
-	  vp->hisside = val;
+	if (mine) {
+          if (vp->myside == CONF_NONE) {
+            LogPrintf(LogWARN, "Config: %s cannot be enabled or disabled\n",
+                      vp->name);
+            err++;
+          } else
+	    vp->myside = val;
+	} else {
+          if (vp->hisside == CONF_NONE) {
+            LogPrintf(LogWARN, "Config: %s cannot be accepted or denied\n",
+                      vp->name);
+            err++;
+          } else
+	    vp->hisside = val;
+        }
 	break;
       }
     if (!vp->name) {

usr.sbin/ppp/vars.h

@@ -15,7 +15,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: vars.h,v 1.26 1997/09/04 00:38:22 brian Exp $
+ * $Id: vars.h,v 1.27 1997/09/17 23:17:57 brian Exp $
  *
  *	TODO:
  */
@@ -30,6 +30,7 @@ struct confdesc {
   int myside, hisside;
 };
 
+#define	CONF_NONE	-1
 #define	CONF_DISABLE	0
 #define	CONF_ENABLE	1
 
@@ -46,7 +47,8 @@ struct confdesc {
 #define	ConfProxy	7
 #define ConfMSExt	8
 #define ConfPasswdAuth	9
-#define	MAXCONFS	10
+#define ConfUtmp	10
+#define	MAXCONFS	11
 
 #define	Enabled(x)	(pppConfs[x].myside & CONF_ENABLE)
 #define	Acceptable(x)	(pppConfs[x].hisside & CONF_ACCEPT)
@@ -142,6 +144,7 @@ struct pppvars {
 
 extern struct pppvars pppVars;
 
+int Utmp;		/* Are we in /etc/utmp ? */
 int ipInOctets, ipOutOctets, ipKeepAlive;
 int ipConnectSecs, ipIdleSecs;