author | brian <brian@FreeBSD.org> | 1997-09-22 23:59:16 +0000 |
committer | brian <brian@FreeBSD.org> | 1997-09-22 23:59:16 +0000 |
commit | 3884570228b4fa8937f60dd6d2fcba459b3a17d3 (patch) | |
tree | 50b89e1bd1f71f2296e7205dab3ed03434607277 /usr.sbin/ppp | |
parent | 21a8eb1d318f2fd4ee79da9aac7115e89b4bc033 (diff) | |
Don't allow accept/deny when it's not appropriate.
Log PAP/CHAP users in utmp & wtmp, allowing it to
be avoided with "disable utmp"
Diffstat (limited to 'usr.sbin/ppp')
-rw-r--r-- | usr.sbin/ppp/chap.c | 25 | ||||
-rw-r--r-- | usr.sbin/ppp/lcp.c | 7 | ||||
-rw-r--r-- | usr.sbin/ppp/modem.c | 14 | ||||
-rw-r--r-- | usr.sbin/ppp/pap.c | 27 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp.8 | 48 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp.8.m4 | 48 | ||||
-rw-r--r-- | usr.sbin/ppp/vars.c | 36 | ||||
-rw-r--r-- | usr.sbin/ppp/vars.h | 7 |
8 files changed, 155 insertions, 57 deletions
diff --git a/usr.sbin/ppp/chap.c b/usr.sbin/ppp/chap.c
index 9effb34..35ae17d 100644
--- a/usr.sbin/ppp/chap.c
+++ b/usr.sbin/ppp/chap.c
@@ -17,12 +17,13 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: chap.c,v 1.20 1997/08/25 00:29:06 brian Exp $
+ * $Id: chap.c,v 1.21 1997/09/17 23:17:48 brian Exp $
 *
 * TODO:
 */
 #include <sys/types.h>
 #include <time.h>
+#include <utmp.h>
 #include "fsm.h"
 #include "chap.h"
 #include "lcpproto.h"
@@ -32,6 +33,11 @@
 #include "loadalias.h"
 #include "vars.h"
 #include "auth.h"
+#ifdef __OpenBSD__
+#include "util.h"
+#else
+#include "libutil.h"
+#endif
 static char *chapcodes[] = {
 "???", "CHALLENGE", "RESPONSE", "SUCCESS", "FAILURE"
@@ -184,7 +190,22 @@ RecvChapTalk(struct fsmheader * chp, struct mbuf * bp)
 * Compare with the response
 */
 if (bcmp(cp, cdigest, 16) == 0) {
- ChapOutput(CHAP_SUCCESS, chp->id, "Wellcome!!", 10);
+ ChapOutput(CHAP_SUCCESS, chp->id, "Welcome!!", 10);
+ if ((mode & MODE_DIRECT) && isatty(modem) && Enabled(ConfUtmp))
+ if (Utmp)
+ LogPrintf(LogERROR, "Oops, already logged in on %s\n",
+ VarBaseDevice);
+ else {
+ struct utmp ut;
+ memset(&ut, 0, sizeof(ut));
+ time(&ut.ut_time);
+ strncpy(ut.ut_name, name, sizeof(ut.ut_name)-1);
+ strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
+ if (logout(ut.ut_line))
+ logwtmp(ut.ut_line, "", "");
+ login(&ut);
+ Utmp = 1;
+ }
 NewPhase(PHASE_NETWORK);
 break;
 }
diff --git a/usr.sbin/ppp/lcp.c b/usr.sbin/ppp/lcp.c
index 1aa31b0..ca7006a 100644
--- a/usr.sbin/ppp/lcp.c
+++ b/usr.sbin/ppp/lcp.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: lcp.c,v 1.31 1997/09/21 23:01:34 brian Exp $
+ * $Id: lcp.c,v 1.32 1997/09/22 02:51:24 brian Exp $
 *
 * TODO:
 * o Validate magic number received from peer.
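Review bot: The libutil header is pulled in with quotes, `#include "util.h"` / `#include "libutil.h"`, although it is a system header, and the modem.c hunk of this same commit spells it `#include <util.h>`. With the quoted form the preprocessor searches the source directory first, so a stray file of that name next to the sources would shadow the system header, and the two files now disagree in style for no reason. Use `#include <util.h>` and `#include <libutil.h>` here as modem.c does.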
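Review bot: The corrected success message `"Welcome!!"` is nine characters but is still sent with the old length of 10, so the CHAP Success packet now carries a trailing NUL byte in its Message field; use `ChapOutput(CHAP_SUCCESS, chp->id, "Welcome!!", 9);` or derive the length with `sizeof "Welcome!!" - 1` so the two cannot drift apart again. Separately, `name` (presumably the NUL-terminated copy of the peer-supplied identity made earlier in RecvChapTalk, outside this hunk) is written into `ut.ut_name` unfiltered, so a peer can place control characters or escape sequences into utmp/wtmp, which `who` and `last` later print to an administrator's terminal; consider rejecting or stripping non-printable bytes before `login(&ut)`. The preceding `memset` keeps the strncpy result terminated, so the copy itself is bounded. RecvChapTalk's body starts and ends outside the hunk.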
@@ -291,7 +291,7 @@ LcpSendConfigReq(struct fsm * fp)
 break;
 case PROTO_CHAP:
 PutConfValue(&cp, cftypes, TY_AUTHPROTO, 5, lcp->want_auth);
- *cp++ = 5; /* Use MD5 */
+ *cp++ = VarEncMD4 ? 0x80 : 0x05; /* Use MD4/MD5 */
 break;
 }
 FsmOutput(fp, CODE_CONFIGREQ, fp->reqid++, ReqBuff, cp - ReqBuff);
@@ -510,10 +510,11 @@ LcpDecodeConfig(u_char * cp, int plen, int mode)
 LogPrintf(LogLCP, " %s bad length (%d)\n", request, length);
 goto reqreject;
 }
- if (Acceptable(ConfChap) && cp[4] == 5) {
+ if (Acceptable(ConfChap) && (cp[4] == 5 || cp[4] == 0x80)) {
 LcpInfo.his_auth = proto;
 bcopy(cp, ackp, length);
 ackp += length;
+ VarEncMD4 = cp[4] == 0x80;
 } else if (Acceptable(ConfPap)) {
 *nakp++ = *cp;
 *nakp++ = 4;
diff --git a/usr.sbin/ppp/modem.c b/usr.sbin/ppp/modem.c
index dca1257..0a41320 100644
--- a/usr.sbin/ppp/modem.c
+++ b/usr.sbin/ppp/modem.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: modem.c,v 1.55 1997/09/22 00:46:56 brian Exp $
+ * $Id: modem.c,v 1.56 1997/09/22 00:55:46 brian Exp $
 *
 * TODO:
 */
@@ -32,6 +32,7 @@
 #include <errno.h>
 #include <time.h>
 #include <paths.h>
+#include <utmp.h>
 #ifdef __OpenBSD__
 #include <util.h>
 #else
@@ -728,6 +729,17 @@ CloseModem()
 {
 if (modem >= 0) {
 close(modem);
+ if (Utmp) {
+ struct utmp ut;
+ strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
+ ut.ut_line[sizeof(ut.ut_line)-1] = '\0';
+ if (logout(ut.ut_line))
+ logwtmp(ut.ut_line, "", "");
+ else
+ LogPrintf(LogERROR, "CloseModem: No longer logged in on %s\n",
+ ut.ut_line);
+ Utmp = 0;
+ }
 UnlockModem();
 modem = -1;
 }
diff --git a/usr.sbin/ppp/pap.c b/usr.sbin/ppp/pap.c
index 2fd39cd..0ef06de 100644
--- a/usr.sbin/ppp/pap.c
+++ b/usr.sbin/ppp/pap.c
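Review bot: Accepting algorithm `0x80` alongside `5` under the single `Acceptable(ConfChap)` knob lets the peer, not the administrator, choose between MD5 CHAP and the MD4 variant the hunk's own comment labels (presumably MS-CHAP), and `VarEncMD4 = cp[4] == 0x80;` then overwrites local state straight from the peer's request, so a configuration that only meant to accept standard CHAP can no longer deny the MD4 form. Neither this behaviour nor `VarEncMD4`, which is not declared anywhere in this diff, is mentioned in the commit message. Gate the `0x80` branch on its own accept/deny entry in `pppConfs` instead of on `ConfChap`, and record the peer's choice only once that option is acceptable. LcpDecodeConfig's body starts and ends outside the hunk.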
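Review bot: `ut` in the new CloseModem block is only partially initialised — just `ut_line` is written — whereas the matching blocks in chap.c and pap.c clear the whole structure with `memset(&ut, 0, sizeof(ut));` first. Only `ut.ut_line` is passed to `logout()` and `logwtmp()` here, so nothing reads the uninitialised fields, but a reader has to verify that, and the three sites should look alike; either add the same `memset(&ut, 0, sizeof(ut));` before the strncpy or replace the struct with a plain char array sized like `ut_line`, which is all this code needs. The rest of CloseModem, including its closing brace, is outside the hunk.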
@@ -18,10 +18,12 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: pap.c,v 1.13 1997/06/09 03:27:32 brian Exp $
+ * $Id: pap.c,v 1.14 1997/08/25 00:29:24 brian Exp $
 *
 * TODO:
 */
+#include <time.h>
+#include <utmp.h>
 #include "fsm.h"
 #include "lcp.h"
 #include "pap.h"
@@ -31,6 +33,11 @@
 #include "lcpproto.h"
 #include "phase.h"
 #include "auth.h"
+#ifdef __OpenBSD__
+#include "util.h"
+#else
+#include "libutil.h"
+#endif
 #ifndef NOPASSWDAUTH
 #include "passwdauth.h"
@@ -141,8 +148,24 @@ PapInput(struct mbuf * bp)
 if (PapValidate(cp, cp + *cp + 1)) {
 SendPapCode(php->id, PAP_ACK, "Greetings!!");
 lcp->auth_ineed = 0;
- if (lcp->auth_iwait == 0)
+ if (lcp->auth_iwait == 0) {
+ if ((mode & MODE_DIRECT) && isatty(modem) && Enabled(ConfUtmp))
+ if (Utmp)
+ LogPrintf(LogERROR, "Oops, already logged in on %s\n",
+ VarBaseDevice);
+ else {
+ struct utmp ut;
+ memset(&ut, 0, sizeof(ut));
+ time(&ut.ut_time);
+ strncpy(ut.ut_name, cp+1, sizeof(ut.ut_name)-1);
+ strncpy(ut.ut_line, VarBaseDevice, sizeof(ut.ut_line)-1);
+ if (logout(ut.ut_line))
+ logwtmp(ut.ut_line, "", "");
+ login(&ut);
+ Utmp = 1;
+ }
 NewPhase(PHASE_NETWORK);
+ }
 } else {
 SendPapCode(php->id, PAP_NAK, "Login incorrect");
 reconnect(RECON_FALSE);
diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8
index 9db68a7..5584ecb 100644
--- a/usr.sbin/ppp/ppp.8
+++ b/usr.sbin/ppp/ppp.8
@@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.65 1997/09/17 23:17:56 brian Exp $
+.\" $Id: ppp.8,v 1.66 1997/09/21 13:06:43 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
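Review bot: `strncpy(ut.ut_name, cp+1, sizeof(ut.ut_name)-1)` copies from the PAP Peer-ID field, which the packet stores length-prefixed — the `*cp` length byte is what `PapValidate(cp, cp + *cp + 1)` uses to find the password — rather than NUL-terminated, so for any peer-id shorter than `sizeof(ut.ut_name)-1` the copy runs past it through the password-length byte and into the cleartext password, and that ends up in utmp and wtmp where `who`, `last` and anyone able to read those files can see it (unless PapValidate terminates the field in place, which is not visible here). Copy by the declared length instead, `int nlen = *cp < sizeof(ut.ut_name) ? *cp : sizeof(ut.ut_name) - 1;` followed by `memcpy(ut.ut_name, cp + 1, nlen);`, which the preceding memset keeps terminated. The peer-id is also written unfiltered, so non-printable bytes reach whatever later prints utmp/wtmp. PapInput's body starts and ends outside the hunk.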
@@ -1483,29 +1483,41 @@ field number is reduced to one octet rather than two.
 Default: Enabled and Accepted. This option decides if Predictor 1 compression will be used.
+.It msext
+Default: Disabled. This option allows the use of Microsoft's ppp
+extensions, supporting the negotiation of the Microsoft PPP DNS
+and the Microsoft NetBIOS NS. Enabling this allows us to pass back
+the values given in "set ns" and "set nbns".
+
+.El
+The following options are not actually negotiated with the peer.
+Therefore, accepting or denying them makes no sense.
+
+.Bl -tag -width 20
 .It proxy
-Default: Disabled and Denied. Unlike the other options (except
-passwdauth below), this is not negotiated with the peer. Therefore,
-accepting or denying it is of no use. Enabling this option will tell
+Default: Disabled. Enabling this option will tell
 .Nm
 to proxy ARP for the peer.
-.It msext
-Default: Disabled and Accepted. This option allows the use
-of Microsoft's ppp extensions, supporting the negotiation of
-the Microsoft PPP DNS and the Microsoft NetBIOS NS.
-
 .It passwdauth
-Default: Disabled and Denied. Unlike the other options (except
-.Dq proxy
-above), this is not negotiated with the peer. Therefore,
-accepting or denying it is of no use. Enabling this option will
-tell the PAP authentication code to use the
+Default: Disabled. Enabling this option will tell the PAP authentication
+code to use the
 .Pa passwd
 file to authenticate the caller rather than the
 .Pa ppp.secret
 file.
+.It utmp
+Default: Enabled. Normally, when a user is authenticated using PAP or
+CHAP, and when
+.Nm
+is running in
+.Fl direct
+mode, an entry is made in the utmp and wtmp files for that user. Disabling
+this option will tell ppp not to make any utmp or wtmp entries. This is
+usually only necessary if you require the user to both login and authenticate
+themselves.
+
 .El
 .It add dest mask gateway
@@ -1842,12 +1854,12 @@ This sets the speed of the serial device.
 This command allows the setting of the idle timer, the LQR timer (if enabled) and the retry timer.
-.It set ns x.x.x.x
-This option allows the setting of the Microsoft PPP DNS server that
+.It set ns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft PPP DNS servers that
 will be negotiated.
-.It set nbns
-This option allows the setting of the Microsoft NetBIOS DNS server that
+.It set nbns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft NetBIOS DNS servers that
 will be negotiated.
 .It set help|?
diff --git a/usr.sbin/ppp/ppp.8.m4 b/usr.sbin/ppp/ppp.8.m4
index 9db68a7..5584ecb 100644
--- a/usr.sbin/ppp/ppp.8.m4
+++ b/usr.sbin/ppp/ppp.8.m4
@@ -1,4 +1,4 @@
-.\" $Id: ppp.8,v 1.65 1997/09/17 23:17:56 brian Exp $
+.\" $Id: ppp.8,v 1.66 1997/09/21 13:06:43 brian Exp $
 .Dd 20 September 1995
 .Os FreeBSD
 .Dt PPP 8
@@ -1483,29 +1483,41 @@ field number is reduced to one octet rather than two.
 Default: Enabled and Accepted. This option decides if Predictor 1 compression will be used.
+.It msext
+Default: Disabled. This option allows the use of Microsoft's ppp
+extensions, supporting the negotiation of the Microsoft PPP DNS
+and the Microsoft NetBIOS NS. Enabling this allows us to pass back
+the values given in "set ns" and "set nbns".
+
+.El
+The following options are not actually negotiated with the peer.
+Therefore, accepting or denying them makes no sense.
+
+.Bl -tag -width 20
 .It proxy
-Default: Disabled and Denied. Unlike the other options (except
-passwdauth below), this is not negotiated with the peer. Therefore,
-accepting or denying it is of no use. Enabling this option will tell
+Default: Disabled. Enabling this option will tell
 .Nm
 to proxy ARP for the peer.
-.It msext
-Default: Disabled and Accepted. This option allows the use
-of Microsoft's ppp extensions, supporting the negotiation of
-the Microsoft PPP DNS and the Microsoft NetBIOS NS.
-
 .It passwdauth
-Default: Disabled and Denied. Unlike the other options (except
-.Dq proxy
-above), this is not negotiated with the peer. Therefore,
-accepting or denying it is of no use. Enabling this option will
-tell the PAP authentication code to use the
+Default: Disabled. Enabling this option will tell the PAP authentication
+code to use the
 .Pa passwd
 file to authenticate the caller rather than the
 .Pa ppp.secret
 file.
+.It utmp
+Default: Enabled. Normally, when a user is authenticated using PAP or
+CHAP, and when
+.Nm
+is running in
+.Fl direct
+mode, an entry is made in the utmp and wtmp files for that user. Disabling
+this option will tell ppp not to make any utmp or wtmp entries. This is
+usually only necessary if you require the user to both login and authenticate
+themselves.
+
 .El
 .It add dest mask gateway
@@ -1842,12 +1854,12 @@ This sets the speed of the serial device.
 This command allows the setting of the idle timer, the LQR timer (if enabled) and the retry timer.
-.It set ns x.x.x.x
-This option allows the setting of the Microsoft PPP DNS server that
+.It set ns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft PPP DNS servers that
 will be negotiated.
-.It set nbns
-This option allows the setting of the Microsoft NetBIOS DNS server that
+.It set nbns x.x.x.x y.y.y.y
+This option allows the setting of the Microsoft NetBIOS DNS servers that
 will be negotiated.
 .It set help|?
diff --git a/usr.sbin/ppp/vars.c b/usr.sbin/ppp/vars.c
index e5b3842..a6328f3 100644
--- a/usr.sbin/ppp/vars.c
+++ b/usr.sbin/ppp/vars.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: vars.c,v 1.28 1997/09/16 23:15:16 brian Exp $
+ * $Id: vars.c,v 1.29 1997/09/21 13:08:00 brian Exp $
 *
 */
 #include "fsm.h"
@@ -30,7 +30,7 @@
 #include "defs.h"
 char VarVersion[] = "PPP Version 1.2";
-char VarLocalVersion[] = "$Date: 1997/09/16 23:15:16 $";
+char VarLocalVersion[] = "$Date: 1997/09/21 13:08:00 $";
 /*
 * Order of conf option is important. See vars.h.
@@ -43,9 +43,10 @@ struct confdesc pppConfs[] = {
 {"acfcomp", CONF_ENABLE, CONF_ACCEPT},
 {"protocomp", CONF_ENABLE, CONF_ACCEPT},
 {"pred1", CONF_ENABLE, CONF_ACCEPT},
- {"proxy", CONF_DISABLE, CONF_DENY},
- {"msext", CONF_DISABLE, CONF_ACCEPT},
- {"passwdauth", CONF_DISABLE, CONF_DENY},
+ {"proxy", CONF_DISABLE, CONF_NONE},
+ {"msext", CONF_DISABLE, CONF_NONE},
+ {"passwdauth", CONF_DISABLE, CONF_NONE},
+ {"utmp", CONF_ENABLE, CONF_NONE},
 {NULL},
 };
@@ -69,8 +70,10 @@ DisplayCommand()
 fprintf(VarTerm, "----------------------------------------\n");
 for (vp = pppConfs; vp->name; vp++)
 fprintf(VarTerm, "%-10s\t%s\t\t%s\n", vp->name,
- (vp->myside == CONF_ENABLE) ? "enable" : "disable",
- (vp->hisside == CONF_ACCEPT) ? "accept" : "deny");
+ (vp->myside == CONF_ENABLE) ? "enable" :
+ (vp->myside == CONF_DISABLE ? "disable" : "N/A"),
+ (vp->hisside == CONF_ACCEPT) ? "accept" :
+ (vp->hisside == CONF_DENY ? "deny" : "N/A"));
 return 0;
 }
@@ -88,10 +91,21 @@ ConfigCommand(struct cmdtab * list, int argc, char **argv, int mine, int val)
 do {
 for (vp = pppConfs; vp->name; vp++)
 if (strcasecmp(vp->name, *argv) == 0) {
- if (mine)
- vp->myside = val;
- else
- vp->hisside = val;
+ if (mine) {
+ if (vp->myside == CONF_NONE) {
+ LogPrintf(LogWARN, "Config: %s cannot be enabled or disabled\n",
+ vp->name);
+ err++;
+ } else
+ vp->myside = val;
+ } else {
+ if (vp->hisside == CONF_NONE) {
+ LogPrintf(LogWARN, "Config: %s cannot be accepted or denied\n",
+ vp->name);
+ err++;
+ } else
+ vp->hisside = val;
+ }
 break;
 }
 if (!vp->name) {
diff --git a/usr.sbin/ppp/vars.h b/usr.sbin/ppp/vars.h
index 9584177..6c8ffb3 100644
--- a/usr.sbin/ppp/vars.h
+++ b/usr.sbin/ppp/vars.h
@@ -15,7 +15,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: vars.h,v 1.26 1997/09/04 00:38:22 brian Exp $
+ * $Id: vars.h,v 1.27 1997/09/17 23:17:57 brian Exp $
 *
 * TODO:
 */
@@ -30,6 +30,7 @@ struct confdesc {
 int myside, hisside;
 };
+#define CONF_NONE -1
 #define CONF_DISABLE 0
 #define CONF_ENABLE 1
@@ -46,7 +47,8 @@ struct confdesc {
 #define ConfProxy 7
 #define ConfMSExt 8
 #define ConfPasswdAuth 9
-#define MAXCONFS 10
+#define ConfUtmp 10
+#define MAXCONFS 11
 #define Enabled(x) (pppConfs[x].myside & CONF_ENABLE)
 #define Acceptable(x) (pppConfs[x].hisside & CONF_ACCEPT)
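Review bot: `#define CONF_NONE -1` does not sit well with the bitwise test macros in the same header, `#define Acceptable(x) (pppConfs[x].hisside & CONF_ACCEPT)` and `#define Enabled(x) (pppConfs[x].myside & CONF_ENABLE)`: -1 has every bit set, so `Acceptable()` reports true for every option whose hisside is now CONF_NONE (proxy, msext, passwdauth and utmp in this commit's vars.c) even though the user can no longer accept or deny it, and the same would hold for `Enabled()` if a myside were ever set to CONF_NONE. CONF_ACCEPT's value and whether any negotiation code evaluates Acceptable() on those four entries are outside the hunk, but the macros should not depend on that. Give CONF_NONE a value with no bits in common with the flags, e.g. `#define CONF_NONE 0x80`, or make the macros compare for equality, `#define Acceptable(x) (pppConfs[x].hisside == CONF_ACCEPT)`.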
@@ -142,6 +144,7 @@ struct pppvars {
 extern struct pppvars pppVars;
+int Utmp; /* Are we in /etc/utmp ? */
 int ipInOctets, ipOutOctets, ipKeepAlive;
 int ipConnectSecs, ipIdleSecs; |
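Review bot: `int Utmp;` is a definition, not a declaration, placed in a header, so every translation unit that includes vars.h (chap.c, pap.c and modem.c in this commit) defines the object and the link relies on the toolchain merging common symbols; the neighbouring `extern struct pppvars pppVars;` shows the convention the file already uses. Change it to `extern int Utmp; /* Are we in /etc/utmp ? */` here and put the single definition `int Utmp;` in vars.c, which is outside this diff. The same applies to the `int ipInOctets ...` lines below it, but those are pre-existing and not part of this change.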