diff options
author | danny <danny@FreeBSD.org> | 1997-04-15 07:00:35 +0000 |
---|---|---|
committer | danny <danny@FreeBSD.org> | 1997-04-15 07:00:35 +0000 |
commit | bef64f77917dde67ad18bf0622fe731038170004 (patch) | |
tree | 2adfe79ac8e3c515964d84255088457d8fc2c87d /usr.sbin/pppd | |
parent | dfe24302ecdf896515261413b602a0fe73f5fbd4 (diff) | |
download | FreeBSD-src-bef64f77917dde67ad18bf0622fe731038170004.zip FreeBSD-src-bef64f77917dde67ad18bf0622fe731038170004.tar.gz |
Reviewed by: Brian Somers <brian@freebsd.org>
pppd now creates /var/run/ttyXn.if file containing the interface name;
check that a 'login' user is not listed in /etc/ppp/ppp.disabled;
check that a 'login' user's shell is listed in /etc/ppp/ppp.shells;
make sure that passwordless 'login' logins are recorded in wtmp and
utmp.
Diffstat (limited to 'usr.sbin/pppd')
-rw-r--r-- | usr.sbin/pppd/auth.c | 99 | ||||
-rw-r--r-- | usr.sbin/pppd/main.c | 26 | ||||
-rw-r--r-- | usr.sbin/pppd/pathnames.h | 5 | ||||
-rw-r--r-- | usr.sbin/pppd/pppd.8 | 17 |
4 files changed, 119 insertions, 28 deletions
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c index 44d4bcb..56fbd28 100644 --- a/usr.sbin/pppd/auth.c +++ b/usr.sbin/pppd/auth.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $"; +static char rcsid[] = "$Id: auth.c,v 1.13 1997/04/13 01:06:56 brian Exp $"; #endif #include <stdio.h> @@ -470,6 +470,39 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) /* + * Check if an "entry" is in the file "fname" - used by ppplogin. + * Taken from libexec/ftpd/ftpd.c + * Returns: 0 if not found, 1 if found, 2 if file can't be opened for reading. + */ +static int +checkfile(fname, name) + char *fname; + char *name; +{ + FILE *fd; + int found = 0; + char *p, line[BUFSIZ]; + + if ((fd = fopen(fname, "r")) != NULL) { + while (fgets(line, sizeof(line), fd) != NULL) + if ((p = strchr(line, '\n')) != NULL) { + *p = '\0'; + if (line[0] == '#') + continue; + if (strcmp(line, name) == 0) { + found = 1; + break; + } + } + (void) fclose(fd); + } else { + return(2); + } + return (found); +} + + +/* * ppplogin - Check the user name and password against the system * password database, and login the user if OK. * @@ -477,6 +510,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) * UPAP_AUTHNAK: Login failed. * UPAP_AUTHACK: Login succeeded. * In either case, msg points to an appropriate message. + * + * UPAP_AUTHACK should only be returned *after* wtmp and utmp are updated. */ static int ppplogin(user, passwd, msg, msglen) @@ -500,6 +535,24 @@ ppplogin(user, passwd, msg, msglen) return (UPAP_AUTHNAK); } +/* + * Check that the user is not listed in /etc/ppp/ppp.disabled + * and that the user's shell is listed in /etc/ppp/ppp.shells + * if /etc/ppp/ppp.shells exists. + */ + + if (checkfile(_PATH_PPPDISABLED, user) == 1) { + syslog(LOG_WARNING, "upap user %s: account disabled in %s", + user, _PATH_PPPDISABLED); + return (UPAP_AUTHNAK); + } + + if (checkfile(_PATH_PPPSHELLS, pw->pw_shell) == 0) { + syslog(LOG_WARNING, "upap user %s: shell %s not in %s", + user, pw->pw_shell, _PATH_PPPSHELLS); + return (UPAP_AUTHNAK); + } + #ifdef HAS_SHADOW if ((spwd = getspnam(user)) == NULL) { pw->pw_passwd = ""; @@ -509,44 +562,42 @@ ppplogin(user, passwd, msg, msglen) #endif /* - * XXX If no passwd, let them login without one. + * If there is a password, check it. */ - if (pw->pw_passwd == '\0') { - return (UPAP_AUTHACK); - } + if (pw->pw_passwd[0] != '\0') { #ifdef HAS_SHADOW - if ((pw->pw_passwd && pw->pw_passwd[0] == '@' - && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL)) - || !valid (passwd, pw)) { - return (UPAP_AUTHNAK); - } + if ((pw->pw_passwd && pw->pw_passwd[0] == '@' + && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL)) + || !valid (passwd, pw)) { + return (UPAP_AUTHNAK); + } #else - epasswd = crypt(passwd, pw->pw_passwd); - if (strcmp(epasswd, pw->pw_passwd)) { - return (UPAP_AUTHNAK); - } + epasswd = crypt(passwd, pw->pw_passwd); + if (strcmp(epasswd, pw->pw_passwd)) { + return (UPAP_AUTHNAK); + } #endif - if (pw->pw_expire) { - (void)gettimeofday(&tp, (struct timezone *)NULL); - if (tp.tv_sec >= pw->pw_expire) { - syslog(LOG_INFO, "user %s account expired", user); - return (UPAP_AUTHNAK); + if (pw->pw_expire) { + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (tp.tv_sec >= pw->pw_expire) { + syslog(LOG_INFO, "pap user %s account expired", user); + return (UPAP_AUTHNAK); + } } - } + } /* if password */ + syslog(LOG_INFO, "user %s logged in", user); - /* - * Write a wtmp entry for this user. - */ + /* Log in wtmp and utmp using login() */ + tty = devnam; if (strncmp(tty, "/dev/", 5) == 0) tty += 5; logged_in = TRUE; - /* Log in wtmp and utmp using login() */ memset((void *)&utmp, 0, sizeof(utmp)); (void)time(&utmp.ut_time); (void)strncpy(utmp.ut_name, user, sizeof(utmp.ut_name)); diff --git a/usr.sbin/pppd/main.c b/usr.sbin/pppd/main.c index ee7dec1..c13a90d 100644 --- a/usr.sbin/pppd/main.c +++ b/usr.sbin/pppd/main.c @@ -18,7 +18,7 @@ */ #ifndef lint -static char rcsid[] = "$Id$"; +static char rcsid[] = "$Id: main.c,v 1.10 1997/02/22 16:11:48 peter Exp $"; #endif #include <stdio.h> @@ -67,6 +67,7 @@ int ifunit; /* Interface unit number */ char *progname; /* Name of this program */ char hostname[MAXNAMELEN]; /* Our hostname */ static char pidfilename[MAXPATHLEN]; /* name of pid file */ +static char iffilename[MAXPATHLEN]; /* name of if file */ static char default_devnam[MAXPATHLEN]; /* name of default device */ static pid_t pid; /* Our pid */ static pid_t pgrpid; /* Process Group ID */ @@ -154,10 +155,11 @@ main(argc, argv) int argc; char *argv[]; { - int i, nonblock; + int i, n, nonblock; struct sigaction sa; struct cmd *cmdp; FILE *pidfile; + FILE *iffile; char *p; struct passwd *pw; struct timeval timo; @@ -393,6 +395,21 @@ main(argc, argv) pidfilename[0] = 0; } + /* write interface unit number to file */ + for (n = strlen(devnam); n > 0 ; n--) + if (devnam[n] == '/') { + n = n++; + break; + } + (void) sprintf(iffilename, "%s%s.if", _PATH_VARRUN, &devnam[n]); + if ((iffile = fopen(iffilename, "w")) != NULL) { + fprintf(iffile, "ppp%d\n", ifunit); + (void) fclose(iffile); + } else { + syslog(LOG_ERR, "Failed to create if file %s: %m", iffilename); + iffilename[0] = 0; + } + /* * Set device for non-blocking reads. */ @@ -448,6 +465,11 @@ main(argc, argv) syslog(LOG_WARNING, "unable to delete pid file: %m"); pidfilename[0] = 0; + if (iffile) + if (unlink(iffilename) < 0 && errno != ENOENT) + syslog(LOG_WARNING, "unable to delete if file: %m"); + iffilename[0] = 0; + } while (persist); die(0); diff --git a/usr.sbin/pppd/pathnames.h b/usr.sbin/pppd/pathnames.h index d0ec2ff..7033ff0 100644 --- a/usr.sbin/pppd/pathnames.h +++ b/usr.sbin/pppd/pathnames.h @@ -1,7 +1,7 @@ /* * define path names * - * $Id$ + * $Id: pathnames.h,v 1.5 1997/02/22 16:11:52 peter Exp $ */ #ifdef HAVE_PATHS_H @@ -20,3 +20,6 @@ #define _PATH_TTYOPT "/etc/ppp/options." #define _PATH_CONNERRS "/etc/ppp/connect-errors" #define _PATH_USEROPT ".ppprc" +#define _PATH_PPPDISABLED "/etc/ppp/ppp.disabled" +#define _PATH_PPPSHELLS "/etc/ppp/ppp.shells" + diff --git a/usr.sbin/pppd/pppd.8 b/usr.sbin/pppd/pppd.8 index 76cef60..e0e8bfa 100644 --- a/usr.sbin/pppd/pppd.8 +++ b/usr.sbin/pppd/pppd.8 @@ -1,5 +1,5 @@ .\" manual page [] for pppd 2.0 -.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $ +.\" $Id: pppd.8,v 1.10 1997/04/13 01:07:00 brian Exp $ .\" SH section heading .\" SS subsection heading .\" LP paragraph @@ -566,6 +566,11 @@ set of IP addresses that each user can use. Typically, when using the \fBlogin\fR option, the secret in /etc/ppp/pap-secrets would be "", to avoid the need to have the same secret in two places. .LP +Additional checks are performed when the \fBlogin\fR option is used. +If the file /etc/ppp/ppp.disabled exists, and the user is listed in it, +the authentication fails. If the file /etc/ppp/ppp.shells exists and +the user's normal login shell is not listed, the authentication fails. +.LP Secrets are selected from the CHAP secrets file as follows: .TP 2 * @@ -682,6 +687,9 @@ process. This signal acts as a toggle. .B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others) Process-ID for \fIpppd\fR process on ppp interface unit \fIn\fR. .TP +.B /var/run/tty\fIXn\fB.if \fR(BSD or Linux), \fB/etc/ppp/tty\fIXn\fB.if \fR(others) +Interface for \fIpppd\fR process on serial device /dev/tty\fIXn\fR. +.TP .B /etc/ppp/ip-up A program or script which is executed when the link is available for sending and receiving IP packets (that is, IPCP has come up). It is @@ -726,6 +734,13 @@ User default options, read before command-line options. .B /etc/ppp/options.\fIttyname System default options for the serial port being used, read after command-line options. +.TP +.B /etc/ppp/ppp.disabled +Lists users who may not use the system password PAP authentication. +.TP +.B /etc/ppp/ppp.shells +Lists user shells which are approved for system password PAP authentication +logins. .SH SEE ALSO .IR chat(8), .IR ppp(8) |