diff options
author | brian <brian@FreeBSD.org> | 1997-04-13 01:07:00 +0000 |
---|---|---|
committer | brian <brian@FreeBSD.org> | 1997-04-13 01:07:00 +0000 |
commit | 5b8c55b34e7a6f0087c138e43e85652af3f37aee (patch) | |
tree | 7ab46be72927c0415866fb5c18b5d24e713a3090 /usr.sbin | |
parent | b2533fba6ff7273bd2dbe3373b345e5b53d48f0b (diff) | |
download | FreeBSD-src-5b8c55b34e7a6f0087c138e43e85652af3f37aee.zip FreeBSD-src-5b8c55b34e7a6f0087c138e43e85652af3f37aee.tar.gz |
Allow forcing of local_ip:remote_ip in pap-secrets
and chap-secrets files. This allows specific users
to have pre-allocated IP numbers while others get
assigned dynamically.
Submitted by: David Nugent <davidn@unique.usn.blaze.net.au>
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/pppd/auth.c | 73 | ||||
-rw-r--r-- | usr.sbin/pppd/pppd.8 | 9 |
2 files changed, 64 insertions, 18 deletions
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c index e983f1c..44d4bcb 100644 --- a/usr.sbin/pppd/auth.c +++ b/usr.sbin/pppd/auth.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id$"; +static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $"; #endif #include <stdio.h> @@ -91,6 +91,7 @@ struct wordlist { /* Records which authentication operations haven't completed yet. */ static int auth_pending[NUM_PPP]; static int logged_in; +static int non_wildclient =0; /* not wild nor blank */ static struct wordlist *addresses[NUM_PPP]; /* Bits in auth_pending[] */ @@ -112,6 +113,7 @@ static int have_chap_secret __P((char *, char *)); static int scan_authfile __P((FILE *, char *, char *, char *, struct wordlist **, char *)); static void free_wordlist __P((struct wordlist *)); +static void auth_set_ip_addr __P((int)); /* * An Open on LCP has requested a change from Dead to Establish phase. @@ -255,6 +257,12 @@ auth_peer_success(unit, protocol) } /* + * If we have overridden addresses based on auth info + * then set that information now before continuing + */ + auth_set_ip_addr(unit); + + /* * If there is no more authentication still to be done, * proceed to the network phase. */ @@ -302,6 +310,12 @@ auth_withpeer_success(unit, protocol) } /* + * If we have overridden addresses based on auth info + * then set that information now before continuing + */ + auth_set_ip_addr(unit); + + /* * If there is no more authentication still being done, * proceed to the network phase. */ @@ -740,6 +754,27 @@ get_secret(unit, client, server, secret, secret_len, save_addrs) return 1; } + +static void +auth_set_ip_addr(unit) + int unit; +{ + struct wordlist *addrs; + + if (non_wildclient && (addrs = addresses[unit]) != NULL) { + for (; addrs != NULL; addrs = addrs->next) { + /* + * Look for address overrides, and set them if we have any + */ + if (strchr(addrs->word, ':') != NULL) { + if (setipaddr(addrs->word)) + break; + } + } + } +} + + /* * auth_ip_addr - check whether the peer is authorized to use * a given IP address. Returns 1 if authorized, 0 otherwise. @@ -749,6 +784,7 @@ auth_ip_addr(unit, addr) int unit; u_int32_t addr; { + int x, y; u_int32_t a; struct hostent *hp; struct wordlist *addrs; @@ -757,25 +793,31 @@ auth_ip_addr(unit, addr) if (bad_ip_adrs(addr)) return 0; - if ((addrs = addresses[unit]) == NULL) - return 1; /* no restriction */ - - for (; addrs != NULL; addrs = addrs->next) { + x = y = 0; + for (addrs = addresses[unit]; addrs != NULL; addrs = addrs->next, y++) { /* "-" means no addresses authorized */ if (strcmp(addrs->word, "-") == 0) break; - if ((a = inet_addr(addrs->word)) == -1) { - if ((hp = gethostbyname(addrs->word)) == NULL) { - syslog(LOG_WARNING, "unknown host %s in auth. address list", - addrs->word); - continue; - } else - a = *(u_int32_t *)hp->h_addr; + /* + * A colon in the string means that we wish to force a specific + * local:remote address, but we ignore these for now + */ + if (strchr(addrs->word, ':') != NULL) + x++; + else { + if ((a = inet_addr(addrs->word)) == -1) { + if ((hp = gethostbyname(addrs->word)) == NULL) { + syslog(LOG_WARNING, "unknown host %s in auth. address list", + addrs->word); + continue; + } else + a = *(u_int32_t *)hp->h_addr; + } + if (addr == a) + return 1; } - if (addr == a) - return 1; } - return 0; /* not in list => can't have it */ + return x == y; /* not in list => can't have it */ } /* @@ -943,6 +985,7 @@ scan_authfile(f, client, server, secret, addrs, filename) else if (addr_list != NULL) free_wordlist(addr_list); + non_wildclient = (best_flag & NONWILD_CLIENT) && *client != '\0'; return best_flag; } diff --git a/usr.sbin/pppd/pppd.8 b/usr.sbin/pppd/pppd.8 index c1953d8..76cef60 100644 --- a/usr.sbin/pppd/pppd.8 +++ b/usr.sbin/pppd/pppd.8 @@ -1,5 +1,5 @@ .\" manual page [] for pppd 2.0 -.\" $Id$ +.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $ .\" SH section heading .\" SS subsection heading .\" LP paragraph @@ -497,8 +497,11 @@ directions if desired. A secrets file is parsed into words as for a options file. A secret is specified by a line containing at least 3 words, in the order client name, server name, secret. Any following words on the same line are -taken to be a list of acceptable IP addresses for that client. If -there are only 3 words on the line, it is assumed that any IP address +taken to be a list of acceptable IP addresses for that client, or an +override for "local:remote" addresses (the same format used on the +command line or in the options file) when on a line that contains a +specific client name (not a wildcard nor empty). +If there are only 3 words on the line, it is assumed that any IP address is OK; to disallow all IP addresses, use "-". If the secret starts with an `@', what follows is assumed to be the name of a file from which to read the secret. A "*" as the client or server name matches |