diff options
author | trasz <trasz@FreeBSD.org> | 2014-03-25 12:22:30 +0000 |
---|---|---|
committer | trasz <trasz@FreeBSD.org> | 2014-03-25 12:22:30 +0000 |
commit | 5fb75e3b8f09c689ffcda3c05dad773f6f6625f2 (patch) | |
tree | e1b1ca58287cf781432e4c39bad08464dea2e932 /usr.sbin | |
parent | d3e539d4a4a3fa52420768795cc3944d48cc616a (diff) | |
download | FreeBSD-src-5fb75e3b8f09c689ffcda3c05dad773f6f6625f2.zip FreeBSD-src-5fb75e3b8f09c689ffcda3c05dad773f6f6625f2.tar.gz |
MFC r261763:
Use new auth-type "deny" instead of using "chap" with no chap entries;
it's cleaner this way, and gives better feedback to the user.
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ctld/ctl.conf.5 | 4 | ||||
-rw-r--r-- | usr.sbin/ctld/ctld.c | 2 | ||||
-rw-r--r-- | usr.sbin/ctld/ctld.h | 7 | ||||
-rw-r--r-- | usr.sbin/ctld/login.c | 5 | ||||
-rw-r--r-- | usr.sbin/ctld/parse.y | 8 |
5 files changed, 15 insertions, 11 deletions
diff --git a/usr.sbin/ctld/ctl.conf.5 b/usr.sbin/ctld/ctl.conf.5 index d44caa8..87e3592 100644 --- a/usr.sbin/ctld/ctl.conf.5 +++ b/usr.sbin/ctld/ctl.conf.5 @@ -103,7 +103,7 @@ The following statements are available at the auth-group level: .Bl -tag -width indent .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given auth-group. .It Ic chap Ao Ar user Ac Aq Ar secret @@ -157,7 +157,7 @@ Another predefined auth-group, "no-authentication", may be used to permit access without authentication. .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given target. This clause is mutually exclusive with auth-group; one cannot use diff --git a/usr.sbin/ctld/ctld.c b/usr.sbin/ctld/ctld.c index 8ab8670..d082227 100644 --- a/usr.sbin/ctld/ctld.c +++ b/usr.sbin/ctld/ctld.c @@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_group *ag, const char *str) if (strcmp(str, "none") == 0) { type = AG_TYPE_NO_AUTHENTICATION; + } else if (strcmp(str, "deny") == 0) { + type = AG_TYPE_DENY; } else if (strcmp(str, "chap") == 0) { type = AG_TYPE_CHAP; } else if (strcmp(str, "chap-mutual") == 0) { diff --git a/usr.sbin/ctld/ctld.h b/usr.sbin/ctld/ctld.h index a4b1e4e..ae11922 100644 --- a/usr.sbin/ctld/ctld.h +++ b/usr.sbin/ctld/ctld.h @@ -66,9 +66,10 @@ struct auth_portal { }; #define AG_TYPE_UNKNOWN 0 -#define AG_TYPE_NO_AUTHENTICATION 1 -#define AG_TYPE_CHAP 2 -#define AG_TYPE_CHAP_MUTUAL 3 +#define AG_TYPE_DENY 1 +#define AG_TYPE_NO_AUTHENTICATION 2 +#define AG_TYPE_CHAP 3 +#define AG_TYPE_CHAP_MUTUAL 4 struct auth_group { TAILQ_ENTRY(auth_group) ag_next; diff --git a/usr.sbin/ctld/login.c b/usr.sbin/ctld/login.c index 7dd0ebf..3273664 100644 --- a/usr.sbin/ctld/login.c +++ b/usr.sbin/ctld/login.c @@ -1034,6 +1034,11 @@ login(struct connection *conn) return; } + if (ag->ag_type == AG_TYPE_DENY) { + login_send_error(request, 0x02, 0x01); + log_errx(1, "auth-group type is \"deny\""); + } + if (ag->ag_type == AG_TYPE_UNKNOWN) { /* * This can happen with empty auth-group. diff --git a/usr.sbin/ctld/parse.y b/usr.sbin/ctld/parse.y index c1a506e..6299b58 100644 --- a/usr.sbin/ctld/parse.y +++ b/usr.sbin/ctld/parse.y @@ -729,13 +729,9 @@ conf_new_from_file(const char *path) assert(ag != NULL); ag->ag_type = AG_TYPE_NO_AUTHENTICATION; - /* - * Here, the type doesn't really matter, as the group doesn't contain - * any entries and thus will always deny access. - */ ag = auth_group_new(conf, "no-access"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; pg = portal_group_new(conf, "default"); assert(pg != NULL); @@ -765,7 +761,7 @@ conf_new_from_file(const char *path) "going with defaults"); ag = auth_group_find(conf, "default"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; } if (conf->conf_default_pg_defined == false) { |