summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--usr.sbin/pppd/auth.c99
-rw-r--r--usr.sbin/pppd/main.c26
-rw-r--r--usr.sbin/pppd/pathnames.h5
-rw-r--r--usr.sbin/pppd/pppd.817
4 files changed, 119 insertions, 28 deletions
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c
index 44d4bcb..56fbd28 100644
--- a/usr.sbin/pppd/auth.c
+++ b/usr.sbin/pppd/auth.c
@@ -33,7 +33,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $";
+static char rcsid[] = "$Id: auth.c,v 1.13 1997/04/13 01:06:56 brian Exp $";
#endif
#include <stdio.h>
@@ -470,6 +470,39 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)
/*
+ * Check if an "entry" is in the file "fname" - used by ppplogin.
+ * Taken from libexec/ftpd/ftpd.c
+ * Returns: 0 if not found, 1 if found, 2 if file can't be opened for reading.
+ */
+static int
+checkfile(fname, name)
+ char *fname;
+ char *name;
+{
+ FILE *fd;
+ int found = 0;
+ char *p, line[BUFSIZ];
+
+ if ((fd = fopen(fname, "r")) != NULL) {
+ while (fgets(line, sizeof(line), fd) != NULL)
+ if ((p = strchr(line, '\n')) != NULL) {
+ *p = '\0';
+ if (line[0] == '#')
+ continue;
+ if (strcmp(line, name) == 0) {
+ found = 1;
+ break;
+ }
+ }
+ (void) fclose(fd);
+ } else {
+ return(2);
+ }
+ return (found);
+}
+
+
+/*
* ppplogin - Check the user name and password against the system
* password database, and login the user if OK.
*
@@ -477,6 +510,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)
* UPAP_AUTHNAK: Login failed.
* UPAP_AUTHACK: Login succeeded.
* In either case, msg points to an appropriate message.
+ *
+ * UPAP_AUTHACK should only be returned *after* wtmp and utmp are updated.
*/
static int
ppplogin(user, passwd, msg, msglen)
@@ -500,6 +535,24 @@ ppplogin(user, passwd, msg, msglen)
return (UPAP_AUTHNAK);
}
+/*
+ * Check that the user is not listed in /etc/ppp/ppp.disabled
+ * and that the user's shell is listed in /etc/ppp/ppp.shells
+ * if /etc/ppp/ppp.shells exists.
+ */
+
+ if (checkfile(_PATH_PPPDISABLED, user) == 1) {
+ syslog(LOG_WARNING, "upap user %s: account disabled in %s",
+ user, _PATH_PPPDISABLED);
+ return (UPAP_AUTHNAK);
+ }
+
+ if (checkfile(_PATH_PPPSHELLS, pw->pw_shell) == 0) {
+ syslog(LOG_WARNING, "upap user %s: shell %s not in %s",
+ user, pw->pw_shell, _PATH_PPPSHELLS);
+ return (UPAP_AUTHNAK);
+ }
+
#ifdef HAS_SHADOW
if ((spwd = getspnam(user)) == NULL) {
pw->pw_passwd = "";
@@ -509,44 +562,42 @@ ppplogin(user, passwd, msg, msglen)
#endif
/*
- * XXX If no passwd, let them login without one.
+ * If there is a password, check it.
*/
- if (pw->pw_passwd == '\0') {
- return (UPAP_AUTHACK);
- }
+ if (pw->pw_passwd[0] != '\0') {
#ifdef HAS_SHADOW
- if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
- && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL))
- || !valid (passwd, pw)) {
- return (UPAP_AUTHNAK);
- }
+ if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
+ && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL))
+ || !valid (passwd, pw)) {
+ return (UPAP_AUTHNAK);
+ }
#else
- epasswd = crypt(passwd, pw->pw_passwd);
- if (strcmp(epasswd, pw->pw_passwd)) {
- return (UPAP_AUTHNAK);
- }
+ epasswd = crypt(passwd, pw->pw_passwd);
+ if (strcmp(epasswd, pw->pw_passwd)) {
+ return (UPAP_AUTHNAK);
+ }
#endif
- if (pw->pw_expire) {
- (void)gettimeofday(&tp, (struct timezone *)NULL);
- if (tp.tv_sec >= pw->pw_expire) {
- syslog(LOG_INFO, "user %s account expired", user);
- return (UPAP_AUTHNAK);
+ if (pw->pw_expire) {
+ (void)gettimeofday(&tp, (struct timezone *)NULL);
+ if (tp.tv_sec >= pw->pw_expire) {
+ syslog(LOG_INFO, "pap user %s account expired", user);
+ return (UPAP_AUTHNAK);
+ }
}
- }
+ } /* if password */
+
syslog(LOG_INFO, "user %s logged in", user);
- /*
- * Write a wtmp entry for this user.
- */
+ /* Log in wtmp and utmp using login() */
+
tty = devnam;
if (strncmp(tty, "/dev/", 5) == 0)
tty += 5;
logged_in = TRUE;
- /* Log in wtmp and utmp using login() */
memset((void *)&utmp, 0, sizeof(utmp));
(void)time(&utmp.ut_time);
(void)strncpy(utmp.ut_name, user, sizeof(utmp.ut_name));
diff --git a/usr.sbin/pppd/main.c b/usr.sbin/pppd/main.c
index ee7dec1..c13a90d 100644
--- a/usr.sbin/pppd/main.c
+++ b/usr.sbin/pppd/main.c
@@ -18,7 +18,7 @@
*/
#ifndef lint
-static char rcsid[] = "$Id$";
+static char rcsid[] = "$Id: main.c,v 1.10 1997/02/22 16:11:48 peter Exp $";
#endif
#include <stdio.h>
@@ -67,6 +67,7 @@ int ifunit; /* Interface unit number */
char *progname; /* Name of this program */
char hostname[MAXNAMELEN]; /* Our hostname */
static char pidfilename[MAXPATHLEN]; /* name of pid file */
+static char iffilename[MAXPATHLEN]; /* name of if file */
static char default_devnam[MAXPATHLEN]; /* name of default device */
static pid_t pid; /* Our pid */
static pid_t pgrpid; /* Process Group ID */
@@ -154,10 +155,11 @@ main(argc, argv)
int argc;
char *argv[];
{
- int i, nonblock;
+ int i, n, nonblock;
struct sigaction sa;
struct cmd *cmdp;
FILE *pidfile;
+ FILE *iffile;
char *p;
struct passwd *pw;
struct timeval timo;
@@ -393,6 +395,21 @@ main(argc, argv)
pidfilename[0] = 0;
}
+ /* write interface unit number to file */
+ for (n = strlen(devnam); n > 0 ; n--)
+ if (devnam[n] == '/') {
+ n = n++;
+ break;
+ }
+ (void) sprintf(iffilename, "%s%s.if", _PATH_VARRUN, &devnam[n]);
+ if ((iffile = fopen(iffilename, "w")) != NULL) {
+ fprintf(iffile, "ppp%d\n", ifunit);
+ (void) fclose(iffile);
+ } else {
+ syslog(LOG_ERR, "Failed to create if file %s: %m", iffilename);
+ iffilename[0] = 0;
+ }
+
/*
* Set device for non-blocking reads.
*/
@@ -448,6 +465,11 @@ main(argc, argv)
syslog(LOG_WARNING, "unable to delete pid file: %m");
pidfilename[0] = 0;
+ if (iffile)
+ if (unlink(iffilename) < 0 && errno != ENOENT)
+ syslog(LOG_WARNING, "unable to delete if file: %m");
+ iffilename[0] = 0;
+
} while (persist);
die(0);
diff --git a/usr.sbin/pppd/pathnames.h b/usr.sbin/pppd/pathnames.h
index d0ec2ff..7033ff0 100644
--- a/usr.sbin/pppd/pathnames.h
+++ b/usr.sbin/pppd/pathnames.h
@@ -1,7 +1,7 @@
/*
* define path names
*
- * $Id$
+ * $Id: pathnames.h,v 1.5 1997/02/22 16:11:52 peter Exp $
*/
#ifdef HAVE_PATHS_H
@@ -20,3 +20,6 @@
#define _PATH_TTYOPT "/etc/ppp/options."
#define _PATH_CONNERRS "/etc/ppp/connect-errors"
#define _PATH_USEROPT ".ppprc"
+#define _PATH_PPPDISABLED "/etc/ppp/ppp.disabled"
+#define _PATH_PPPSHELLS "/etc/ppp/ppp.shells"
+
diff --git a/usr.sbin/pppd/pppd.8 b/usr.sbin/pppd/pppd.8
index 76cef60..e0e8bfa 100644
--- a/usr.sbin/pppd/pppd.8
+++ b/usr.sbin/pppd/pppd.8
@@ -1,5 +1,5 @@
.\" manual page [] for pppd 2.0
-.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $
+.\" $Id: pppd.8,v 1.10 1997/04/13 01:07:00 brian Exp $
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
@@ -566,6 +566,11 @@ set of IP addresses that each user can use. Typically, when using the
\fBlogin\fR option, the secret in /etc/ppp/pap-secrets would be "", to
avoid the need to have the same secret in two places.
.LP
+Additional checks are performed when the \fBlogin\fR option is used.
+If the file /etc/ppp/ppp.disabled exists, and the user is listed in it,
+the authentication fails. If the file /etc/ppp/ppp.shells exists and
+the user's normal login shell is not listed, the authentication fails.
+.LP
Secrets are selected from the CHAP secrets file as follows:
.TP 2
*
@@ -682,6 +687,9 @@ process. This signal acts as a toggle.
.B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others)
Process-ID for \fIpppd\fR process on ppp interface unit \fIn\fR.
.TP
+.B /var/run/tty\fIXn\fB.if \fR(BSD or Linux), \fB/etc/ppp/tty\fIXn\fB.if \fR(others)
+Interface for \fIpppd\fR process on serial device /dev/tty\fIXn\fR.
+.TP
.B /etc/ppp/ip-up
A program or script which is executed when the link is available for
sending and receiving IP packets (that is, IPCP has come up). It is
@@ -726,6 +734,13 @@ User default options, read before command-line options.
.B /etc/ppp/options.\fIttyname
System default options for the serial port being used, read after
command-line options.
+.TP
+.B /etc/ppp/ppp.disabled
+Lists users who may not use the system password PAP authentication.
+.TP
+.B /etc/ppp/ppp.shells
+Lists user shells which are approved for system password PAP authentication
+logins.
.SH SEE ALSO
.IR chat(8),
.IR ppp(8)
OpenPOWER on IntegriCloud