d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4658933f3a
freebsd-dev/usr.sbin/ppp/auth.c

480 lines
12 KiB
C
Raw Normal View History

Convert IIJ copyrights to BSD copyrights. Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>
2001-06-13 21:52:19 +00:00
/*-
* Copyright (c) 1996 - 2001 Brian Somers <brian@Awfulhak.org>
* based on work by Toshiharu OHNO <tony-o@iij.ad.jp>
* Internet Initiative Japan, Inc (IIJ)
* All rights reserved.
1995-01-31 06:29:58 +00:00
*
Convert IIJ copyrights to BSD copyrights. Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>
2001-06-13 21:52:19 +00:00
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
1995-01-31 06:29:58 +00:00
*
Convert IIJ copyrights to BSD copyrights. Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>
2001-06-13 21:52:19 +00:00
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
Remove trailing whitespace.
1995-05-30 03:57:47 +00:00
*
$Id$ -> $FreeBSD$
1999-08-28 01:35:59 +00:00
* $FreeBSD$
1995-01-31 06:29:58 +00:00
*/
Convert IIJ copyrights to BSD copyrights. Approved by: Toshiharu OHNO <tohno@sirius.ocn.ne.jp>
2001-06-13 21:52:19 +00:00
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
#include <sys/param.h>
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
#include <netinet/in.h>
Move VJ compression state and stats into struct ipcp.
1998-03-16 22:54:35 +00:00
#include <netinet/in_systm.h>
#include <netinet/ip.h>
o Add ipv6 support, abstracting most NCP addresses into opaque structures (well, they're treated as opaque). It's now possible to manage IPv6 interface addresses and routing table entries and to filter IPV6 traffic whether encapsulated or not. IPV6CP support is crude for now, and hasn't been tested against any other implementations. RADIUS and IPv6 are independent of eachother for now. ppp.linkup/ppp.linkdown aren't currently used by IPV6CP o Understand all protocols(5) in filter rules rather than only a select few. o Allow a mask specification for the ``delete'' command. It's now possible to specifically delete one of two conflicting routes. o When creating and deleting proxy arp entries, do it for all IPv4 interface addresses rather than doing it just for the ``current'' peer address. o When iface-alias isn't in effect, don't blow away manually (via ``iface add'') added interface addresses. o When listening on a tcp server (diagnostic) socket, bind so that a tcp46 socket is created -- allowing both IPv4 and IPv6 connections. o When displaying ICMP traffic, don't display the icmp type twice. When display traffic, display at least some information about unrecognised traffic. o Bump version Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-14 16:05:52 +00:00
#include <sys/socket.h>
o Add the link name to modem diagnostics. o Create struct mpserver as part of struct mp. mpserver creates a unix-domain socket based on the peers auth name and endpoint discriminator. If it already exists, ppp will ``pass the link'' over to the owner of the socket, joining it into the bundle of another ppp invocation, otherwise ppp waits for other invocations to pass it links through this socket. The final piece of code will be the code that flattens our datalink info and passes it down this channel (not yet implemented).
1998-04-28 01:25:46 +00:00
#include <sys/un.h>
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
#include <pwd.h>
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
#include <stdio.h>
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
#include <stdlib.h>
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
#include <string.h>
Reimplement the previous fix (no response to PAP requests) at the authentication layer rather than at the PAP layer so that it also applies to CHAP (no response to CHAP challenges).
1999-02-02 09:35:17 +00:00
#include <termios.h>
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
#include <unistd.h>
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
#ifndef NOPAM
#include <security/pam_appl.h>
Revert previous commit and fix OpenPAM issue properly.
2007-12-22 19:29:32 +00:00
#ifdef OPENPAM
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
#include <security/openpam.h>
#endif
#endif /* !NOPAM */
o Redesign the layering mechanism and make the aliasing code part of the layering. We now ``stack'' layers as soon as we open the device (when we figure out what we're dealing with). A static set of `dispatch' routines are also declared for dealing with incoming packets after they've been `pulled' up through the stacked layers. Physical devices are now assigned handlers based on the device type when they're opened. For the moment there are three device types; ttys, execs and tcps. o Increment version number to 2.2 o Make an entry in [uw]tmp for non-tty -direct invocations (after pap/chap authentication). o Make throughput counters quad_t's o Account for the absolute number of mbuf malloc()s and free()s in ``show mem''. o ``show modem'' becomes ``show physical''.
1999-05-08 11:07:56 +00:00
#include "layer.h"
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
#include "mbuf.h"
#include "defs.h"
Reimplement the previous fix (no response to PAP requests) at the authentication layer rather than at the PAP layer so that it also applies to CHAP (no response to CHAP challenges).
1999-02-02 09:35:17 +00:00
#include "log.h"
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
#include "timer.h"
1995-01-31 06:29:58 +00:00
#include "fsm.h"
o Move global/static IPCP data into IpcpInfo. o Use INADDR_ANY and INADDR_BROADCAST instead of 0 and 0xffffffff for IP addresses & masks. o Move struct compreq into ipcp.c (it's none of anyone elses business). o Rename MAX_STATES to MAX_VJ_STATES.
1998-01-29 23:11:44 +00:00
#include "iplist.h"
#include "throughput.h"
Move VJ compression state and stats into struct ipcp.
1998-03-16 22:54:35 +00:00
#include "slcompress.h"
Put the IP buffer queues into struct ipcp. Forgotten by: me
1998-08-26 17:39:37 +00:00
#include "lqr.h"
#include "hdlc.h"
o Add ipv6 support, abstracting most NCP addresses into opaque structures (well, they're treated as opaque). It's now possible to manage IPv6 interface addresses and routing table entries and to filter IPV6 traffic whether encapsulated or not. IPV6CP support is crude for now, and hasn't been tested against any other implementations. RADIUS and IPv6 are independent of eachother for now. ppp.linkup/ppp.linkdown aren't currently used by IPV6CP o Understand all protocols(5) in filter rules rather than only a select few. o Allow a mask specification for the ``delete'' command. It's now possible to specifically delete one of two conflicting routes. o When creating and deleting proxy arp entries, do it for all IPv4 interface addresses rather than doing it just for the ``current'' peer address. o When iface-alias isn't in effect, don't blow away manually (via ``iface add'') added interface addresses. o When listening on a tcp server (diagnostic) socket, bind so that a tcp46 socket is created -- allowing both IPv4 and IPv6 connections. o When displaying ICMP traffic, don't display the icmp type twice. When display traffic, display at least some information about unrecognised traffic. o Bump version Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-14 16:05:52 +00:00
#include "ncpaddr.h"
1995-01-31 06:29:58 +00:00
#include "ipcp.h"
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
#include "auth.h"
Cosmetic (no functional changes): o Add missing $Id$s o Move extern decls from .c -> .h files o Staticize o Remove #includes from .h files o style(9)ify includes o bcopy -> memcpy bzero -> memset bcmp -> memcmp index -> strchr rindex -> strrchr o Move timeout.h -> timer.h (making it consistent w/ timer.c) o Add -Wmissing-prototypes
1997-10-26 01:04:02 +00:00
#include "systems.h"
Create `struct async' and make it part of `struct physical'. This structure contains the asynchronous state of the physical link. Unfortunately, just about every .h file is included in every .c file now. Fixing this can be one of the last jobs.
1998-02-02 19:33:40 +00:00
#include "lcp.h"
o Move struct lcp and struct ccp into struct link. o Remove bundle2lcp(), bundle2ccp() and bundle2link(). They're too resource-hungry and we have `owner pointers' to do their job. o Make our FSM understand LCPs that are always ST_OPENED (with a minimum code that != 1). o Send FSM code rejects for invalid codes. o Make our bundle fsm_parent deal with multiple links. o Make timer diagnostics pretty and allow access via ~t in `term' mode (not just when logging debug) and `show timers'. Only show timers every second in debug mode, otherwise we get too many diagnostics to be useful (we probably still do). Also, don't restrict ~m in term mode to depend on debug logging. o Rationalise our bundles' phases. o Create struct mp (multilink protocol). This is both an NCP and a type of struct link. It feeds off other NCPs for output, passing fragmented packets into the queues of available datalinks. It also gets PROTO_MP input, reassembles the fragments into ppp frames, and passes them back to the HDLC layer that the fragments were passed from. ** It's not yet possible to enter multilink mode :-( ** o Add `set weight' (requires context) for deciding on a links weighting in multilink mode. Weighting is simplistic (and probably badly implemented) for now. o Remove the function pointers in struct link. They ended up only applying to physical links. o Configure our tun device with an MTU equal to the MRU from struct mp's LCP and a speed equal to the sum of our link speeds. o `show {lcp,ccp,proto}' and `set deflate' now have optional context and use ChooseLink() to decide on which `struct link' to use. This allows behaviour as before when in non-multilink mode, and allows access to the MP logical link in multilink mode. o Ignore reconnect and redial values when in -direct mode and when cleaning up. Always redial when in -ddial or -dedicated mode (unless cleaning up). o Tell our links to `staydown' when we close them due to a signal. o Remove remaining `#ifdef SIGALRM's (ppp doesn't function without alarms). o Don't bother strdup()ing our physical link name. o Various other cosmetic changes.
1998-04-03 19:21:56 +00:00
#include "ccp.h"
Create `struct async' and make it part of `struct physical'. This structure contains the asynchronous state of the physical link. Unfortunately, just about every .h file is included in every .c file now. Fixing this can be one of the last jobs.
1998-02-02 19:33:40 +00:00
#include "link.h"
o Introduce struct descriptor. This will ultimately be a member of a list of descriptors and their handler functions on which we need to select() in the main loop. o Make struct physical into a `sort' of struct descriptor.
1998-02-09 19:21:11 +00:00
#include "descriptor.h"
Update to version 2.0-beta Allow for NULL fd_sets in descriptor_UpdateSet() Reimplement the entire chat module, creating `struct chat' - a `type' of struct descriptor. Remove CARRIER logging. CONNECT logging now only logs "CONNECT" lines. CHAT logging masks it with an entire log of the conversation. Modem dialing is now asynchronous, including pauses and timeouts :-) The hooks in DoLoop() in main.c are *very* messy ! I'll have to rewrite DoLoop fairly soon, so I don't care too much for the moment. This code is pretty raw.
1998-02-13 05:10:26 +00:00
#include "chat.h"
o Redesign the layering mechanism and make the aliasing code part of the layering. We now ``stack'' layers as soon as we open the device (when we figure out what we're dealing with). A static set of `dispatch' routines are also declared for dealing with incoming packets after they've been `pulled' up through the stacked layers. Physical devices are now assigned handlers based on the device type when they're opened. For the moment there are three device types; ttys, execs and tcps. o Increment version number to 2.2 o Make an entry in [uw]tmp for non-tty -direct invocations (after pap/chap authentication). o Make throughput counters quad_t's o Account for the absolute number of mbuf malloc()s and free()s in ``show mem''. o ``show modem'' becomes ``show physical''.
1999-05-08 11:07:56 +00:00
#include "proto.h"
Move filter sets into struct bundle.
1998-03-16 22:52:54 +00:00
#include "filter.h"
o Move struct lcp and struct ccp into struct link. o Remove bundle2lcp(), bundle2ccp() and bundle2link(). They're too resource-hungry and we have `owner pointers' to do their job. o Make our FSM understand LCPs that are always ST_OPENED (with a minimum code that != 1). o Send FSM code rejects for invalid codes. o Make our bundle fsm_parent deal with multiple links. o Make timer diagnostics pretty and allow access via ~t in `term' mode (not just when logging debug) and `show timers'. Only show timers every second in debug mode, otherwise we get too many diagnostics to be useful (we probably still do). Also, don't restrict ~m in term mode to depend on debug logging. o Rationalise our bundles' phases. o Create struct mp (multilink protocol). This is both an NCP and a type of struct link. It feeds off other NCPs for output, passing fragmented packets into the queues of available datalinks. It also gets PROTO_MP input, reassembles the fragments into ppp frames, and passes them back to the HDLC layer that the fragments were passed from. ** It's not yet possible to enter multilink mode :-( ** o Add `set weight' (requires context) for deciding on a links weighting in multilink mode. Weighting is simplistic (and probably badly implemented) for now. o Remove the function pointers in struct link. They ended up only applying to physical links. o Configure our tun device with an MTU equal to the MRU from struct mp's LCP and a speed equal to the sum of our link speeds. o `show {lcp,ccp,proto}' and `set deflate' now have optional context and use ChooseLink() to decide on which `struct link' to use. This allows behaviour as before when in non-multilink mode, and allows access to the MP logical link in multilink mode. o Ignore reconnect and redial values when in -direct mode and when cleaning up. Always redial when in -ddial or -dedicated mode (unless cleaning up). o Tell our links to `staydown' when we close them due to a signal. o Remove remaining `#ifdef SIGALRM's (ppp doesn't function without alarms). o Don't bother strdup()ing our physical link name. o Various other cosmetic changes.
1998-04-03 19:21:56 +00:00
#include "mp.h"
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
#ifndef NORADIUS
#include "radius.h"
#endif
Reimplement the previous fix (no response to PAP requests) at the authentication layer rather than at the PAP layer so that it also applies to CHAP (no response to CHAP challenges).
1999-02-02 09:35:17 +00:00
#include "cbcp.h"
#include "chap.h"
#include "async.h"
#include "physical.h"
#include "datalink.h"
o Add ipv6 support, abstracting most NCP addresses into opaque structures (well, they're treated as opaque). It's now possible to manage IPv6 interface addresses and routing table entries and to filter IPV6 traffic whether encapsulated or not. IPV6CP support is crude for now, and hasn't been tested against any other implementations. RADIUS and IPv6 are independent of eachother for now. ppp.linkup/ppp.linkdown aren't currently used by IPV6CP o Understand all protocols(5) in filter rules rather than only a select few. o Allow a mask specification for the ``delete'' command. It's now possible to specifically delete one of two conflicting routes. o When creating and deleting proxy arp entries, do it for all IPv4 interface addresses rather than doing it just for the ``current'' peer address. o When iface-alias isn't in effect, don't blow away manually (via ``iface add'') added interface addresses. o When listening on a tcp server (diagnostic) socket, bind so that a tcp46 socket is created -- allowing both IPv4 and IPv6 connections. o When displaying ICMP traffic, don't display the icmp type twice. When display traffic, display at least some information about unrecognised traffic. o Bump version Inspired after filtering work by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
2001-08-14 16:05:52 +00:00
#include "ipv6cp.h"
#include "ncp.h"
Move the IPCP into struct bundle.
1998-03-13 21:07:46 +00:00
#include "bundle.h"
1995-01-31 06:29:58 +00:00
o Hook the FSMs into our bundle. o The FSM layering is now more sane. o Move a lot of the NCP stuff into our ipcpstate rather than having it in the bundle, including control of the configured IP addresses. We don't need hacks like the global `linkup' variable any more as the FSM decides when our ppp.link* files get run. This is going to eventually be configurable based on FSM events anyway. o Fix a few inconsistencies when both sides require authentication. o We now have "Ppp..." and "PPp" prompts, reflecting authentication and network phase. We don't print loads of spurious prompts as we change phases any more. o Our phase is part of the bundle now. o Fix a bug where the FSM wasn't calling LayerFinish. o Close the FSM down correctly with a signal rather than slamming it down as if the line was dropped (the undocumented ``down'' command is still available though). o Remove the forgotten `tunno' variable and fix references to it.
1998-02-07 20:50:08 +00:00
const char *
Fully support both NT and LANMan CHAP type 0x80 as both authenticator and authenticatee.
1999-02-18 00:52:15 +00:00
Auth2Nam(u_short auth, u_char type)
Final cleanup for now. -Wall is now silent. A couple of bogons found.
1996-01-11 17:48:59 +00:00
{
Fully support both NT and LANMan CHAP type 0x80 as both authenticator and authenticatee.
1999-02-18 00:52:15 +00:00
static char chap[10];
o Hook the FSMs into our bundle. o The FSM layering is now more sane. o Move a lot of the NCP stuff into our ipcpstate rather than having it in the bundle, including control of the configured IP addresses. We don't need hacks like the global `linkup' variable any more as the FSM decides when our ppp.link* files get run. This is going to eventually be configurable based on FSM events anyway. o Fix a few inconsistencies when both sides require authentication. o We now have "Ppp..." and "PPp" prompts, reflecting authentication and network phase. We don't print loads of spurious prompts as we change phases any more. o Our phase is part of the bundle now. o Fix a bug where the FSM wasn't calling LayerFinish. o Close the FSM down correctly with a signal rather than slamming it down as if the line was dropped (the undocumented ``down'' command is still available though). o Remove the forgotten `tunno' variable and fix references to it.
1998-02-07 20:50:08 +00:00
switch (auth) {
case PROTO_PAP:
return "PAP";
case PROTO_CHAP:
Fully support both NT and LANMan CHAP type 0x80 as both authenticator and authenticatee.
1999-02-18 00:52:15 +00:00
snprintf(chap, sizeof chap, "CHAP 0x%02x", type);
return chap;
o Hook the FSMs into our bundle. o The FSM layering is now more sane. o Move a lot of the NCP stuff into our ipcpstate rather than having it in the bundle, including control of the configured IP addresses. We don't need hacks like the global `linkup' variable any more as the FSM decides when our ppp.link* files get run. This is going to eventually be configurable based on FSM events anyway. o Fix a few inconsistencies when both sides require authentication. o We now have "Ppp..." and "PPp" prompts, reflecting authentication and network phase. We don't print loads of spurious prompts as we change phases any more. o Our phase is part of the bundle now. o Fix a bug where the FSM wasn't calling LayerFinish. o Close the FSM down correctly with a signal rather than slamming it down as if the line was dropped (the undocumented ``down'' command is still available though). o Remove the forgotten `tunno' variable and fix references to it.
1998-02-07 20:50:08 +00:00
case 0:
return "none";
}
return "unknown";
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
}
Revert previous commit and fix OpenPAM issue properly.
2007-12-22 19:29:32 +00:00
#if !defined(NOPAM) && !defined(OPENPAM)
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
static int
pam_conv(int n, const struct pam_message **msg, struct pam_response **resp,
void *data)
{
if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
return (PAM_CONV_ERR);
if ((*resp = malloc(sizeof(struct pam_response))) == NULL)
return (PAM_CONV_ERR);
(*resp)[0].resp = strdup((const char *)data);
(*resp)[0].resp_retcode = 0;
return ((*resp)[0].resp != NULL ? PAM_SUCCESS : PAM_CONV_ERR);
}
Revert previous commit and fix OpenPAM issue properly.
2007-12-22 19:29:32 +00:00
#endif /* !defined(NOPAM) && !defined(OPENPAM) */
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
static int
auth_CheckPasswd(const char *name, const char *data, const char *key)
{
if (!strcmp(data, "*")) {
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
#ifdef NOPAM
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
/* Then look up the real password database */
struct passwd *pw;
int result;
result = (pw = getpwnam(name)) &&
!strcmp(crypt(key, pw->pw_passwd), pw->pw_passwd);
endpwent();
return result;
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
#else /* !NOPAM */
/* Then consult with PAM. */
pam_handle_t *pamh;
int status;
struct pam_conv pamc = {
Revert previous commit and fix OpenPAM issue properly.
2007-12-22 19:29:32 +00:00
#ifdef OPENPAM
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
&openpam_nullconv, NULL
#else
Revert previous commit and fix OpenPAM issue properly.
2007-12-22 19:29:32 +00:00
&pam_conv, key
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
#endif
};
if (pam_start("ppp", name, &pamc, &pamh) != PAM_SUCCESS)
return (0);
Revert previous commit and fix OpenPAM issue properly.
2007-12-22 19:29:32 +00:00
#ifdef OPENPAM
Basic PAM authentication support.
2003-10-29 20:32:19 +00:00
if ((status = pam_set_item(pamh, PAM_AUTHTOK, key)) == PAM_SUCCESS)
#endif
status = pam_authenticate(pamh, 0);
pam_end(pamh, status);
return (status == PAM_SUCCESS);
#endif /* !NOPAM */
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
}
return !strcmp(data, key);
}
This commit was manufactured by cvs2svn to create branch 'MP'.
1998-01-29 00:44:16 +00:00
int
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
auth_SetPhoneList(const char *name, char *phone, int phonelen)
{
FILE *fp;
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
int n, lineno;
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
char *vector[6], buff[LINE_LEN];
const char *slash;
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
fp = OpenSecret(SECRETFILE);
if (fp != NULL) {
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
again:
lineno = 0;
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
while (fgets(buff, sizeof buff, fp)) {
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
lineno++;
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
if (buff[0] == '#')
continue;
buff[strlen(buff) - 1] = '\0';
memset(vector, '\0', sizeof vector);
Don't allowt '#' as a comment when it's embedded in quotes: set something "xxx yyy # zzz" aaa shouldn't be interpreted as set something "xxx yyy" aaa
1999-12-27 11:43:31 +00:00
if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
if (n < 5)
continue;
if (strcmp(vector[0], name) == 0) {
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
CloseSecret(fp);
if (*vector[4] == '\0')
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
return 0;
strncpy(phone, vector[4], phonelen - 1);
phone[phonelen - 1] = '\0';
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
return 1; /* Valid */
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
}
}
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
/* Look for the name without the leading domain */
name = slash + 1;
rewind(fp);
goto again;
}
o Support callback types NONE, E.164, AUTH and CBCP. (see the new ``set callback'' and ``set cbcp'' commands) o Add a ``cbcp'' log level and mbuf type. o Don't dump core when \T is given in ``set login'' or ``set hangup''. o Allow ``*'' and blanks as placeholders in ppp.secret and allow a fifth field for specifying auth/cbcp dialback parameters. o Remove a few extraneous #includes o Define the default number of REQs (restart counter) in defs.h rather than hardcoding ``5'' all over the place. o Fix a few man page inconsistencies.
1998-08-07 18:42:51 +00:00
CloseSecret(fp);
}
*phone = '\0';
return 0;
}
int
auth_Select(struct bundle *bundle, const char *name)
Make the code format more in line with style(9). Update loadalias to use the new libalias api. Update to version 1.1.
1997-08-25 00:29:32 +00:00
{
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
FILE *fp;
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
int n, lineno;
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
char *vector[5], buff[LINE_LEN];
const char *slash;
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
if (*name == '\0') {
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
return 1;
}
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
#ifndef NORADIUS
Get tun P2P address from the local pool if RADIUS server returned 255.255.255.254 as client ipaddr. Reviewed-By: freebsd-net mailing list
2002-04-04 08:43:00 +00:00
if (bundle->radius.valid && bundle->radius.ip.s_addr != INADDR_NONE &&
bundle->radius.ip.s_addr != RADIUS_INADDR_POOL) {
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
/* We've got a radius IP - it overrides everything */
if (!ipcp_UseHisIPaddr(bundle, bundle->radius.ip))
return 0;
ipcp_Setup(&bundle->ncp.ipcp, bundle->radius.mask.s_addr);
/* Continue with ppp.secret in case we've got a new label */
}
#endif
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
fp = OpenSecret(SECRETFILE);
if (fp != NULL) {
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
again:
lineno = 0;
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
while (fgets(buff, sizeof buff, fp)) {
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
lineno++;
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
if (buff[0] == '#')
continue;
Add missing braces - without them, the IP & label were mis-selected from ppp.secret. Problem reported by: Dom Mitchell <dom@phmit.demon.co.uk>
1998-07-19 21:07:24 +00:00
buff[strlen(buff) - 1] = '\0';
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
memset(vector, '\0', sizeof vector);
Don't allowt '#' as a comment when it's embedded in quotes: set something "xxx yyy # zzz" aaa shouldn't be interpreted as set something "xxx yyy" aaa
1999-12-27 11:43:31 +00:00
if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
if (n < 2)
continue;
Add missing braces - without them, the IP & label were mis-selected from ppp.secret. Problem reported by: Dom Mitchell <dom@phmit.demon.co.uk>
1998-07-19 21:07:24 +00:00
if (strcmp(vector[0], name) == 0) {
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
CloseSecret(fp);
#ifndef NORADIUS
if (!bundle->radius.valid || bundle->radius.ip.s_addr == INADDR_NONE) {
#endif
if (n > 2 && *vector[2] && strcmp(vector[2], "*") &&
!ipcp_UseHisaddr(bundle, vector[2], 1))
return 0;
ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
#ifndef NORADIUS
}
#endif
if (n > 3 && *vector[3] && strcmp(vector[3], "*"))
bundle_SetLabel(bundle, vector[3]);
return 1; /* Valid */
Add missing braces - without them, the IP & label were mis-selected from ppp.secret. Problem reported by: Dom Mitchell <dom@phmit.demon.co.uk>
1998-07-19 21:07:24 +00:00
}
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
}
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
/* Look for the name without the leading domain */
name = slash + 1;
rewind(fp);
goto again;
}
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
CloseSecret(fp);
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
}
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
#ifndef NOPASSWDAUTH
/* Let 'em in anyway - they must have been in the passwd file */
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
ipcp_Setup(&bundle->ncp.ipcp, INADDR_NONE);
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
return 1;
#else
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
#ifndef NORADIUS
if (bundle->radius.valid)
return 1;
#endif
/* Disappeared from ppp.secret ??? */
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
return 0;
#endif
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
}
1995-01-31 06:29:58 +00:00
int
Make ppp WARNS=5 clean
2004-09-05 01:46:52 +00:00
auth_Validate(struct bundle *bundle, const char *name, const char *key)
1995-01-31 06:29:58 +00:00
{
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
/* Used by PAP routines */
1995-01-31 06:29:58 +00:00
FILE *fp;
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
int n, lineno;
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
char *vector[5], buff[LINE_LEN];
const char *slash;
1995-01-31 06:29:58 +00:00
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
fp = OpenSecret(SECRETFILE);
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
again:
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
lineno = 0;
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
if (fp != NULL) {
while (fgets(buff, sizeof buff, fp)) {
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
lineno++;
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
if (buff[0] == '#')
continue;
buff[strlen(buff) - 1] = 0;
memset(vector, '\0', sizeof vector);
Don't allowt '#' as a comment when it's embedded in quotes: set something "xxx yyy # zzz" aaa shouldn't be interpreted as set something "xxx yyy" aaa
1999-12-27 11:43:31 +00:00
if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
if (n < 2)
continue;
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
if (strcmp(vector[0], name) == 0) {
CloseSecret(fp);
return auth_CheckPasswd(name, vector[1], key);
1995-01-31 06:29:58 +00:00
}
}
}
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
/* Look for the name without the leading domain */
name = slash + 1;
if (fp != NULL) {
rewind(fp);
goto again;
}
}
if (fp != NULL)
CloseSecret(fp);
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
#ifndef NOPASSWDAUTH
o Move the accept/deny/disable/enable globals either to the bundle (non-negotiated vars) or to their respective IPCP, LCP or CCP. o Enable rolling throughput statistics by default. o Remove the `display' command. These values now appear in `show bundle', `show ipcp', `show ccp' and `show lcp'. o Initialise auth name & key at bundle create time (oops). o Rename pppd-deflate (the id-24 hack) to deflate24. o Don't send both a REJ and a NAK to an IPCP or LCP REQ. Favour the REJ (already done at the CCP level). o Recurse in datalink_UpdateSet() when we change state, otherwise we end up setting no descriptors and getting jammed in the imminent select() instead of doing the dial/login/hangup. o Display our CHAP encryption method despite being built with DES. o Display VJ as not negotiated in ``show ipcp'' when necessary.
1998-04-16 00:26:21 +00:00
if (Enabled(bundle, OPT_PASSWDAUTH))
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
return auth_CheckPasswd(name, "*", key);
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
#endif
return 0; /* Invalid */
1995-01-31 06:29:58 +00:00
}
char *
Make ppp WARNS=5 clean
2004-09-05 01:46:52 +00:00
auth_GetSecret(const char *name, size_t len)
1995-01-31 06:29:58 +00:00
{
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
/* Used by CHAP routines */
1995-01-31 06:29:58 +00:00
FILE *fp;
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
int n, lineno;
o Allow the use of HISADDR as the first arg to "add". o Allow a forth argument in ppp.secret, specifying a new label. This gives control over which section of ppp.link{up,down} is used based on the authenticated user. o Support random address ranges in ppp.secret (not just in ppp.conf). o Add a AUTHENTICATING INCOMING CONNECTIONS section to the man page. o Add a bit more about DEFLATE in the man page. o Fix the incorrect "you must specify a password in interactive mode" bit of the manual. o Space things in the man page consistently. o Be more precice about where you can use MYADDR, HISADDR and INTERFACE in the "add" command documentation.
1998-01-05 01:35:20 +00:00
char *vector[5];
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
const char *slash;
Don't drop the last character from lines in ppp.secret unless it's '\n'.
1999-06-08 20:11:53 +00:00
static char buff[LINE_LEN]; /* vector[] will point here when returned */
1995-01-31 06:29:58 +00:00
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
fp = OpenSecret(SECRETFILE);
1995-01-31 06:29:58 +00:00
if (fp == NULL)
Make the code format more in line with style(9). Update loadalias to use the new libalias api. Update to version 1.1.
1997-08-25 00:29:32 +00:00
return (NULL);
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
again:
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
lineno = 0;
Cosmetic (style): sizeof(var) -> sizeof var sizeof type -> sizeof(type) Suggested by: J Wunsch <j@uriah.heep.sax.de>
1997-12-24 09:29:17 +00:00
while (fgets(buff, sizeof buff, fp)) {
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
lineno++;
1995-01-31 06:29:58 +00:00
if (buff[0] == '#')
continue;
Don't drop the last character from lines in ppp.secret unless it's '\n'.
1999-06-08 20:11:53 +00:00
n = strlen(buff) - 1;
if (buff[n] == '\n')
buff[n] = '\0'; /* Trim the '\n' */
Cosmetic (style): sizeof(var) -> sizeof var sizeof type -> sizeof(type) Suggested by: J Wunsch <j@uriah.heep.sax.de>
1997-12-24 09:29:17 +00:00
memset(vector, '\0', sizeof vector);
Don't allowt '#' as a comment when it's embedded in quotes: set something "xxx yyy # zzz" aaa shouldn't be interpreted as set something "xxx yyy" aaa
1999-12-27 11:43:31 +00:00
if ((n = MakeArgs(buff, vector, VECSIZE(vector), PARSE_REDUCE)) < 0)
Notice and warn about unterminated quoted strings in commands. The entire command is ignored if the syntax is invalid...
1999-12-20 20:30:02 +00:00
log_Printf(LogWARN, "%s: %d: Invalid line\n", SECRETFILE, lineno);
1995-01-31 06:29:58 +00:00
if (n < 2)
continue;
Initial RADIUS support (using libradius). See the man page for details. Compiling with -DNORADIUS (the default for `release') removes support. TODO: The functionality in libradius::rad_send_request() needs to be supplied as a set of routines so that ppp doesn't have to wait indefinitely for the radius server(s). Instead, we need to get a descriptor back, select() on the descriptor, and ask libradius to service it when necessary. For now, ppp blocks SIGALRM while in rad_send_request(), so it misses PAP/CHAP retries & timeouts if they occur. Only PAP is functional. When CHAP is attempted, libradius complains that no User-Password has been specified... rfc2138 says that it *mustn't* be used for CHAP :-( Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-01-28 01:56:34 +00:00
if (strlen(vector[0]) == len && strncmp(vector[0], name, len) == 0) {
o Defer setting up pap/chap based IP numbers & labels until after we've determined if we're going to join another ppp invocation. o Make ``show link'' show all link details, and ``show links'' just give a list of links and their current status. o Show our current label in ``show bundle''. o Allow link cloning and removal as soon as our MRRU is set. o Make ``show lcp'' require context as nothing will ever change in our MP LCP (it's auto-configured as per rfc1990). o Initialise our LQM owner in hdlc_Init(). o Store our endpoint discriminator and authentication name at both the datalink and multilink level and compare them when we've finished AUTHENTICATE phase and before entering NETWORK phase. If they don't match, close the link again. Display the information in the appropriate ``show'' command. o Initialise datalink::phone and datalink::fsmp.object properly when we're cloning the link. o Show which link we're passing LQRs on in our diagnostics. o Reject endpoint discriminator REQs at the logical multilink level. o Remove the rest of our CARRIER and LINK logging setup.
1998-04-24 19:16:15 +00:00
CloseSecret(fp);
o Allow "*" in the password field in ppp.secret (forcing a getpwnam() lookup). o Don't use chat_ExpandString on the password field in ppp.secret. It's still possible to quote the string for embedded spaces. o Don't allow multiple entries with the same name in ppp.secret.
1998-03-09 19:25:35 +00:00
return vector[1];
1995-01-31 06:29:58 +00:00
}
}
When authenticating a name containing a ``\'', attempt to autenticate using the part after the ``\'' if the original name is not found. This allows M$ clients to use domain\user as their authname. Reviewed by: Ian West <ian@niw.com.au>
2002-01-08 11:24:39 +00:00
if ((slash = strrchr(name, '\\')) != NULL && slash[1]) {
/* Go back and look for the name without the leading domain */
len -= slash - name + 1;
name = slash + 1;
rewind(fp);
goto again;
}
1995-01-31 06:29:58 +00:00
CloseSecret(fp);
Make the code format more in line with style(9). Update loadalias to use the new libalias api. Update to version 1.1.
1997-08-25 00:29:32 +00:00
return (NULL); /* Invalid */
1995-01-31 06:29:58 +00:00
}
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
static void
Fix prototypes. Remove extraneous decls. Add ``const'' to several places. Allow ``make NOALIAS=1'' to remove IP aliasing. Merge with OpenBSD - only the Makefiles vary. We can now survive a compile with -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wredundant-decls -Wshadow -Wstrict-prototypes -Wwrite-strings -Wchar-subscripts (although the Makefile just contains -Wall).
1997-11-22 03:37:54 +00:00
AuthTimeout(void *vauthp)
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
{
Fix prototypes. Remove extraneous decls. Add ``const'' to several places. Allow ``make NOALIAS=1'' to remove IP aliasing. Merge with OpenBSD - only the Makefiles vary. We can now survive a compile with -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wredundant-decls -Wshadow -Wstrict-prototypes -Wwrite-strings -Wchar-subscripts (although the Makefile just contains -Wall).
1997-11-22 03:37:54 +00:00
struct authinfo *authp = (struct authinfo *)vauthp;
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
Cosmetic: Make our external function names consistent.
1998-05-01 19:26:12 +00:00
timer_Stop(&authp->authtimer);
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
if (--authp->retry > 0) {
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
authp->id++;
(*authp->fn.req)(authp);
Cosmetic: Make our external function names consistent.
1998-05-01 19:26:12 +00:00
timer_Start(&authp->authtimer);
Reimplement the previous fix (no response to PAP requests) at the authentication layer rather than at the PAP layer so that it also applies to CHAP (no response to CHAP challenges).
1999-02-02 09:35:17 +00:00
} else {
log_Printf(LogPHASE, "Auth: No response from server\n");
datalink_AuthNotOk(authp->physical->dl);
}
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
}
void
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
auth_Init(struct authinfo *authp, struct physical *p, auth_func req,
auth_func success, auth_func failure)
This commit was manufactured by cvs2svn to create branch 'MP'.
1998-01-29 00:44:16 +00:00
{
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
memset(authp, '\0', sizeof(struct authinfo));
Allow control over the number of ConfigREQ & TermREQ attempts that are made in each of the FSMs (LCP, CCP & IPCP) and the number of REQs/Challenges for PAP/CHAP by accepting more arguments in the ``set {c,ip,l}cpretry'' and ``set {ch,p}apretry'' commands. Change the non-convergence thresholds to 3 times the number of configured REQ tries (rather than the previous fixed ``10''). We now notice repeated NAKs and REJs rather than just REQs. Don't suggest that CHAP 0x05 isn't supported when it's not configured. Fix some bugs that expose themselves with smaller numbers of retries: o Handle instantaneous disconnects (set device /dev/null) correctly by stopping all fsm timers in fsm2initial. o Don't forget to uu_unlock() devices that are files but are not ttys (set device /dev/zero). Fix a *HORRENDOUS* bug in RFC1661 (already fixed for an Open event in state ``Closed''): According to the state transition table, a RCR+ or RCR- received in the ``Stopped'' state are supposed to InitRestartCounter, SendConfigReq and SendConfig{Ack,Nak}. However, in ``Stopped'', we haven't yet done a TLS (or the last thing we did is a TLF). We must therefore do the TLS at this point ! This was never noticed before because LCP and CCP used not use LayerStart() for anything interesting, and IPCP tends to go into Stopped then get a Down because of an LCP RTR rather than getting a RCR again.
1999-02-26 21:28:14 +00:00
authp->cfg.fsm.timeout = DEF_FSMRETRY;
authp->cfg.fsm.maxreq = DEF_FSMAUTHTRIES;
authp->cfg.fsm.maxtrm = 0; /* not used */
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
authp->fn.req = req;
authp->fn.success = success;
authp->fn.failure = failure;
authp->physical = p;
Do authentication at the datalink level, not the bundle level. The bundle doesn't get a LayerUp 'till we're authenticated. Introduce DATALINK_LCP and DATALINK_AUTH phases.
1998-03-01 01:07:49 +00:00
}
Create a new MP branch for `multilink protocol'. Do lots of initial shuffling and grouping. Submitted by: Eivind Eklund <perhaps@yes.no>
1998-01-29 00:49:32 +00:00
Do authentication at the datalink level, not the bundle level. The bundle doesn't get a LayerUp 'till we're authenticated. Introduce DATALINK_LCP and DATALINK_AUTH phases.
1998-03-01 01:07:49 +00:00
void
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
auth_StartReq(struct authinfo *authp)
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
{
Cosmetic: Make our external function names consistent.
1998-05-01 19:26:12 +00:00
timer_Stop(&authp->authtimer);
Do authentication at the datalink level, not the bundle level. The bundle doesn't get a LayerUp 'till we're authenticated. Introduce DATALINK_LCP and DATALINK_AUTH phases.
1998-03-01 01:07:49 +00:00
authp->authtimer.func = AuthTimeout;
o Move struct lcp and struct ccp into struct link. o Remove bundle2lcp(), bundle2ccp() and bundle2link(). They're too resource-hungry and we have `owner pointers' to do their job. o Make our FSM understand LCPs that are always ST_OPENED (with a minimum code that != 1). o Send FSM code rejects for invalid codes. o Make our bundle fsm_parent deal with multiple links. o Make timer diagnostics pretty and allow access via ~t in `term' mode (not just when logging debug) and `show timers'. Only show timers every second in debug mode, otherwise we get too many diagnostics to be useful (we probably still do). Also, don't restrict ~m in term mode to depend on debug logging. o Rationalise our bundles' phases. o Create struct mp (multilink protocol). This is both an NCP and a type of struct link. It feeds off other NCPs for output, passing fragmented packets into the queues of available datalinks. It also gets PROTO_MP input, reassembles the fragments into ppp frames, and passes them back to the HDLC layer that the fragments were passed from. ** It's not yet possible to enter multilink mode :-( ** o Add `set weight' (requires context) for deciding on a links weighting in multilink mode. Weighting is simplistic (and probably badly implemented) for now. o Remove the function pointers in struct link. They ended up only applying to physical links. o Configure our tun device with an MTU equal to the MRU from struct mp's LCP and a speed equal to the sum of our link speeds. o `show {lcp,ccp,proto}' and `set deflate' now have optional context and use ChooseLink() to decide on which `struct link' to use. This allows behaviour as before when in non-multilink mode, and allows access to the MP logical link in multilink mode. o Ignore reconnect and redial values when in -direct mode and when cleaning up. Always redial when in -ddial or -dedicated mode (unless cleaning up). o Tell our links to `staydown' when we close them due to a signal. o Remove remaining `#ifdef SIGALRM's (ppp doesn't function without alarms). o Don't bother strdup()ing our physical link name. o Various other cosmetic changes.
1998-04-03 19:21:56 +00:00
authp->authtimer.name = "auth";
Allow control over the number of ConfigREQ & TermREQ attempts that are made in each of the FSMs (LCP, CCP & IPCP) and the number of REQs/Challenges for PAP/CHAP by accepting more arguments in the ``set {c,ip,l}cpretry'' and ``set {ch,p}apretry'' commands. Change the non-convergence thresholds to 3 times the number of configured REQ tries (rather than the previous fixed ``10''). We now notice repeated NAKs and REJs rather than just REQs. Don't suggest that CHAP 0x05 isn't supported when it's not configured. Fix some bugs that expose themselves with smaller numbers of retries: o Handle instantaneous disconnects (set device /dev/null) correctly by stopping all fsm timers in fsm2initial. o Don't forget to uu_unlock() devices that are files but are not ttys (set device /dev/zero). Fix a *HORRENDOUS* bug in RFC1661 (already fixed for an Open event in state ``Closed''): According to the state transition table, a RCR+ or RCR- received in the ``Stopped'' state are supposed to InitRestartCounter, SendConfigReq and SendConfig{Ack,Nak}. However, in ``Stopped'', we haven't yet done a TLS (or the last thing we did is a TLF). We must therefore do the TLS at this point ! This was never noticed before because LCP and CCP used not use LayerStart() for anything interesting, and IPCP tends to go into Stopped then get a Down because of an LCP RTR rather than getting a RCR again.
1999-02-26 21:28:14 +00:00
authp->authtimer.load = authp->cfg.fsm.timeout * SECTICKS;
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
authp->authtimer.arg = (void *)authp;
Allow control over the number of ConfigREQ & TermREQ attempts that are made in each of the FSMs (LCP, CCP & IPCP) and the number of REQs/Challenges for PAP/CHAP by accepting more arguments in the ``set {c,ip,l}cpretry'' and ``set {ch,p}apretry'' commands. Change the non-convergence thresholds to 3 times the number of configured REQ tries (rather than the previous fixed ``10''). We now notice repeated NAKs and REJs rather than just REQs. Don't suggest that CHAP 0x05 isn't supported when it's not configured. Fix some bugs that expose themselves with smaller numbers of retries: o Handle instantaneous disconnects (set device /dev/null) correctly by stopping all fsm timers in fsm2initial. o Don't forget to uu_unlock() devices that are files but are not ttys (set device /dev/zero). Fix a *HORRENDOUS* bug in RFC1661 (already fixed for an Open event in state ``Closed''): According to the state transition table, a RCR+ or RCR- received in the ``Stopped'' state are supposed to InitRestartCounter, SendConfigReq and SendConfig{Ack,Nak}. However, in ``Stopped'', we haven't yet done a TLS (or the last thing we did is a TLF). We must therefore do the TLS at this point ! This was never noticed before because LCP and CCP used not use LayerStart() for anything interesting, and IPCP tends to go into Stopped then get a Down because of an LCP RTR rather than getting a RCR again.
1999-02-26 21:28:14 +00:00
authp->retry = authp->cfg.fsm.maxreq;
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
authp->id = 1;
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
(*authp->fn.req)(authp);
Cosmetic: Make our external function names consistent.
1998-05-01 19:26:12 +00:00
timer_Start(&authp->authtimer);
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
}
void
Cosmetic: Make our external function names consistent.
1998-05-01 19:26:12 +00:00
auth_StopTimer(struct authinfo *authp)
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
{
Cosmetic: Make our external function names consistent.
1998-05-01 19:26:12 +00:00
timer_Stop(&authp->authtimer);
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
}
struct mbuf *
auth_ReadHeader(struct authinfo *authp, struct mbuf *bp)
{
Make ppp WARNS=5 clean
2004-09-05 01:46:52 +00:00
size_t len;
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
Cosmetic: Make struct mbuf more like kernel mbufs.
1999-12-20 20:29:47 +00:00
len = m_length(bp);
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
if (len >= sizeof authp->in.hdr) {
bp = mbuf_Read(bp, (u_char *)&authp->in.hdr, sizeof authp->in.hdr);
if (len >= ntohs(authp->in.hdr.length))
return bp;
Handle empty PAP & CHAP packets (containing only an FSM header). Some CHAP implementations send no welcome message with their SUCCESS/FAILURE packets. This was being mis-identified as a truncated packet by the new authentication code :-(
1999-02-20 01:12:45 +00:00
authp->in.hdr.length = htons(0);
Fix the build on 64-bit platforms.
2004-09-06 00:07:58 +00:00
log_Printf(LogWARN, "auth_ReadHeader: Short packet (%u > %zu) !\n",
Be a little more verbose about dodgy looking authentication packets before dropping them in the bit-bucket.
1999-02-19 10:48:42 +00:00
ntohs(authp->in.hdr.length), len);
Handle empty PAP & CHAP packets (containing only an FSM header). Some CHAP implementations send no welcome message with their SUCCESS/FAILURE packets. This was being mis-identified as a truncated packet by the new authentication code :-(
1999-02-20 01:12:45 +00:00
} else {
authp->in.hdr.length = htons(0);
Fix the build on 64-bit platforms.
2004-09-06 00:07:58 +00:00
log_Printf(LogWARN, "auth_ReadHeader: Short packet header (%u > %zu) !\n",
Avoid a few warnings on the alpha
1999-03-31 14:21:46 +00:00
(int)(sizeof authp->in.hdr), len);
Handle empty PAP & CHAP packets (containing only an FSM header). Some CHAP implementations send no welcome message with their SUCCESS/FAILURE packets. This was being mis-identified as a truncated packet by the new authentication code :-(
1999-02-20 01:12:45 +00:00
}
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
Cosmetic: Make struct mbuf more like kernel mbufs.
1999-12-20 20:29:47 +00:00
m_freem(bp);
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
return NULL;
}
struct mbuf *
Make ppp WARNS=5 clean
2004-09-05 01:46:52 +00:00
auth_ReadName(struct authinfo *authp, struct mbuf *bp, size_t len)
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
{
if (len > sizeof authp->in.name - 1)
Fix the build on 64-bit platforms.
2004-09-06 00:07:58 +00:00
log_Printf(LogWARN, "auth_ReadName: Name too long (%zu) !\n", len);
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
else {
Make ppp WARNS=5 clean
2004-09-05 01:46:52 +00:00
size_t mlen = m_length(bp);
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
if (len > mlen)
Fix the build on 64-bit platforms.
2004-09-06 00:07:58 +00:00
log_Printf(LogWARN, "auth_ReadName: Short packet (%zu > %zu) !\n",
Be a little more verbose about dodgy looking authentication packets before dropping them in the bit-bucket.
1999-02-19 10:48:42 +00:00
len, mlen);
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
else {
bp = mbuf_Read(bp, (u_char *)authp->in.name, len);
authp->in.name[len] = '\0';
return bp;
}
}
*authp->in.name = '\0';
Cosmetic: Make struct mbuf more like kernel mbufs.
1999-12-20 20:29:47 +00:00
m_freem(bp);
Decouple pap & chap output routines from the corresponding input routines and take advantage of the new init/continue interface in libradius. This allows a timely response on other links in an MP setup while RADIUS requests are in progress as well as the ability to handle other data from the peer in parallel. It should also make the future addition of PAM support trivial. While I'm in there, validate pap & chap header IDs if ``idcheck'' is enabled (the default) for other FSM packet types. NOTE: This involved integrating the generation of chap challenges and the validation of chap responses (and commenting what's going on in those routines). I currently have no way of testing ppps ability to respond to M$Chap CHALLENGEs correctly, so if someone could do the honours, it'd be much appreciated (it *looks* ok!). Sponsored by: Internet Business Solutions Ltd., Switzerland
1999-02-06 02:54:47 +00:00
return NULL;
New user Process PPP based on iij-ppp0.94beta2. o Supporting SYNC SIO device (But need a device driver) - add "set speed sync" o Fixing bug for Predictor-1 function. o Add new parameter that re-sent interval for set timeout commands. o Improving RTT (Round Trip Time) and reducing processor time. - Previous Timer service was using polling, and now using SIGALRM ;-) - A 0.94beta2 will not work correctly.... -- Follows are additinal feature not including 0.94beta2 o Support Proxy ARP - add "enable/disable proxy" commands o Marging common routine in CHAP/PAP. o Enhancing LCP/IPCP log information. o Support local Authfication connection on port 300x and tty. - You can set up pair of your "hostname -s" and password in ppp.secret. if either ppp.secret file nor your hostname line don't exist, It will notify a message and working as same as previous version.(Backword compatibility) - If you did set up them, It's allow connection but nothing to do except help and passwd command. - add "passwd yourpasswd" commands o Support afilter - keep Alive filter that a packet can send/receiving according to ifilter/ofilter but doesn't count it as preventing idle timer expires. - Same syntax of other filters. o Fixing bugs reported by current user for previous one. Thanks !! Reviewed by: Atsushi Murai (amurai@spec.co.jp)
1995-02-26 12:18:08 +00:00
}
Reference in New Issue Copy Permalink