From e76ce4484dcc72dca65172fa46f8b83a9f773fe6 Mon Sep 17 00:00:00 2001 From: Edward Tomasz Napierala Date: Tue, 11 Feb 2014 11:32:36 +0000 Subject: [PATCH] Use new auth-type "deny" instead of using "chap" with no chap entries; it's cleaner this way, and gives better feedback to the user. Sponsored by: The FreeBSD Foundation --- usr.sbin/ctld/ctl.conf.5 | 4 ++-- usr.sbin/ctld/ctld.c | 2 ++ usr.sbin/ctld/ctld.h | 7 ++++--- usr.sbin/ctld/login.c | 5 +++++ usr.sbin/ctld/parse.y | 8 ++------ 5 files changed, 15 insertions(+), 11 deletions(-) diff --git a/usr.sbin/ctld/ctl.conf.5 b/usr.sbin/ctld/ctl.conf.5 index d44caa808036..87e35929971c 100644 --- a/usr.sbin/ctld/ctl.conf.5 +++ b/usr.sbin/ctld/ctl.conf.5 @@ -103,7 +103,7 @@ The following statements are available at the auth-group level: .Bl -tag -width indent .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given auth-group. .It Ic chap Ao Ar user Ac Aq Ar secret @@ -157,7 +157,7 @@ Another predefined auth-group, "no-authentication", may be used to permit access without authentication. .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given target. This clause is mutually exclusive with auth-group; one cannot use diff --git a/usr.sbin/ctld/ctld.c b/usr.sbin/ctld/ctld.c index a4574820b8d8..c5f5771d51bf 100644 --- a/usr.sbin/ctld/ctld.c +++ b/usr.sbin/ctld/ctld.c @@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_group *ag, const char *str) if (strcmp(str, "none") == 0) { type = AG_TYPE_NO_AUTHENTICATION; + } else if (strcmp(str, "deny") == 0) { + type = AG_TYPE_DENY; } else if (strcmp(str, "chap") == 0) { type = AG_TYPE_CHAP; } else if (strcmp(str, "chap-mutual") == 0) { diff --git a/usr.sbin/ctld/ctld.h b/usr.sbin/ctld/ctld.h index 0982ef129619..ce161b6dc05d 100644 --- a/usr.sbin/ctld/ctld.h +++ b/usr.sbin/ctld/ctld.h @@ -66,9 +66,10 @@ struct auth_portal { }; #define AG_TYPE_UNKNOWN 0 -#define AG_TYPE_NO_AUTHENTICATION 1 -#define AG_TYPE_CHAP 2 -#define AG_TYPE_CHAP_MUTUAL 3 +#define AG_TYPE_DENY 1 +#define AG_TYPE_NO_AUTHENTICATION 2 +#define AG_TYPE_CHAP 3 +#define AG_TYPE_CHAP_MUTUAL 4 struct auth_group { TAILQ_ENTRY(auth_group) ag_next; diff --git a/usr.sbin/ctld/login.c b/usr.sbin/ctld/login.c index 9dea58ef54ff..ceabd927f742 100644 --- a/usr.sbin/ctld/login.c +++ b/usr.sbin/ctld/login.c @@ -1030,6 +1030,11 @@ login(struct connection *conn) return; } + if (ag->ag_type == AG_TYPE_DENY) { + login_send_error(request, 0x02, 0x01); + log_errx(1, "auth-group type is \"deny\""); + } + if (ag->ag_type == AG_TYPE_UNKNOWN) { /* * This can happen with empty auth-group. diff --git a/usr.sbin/ctld/parse.y b/usr.sbin/ctld/parse.y index 30f7c9fd0389..463479bdc9d7 100644 --- a/usr.sbin/ctld/parse.y +++ b/usr.sbin/ctld/parse.y @@ -729,13 +729,9 @@ conf_new_from_file(const char *path) assert(ag != NULL); ag->ag_type = AG_TYPE_NO_AUTHENTICATION; - /* - * Here, the type doesn't really matter, as the group doesn't contain - * any entries and thus will always deny access. - */ ag = auth_group_new(conf, "no-access"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; pg = portal_group_new(conf, "default"); assert(pg != NULL); @@ -765,7 +761,7 @@ conf_new_from_file(const char *path) "going with defaults"); ag = auth_group_find(conf, "default"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; } if (conf->conf_default_pg_defined == false) {