Use new auth-type "deny" instead of using "chap" with no chap entries;

it's cleaner this way, and gives better feedback to the user. Sponsored by: The FreeBSD Foundation
2014-02-11 11:32:36 +00:00 · 2014-02-11 11:32:36 +00:00 · e76ce4484d
commit e76ce4484d
parent ccb1f04d95
5 changed files with 15 additions and 11 deletions
--- a/usr.sbin/ctld/ctl.conf.5
+++ b/usr.sbin/ctld/ctl.conf.5
@ -103,7 +103,7 @@ The following statements are available at the auth-group level:
 .Bl -tag -width indent
 .It Ic auth-type Ao Ar type Ac
 Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
 In most cases it is not neccessary to set the type using this clause;
 it is usually used to disable authentication for a given auth-group.
 .It Ic chap Ao Ar user Ac Aq Ar secret
@ -157,7 +157,7 @@ Another predefined auth-group, "no-authentication", may be used to permit access
 without authentication.
 .It Ic auth-type Ao Ar type Ac
 Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
 In most cases it is not neccessary to set the type using this clause;
 it is usually used to disable authentication for a given target.
 This clause is mutually exclusive with auth-group; one cannot use
--- a/usr.sbin/ctld/ctld.c
+++ b/usr.sbin/ctld/ctld.c
@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_group *ag, const char *str)

 	if (strcmp(str, "none") == 0) {
 		type = AG_TYPE_NO_AUTHENTICATION;
+	} else if (strcmp(str, "deny") == 0) {
+		type = AG_TYPE_DENY;
 	} else if (strcmp(str, "chap") == 0) {
 		type = AG_TYPE_CHAP;
 	} else if (strcmp(str, "chap-mutual") == 0) {
--- a/usr.sbin/ctld/ctld.h
+++ b/usr.sbin/ctld/ctld.h
@ -66,9 +66,10 @@ struct auth_portal {
 };

 #define	AG_TYPE_UNKNOWN			0
-#define	AG_TYPE_NO_AUTHENTICATION	1
-#define	AG_TYPE_CHAP			2
-#define	AG_TYPE_CHAP_MUTUAL		3
+#define	AG_TYPE_DENY			1
+#define	AG_TYPE_NO_AUTHENTICATION	2
+#define	AG_TYPE_CHAP			3
+#define	AG_TYPE_CHAP_MUTUAL		4

 struct auth_group {
 	TAILQ_ENTRY(auth_group)		ag_next;
--- a/usr.sbin/ctld/login.c
+++ b/usr.sbin/ctld/login.c
@ -1030,6 +1030,11 @@ login(struct connection *conn)
 		return;
 	}

+	if (ag->ag_type == AG_TYPE_DENY) {
+		login_send_error(request, 0x02, 0x01);
+		log_errx(1, "auth-group type is \"deny\"");
+	}
+
 	if (ag->ag_type == AG_TYPE_UNKNOWN) {
 		/*
 		 * This can happen with empty auth-group.
--- a/usr.sbin/ctld/parse.y
+++ b/usr.sbin/ctld/parse.y
@ -729,13 +729,9 @@ conf_new_from_file(const char *path)
 	assert(ag != NULL);
 	ag->ag_type = AG_TYPE_NO_AUTHENTICATION;

-	/*
-	 * Here, the type doesn't really matter, as the group doesn't contain
-	 * any entries and thus will always deny access.
-	 */
 	ag = auth_group_new(conf, "no-access");
 	assert(ag != NULL);
-	ag->ag_type = AG_TYPE_CHAP;
+	ag->ag_type = AG_TYPE_DENY;

 	pg = portal_group_new(conf, "default");
 	assert(pg != NULL);
@ -765,7 +761,7 @@ conf_new_from_file(const char *path)
 		    "going with defaults");
 		ag = auth_group_find(conf, "default");
 		assert(ag != NULL);
-		ag->ag_type = AG_TYPE_CHAP;
+		ag->ag_type = AG_TYPE_DENY;
 	}

 	if (conf->conf_default_pg_defined == false) {