Allow forcing of local_ip:remote_ip in pap-secrets

and chap-secrets files.  This lets specific users be
given pre-allocated IP addresses while the rest are
assigned dynamically.

Submitted by: David Nugent <davidn@unique.usn.blaze.net.au>
This commit is contained in:
brian 1997-04-13 01:07:00 +00:00
parent b2533fba6f
commit 5b8c55b34e
2 changed files with 64 additions and 18 deletions


@ -33,7 +33,7 @@
*/
#ifndef lint
static char rcsid[] = "$Id$";
static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $";
#endif
#include <stdio.h>
@ -91,6 +91,7 @@ struct wordlist {
/* Records which authentication operations haven't completed yet. */
static int auth_pending[NUM_PPP];
static int logged_in;
static int non_wildclient =0; /* not wild nor blank */
static struct wordlist *addresses[NUM_PPP];
/* Bits in auth_pending[] */
@ -112,6 +113,7 @@ static int have_chap_secret __P((char *, char *));
static int scan_authfile __P((FILE *, char *, char *, char *,
struct wordlist **, char *));
static void free_wordlist __P((struct wordlist *));
static void auth_set_ip_addr __P((int));
/*
* An Open on LCP has requested a change from Dead to Establish phase.
@ -254,6 +256,12 @@ auth_peer_success(unit, protocol)
return;
}
/*
* If we have overridden addresses based on auth info
* then set that information now before continuing
*/
auth_set_ip_addr(unit);
/*
* If there is no more authentication still to be done,
* proceed to the network phase.
@ -301,6 +309,12 @@ auth_withpeer_success(unit, protocol)
bit = 0;
}
/*
* If we have overridden addresses based on auth info
* then set that information now before continuing
*/
auth_set_ip_addr(unit);
/*
* If there is no more authentication still being done,
* proceed to the network phase.
@ -740,6 +754,27 @@ get_secret(unit, client, server, secret, secret_len, save_addrs)
return 1;
}
static void
auth_set_ip_addr(unit)
int unit;
{
struct wordlist *addrs;
if (non_wildclient && (addrs = addresses[unit]) != NULL) {
for (; addrs != NULL; addrs = addrs->next) {
/*
* Look for address overrides, and set them if we have any
*/
if (strchr(addrs->word, ':') != NULL) {
if (setipaddr(addrs->word))
break;
}
}
}
}
/*
* auth_ip_addr - check whether the peer is authorized to use
* a given IP address. Returns 1 if authorized, 0 otherwise.
@ -749,6 +784,7 @@ auth_ip_addr(unit, addr)
int unit;
u_int32_t addr;
{
int x, y;
u_int32_t a;
struct hostent *hp;
struct wordlist *addrs;
@ -757,25 +793,31 @@ auth_ip_addr(unit, addr)
if (bad_ip_adrs(addr))
return 0;
if ((addrs = addresses[unit]) == NULL)
return 1; /* no restriction */
for (; addrs != NULL; addrs = addrs->next) {
x = y = 0;
for (addrs = addresses[unit]; addrs != NULL; addrs = addrs->next, y++) {
/* "-" means no addresses authorized */
if (strcmp(addrs->word, "-") == 0)
break;
if ((a = inet_addr(addrs->word)) == -1) {
if ((hp = gethostbyname(addrs->word)) == NULL) {
syslog(LOG_WARNING, "unknown host %s in auth. address list",
addrs->word);
continue;
} else
a = *(u_int32_t *)hp->h_addr;
/*
* A colon in the string means that we wish to force a specific
* local:remote address, but we ignore these for now
*/
if (strchr(addrs->word, ':') != NULL)
x++;
else {
if ((a = inet_addr(addrs->word)) == -1) {
if ((hp = gethostbyname(addrs->word)) == NULL) {
syslog(LOG_WARNING, "unknown host %s in auth. address list",
addrs->word);
continue;
} else
a = *(u_int32_t *)hp->h_addr;
}
if (addr == a)
return 1;
}
if (addr == a)
return 1;
}
return 0; /* not in list => can't have it */
return x == y; /* not in list => can't have it */
}
/*
@ -943,6 +985,7 @@ scan_authfile(f, client, server, secret, addrs, filename)
else if (addr_list != NULL)
free_wordlist(addr_list);
non_wildclient = (best_flag & NONWILD_CLIENT) && *client != '\0';
return best_flag;
}
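Review bot: The rewritten auth_ip_addr() loses the documented meaning of "-" — the `break` on the "-" word now falls through to `return x == y;`, so a list consisting of "-" alone (x == y == 0), or of override entries followed by "-" (x == y), authorizes every address instead of none, whereas the old code returned 0 after the break; the fix is to make that line `return 0;` rather than `break`. The pppd.8 hunk still states that "-" disallows all IP addresses, so the manual and the code now disagree. Two further points worth a look: when a client's list holds only "local:remote" overrides the function accepts whatever address the peer asks for (x == y) rather than only the forced remote half, and whether IPCP then rejects a mismatching request is not visible here and should be confirmed; and non_wildclient is a single file-level flag that scan_authfile() rewrites on every call, including scans that store nothing into addresses[], while addresses[] is per unit — a later scan for another client or purpose can flip the flag under a stored list, so it should probably be per unit and set only alongside the saved address list.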


@ -1,5 +1,5 @@
.\" manual page [] for pppd 2.0
.\" $Id$
.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
@ -497,8 +497,11 @@ directions if desired.
A secrets file is parsed into words as for a options file. A secret
is specified by a line containing at least 3 words, in the order
client name, server name, secret. Any following words on the same line are
taken to be a list of acceptable IP addresses for that client. If
there are only 3 words on the line, it is assumed that any IP address
taken to be a list of acceptable IP addresses for that client, or an
override for "local:remote" addresses (the same format used on the
command line or in the options file) when on a line that contains a
specific client name (not a wildcard nor empty).
If there are only 3 words on the line, it is assumed that any IP address
is OK; to disallow all IP addresses, use "-". If the secret starts
with an `@', what follows is assumed to be the name of a file from
which to read the secret. A "*" as the client or server name matches