Allow forcing of local_ip:remote_ip in pap-secrets
and chap-secrets files. This allows specific users to have pre-allocated IP numbers while others get assigned dynamically. Submitted by: David Nugent <davidn@unique.usn.blaze.net.au>
This commit is contained in:
parent
b2533fba6f
commit
5b8c55b34e
@ -33,7 +33,7 @@
|
||||
*/
|
||||
|
||||
#ifndef lint
|
||||
static char rcsid[] = "$Id$";
|
||||
static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $";
|
||||
#endif
|
||||
|
||||
#include <stdio.h>
|
||||
@ -91,6 +91,7 @@ struct wordlist {
|
||||
/* Records which authentication operations haven't completed yet. */
|
||||
static int auth_pending[NUM_PPP];
|
||||
static int logged_in;
|
||||
static int non_wildclient =0; /* not wild nor blank */
|
||||
static struct wordlist *addresses[NUM_PPP];
|
||||
|
||||
/* Bits in auth_pending[] */
|
||||
@ -112,6 +113,7 @@ static int have_chap_secret __P((char *, char *));
|
||||
static int scan_authfile __P((FILE *, char *, char *, char *,
|
||||
struct wordlist **, char *));
|
||||
static void free_wordlist __P((struct wordlist *));
|
||||
static void auth_set_ip_addr __P((int));
|
||||
|
||||
/*
|
||||
* An Open on LCP has requested a change from Dead to Establish phase.
|
||||
@ -254,6 +256,12 @@ auth_peer_success(unit, protocol)
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* If we have overridden addresses based on auth info
|
||||
* then set that information now before continuing
|
||||
*/
|
||||
auth_set_ip_addr(unit);
|
||||
|
||||
/*
|
||||
* If there is no more authentication still to be done,
|
||||
* proceed to the network phase.
|
||||
@ -301,6 +309,12 @@ auth_withpeer_success(unit, protocol)
|
||||
bit = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* If we have overridden addresses based on auth info
|
||||
* then set that information now before continuing
|
||||
*/
|
||||
auth_set_ip_addr(unit);
|
||||
|
||||
/*
|
||||
* If there is no more authentication still being done,
|
||||
* proceed to the network phase.
|
||||
@ -740,6 +754,27 @@ get_secret(unit, client, server, secret, secret_len, save_addrs)
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
auth_set_ip_addr(unit)
|
||||
int unit;
|
||||
{
|
||||
struct wordlist *addrs;
|
||||
|
||||
if (non_wildclient && (addrs = addresses[unit]) != NULL) {
|
||||
for (; addrs != NULL; addrs = addrs->next) {
|
||||
/*
|
||||
* Look for address overrides, and set them if we have any
|
||||
*/
|
||||
if (strchr(addrs->word, ':') != NULL) {
|
||||
if (setipaddr(addrs->word))
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* auth_ip_addr - check whether the peer is authorized to use
|
||||
* a given IP address. Returns 1 if authorized, 0 otherwise.
|
||||
@ -749,6 +784,7 @@ auth_ip_addr(unit, addr)
|
||||
int unit;
|
||||
u_int32_t addr;
|
||||
{
|
||||
int x, y;
|
||||
u_int32_t a;
|
||||
struct hostent *hp;
|
||||
struct wordlist *addrs;
|
||||
@ -757,25 +793,31 @@ auth_ip_addr(unit, addr)
|
||||
if (bad_ip_adrs(addr))
|
||||
return 0;
|
||||
|
||||
if ((addrs = addresses[unit]) == NULL)
|
||||
return 1; /* no restriction */
|
||||
|
||||
for (; addrs != NULL; addrs = addrs->next) {
|
||||
x = y = 0;
|
||||
for (addrs = addresses[unit]; addrs != NULL; addrs = addrs->next, y++) {
|
||||
/* "-" means no addresses authorized */
|
||||
if (strcmp(addrs->word, "-") == 0)
|
||||
break;
|
||||
if ((a = inet_addr(addrs->word)) == -1) {
|
||||
if ((hp = gethostbyname(addrs->word)) == NULL) {
|
||||
syslog(LOG_WARNING, "unknown host %s in auth. address list",
|
||||
addrs->word);
|
||||
continue;
|
||||
} else
|
||||
a = *(u_int32_t *)hp->h_addr;
|
||||
/*
|
||||
* A colon in the string means that we wish to force a specific
|
||||
* local:remote address, but we ignore these for now
|
||||
*/
|
||||
if (strchr(addrs->word, ':') != NULL)
|
||||
x++;
|
||||
else {
|
||||
if ((a = inet_addr(addrs->word)) == -1) {
|
||||
if ((hp = gethostbyname(addrs->word)) == NULL) {
|
||||
syslog(LOG_WARNING, "unknown host %s in auth. address list",
|
||||
addrs->word);
|
||||
continue;
|
||||
} else
|
||||
a = *(u_int32_t *)hp->h_addr;
|
||||
}
|
||||
if (addr == a)
|
||||
return 1;
|
||||
}
|
||||
if (addr == a)
|
||||
return 1;
|
||||
}
|
||||
return 0; /* not in list => can't have it */
|
||||
return x == y; /* not in list => can't have it */
|
||||
}
|
||||
|
||||
/*
|
||||
@ -943,6 +985,7 @@ scan_authfile(f, client, server, secret, addrs, filename)
|
||||
else if (addr_list != NULL)
|
||||
free_wordlist(addr_list);
|
||||
|
||||
non_wildclient = (best_flag & NONWILD_CLIENT) && *client != '\0';
|
||||
return best_flag;
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
.\" manual page [] for pppd 2.0
|
||||
.\" $Id$
|
||||
.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $
|
||||
.\" SH section heading
|
||||
.\" SS subsection heading
|
||||
.\" LP paragraph
|
||||
@ -497,8 +497,11 @@ directions if desired.
|
||||
A secrets file is parsed into words as for a options file. A secret
|
||||
is specified by a line containing at least 3 words, in the order
|
||||
client name, server name, secret. Any following words on the same line are
|
||||
taken to be a list of acceptable IP addresses for that client. If
|
||||
there are only 3 words on the line, it is assumed that any IP address
|
||||
taken to be a list of acceptable IP addresses for that client, or an
|
||||
override for "local:remote" addresses (the same format used on the
|
||||
command line or in the options file) when on a line that contains a
|
||||
specific client name (not a wildcard nor empty).
|
||||
If there are only 3 words on the line, it is assumed that any IP address
|
||||
is OK; to disallow all IP addresses, use "-". If the secret starts
|
||||
with an `@', what follows is assumed to be the name of a file from
|
||||
which to read the secret. A "*" as the client or server name matches
|
||||
|
Loading…
x
Reference in New Issue
Block a user