MFC r261760:

Add a new auth-group "default", defaulting to deny, and make it possible
to redefine it.  From now on, assigning auth-group to a target is no longer
mandatory.

Sponsored by:	The FreeBSD Foundation

usr.sbin/ctld/ctld.c

@@ -1105,10 +1105,9 @@ conf_verify(struct conf *conf)
 
 	TAILQ_FOREACH(targ, &conf->conf_targets, t_next) {
 		if (targ->t_auth_group == NULL) {
-			log_warnx("missing authentication for target \"%s\"; "
+			targ->t_auth_group = auth_group_find(conf,
-			    "must specify either \"auth-group\", \"chap\", "
+			    "default");
-			    "or \"chap-mutual\"", targ->t_name);
+			assert(targ->t_auth_group != NULL);
-			return (1);
 		}
 		if (targ->t_portal_group == NULL) {
 			targ->t_portal_group = portal_group_find(conf,

usr.sbin/ctld/parse.y

@@ -132,7 +132,17 @@ auth_group:	AUTH_GROUP auth_group_name
 
 auth_group_name:	STR
 	{
-		auth_group = auth_group_new(conf, $1);
+		/*
+		 * Make it possible to redefine default
+		 * auth-group. but only once.
+		 */
+		if (strcmp($1, "default") == 0 &&
+		    conf->conf_default_ag_defined == false) {
+			auth_group = auth_group_find(conf, $1);
+			conf->conf_default_ag_defined = true;
+		} else {
+			auth_group = auth_group_new(conf, $1);
+		}
 		free($1);
 		if (auth_group == NULL)
 			return (1);
@@ -712,6 +722,9 @@ conf_new_from_file(const char *path)
 
 	conf = conf_new();
 
+	ag = auth_group_new(conf, "default");
+	assert(ag != NULL);
+
 	ag = auth_group_new(conf, "no-authentication");
 	assert(ag != NULL);
 	ag->ag_type = AG_TYPE_NO_AUTHENTICATION;
@@ -747,6 +760,14 @@ conf_new_from_file(const char *path)
 		return (NULL);
 	}
 
+	if (conf->conf_default_ag_defined == false) {
+		log_debugx("auth-group \"default\" not defined; "
+		    "going with defaults");
+		ag = auth_group_find(conf, "default");
+		assert(ag != NULL);
+		ag->ag_type = AG_TYPE_CHAP;
+	}
+
 	if (conf->conf_default_pg_defined == false) {
 		log_debugx("portal-group \"default\" not defined; "
 		    "going with defaults");