Reviewed by: Brian Somers <brian@freebsd.org>

pppd now creates /var/run/ttyXn.if file containing the interface name;
check that a 'login' user is not listed in /etc/ppp/ppp.disabled;
check that a 'login' user's shell is listed in /etc/ppp/ppp.shells;
make sure that passwordless 'login' logins are recorded in wtmp and
utmp.
This commit is contained in:
Daniel O'Callaghan 1997-04-15 07:00:35 +00:00
parent 4f72618556
commit 629098536b
4 changed files with 119 additions and 28 deletions


@ -33,7 +33,7 @@
*/
#ifndef lint
static char rcsid[] = "$Id: auth.c,v 1.12 1997/02/22 16:11:32 peter Exp $";
static char rcsid[] = "$Id: auth.c,v 1.13 1997/04/13 01:06:56 brian Exp $";
#endif
#include <stdio.h>
@ -469,6 +469,39 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)
}
/*
* Check if an "entry" is in the file "fname" - used by ppplogin.
* Taken from libexec/ftpd/ftpd.c
* Returns: 0 if not found, 1 if found, 2 if file can't be opened for reading.
*/
static int
checkfile(fname, name)
char *fname;
char *name;
{
FILE *fd;
int found = 0;
char *p, line[BUFSIZ];
if ((fd = fopen(fname, "r")) != NULL) {
while (fgets(line, sizeof(line), fd) != NULL)
if ((p = strchr(line, '\n')) != NULL) {
*p = '\0';
if (line[0] == '#')
continue;
if (strcmp(line, name) == 0) {
found = 1;
break;
}
}
(void) fclose(fd);
} else {
return(2);
}
return (found);
}
/*
* ppplogin - Check the user name and password against the system
* password database, and login the user if OK.
@ -477,6 +510,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen)
* UPAP_AUTHNAK: Login failed.
* UPAP_AUTHACK: Login succeeded.
* In either case, msg points to an appropriate message.
*
* UPAP_AUTHACK should only be returned *after* wtmp and utmp are updated.
*/
static int
ppplogin(user, passwd, msg, msglen)
@ -500,6 +535,24 @@ ppplogin(user, passwd, msg, msglen)
return (UPAP_AUTHNAK);
}
/*
* Check that the user is not listed in /etc/ppp/ppp.disabled
* and that the user's shell is listed in /etc/ppp/ppp.shells
* if /etc/ppp/ppp.shells exists.
*/
if (checkfile(_PATH_PPPDISABLED, user) == 1) {
syslog(LOG_WARNING, "upap user %s: account disabled in %s",
user, _PATH_PPPDISABLED);
return (UPAP_AUTHNAK);
}
if (checkfile(_PATH_PPPSHELLS, pw->pw_shell) == 0) {
syslog(LOG_WARNING, "upap user %s: shell %s not in %s",
user, pw->pw_shell, _PATH_PPPSHELLS);
return (UPAP_AUTHNAK);
}
#ifdef HAS_SHADOW
if ((spwd = getspnam(user)) == NULL) {
pw->pw_passwd = "";
@ -509,44 +562,42 @@ ppplogin(user, passwd, msg, msglen)
#endif
/*
* XXX If no passwd, let them login without one.
* If there is a password, check it.
*/
if (pw->pw_passwd == '\0') {
return (UPAP_AUTHACK);
}
if (pw->pw_passwd[0] != '\0') {
#ifdef HAS_SHADOW
if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
&& pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL))
|| !valid (passwd, pw)) {
return (UPAP_AUTHNAK);
}
if ((pw->pw_passwd && pw->pw_passwd[0] == '@'
&& pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL))
|| !valid (passwd, pw)) {
return (UPAP_AUTHNAK);
}
#else
epasswd = crypt(passwd, pw->pw_passwd);
if (strcmp(epasswd, pw->pw_passwd)) {
return (UPAP_AUTHNAK);
}
epasswd = crypt(passwd, pw->pw_passwd);
if (strcmp(epasswd, pw->pw_passwd)) {
return (UPAP_AUTHNAK);
}
#endif
if (pw->pw_expire) {
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (tp.tv_sec >= pw->pw_expire) {
syslog(LOG_INFO, "user %s account expired", user);
return (UPAP_AUTHNAK);
if (pw->pw_expire) {
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (tp.tv_sec >= pw->pw_expire) {
syslog(LOG_INFO, "pap user %s account expired", user);
return (UPAP_AUTHNAK);
}
}
}
} /* if password */
syslog(LOG_INFO, "user %s logged in", user);
/*
* Write a wtmp entry for this user.
*/
/* Log in wtmp and utmp using login() */
tty = devnam;
if (strncmp(tty, "/dev/", 5) == 0)
tty += 5;
logged_in = TRUE;
/* Log in wtmp and utmp using login() */
memset((void *)&utmp, 0, sizeof(utmp));
(void)time(&utmp.ut_time);
(void)strncpy(utmp.ut_name, user, sizeof(utmp.ut_name));
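Review bot: checkfile() only compares a line when strchr() finds a '\n' in it, so a final entry in /etc/ppp/ppp.disabled without a trailing newline (or any line longer than BUFSIZ) is never checked and that user is not disabled; the same gap on ppp.shells merely rejects a shell, but on ppp.disabled it fails open. Replacing `if ((p = strchr(line, '\n')) != NULL) {` and `*p = '\0';` with `line[strcspn(line, "\n")] = '\0';` (and dropping the enclosing block) subjects every line, including an unterminated last line, to the comparison; an overlong line is then compared chunk by chunk, which can only add matches and is the safer direction for a deny list. Both callers also treat checkfile()'s return value 2 (file present but not openable) exactly like an absent file, so a permissions mistake on ppp.disabled silently skips the check; a `syslog(LOG_WARNING, ...)` for the 2 case would make that visible. ppplogin() continues past the end of this section.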


@ -18,7 +18,7 @@
*/
#ifndef lint
static char rcsid[] = "$Id$";
static char rcsid[] = "$Id: main.c,v 1.10 1997/02/22 16:11:48 peter Exp $";
#endif
#include <stdio.h>
@ -67,6 +67,7 @@ int ifunit; /* Interface unit number */
char *progname; /* Name of this program */
char hostname[MAXNAMELEN]; /* Our hostname */
static char pidfilename[MAXPATHLEN]; /* name of pid file */
static char iffilename[MAXPATHLEN]; /* name of if file */
static char default_devnam[MAXPATHLEN]; /* name of default device */
static pid_t pid; /* Our pid */
static pid_t pgrpid; /* Process Group ID */
@ -154,10 +155,11 @@ main(argc, argv)
int argc;
char *argv[];
{
int i, nonblock;
int i, n, nonblock;
struct sigaction sa;
struct cmd *cmdp;
FILE *pidfile;
FILE *iffile;
char *p;
struct passwd *pw;
struct timeval timo;
@ -393,6 +395,21 @@ main(argc, argv)
pidfilename[0] = 0;
}
/* write interface unit number to file */
for (n = strlen(devnam); n > 0 ; n--)
if (devnam[n] == '/') {
n = n++;
break;
}
(void) sprintf(iffilename, "%s%s.if", _PATH_VARRUN, &devnam[n]);
if ((iffile = fopen(iffilename, "w")) != NULL) {
fprintf(iffile, "ppp%d\n", ifunit);
(void) fclose(iffile);
} else {
syslog(LOG_ERR, "Failed to create if file %s: %m", iffilename);
iffilename[0] = 0;
}
/*
* Set device for non-blocking reads.
*/
@ -448,6 +465,11 @@ main(argc, argv)
syslog(LOG_WARNING, "unable to delete pid file: %m");
pidfilename[0] = 0;
if (iffile)
if (unlink(iffilename) < 0 && errno != ENOENT)
syslog(LOG_WARNING, "unable to delete if file: %m");
iffilename[0] = 0;
} while (persist);
die(0);
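Review bot: `n = n++;` at the end of the loop that locates the last '/' in devnam modifies n twice without a sequence point, which is undefined behaviour, so whether n ends up on the slash or just past it depends on the compiler; it should be plain `n++;`, or the loop replaced by `if ((p = strrchr(devnam, '/')) != NULL) p++; else p = devnam;` using the existing `p`. The following `sprintf(iffilename, ...)` is unbounded; if devnam can be as long as iffilename, the _PATH_VARRUN prefix and ".if" suffix can overrun it, and `snprintf(iffilename, sizeof(iffilename), "%s%s.if", _PATH_VARRUN, &devnam[n])` avoids that. In the cleanup hunk, `if (iffile)` tests a FILE pointer that has already been fclose()d (and is uninitialized if that path runs before the file is written); testing `iffilename[0]` the way the pid-file code tests pidfilename would be both safer and consistent. main() begins and ends outside these hunks.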


@ -1,7 +1,7 @@
/*
* define path names
*
* $Id$
* $Id: pathnames.h,v 1.5 1997/02/22 16:11:52 peter Exp $
*/
#ifdef HAVE_PATHS_H
@ -20,3 +20,6 @@
#define _PATH_TTYOPT "/etc/ppp/options."
#define _PATH_CONNERRS "/etc/ppp/connect-errors"
#define _PATH_USEROPT ".ppprc"
#define _PATH_PPPDISABLED "/etc/ppp/ppp.disabled"
#define _PATH_PPPSHELLS "/etc/ppp/ppp.shells"


@ -1,5 +1,5 @@
.\" manual page [] for pppd 2.0
.\" $Id: pppd.8,v 1.9 1997/02/22 16:11:54 peter Exp $
.\" $Id: pppd.8,v 1.10 1997/04/13 01:07:00 brian Exp $
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
@ -566,6 +566,11 @@ set of IP addresses that each user can use. Typically, when using the
\fBlogin\fR option, the secret in /etc/ppp/pap-secrets would be "", to
avoid the need to have the same secret in two places.
.LP
Additional checks are performed when the \fBlogin\fR option is used.
If the file /etc/ppp/ppp.disabled exists, and the user is listed in it,
the authentication fails. If the file /etc/ppp/ppp.shells exists and
the user's normal login shell is not listed, the authentication fails.
.LP
Secrets are selected from the CHAP secrets file as follows:
.TP 2
*
@ -682,6 +687,9 @@ process. This signal acts as a toggle.
.B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others)
Process-ID for \fIpppd\fR process on ppp interface unit \fIn\fR.
.TP
.B /var/run/tty\fIXn\fB.if \fR(BSD or Linux), \fB/etc/ppp/tty\fIXn\fB.if \fR(others)
Interface for \fIpppd\fR process on serial device /dev/tty\fIXn\fR.
.TP
.B /etc/ppp/ip-up
A program or script which is executed when the link is available for
sending and receiving IP packets (that is, IPCP has come up). It is
@ -726,6 +734,13 @@ User default options, read before command-line options.
.B /etc/ppp/options.\fIttyname
System default options for the serial port being used, read after
command-line options.
.TP
.B /etc/ppp/ppp.disabled
Lists users who may not use the system password PAP authentication.
.TP
.B /etc/ppp/ppp.shells
Lists user shells which are approved for system password PAP authentication
logins.
.SH SEE ALSO
.IR chat(8),
.IR ppp(8)