From 77844c8786da077ce333d27f0bc596d05bb8dc2e Mon Sep 17 00:00:00 2001
From: trasz <trasz@FreeBSD.org>
Date: Fri, 13 Dec 2013 15:23:07 +0000
Subject: [PATCH] MFC r259182:

Fix handling for empty auth-groups.  Without it, ctld child process
would either exit on assertion, or, if assertions are not enabled,
fail to authenticate the target.

Sponsored by:	The FreeBSD Foundation
---
 usr.sbin/ctld/login.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/usr.sbin/ctld/login.c b/usr.sbin/ctld/login.c
index 042cf2ac80da..b528fc0feaeb 100644
--- a/usr.sbin/ctld/login.c
+++ b/usr.sbin/ctld/login.c
@@ -1007,6 +1007,14 @@ login(struct connection *conn)
 		return;
 	}
 
+	if (ag->ag_type == AG_TYPE_UNKNOWN) {
+		/*
+		 * This can happen with empty auth-group.
+		 */
+		login_send_error(request, 0x02, 0x01);
+		log_errx(1, "auth-group type not set, denying access");
+	}
+
 	log_debugx("CHAP authentication required");
 
 	auth_method = keys_find(request_keys, "AuthMethod");