* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
-#define RCSID "$Id: auth.c,v 1.58 1999/09/11 12:08:56 paulus Exp $"
+#define RCSID "$Id: auth.c,v 1.60 1999/12/23 01:25:13 paulus Exp $"
#include <stdio.h>
#include <stddef.h>
/* Set if we got the contents of passwd[] from the pap-secrets file. */
static int passwd_from_file;
+/* Set if we require authentication only because we have a default route. */
+static bool default_auth;
+
/* Hook to enable a plugin to control the idle time limit */
int (*idle_time_hook) __P((struct ppp_idle *)) = NULL;
struct wordlist **paddrs,
struct wordlist **popts)) = NULL;
+/* Hook for a plugin to know about the PAP user logout */
+void (*pap_logout_hook) __P((void)) = NULL;
+
/* Hook for a plugin to get the PAP password for authenticating us */
int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL;
{
if (phase == PHASE_DEAD)
return;
- if (logged_in)
- plogout();
+ if (pap_logout_hook) {
+ pap_logout_hook();
+ } else {
+ if (logged_in)
+ plogout();
+ }
new_phase(PHASE_DEAD);
notice("Connection terminated.");
}
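Review bot: When a plugin sets `pap_logout_hook`, the built-in `plogout()` is skipped even if `logged_in` is set, and the hook runs on every link termination whether or not a PAP login took place. If the built-in login path can still run while a plugin is loaded (not visible in this hunk), the session's login record would never be closed, which makes accounting and audit trails unreliable. Either call the hook in addition to the existing cleanup, `if (pap_logout_hook) pap_logout_hook();` followed by the unchanged `if (logged_in) plogout();`, or state on the hook's declaration that a plugin installing it takes over all logout bookkeeping. The function's signature is outside the hunk.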
/*
* If we have a default route, require the peer to authenticate
- * unless the noauth option was given.
+ * unless the noauth option was given or the real user is root.
*/
- if (!auth_required && !allow_any_ip && have_route_to(0))
+ if (!auth_required && !allow_any_ip && have_route_to(0) && !privileged) {
auth_required = 1;
+ default_auth = 1;
+ }
/* If authentication is required, ask peer for CHAP or PAP. */
if (auth_required) {
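Review bot: The added `&& !privileged` term silently drops the default-route authentication requirement when pppd is started by root: nothing is logged, and `default_auth` stays 0, so later diagnostics cannot show why the peer was never asked to authenticate. `privileged` is defined outside the hunk; going by the comment ("the real user is root") it presumably also covers pppd launched from boot scripts or dial-in setups, so confirm that those configurations request authentication explicitly. I would extend the comment with the rationale, e.g. `/* root is assumed to have chosen to run without auth deliberately; servers accepting calls must ask for auth explicitly */`, and consider a `notice()` when the exemption is taken. The enclosing function starts and ends outside the hunk.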
}
if (auth_required && !can_auth && noauth_addrs == NULL) {
- if (explicit_remote)
+ if (default_auth) {
option_error(
-"The remote system (%s) is required to authenticate itself but I",
- remote_name);
- else
+"By default the remote system is required to authenticate itself");
option_error(
-"The remote system is required to authenticate itself but I");
-
- if (!lacks_ip)
+"(because this system has a default route to the internet)");
+ } else if (explicit_remote)
option_error(
-"couldn't find any suitable secret (password) for it to use to do so.");
+"The remote system (%s) is required to authenticate itself",
+ remote_name);
else
option_error(
-"couldn't find any secret (password) which would let it use an IP address.");
+"The remote system is required to authenticate itself");
+ option_error(
+"but I couldn't find any suitable secret (password) for it to use to do so.");
+ if (lacks_ip)
+ option_error(
+"(None of the available passwords would let it use an IP address.)");
exit(1);
}
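Review bot: In the rewritten diagnostic only the `default_auth` arm is braced; the `else if (explicit_remote)` and `else` arms are single unbraced `option_error(` calls, directly followed by an unconditional `option_error(` for the "but I couldn't find any suitable secret" line. Bracing all three arms would make it plain that this trailing line and the `lacks_ip` hint are emitted in every case, and would guard against a later edit attaching a second statement to the wrong arm. The enclosing function starts outside the hunk.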
if (ret)
set_allowed_addrs(unit, addrs, opts);
BZERO(passwd, sizeof(passwd));
+ if (addrs != 0)
+ free_wordlist(addrs);
return ret? UPAP_AUTHACK: UPAP_AUTHNAK;
}
}
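Review bot: On this plugin path `opts` is only disposed of when `ret` is non-zero, by being handed to `set_allowed_addrs()`; when the hook returns 0 the function returns without freeing it. The file-based paths later in this diff handle that case with `else if (opts != 0) free_wordlist(opts);`. If a hook can populate `opts` before rejecting the peer (the hook contract is not visible here), every failed PAP attempt leaks a wordlist, and repeated failures would accumulate. I would mirror the other paths: `if (ret) set_allowed_addrs(unit, addrs, opts); else if (opts != 0) free_wordlist(opts);`. The new lines also test `addrs != 0` here but `addrs != NULL` in the next hunk, so pick one spelling; the enclosing function starts outside the hunk.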
}
if (attempts > 3)
sleep((u_int) (attempts - 3) * 5);
- if (addrs != NULL)
- free_wordlist(addrs);
if (opts != NULL)
free_wordlist(opts);
set_allowed_addrs(unit, addrs, opts);
}
+ if (addrs != NULL)
+ free_wordlist(addrs);
BZERO(passwd, sizeof(passwd));
BZERO(secret, sizeof(secret));
if (ret)
set_allowed_addrs(unit, addrs, opts);
- else {
- free_wordlist(addrs);
+ else if (opts != 0)
free_wordlist(opts);
- }
+ if (addrs != 0)
+ free_wordlist(addrs);
fclose(f);
return ret;
char *filename;
FILE *f;
int ret;
- struct wordlist *addrs;
char secret[MAXWORDLEN];
/*
}
filename = _PATH_UPAPFILE;
- addrs = NULL;
f = fopen(filename, "r");
if (f == NULL)
return 0;
if (am_server)
set_allowed_addrs(unit, addrs, opts);
- else {
- free_wordlist(addrs);
+ else if (opts != 0)
free_wordlist(opts);
- }
+ if (addrs != 0)
+ free_wordlist(addrs);
}
len = strlen(secbuf);