*/
#ifndef lint
-static char rcsid[] = "$Id: auth.c,v 1.40 1999/01/19 23:59:14 paulus Exp $";
+static char rcsid[] = "$Id: auth.c,v 1.44 1999/03/08 01:47:54 paulus Exp $";
#endif
#include <stdio.h>
static void free_wordlist __P((struct wordlist *));
static void auth_script __P((char *));
static void set_allowed_addrs __P((int, struct wordlist *));
-
-#ifdef OLD_OPTIONS
static int setupapfile __P((char **));
-#endif
/*
* Authentication-related options.
{ "refuse-pap", o_bool, &refuse_pap,
"Don't agree to auth to peer with PAP", 1 },
{ "-pap", o_bool, &refuse_pap,
- "Don't allow UPAP authentication with peer", 1 },
+ "Don't allow PAP authentication with peer", 1 },
{ "require-chap", o_bool, &lcp_wantoptions[0].neg_chap,
"Require CHAP authentication from peer", 1, &auth_required },
{ "+chap", o_bool, &lcp_wantoptions[0].neg_chap,
"Use system password database for PAP", 1 },
{ "papcrypt", o_bool, &cryptpap,
"PAP passwords are encrypted", 1 },
-#if OLD_OPTIONS
{ "+ua", o_special, setupapfile,
"Get PAP user and password from file" },
-#endif
{ NULL }
};
-#if OLD_OPTIONS
/*
* setupapfile - specifies UPAP info for authenticating with peer.
*/
lcp_allowoptions[0].neg_upap = 1;
/* open user info file */
- if ((ufile = fopen(*argv, "r")) == NULL) {
+ seteuid(getuid());
+ ufile = fopen(*argv, "r");
+ seteuid(0);
+ if (ufile == NULL) {
option_error("unable to open user login data file %s", *argv);
return 0;
}
+#if 0 /* check done by setting effective UID above */
if (!readable(fileno(ufile))) {
option_error("%s: access denied", *argv);
return 0;
}
+#endif
check_access(ufile, *argv);
/* get username */
return (1);
}
-#endif
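Review bot: The two seteuid() calls around the open at `seteuid(getuid());` / `seteuid(0);` are unchecked; if the first one fails the file is opened with effective root, which is the case the removed readable() test was meant to refuse, and if the restore fails every later privileged operation in the daemon breaks silently. Suggest `if (seteuid(getuid()) == -1) { option_error("unable to drop privileges"); return 0; }` before the fopen(), and a matching check on `seteuid(0)` that reports the failure instead of continuing. Opening as the real uid is the right replacement for readable() since it removes the check-then-open window, so the `#if 0` block that follows should be deleted outright rather than kept as dead code. setupapfile's header and the rest of its body are outside the hunk.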
/*
wo->neg_upap = 0;
}
+ /*
+ * If we have a default route, require the peer to authenticate
+ * unless the noauth option was given.
+ */
+ if (!auth_required && !allow_any_ip && have_route_to(0))
+ auth_required = 1;
+
/*
* Check whether we have appropriate secrets to use
* to authenticate the peer.
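Review bot: The comment above the new `have_route_to(0)` test says the requirement is waived when "the noauth option was given", but the condition actually consults allow_any_ip; if noauth is what sets allow_any_ip, the comment should say so, otherwise the two will drift apart as options are added. Suggest `* unless the noauth option was given (i.e. allow_any_ip is set).` The enclosing function starts and ends outside the hunk.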
int unit;
u_int32_t addr;
{
+
+ if (addresses[unit] == NULL) {
+ if (auth_required)
+ return 0; /* no addresses authorized */
+ return allow_any_ip || !have_route_to(addr);
+ }
return ip_addr_check(addr, addresses[unit]);
}
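Review bot: The new early return for `addresses[unit] == NULL` runs before ip_addr_check() is called, so the `bad_ip_adrs(addr)` rejection that ip_addr_check() performs first (visible in the following hunk) no longer applies on that path; in the old layout the NULL case was reached only after that check. Unless every caller validates addr beforehand, a bad address can now be accepted through `allow_any_ip || !have_route_to(addr)`. Suggest `if (bad_ip_adrs(addr)) return 0;` as the first statement of the function body. The function's name line is outside the hunk; only its K&R parameter declarations and body are visible.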
if (bad_ip_adrs(addr))
return 0;
- if (addrs == NULL) {
- if (auth_required)
- return 0; /* no addresses authorized */
- return allow_any_ip || !have_route_to(addr);
- }
+ if (addrs == NULL)
+ return 0; /* no addresses authorized */
for (; addrs != NULL; addrs = addrs->next) {
/* "-" means no addresses authorized, "*" means any address allowed */
/*
* Check if the given IP address is allowed by the wordlist.
+ * XXX accepts this entry even if it has no allowed IP addresses
+ * if they didn't specify a remote IP address. XXX
*/
if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) {
free_wordlist(alist);