X-Git-Url: http://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fauth.c;h=1cbc14973acad1d0ef4a54ad7843f3275a78f924;hp=61a1b72d4723fb5e2e45b3c7226fa4c08f8bcdc6;hb=6041de91d21e0c9fe92bcec7b8a9231ed98145c3;hpb=6a34bc9a3edf435bc67e81755b65acb6786c98b3 diff --git a/pppd/auth.c b/pppd/auth.c index 61a1b72..1cbc149 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: auth.c,v 1.11 1994/10/22 11:54:04 paulus Exp $"; +static char rcsid[] = "$Id: auth.c,v 1.20 1995/12/18 03:43:04 paulus Exp $"; #endif #include @@ -44,21 +44,27 @@ static char rcsid[] = "$Id: auth.c,v 1.11 1994/10/22 11:54:04 paulus Exp $"; #include #include #include +#include #include #include #include +#ifdef HAS_SHADOW +#include +#include +#ifndef PW_PPP +#define PW_PPP PW_LOGIN +#endif +#endif + #include "pppd.h" #include "fsm.h" #include "lcp.h" #include "upap.h" -#include "chap.h" -#include "ipcp.h" -#include "ccp.h" #include "pathnames.h" -#ifdef sparc +#if defined(sun) && defined(sparc) #include #endif /*sparc*/ @@ -78,9 +84,9 @@ struct wordlist { #define TRUE 1 /* Records which authentication operations haven't completed yet. */ -static int auth_pending[N_PPP]; +static int auth_pending[NUM_PPP]; static int logged_in; -static struct wordlist *addresses[N_PPP]; +static struct wordlist *addresses[NUM_PPP]; /* Bits in auth_pending[] */ #define UPAP_WITHPEER 1 @@ -88,8 +94,7 @@ static struct wordlist *addresses[N_PPP]; #define CHAP_WITHPEER 4 #define CHAP_PEER 8 -/* Prototypes */ -void check_access __P((FILE *, char *)); +/* Prototypes for procedures local to this file. */ static void network_phase __P((int)); static int login __P((char *, char *, char **, int *)); @@ -137,8 +142,15 @@ void link_down(unit) int unit; { - ipcp_close(0); - ccp_close(0); + int i; + struct protent *protp; + + for (i = 0; (protp = protocols[i]) != NULL; ++i) { + if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) + (*protp->lowerdown)(unit); + if (protp->protocol < 0xC000 && protp->close != NULL) + (*protp->close)(unit); + } phase = PHASE_TERMINATE; } @@ -154,6 +166,15 @@ link_established(unit) lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; + int i; + struct protent *protp; + + /* + * Tell higher-level protocols that LCP is up. + */ + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol != PPP_LCP && protp->lowerup != NULL) + (*protp->lowerup)(unit); if (auth_required && !(go->neg_chap || go->neg_upap)) { /* @@ -161,9 +182,9 @@ link_established(unit) * treat it as though it authenticated with PAP using a username * of "" and a password of "". If that's not OK, boot it out. */ - if (wo->neg_upap && !null_login(unit)) { + if (!wo->neg_upap || !null_login(unit)) { syslog(LOG_WARNING, "peer refused to authenticate"); - lcp_close(unit); + lcp_close(unit, "peer refused to authenticate"); phase = PHASE_TERMINATE; return; } @@ -198,9 +219,13 @@ static void network_phase(unit) int unit; { + int i; + struct protent *protp; + phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol < 0xC000 && protp->open != NULL) + (*protp->open)(unit); } /* @@ -213,7 +238,7 @@ auth_peer_fail(unit, protocol) /* * Authentication failure: take the link down */ - lcp_close(unit); + lcp_close(unit, "Authentication failed"); phase = PHASE_TERMINATE; } @@ -243,11 +268,8 @@ auth_peer_success(unit, protocol) * If there is no more authentication still to be done, * proceed to the network phase. */ - if ((auth_pending[unit] &= ~bit) == 0) { - phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); - } + if ((auth_pending[unit] &= ~bit) == 0) + network_phase(unit); } /* @@ -384,16 +406,16 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) f = fopen(filename, "r"); if (f == NULL) { if (!uselogin) { - syslog(LOG_ERR, "Can't open upap password file %s: %m", filename); + syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename); ret = UPAP_AUTHNAK; } } else { check_access(f, filename); if (scan_authfile(f, user, our_name, secret, &addrs, filename) < 0 - || (secret[0] != 0 && strcmp(passwd, secret) != 0 + || (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0) && strcmp(crypt(passwd, secret), secret) != 0)) { - syslog(LOG_WARNING, "upap authentication failure for %s", user); + syslog(LOG_WARNING, "PAP authentication failure for %s", user); ret = UPAP_AUTHNAK; } fclose(f); @@ -402,7 +424,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) if (uselogin && ret == UPAP_AUTHACK) { ret = login(user, passwd, msg, msglen); if (ret == UPAP_AUTHNAK) { - syslog(LOG_WARNING, "upap login failure for %s", user); + syslog(LOG_WARNING, "PAP login failure for %s", user); } } @@ -457,10 +479,23 @@ login(user, passwd, msg, msglen) char *epasswd; char *tty; +#ifdef HAS_SHADOW + struct spwd *spwd; + struct spwd *getspnam(); +#endif + if ((pw = getpwnam(user)) == NULL) { return (UPAP_AUTHNAK); } +#ifdef HAS_SHADOW + if ((spwd = getspnam(user)) == NULL) { + pw->pw_passwd = ""; + } else { + pw->pw_passwd = spwd->sp_pwdp; + } +#endif + /* * XXX If no passwd, let them login without one. */ @@ -468,21 +503,27 @@ login(user, passwd, msg, msglen) return (UPAP_AUTHACK); } +#ifdef HAS_SHADOW + if ((pw->pw_passwd && pw->pw_passwd[0] == '@' + && pw_auth (pw->pw_passwd+1, pw->pw_name, PW_PPP, NULL)) + || !valid (passwd, pw)) { + return (UPAP_AUTHNAK); + } +#else epasswd = crypt(passwd, pw->pw_passwd); if (strcmp(epasswd, pw->pw_passwd)) { return (UPAP_AUTHNAK); } +#endif syslog(LOG_INFO, "user %s logged in", user); /* * Write a wtmp entry for this user. */ - tty = strrchr(devnam, '/'); - if (tty == NULL) - tty = devnam; - else - tty++; + tty = devnam; + if (strncmp(tty, "/dev/", 5) == 0) + tty += 5; logwtmp(tty, user, ""); /* Add wtmp login entry */ logged_in = TRUE; @@ -497,11 +538,9 @@ logout() { char *tty; - tty = strrchr(devnam, '/'); - if (tty == NULL) - tty = devnam; - else - tty++; + tty = devnam; + if (strncmp(tty, "/dev/", 5) == 0) + tty += 5; logwtmp(tty, "", ""); /* Wipe out wtmp logout entry */ logged_in = FALSE; } @@ -695,8 +734,11 @@ auth_ip_addr(unit, addr) int unit; u_int32_t addr; { - u_int32_t a; + u_int32_t a, mask; + int accept; + char *ptr_word, *ptr_mask; struct hostent *hp; + struct netent *np; struct wordlist *addrs; /* don't allow loopback or multicast address */ @@ -708,18 +750,54 @@ auth_ip_addr(unit, addr) for (; addrs != NULL; addrs = addrs->next) { /* "-" means no addresses authorized */ - if (strcmp(addrs->word, "-") == 0) + ptr_word = addrs->word; + if (strcmp(ptr_word, "-") == 0) break; - if ((a = inet_addr(addrs->word)) == -1) { - if ((hp = gethostbyname(addrs->word)) == NULL) { - syslog(LOG_WARNING, "unknown host %s in auth. address list", - addrs->word); + + accept = 1; + if (*ptr_word == '!') { + accept = 0; + ++ptr_word; + } + + mask = ~ (u_int32_t) 0; + ptr_mask = strchr (ptr_word, '/'); + if (ptr_mask != NULL) { + int bit_count; + + bit_count = (int) strtol (ptr_mask+1, (char **) 0, 10); + if (bit_count <= 0 || bit_count > 32) { + syslog (LOG_WARNING, + "invalid address length %s in auth. address list", + ptr_mask); continue; - } else - a = *(u_int32_t *)hp->h_addr; + } + *ptr_mask = '\0'; + mask <<= 32 - bit_count; } - if (addr == a) - return 1; + + hp = gethostbyname(ptr_word); + if (hp != NULL && hp->h_addrtype == AF_INET) { + a = *(u_int32_t *)hp->h_addr; + mask = ~ (u_int32_t) 0; /* are we sure we want this? */ + } else { + np = getnetbyname (ptr_word); + if (np != NULL && np->n_addrtype == AF_INET) + a = htonl (*(u_int32_t *)np->n_net); + else + a = inet_addr (ptr_word); + } + + if (ptr_mask != NULL) + *ptr_mask = '/'; + + if (a == -1L) + syslog (LOG_WARNING, + "unknown host %s in auth. address list", + addrs->word); + else + if (((addr ^ a) & mask) == 0) + return accept; } return 0; /* not in list => can't have it */ }