* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
-#define RCSID "$Id: auth.c,v 1.84 2002/09/24 11:35:22 fcusack Exp $"
+#define RCSID "$Id: auth.c,v 1.85 2002/10/10 05:47:34 fcusack Exp $"
#include <stdio.h>
#include <stddef.h>
without authenticating itself. */
static struct wordlist *noauth_addrs;
+/* Remote telephone number, if available */
+char remote_number[MAXNAMELEN];
+
+/* Wordlist giving remote telephone numbers which may connect. */
+static struct wordlist *permitted_numbers;
+
/* Extra options to apply, from the secrets file entry for the peer. */
static struct wordlist *extra_options;
static int setupapfile __P((char **));
static int privgroup __P((char **));
static int set_noauth_addr __P((char **));
+static int set_permitted_number __P((char **));
static void check_access __P((FILE *, char *));
static int wordlist_count __P((struct wordlist *));
"Set IP address(es) which can be used without authentication",
OPT_PRIV | OPT_A2LIST },
+ { "remotenumber", o_string, remote_number,
+ "Set remote telephone number for authentication", OPT_PRIO | OPT_STATIC,
+ NULL, MAXNAMELEN },
+
+ { "allow-number", o_special, (void *)set_permitted_number,
+ "Set telephone number(s) which are allowed to connect",
+ OPT_PRIV | OPT_A2LIST },
+
{ NULL }
};
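Review bot: `remotenumber` is registered with `OPT_PRIO | OPT_STATIC` but without `OPT_PRIV`, whereas `allow-number` is `OPT_PRIV`; if pppd can be started by an unprivileged user, that user can supply `remotenumber` on the command line with any value from the allow list, so the `allow-number` check only constrains callers whose number comes from a trusted program. That is probably the intended model (the number is normally reported by whatever answered the call), but it is a trust boundary the reader cannot see from the table, so it should be stated, e.g. above the entry: `/* Not OPT_PRIV: allow-number relies on the program supplying remotenumber being trusted. */`. Whether unprivileged invocation is possible at all is not visible in this hunk.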
}
+/*
+ * set_permitted_number - set remote telephone number(s) that may connect.
+ */
+static int
+set_permitted_number(argv)
+ char **argv;
+{
+ char *number = *argv;
+ int l = strlen(number) + 1;
+ struct wordlist *wp;
+
+ wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l);
+ if (wp == NULL)
+ novm("allow-number argument");
+ wp->word = (char *) (wp + 1);
+ wp->next = permitted_numbers;
+ BCOPY(number, wp->word, l);
+ permitted_numbers = wp;
+ return 1;
+}
+
+
/*
* An Open on LCP has requested a change from Dead to Establish phase.
* Do what's necessary to bring the physical layer up.
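Review bot: set_permitted_number accepts an empty argument (`allow-number ""`), yet the consumer of `permitted_numbers` elsewhere in this commit locates the wildcard with `word[strlen(word) - 1]`, which for an empty word reads the byte before the allocation. Reject it at parse time: `if (*number == '\0') { option_error("allow-number: empty number"); return 0; }`, assuming the `option_error` helper used by other `o_special` handlers is in scope; otherwise fail with whatever error path those handlers use. `wp` is dereferenced straight after `novm()`, which only works if `novm` never returns, as it presumably does elsewhere in pppd; a comment such as `/* novm() does not return */` would make that dependency explicit.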
return 0;
}
+/*
+ * auth_number - check whether the remote number is allowed to connect.
+ * Returns 1 if authorized, 0 otherwise.
+ */
+int
+auth_number()
+{
+ struct wordlist *wp = permitted_numbers;
+ int l;
+
+ /* Allow all if no authorization list. */
+ if (!wp)
+ return 1;
+
+ /* Allow if we have a match in the authorization list. */
+ while (wp) {
+ /* trailing '*' wildcard */
+ l = strlen(wp->word);
+ if ((wp->word)[l - 1] == '*')
+ l--;
+ if (!strncasecmp(wp->word, remote_number, l))
+ return 1;
+ }
+ wp = wp->next;
+ }
+
+ return 0;
+}
+
/*
* check_access - complain if a secret file has too-liberal permissions.
*/
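Review bot: Entries without a trailing `*` are still compared with `strncasecmp(wp->word, remote_number, l)` where `l` is the entry's full length, so `allow-number 5551234` also admits a caller reporting `55512345678`; every entry is effectively a prefix match, which contradicts the man page's description of `*` as the only wildcard. An empty entry additionally makes `(wp->word)[l - 1]` read before the buffer. Use an exact case-insensitive comparison when there is no wildcard and guard the length, as below. As rendered here the `}` after `return 1;` closes the `while` before `wp = wp->next;`, which would not compile and is probably a rendering artefact, but it is worth confirming the loop advance is inside the loop. The function also allows everything when no list is configured; that fail-open default should be stated in the function comment and the man page.
```c
    while (wp) {
        l = strlen(wp->word);
        /* trailing '*' wildcard: match on the leading part only;
         * otherwise require an exact (case-insensitive) match */
        if (l > 0 && wp->word[l - 1] == '*') {
            if (strncasecmp(wp->word, remote_number, l - 1) == 0)
                return 1;
        } else if (strcasecmp(wp->word, remote_number) == 0) {
            return 1;
        }
        wp = wp->next;
    }
```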
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
-#define RCSID "$Id: main.c,v 1.113 2002/05/21 17:26:49 dfs Exp $"
+#define RCSID "$Id: main.c,v 1.114 2002/10/10 05:47:34 fcusack Exp $"
#include <stdio.h>
#include <ctype.h>
static char pidfilename[MAXPATHLEN]; /* name of pid file */
static char linkpidfile[MAXPATHLEN]; /* name of linkname pid file */
char ppp_devnam[MAXPATHLEN]; /* name of PPP tty (maybe ttypx) */
-char remote_number[MAXNAMELEN]; /* Remote telephone number, if available */
uid_t uid; /* Our real user-id */
struct notifier *pidchange = NULL;
struct notifier *phasechange = NULL;
init_pr_log(NULL, LOG_INFO);
print_options(pr_log, NULL);
end_pr_log();
- if (dryrun)
- die(0);
}
+ /*
+ * Early check for remote number authorization.
+ */
+ if (!auth_number()) {
+ error("remote number %s is not authorized", remote_number);
+ exit(EXIT_CNID_AUTH_FAILED);
+ }
+
+ if (dryrun)
+ die(0);
+
/*
* Initialize system-dependent stuff.
*/
.\" manual page [] for pppd 2.4
-.\" $Id: pppd.8,v 1.65 2002/09/20 06:53:19 fcusack Exp $
+.\" $Id: pppd.8,v 1.66 2002/10/10 05:47:34 fcusack Exp $
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
element of the list of allowed IP addresses in the secrets files (see
the AUTHENTICATION section below).
.TP
+.B allow-number \fInumber
+Allow peers to connect from the given telephone number. A trailing
+`*' character will match all numbers beginning with the leading part.
+.TP
.B bsdcomp \fInr,nt
Request that the peer compress packets that it sends, using the
BSD-Compress scheme, with a maximum code size of \fInr\fR bits, and
Set the assumed name of the remote system for authentication purposes
to \fIname\fR.
.TP
+.B remotenumber \fInumber
+Set the assumed telephone number of the remote system for authentication
+purposes to \fInumber\fR.
+.TP
.B refuse-chap
With this option, pppd will not agree to authenticate itself to the
peer using CHAP.
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: pppd.h,v 1.74 2002/09/24 11:35:22 fcusack Exp $
+ * $Id: pppd.h,v 1.75 2002/10/10 05:47:34 fcusack Exp $
*/
/*
/* get "secret" for chap */
int auth_ip_addr __P((int, u_int32_t));
/* check if IP address is authorized */
+int auth_number __P((void)); /* check if remote number is authorized */
int bad_ip_adrs __P((u_int32_t));
/* check if IP address is unreasonable */
#ifdef MAXOCTETS
#define EXIT_TRAFFIC_LIMIT 20
#endif
+#define EXIT_CNID_AUTH_FAILED 21
/*
* Debug macros. Slightly useful for finding bugs in pppd, not particularly