summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
29d737a)
In practice, the admin can configure allow-number settings, and getty
or other programs can call ppp with the remotenumber option. remotenumber
is also available to plugins; for example the radius plugin will pass this
on as the Calling-Station-Id attribute and the radius server can make an
authentication decision based on that.
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
-#define RCSID "$Id: auth.c,v 1.84 2002/09/24 11:35:22 fcusack Exp $"
+#define RCSID "$Id: auth.c,v 1.85 2002/10/10 05:47:34 fcusack Exp $"
#include <stdio.h>
#include <stddef.h>
#include <stdio.h>
#include <stddef.h>
without authenticating itself. */
static struct wordlist *noauth_addrs;
without authenticating itself. */
static struct wordlist *noauth_addrs;
+/* Remote telephone number, if available */
+char remote_number[MAXNAMELEN];
+
+/* Wordlist giving remote telephone numbers which may connect. */
+static struct wordlist *permitted_numbers;
+
/* Extra options to apply, from the secrets file entry for the peer. */
static struct wordlist *extra_options;
/* Extra options to apply, from the secrets file entry for the peer. */
static struct wordlist *extra_options;
static int setupapfile __P((char **));
static int privgroup __P((char **));
static int set_noauth_addr __P((char **));
static int setupapfile __P((char **));
static int privgroup __P((char **));
static int set_noauth_addr __P((char **));
+static int set_permitted_number __P((char **));
static void check_access __P((FILE *, char *));
static int wordlist_count __P((struct wordlist *));
static void check_access __P((FILE *, char *));
static int wordlist_count __P((struct wordlist *));
"Set IP address(es) which can be used without authentication",
OPT_PRIV | OPT_A2LIST },
"Set IP address(es) which can be used without authentication",
OPT_PRIV | OPT_A2LIST },
+ { "remotenumber", o_string, remote_number,
+ "Set remote telephone number for authentication", OPT_PRIO | OPT_STATIC,
+ NULL, MAXNAMELEN },
+
+ { "allow-number", o_special, (void *)set_permitted_number,
+ "Set telephone number(s) which are allowed to connect",
+ OPT_PRIV | OPT_A2LIST },
+
+/*
+ * set_permitted_number - set remote telephone number(s) that may connect.
+ */
+static int
+set_permitted_number(argv)
+ char **argv;
+{
+ char *number = *argv;
+ int l = strlen(number) + 1;
+ struct wordlist *wp;
+
+ wp = (struct wordlist *) malloc(sizeof(struct wordlist) + l);
+ if (wp == NULL)
+ novm("allow-number argument");
+ wp->word = (char *) (wp + 1);
+ wp->next = permitted_numbers;
+ BCOPY(number, wp->word, l);
+ permitted_numbers = wp;
+ return 1;
+}
+
+
/*
* An Open on LCP has requested a change from Dead to Establish phase.
* Do what's necessary to bring the physical layer up.
/*
* An Open on LCP has requested a change from Dead to Establish phase.
* Do what's necessary to bring the physical layer up.
+/*
+ * auth_number - check whether the remote number is allowed to connect.
+ * Returns 1 if authorized, 0 otherwise.
+ */
+int
+auth_number()
+{
+ struct wordlist *wp = permitted_numbers;
+ int l;
+
+ /* Allow all if no authorization list. */
+ if (!wp)
+ return 1;
+
+ /* Allow if we have a match in the authorization list. */
+ while (wp) {
+ /* trailing '*' wildcard */
+ l = strlen(wp->word);
+ if ((wp->word)[l - 1] == '*')
+ l--;
+ if (!strncasecmp(wp->word, remote_number, l))
+ return 1;
+ }
+ wp = wp->next;
+ }
+
+ return 0;
+}
+
/*
* check_access - complain if a secret file has too-liberal permissions.
*/
/*
* check_access - complain if a secret file has too-liberal permissions.
*/
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
-#define RCSID "$Id: main.c,v 1.113 2002/05/21 17:26:49 dfs Exp $"
+#define RCSID "$Id: main.c,v 1.114 2002/10/10 05:47:34 fcusack Exp $"
#include <stdio.h>
#include <ctype.h>
#include <stdio.h>
#include <ctype.h>
static char pidfilename[MAXPATHLEN]; /* name of pid file */
static char linkpidfile[MAXPATHLEN]; /* name of linkname pid file */
char ppp_devnam[MAXPATHLEN]; /* name of PPP tty (maybe ttypx) */
static char pidfilename[MAXPATHLEN]; /* name of pid file */
static char linkpidfile[MAXPATHLEN]; /* name of linkname pid file */
char ppp_devnam[MAXPATHLEN]; /* name of PPP tty (maybe ttypx) */
-char remote_number[MAXNAMELEN]; /* Remote telephone number, if available */
uid_t uid; /* Our real user-id */
struct notifier *pidchange = NULL;
struct notifier *phasechange = NULL;
uid_t uid; /* Our real user-id */
struct notifier *pidchange = NULL;
struct notifier *phasechange = NULL;
init_pr_log(NULL, LOG_INFO);
print_options(pr_log, NULL);
end_pr_log();
init_pr_log(NULL, LOG_INFO);
print_options(pr_log, NULL);
end_pr_log();
+ /*
+ * Early check for remote number authorization.
+ */
+ if (!auth_number()) {
+ error("remote number %s is not authorized", remote_number);
+ exit(EXIT_CNID_AUTH_FAILED);
+ }
+
+ if (dryrun)
+ die(0);
+
/*
* Initialize system-dependent stuff.
*/
/*
* Initialize system-dependent stuff.
*/
.\" manual page [] for pppd 2.4
.\" manual page [] for pppd 2.4
-.\" $Id: pppd.8,v 1.65 2002/09/20 06:53:19 fcusack Exp $
+.\" $Id: pppd.8,v 1.66 2002/10/10 05:47:34 fcusack Exp $
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
element of the list of allowed IP addresses in the secrets files (see
the AUTHENTICATION section below).
.TP
element of the list of allowed IP addresses in the secrets files (see
the AUTHENTICATION section below).
.TP
+.B allow-number \fInumber
+Allow peers to connect from the given telephone number. A trailing
+`*' character will match all numbers beginning with the leading part.
+.TP
.B bsdcomp \fInr,nt
Request that the peer compress packets that it sends, using the
BSD-Compress scheme, with a maximum code size of \fInr\fR bits, and
.B bsdcomp \fInr,nt
Request that the peer compress packets that it sends, using the
BSD-Compress scheme, with a maximum code size of \fInr\fR bits, and
Set the assumed name of the remote system for authentication purposes
to \fIname\fR.
.TP
Set the assumed name of the remote system for authentication purposes
to \fIname\fR.
.TP
+.B remotenumber \fInumber
+Set the assumed telephone number of the remote system for authentication
+purposes to \fInumber\fR.
+.TP
.B refuse-chap
With this option, pppd will not agree to authenticate itself to the
peer using CHAP.
.B refuse-chap
With this option, pppd will not agree to authenticate itself to the
peer using CHAP.
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * $Id: pppd.h,v 1.74 2002/09/24 11:35:22 fcusack Exp $
+ * $Id: pppd.h,v 1.75 2002/10/10 05:47:34 fcusack Exp $
/* get "secret" for chap */
int auth_ip_addr __P((int, u_int32_t));
/* check if IP address is authorized */
/* get "secret" for chap */
int auth_ip_addr __P((int, u_int32_t));
/* check if IP address is authorized */
+int auth_number __P((void)); /* check if remote number is authorized */
int bad_ip_adrs __P((u_int32_t));
/* check if IP address is unreasonable */
int bad_ip_adrs __P((u_int32_t));
/* check if IP address is unreasonable */
#ifdef MAXOCTETS
#define EXIT_TRAFFIC_LIMIT 20
#endif
#ifdef MAXOCTETS
#define EXIT_TRAFFIC_LIMIT 20
#endif
+#define EXIT_CNID_AUTH_FAILED 21
/*
* Debug macros. Slightly useful for finding bugs in pppd, not particularly
/*
* Debug macros. Slightly useful for finding bugs in pppd, not particularly
projects / ppp.git / commitdiff