From 61ebd9732d40eade1a74d55302bdb02c2865cb6c Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Fri, 26 Feb 1999 10:38:52 +0000 Subject: [PATCH] minor fixes, update man page --- pppd/auth.c | 13 ++++--------- pppd/chap.c | 4 ++-- pppd/main.c | 4 ++-- pppd/pppd.8 | 49 +++++++++++++++++++++++++++++-------------------- 4 files changed, 37 insertions(+), 33 deletions(-) diff --git a/pppd/auth.c b/pppd/auth.c index 994395a..5c1fbf1 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: auth.c,v 1.40 1999/01/19 23:59:14 paulus Exp $"; +static char rcsid[] = "$Id: auth.c,v 1.41 1999/02/26 10:38:50 paulus Exp $"; #endif #include @@ -154,10 +154,7 @@ static int scan_authfile __P((FILE *, char *, char *, u_int32_t, char *, static void free_wordlist __P((struct wordlist *)); static void auth_script __P((char *)); static void set_allowed_addrs __P((int, struct wordlist *)); - -#ifdef OLD_OPTIONS static int setupapfile __P((char **)); -#endif /* * Authentication-related options. @@ -170,7 +167,7 @@ option_t auth_options[] = { { "refuse-pap", o_bool, &refuse_pap, "Don't agree to auth to peer with PAP", 1 }, { "-pap", o_bool, &refuse_pap, - "Don't allow UPAP authentication with peer", 1 }, + "Don't allow PAP authentication with peer", 1 }, { "require-chap", o_bool, &lcp_wantoptions[0].neg_chap, "Require CHAP authentication from peer", 1, &auth_required }, { "+chap", o_bool, &lcp_wantoptions[0].neg_chap, @@ -196,14 +193,11 @@ option_t auth_options[] = { "Use system password database for PAP", 1 }, { "papcrypt", o_bool, &cryptpap, "PAP passwords are encrypted", 1 }, -#if OLD_OPTIONS { "+ua", o_special, setupapfile, "Get PAP user and password from file" }, -#endif { NULL } }; -#if OLD_OPTIONS /* * setupapfile - specifies UPAP info for authenticating with peer. */ @@ -245,7 +239,6 @@ setupapfile(argv) return (1); } -#endif /* 
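Review bot: The `+ua` entry that the `@@ -196` hunk moves back into auth_options has no flags field, so it is not marked as a privileged option, although its description says it reads the PAP user and password from a file named by whoever invokes pppd. setupapfile's body is outside the hunk (only its closing `return (1); }` shows in `@@ -245`), so I can only hedge: if it opens that file with pppd's effective root privileges, an unprivileged invoker could have the contents of a file they could not otherwise read used as the credentials sent to the peer, which is exactly the class of option the pppd.8 hunks in this commit describe as privileged. Either mark the entry privileged, `{ "+ua", o_special, setupapfile, "Get PAP user and password from file", OPT_PRIV },` if that is the flag this version uses, or open the file with the invoker's real uid inside setupapfile. The `@@ -154` hunk only un-ifdefs the matching prototype and needs no separate change.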
@@ -1533,6 +1526,8 @@ scan_authfile(f, client, server, ipaddr, secret, addrs, filename) /* * Check if the given IP address is allowed by the wordlist. + * XXX accepts this entry even if it has no allowed IP addresses + * if they didn't specify a remote IP address. XXX */ if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) { free_wordlist(alist); diff --git a/pppd/chap.c b/pppd/chap.c index 06c17e8..96348e1 100644 --- a/pppd/chap.c +++ b/pppd/chap.c @@ -34,7 +34,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: chap.c,v 1.16 1998/11/07 06:59:26 paulus Exp $"; +static char rcsid[] = "$Id: chap.c,v 1.17 1999/02/26 10:38:51 paulus Exp $"; #endif /* @@ -66,7 +66,7 @@ static option_t chap_option_list[] = { "Set interval for rechallenge" }, #ifdef MSLANMAN { "ms-lanman", o_bool, &ms_lanman, - "Use LanMan psswd when using MS-CHAP", 1 }, + "Use LanMan passwd when using MS-CHAP", 1 }, #endif { NULL } }; diff --git a/pppd/main.c b/pppd/main.c index 214af77..f5614b9 100644 --- a/pppd/main.c +++ b/pppd/main.c @@ -18,7 +18,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: main.c,v 1.52 1999/01/19 23:59:39 paulus Exp $"; +static char rcsid[] = "$Id: main.c,v 1.53 1999/02/26 10:38:51 paulus Exp $"; #endif #include @@ -828,7 +828,7 @@ close_tty() restore_tty(ttyfd); if (tty_mode != (mode_t) -1) { - if (fchmod(devnam, tty_mode) != 0) { + if (fchmod(ttyfd, tty_mode) != 0) { /* XXX if devnam is a symlink, this will change the link */ chmod(devnam, tty_mode); } diff --git a/pppd/pppd.8 b/pppd/pppd.8 index 6e039f9..9cfcb63 100644 --- a/pppd/pppd.8 +++ b/pppd/pppd.8 @@ -1,5 +1,5 @@ .\" manual page [] for pppd 2.3 -.\" $Id: pppd.8,v 1.30 1998/11/07 06:59:29 paulus Exp $ +.\" $Id: pppd.8,v 1.31 1999/02/26 10:38:52 paulus Exp $ .\" SH section heading .\" SS subsection heading .\" LP paragraph 
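Review bot: The XXX comment added in scan_authfile records that an entry with no allowed addresses is accepted whenever no remote IP address was given, but leaves open whether that is a real gap or is covered by a later check. The pppd.8 hunks in this same commit present the per-entry address restriction as pppd's main control over what a peer may do, so the next reader needs to know which it is. If the list saved through set_allowed_addrs is checked again when the peer proposes an address, replace the XXX with that fact, e.g. `/* With no remote address given the entry is accepted here; the address the peer later asks for is still checked against alist via set_allowed_addrs. */`; if it is not, this is an access-control gap that should be fixed rather than annotated. scan_authfile begins and ends outside the hunk.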
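Review bot: With fchmod() now correctly applied to ttyfd, the fallback on the following line still restores the mode through the devnam path, which its own XXX comment says will follow a symlink, and its return value is ignored. A path-based chmod in a program that normally runs with root privileges is the riskier of the two calls, so it would be safer to take the fallback only when the name is not a link, `struct stat st;` / `if (lstat(devnam, &st) == 0 && !S_ISLNK(st.st_mode))` / `chmod(devnam, tty_mode);`, and to log the fchmod() failure so it is visible. That narrows rather than closes the check-then-act window, and where devnam comes from is not visible here, so treat it as a hedged suggestion. close_tty's body begins and ends outside the hunk.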
@@ -76,7 +76,10 @@ characters, use the \fIescape\fR option. .TP .B auth Require the peer to authenticate itself before allowing network -packets to be sent or received. +packets to be sent or received. If neither this option nor the +\fInoauth\fR option is specified, the default is that pppd will not +require the peer to authenticate, but will then only allow it to use +IP addresses to which the system does not already have a route. .TP .B call \fIname Read options from the file /etc/ppp/peers/\fIname\fR. This file may @@ -468,7 +471,9 @@ specified is ORed with the default netmask. The default netmask is chosen based on the negotiated remote IP address; it is the appropriate network mask for the class of the remote IP address, ORed with the netmasks for any non point-to-point network interfaces in the -system which are on the same network. +system which are on the same network. (Note: on some platforms, pppd +will always use 255.255.255.255 for the netmask, if that is the only +appropriate value for a point-to-point interface.) .TP .B noaccomp Disable Address/Control compression in both directions (send and @@ -476,7 +481,7 @@ receive). .TP .B noauth Do not require the peer to authenticate itself. This option is -privileged if the \fIauth\fR option is specified in /etc/ppp/options. +privileged. .TP .B nobsdcomp Disables BSD-Compress compression; \fBpppd\fR will not request or @@ -639,7 +644,8 @@ the `passive' option with ancient versions of pppd). .B usehostname Enforce the use of the hostname (with domain name appended, if given) as the name of the local system for authentication purposes (overrides -the \fIname\fR option). +the \fIname\fR option). This option is not normally needed since the +\fIname\fR option is privileged. .TP .B user \fIname Sets the name used for authenticating the local system to the peer to 
@@ -680,22 +686,25 @@ options within an options file. provides system administrators with sufficient access control that PPP access to a server machine can be provided to legitimate users without fear of compromising the security of the server or the network it's -on. In part this is provided by the /etc/ppp/options file, where the -administrator can place options to restrict the ways in which pppd can -be used, and in part by the PAP and CHAP secrets files, where the -administrator can restrict the set of IP addresses which individual -users may use. +on. This control is provided through restrictions on which IP +addresses the peer may use, based on its authenticated identity (if +any), and through restrictions on which options a non-privileged user +may use. Several of pppd's options are privileged, in particular +those which permit potentially insecure configurations; these options +are only accepted in files which are under the control of the system +administrator, or if pppd is being run by root. .PP -The normal way that pppd should be set up is to have the \fIauth\fR -option in the /etc/ppp/options file. (This may become the default in -later releases.) If users wish to use pppd to dial out to a peer -which will refuse to authenticate itself (such as an internet service -provider), the system administrator should create an options file -under /etc/ppp/peers containing the \fInoauth\fR option, the name of -the serial port to use, and the \fIconnect\fR option (if required), -plus any other appropriate options. In this way, pppd can be set up -to allow non-privileged users to make unauthenticated connections only -to trusted peers. +The default behaviour of pppd is to allow an unauthenticated peer +to use a given IP address if the system does not already have a +route to that IP address already. 
For example, a system with a +permanent connection to the wider internet will normally have a +default route, and thus all peers will have to authenticate themselves +in order to set up a connection. On such a system, the \fIauth\fR +option should be used in /etc/ppp/options so that pppd will ask the +peer to authenticate itself. On the other hand, a system where the +PPP link is the only connection to the internet will not normally have +a default route, so the peer will be able to use almost any IP address +without authenticating itself. .PP As indicated above, some security-sensitive options are privileged, which means that they may not be used by an ordinary non-privileged -- 2.39.2