X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fauth.c;h=023653d5d15c0036e12437bdd6524779a2496253;hp=ac2eee93a654066c15a2c3553d102081fc79b426;hb=3f2fe49d822135c209e9896f666b748cf2234f2e;hpb=07de73a331240b97d915c1851431a743449dd0f4 diff --git a/pppd/auth.c b/pppd/auth.c index ac2eee9..023653d 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -32,7 +32,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -#define RCSID "$Id: auth.c,v 1.58 1999/09/11 12:08:56 paulus Exp $" +#define RCSID "$Id: auth.c,v 1.64 2000/04/13 12:05:57 paulus Exp $" #include #include @@ -112,6 +112,9 @@ static int num_np_up; /* Set if we got the contents of passwd[] from the pap-secrets file. */ static int passwd_from_file; +/* Set if we require authentication only because we have a default route. */ +static bool default_auth; + /* Hook to enable a plugin to control the idle time limit */ int (*idle_time_hook) __P((struct ppp_idle *)) = NULL; @@ -123,6 +126,9 @@ int (*pap_auth_hook) __P((char *user, char *passwd, char **msgp, struct wordlist **paddrs, struct wordlist **popts)) = NULL; +/* Hook for a plugin to know about the PAP user logout */ +void (*pap_logout_hook) __P((void)) = NULL; + /* Hook for a plugin to get the PAP password for authenticating us */ int (*pap_passwd_hook) __P((char *user, char *passwd)) = NULL; @@ -346,8 +352,12 @@ link_terminated(unit) { if (phase == PHASE_DEAD) return; - if (logged_in) - plogout(); + if (pap_logout_hook) { + pap_logout_hook(); + } else { + if (logged_in) + plogout(); + } new_phase(PHASE_DEAD); notice("Connection terminated."); } @@ -499,6 +509,17 @@ start_networks() struct protent *protp; new_phase(PHASE_NETWORK); + +#ifdef HAVE_MULTILINK + if (multilink) { + if (mp_join_bundle()) { + if (updetach && !nodetach) + detach(); + return; + } + } +#endif /* HAVE_MULTILINK */ + #if 0 if (!demand) set_filters(&pass_filter, &active_filter); 
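Review bot: In link_terminated(), once a plugin sets pap_logout_hook the built-in plogout() is skipped even when logged_in is set, and the hook is called on every link termination whether or not a PAP login took place. If a plugin installs the logout hook without also replacing the login path (not visible in this hunk), whatever the built-in login opened is never closed by plogout(). Either keep the `if (logged_in) plogout();` check independent of the hook, or state the contract at the hook's declaration, e.g. `/* If set, replaces plogout(); called on every link termination, even when no PAP login happened */`. link_terminated() starts outside the hunk.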
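Review bot: The early return after mp_join_bundle() in start_networks() skips the rest of the function without a comment, and the meaning of a nonzero return is not visible in this hunk. A one-line comment above the call would help, e.g. `/* nonzero: this link was attached to an existing bundle, so no network protocols are started on it */`, if that is the intended meaning. The body of start_networks() continues outside the hunk.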
@@ -560,7 +581,7 @@ auth_peer_success(unit, protocol, name, namelen) namelen = sizeof(peer_authname) - 1; BCOPY(name, peer_authname, namelen); peer_authname[namelen] = 0; - script_setenv("PEERNAME", peer_authname); + script_setenv("PEERNAME", peer_authname, 0); /* * If there is no more authentication still to be done, @@ -748,10 +769,12 @@ auth_check_options() /* * If we have a default route, require the peer to authenticate - * unless the noauth option was given. + * unless the noauth option was given or the real user is root. */ - if (!auth_required && !allow_any_ip && have_route_to(0)) + if (!auth_required && !allow_any_ip && have_route_to(0) && !privileged) { auth_required = 1; + default_auth = 1; + } /* If authentication is required, ask peer for CHAP or PAP. */ if (auth_required) { @@ -776,20 +799,23 @@ auth_check_options() } if (auth_required && !can_auth && noauth_addrs == NULL) { - if (explicit_remote) + if (default_auth) { option_error( -"The remote system (%s) is required to authenticate itself but I", - remote_name); - else +"By default the remote system is required to authenticate itself"); option_error( -"The remote system is required to authenticate itself but I"); - - if (!lacks_ip) +"(because this system has a default route to the internet)"); + } else if (explicit_remote) option_error( -"couldn't find any suitable secret (password) for it to use to do so."); +"The remote system (%s) is required to authenticate itself", + remote_name); else option_error( -"couldn't find any secret (password) which would let it use an IP address."); +"The remote system is required to authenticate itself"); + option_error( +"but I couldn't find any suitable secret (password) for it to use to do so."); + if (lacks_ip) + option_error( +"(None of the available passwords would let it use an IP address.)"); exit(1); } 
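Review bot: The added `!privileged` test in auth_check_options() means a pppd started by root no longer requires peer authentication by default on a host with a default route, and nothing is logged when that safeguard is skipped. The last hunk of this patch makes the matching change in auth_ip_addr(), `return allow_any_ip || privileged || !have_route_to(addr);`, so in that configuration the address check no longer restricts an unauthenticated peer either. System-started pppd instances presumably run as root, so this relaxes the default for exactly the deployments it was protecting. I would at least log it, e.g. `if (privileged && !auth_required && have_route_to(0)) notice("peer authentication not required (started by root)");`, and have the comment say that the `auth` option restores the requirement. Both functions continue outside their hunks.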
@@ -868,6 +894,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) if (ret) set_allowed_addrs(unit, addrs, opts); BZERO(passwd, sizeof(passwd)); + if (addrs != 0) + free_wordlist(addrs); return ret? UPAP_AUTHACK: UPAP_AUTHNAK; } } @@ -921,8 +949,6 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) } if (attempts > 3) sleep((u_int) (attempts - 3) * 5); - if (addrs != NULL) - free_wordlist(addrs); if (opts != NULL) free_wordlist(opts); @@ -933,6 +959,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) set_allowed_addrs(unit, addrs, opts); } + if (addrs != NULL) + free_wordlist(addrs); BZERO(passwd, sizeof(passwd)); BZERO(secret, sizeof(secret)); @@ -1193,10 +1221,10 @@ null_login(unit) if (ret) set_allowed_addrs(unit, addrs, opts); - else { - free_wordlist(addrs); + else if (opts != 0) free_wordlist(opts); - } + if (addrs != 0) + free_wordlist(addrs); fclose(f); return ret; @@ -1216,7 +1244,6 @@ get_pap_passwd(passwd) char *filename; FILE *f; int ret; - struct wordlist *addrs; char secret[MAXWORDLEN]; /* @@ -1229,7 +1256,6 @@ get_pap_passwd(passwd) } filename = _PATH_UPAPFILE; - addrs = NULL; f = fopen(filename, "r"); if (f == NULL) return 0; @@ -1370,10 +1396,10 @@ get_secret(unit, client, server, secret, secret_len, am_server) if (am_server) set_allowed_addrs(unit, addrs, opts); - else { - free_wordlist(addrs); + else if (opts != 0) free_wordlist(opts); - } + if (addrs != 0) + free_wordlist(addrs); } len = strlen(secbuf); @@ -1555,7 +1581,7 @@ auth_ip_addr(unit, addr) } if (auth_required) return 0; /* no addresses authorized */ - return allow_any_ip || !have_route_to(addr); + return allow_any_ip || privileged || !have_route_to(addr); } static int
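Review bot: In the pap_auth_hook branch of check_passwd() (the first hunk on this line), `addrs` is now freed on both outcomes but `opts` is not freed when the hook rejects the login, so a hook that filled in `opts` before failing leaks it. The null_login() and get_secret() hunks in this same patch add `else if (opts != 0) free_wordlist(opts);` after set_allowed_addrs(); the hook branch should do the same, assuming set_allowed_addrs() copies `addrs` and takes ownership of `opts` as those hunks imply. The patch also mixes `!= 0` and `!= NULL` for the same pointers; `NULL` would match the lines it replaces. check_passwd() starts and ends outside the hunk.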