From 0816630b7e90b23792599af619d6950841891b9b Mon Sep 17 00:00:00 2001 From: Paul Mackerras Date: Tue, 8 Oct 1996 06:43:36 +0000 Subject: [PATCH] update from Al --- FAQ | 10 ++--- README.MSCHAP80 | 28 ++++++++++++ linux/kinstall.sh | 75 ++++++------------------------- pppd/Makefile.linux | 13 ++++-- pppd/ipxcp.c | 107 +++++++++++++------------------------------- 5 files changed, 85 insertions(+), 148 deletions(-) diff --git a/FAQ b/FAQ index ef6dd73..cb42c6b 100644 --- a/FAQ +++ b/FAQ @@ -370,13 +370,9 @@ the server. Thus, it may be necessary to use the `remotename' option to pppd when using PAP authentication so that it can select the appropriate secret from /etc/ppp/pap-secrets. -Microsoft also has a variant of CHAP which they apparently think is -more secure than standard CHAP because they don't store secrets in -clear text on the server. However, a bogus client only needs to know -the encrypted secret to gain access, so the only extra security is -that the bogus client would need to run something other than Windows. -There is a client-side implementation of Microsoft's CHAP in ppp-2.3; -see README.MSCHAP80. +Microsoft also has a variant of CHAP which uses a different hashing +arrangement from normal CHAP. There is a client-side implementation +of Microsoft's CHAP in ppp-2.3; see README.MSCHAP80. ------------------------------------------------------------------------ diff --git a/README.MSCHAP80 b/README.MSCHAP80 index 95f01ea..b0d54cb 100644 --- a/README.MSCHAP80 +++ b/README.MSCHAP80 @@ -3,6 +3,7 @@ PPP Client Support for Microsoft's CHAP-80 Eric Rosenquist rosenqui@strataware.com (updated by Paul Mackerras) +(updated by Al Longyear) INTRODUCTION 
@@ -114,6 +115,33 @@ The "remotename" option is required for MS-CHAP since Microsoft PPP servers don't send their system name in the CHAP challenge packet. +E=691 (AUTHENTICATION_FAILURE) ERRORS WHEN YOU HAVE THE VALID SECRET (PASSWORD) + +If your RAS server is not the domain controller and is not a 'stand-alone' +server then it must make a query to the domain controller for your domain. + +You need to specify the domain name with the user name when you attempt to +use this type of a configuration. The domain name is specified with the +local name in the chap-secrets file and with the option for the 'name' +parameter. + +For example, the previous example would become: + + DialupNT domain\\customer47 foobar + domain\\customer47 DialupNT foobar + +and + + pppd name 'domain\\customer47' remotename DialupNT + +or add: + + name domain\\customer47 + remotename DialupNT + +when the Windows NT domain name is simply called 'domain'. + + TROUBLESHOOTING Assuming that everything else has been configured correctly for PPP and diff --git a/linux/kinstall.sh b/linux/kinstall.sh index 29ba963..23ae2d1 100755 --- a/linux/kinstall.sh +++ b/linux/kinstall.sh @@ -48,7 +48,7 @@ fi # introduced in 1.0.1 if [ `egrep '^VERSION|^PATCHLEVEL|^SUBLEVEL' $LINUXMK | wc -l` -ne 3 ]; then echo You appear to have a very old kernel. You must upgrade. - echo It is recommended that you upgrade to the most recent 2.0.X kernel. + echo It is recommended that you upgrade to the most recent 1.2.X kernel. exit 1 fi 
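Review bot: The "very old kernel" message in the `@@ -48,7 +48,7 @@` hunk now recommends "the most recent 1.2.X kernel", while the version check in the next hunk refuses anything below 2.0.0. A user who follows this advice would be rejected on the next run. The line should name the same series as the later check: `echo It is recommended that you upgrade to the most recent 2.0.x kernel.`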
@@ -62,18 +62,11 @@ KERNEL=$VERSION.$PATCHLEVEL.$SUBLEVEL # # Pass judgement on the kernel version -if [ $VERSION -eq 1 ]; then - if [ $PATCHLEVEL -eq 0 -o $PATCHLEVEL -eq 1 -a $SUBLEVEL -lt 14 ]; then +if [ $VERSION -lt 2 ]; then echo You appear to be running $KERNEL. There is no support for - echo kernels predating 1.1.14. It is recommended that you upgrade - echo to the most recent 2.0.X kernel. + echo kernels predating 2.0.0. It is recommended that you upgrade + echo to the most recent 2.0.x kernel. exit 1 - fi - if [ $PATCHLEVEL -eq 1 ]; then - echo You appear to be running $KERNEL. It is recommended that you - echo upgrade to the most recent 1.2.X kernel. - echo However, installation will proceed. - fi fi echo @@ -139,13 +132,7 @@ newer () { # # Change the USE_SKB_PROTOCOL for correct operation on 1.3.x update_ppp () { - mv $LINUXSRC/drivers/net/ppp.c $LINUXSRC/drivers/net/ppp.c.in - if [ "$VERSION.$PATCHLEVEL" = "1.3" ]; then - sed 's/#define USE_SKB_PROTOCOL 0/#define USE_SKB_PROTOCOL 1/' <$LINUXSRC/drivers/net/ppp.c.in >$LINUXSRC/drivers/net/ppp.c - else - sed 's/#define USE_SKB_PROTOCOL 1/#define USE_SKB_PROTOCOL 0/' <$LINUXSRC/drivers/net/ppp.c.in >$LINUXSRC/drivers/net/ppp.c - fi - rm $LINUXSRC/drivers/net/ppp.c.in + return } # 
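Review bot: In the `@@ -139,13 +132,7 @@` hunk, update_ppp is reduced to a bare `return`, but the comment kept above it still says "Change the USE_SKB_PROTOCOL for correct operation on 1.3.x". That comment now describes behaviour the function no longer has. Either replace it with something like `# No source edits are needed for 2.0.x kernels; kept so existing callers still work.` or drop the function together with its call sites, which lie outside this hunk.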
@@ -269,42 +256,17 @@ echo -n 'Adding BSD compression module to drivers makefile...' NETMK=$LINUXSRC/drivers/net/Makefile fgrep bsd_comp.o $NETMK >/dev/null if [ ! "$?" = "0" ]; then - echo -n '.' - rm -f $NETMK.orig $NETMK.rej - if [ "$VERSION.$PATCHLEVEL" = "1.2" ]; then - (cd $LINUXSRC; patch -p1 -f -F30 -s) $NETMK.temp - bombiffailed - echo -n '.' - mv $NETMK $NETMK.orig - bombiffailed - echo -n '.' - mv $NETMK.temp $NETMK - bombiffailed - fi -# if [ -f $NETMK.orig ]; then - mv $NETMK.orig $NETMK.old + mv $NETMK.orig $NETMK fi + sed 's/ppp.o$/ppp.o bsd_comp.o/g' <$NETMK >$NETMK.temp + bombiffailed + echo -n '.' + mv $NETMK $NETMK.orig + bombiffailed + echo -n '.' + mv $NETMK.temp $NETMK + bombiffailed else echo -n '(already there--skipping)' fi @@ -374,13 +336,4 @@ patch_include echo "Kernel driver files installation done." -if [ "$VERSION.$PATCHLEVEL" = "1.2" ]; then - echo - echo "Please make sure that you apply the kernel patches in the" - echo "linux/Other.Patches directory. You should apply both the 1.2.13 and" - echo "slhc.patch files or the driver in the kernel may not compile." - echo "The instructions are in each of these files and the README.Linux" - echo "document." -fi - exit 0 diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux index 311cc18..e759a61 100644 --- a/pppd/Makefile.linux +++ b/pppd/Makefile.linux @@ -1,6 +1,6 @@ # # pppd makefile for Linux -# $Id: Makefile.linux,v 1.17 1996/10/08 04:35:01 paulus Exp $ +# $Id: Makefile.linux,v 1.18 1996/10/08 06:42:41 paulus Exp $ # # Default installation locations 
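Review bot: In the `@@ -269,42 +256,17 @@` hunk, a leftover `$NETMK.orig` is now moved back over the live `$NETMK` before the sed edit, where the old code set it aside as `$NETMK.old`. Nothing visible here checks that the backup belongs to the current kernel tree, so a stale backup from an earlier install would silently replace the current drivers Makefile. Keeping the old backup out of the way, `mv $NETMK.orig $NETMK.old`, and running sed on the current file avoids that. The sed step also succeeds when `ppp.o$` matches nothing, so the script can report success without having added `bsd_comp.o`; a second `fgrep bsd_comp.o $NETMK.temp` before the final `mv` would catch it.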
@@ -40,14 +40,21 @@ COMPILE_FLAGS= -D_linux_=1 -DHAVE_PATHS_H -DIPX_CHANGE CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) +ifdef CHAPMS +CFLAGS += -DCHAPMS=1 +LIBS := -ldes $(LIBS) +PPPDOBJS += md4.o chap_ms.o +endif + ifdef HAS_SHADOW CFLAGS += -DHAS_SHADOW -LIBS += -lshadow +LIBS := -lshadow -lcrypt $(LIBS) endif +# For "Pluggable Authentication Modules", see ftp.redhat.com:/pub/pam/. ifdef USE_PAM CFLAGS += -DUSE_PAM -LIBS += -lpam -ldl +LIBS := -lpam -ldl $(LIBS) endif install: pppd diff --git a/pppd/ipxcp.c b/pppd/ipxcp.c index a347518..542ad85 100644 --- a/pppd/ipxcp.c +++ b/pppd/ipxcp.c @@ -19,7 +19,7 @@ #ifdef IPX_CHANGE #ifndef lint -static char rcsid[] = "$Id: ipxcp.c,v 1.3 1996/09/14 05:15:20 paulus Exp $"; +static char rcsid[] = "$Id: ipxcp.c,v 1.4 1996/10/08 06:43:36 paulus Exp $"; #endif /* @@ -428,23 +428,9 @@ ipxcp_addci(f, ucp, lenp) } if (go->neg_router && (go->router & (BIT(0) | BIT(2) | BIT(4)))) { - if (go->router & BIT(0)) { - PUTCHAR (IPX_ROUTER_PROTOCOL, ucp); - PUTCHAR (CILEN_PROTOCOL, ucp); - PUTSHORT (0, ucp); - } else { - if (go->router & BIT(2)) { - PUTCHAR (IPX_ROUTER_PROTOCOL, ucp); - PUTCHAR (CILEN_PROTOCOL, ucp); - PUTSHORT (2, ucp); - } - - if (go->router & BIT(4)) { - PUTCHAR (IPX_ROUTER_PROTOCOL, ucp); - PUTCHAR (CILEN_PROTOCOL, ucp); - PUTSHORT (4, ucp); - } - } + PUTCHAR (IPX_ROUTER_PROTOCOL, ucp); + PUTCHAR (CILEN_PROTOCOL, ucp); + PUTSHORT (go->router, ucp); } if (go->neg_complete) { 
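Review bot: The new `ifdef CHAPMS` block in the `@@ -40,14 +40,21 @@` hunk has no comment, although the USE_PAM block just below it gains one in the same hunk. A builder cannot tell from the Makefile that the switch needs an external DES library and pulls in the MD4 code. I would add a line above the `ifdef`, for example `# Microsoft CHAP client support (see README.MSCHAP80); needs libdes, adds md4.o and chap_ms.o.`, so it is clear that this authentication code is compiled only when CHAPMS is defined.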
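Review bot: In the ipxcp_addci hunk the guard still treats `go->router` as a bit set (`BIT(0) | BIT(2) | BIT(4)`), but the value written is now `go->router` itself, where the removed code wrote the protocol numbers 0, 2 and 4. Assuming BIT(n) is `1 << n`, a bitmask field would send protocol 2 as 4, while a protocol-number field would make the guard skip the values 0 and 2. The guard and the `PUTSHORT (go->router, ucp);` line should agree on one representation, for instance `if (go->neg_router) {` once the field holds the protocol number. The option length reported by ipxcp_cilen is not part of this diff and has to match the single option now emitted. The function body continues outside the hunk.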
@@ -521,20 +507,13 @@ ipxcp_ackci(f, p, len) break; \ } -#define ACKCIPROTO(opt, neg, val, bit) \ - if (neg && (val & BIT(bit))) \ +#define ACKCIPROTO(opt, neg, val) \ + if (neg && p[1] == CILEN_PROTOCOL && len >= p[1] && p[0] == opt) \ { \ - if (len < 2) \ - break; \ - GETCHAR(citype, p); \ - GETCHAR(cilen, p); \ - if (cilen != CILEN_PROTOCOL || citype != opt) \ - break; \ - len -= cilen; \ - if (len < 0) \ - break; \ + INCPTR(2, p); \ + len -= CILEN_PROTOCOL; \ GETSHORT(cishort, p); \ - if (cishort != (bit)) \ + if (cishort != (val)) \ break; \ } /* @@ -544,9 +523,7 @@ ipxcp_ackci(f, p, len) ACKCINETWORK (IPX_NETWORK_NUMBER, go->neg_nn, go->our_network); ACKCINODE (IPX_NODE_NUMBER, go->neg_node, go->our_node); ACKCINAME (IPX_ROUTER_NAME, go->neg_name, go->name); - ACKCIPROTO (IPX_ROUTER_PROTOCOL, go->neg_router, go->router, 0); - ACKCIPROTO (IPX_ROUTER_PROTOCOL, go->neg_router, go->router, 2); - ACKCIPROTO (IPX_ROUTER_PROTOCOL, go->neg_router, go->router, 4); + ACKCIPROTO (IPX_ROUTER_PROTOCOL, go->neg_router, go->router); ACKCICOMPLETE (IPX_COMPLETE, go->neg_complete); /* * This is the end of the record. 
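Review bot: ACKCIPROTO reads `p[0]` and `p[1]` before it looks at `len`, so a peer's Configure-Ack with fewer than two bytes left is read past its end; the removed code tested `len < 2` first. Putting the length test first keeps the short-circuit safe: `if (neg && len >= CILEN_PROTOCOL && p[0] == opt && p[1] == CILEN_PROTOCOL) \`. REJCINETWORK, REJCICHARS, REJCIVOID and REJCIPROTO in the ipxcp_rejci hunks use the same ordering and need the same change. The new form also skips the option silently on a type or length mismatch where the old one hit `break`. Whether the end-of-record check in ipxcp_ackci (outside the hunk) still rejects an Ack that omits the option should be confirmed.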
@@ -700,33 +677,22 @@ ipxcp_rejci(f, p, len) ipxcp_options try; /* options to request next time */ #define REJCINETWORK(opt, neg, val) \ - if (neg) { \ + if (neg && p[1] == CILEN_NETN && len >= p[1] && p[0] == opt) { \ neg = 0; \ - if ((len -= CILEN_NETN) < 0) \ - break; \ - GETCHAR(citype, p); \ - GETCHAR(cilen, p); \ - if (cilen != CILEN_NETN || \ - citype != opt) \ - break; \ + INCPTR(2, p); \ + len -= CILEN_NETN; \ GETLONG(cilong, p); \ if (cilong != val) \ break; \ - IPXCPDEBUG((LOG_INFO,"ipxcp_rejci rejected long opt %d", opt)); \ + IPXCPDEBUG((LOG_INFO,"ipxcp_rejci rejected network 0x%08x", val)); \ } #define REJCICHARS(opt, neg, val, cnt) \ - if (neg) { \ + if (neg && p[1] == cnt + 2 && p[1] >= len && p[0] == opt) { \ int indx, count = cnt; \ neg = 0; \ - len -= (count + 2); \ - if (len < 0) \ - break; \ - GETCHAR(citype, p); \ - GETCHAR(cilen, p); \ - if (cilen != (count + 2) || \ - citype != opt) \ - break; \ + INCPTR(2, p); \ + len -= (cnt + 2); \ for (indx = 0; indx < count; ++indx) {\ GETCHAR(cichar, p); \ if (cichar != ((u_char *) &val)[indx]) \ 
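Review bot: The length test in REJCICHARS is reversed: `p[1] >= len` accepts the option when its declared length is at least the remaining length, whereas the other macros in this patch use `len >= p[1]`. An option from the peer's Configure-Reject that is longer than what is left in the packet therefore passes, the GETCHAR loop reads `cnt` bytes beyond the received data, and `len` goes negative. The condition should bound the read before touching the bytes: `if (neg && len >= (int)(cnt) + 2 && p[0] == opt && p[1] == (cnt) + 2) { \`. The macro body continues past the end of this hunk.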
@@ -741,34 +707,23 @@ ipxcp_rejci(f, p, len) #define REJCINAME(opt,neg,val) REJCICHARS(opt,neg,val,strlen(val)) #define REJCIVOID(opt, neg) \ - if (neg) { \ + if (neg && p[1] == CILEN_VOID && len >= p[1] && p[0] == opt) { \ neg = 0; \ - if ((len -= CILEN_VOID) < 0) \ - break; \ - GETCHAR(citype, p); \ - GETCHAR(cilen, p); \ - if (cilen != CILEN_VOID || citype != opt) \ - break; \ + INCPTR(2, p); \ + len -= CILEN_VOID; \ IPXCPDEBUG((LOG_INFO, "ipxcp_rejci rejected void opt %d", opt)); \ } -#define REJCIPROTO(opt, neg, val, bit) \ - if (neg && (val & BIT(bit))) \ +#define REJCIPROTO(opt, neg, val) \ + if (neg && p[1] == CILEN_PROTOCOL && len >= p[1] && p[0] == opt) \ { \ - if (len < 2) \ - break; \ - GETCHAR(citype, p); \ - GETCHAR(cilen, p); \ - if (cilen != CILEN_PROTOCOL || citype != opt) \ - break; \ - len -= cilen; \ - if (len < 0) \ - break; \ + INCPTR(2, p); \ + len -= CILEN_PROTOCOL; \ GETSHORT(cishort, p); \ - if (cishort != (bit)) \ + IPXCPDEBUG((LOG_INFO, "ipxcp_rejci rejected router proto 0x%04x", cishort)); \ + if ((cishort & val) == 0) \ break; \ - IPXCPDEBUG((LOG_INFO, "ipxcp_rejci rejected router proto %d", bit)); \ - val &= ~BIT(bit); \ + val &= ~cishort; \ if (val == 0) \ neg = 0; \ } @@ -783,9 +738,7 @@ ipxcp_rejci(f, p, len) do { REJCINETWORK (IPX_NETWORK_NUMBER, try.neg_nn, try.our_network); REJCINODE (IPX_NODE_NUMBER, try.neg_node, try.our_node); - REJCIPROTO (IPX_ROUTER_PROTOCOL, try.neg_router, try.router, 0); - REJCIPROTO (IPX_ROUTER_PROTOCOL, try.neg_router, try.router, 2); - REJCIPROTO (IPX_ROUTER_PROTOCOL, try.neg_router, try.router, 4); + REJCIPROTO (IPX_ROUTER_PROTOCOL, try.neg_router, try.router); REJCINAME (IPX_ROUTER_NAME, try.neg_name, try.name); REJCIVOID (IPX_COMPLETE, try.neg_complete); /* @@ -1163,7 +1116,7 @@ ipxcp_up(f) * /etc/ppp/ipx-up interface tty speed local-IPX remote-IPX */ - ipxcp_script (f, "/etc/ppp/ipx-up"); + ipxcp_script (f, _PATH_IPXUP); } /* 
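Review bot: REJCIPROTO in the `@@ -741,34 +707,23 @@` hunk now clears bits with `val &= ~cishort`, using the value taken from the peer's Configure-Reject. The only check is that it overlaps what was requested (`(cishort & val) == 0`), where the removed code required an exact match. A rejected option is expected to come back unmodified, so a value that differs from what was sent indicates a malformed Reject and should not alter `try.router`. Comparing first, `if (cishort != (val)) break; \`, restores that check. The IPXCPDEBUG line also logs the value as "rejected" before it has been validated; moving it after the comparison would keep the log accurate.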
@@ -1183,7 +1136,7 @@ ipxcp_down(f) cipxfaddr (f->unit); sifdown(f->unit); - ipxcp_script (f, "/etc/ppp/ipx-down"); + ipxcp_script (f, _PATH_IPXDOWN); } -- 2.39.2