2 * auth.c - PPP authentication and phase control.
4 * Copyright (c) 1993 The Australian National University.
7 * Redistribution and use in source and binary forms are permitted
8 * provided that the above copyright notice and this paragraph are
9 * duplicated in all such forms and that any documentation,
10 * advertising materials, and other materials related to such
11 * distribution and use acknowledge that the software was developed
12 * by the Australian National University. The name of the University
13 * may not be used to endorse or promote products derived from this
14 * software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
17 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
19 * Copyright (c) 1989 Carnegie Mellon University.
20 * All rights reserved.
22 * Redistribution and use in source and binary forms are permitted
23 * provided that the above copyright notice and this paragraph are
24 * duplicated in all such forms and that any documentation,
25 * advertising materials, and other materials related to such
26 * distribution and use acknowledge that the software was developed
27 * by Carnegie Mellon University. The name of the
28 * University may not be used to endorse or promote products derived
29 * from this software without specific prior written permission.
30 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
32 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
35 #define RCSID "$Id: auth.c,v 1.1.1.4 2003/10/14 08:09:53 sparq Exp $"
44 #include <sys/types.h>
46 #include <sys/socket.h>
49 #if defined(_PATH_LASTLOG) && defined(_linux_)
54 #include <netinet/in.h>
55 #include <arpa/inet.h>
58 #include <security/pam_appl.h>
64 #define PW_PPP PW_LOGIN
77 #include "pathnames.h"
79 static const char rcsid
[] = RCSID
;
81 /* Bits in scan_authfile return value */
82 #define NONWILD_SERVER 1
83 #define NONWILD_CLIENT 2
85 #define ISWILD(word) (word[0] == '*' && word[1] == 0)
87 /* The name by which the peer authenticated itself to us. */
88 char peer_authname
[MAXNAMELEN
];
90 /* Records which authentication operations haven't completed yet. */
91 static int auth_pending
[NUM_PPP
];
93 /* Set if we have successfully called plogin() */
96 /* List of addresses which the peer may use. */
97 static struct permitted_ip
*addresses
[NUM_PPP
];
99 /* Wordlist giving addresses which the peer may use
100 without authenticating itself. */
101 static struct wordlist
*noauth_addrs
;
103 /* Extra options to apply, from the secrets file entry for the peer. */
104 static struct wordlist
*extra_options
;
106 /* Number of network protocols which we have opened. */
107 static int num_np_open
;
109 /* Number of network protocols which have come up. */
110 static int num_np_up
;
112 /* Set if we got the contents of passwd[] from the pap-secrets file. */
113 static int passwd_from_file
;
115 /* Set if we require authentication only because we have a default route. */
116 static bool default_auth
;
118 /* Hook to enable a plugin to control the idle time limit */
119 int (*idle_time_hook
) __P((struct ppp_idle
*)) = NULL
;
121 /* Hook for a plugin to say whether we can possibly authenticate any peer */
122 int (*pap_check_hook
) __P((void)) = NULL
;
124 /* Hook for a plugin to check the PAP user and password */
125 int (*pap_auth_hook
) __P((char *user
, char *passwd
, char **msgp
,
126 struct wordlist
**paddrs
,
127 struct wordlist
**popts
)) = NULL
;
129 /* Hook for a plugin to know about the PAP user logout */
130 void (*pap_logout_hook
) __P((void)) = NULL
;
132 /* Hook for a plugin to get the PAP password for authenticating us */
133 int (*pap_passwd_hook
) __P((char *user
, char *passwd
)) = NULL
;
136 * This is used to ensure that we don't start an auth-up/down
137 * script while one is already running.
144 static enum script_state auth_state
= s_down
;
145 static enum script_state auth_script_state
= s_down
;
146 static pid_t auth_script_pid
= 0;
148 static int used_login
; /* peer authenticated against login database */
153 bool uselogin
= 0; /* Use /etc/passwd for checking PAP */
154 bool cryptpap
= 0; /* Passwords in pap-secrets are encrypted */
155 bool refuse_pap
= 0; /* Don't wanna auth. ourselves with PAP */
156 bool refuse_chap
= 0; /* Don't wanna auth. ourselves with CHAP */
157 bool usehostname
= 0; /* Use hostname for our_name */
158 bool auth_required
= 0; /* Always require authentication from peer */
159 bool allow_any_ip
= 0; /* Allow peer to use any IP address */
160 bool explicit_remote
= 0; /* User specified explicit remote name */
161 char remote_name
[MAXNAMELEN
]; /* Peer's name for authentication */
163 static char *uafname
; /* name of most recent +ua file */
165 /* Bits in auth_pending[] */
166 #define PAP_WITHPEER 1
168 #define CHAP_WITHPEER 4
171 extern char *crypt
__P((const char *, const char *));
173 /* Prototypes for procedures local to this file. */
175 static void network_phase
__P((int));
176 static void check_idle
__P((void *));
177 static void connect_time_expired
__P((void *));
178 static int plogin
__P((char *, char *, char **));
179 static void plogout
__P((void));
180 static int null_login
__P((int));
181 static int get_pap_passwd
__P((char *));
182 static int have_pap_secret
__P((int *));
183 static int have_chap_secret
__P((char *, char *, int, int *));
184 static int ip_addr_check
__P((u_int32_t
, struct permitted_ip
*));
185 static int scan_authfile
__P((FILE *, char *, char *, char *,
186 struct wordlist
**, struct wordlist
**,
188 static void free_wordlist
__P((struct wordlist
*));
189 static void auth_script
__P((char *));
190 static void auth_script_done
__P((void *));
191 static void set_allowed_addrs
__P((int, struct wordlist
*, struct wordlist
*));
192 static int some_ip_ok
__P((struct wordlist
*));
193 static int setupapfile
__P((char **));
194 static int privgroup
__P((char **));
195 static int set_noauth_addr
__P((char **));
196 static void check_access
__P((FILE *, char *));
197 static int wordlist_count
__P((struct wordlist
*));
200 * Authentication-related options.
202 option_t auth_options
[] = {
203 { "auth", o_bool
, &auth_required
,
204 "Require authentication from peer", OPT_PRIO
| 1 },
205 { "noauth", o_bool
, &auth_required
,
206 "Don't require peer to authenticate", OPT_PRIOSUB
| OPT_PRIV
,
208 { "require-pap", o_bool
, &lcp_wantoptions
[0].neg_upap
,
209 "Require PAP authentication from peer",
210 OPT_PRIOSUB
| 1, &auth_required
},
211 { "+pap", o_bool
, &lcp_wantoptions
[0].neg_upap
,
212 "Require PAP authentication from peer",
213 OPT_ALIAS
| OPT_PRIOSUB
| 1, &auth_required
},
214 { "require-chap", o_bool
, &lcp_wantoptions
[0].neg_chap
,
215 "Require CHAP authentication from peer",
216 OPT_PRIOSUB
| 1, &auth_required
},
217 { "+chap", o_bool
, &lcp_wantoptions
[0].neg_chap
,
218 "Require CHAP authentication from peer",
219 OPT_ALIAS
| OPT_PRIOSUB
| 1, &auth_required
},
221 { "refuse-pap", o_bool
, &refuse_pap
,
222 "Don't agree to auth to peer with PAP", 1 },
223 { "-pap", o_bool
, &refuse_pap
,
224 "Don't allow PAP authentication with peer", OPT_ALIAS
| 1 },
226 { "refuse-chap", o_bool
, &refuse_chap
,
227 "Don't agree to auth to peer with CHAP", 1 },
228 { "-chap", o_bool
, &refuse_chap
,
229 "Don't allow CHAP authentication with peer", OPT_ALIAS
| 1 },
231 { "name", o_string
, our_name
,
232 "Set local name for authentication",
233 OPT_PRIO
| OPT_PRIV
| OPT_STATIC
, NULL
, MAXNAMELEN
},
235 { "+ua", o_special
, (void *)setupapfile
,
236 "Get PAP user and password from file",
237 OPT_PRIO
| OPT_A2STRVAL
, &uafname
},
239 { "user", o_string
, user
,
240 "Set name for auth with peer", OPT_PRIO
| OPT_STATIC
, NULL
, MAXNAMELEN
},
242 { "password", o_string
, passwd
,
243 "Password for authenticating us to the peer",
244 OPT_PRIO
| OPT_STATIC
| OPT_HIDE
, NULL
, MAXSECRETLEN
},
246 { "usehostname", o_bool
, &usehostname
,
247 "Must use hostname for authentication", 1 },
249 { "remotename", o_string
, remote_name
,
250 "Set remote name for authentication", OPT_PRIO
| OPT_STATIC
,
251 &explicit_remote
, MAXNAMELEN
},
253 { "login", o_bool
, &uselogin
,
254 "Use system password database for PAP", 1 },
256 { "papcrypt", o_bool
, &cryptpap
,
257 "PAP passwords are encrypted", 1 },
259 { "privgroup", o_special
, (void *)privgroup
,
260 "Allow group members to use privileged options", OPT_PRIV
| OPT_A2LIST
},
262 { "allow-ip", o_special
, (void *)set_noauth_addr
,
263 "Set IP address(es) which can be used without authentication",
264 OPT_PRIV
| OPT_A2LIST
},
270 * setupapfile - specifies UPAP info for authenticating with peer.
278 char u
[MAXNAMELEN
], p
[MAXSECRETLEN
];
281 lcp_allowoptions
[0].neg_upap
= 1;
283 /* open user info file */
284 fname
= strdup(*argv
);
286 novm("+ua file name");
288 ufile
= fopen(fname
, "r");
291 option_error("unable to open user login data file %s", fname
);
294 check_access(ufile
, fname
);
298 if (fgets(u
, MAXNAMELEN
- 1, ufile
) == NULL
299 || fgets(p
, MAXSECRETLEN
- 1, ufile
) == NULL
){
300 option_error("unable to read user login data file %s", fname
);
305 /* get rid of newlines */
307 if (l
> 0 && u
[l
-1] == '\n')
310 if (l
> 0 && p
[l
-1] == '\n')
313 if (override_value("user", option_priority
, fname
))
314 strlcpy(user
, u
, sizeof(user
));
315 if (override_value("passwd", option_priority
, fname
))
316 strlcpy(passwd
, p
, sizeof(passwd
));
323 * privgroup - allow members of the group to have privileged access.
334 option_error("group %s is unknown", *argv
);
337 for (i
= 0; i
< ngroups
; ++i
) {
338 if (groups
[i
] == g
->gr_gid
) {
348 * set_noauth_addr - set address(es) that can be used without authentication.
349 * Equivalent to specifying an entry like `"" * "" addr' in pap-secrets.
352 set_noauth_addr(argv
)
356 int l
= strlen(addr
) + 1;
359 wp
= (struct wordlist
*) malloc(sizeof(struct wordlist
) + l
);
361 novm("allow-ip argument");
362 wp
->word
= (char *) (wp
+ 1);
363 wp
->next
= noauth_addrs
;
364 BCOPY(addr
, wp
->word
, l
);
371 * An Open on LCP has requested a change from Dead to Establish phase.
372 * Do what's necessary to bring the physical layer up.
381 * LCP has terminated the link; go to the Dead phase and take the
382 * physical layer down.
385 link_terminated(unit
)
388 if (phase
== PHASE_DEAD
)
390 if (pap_logout_hook
) {
396 new_phase(PHASE_DEAD
);
397 LOGX_NOTICE("Connection terminated.");
401 * LCP has gone down; it will either die or try to re-establish.
408 struct protent
*protp
;
411 if (auth_script_state
== s_up
&& auth_script_pid
== 0) {
412 update_link_stats(unit
);
413 auth_script_state
= s_down
;
414 auth_script(_PATH_AUTHDOWN
);
416 for (i
= 0; (protp
= protocols
[i
]) != NULL
; ++i
) {
417 if (!protp
->enabled_flag
)
419 if (protp
->protocol
!= PPP_LCP
&& protp
->lowerdown
!= NULL
)
420 (*protp
->lowerdown
)(unit
);
421 if (protp
->protocol
< 0xC000 && protp
->close
!= NULL
)
422 (*protp
->close
)(unit
, "LCP down");
426 if (phase
!= PHASE_DEAD
)
427 new_phase(PHASE_TERMINATE
);
431 * The link is established.
432 * Proceed to the Dead, Authenticate or Network phase as appropriate.
435 link_established(unit
)
439 lcp_options
*wo
= &lcp_wantoptions
[unit
];
440 lcp_options
*go
= &lcp_gotoptions
[unit
];
441 lcp_options
*ho
= &lcp_hisoptions
[unit
];
443 struct protent
*protp
;
446 * Tell higher-level protocols that LCP is up.
448 for (i
= 0; (protp
= protocols
[i
]) != NULL
; ++i
)
449 if (protp
->protocol
!= PPP_LCP
&& protp
->enabled_flag
450 && protp
->lowerup
!= NULL
)
451 (*protp
->lowerup
)(unit
);
453 if (auth_required
&& !(go
->neg_chap
|| go
->neg_upap
)) {
455 * We wanted the peer to authenticate itself, and it refused:
456 * if we have some address(es) it can use without auth, fine,
457 * otherwise treat it as though it authenticated with PAP using
458 * a username * of "" and a password of "". If that's not OK,
461 if (noauth_addrs
!= NULL
) {
462 set_allowed_addrs(unit
, NULL
, NULL
);
463 } else if (!wo
->neg_upap
|| uselogin
|| !null_login(unit
)) {
464 warn("peer refused to authenticate: terminating link");
465 lcp_close(unit
, "peer refused to authenticate");
466 status
= EXIT_PEER_AUTH_FAILED
;
471 new_phase(PHASE_AUTHENTICATE
);
475 ChapAuthPeer(unit
, our_name
, go
->chap_mdtype
);
477 } else if (go
->neg_upap
) {
482 ChapAuthWithPeer(unit
, user
, ho
->chap_mdtype
);
483 auth
|= CHAP_WITHPEER
;
484 } else if (ho
->neg_upap
) {
485 if (passwd
[0] == 0) {
486 passwd_from_file
= 1;
487 if (!get_pap_passwd(passwd
))
488 error("No secret found for PAP login");
490 upap_authwithpeer(unit
, user
, passwd
);
491 auth
|= PAP_WITHPEER
;
493 auth_pending
[unit
] = auth
;
500 * Proceed to the network phase.
506 lcp_options
*go
= &lcp_gotoptions
[unit
];
509 * If the peer had to authenticate, run the auth-up script now.
511 if (go
->neg_chap
|| go
->neg_upap
) {
513 if (auth_script_state
== s_down
&& auth_script_pid
== 0) {
514 auth_script_state
= s_up
;
515 auth_script(_PATH_AUTHUP
);
521 * If we negotiated callback, do it now.
524 new_phase(PHASE_CALLBACK
);
525 (*cbcp_protent
.open
)(unit
);
531 * Process extra options from the secrets file
534 options_from_list(extra_options
, 1);
535 free_wordlist(extra_options
);
545 struct protent
*protp
;
547 new_phase(PHASE_NETWORK
);
549 #ifdef HAVE_MULTILINK
551 if (mp_join_bundle()) {
552 if (updetach
&& !nodetach
)
557 #endif /* HAVE_MULTILINK */
561 set_filters(&pass_filter
, &active_filter
);
563 for (i
= 0; (protp
= protocols
[i
]) != NULL
; ++i
)
564 if (protp
->protocol
< 0xC000 && protp
->enabled_flag
565 && protp
->open
!= NULL
) {
567 if (protp
->protocol
!= PPP_CCP
)
571 if (num_np_open
== 0)
573 lcp_close(0, "No network protocols running");
577 * The peer has failed to authenticate himself using `protocol'.
580 auth_peer_fail(unit
, protocol
)
584 * Authentication failure: take the link down
586 lcp_close(unit
, "Authentication failed");
587 status
= EXIT_PEER_AUTH_FAILED
;
591 * The peer has been successfully authenticated using `protocol'.
594 auth_peer_success(unit
, protocol
, name
, namelen
)
609 warn("auth_peer_success: unknown protocol %x", protocol
);
614 * Save the authenticated name of the peer for later.
616 if (namelen
> sizeof(peer_authname
) - 1)
617 namelen
= sizeof(peer_authname
) - 1;
618 BCOPY(name
, peer_authname
, namelen
);
619 peer_authname
[namelen
] = 0;
620 script_setenv("PEERNAME", peer_authname
, 0);
623 * If there is no more authentication still to be done,
624 * proceed to the network (or callback) phase.
626 if ((auth_pending
[unit
] &= ~bit
) == 0)
631 * We have failed to authenticate ourselves to the peer using `protocol'.
634 auth_withpeer_fail(unit
, protocol
)
637 if (passwd_from_file
)
638 BZERO(passwd
, MAXSECRETLEN
);
640 * We've failed to authenticate ourselves to our peer.
641 * Some servers keep sending CHAP challenges, but there
642 * is no point in persisting without any way to get updated
643 * authentication secrets.
645 lcp_close(unit
, "Failed to authenticate ourselves to peer");
646 status
= EXIT_AUTH_TOPEER_FAILED
;
650 * We have successfully authenticated ourselves with the peer using `protocol'.
653 auth_withpeer_success(unit
, protocol
)
663 if (passwd_from_file
)
664 BZERO(passwd
, MAXSECRETLEN
);
668 warn("auth_withpeer_success: unknown protocol %x", protocol
);
673 * If there is no more authentication still being done,
674 * proceed to the network (or callback) phase.
676 if ((auth_pending
[unit
] &= ~bit
) == 0)
682 * np_up - a network protocol has come up.
690 if (num_np_up
== 0) {
692 * At this point we consider that the link has come up successfully.
696 new_phase(PHASE_RUNNING
);
698 if (idle_time_hook
!= 0)
699 tlim
= (*idle_time_hook
)(NULL
);
701 tlim
= idle_time_limit
;
703 TIMEOUT(check_idle
, NULL
, tlim
);
706 * Set a timeout to close the connection once the maximum
707 * connect time has expired.
710 TIMEOUT(connect_time_expired
, 0, maxconnect
);
713 * Detach now, if the updetach option was given.
715 if (updetach
&& !nodetach
)
722 * np_down - a network protocol has gone down.
728 if (--num_np_up
== 0) {
729 UNTIMEOUT(check_idle
, NULL
);
730 new_phase(PHASE_NETWORK
);
735 * np_finished - a network protocol has finished using the link.
738 np_finished(unit
, proto
)
741 if (--num_np_open
<= 0) {
742 /* no further use for the link: shut up shop. */
743 lcp_close(0, "No network protocols running");
748 * check_idle - check whether the link has been idle for long
749 * enough that we can shut it down.
755 struct ppp_idle idle
;
759 if (!get_idle_time(0, &idle
))
761 if (idle_time_hook
!= 0) {
762 tlim
= idle_time_hook(&idle
);
764 itime
= MIN(idle
.xmit_idle
, idle
.recv_idle
);
765 tlim
= idle_time_limit
- itime
;
768 /* link is idle: shut it down. */
769 notice("Terminating connection due to lack of activity.");
770 lcp_close(0, "Link inactive");
772 status
= EXIT_IDLE_TIMEOUT
;
774 TIMEOUT(check_idle
, NULL
, tlim
);
779 * connect_time_expired - log a message and close the connection.
782 connect_time_expired(arg
)
785 info("Connect time expired");
786 lcp_close(0, "Connect time expired"); /* Close connection */
787 status
= EXIT_CONNECT_TIME
;
791 * auth_check_options - called to check authentication options.
796 lcp_options
*wo
= &lcp_wantoptions
[0];
800 /* Default our_name to hostname, and user to our_name */
801 if (our_name
[0] == 0 || usehostname
)
802 strlcpy(our_name
, hostname
, sizeof(our_name
));
804 strlcpy(user
, our_name
, sizeof(user
));
807 * If we have a default route, require the peer to authenticate
808 * unless the noauth option was given or the real user is root.
810 if (!auth_required
&& !allow_any_ip
&& have_route_to(0) && !privileged
) {
815 /* If authentication is required, ask peer for CHAP or PAP. */
818 if (!wo
->neg_chap
&& !wo
->neg_upap
) {
828 * Check whether we have appropriate secrets to use
829 * to authenticate the peer.
832 can_auth
= wo
->neg_upap
&& (uselogin
|| have_pap_secret(&lacks_ip
));
833 if (!can_auth
&& wo
->neg_chap
) {
834 can_auth
= have_chap_secret((explicit_remote
? remote_name
: NULL
),
835 our_name
, 1, &lacks_ip
);
838 if (auth_required
&& !can_auth
&& noauth_addrs
== NULL
) {
841 "By default the remote system is required to authenticate itself");
843 "(because this system has a default route to the internet)");
844 } else if (explicit_remote
)
846 "The remote system (%s) is required to authenticate itself",
850 "The remote system is required to authenticate itself");
852 "but I couldn't find any suitable secret (password) for it to use to do so.");
855 "(None of the available passwords would let it use an IP address.)");
862 * auth_reset - called when LCP is starting negotiations to recheck
863 * authentication options, i.e. whether we have appropriate secrets
864 * to use for authenticating ourselves and/or the peer.
870 lcp_options
*go
= &lcp_gotoptions
[unit
];
871 lcp_options
*ao
= &lcp_allowoptions
[0];
873 ao
->neg_upap
= !refuse_pap
&& (passwd
[0] != 0 || get_pap_passwd(NULL
));
874 ao
->neg_chap
= !refuse_chap
876 || have_chap_secret(user
, (explicit_remote
? remote_name
: NULL
),
879 if (go
->neg_upap
&& !uselogin
&& !have_pap_secret(NULL
))
882 if (!have_chap_secret((explicit_remote
? remote_name
: NULL
),
890 * check_passwd - Check the user name and passwd against the PAP secrets
891 * file. If requested, also check against the system password database,
892 * and login the user if OK.
895 * UPAP_AUTHNAK: Authentication failed.
896 * UPAP_AUTHACK: Authentication succeeded.
897 * In either case, msg points to an appropriate message.
900 check_passwd(unit
, auser
, userlen
, apasswd
, passwdlen
, msg
)
911 struct wordlist
*addrs
= NULL
, *opts
= NULL
;
912 char passwd
[256], user
[256];
913 char secret
[MAXWORDLEN
];
914 static int attempts
= 0;
917 * Make copies of apasswd and auser, then null-terminate them.
918 * If there are unprintable characters in the password, make
921 slprintf(passwd
, sizeof(passwd
), "%.*v", passwdlen
, apasswd
);
922 slprintf(user
, sizeof(user
), "%.*v", userlen
, auser
);
926 * Check if a plugin wants to handle this.
929 ret
= (*pap_auth_hook
)(user
, passwd
, msg
, &addrs
, &opts
);
932 set_allowed_addrs(unit
, addrs
, opts
);
933 BZERO(passwd
, sizeof(passwd
));
935 free_wordlist(addrs
);
936 return ret
? UPAP_AUTHACK
: UPAP_AUTHNAK
;
941 * Open the file of pap secrets and scan for a suitable secret
942 * for authenticating this user.
944 filename
= _PATH_UPAPFILE
;
947 f
= fopen(filename
, "r");
949 error("Can't open PAP password file %s: %m", filename
);
952 check_access(f
, filename
);
953 if (scan_authfile(f
, user
, our_name
, secret
, &addrs
, &opts
, filename
) < 0) {
954 warn("no PAP secret found for %s", user
);
957 * If the secret is "@login", it means to check
958 * the password against the login database.
960 int login_secret
= strcmp(secret
, "@login") == 0;
962 if (uselogin
|| login_secret
) {
963 /* login option or secret is @login */
964 ret
= plogin(user
, passwd
, msg
);
965 if (ret
== UPAP_AUTHNAK
)
966 warn("PAP login failure for %s", user
);
970 if (secret
[0] != 0 && !login_secret
) {
971 /* password given in pap-secrets - must match */
972 if ((cryptpap
|| strcmp(passwd
, secret
) != 0)
973 && strcmp(crypt(passwd
, secret
), secret
) != 0) {
975 warn("PAP authentication failure for %s", user
);
982 if (ret
== UPAP_AUTHNAK
) {
984 *msg
= "Login incorrect";
985 if (attempts
++ >= 10) {
986 warn("%d LOGIN FAILURES ON %s, %s", attempts
, devnam
, user
);
987 lcp_close(unit
, "login failed");
990 sleep((u_int
) (attempts
- 3) * 5);
995 attempts
= 0; /* Reset count */
998 set_allowed_addrs(unit
, addrs
, opts
);
1002 free_wordlist(addrs
);
1003 BZERO(passwd
, sizeof(passwd
));
1004 BZERO(secret
, sizeof(secret
));
1010 * This function is needed for PAM.
1014 /* Static variables used to communicate between the conversation function
1015 * and the server_login function
1017 static char *PAM_username
;
1018 static char *PAM_password
;
1019 static int PAM_error
= 0;
1020 static pam_handle_t
*pamh
= NULL
;
1022 /* PAM conversation function
1023 * Here we assume (for now, at least) that echo on means login name, and
1024 * echo off means password.
1027 static int PAM_conv (int num_msg
, const struct pam_message
**msg
,
1028 struct pam_response
**resp
, void *appdata_ptr
)
1031 struct pam_response
*reply
= NULL
;
1033 #define COPY_STRING(s) (s) ? strdup(s) : NULL
1035 reply
= malloc(sizeof(struct pam_response
) * num_msg
);
1036 if (!reply
) return PAM_CONV_ERR
;
1038 for (replies
= 0; replies
< num_msg
; replies
++) {
1039 switch (msg
[replies
]->msg_style
) {
1040 case PAM_PROMPT_ECHO_ON
:
1041 reply
[replies
].resp_retcode
= PAM_SUCCESS
;
1042 reply
[replies
].resp
= COPY_STRING(PAM_username
);
1043 /* PAM frees resp */
1045 case PAM_PROMPT_ECHO_OFF
:
1046 reply
[replies
].resp_retcode
= PAM_SUCCESS
;
1047 reply
[replies
].resp
= COPY_STRING(PAM_password
);
1048 /* PAM frees resp */
1053 /* ignore it, but pam still wants a NULL response... */
1054 reply
[replies
].resp_retcode
= PAM_SUCCESS
;
1055 reply
[replies
].resp
= NULL
;
1058 /* Must be an error of some sort... */
1061 return PAM_CONV_ERR
;
1068 static struct pam_conv PAM_conversation
= {
1072 #endif /* USE_PAM */
1075 * plogin - Check the user name and password against the system
1076 * password database, and login the user if OK.
1079 * UPAP_AUTHNAK: Login failed.
1080 * UPAP_AUTHACK: Login succeeded.
1081 * In either case, msg points to an appropriate message.
1085 plogin(user
, passwd
, msg
)
1095 pam_error
= pam_start ("ppp", user
, &PAM_conversation
, &pamh
);
1096 if (pam_error
!= PAM_SUCCESS
) {
1097 *msg
= (char *) pam_strerror (pamh
, pam_error
);
1099 return UPAP_AUTHNAK
;
1102 * Define the fields for the credential validation
1105 PAM_username
= user
;
1106 PAM_password
= passwd
;
1108 pam_set_item (pamh
, PAM_TTY
, devnam
); /* this might be useful to some modules */
1113 pam_error
= pam_authenticate (pamh
, PAM_SILENT
);
1114 if (pam_error
== PAM_SUCCESS
&& !PAM_error
) {
1115 pam_error
= pam_acct_mgmt (pamh
, PAM_SILENT
);
1116 if (pam_error
== PAM_SUCCESS
)
1117 pam_open_session (pamh
, PAM_SILENT
);
1120 *msg
= (char *) pam_strerror (pamh
, pam_error
);
1125 reopen_log(); /* apparently the PAM stuff does closelog() */
1126 PAM_username
= NULL
;
1127 PAM_password
= NULL
;
1128 if (pam_error
!= PAM_SUCCESS
)
1129 return UPAP_AUTHNAK
;
1130 #else /* #ifdef USE_PAM */
1133 * Use the non-PAM methods directly
1138 struct spwd
*getspnam();
1140 struct passwd
*pw
= getpwnam(user
);
1144 return (UPAP_AUTHNAK
);
1147 spwd
= getspnam(user
);
1150 /* check the age of the password entry */
1151 long now
= time(NULL
) / 86400L;
1153 if ((spwd
->sp_expire
> 0 && now
>= spwd
->sp_expire
)
1154 || ((spwd
->sp_max
>= 0 && spwd
->sp_max
< 10000)
1155 && spwd
->sp_lstchg
>= 0
1156 && now
>= spwd
->sp_lstchg
+ spwd
->sp_max
)) {
1157 warn("Password for %s has expired", user
);
1158 return (UPAP_AUTHNAK
);
1160 pw
->pw_passwd
= spwd
->sp_pwdp
;
1165 * If no passwd, don't let them login.
1167 if (pw
->pw_passwd
== NULL
|| strlen(pw
->pw_passwd
) < 2
1168 || strcmp(crypt(passwd
, pw
->pw_passwd
), pw
->pw_passwd
) != 0)
1169 return (UPAP_AUTHNAK
);
1171 #endif /* #ifdef USE_PAM */
1174 * Write a wtmp entry for this user.
1178 if (strncmp(tty
, "/dev/", 5) == 0)
1180 logwtmp(tty
, user
, remote_name
); /* Add wtmp login entry */
1182 #if defined(_PATH_LASTLOG) && !defined(USE_PAM)
1183 if (pw
!= (struct passwd
*)NULL
) {
1187 if ((fd
= open(_PATH_LASTLOG
, O_RDWR
, 0)) >= 0) {
1188 (void)lseek(fd
, (off_t
)(pw
->pw_uid
* sizeof(ll
)), SEEK_SET
);
1189 memset((void *)&ll
, 0, sizeof(ll
));
1190 (void)time(&ll
.ll_time
);
1191 (void)strncpy(ll
.ll_line
, tty
, sizeof(ll
.ll_line
));
1192 (void)write(fd
, (char *)&ll
, sizeof(ll
));
1196 #endif /* _PATH_LASTLOG and not USE_PAM */
1198 info("user %s logged in", user
);
1201 return (UPAP_AUTHACK
);
1205 * plogout - Logout the user.
1214 pam_error
= pam_close_session (pamh
, PAM_SILENT
);
1215 pam_end (pamh
, pam_error
);
1218 /* Apparently the pam stuff does closelog(). */
1220 #else /* ! USE_PAM */
1224 if (strncmp(tty
, "/dev/", 5) == 0)
1226 logwtmp(tty
, "", ""); /* Wipe out utmp logout entry */
1227 #endif /* ! USE_PAM */
1233 * null_login - Check if a username of "" and a password of "" are
1234 * acceptable, and iff so, set the list of acceptable IP addresses
1244 struct wordlist
*addrs
, *opts
;
1245 char secret
[MAXWORDLEN
];
1248 * Open the file of pap secrets and scan for a suitable secret.
1250 filename
= _PATH_UPAPFILE
;
1252 f
= fopen(filename
, "r");
1255 check_access(f
, filename
);
1257 i
= scan_authfile(f
, "", our_name
, secret
, &addrs
, &opts
, filename
);
1258 ret
= i
>= 0 && secret
[0] == 0;
1259 BZERO(secret
, sizeof(secret
));
1262 set_allowed_addrs(unit
, addrs
, opts
);
1264 free_wordlist(opts
);
1266 free_wordlist(addrs
);
1274 * get_pap_passwd - get a password for authenticating ourselves with
1275 * our peer using PAP. Returns 1 on success, 0 if no suitable password
1277 * Assumes passwd points to MAXSECRETLEN bytes of space (if non-null).
1280 get_pap_passwd(passwd
)
1286 char secret
[MAXWORDLEN
];
1289 * Check whether a plugin wants to supply this.
1291 if (pap_passwd_hook
) {
1292 ret
= (*pap_passwd_hook
)(user
, passwd
);
1297 filename
= _PATH_UPAPFILE
;
1298 f
= fopen(filename
, "r");
1301 check_access(f
, filename
);
1302 ret
= scan_authfile(f
, user
,
1303 (remote_name
[0]? remote_name
: NULL
),
1304 secret
, NULL
, NULL
, filename
);
1309 strlcpy(passwd
, secret
, MAXSECRETLEN
);
1310 BZERO(secret
, sizeof(secret
));
1316 * have_pap_secret - check whether we have a PAP file with any
1317 * secrets that we could possibly use for authenticating the peer.
1320 have_pap_secret(lacks_ipp
)
1326 struct wordlist
*addrs
;
1328 /* let the plugin decide, if there is one */
1329 if (pap_check_hook
) {
1330 ret
= (*pap_check_hook
)();
1335 filename
= _PATH_UPAPFILE
;
1336 f
= fopen(filename
, "r");
1340 ret
= scan_authfile(f
, (explicit_remote
? remote_name
: NULL
), our_name
,
1341 NULL
, &addrs
, NULL
, filename
);
1343 if (ret
>= 0 && !some_ip_ok(addrs
)) {
1349 free_wordlist(addrs
);
1356 * have_chap_secret - check whether we have a CHAP file with a
1357 * secret that we could possibly use for authenticating `client'
1358 * on `server'. Either can be the null string, meaning we don't
1359 * know the identity yet.
1362 have_chap_secret(client
, server
, need_ip
, lacks_ipp
)
1371 struct wordlist
*addrs
;
1373 filename
= _PATH_CHAPFILE
;
1374 f
= fopen(filename
, "r");
1378 if (client
!= NULL
&& client
[0] == 0)
1380 else if (server
!= NULL
&& server
[0] == 0)
1383 ret
= scan_authfile(f
, client
, server
, NULL
, &addrs
, NULL
, filename
);
1385 if (ret
>= 0 && need_ip
&& !some_ip_ok(addrs
)) {
1391 free_wordlist(addrs
);
1398 * get_secret - open the CHAP secret file and return the secret
1399 * for authenticating the given client on the given server.
1400 * (We could be either client or server).
1403 get_secret(unit
, client
, server
, secret
, secret_len
, am_server
)
1414 struct wordlist
*addrs
, *opts
;
1415 char secbuf
[MAXWORDLEN
];
1417 if (!am_server
&& passwd
[0] != 0) {
1418 strlcpy(secbuf
, passwd
, sizeof(secbuf
));
1420 filename
= _PATH_CHAPFILE
;
1424 f
= fopen(filename
, "r");
1426 error("Can't open chap secret file %s: %m", filename
);
1429 check_access(f
, filename
);
1431 ret
= scan_authfile(f
, client
, server
, secbuf
, &addrs
, &opts
, filename
);
1437 set_allowed_addrs(unit
, addrs
, opts
);
1439 free_wordlist(opts
);
1441 free_wordlist(addrs
);
1444 len
= strlen(secbuf
);
1445 if (len
> MAXSECRETLEN
) {
1446 error("Secret for %s on %s is too long", client
, server
);
1449 BCOPY(secbuf
, secret
, len
);
1450 BZERO(secbuf
, sizeof(secbuf
));
1457 * set_allowed_addrs() - set the list of allowed addresses.
1458 * Also looks for `--' indicating options to apply for this peer
1459 * and leaves the following words in extra_options.
1462 set_allowed_addrs(unit
, addrs
, opts
)
1464 struct wordlist
*addrs
;
1465 struct wordlist
*opts
;
1468 struct wordlist
*ap
, **plink
;
1469 struct permitted_ip
*ip
;
1470 char *ptr_word
, *ptr_mask
;
1473 u_int32_t a
, mask
, ah
, offset
;
1474 struct ipcp_options
*wo
= &ipcp_wantoptions
[unit
];
1475 u_int32_t suggested_ip
= 0;
1477 if (addresses
[unit
] != NULL
)
1478 free(addresses
[unit
]);
1479 addresses
[unit
] = NULL
;
1480 if (extra_options
!= NULL
)
1481 free_wordlist(extra_options
);
1482 extra_options
= opts
;
1485 * Count the number of IP addresses given.
1487 n
= wordlist_count(addrs
) + wordlist_count(noauth_addrs
);
1490 ip
= (struct permitted_ip
*) malloc((n
+ 1) * sizeof(struct permitted_ip
));
1494 /* temporarily append the noauth_addrs list to addrs */
1495 for (plink
= &addrs
; *plink
!= NULL
; plink
= &(*plink
)->next
)
1497 *plink
= noauth_addrs
;
1500 for (ap
= addrs
; ap
!= NULL
; ap
= ap
->next
) {
1501 /* "-" means no addresses authorized, "*" means any address allowed */
1502 ptr_word
= ap
->word
;
1503 if (strcmp(ptr_word
, "-") == 0)
1505 if (strcmp(ptr_word
, "*") == 0) {
1507 ip
[n
].base
= ip
[n
].mask
= 0;
1513 if (*ptr_word
== '!') {
1518 mask
= ~ (u_int32_t
) 0;
1520 ptr_mask
= strchr (ptr_word
, '/');
1521 if (ptr_mask
!= NULL
) {
1525 bit_count
= (int) strtol (ptr_mask
+1, &endp
, 10);
1526 if (bit_count
<= 0 || bit_count
> 32) {
1527 warn("invalid address length %v in auth. address list",
1531 bit_count
= 32 - bit_count
; /* # bits in host part */
1533 offset
= ifunit
+ 1;
1537 warn("invalid address length syntax: %v", ptr_mask
+1);
1544 hp
= gethostbyname(ptr_word
);
1545 if (hp
!= NULL
&& hp
->h_addrtype
== AF_INET
) {
1546 a
= *(u_int32_t
*)hp
->h_addr
;
1548 np
= getnetbyname (ptr_word
);
1549 if (np
!= NULL
&& np
->n_addrtype
== AF_INET
) {
1550 a
= htonl (*(u_int32_t
*)np
->n_net
);
1551 if (ptr_mask
== NULL
) {
1552 /* calculate appropriate mask for net */
1555 mask
= IN_CLASSA_NET
;
1556 else if (IN_CLASSB(ah
))
1557 mask
= IN_CLASSB_NET
;
1558 else if (IN_CLASSC(ah
))
1559 mask
= IN_CLASSC_NET
;
1562 a
= inet_addr (ptr_word
);
1566 if (ptr_mask
!= NULL
)
1569 if (a
== (u_int32_t
)-1L) {
1570 warn("unknown host %s in auth. address list", ap
->word
);
1574 if (offset
>= ~mask
) {
1575 warn("interface unit %d too large for subnet %v",
1579 a
= htonl((ntohl(a
) & mask
) + offset
);
1580 mask
= ~(u_int32_t
)0;
1582 ip
[n
].mask
= htonl(mask
);
1583 ip
[n
].base
= a
& ip
[n
].mask
;
1585 if (~mask
== 0 && suggested_ip
== 0)
1590 ip
[n
].permit
= 0; /* make the last entry forbid all addresses */
1591 ip
[n
].base
= 0; /* to terminate the list */
1594 addresses
[unit
] = ip
;
1597 * If the address given for the peer isn't authorized, or if
1598 * the user hasn't given one, AND there is an authorized address
1599 * which is a single host, then use that if we find one.
1601 if (suggested_ip
!= 0
1602 && (wo
->hisaddr
== 0 || !auth_ip_addr(unit
, wo
->hisaddr
))) {
1603 wo
->hisaddr
= suggested_ip
;
1605 * Do we insist on this address? No, if there are other
1606 * addresses authorized than the suggested one.
1609 wo
->accept_remote
= 1;
1614 * auth_ip_addr - check whether the peer is authorized to use
1615 * a given IP address. Returns 1 if authorized, 0 otherwise.
1618 auth_ip_addr(unit
, addr
)
1624 /* don't allow loopback or multicast address */
1625 if (bad_ip_adrs(addr
))
1628 if (addresses
[unit
] != NULL
) {
1629 ok
= ip_addr_check(addr
, addresses
[unit
]);
1634 return 0; /* no addresses authorized */
1635 return allow_any_ip
|| privileged
|| !have_route_to(addr
);
1639 ip_addr_check(addr
, addrs
)
1641 struct permitted_ip
*addrs
;
1644 if ((addr
& addrs
->mask
) == addrs
->base
)
1645 return addrs
->permit
;
1649 * bad_ip_adrs - return 1 if the IP address is one we don't want
1650 * to use, such as an address in the loopback net or a multicast address.
1651 * addr is in network byte order.
1658 return (addr
>> IN_CLASSA_NSHIFT
) == IN_LOOPBACKNET
1659 || IN_MULTICAST(addr
) || IN_BADCLASS(addr
);
1663 * some_ip_ok - check a wordlist to see if it authorizes any
1668 struct wordlist
*addrs
;
1670 for (; addrs
!= 0; addrs
= addrs
->next
) {
1671 if (addrs
->word
[0] == '-')
1673 if (addrs
->word
[0] != '!')
1674 return 1; /* some IP address is allowed */
1680 * check_access - complain if a secret file has too-liberal permissions.
1683 check_access(f
, filename
)
1689 if (fstat(fileno(f
), &sbuf
) < 0) {
1690 warn("cannot stat secret file %s: %m", filename
);
1691 } else if ((sbuf
.st_mode
& (S_IRWXG
| S_IRWXO
)) != 0) {
1692 warn("Warning - secret file %s has world and/or group access",
1699 * scan_authfile - Scan an authorization file for a secret suitable
1700 * for authenticating `client' on `server'. The return value is -1
1701 * if no secret is found, otherwise >= 0. The return value has
1702 * NONWILD_CLIENT set if the secret didn't have "*" for the client, and
1703 * NONWILD_SERVER set if the secret didn't have "*" for the server.
1704 * Any following words on the line up to a "--" (i.e. address authorization
1705 * info) are placed in a wordlist and returned in *addrs. Any
1706 * following words (extra options) are placed in a wordlist and
1707 * returned in *opts.
1708 * We assume secret is NULL or points to MAXWORDLEN bytes of space.
1711 scan_authfile(f
, client
, server
, secret
, addrs
, opts
, filename
)
1716 struct wordlist
**addrs
;
1717 struct wordlist
**opts
;
1721 int got_flag
, best_flag
;
1723 struct wordlist
*ap
, *addr_list
, *alist
, **app
;
1724 char word
[MAXWORDLEN
];
1725 char atfile
[MAXWORDLEN
];
1726 char lsecret
[MAXWORDLEN
];
1733 if (!getword(f
, word
, &newline
, filename
))
1734 return -1; /* file is empty??? */
1739 * Skip until we find a word at the start of a line.
1741 while (!newline
&& getword(f
, word
, &newline
, filename
))
1744 break; /* got to end of file */
1747 * Got a client - check if it's a match or a wildcard.
1750 if (client
!= NULL
&& strcmp(word
, client
) != 0 && !ISWILD(word
)) {
1755 got_flag
= NONWILD_CLIENT
;
1758 * Now get a server and check if it matches.
1760 if (!getword(f
, word
, &newline
, filename
))
1764 if (!ISWILD(word
)) {
1765 if (server
!= NULL
&& strcmp(word
, server
) != 0)
1767 got_flag
|= NONWILD_SERVER
;
1771 * Got some sort of a match - see if it's better than what
1774 if (got_flag
<= best_flag
)
1780 if (!getword(f
, word
, &newline
, filename
))
1785 if (secret
!= NULL
) {
1787 * Special syntax: @/pathname means read secret from file.
1789 if (word
[0] == '@' && word
[1] == '/') {
1790 strlcpy(atfile
, word
+1, sizeof(atfile
));
1791 if ((sf
= fopen(atfile
, "r")) == NULL
) {
1792 warn("can't open indirect secret file %s", atfile
);
1795 check_access(sf
, atfile
);
1796 if (!getword(sf
, word
, &xxx
, atfile
)) {
1797 warn("no secret in indirect secret file %s", atfile
);
1803 strlcpy(lsecret
, word
, sizeof(lsecret
));
1807 * Now read address authorization info and make a wordlist.
1811 if (!getword(f
, word
, &newline
, filename
) || newline
)
1813 ap
= (struct wordlist
*)
1814 malloc(sizeof(struct wordlist
) + strlen(word
) + 1);
1816 novm("authorized addresses");
1817 ap
->word
= (char *) (ap
+ 1);
1818 strcpy(ap
->word
, word
);
1825 * This is the best so far; remember it.
1827 best_flag
= got_flag
;
1829 free_wordlist(addr_list
);
1832 strlcpy(secret
, lsecret
, MAXWORDLEN
);
1838 /* scan for a -- word indicating the start of options */
1839 for (app
= &addr_list
; (ap
= *app
) != NULL
; app
= &ap
->next
)
1840 if (strcmp(ap
->word
, "--") == 0)
1842 /* ap = start of options */
1844 ap
= ap
->next
; /* first option */
1845 free(*app
); /* free the "--" word */
1846 *app
= NULL
; /* terminate addr list */
1850 else if (ap
!= NULL
)
1854 else if (addr_list
!= NULL
)
1855 free_wordlist(addr_list
);
1861 * wordlist_count - return the number of items in a wordlist
1865 struct wordlist
*wp
;
1869 for (n
= 0; wp
!= NULL
; wp
= wp
->next
)
1875 * free_wordlist - release memory allocated for a wordlist.
1879 struct wordlist
*wp
;
1881 struct wordlist
*next
;
1883 while (wp
!= NULL
) {
1891 * auth_script_done - called when the auth-up or auth-down script
1895 auth_script_done(arg
)
1898 auth_script_pid
= 0;
1899 switch (auth_script_state
) {
1901 if (auth_state
== s_down
) {
1902 auth_script_state
= s_down
;
1903 auth_script(_PATH_AUTHDOWN
);
1907 if (auth_state
== s_up
) {
1908 auth_script_state
= s_up
;
1909 auth_script(_PATH_AUTHUP
);
1916 * auth_script - execute a script with arguments
1917 * interface-name peer-name real-user tty speed
1929 if ((pw
= getpwuid(getuid())) != NULL
&& pw
->pw_name
!= NULL
)
1930 user_name
= pw
->pw_name
;
1932 slprintf(struid
, sizeof(struid
), "%d", getuid());
1935 slprintf(strspeed
, sizeof(strspeed
), "%d", baud_rate
);
1939 argv
[2] = peer_authname
;
1940 argv
[3] = user_name
;
1945 auth_script_pid
= run_program(script
, argv
, 0, auth_script_done
, NULL
);