author | brian <brian@cvs.openbsd.org> | 1998-01-05 01:39:06 +0000 |
---|---|---|
committer | brian <brian@cvs.openbsd.org> | 1998-01-05 01:39:06 +0000 |
commit | bae3fcb0cfd3b34e7e50e254daa122463ed46942 (patch) | |
tree | bf25677f92fa1b5385e564c435982323341ad710 /usr.sbin/ppp | |
parent | 3b4da6f1fb7f4cb7f80286a4d5bc3e53ef8050e2 (diff) |
o Allow the use of HISADDR as the first arg to "add".
o Allow a fourth argument in ppp.secret, specifying a new
label. This gives control over which section of
ppp.link{up,down} is used based on the authenticated user.
o Support random address ranges in ppp.secret (not just in ppp.conf).
o Add a AUTHENTICATING INCOMING CONNECTIONS section to the man page.
o Add a bit more about DEFLATE in the man page.
o Fix the incorrect "you must specify a password in interactive
mode" bit of the manual.
o Space things in the man page consistently.
o Be more precice about where you can use MYADDR, HISADDR and INTERFACE
in the "add" command documentation.
Diffstat (limited to 'usr.sbin/ppp')
-rw-r--r-- | usr.sbin/ppp/auth.c | 38 | ||||
-rw-r--r-- | usr.sbin/ppp/command.c | 35 | ||||
-rw-r--r-- | usr.sbin/ppp/ipcp.c | 39 | ||||
-rw-r--r-- | usr.sbin/ppp/ipcp.h | 5 | ||||
-rw-r--r-- | usr.sbin/ppp/ppp.8 | 157 |
5 files changed, 189 insertions, 85 deletions
diff --git a/usr.sbin/ppp/auth.c b/usr.sbin/ppp/auth.c
index dcc9d40b644..42dd15bd9e6 100644
--- a/usr.sbin/ppp/auth.c
+++ b/usr.sbin/ppp/auth.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: auth.c,v 1.2 1997/12/24 09:30:22 brian Exp $
+ * $Id: auth.c,v 1.3 1998/01/05 01:39:03 brian Exp $
 *
 * TODO:
 * o Implement check against with registered IP addresses.
@@ -43,6 +43,8 @@
#include "auth.h"
#include "chat.h"
#include "systems.h"
+#include "iplist.h"
+#include "route.h"
void
LocalAuthInit()
@@ -106,7 +108,7 @@ AuthValidate(const char *fname, const char *system, const char *key)
{
FILE *fp;
int n;
- char *vector[4];
+ char *vector[5];
char buff[LINE_LEN];
char passwd[100];
@@ -125,17 +127,11 @@ AuthValidate(const char *fname, const char *system, const char *key)
ExpandString(vector[1], passwd, sizeof passwd, 0);
if (strcmp(passwd, key) == 0) {
CloseSecret(fp);
- memset(&DefHisAddress, '\0', sizeof DefHisAddress);
- n -= 2;
- if (n > 0) {
- if (ParseAddr(n--, (char const *const *)(vector+2),
- &DefHisAddress.ipaddr,
- &DefHisAddress.mask,
- &DefHisAddress.width) == 0) {
- return (0); /* Invalid */
- }
- }
+ if (n > 2 && !UseHisaddr(vector[2], 1))
+ return (0);
IpcpInit();
+ if (n > 3)
+ SetLabel(vector[3]);
return (1); /* Valid */
}
}
@@ -149,7 +145,7 @@ AuthGetSecret(const char *fname, const char *system, int len, int setaddr)
{
FILE *fp;
int n;
- char *vector[4];
+ char *vector[5];
char buff[LINE_LEN];
static char passwd[100];
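Review bot: The new `if (n > 2 && !UseHisaddr(vector[2], 1))` hard-codes setaddr to 1, so a plain hisaddr in ppp.secret now makes UseHisaddr call OsSetIpaddress during authentication, whereas the code it replaces only parsed the address and SetInterfaceAddr in this same commit only configures the interface under `mode & MODE_AUTO`. If configuring the tun interface at authentication time is deliberate, a one-line comment on that call saying so (and why the -auto check does not apply here) would stop the next reader from "fixing" it to `mode & MODE_AUTO`. The failure path is fail-closed, returning 0 after `CloseSecret(fp)` has already run, which is the right order. AuthValidate begins outside this hunk.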
@@ -169,15 +165,13 @@ AuthGetSecret(const char *fname, const char *system, int len, int setaddr)
if (setaddr) {
memset(&DefHisAddress, '\0', sizeof DefHisAddress);
}
- n -= 2;
- if (n > 0 && setaddr) {
- LogPrintf(LogDEBUG, "AuthGetSecret: n = %d, %s\n", n, vector[2]);
- if (ParseAddr(n--, (char const *const *)(vector+2),
- &DefHisAddress.ipaddr,
- &DefHisAddress.mask,
- &DefHisAddress.width) != 0)
- IpcpInit();
- }
+ if (n > 2 && setaddr)
+ if (UseHisaddr(vector[2], 1))
+ IpcpInit();
+ else
+ return NULL;
+ if (n > 3)
+ SetLabel(vector[3]);
return (passwd);
}
}
diff --git a/usr.sbin/ppp/command.c b/usr.sbin/ppp/command.c
index 6f891c8d0ab..20620341122 100644
--- a/usr.sbin/ppp/command.c
+++ b/usr.sbin/ppp/command.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: command.c,v 1.19 1997/12/30 23:22:35 brian Exp $
+ * $Id: command.c,v 1.20 1998/01/05 01:39:04 brian Exp $
 *
 */
#include <sys/param.h>
@@ -1215,6 +1215,9 @@ GetIpAddr(const char *cp)
static int
SetInterfaceAddr(struct cmdargs const *arg)
{
+ const char *hisaddr;
+
+ hisaddr = NULL;
DefMyAddress.ipaddr.s_addr = DefHisAddress.ipaddr.s_addr = 0L;
if (arg->argc > 4)
@@ -1229,11 +1232,7 @@ SetInterfaceAddr(struct cmdargs const *arg)
&DefMyAddress.mask, &DefMyAddress.width))
return 1;
if (arg->argc > 1) {
- if (strpbrk(arg->argv[1], ",-"))
- iplist_setsrc(&DefHisChoice, arg->argv[1]);
- else if (!ParseAddr(arg->argc, arg->argv+1, &DefHisAddress.ipaddr,
- &DefHisAddress.mask, &DefHisAddress.width))
- return 2;
+ hisaddr = arg->argv[1];
if (arg->argc > 2) {
ifnetmask = GetIpAddr(arg->argv[2]);
if (arg->argc > 3) {
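Review bot: The label is applied for every caller, `if (n > 3) SetLabel(vector[3]);`, while the hisaddr field just above it is only used when `setaddr` is set. If `setaddr` is what marks the side that is authenticating the peer (which is what the hisaddr guard suggests), a secret looked up merely to answer a challenge we received would also switch the active label; guarding it the same way, `if (n > 3 && setaddr) SetLabel(vector[3]);`, keeps the two fields consistent with the commit message's "based on the authenticated user". The brace-less nested `if`/`else` is correct only because the `else` binds to the inner `if`; bracing the outer `if` makes that explicit. The new early `return NULL` must also not leave `fp` open, and whether CloseSecret(fp) has already run on this path is outside the hunk, as is the start of AuthGetSecret.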
@@ -1251,30 +1250,14 @@ SetInterfaceAddr(struct cmdargs const *arg)
DefMyAddress.mask.s_addr = 0;
DefMyAddress.width = 0;
}
+ IpcpInfo.want_ipaddr.s_addr = DefMyAddress.ipaddr.s_addr;
if (DefHisAddress.ipaddr.s_addr == 0) {
DefHisAddress.mask.s_addr = 0;
DefHisAddress.width = 0;
}
- IpcpInfo.want_ipaddr.s_addr = DefMyAddress.ipaddr.s_addr;
- if (iplist_isvalid(&DefHisChoice)) {
- iplist_setrandpos(&DefHisChoice);
- IpcpInfo.his_ipaddr = ChooseHisAddr(IpcpInfo.want_ipaddr);
- if (IpcpInfo.his_ipaddr.s_addr == INADDR_ANY) {
- LogPrintf(LogWARN, "%s: None available !\n", DefHisChoice.src);
- return 3;
- }
- DefHisAddress.ipaddr.s_addr = IpcpInfo.his_ipaddr.s_addr;
- DefHisAddress.mask.s_addr = 0xffffffff;
- DefHisAddress.width = 32;
- } else {
- IpcpInfo.his_ipaddr.s_addr = DefHisAddress.ipaddr.s_addr;
- if ((mode & MODE_AUTO) &&
- OsSetIpaddress(DefMyAddress.ipaddr, DefHisAddress.ipaddr) < 0) {
- DefMyAddress.ipaddr.s_addr = DefHisAddress.ipaddr.s_addr = 0L;
- return 4;
- }
- }
+ if (hisaddr && !UseHisaddr(hisaddr, mode & MODE_AUTO))
+ return 4;
return 0;
}
@@ -1525,6 +1508,8 @@ AddCommand(struct cmdargs const *arg)
else {
if (strcasecmp(arg->argv[0], "MYADDR") == 0)
dest = IpcpInfo.want_ipaddr;
+ else if (strcasecmp(arg->argv[0], "HISADDR") == 0)
+ dest = IpcpInfo.his_ipaddr;
else
dest = GetIpAddr(arg->argv[0]);
netmask = GetIpAddr(arg->argv[1]);
diff --git a/usr.sbin/ppp/ipcp.c b/usr.sbin/ppp/ipcp.c
index cbb777e61c5..e5652171066 100644
--- a/usr.sbin/ppp/ipcp.c
+++ b/usr.sbin/ppp/ipcp.c
@@ -17,7 +17,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: ipcp.c,v 1.9 1997/12/27 13:45:19 brian Exp $
+ * $Id: ipcp.c,v 1.10 1998/01/05 01:39:04 brian Exp $
 *
 * TODO:
 * o More RFC1772 backwoard compatibility
@@ -55,6 +55,7 @@
#include "ip.h"
#include "throughput.h"
#include "route.h"
+#include "filter.h"
#ifndef NOMSEXT
struct in_addr ns_entries[2];
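Review bot: The `if (DefHisAddress.ipaddr.s_addr == 0)` test kept as context is now always true at this point: the field is zeroed at the top of SetInterfaceAddr, the hisaddr argument is no longer parsed into it but only remembered as a pointer, and UseHisaddr memsets the whole structure itself when it finally runs, so unless the part of the function not shown assigns it, the block has become an unconditional reset of mask and width. Either drop the condition or add a comment such as `/* hisaddr (if any) is applied by UseHisaddr below, which resets DefHisAddress */` so the next reader does not look for the missing assignment. The three distinct failure codes 2, 3 and 4 of the removed code also collapse into the single `return 4;`; that is fine if callers only test for non-zero, but a short comment on that line would make the intent clear. SetInterfaceAddr begins outside this hunk.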
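Review bot: The new `dest = IpcpInfo.his_ipaddr;` has no guard for the case where the peer's address has not been assigned yet, so `add HISADDR mask gw` issued before IPCP (or ppp.secret) has set it would install a route for destination 0.0.0.0 instead of failing; UseHisaddr in this same commit treats `his_ipaddr.s_addr == INADDR_ANY` as "none available", which suggests that is the unassigned state. The man page text in this commit documents a fallback to INTERFACE only for the gateway position, not for the destination. A check such as `if (dest.s_addr == INADDR_ANY) { LogPrintf(LogWARN, "add: HISADDR not yet assigned\n"); return 1; }` (using whatever value AddCommand returns for usage errors, which is not visible here) closes that gap. AddCommand begins and ends outside this hunk.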
@@ -631,3 +632,39 @@ IpcpInput(struct mbuf * bp)
{
FsmInput(&IpcpFsm, bp);
}
+
+int
+UseHisaddr(const char *hisaddr, int setaddr)
+{
+ memset(&DefHisAddress, '\0', sizeof DefHisAddress);
+ iplist_reset(&DefHisChoice);
+ if (strpbrk(hisaddr, ",-")) {
+ iplist_setsrc(&DefHisChoice, hisaddr);
+ if (iplist_isvalid(&DefHisChoice)) {
+ iplist_setrandpos(&DefHisChoice);
+ IpcpInfo.his_ipaddr = ChooseHisAddr(IpcpInfo.want_ipaddr);
+ if (IpcpInfo.his_ipaddr.s_addr == INADDR_ANY) {
+ LogPrintf(LogWARN, "%s: None available !\n", DefHisChoice.src);
+ return(0);
+ }
+ DefHisAddress.ipaddr.s_addr = IpcpInfo.his_ipaddr.s_addr;
+ DefHisAddress.mask.s_addr = 0xffffffff;
+ DefHisAddress.width = 32;
+ } else {
+ LogPrintf(LogWARN, "%s: Invalid range !\n", hisaddr);
+ return 0;
+ }
+ } else if (ParseAddr(1, &hisaddr, &DefHisAddress.ipaddr,
+ &DefHisAddress.mask, &DefHisAddress.width) != 0) {
+ IpcpInfo.his_ipaddr.s_addr = DefHisAddress.ipaddr.s_addr;
+
+ if (setaddr && OsSetIpaddress
+ (DefMyAddress.ipaddr, DefHisAddress.ipaddr) < 0) {
+ DefMyAddress.ipaddr.s_addr = DefHisAddress.ipaddr.s_addr = 0L;
+ return 0;
+ }
+ } else
+ return 0;
+
+ return 1;
+}
diff --git a/usr.sbin/ppp/ipcp.h b/usr.sbin/ppp/ipcp.h
index a8522ce7f5b..d9d48147cf6 100644
--- a/usr.sbin/ppp/ipcp.h
+++ b/usr.sbin/ppp/ipcp.h
@@ -15,7 +15,7 @@
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
- * $Id: ipcp.h,v 1.2 1997/12/15 22:44:53 brian Exp $
+ * $Id: ipcp.h,v 1.3 1998/01/05 01:39:05 brian Exp $
 *
 * TODO:
 */
@@ -74,7 +74,8 @@ extern void IpcpInit(void);
extern void IpcpDefAddress(void);
extern void IpcpUp(void);
extern void IpcpOpen(void);
-extern int ReportIpcpStatus(struct cmdargs const *);
+extern int ReportIpcpStatus(struct cmdargs const *);
extern void IpcpInput(struct mbuf *);
extern void IpcpAddInOctets(int);
extern void IpcpAddOutOctets(int);
+extern int UseHisaddr(const char *, int);
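Review bot: On its failure paths UseHisaddr leaves IpcpInfo.his_ipaddr out of step with DefHisAddress: DefHisAddress is memset on entry, but when the range is invalid or ParseAddr fails (`} else return 0;`) his_ipaddr keeps whatever it held from an earlier call, and when OsSetIpaddress fails it keeps the address that was just parsed and never configured while DefMyAddress and DefHisAddress are zeroed. Since `add HISADDR` in this commit reads IpcpInfo.his_ipaddr directly, a stale value there can end up in a route. Unless something relies on the old value surviving a failed call, add `IpcpInfo.his_ipaddr.s_addr = INADDR_ANY;` next to the memset on entry and repeat it on the line that zeroes DefMyAddress/DefHisAddress after the OsSetIpaddress failure. The function also mixes `return(0)` and `return 0`; one form throughout would match the rest of the file.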
diff --git a/usr.sbin/ppp/ppp.8 b/usr.sbin/ppp/ppp.8 index 371edc884d4..8014fec5449 100644 --- a/usr.sbin/ppp/ppp.8 +++ b/usr.sbin/ppp/ppp.8 @@ -1,4 +1,4 @@ -.\" $Id: ppp.8,v 1.13 1998/01/04 21:28:59 brian Exp $ +.\" $Id: ppp.8,v 1.14 1998/01/05 01:39:05 brian Exp $ .Dd 20 September 1995 .Os OpenBSD .Dt PPP 8 @@ -174,7 +174,9 @@ your kernel should include a tunnel device (the GENERIC kernel includes one by default). If it doesn't, or if you require more than one tun interface, you'll need to rebuild your kernel with the following line in your kernel configuration file: +.Pp .Dl pseudo-device tun N +.Pp where .Ar N is the maximum number of @@ -199,8 +201,11 @@ to log information. A common log file name is To make output go to this file, put the following lines in the .Pa /etc/syslog.conf file: -.Dl !ppp -.Dl *.*<TAB>/var/log/ppp.log +.Bd -literal -offset indent +!ppp +*.*<TAB>/var/log/ppp.log +.Ed +.Pp Make sure you use actual TABs here. If you use spaces, the line will be silently ignored. It is possible to have more than one @@ -208,11 +213,16 @@ It is possible to have more than one log file by creating a link to the .Nm executable: +.Pp .Dl # cd /usr/sbin .Dl # ln ppp ppp0 +.Pp and using -.Dl !ppp0 -.Dl *.* /var/log/ppp0.log +.Bd -literal -offset indent +!ppp0 +*.* /var/log/ppp0.log +.Ed +.Pp in .Pa /etc/syslog.conf . Don't forget to send a 
@@ -224,24 +234,25 @@ after altering .Sh MANUAL DIALING In the following examples, we assume that your machine name is .Dv awfulhak . -If you set your host name and password in -.Pa /etc/ppp/ppp.secret , -you can't do anything except run the help, passwd and quit commands. -.Bd -literal -offset indent -ppp on "your host name"> help - help : Display this message - passwd : Password for security - quit : Quit the PPP program -ppp on awfulhak> pass <password> -.Ed -.Pp -The "on" part of your prompt will change to "ON" if you specify the -correct password. +when you invoke +.Nm +(see +.Em PERMISSIONS +above) with no arguments, you are presented with a prompt: .Bd -literal -offset indent ppp ON awfulhak> .Ed .Pp -You can now specify the device name, speed and parity for your modem, +The +.Sq ON +part of your prompt should always be in upper case. If it is in lower +case, it means that you must supply a password using the +.Dq passwd +command. This only ever happens if you connect to a running version of +.Nm +and have not authenticated yourself using the correct password. +.Pp +You can start by specifying the device name, speed and parity for your modem, and whether CTS/RTS signalling should be used (CTS/RTS is used by default). If your hardware does not provide CTS/RTS lines (as may happen when you are connected directly to certain PPP-capable @@ -585,8 +596,10 @@ command is honoured, as is the reconnect tries value. If your redial value is less than the number of phone numbers specified, not all the specified numbers will be tried. To terminate the program, type - PPP ON awfulhak> close - ppp ON awfulhak> quit all +.Bd -literal -offset indent +PPP ON awfulhak> close +ppp ON awfulhak> quit all +.Ed .Pp A simple .Dq quit 
@@ -714,6 +727,54 @@ from a line like .Dl /AutoPPP/ - - /etc/ppp/ppp-pap-dialup .El .Pp +.Sh AUTHENTICATING INCOMING CONNECTIONS +Normally, the receiver of a connection requires that the peer +authenticates themself. This may be done using +.Xr login 1 , +but alternatively, you can use PAP or CHAP. CHAP is the more secure +of the two, but some clients may not support it. Once you decide which +you wish to use, add the command +.Sq enable chap +or +.Sq enable pap +to the relevent section of +.Pa ppp.conf . +.Pp +You must then configure the +.Pa /etc/ppp/ppp.secret +file. This file contains one line per possible client, each line +containing up to four fields: +.Bd -literal -offset indent +name key [hisaddr [label]] +.Ed +.Pp +The +.Ar name +and +.Ar key +specify the client as expected. If the client does not offer a suitable +response based on any +.Ar name No / Ar key +combination in +.Pa ppp.secret , +authentication fails. +.Pp +If authentication is successful, +.Ar hisaddr +.Pq if specified +is used when negotiating IP numbers. See the +.Dq set ifaddr +command for details. +.Pp +If authentication is successful and +.Ar label +is specified, the current system label is changed to match the given +.Ar label . +This will change the subsequent parsing of the +.Pa ppp.linkup +and +.Pa ppp.linkdown +files. .Sh PPP OVER TCP (a.k.a Tunneling) Instead of running .Nm 
@@ -922,17 +983,26 @@ closed, though the .Nm program itself remains running. Another trigger packet will cause it to attempt to reestablish the link. -.Sh PREDICTOR-1 COMPRESSION -This version supports CCP and Predictor type 1 compression based on -the current IETF-draft specs. As a default behaviour, -.Nm -will attempt to use (or be willing to accept) this capability when the -peer agrees (or requests it). -To disable CCP/predictor1 functionality completely, use the -.Dq disable pred1 +.Sh PREDICTOR-1 and DEFLATE COMPRESSION +This version supports CCP and Predictor type 1 or deflate compression +based on the current IETF-draft specs. As a default behaviour, +.Nm +will attempt to use (or be willing to accept) both compression protocols +when the peer agrees +.Pq or requests them . +The deflate protocol is preferred by +.Nm ppp . +Refer to the +.Dq disable and -.Dq deny pred1 -commands. +.Dq deny +commands if you wish to disable this functionality. +.Pp +It is possible to use a different algorithm in each direction by using +only one of +.Dq disable deflate +and +.Dq deny deflate . .Sh CONTROLLING IP ADDRESS .Nm uses IPCP to negotiate IP addresses. Each side of the connection @@ -1001,7 +1071,9 @@ it is often the case that one side is acting as a server which controls all IP addresses and the other side should obey the direction from it. In order to allow more flexible behaviour, `ifaddr' variable allows the user to specify IP address more loosely: +.Pp .Dl set ifaddr 192.244.177.38/24 192.244.177.2/20 +.Pp A number followed by a slash (/) represent the number of bits significant in the IP address. The above example signifies that: .Bl -bullet -compact 
@@ -1584,20 +1656,27 @@ arguments. is the next hop gateway to get to the given .Ar dest machine/network. It is possible to use the symbolic names +.Sq MYADDR +and +.Sq HISADDR +as the destination, and either .Sq HISADDR or .Sq INTERFACE as the .Ar gateway . -.Sq INTERFACE -is replaced with the current interface name and +.Sq MYADDR +is replaced with the interface address, .Sq HISADDR -is replaced with the current interface address. If the current interface +is replaced with the interfaces destination address and +.Sq INTERFACE +is replaced with the current interface name. If the interfaces destination address has not yet been assigned .Pq via Dq set ifaddr , the current .Sq INTERFACE -is used instead. +is used instead of +.Sq HISADDR . .Pp Refer to the .Dq set ifaddr @@ -2127,6 +2206,14 @@ file should be used instead). Use to restrict the current profile to .Fl auto mode only. +.Pp +Note also that the +.Ar hisaddr +argument may be overridden in the +.Pa ppp.secret +file once the client has authenticated themself. Refer to the +.Em AUTHENTICATING INCOMING CONNECTIONS +section for details. .It set loopback on|off When set to .Ar on |