authorKazuya Goda <goda@cvs.openbsd.org>2017-08-11 16:41:48 +0000
committerKazuya Goda <goda@cvs.openbsd.org>2017-08-11 16:41:48 +0000
commite74eb6ce1f0e541ef95e268a7fe73938a1532b38 (patch)
tree04acedc8a14d8a91fd859eae969db5534cbe3cfe /usr.sbin
parent2505fbe0b98d38a2ec729a1e7561a84500c843d0 (diff)
add a new option to set limits on user-max-sessions each AUTHENTICATION.
It allows setting different user-max-session limits when several protocols, such as PPPoE and L2TP/IPsec, are in use. ok yasuoka@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/npppd/npppd/npppd.c30
-rw-r--r--usr.sbin/npppd/npppd/npppd.conf.58
-rw-r--r--usr.sbin/npppd/npppd/npppd.h3
-rw-r--r--usr.sbin/npppd/npppd/npppd_auth.c21
-rw-r--r--usr.sbin/npppd/npppd/npppd_auth.h4
-rw-r--r--usr.sbin/npppd/npppd/npppd_auth_local.h4
-rw-r--r--usr.sbin/npppd/npppd/parse.y5
-rw-r--r--usr.sbin/npppd/npppd/ppp.c7
8 files changed, 60 insertions, 22 deletions
diff --git a/usr.sbin/npppd/npppd/npppd.c b/usr.sbin/npppd/npppd/npppd.c
index 198dce790ac..9f463886918 100644
--- a/usr.sbin/npppd/npppd/npppd.c
+++ b/usr.sbin/npppd/npppd/npppd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: npppd.c,v 1.45 2017/04/18 03:28:04 yasuoka Exp $ */
+/* $OpenBSD: npppd.c,v 1.46 2017/08/11 16:41:47 goda Exp $ */
/*-
* Copyright (c) 2005-2008,2009 Internet Initiative Japan Inc.
@@ -29,7 +29,7 @@
* Next pppd(nppd). This file provides a npppd daemon process and operations
* for npppd instance.
* @author Yasuoka Masahiko
- * $Id: npppd.c,v 1.45 2017/04/18 03:28:04 yasuoka Exp $
+ * $Id: npppd.c,v 1.46 2017/08/11 16:41:47 goda Exp $
*/
#include "version.h"
#include <sys/param.h> /* ALIGNED_POINTER */
@@ -800,25 +800,37 @@ npppd_get_ppp_by_id(npppd *_this, u_int ppp_id)
int
npppd_check_user_max_session(npppd *_this, npppd_ppp *ppp)
{
- int count;
+ int global_count, realm_count;
npppd_ppp *ppp1;
slist *uppp;
/* user_max_session == 0 means unlimit */
- if (_this->conf.user_max_session == 0)
+ if (_this->conf.user_max_session == 0 &&
+ npppd_auth_user_session_unlimited(ppp->realm))
return 1;
- count = 0;
+ global_count = realm_count = 0;
if ((uppp = npppd_get_ppp_by_user(_this, ppp->username)) != NULL) {
for (slist_itr_first(uppp); slist_itr_has_next(uppp); ) {
ppp1 = slist_itr_next(uppp);
- if (strcmp(ppp_iface(ppp)->ifname,
- ppp_iface(ppp1)->ifname) == 0)
- count++;
+ if (ppp->realm == ppp1->realm)
+ realm_count++;
+ global_count++;
}
}
- return (count < _this->conf.user_max_session)? 1 : 0;
+ if (npppd_check_auth_user_max_session(ppp->realm, realm_count)) {
+ ppp_log(ppp, LOG_WARNING,
+ "user %s exceeds user-max-session limit per auth",
+ ppp->username);
+ return 0;
+ } else if (_this->conf.user_max_session != 0 &&
+ _this->conf.user_max_session <= global_count) {
+ ppp_log(ppp, LOG_WARNING,
+ "user %s exceeds user-max-session limit", ppp->username);
+ return 0;
+ } else
+ return 1;
}
/***********************************************************************
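Review bot: The comment `/* user_max_session == 0 means unlimit */` above the early return now describes only half of the condition, since the return also requires the realm's own limit to be unlimited; `/* 0 means unlimited, for both the global and the per-authentication limit */` would match the code. The two warnings are nearly identical and the per-auth one does not say which realm's limit fired; logging the realm name (through the name accessor in npppd_auth.h) next to `ppp->username` would let an operator tell a PPPoE limit from an L2TP one when both are configured, which is the case this change targets. Both new calls dereference `ppp->realm` with no NULL check (the helpers read `_this->user_max_session` directly, see the npppd_auth.c hunk); the one visible caller, ppp_auth_ok in the ppp.c hunk, only reaches here under `peer_auth != 0`, so a realm is presumably always attached, but that precondition is worth stating in the function comment since the old code never touched the realm.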
diff --git a/usr.sbin/npppd/npppd/npppd.conf.5 b/usr.sbin/npppd/npppd/npppd.conf.5
index 493ac3dde24..3347c573a4a 100644
--- a/usr.sbin/npppd/npppd/npppd.conf.5
+++ b/usr.sbin/npppd/npppd/npppd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: npppd.conf.5,v 1.19 2017/02/22 10:16:14 patrick Exp $
+.\" $OpenBSD: npppd.conf.5,v 1.20 2017/08/11 16:41:47 goda Exp $
.\"
.\" Copyright (c) 2012 YASUOKA Masahiko <yasuoka@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: February 22 2017 $
+.Dd $Mdocdate: August 11 2017 $
.Dt NPPPD.CONF 5
.Os
.Sh NAME
@@ -621,6 +621,10 @@ See
.Ic authentication-server
section for details of
.Ar radius-config .
+.It Ic user-max-session Ar number
+Specify the maximum number of sessions for each user for this
+.Ic authentication
+setting.
.El
.Sh BIND
.Ic bind
diff --git a/usr.sbin/npppd/npppd/npppd.h b/usr.sbin/npppd/npppd/npppd.h
index 9f583fbea6e..a1dd27a0133 100644
--- a/usr.sbin/npppd/npppd/npppd.h
+++ b/usr.sbin/npppd/npppd/npppd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: npppd.h,v 1.17 2015/12/05 16:10:31 yasuoka Exp $ */
+/* $OpenBSD: npppd.h,v 1.18 2017/08/11 16:41:47 goda Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -161,6 +161,7 @@ struct authconf {
bool strip_nt_domain;
bool strip_atmark_realm;
char users_file_path[PATH_MAX];
+ int user_max_session;
union {
struct {
struct radconf auth;
diff --git a/usr.sbin/npppd/npppd/npppd_auth.c b/usr.sbin/npppd/npppd/npppd_auth.c
index 4ba3f0e8f7a..a732050408d 100644
--- a/usr.sbin/npppd/npppd/npppd_auth.c
+++ b/usr.sbin/npppd/npppd/npppd_auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: npppd_auth.c,v 1.19 2017/02/22 07:48:26 yasuoka Exp $ */
+/* $OpenBSD: npppd_auth.c,v 1.20 2017/08/11 16:41:47 goda Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -26,7 +26,7 @@
* SUCH DAMAGE.
*/
/**@file authentication realm */
-/* $Id: npppd_auth.c,v 1.19 2017/02/22 07:48:26 yasuoka Exp $ */
+/* $Id: npppd_auth.c,v 1.20 2017/08/11 16:41:47 goda Exp $ */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
@@ -193,6 +193,7 @@ npppd_auth_reload(npppd_auth_base *base)
base->strip_atmark_realm = auth->strip_atmark_realm;
base->has_users_file = 0;
base->radius_ready = 0;
+ base->user_max_session = auth->user_max_session;
if (strlen(auth->users_file_path) > 0) {
strlcpy(base->users_file_path, auth->users_file_path,
@@ -461,6 +462,22 @@ npppd_auth_username_for_auth(npppd_auth_base *base, const char *username,
return username_buffer;
}
+int
+npppd_auth_user_session_unlimited(npppd_auth_base *_this)
+{
+ return (_this->user_max_session == 0) ? 1 : 0;
+}
+
+int
+npppd_check_auth_user_max_session(npppd_auth_base *_this, int count)
+{
+ if (!npppd_auth_user_session_unlimited(_this) &&
+ _this->user_max_session <= count)
+ return 1;
+ else
+ return 0;
+}
+
/***********************************************************************
* Account list related functions
***********************************************************************/
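Review bot: `npppd_check_auth_user_max_session` returns 1 when the limit has been reached (a reject), while its caller `npppd_check_user_max_session` in npppd.c returns 1 when the session is allowed; two near-identical names with opposite senses invite a mistaken call, and the new name also drops the `npppd_auth_` prefix every other export in npppd_auth.h carries. Neither new function has the `/** */` comment this file uses; I would add `/** Return 1 if the realm sets no per-user session limit (user_max_session == 0). */` on the first and `/** Return 1 if the realm's per-user session limit is set and already reached by count, 0 otherwise (including the unlimited case). */` on the second. Both read `_this->user_max_session` without a NULL check, so callers must guarantee a realm is attached; either a `_this != NULL` precondition in those comments or a guard treating a missing realm as unlimited would make that contract explicit.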
diff --git a/usr.sbin/npppd/npppd/npppd_auth.h b/usr.sbin/npppd/npppd/npppd_auth.h
index 8008583152a..1d72957ea56 100644
--- a/usr.sbin/npppd/npppd/npppd_auth.h
+++ b/usr.sbin/npppd/npppd/npppd_auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: npppd_auth.h,v 1.8 2014/07/12 14:04:18 yasuoka Exp $ */
+/* $OpenBSD: npppd_auth.h,v 1.9 2017/08/11 16:41:47 goda Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -83,6 +83,8 @@ const char *npppd_auth_get_suffix (npppd_auth_base *);
const char *npppd_auth_username_for_auth (npppd_auth_base *, const char *, char *);
void *npppd_auth_radius_get_radius_auth_setting (npppd_auth_radius *);
void *npppd_auth_radius_get_radius_acct_setting (npppd_auth_radius *);
+int npppd_auth_user_session_unlimited(npppd_auth_base *);
+int npppd_check_auth_user_max_session(npppd_auth_base *, int);
#ifdef __cplusplus
}
diff --git a/usr.sbin/npppd/npppd/npppd_auth_local.h b/usr.sbin/npppd/npppd/npppd_auth_local.h
index d027b7ff65f..2ae55d2abc5 100644
--- a/usr.sbin/npppd/npppd/npppd_auth_local.h
+++ b/usr.sbin/npppd/npppd/npppd_auth_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: npppd_auth_local.h,v 1.7 2014/03/22 04:23:17 yasuoka Exp $ */
+/* $OpenBSD: npppd_auth_local.h,v 1.8 2017/08/11 16:41:47 goda Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -56,6 +56,8 @@ struct _npppd_auth_base {
char users_file_path[64];
/** last load time */
time_t last_load;
+ /**counter of sessions from this auth */
+ int user_max_session;
};
#ifdef USE_NPPPD_RADIUS
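Review bot: The comment on the new field, `/**counter of sessions from this auth */`, calls it a counter, but the field holds the configured limit: npppd_auth_reload copies `auth->user_max_session` into it and the new check compares a separately computed count against it. `/** maximum number of sessions per user for this realm; 0 means unlimited */` states what is actually stored. The mismatch matters because a maintainer reading "counter" may start incrementing it and silently turn the limit into something else.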
diff --git a/usr.sbin/npppd/npppd/parse.y b/usr.sbin/npppd/npppd/parse.y
index 23cf71c6ae4..6b4c1291396 100644
--- a/usr.sbin/npppd/npppd/parse.y
+++ b/usr.sbin/npppd/npppd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.17 2015/10/11 07:16:01 guenther Exp $ */
+/* $OpenBSD: parse.y,v 1.18 2017/08/11 16:41:47 goda Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -676,6 +676,9 @@ authopt : USERNAME_SUFFIX STRING {
sizeof(curr_authconf->users_file_path));
free($2);
}
+ | USER_MAX_SESSION NUMBER {
+ curr_authconf->user_max_session = $2;
+ }
| AUTHENTICATION_SERVER {
if (curr_authconf->auth_type != NPPPD_AUTH_TYPE_RADIUS){
yyerror("`authentication-server' can not be "
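Review bot: The new `USER_MAX_SESSION NUMBER` rule stores `$2` into `curr_authconf->user_max_session` with no range check. If the lexer admits a negative NUMBER (I cannot see it from this hunk), a negative value makes `user_max_session <= count` in npppd_check_auth_user_max_session true for every count, so every session in that realm is refused with the new warning instead of the configuration being rejected at load time. Reporting the bad value through yyerror, as the neighbouring `authentication-server` rule does for its error, keeps a configuration typo from locking all users of that realm out; if NUMBER is wider than int, an upper bound against INT_MAX would belong in the same check.
```yacc
		| USER_MAX_SESSION NUMBER {
			if ($2 < 0) {
				yyerror("user-max-session must be a "
				    "non-negative number");
				YYERROR;
			}
			curr_authconf->user_max_session = $2;
		}
```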
diff --git a/usr.sbin/npppd/npppd/ppp.c b/usr.sbin/npppd/npppd/ppp.c
index eed3a956131..2402cb01a33 100644
--- a/usr.sbin/npppd/npppd/ppp.c
+++ b/usr.sbin/npppd/npppd/ppp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ppp.c,v 1.26 2015/12/05 18:43:36 mmcc Exp $ */
+/* $OpenBSD: ppp.c,v 1.27 2017/08/11 16:41:47 goda Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
-/* $Id: ppp.c,v 1.26 2015/12/05 18:43:36 mmcc Exp $ */
+/* $Id: ppp.c,v 1.27 2017/08/11 16:41:47 goda Exp $ */
/**@file
* This file provides PPP(Point-to-Point Protocol, RFC 1661) and
* {@link :: _npppd_ppp PPP instance} related functions.
@@ -583,9 +583,6 @@ ppp_auth_ok(npppd_ppp *_this)
if (_this->peer_auth != 0) {
/* Limit the number of connections per the user */
if (!npppd_check_user_max_session(_this->pppd, _this)) {
- ppp_log(_this, LOG_WARNING,
- "user %s exceeds user-max-session limit",
- _this->username);
ppp_stop(_this, NULL);
return;