diff options
author | Kazuya Goda <goda@cvs.openbsd.org> | 2017-08-11 16:41:48 +0000 |
---|---|---|
committer | Kazuya Goda <goda@cvs.openbsd.org> | 2017-08-11 16:41:48 +0000 |
commit | e74eb6ce1f0e541ef95e268a7fe73938a1532b38 (patch) | |
tree | 04acedc8a14d8a91fd859eae969db5534cbe3cfe /usr.sbin | |
parent | 2505fbe0b98d38a2ec729a1e7561a84500c843d0 (diff) |
add a new option to set limits on user-max-sessions each AUTHENTICATION.
It can set limits on different user-max-sessions if there're using several
protocols such as PPPoE and L2TP/IPsec.
ok yasuoka@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/npppd/npppd/npppd.c | 30 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/npppd.conf.5 | 8 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/npppd.h | 3 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/npppd_auth.c | 21 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/npppd_auth.h | 4 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/npppd_auth_local.h | 4 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/parse.y | 5 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/ppp.c | 7 |
8 files changed, 60 insertions, 22 deletions
diff --git a/usr.sbin/npppd/npppd/npppd.c b/usr.sbin/npppd/npppd/npppd.c index 198dce790ac..9f463886918 100644 --- a/usr.sbin/npppd/npppd/npppd.c +++ b/usr.sbin/npppd/npppd/npppd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd.c,v 1.45 2017/04/18 03:28:04 yasuoka Exp $ */ +/* $OpenBSD: npppd.c,v 1.46 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2005-2008,2009 Internet Initiative Japan Inc. @@ -29,7 +29,7 @@ * Next pppd(nppd). This file provides a npppd daemon process and operations * for npppd instance. * @author Yasuoka Masahiko - * $Id: npppd.c,v 1.45 2017/04/18 03:28:04 yasuoka Exp $ + * $Id: npppd.c,v 1.46 2017/08/11 16:41:47 goda Exp $ */ #include "version.h" #include <sys/param.h> /* ALIGNED_POINTER */ @@ -800,25 +800,37 @@ npppd_get_ppp_by_id(npppd *_this, u_int ppp_id) int npppd_check_user_max_session(npppd *_this, npppd_ppp *ppp) { - int count; + int global_count, realm_count; npppd_ppp *ppp1; slist *uppp; /* user_max_session == 0 means unlimit */ - if (_this->conf.user_max_session == 0) + if (_this->conf.user_max_session == 0 && + npppd_auth_user_session_unlimited(ppp->realm)) return 1; - count = 0; + global_count = realm_count = 0; if ((uppp = npppd_get_ppp_by_user(_this, ppp->username)) != NULL) { for (slist_itr_first(uppp); slist_itr_has_next(uppp); ) { ppp1 = slist_itr_next(uppp); - if (strcmp(ppp_iface(ppp)->ifname, - ppp_iface(ppp1)->ifname) == 0) - count++; + if (ppp->realm == ppp1->realm) + realm_count++; + global_count++; } } - return (count < _this->conf.user_max_session)? 1 : 0; + if (npppd_check_auth_user_max_session(ppp->realm, realm_count)) { + ppp_log(ppp, LOG_WARNING, + "user %s exceeds user-max-session limit per auth", + ppp->username); + return 0; + } else if (_this->conf.user_max_session != 0 && + _this->conf.user_max_session <= global_count) { + ppp_log(ppp, LOG_WARNING, + "user %s exceeds user-max-session limit", ppp->username); + return 0; + } else + return 1; } /*********************************************************************** diff --git a/usr.sbin/npppd/npppd/npppd.conf.5 b/usr.sbin/npppd/npppd/npppd.conf.5 index 493ac3dde24..3347c573a4a 100644 --- a/usr.sbin/npppd/npppd/npppd.conf.5 +++ b/usr.sbin/npppd/npppd/npppd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: npppd.conf.5,v 1.19 2017/02/22 10:16:14 patrick Exp $ +.\" $OpenBSD: npppd.conf.5,v 1.20 2017/08/11 16:41:47 goda Exp $ .\" .\" Copyright (c) 2012 YASUOKA Masahiko <yasuoka@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 22 2017 $ +.Dd $Mdocdate: August 11 2017 $ .Dt NPPPD.CONF 5 .Os .Sh NAME @@ -621,6 +621,10 @@ See .Ic authentication-server section for details of .Ar radius-config . +.It Ic user-max-session Ar number +Specify the maximum number of sessions for each user for this +.Ic authentication +setting. .El .Sh BIND .Ic bind diff --git a/usr.sbin/npppd/npppd/npppd.h b/usr.sbin/npppd/npppd/npppd.h index 9f583fbea6e..a1dd27a0133 100644 --- a/usr.sbin/npppd/npppd/npppd.h +++ b/usr.sbin/npppd/npppd/npppd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd.h,v 1.17 2015/12/05 16:10:31 yasuoka Exp $ */ +/* $OpenBSD: npppd.h,v 1.18 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -161,6 +161,7 @@ struct authconf { bool strip_nt_domain; bool strip_atmark_realm; char users_file_path[PATH_MAX]; + int user_max_session; union { struct { struct radconf auth; diff --git a/usr.sbin/npppd/npppd/npppd_auth.c b/usr.sbin/npppd/npppd/npppd_auth.c index 4ba3f0e8f7a..a732050408d 100644 --- a/usr.sbin/npppd/npppd/npppd_auth.c +++ b/usr.sbin/npppd/npppd/npppd_auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd_auth.c,v 1.19 2017/02/22 07:48:26 yasuoka Exp $ */ +/* $OpenBSD: npppd_auth.c,v 1.20 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -26,7 +26,7 @@ * SUCH DAMAGE. */ /**@file authentication realm */ -/* $Id: npppd_auth.c,v 1.19 2017/02/22 07:48:26 yasuoka Exp $ */ +/* $Id: npppd_auth.c,v 1.20 2017/08/11 16:41:47 goda Exp $ */ #include <sys/types.h> #include <sys/stat.h> #include <sys/socket.h> @@ -193,6 +193,7 @@ npppd_auth_reload(npppd_auth_base *base) base->strip_atmark_realm = auth->strip_atmark_realm; base->has_users_file = 0; base->radius_ready = 0; + base->user_max_session = auth->user_max_session; if (strlen(auth->users_file_path) > 0) { strlcpy(base->users_file_path, auth->users_file_path, @@ -461,6 +462,22 @@ npppd_auth_username_for_auth(npppd_auth_base *base, const char *username, return username_buffer; } +int +npppd_auth_user_session_unlimited(npppd_auth_base *_this) +{ + return (_this->user_max_session == 0) ? 1 : 0; +} + +int +npppd_check_auth_user_max_session(npppd_auth_base *_this, int count) +{ + if (!npppd_auth_user_session_unlimited(_this) && + _this->user_max_session <= count) + return 1; + else + return 0; +} + /*********************************************************************** * Account list related functions ***********************************************************************/ diff --git a/usr.sbin/npppd/npppd/npppd_auth.h b/usr.sbin/npppd/npppd/npppd_auth.h index 8008583152a..1d72957ea56 100644 --- a/usr.sbin/npppd/npppd/npppd_auth.h +++ b/usr.sbin/npppd/npppd/npppd_auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd_auth.h,v 1.8 2014/07/12 14:04:18 yasuoka Exp $ */ +/* $OpenBSD: npppd_auth.h,v 1.9 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -83,6 +83,8 @@ const char *npppd_auth_get_suffix (npppd_auth_base *); const char *npppd_auth_username_for_auth (npppd_auth_base *, const char *, char *); void *npppd_auth_radius_get_radius_auth_setting (npppd_auth_radius *); void *npppd_auth_radius_get_radius_acct_setting (npppd_auth_radius *); +int npppd_auth_user_session_unlimited(npppd_auth_base *); +int npppd_check_auth_user_max_session(npppd_auth_base *, int); #ifdef __cplusplus } diff --git a/usr.sbin/npppd/npppd/npppd_auth_local.h b/usr.sbin/npppd/npppd/npppd_auth_local.h index d027b7ff65f..2ae55d2abc5 100644 --- a/usr.sbin/npppd/npppd/npppd_auth_local.h +++ b/usr.sbin/npppd/npppd/npppd_auth_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: npppd_auth_local.h,v 1.7 2014/03/22 04:23:17 yasuoka Exp $ */ +/* $OpenBSD: npppd_auth_local.h,v 1.8 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -56,6 +56,8 @@ struct _npppd_auth_base { char users_file_path[64]; /** last load time */ time_t last_load; + /**counter of sessions from this auth */ + int user_max_session; }; #ifdef USE_NPPPD_RADIUS diff --git a/usr.sbin/npppd/npppd/parse.y b/usr.sbin/npppd/npppd/parse.y index 23cf71c6ae4..6b4c1291396 100644 --- a/usr.sbin/npppd/npppd/parse.y +++ b/usr.sbin/npppd/npppd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.17 2015/10/11 07:16:01 guenther Exp $ */ +/* $OpenBSD: parse.y,v 1.18 2017/08/11 16:41:47 goda Exp $ */ /* * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -676,6 +676,9 @@ authopt : USERNAME_SUFFIX STRING { sizeof(curr_authconf->users_file_path)); free($2); } + | USER_MAX_SESSION NUMBER { + curr_authconf->user_max_session = $2; + } | AUTHENTICATION_SERVER { if (curr_authconf->auth_type != NPPPD_AUTH_TYPE_RADIUS){ yyerror("`authentication-server' can not be " diff --git a/usr.sbin/npppd/npppd/ppp.c b/usr.sbin/npppd/npppd/ppp.c index eed3a956131..2402cb01a33 100644 --- a/usr.sbin/npppd/npppd/ppp.c +++ b/usr.sbin/npppd/npppd/ppp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ppp.c,v 1.26 2015/12/05 18:43:36 mmcc Exp $ */ +/* $OpenBSD: ppp.c,v 1.27 2017/08/11 16:41:47 goda Exp $ */ /*- * Copyright (c) 2009 Internet Initiative Japan Inc. @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -/* $Id: ppp.c,v 1.26 2015/12/05 18:43:36 mmcc Exp $ */ +/* $Id: ppp.c,v 1.27 2017/08/11 16:41:47 goda Exp $ */ /**@file * This file provides PPP(Point-to-Point Protocol, RFC 1661) and * {@link :: _npppd_ppp PPP instance} related functions. @@ -583,9 +583,6 @@ ppp_auth_ok(npppd_ppp *_this) if (_this->peer_auth != 0) { /* Limit the number of connections per the user */ if (!npppd_check_user_max_session(_this->pppd, _this)) { - ppp_log(_this, LOG_WARNING, - "user %s exceeds user-max-session limit", - _this->username); ppp_stop(_this, NULL); return; |