Added support for auth-fail script if authentication fails.

Updated man page.

ipppd/NOTES.IPPPD

@@ -69,6 +69,11 @@ CHANGELOG:
 21.Jun.99:
  - I got two different DNS patches. Applied one of them.
  - added changes from A. Beck to ccp.c
+07.Nov.99:
+ - Added auth-fail script call if authentication fails
+ - documented in man page. 
+ - Done by Werner Cornelius (werner@isdn4linux.de or werner@titro.de)
+ 
 
 
 -----------------------------------------------------------------

ipppd/auth.c

@@ -36,7 +36,7 @@
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  */
 
-char auth_rcsid[] = "$Id: auth.c,v 1.14 1998/11/05 09:42:36 hipp Exp $";
+char auth_rcsid[] = "$Id: auth.c,v 1.15 1999/11/10 08:01:32 werner Exp $";
 
 #include <stdio.h>
 #include <stddef.h>
@@ -117,7 +117,7 @@ static int  have_chap_secret __P((char *, char *));
 static int  scan_authfile __P((FILE *, char *, char *, char *,
 	  struct wordlist **, char *));
 static void free_wordlist __P((struct wordlist *));
-static void auth_script __P((int,char *));
+static void auth_script __P((int,char *,int));
 
 /*
  * An Open on LCP has requested a change from Dead to Establish phase.
@@ -143,7 +143,7 @@ void link_terminated(int linkunit)
 #endif
 	
 	if(lns[linkunit].auth_up_script)
-		auth_script(linkunit,_PATH_AUTHDOWN);
+		auth_script(linkunit,_PATH_AUTHDOWN,0);
 	if (lns[linkunit].phase == PHASE_DEAD)
 		return;
 	if (lns[linkunit].logged_in) {
@@ -461,13 +461,14 @@ static void callback_phase(int linkunit)
 /*
  * The peer has failed to authenticate himself using `protocol'.
  */
-void auth_peer_fail(int unit,int protocol)
+void auth_peer_fail(int unit,int protocol, int reason)
 {
 	/*
 	 * Authentication failure: take the link down
 	 */
 	lcp_close(lns[unit].lcp_unit,"auth failure");
 	lns[unit].phase = PHASE_TERMINATE;
+	auth_script(unit, _PATH_AUTHFAIL, reason);
 }
 
 /*
@@ -502,13 +503,14 @@ void auth_peer_success(int linkunit,int protocol)
 /*
  * We have failed to authenticate ourselves to the peer using `protocol'.
  */
-void auth_withpeer_fail(int unit,int protocol)
+void auth_withpeer_fail(int unit,int protocol,int reason)
 {
 	/*
 	 * We've failed to authenticate ourselves to our peer.
 	 * He'll probably take the link down, and there's not much
 	 * we can do except wait for that.
 	 */
+	auth_script(unit, _PATH_AUTHFAIL, reason);
 }
 
 /*
@@ -709,7 +711,7 @@ int check_passwd(int linkunit,char *auser,int userlen,char *apasswd,
 		if (lns[linkunit].addresses != NULL)
 			free_wordlist(lns[linkunit].addresses);
 		lns[linkunit].addresses = addrs;
-		auth_script(linkunit,_PATH_AUTHUP);
+		auth_script(linkunit,_PATH_AUTHUP,0);
 		lns[linkunit].auth_up_script = 1;
 	}
 	return ret;
@@ -1297,15 +1299,15 @@ static void free_wordlist(struct wordlist *wp)
 
 /*
  * auth_script - execute a script with arguments
- * interface-name peer-name real-user tty speed
+ * interface-name peer-name real-user tty speed remote-number [fail-reason]
  */
-static void auth_script(int linkunit,char *script)
+static void auth_script(int linkunit,char *script,int error_reason)
 {
 	char strspeed[32];
 	struct passwd *pw;
 	char struid[32];
 	char *user_name;
-	char *argv[8];
+	char *argv[9];
 
 	if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL)
 		user_name = pw->pw_name;
@@ -1323,7 +1325,11 @@ static void auth_script(int linkunit,char *script)
 	argv[5] = strspeed;
 	argv[6] = lns[linkunit].pci.remote_num;
 	argv[7] = NULL;
-
+	if (error_reason) {
+	  sprintf(struid,"%d",error_reason);
+	  argv[7] = struid;
+	  argv[8] = NULL;
+	}
 	run_program(script, argv, debug,linkunit);
 }
 

ipppd/chap.c

@@ -18,7 +18,7 @@
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  */
 
-char chap_rcsid[] = "$Id: chap.c,v 1.5 1998/05/05 08:51:19 hipp Exp $";
+char chap_rcsid[] = "$Id: chap.c,v 1.6 1999/11/10 08:01:32 werner Exp $";
 
 /*
  * TODO:
@@ -185,7 +185,7 @@ ChapChallengeTimeout(arg)
 	/* give up on peer */
 	syslog(LOG_ERR, "Peer failed to respond to CHAP challenge");
 	cstate->serverstate = CHAPSS_BADAUTH;
-	auth_peer_fail(cstate->unit, PPP_CHAP);
+	auth_peer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_TIME | AUTH_ERR_CHAP);
 	return;
     }
 
@@ -291,10 +291,10 @@ void ChapProtocolReject(int linkunit)
 
     if (cstate->serverstate != CHAPSS_INITIAL &&
 	cstate->serverstate != CHAPSS_CLOSED)
-	auth_peer_fail(cstate->unit, PPP_CHAP);
+	auth_peer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_PROT | AUTH_ERR_CHAP);
     if (cstate->clientstate != CHAPCS_INITIAL &&
 	cstate->clientstate != CHAPCS_CLOSED)
-	auth_withpeer_fail(cstate->unit, PPP_CHAP);
+	auth_withpeer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_PROT | AUTH_ERR_CHAP);
     ChapLowerDown(unit);		/* shutdown chap */
 }
 
@@ -571,7 +571,7 @@ static void ChapReceiveResponse(chap_state *cstate,u_char *inp,int
 	} else {
 		syslog(LOG_ERR, "CHAP peer authentication failed");
 		cstate->serverstate = CHAPSS_BADAUTH;
-		auth_peer_fail(cstate->unit, PPP_CHAP);
+		auth_peer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_USER | AUTH_ERR_CHAP);
 	}
 }
 
@@ -641,7 +641,7 @@ ChapReceiveFailure(cstate, inp, id, len)
 	PRINTMSG(inp, len);
 
     syslog(LOG_ERR, "CHAP authentication failed");
-    auth_withpeer_fail(cstate->unit, PPP_CHAP);
+    auth_withpeer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_USER | AUTH_ERR_CHAP);
 }
 
 

ipppd/ipppd.h

@@ -16,7 +16,7 @@
  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
- * $Id: ipppd.h,v 1.17 1998/10/29 17:28:46 hipp Exp $
+ * $Id: ipppd.h,v 1.18 1999/11/10 08:01:32 werner Exp $
  */
 
 /*
@@ -272,8 +272,8 @@ int bad_ip_adrs(u_int32_t);
 int getword(FILE *,char *,int *,char *);
 void print_string(char *p,int len,void (*printer)(void *,char *,...),void *arg);
 int auth_ip_addr(int unit,u_int32_t addr);
-void auth_peer_fail(int,int);
-void auth_withpeer_fail(int unit,int protocol);
+void auth_peer_fail(int,int,int);
+void auth_withpeer_fail(int unit,int protocol,int reason);
 void auth_peer_success(int unit,int protocol);
 void auth_withpeer_success(int unit,int protocol);
 
@@ -499,5 +499,13 @@ extern struct option_info devnam_info;
 #define MAX(a, b)	((a) > (b)? (a): (b))
 #endif
 
+/* error values for auth-fail script */
+#define AUTH_ERR_TIME  1      /* timeout sending auth requests */
+#define AUTH_ERR_PROT  2      /* auth protocol rejected */
+#define AUTH_ERR_USER  3      /* user or password illegal */ 
+#define AUTH_ERR_PAP   0      /* error in PAP-handling ored with reason */
+#define AUTH_ERR_CHAP  8      /* error in CHAP-handling ored with reason */
+
+
 #endif /* __IPPP_H__ */
 

ipppd/ipppd.man.in

@@ -1,6 +1,6 @@
 .\" manual page [] for ipppd 2.0
-.\" $Id: ipppd.man.in,v 1.5 1999/06/21 13:28:47 hipp Exp $
-.\" CHECKIN $Date: 1999/06/21 13:28:47 $
+.\" $Id: ipppd.man.in,v 1.6 1999/11/10 08:01:32 werner Exp $
+.\" CHECKIN $Date: 1999/11/10 08:01:32 $
 .\" SH section heading
 .\" SS subsection heading
 .\" LP paragraph
@@ -900,7 +900,8 @@ the following parameters:
 .I authentication user name,
 .I username of ipppd,
 .I devicename,
-.I speed
+.I speed,
+.I remote number
 .TP
 .B /etc/ppp/auth-down
 This program or script is executed after a disconnection with
@@ -909,7 +910,26 @@ the following parameters:
 .I authentication user name,
 .I username of ipppd,
 .I devicename,
-.I speed
+.I speed,
+.I remote number
+.TP
+.B /etc/ppp/auth-fail
+This program or script is executed after a authentication failure with
+the following parameters:
+.I interface name,
+.I authentication user name,
+.I username of ipppd,
+.I devicename,
+.I speed,
+.I remote number,
+.I failure reason
+ Valid reasons are: 
+  1 = Timeout during pap auth
+  2 = pap protocol rejected
+  3 = pap secrets invalid
+  9 = Timeout during chap auth
+ 10 = chap protocol rejected
+ 11 = chap secrets invalid
 .TP
 .B /etc/ppp/pap-secrets
 Usernames, passwords and IP addresses for PAP authentication.

ipppd/pathnames.h.in

@@ -1,7 +1,7 @@
 /*
  * define path names
  *
- * $Id: pathnames.h.in,v 1.1 1997/10/26 23:06:25 fritz Exp $
+ * $Id: pathnames.h.in,v 1.2 1999/11/10 08:01:32 werner Exp $
  */
 
 #include "config.h"
@@ -20,7 +20,7 @@
 #define _PATH_UPAPFILE		"/etc/ppp/pap-secrets"
 #define _PATH_CHAPFILE		"/etc/ppp/chap-secrets"
 #define _PATH_SYSOPTIONS	"/etc/ppp/ioptions"
-#define _PATH_IPUP			"/etc/ppp/ip-up"
+#define _PATH_IPUP		"/etc/ppp/ip-up"
 #define _PATH_IPDOWN		"/etc/ppp/ip-down"
 #define _PATH_TTYOPT		"/etc/ppp/ioptions."
 #define _PATH_CONNERRS		"/etc/ppp/connect-errors"
@@ -30,6 +30,7 @@
 /* Programs for processing authenticated logins */
 #define _PATH_AUTHUP   "/etc/ppp/auth-up"
 #define _PATH_AUTHDOWN "/etc/ppp/auth-down"
+#define _PATH_AUTHFAIL "/etc/ppp/auth-fail"
 
 # define _PATH_IPXUP	"/etc/ppp/ipx-up"
 # define _PATH_IPXDOWN	"/etc/ppp/ipx-down"

ipppd/upap.c

@@ -17,7 +17,7 @@
  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  */
 
-char upap_rcsid[] = "$Id: upap.c,v 1.5 1998/04/29 14:29:50 hipp Exp $";
+char upap_rcsid[] = "$Id: upap.c,v 1.6 1999/11/10 08:01:33 werner Exp $";
 
 /*
  * TODO:
@@ -213,7 +213,7 @@ static void upap_timeout(caddr_t arg)
 	/* give up in disgust */
 	syslog(LOG_ERR, "No response to PAP authenticate-requests");
 	u->us_clientstate = UPAPCS_BADAUTH;
-	auth_withpeer_fail(u->us_unit, PPP_PAP);
+	auth_withpeer_fail(u->us_unit, PPP_PAP, AUTH_ERR_TIME | AUTH_ERR_PAP);
 	return;
     }
 
@@ -233,7 +233,7 @@ upap_reqtimeout(arg)
     if (u->us_serverstate != UPAPSS_LISTEN)
 	return;			/* huh?? */
 
-    auth_peer_fail(u->us_unit, PPP_PAP);
+    auth_peer_fail(u->us_unit, PPP_PAP, AUTH_ERR_TIME | AUTH_ERR_PAP);
     u->us_serverstate = UPAPSS_BADAUTH;
 }
 
@@ -294,11 +294,11 @@ void upap_protrej(int linkunit)
 
     if (u->us_clientstate == UPAPCS_AUTHREQ) {
 	syslog(LOG_ERR, "PAP authentication failed due to protocol-reject");
-	auth_withpeer_fail(u->us_unit, PPP_PAP);
+	auth_withpeer_fail(u->us_unit, PPP_PAP, AUTH_ERR_PROT | AUTH_ERR_PAP);
     }
     if (u->us_serverstate == UPAPSS_LISTEN) {
 	syslog(LOG_ERR, "PAP authentication of peer failed (protocol-reject)");
-	auth_peer_fail(u->us_unit, PPP_PAP);
+	auth_peer_fail(u->us_unit, PPP_PAP, AUTH_ERR_PROT | AUTH_ERR_PAP);
     }
     upap_lowerdown(unit);
 }
@@ -436,7 +436,7 @@ static void upap_rauthreq(upap_state *u,u_char *inp,int id,int len)
 		auth_peer_success(u->us_unit, PPP_PAP);
 	} else {
 		u->us_serverstate = UPAPSS_BADAUTH;
-		auth_peer_fail(u->us_unit, PPP_PAP);
+		auth_peer_fail(u->us_unit, PPP_PAP, AUTH_ERR_USER | AUTH_ERR_PAP);
 	}
 
 	if (u->us_reqtimeout > 0)
@@ -519,7 +519,7 @@ upap_rauthnak(u, inp, id, len)
     u->us_clientstate = UPAPCS_BADAUTH;
 
     syslog(LOG_ERR, "PAP authentication failed");
-    auth_withpeer_fail(u->us_unit, PPP_PAP);
+    auth_withpeer_fail(u->us_unit, PPP_PAP, AUTH_ERR_USER | AUTH_ERR_PAP);
 }