diff --git a/ipppd/NOTES.IPPPD b/ipppd/NOTES.IPPPD index d6f0ada5..76a2d42d 100644 --- a/ipppd/NOTES.IPPPD +++ b/ipppd/NOTES.IPPPD @@ -69,6 +69,11 @@ CHANGELOG: 21.Jun.99: - I got two different DNS patches. Applied one of them. - added changes from A. Beck to ccp.c +07.Nov.99: + - Added auth-fail script call if authentication fails + - documented in man page. + - Done by Werner Cornelius (werner@isdn4linux.de or werner@titro.de) + ----------------------------------------------------------------- diff --git a/ipppd/auth.c b/ipppd/auth.c index a23d5170..d9a03b9a 100644 --- a/ipppd/auth.c +++ b/ipppd/auth.c @@ -36,7 +36,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -char auth_rcsid[] = "$Id: auth.c,v 1.14 1998/11/05 09:42:36 hipp Exp $"; +char auth_rcsid[] = "$Id: auth.c,v 1.15 1999/11/10 08:01:32 werner Exp $"; #include #include @@ -117,7 +117,7 @@ static int have_chap_secret __P((char *, char *)); static int scan_authfile __P((FILE *, char *, char *, char *, struct wordlist **, char *)); static void free_wordlist __P((struct wordlist *)); -static void auth_script __P((int,char *)); +static void auth_script __P((int,char *,int)); /* * An Open on LCP has requested a change from Dead to Establish phase. @@ -143,7 +143,7 @@ void link_terminated(int linkunit) #endif if(lns[linkunit].auth_up_script) - auth_script(linkunit,_PATH_AUTHDOWN); + auth_script(linkunit,_PATH_AUTHDOWN,0); if (lns[linkunit].phase == PHASE_DEAD) return; if (lns[linkunit].logged_in) { @@ -461,13 +461,14 @@ static void callback_phase(int linkunit) /* * The peer has failed to authenticate himself using `protocol'. */ -void auth_peer_fail(int unit,int protocol) +void auth_peer_fail(int unit,int protocol, int reason) { /* * Authentication failure: take the link down */ lcp_close(lns[unit].lcp_unit,"auth failure"); lns[unit].phase = PHASE_TERMINATE; + auth_script(unit, _PATH_AUTHFAIL, reason); } /* 
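Review bot: The new `reason` parameter of `auth_peer_fail` is not documented; the comment above the function still mentions only `protocol`, so a reader has to find the `AUTH_ERR_*` defines in ipppd.h to learn what callers may pass. I would extend the comment with `reason: one of AUTH_ERR_TIME/PROT/USER ored with AUTH_ERR_PAP or AUTH_ERR_CHAP; handed to the auth-fail script as its last argument`. The same applies to `auth_withpeer_fail` in the following hunk. Since the `auth_script` call is unconditional, the script also runs for peer-induced timeouts and protocol-rejects, i.e. once per failed attempt rather than once per link, which is worth one sentence in the man page entry for auth-fail.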
@@ -502,13 +503,14 @@ void auth_peer_success(int linkunit,int protocol) /* * We have failed to authenticate ourselves to the peer using `protocol'. */ -void auth_withpeer_fail(int unit,int protocol) +void auth_withpeer_fail(int unit,int protocol,int reason) { /* * We've failed to authenticate ourselves to our peer. * He'll probably take the link down, and there's not much * we can do except wait for that. */ + auth_script(unit, _PATH_AUTHFAIL, reason); } /* @@ -709,7 +711,7 @@ int check_passwd(int linkunit,char *auser,int userlen,char *apasswd, if (lns[linkunit].addresses != NULL) free_wordlist(lns[linkunit].addresses); lns[linkunit].addresses = addrs; - auth_script(linkunit,_PATH_AUTHUP); + auth_script(linkunit,_PATH_AUTHUP,0); lns[linkunit].auth_up_script = 1; } return ret; @@ -1297,15 +1299,15 @@ static void free_wordlist(struct wordlist *wp) /* * auth_script - execute a script with arguments - * interface-name peer-name real-user tty speed + * interface-name peer-name real-user tty speed remote-number [fail-reason] */ -static void auth_script(int linkunit,char *script) +static void auth_script(int linkunit,char *script,int error_reason) { char strspeed[32]; struct passwd *pw; char struid[32]; char *user_name; - char *argv[8]; + char *argv[9]; if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL) user_name = pw->pw_name; @@ -1323,7 +1325,11 @@ static void auth_script(int linkunit,char *script) argv[5] = strspeed; argv[6] = lns[linkunit].pci.remote_num; argv[7] = NULL; - + if (error_reason) { + sprintf(struid,"%d",error_reason); + argv[7] = struid; + argv[8] = NULL; + } run_program(script, argv, debug,linkunit); } diff --git a/ipppd/chap.c b/ipppd/chap.c index ce319232..2f40d954 100644 --- a/ipppd/chap.c +++ b/ipppd/chap.c 
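Review bot: The added `sprintf(struid,"%d",error_reason)` reuses `struid`, which appears to be the buffer for the numeric fallback user name when `getpwuid` fails (that `else` branch lies between this hunk and the previous one and is not visible here, so please confirm); in that case `argv[3]` and `argv[7]` would point at the same buffer and the script would receive the error code in place of the user name. Give the reason its own storage: declare `char strreason[16];` next to `struid`, and in the new block use `snprintf(strreason, sizeof strreason, "%d", error_reason);` and `argv[7] = strreason;`. The enclosing `auth_script` body starts before this hunk.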
@@ -18,7 +18,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -char chap_rcsid[] = "$Id: chap.c,v 1.5 1998/05/05 08:51:19 hipp Exp $"; +char chap_rcsid[] = "$Id: chap.c,v 1.6 1999/11/10 08:01:32 werner Exp $"; /* * TODO: @@ -185,7 +185,7 @@ ChapChallengeTimeout(arg) /* give up on peer */ syslog(LOG_ERR, "Peer failed to respond to CHAP challenge"); cstate->serverstate = CHAPSS_BADAUTH; - auth_peer_fail(cstate->unit, PPP_CHAP); + auth_peer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_TIME | AUTH_ERR_CHAP); return; } @@ -291,10 +291,10 @@ void ChapProtocolReject(int linkunit) if (cstate->serverstate != CHAPSS_INITIAL && cstate->serverstate != CHAPSS_CLOSED) - auth_peer_fail(cstate->unit, PPP_CHAP); + auth_peer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_PROT | AUTH_ERR_CHAP); if (cstate->clientstate != CHAPCS_INITIAL && cstate->clientstate != CHAPCS_CLOSED) - auth_withpeer_fail(cstate->unit, PPP_CHAP); + auth_withpeer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_PROT | AUTH_ERR_CHAP); ChapLowerDown(unit); /* shutdown chap */ } @@ -571,7 +571,7 @@ static void ChapReceiveResponse(chap_state *cstate,u_char *inp,int } else { syslog(LOG_ERR, "CHAP peer authentication failed"); cstate->serverstate = CHAPSS_BADAUTH; - auth_peer_fail(cstate->unit, PPP_CHAP); + auth_peer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_USER | AUTH_ERR_CHAP); } } @@ -641,7 +641,7 @@ ChapReceiveFailure(cstate, inp, id, len) PRINTMSG(inp, len); syslog(LOG_ERR, "CHAP authentication failed"); - auth_withpeer_fail(cstate->unit, PPP_CHAP); + auth_withpeer_fail(cstate->unit, PPP_CHAP, AUTH_ERR_USER | AUTH_ERR_CHAP); } diff --git a/ipppd/ipppd.h b/ipppd/ipppd.h index 6d12622f..11c55e9f 100644 --- a/ipppd/ipppd.h +++ b/ipppd/ipppd.h @@ -16,7 +16,7 @@ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * - * $Id: ipppd.h,v 1.17 1998/10/29 17:28:46 hipp Exp $ + * $Id: ipppd.h,v 1.18 1999/11/10 08:01:32 werner Exp $ */ /* 
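Review bot: In `ChapProtocolReject`, when both the server and the client state are active, one protocol-reject now runs the auth-fail script twice with the identical reason `AUTH_ERR_PROT | AUTH_ERR_CHAP`, once from `auth_peer_fail` and once from `auth_withpeer_fail`, because both now call `auth_script` unconditionally and the script cannot tell the two invocations apart. `upap_protrej` in upap.c has the same pattern with `AUTH_ERR_PROT | AUTH_ERR_PAP`. If one invocation per event is intended, either skip the second call in the protocol-reject path or encode the direction in the reason (a bit the `AUTH_ERR_*` values leave free), and state in the man page that auth-fail may run more than once for one link.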
@@ -272,8 +272,8 @@ int bad_ip_adrs(u_int32_t); int getword(FILE *,char *,int *,char *); void print_string(char *p,int len,void (*printer)(void *,char *,...),void *arg); int auth_ip_addr(int unit,u_int32_t addr); -void auth_peer_fail(int,int); -void auth_withpeer_fail(int unit,int protocol); +void auth_peer_fail(int,int,int); +void auth_withpeer_fail(int unit,int protocol,int reason); void auth_peer_success(int unit,int protocol); void auth_withpeer_success(int unit,int protocol); @@ -499,5 +499,13 @@ extern struct option_info devnam_info; #define MAX(a, b) ((a) > (b)? (a): (b)) #endif +/* error values for auth-fail script */ +#define AUTH_ERR_TIME 1 /* timeout sending auth requests */ +#define AUTH_ERR_PROT 2 /* auth protocol rejected */ +#define AUTH_ERR_USER 3 /* user or password illegal */ +#define AUTH_ERR_PAP 0 /* error in PAP-handling ored with reason */ +#define AUTH_ERR_CHAP 8 /* error in CHAP-handling ored with reason */ + + #endif /* __IPPP_H__ */ diff --git a/ipppd/ipppd.man.in b/ipppd/ipppd.man.in index adf54be6..6cd4a1f5 100644 --- a/ipppd/ipppd.man.in +++ b/ipppd/ipppd.man.in @@ -1,6 +1,6 @@ .\" manual page [] for ipppd 2.0 -.\" $Id: ipppd.man.in,v 1.5 1999/06/21 13:28:47 hipp Exp $ -.\" CHECKIN $Date: 1999/06/21 13:28:47 $ +.\" $Id: ipppd.man.in,v 1.6 1999/11/10 08:01:32 werner Exp $ +.\" CHECKIN $Date: 1999/11/10 08:01:32 $ .\" SH section heading .\" SS subsection heading .\" LP paragraph @@ -900,7 +900,8 @@ the following parameters: .I authentication user name, .I username of ipppd, .I devicename, -.I speed +.I speed, +.I remote number .TP .B /etc/ppp/auth-down This program or script is executed after a disconnection with 
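Review bot: The two updated prototypes are written inconsistently: `auth_peer_fail` is declared with unnamed parameters while `auth_withpeer_fail` names them, and with three plain `int` arguments the order of `protocol` and `reason` is easy to swap at a call site without any compiler help. I would write `void auth_peer_fail(int unit, int protocol, int reason);` so both declarations document their arguments.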
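Review bot: The `AUTH_ERR_*` values read like independent bit flags but are not: `AUTH_ERR_TIME | AUTH_ERR_PROT` equals `AUTH_ERR_USER` (1|2 == 3), so exactly one of TIME/PROT/USER may be ored with the protocol value, and a script has to decode the argument as `reason & 7` for the cause and `reason & 8` for the protocol. I would say so in the header comment, e.g. `/* low three bits: failure cause (exactly one of TIME/PROT/USER); bit 3: protocol, 0 = PAP, 8 = CHAP; 0 as a whole means "no reason" */`, since `auth_script` omits the argument when the reason is 0. The combined values 1-3 and 9-11 listed in the man page match these definitions.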
@@ -909,7 +910,26 @@ the following parameters: .I authentication user name, .I username of ipppd, .I devicename, -.I speed +.I speed, +.I remote number +.TP +.B /etc/ppp/auth-fail +This program or script is executed after a authentication failure with +the following parameters: +.I interface name, +.I authentication user name, +.I username of ipppd, +.I devicename, +.I speed, +.I remote number, +.I failure reason + Valid reasons are: + 1 = Timeout during pap auth + 2 = pap protocol rejected + 3 = pap secrets invalid + 9 = Timeout during chap auth + 10 = chap protocol rejected + 11 = chap secrets invalid .TP .B /etc/ppp/pap-secrets Usernames, passwords and IP addresses for PAP authentication. diff --git a/ipppd/pathnames.h.in b/ipppd/pathnames.h.in index 26bae909..6e5119c7 100644 --- a/ipppd/pathnames.h.in +++ b/ipppd/pathnames.h.in @@ -1,7 +1,7 @@ /* * define path names * - * $Id: pathnames.h.in,v 1.1 1997/10/26 23:06:25 fritz Exp $ + * $Id: pathnames.h.in,v 1.2 1999/11/10 08:01:32 werner Exp $ */ #include "config.h" @@ -20,7 +20,7 @@ #define _PATH_UPAPFILE "/etc/ppp/pap-secrets" #define _PATH_CHAPFILE "/etc/ppp/chap-secrets" #define _PATH_SYSOPTIONS "/etc/ppp/ioptions" -#define _PATH_IPUP "/etc/ppp/ip-up" +#define _PATH_IPUP "/etc/ppp/ip-up" #define _PATH_IPDOWN "/etc/ppp/ip-down" #define _PATH_TTYOPT "/etc/ppp/ioptions." #define _PATH_CONNERRS "/etc/ppp/connect-errors" @@ -30,6 +30,7 @@ /* Programs for processing authenticated logins */ #define _PATH_AUTHUP "/etc/ppp/auth-up" #define _PATH_AUTHDOWN "/etc/ppp/auth-down" +#define _PATH_AUTHFAIL "/etc/ppp/auth-fail" # define _PATH_IPXUP "/etc/ppp/ipx-up" # define _PATH_IPXDOWN "/etc/ppp/ipx-down" diff --git a/ipppd/upap.c b/ipppd/upap.c index 6268b55e..e72eab9c 100644 --- a/ipppd/upap.c +++ b/ipppd/upap.c 
@@ -17,7 +17,7 @@ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ -char upap_rcsid[] = "$Id: upap.c,v 1.5 1998/04/29 14:29:50 hipp Exp $"; +char upap_rcsid[] = "$Id: upap.c,v 1.6 1999/11/10 08:01:33 werner Exp $"; /* * TODO: @@ -213,7 +213,7 @@ static void upap_timeout(caddr_t arg) /* give up in disgust */ syslog(LOG_ERR, "No response to PAP authenticate-requests"); u->us_clientstate = UPAPCS_BADAUTH; - auth_withpeer_fail(u->us_unit, PPP_PAP); + auth_withpeer_fail(u->us_unit, PPP_PAP, AUTH_ERR_TIME | AUTH_ERR_PAP); return; } @@ -233,7 +233,7 @@ upap_reqtimeout(arg) if (u->us_serverstate != UPAPSS_LISTEN) return; /* huh?? */ - auth_peer_fail(u->us_unit, PPP_PAP); + auth_peer_fail(u->us_unit, PPP_PAP, AUTH_ERR_TIME | AUTH_ERR_PAP); u->us_serverstate = UPAPSS_BADAUTH; } @@ -294,11 +294,11 @@ void upap_protrej(int linkunit) if (u->us_clientstate == UPAPCS_AUTHREQ) { syslog(LOG_ERR, "PAP authentication failed due to protocol-reject"); - auth_withpeer_fail(u->us_unit, PPP_PAP); + auth_withpeer_fail(u->us_unit, PPP_PAP, AUTH_ERR_PROT | AUTH_ERR_PAP); } if (u->us_serverstate == UPAPSS_LISTEN) { syslog(LOG_ERR, "PAP authentication of peer failed (protocol-reject)"); - auth_peer_fail(u->us_unit, PPP_PAP); + auth_peer_fail(u->us_unit, PPP_PAP, AUTH_ERR_PROT | AUTH_ERR_PAP); } upap_lowerdown(unit); } @@ -436,7 +436,7 @@ static void upap_rauthreq(upap_state *u,u_char *inp,int id,int len) auth_peer_success(u->us_unit, PPP_PAP); } else { u->us_serverstate = UPAPSS_BADAUTH; - auth_peer_fail(u->us_unit, PPP_PAP); + auth_peer_fail(u->us_unit, PPP_PAP, AUTH_ERR_USER | AUTH_ERR_PAP); } if (u->us_reqtimeout > 0) @@ -519,7 +519,7 @@ upap_rauthnak(u, inp, id, len) u->us_clientstate = UPAPCS_BADAUTH; syslog(LOG_ERR, "PAP authentication failed"); - auth_withpeer_fail(u->us_unit, PPP_PAP); + auth_withpeer_fail(u->us_unit, PPP_PAP, AUTH_ERR_USER | AUTH_ERR_PAP); }