Author: trasz
Date: Tue Feb 11 11:32:36 2014
New Revision: 261763
URL: http://svnweb.freebsd.org/changeset/base/261763
Log:
  Use new auth-type "deny" instead of using "chap" with no chap entries;
  it's cleaner this way, and gives better feedback to the user.
  
  Sponsored by: The FreeBSD Foundation

Modified:
  head/usr.sbin/ctld/ctl.conf.5
  head/usr.sbin/ctld/ctld.c
  head/usr.sbin/ctld/ctld.h
  head/usr.sbin/ctld/login.c
  head/usr.sbin/ctld/parse.y

Modified: head/usr.sbin/ctld/ctl.conf.5
==============================================================================
--- head/usr.sbin/ctld/ctl.conf.5       Tue Feb 11 11:31:08 2014        
(r261762)
+++ head/usr.sbin/ctld/ctl.conf.5       Tue Feb 11 11:32:36 2014        
(r261763)
@@ -103,7 +103,7 @@ The following statements are available a
 .Bl -tag -width indent
 .It Ic auth-type Ao Ar type Ac
 Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
 In most cases it is not neccessary to set the type using this clause;
 it is usually used to disable authentication for a given auth-group.
 .It Ic chap Ao Ar user Ac Aq Ar secret
@@ -157,7 +157,7 @@ Another predefined auth-group, "no-authe
 without authentication.
 .It Ic auth-type Ao Ar type Ac
 Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
 In most cases it is not neccessary to set the type using this clause;
 it is usually used to disable authentication for a given target.
 This clause is mutually exclusive with auth-group; one cannot use

Modified: head/usr.sbin/ctld/ctld.c
==============================================================================
--- head/usr.sbin/ctld/ctld.c   Tue Feb 11 11:31:08 2014        (r261762)
+++ head/usr.sbin/ctld/ctld.c   Tue Feb 11 11:32:36 2014        (r261763)
@@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_grou
 
        if (strcmp(str, "none") == 0) {
                type = AG_TYPE_NO_AUTHENTICATION;
+       } else if (strcmp(str, "deny") == 0) {
+               type = AG_TYPE_DENY;
        } else if (strcmp(str, "chap") == 0) {
                type = AG_TYPE_CHAP;
        } else if (strcmp(str, "chap-mutual") == 0) {

Modified: head/usr.sbin/ctld/ctld.h
==============================================================================
--- head/usr.sbin/ctld/ctld.h   Tue Feb 11 11:31:08 2014        (r261762)
+++ head/usr.sbin/ctld/ctld.h   Tue Feb 11 11:32:36 2014        (r261763)
@@ -66,9 +66,10 @@ struct auth_portal {
 };
 
 #define        AG_TYPE_UNKNOWN                 0
-#define        AG_TYPE_NO_AUTHENTICATION       1
-#define        AG_TYPE_CHAP                    2
-#define        AG_TYPE_CHAP_MUTUAL             3
+#define        AG_TYPE_DENY                    1
+#define        AG_TYPE_NO_AUTHENTICATION       2
+#define        AG_TYPE_CHAP                    3
+#define        AG_TYPE_CHAP_MUTUAL             4
 
 struct auth_group {
        TAILQ_ENTRY(auth_group)         ag_next;
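Review bot: AG_TYPE_DENY is inserted at value 1 and the three existing types are renumbered, but nothing documents how "deny" differs from AG_TYPE_UNKNOWN, which login.c in this same commit still handles as a separate case. A short comment above the list would record the distinction, e.g. `/* AG_TYPE_DENY rejects every login; AG_TYPE_UNKNOWN means no type has been set. */`. The renumbering is harmless only if nothing compares these values by order or keeps them outside the running process, which cannot be confirmed from this hunk.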

Modified: head/usr.sbin/ctld/login.c
==============================================================================
--- head/usr.sbin/ctld/login.c  Tue Feb 11 11:31:08 2014        (r261762)
+++ head/usr.sbin/ctld/login.c  Tue Feb 11 11:32:36 2014        (r261763)
@@ -1030,6 +1030,11 @@ login(struct connection *conn)
                return;
        }
 
+       if (ag->ag_type == AG_TYPE_DENY) {
+               login_send_error(request, 0x02, 0x01);
+               log_errx(1, "auth-group type is \"deny\"");
+       }
+
        if (ag->ag_type == AG_TYPE_UNKNOWN) {
                /*
                 * This can happen with empty auth-group.
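Review bot: The new AG_TYPE_DENY branch has no `return` and is only safe if `log_errx(1, ...)` never returns; otherwise a denied session would fall through to the AG_TYPE_UNKNOWN check and the rest of login(), whose body continues outside this hunk. If log_errx() is guaranteed to exit, record that with a comment such as `/* NOTREACHED: log_errx() exits */`; if not, add an explicit `return;` after it. The status bytes `0x02, 0x01` are unexplained magic numbers; a comment naming them (presumably the iSCSI initiator-error / authentication-failure status, to be confirmed) would help the next reader. The log text also does not identify which initiator or target was refused, which limits its use when auditing denied logins.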

Modified: head/usr.sbin/ctld/parse.y
==============================================================================
--- head/usr.sbin/ctld/parse.y  Tue Feb 11 11:31:08 2014        (r261762)
+++ head/usr.sbin/ctld/parse.y  Tue Feb 11 11:32:36 2014        (r261763)
@@ -729,13 +729,9 @@ conf_new_from_file(const char *path)
        assert(ag != NULL);
        ag->ag_type = AG_TYPE_NO_AUTHENTICATION;
 
-       /*
-        * Here, the type doesn't really matter, as the group doesn't contain
-        * any entries and thus will always deny access.
-        */
        ag = auth_group_new(conf, "no-access");
        assert(ag != NULL);
-       ag->ag_type = AG_TYPE_CHAP;
+       ag->ag_type = AG_TYPE_DENY;
 
        pg = portal_group_new(conf, "default");
        assert(pg != NULL);
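Review bot: The comment explaining why "no-access" always refuses logins is removed without a replacement, so the fail-closed intent of `ag->ag_type = AG_TYPE_DENY;` is now undocumented both here and in the later hunk that applies the same type to an undefined "default" auth-group. A one-line comment at each site would restore it, e.g. `/* Reject all logins for this group. */` and `/* No default auth-group configured: fail closed. */`. conf_new_from_file() begins and ends outside both hunks.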
@@ -765,7 +761,7 @@ conf_new_from_file(const char *path)
                    "going with defaults");
                ag = auth_group_find(conf, "default");
                assert(ag != NULL);
-               ag->ag_type = AG_TYPE_CHAP;
+               ag->ag_type = AG_TYPE_DENY;
        }
 
        if (conf->conf_default_pg_defined == false) {