pppd-2.2.0g.patch
diff -ruN ppp-2.2.0g/README.tacacs ppp-2.2.0g.tacacs/README.tacacs--- ppp-2.2.0g/README.tacacs Thu Jan 1 01:00:00 1970+++ ppp-2.2.0g.tacacs/README.tacacs Mon Feb 16 18:52:45 1998@@ -0,0 +1,124 @@++ TACACS+ support for pppd+ + + Copyright 1997 by Pawel Krawczyk <kravietz@ceti.com.pl>+ + Distributed under GPL+ +Introduction++ This module supports subset of TACACS+ functions allowing a Linux+ dialup server to authenticate, authorize and account users on remote+ authentication server. This includes:+ + * PAP authentication+ * authorization for IP protocol+ * accounting of PPP session beginning and end+ + All above functions are performed from within pppd program with+ username and password passed with PPP protocol. In addition, there is+ standalone TACACS+ client program - tacc, which can be used as+ replacement for login program in getty style dialup server programs.+ +Installation++ 1. Download the distribution:+ http://ceti.com.pl/~kravietz/progs/tacc-1.5.tar.gz+ 2. Download and original pppd sources. This program was developed on+ version 2.2.0g. You can find pppd sources on local sunsite.unc.edu+ mirror.+ 3. Compile tacc, by entering tacc-1.5 subdirectory and typing make.+ 4. Apply the patch to pppd source tree:++ patch -p0 <pppd-tacacs.patch+ 5. Configure pppd sources as described in INSTALL file.+ 6. Run make in pppd subdirectory, with the following extra+ parameters:+ + USE_TACACS_PLUS=1+ to actually compile pppd with TACACS+ support+ + USE_BIND8=1+ if your are using BIND 8.x; this is a small workaround to+ use old functions from libc; if you don't use BIND 8.x,+ simply omit this parameter+ + 7. You should now have two programs: tacc and pppd. You should+ install them in appropriate directory and configure your dialup+ server to actually use them. The following is example of my+ /etc/mgetty/login.conf:++/AutoPPP/ - autoppp /usr/sbin/pppd auth -chap +pap tacacs debug -detach+* - @ /usr/local/sbin/tacc @++ 8. Configure your TACACS+ server. 
You can get it from+ ftp://ftpeng.cisco.com/pub/tacacs/. Following options are+ necessary in tac_plus configuration file:+ + default authentication = file filename+ passwd(5) file; use /etc/passwd even if you have shadow+ passwords suite installed+ + key = "string"+ key used to encrypt TACACS+ packets over the network+ + user = DEFAULT { default service = permit }+ permit all valid and authenticated users to use PPP+ + For more details about configuring TACACS+ server refer to+ users_guide in the server distribution.+ 9. To enable TACACS+ authentication in pppd use the following options+ in /etc/ppp/options file:+ + tacacs-server aaa.bbb.ccc.ddd+ TACACS+ server IP address (multiple allowed)+ + tacacs-secret string+ key used to encrypt TACACS+ packets over the network;+ should be same as the key defined on TACACS+ server+ + -tacacs-encryption+ send packets cleartext; this is for debugging only, do+ not use in real operations+ + tacacs-accounting+ if you want pppd to send TACACS+ accounting packets to+ the server; currently it includes only start and stop+ messages+ + tacacs-authorize+ if you want pppd to request authorization for use of PPP+ for already authenticated user; currently this is limited+ to service PPP and protocol IP+ + 10. When running pppd (probably from mgetty or similiar software), add+ tacacs option, e.g.:++ /usr/sbin/pppd auth +pap -chap tacacs++ Note that since current version you should use tacacs option instead+ of previous login! This option tell pppd to actually use TACACS++ functions.+ 11. Test if this works. If not, that's probably because keys on+ authentication and dialup servers are different. 
tacc can be used+ to test if the TACACS+ server is working correctly:++ $ tacc -TRA -u user -p pass -s localhost -k 'secret key' -w+ Authentication OK+ Authorization OK: Service granted.+ Accounting: START ok+ Accounting: STOP ok+ $ _+ In case of problems recompiling auth_tac.c with -DDEBUGTAC will+ cause every TACACS+ function report its progress and errors to+ syslog. I'll appreciate such log file very much if you send me a+ bug report.+ + tacc+ + tacc documentation was moved to manual page. It was also extended ;)+ _________________________________________________________________+ + Latest versions of this patch can be found on:+ http://www.ceti.com.pl/~kravietz/progs/tacacs.htmldiff -ruN ppp-2.2.0g/pppd/ChangeLog.tacacs ppp-2.2.0g.tacacs/pppd/ChangeLog.tacacs--- ppp-2.2.0g/pppd/ChangeLog.tacacs Thu Jan 1 01:00:00 1970+++ ppp-2.2.0g.tacacs/pppd/ChangeLog.tacacs Mon Feb 16 18:05:13 1998@@ -0,0 +1,31 @@+1.5+* Many changes in `tacc', mostly in user interface+* 'tacc' is no longer distributed as patch to pppd++1.4+* Added more TACACS+ accounting attributes+* Fixed some bugs in accounting+* Functions now return server messages +* Accounting and authorization now work both for IP and IPX+* Multiple TACACS+ servers may be defined+* Major changes in the way of handling TACACS+ AAA ++1.3+* Added simple TACACS+ accounting+* New options for pppd to enable TACACS+, authorization and accounting+* TACACS+ procedures are no longer called from login() function +* Minor fixes in tacc.c and auth_tac.c++1.2+* Changed names of some internal functions (prepending "_")+* tac_send and tac_read functions now accept file descriptor on input+* _tac_crypt() was rewritten to be more RFC compliant+* New function _tac_header()++1.1+* Added `tacc' client++1.0+* First working version, basic TACACS+ PAP authentication+ on top of login() function+diff -ruN ppp-2.2.0g/pppd/Makefile.linux ppp-2.2.0g.tacacs/pppd/Makefile.linux--- ppp-2.2.0g/pppd/Makefile.linux Thu Feb 5 13:34:39 1998+++ 
ppp-2.2.0g.tacacs/pppd/Makefile.linux Mon Feb 16 18:10:58 1998@@ -20,18 +20,32 @@ HEADERS := $(HEADERS) .depend endif -# CC = gcc-DEBUG_FLAGS = -DDEBUGALL+CC = gcc+#DEBUG_FLAGS = -DDEBUGTAC COMPILE_FLAGS = -D_linux_=1 -DHAVE_PATHS_H-COPTS = -O2 # -g+#COPTS = -Wall -ggdb3+COPTS = -O2 VER = 2.2.0-LIBS = -lbsd -lbind -L/usr/local/lib+LIBS = -lbsd CFLAGS= $(COPTS) $(DEBUG_FLAGS) $(COMPILE_FLAGS) SOURCE= RELNOTES Makefile.linux $(PPPDSRCS) $(HEADERS) $(MANPAGES) ifdef USE_MS_DNS CFLAGS += -DUSE_MS_DNS=1+endif++ifdef USE_TACACS_PLUS+CFLAGS += -DUSE_TACACS_PLUS=1+PPPDSRCS += auth_tac.c+HEADERS += auth_tac.h+PPPDOBJS += auth_tac.o+endif++ifdef USE_BIND8+# this really doesn't make use of BIND8+# it's workaround to use old BIND4 functions from libc+CFLAGS += -D__inet_addr=inet_addr -D__inet_aton=inet_aton -D__inet_ntoa=inet_ntoa endif ifdef IPX_CHANGEdiff -ruN ppp-2.2.0g/pppd/auth.c ppp-2.2.0g.tacacs/pppd/auth.c--- ppp-2.2.0g/pppd/auth.c Fri Mar 15 18:19:48 1996+++ ppp-2.2.0g.tacacs/pppd/auth.c Wed Feb 11 15:19:31 1998@@ -48,6 +48,7 @@ #include <netdb.h> #include <netinet/in.h> #include <arpa/inet.h>+#include <linux/if_ppp.h> #ifdef HAS_SHADOW #include <shadow.h>@@ -66,6 +67,14 @@ #include "ccp.h" #include "pathnames.h" +#ifdef USE_TACACS_PLUS+#include "tacplus.h"+#include "auth_tac.h"+int task_id; /* task identifier for accounting */+char *tac_username; /* storage between tac_login() and logout()+ also IPCP and IPXCP use this */+#endif+ #if defined(sun) && defined(sparc) #include <alloca.h> #endif /*sparc*/@@ -397,16 +406,23 @@ ret = UPAP_AUTHACK; f = fopen(filename, "r"); if (f == NULL) {- if (!uselogin) {+ if (!uselogin+#ifdef USE_TACACS_PLUS+ && !usetacacs+#endif+ ) { syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename); ret = UPAP_AUTHNAK; }- } else {+ } ++ else { check_access(f, filename); if (scan_authfile(f, user, our_name, secret, &addrs, filename) < 0 || (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0) && strcmp(crypt(passwd, secret), 
secret) != 0)) {- syslog(LOG_WARNING, "PAP authentication failure for %s", user);+ syslog(LOG_WARNING, "PAP authfile authentication failure for %s",+ user); ret = UPAP_AUTHNAK; } fclose(f);@@ -419,6 +435,17 @@ } } +#if 0 /* currently obsolete, call to tac_login was moved to upap.c */+#ifdef USE_TACACS_PLUS+ if(usetacacs && ret == UPAP_AUTHACK) {+ ret = tac_login(user, passwd);+ if(ret == UPAP_AUTHNAK) {+ syslog(LOG_WARNING, "PAP TACACS+ authentication failure for %s", user);+ }+ }+#endif+#endif+ if (ret == UPAP_AUTHNAK) { *msg = "Login incorrect"; *msglen = strlen(*msg);@@ -510,6 +537,84 @@ } #endif +#ifdef USE_TACACS_PLUS+/* do TACACS+ authentication instead of + * checking username and password against local+ * passwd(5) files+ *+ * returns:+ * UPAP_AUTHNAK: Login failed.+ * UPAP_AUTHACK: Login succeeded.+ */+int+tac_login(auser, apasswd, userlen, passlen, msg, msglen)+ char *auser;+ char *apasswd;+ int userlen;+ int passlen;+ char **msg;+ int *msglen;+{+ char buf[40];+ char *tty;+ char *tacmsg;+ int tac_fd;+ struct tac_attrib *attr;+ char passwd[256], user[256];++ BCOPY(apasswd, passwd, passlen);+ passwd[passlen] = '\0';+ BCOPY(auser, user, userlen);+ user[userlen] = '\0';++ /* record tty name */+ tty = devnam;+ if(strncmp(tty, "/dev/", 5) == 0)+ tty += 5;++ tac_fd=tac_connect(tac_server, tac_servers);++ if(tac_fd < 0) {+ *msg = "TACACS+ server error";+ *msglen = strlen(*msg);+ return(UPAP_AUTHNAK);+ }++ if(tac_authen_pap_send(tac_fd, user, passwd, tty) < 0) {+ *msg = "TACACS+ error";+ *msglen = strlen(*msg);+ return(UPAP_AUTHNAK);+ }++ tacmsg=tac_authen_pap_read(tac_fd);++ /* authentication failed, return */+ if(tacmsg != NULL) {+ syslog(LOG_ERR, "TACACS+ authentication failed for `%s': %s",+ user, tacmsg);+ *msg = tacmsg;+ *msglen = strlen(*msg);+ return(UPAP_AUTHNAK);+ }++ close(tac_fd);++ syslog(LOG_INFO, "user %s logged in", user);+ logwtmp(tty, user, "");+ logged_in = TRUE;++ /* store username for accounting and authorization functions */+ tac_username = 
(char *) xcalloc(1, strlen(user)+1);+ strncpy(tac_username, user, strlen(user));+ + *msg = "Login ok";+ *msglen = strlen(*msg);++ return (UPAP_AUTHACK);++}+#endif /* USE_TACACS_PLUS */+ /* * login - Check the user name and password against the system * password database, and login the user if OK.@@ -590,6 +695,7 @@ logged_in = TRUE; return (UPAP_AUTHACK);+ } /*@@ -605,6 +711,7 @@ tty += 5; logwtmp(tty, "", ""); /* Wipe out wtmp logout entry */ logged_in = FALSE;+ } diff -ruN ppp-2.2.0g/pppd/auth_tac.c ppp-2.2.0g.tacacs/pppd/auth_tac.c--- ppp-2.2.0g/pppd/auth_tac.c Thu Jan 1 01:00:00 1970+++ ppp-2.2.0g.tacacs/pppd/auth_tac.c Mon Feb 16 18:06:14 1998@@ -0,0 +1,911 @@+/* auth_tac.c - TACACS+ PAP authentication for pppd+ * + * Copyright 1997-98 by Pawel Krawczyk <kravietz@ceti.com.pl>+ *+ * Distributed under GPL.+ *+ * See http://www.ceti.com.pl/~kravietz/progs/tacacs.html+ * for details.+ */++#include <stdio.h>+#include <unistd.h> /* getpid() */+#include <stdlib.h> /* rand(), calloc() */+#include <time.h>+#include <syslog.h>+#include <errno.h>+#include <netinet/in.h> /* htonl,... */+#include <string.h> /* bcopy,... */+#include <netdb.h> /* getservbyname */+#include "tacplus.h"+#include "md5.h"+#include "magic.h"+#include "auth_tac.h"+//#include "pppd.h"++#define MD5_LEN 16++int tac_ver_major=1;+int tac_ver_minor=5;++/* external and global vars used */+int session_id; /* session storage for session_id */+extern char *tac_secret; /* TACACS+ shared secret */+extern int tac_encryption; /* do we encrypt packets? 
*/+char *system_err_msg="Authentication error, please contact administrator.";+char *protocol_err_msg="Protocol error.";+char *author_ok_msg="Service granted.";+char *author_fail_msg="Service not allowed.";+char *author_err_msg="Protocol error.";++/* functions in this file */+int tac_connect(u_long *server, int servers);+int tac_authen_pap_send(int fd, char *user, char *pass, char *tty);+char *tac_authen_pap_read(int fd);+HDR *_tac_req_header(u_char type);+void _tac_crypt(u_char *buf, HDR *th, int length);+char *_tac_check_header(HDR *th, int type);+u_char *tac_pseudo_pad(int len, HDR *hdr);+void tac_add_attrib(struct tac_attrib *attr, char *name, char *value);+void tac_free_attrib(struct tac_attrib *attr);+int tac_account_send(int fd, int type, char *user, char *tty,+ struct tac_attrib *attr);+char *tac_account_read(int fd);+int tac_author_send(int fd, char *username, char *tty, + struct tac_attrib *attr);+struct areply *tac_author_read(int fd);+void *xcalloc(size_t nmemb, size_t size);+void *xrealloc(void *ptr, size_t size);++/* this functions returns file descriptor+ * of connection to the TACACS+ server + *+ * since v1.4 it also supports switching to+ * secondary servers if some of them don't work+ */+int tac_connect(u_long *server, int servers) {+ struct sockaddr_in serv_addr;+ struct servent *s;+ int fd;+ int tries = 0;++ if(!servers) {+ syslog(LOG_ERR, "no TACACS+ servers defines");+ return(-1);+ }++ while(tries < servers) { ++ bzero( (char *) &serv_addr, sizeof(serv_addr));+ serv_addr.sin_addr.s_addr = server[tries];++ s=getservbyname("tacacs", "tcp");+ if(s == NULL) + serv_addr.sin_port = htons(TAC_PLUS_PORT);+ else+ serv_addr.sin_port = s->s_port;++ if((fd=socket(AF_INET, SOCK_STREAM, 0)) < 0) {+ syslog(LOG_WARNING, + "socket creation error for %s: %m",+ ip_ntoa(server[tries]));+ tries++;+ continue;+ }++ if(connect(fd, (struct sockaddr *) &serv_addr, + sizeof(serv_addr)) < 0)+ {+ syslog(LOG_WARNING, + "connection to %s failed: %m",+ 
ip_ntoa(server[tries]));+ tries++;+ continue;+ }++ /* connected ok */+ TACDEBUG((LOG_DEBUG, "%s: connected to %s", __FUNCTION__, \+ ip_ntoa(server[tries])));+ return(fd);+ }++ /* all attempts failed */+ syslog(LOG_ERR, "all possible TACACS+ servers failed");+ return(-1);++} /* tac_connect */++/* this function returns pre-filled TACACS++ * packet header of given type+ * 1. you MUST fill th->datalength and th->version+ * 2. you MAY fill th->encryption, th->version+ * 3. you are responsible for freeing allocated header + */+HDR *_tac_req_header(u_char type) {+ HDR *th;++ th=(HDR *) xcalloc(1, TAC_PLUS_HDR_SIZE);++ /* preset some packet options in header */+ th->type=type;+ th->seq_no=1; /* always 1 for request */+ th->encryption=TAC_PLUS_ENCRYPTED;+ + /* make session_id from pseudo-random number */+ session_id=magic();+ th->session_id=htonl(session_id);++ return(th);+}++int tac_author_send(int fd, char *user, char *tty, struct tac_attrib *attr) {+ HDR *th;+ struct author tb;+ u_char user_len, port_len;
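Review bot: In the README.tacacs hunk, step 4 tells the user to apply `pppd-tacacs.patch` while this file is distributed as `pppd-2.2.0g.patch`; the two names should agree. The same hunk has a few wording slips worth fixing before merge: step 2 "Download and original pppd sources" is missing a word, step 10 has "similiar" and "This option tell pppd", and the note "since current version you should use tacacs option instead of previous login" would be clearer as "since version 1.3 the `tacacs` option replaces `login`" (the ChangeLog hunk dates that change to 1.3).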
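Review bot: The Makefile.linux hunk mixes unrelated build-setting changes into the TACACS+ feature: `# CC = gcc` is uncommented, `DEBUG_FLAGS = -DDEBUGALL` becomes a commented-out `-DDEBUGTAC`, and `-lbind -L/usr/local/lib` is dropped from LIBS, none of which the README mentions. Keep only the `ifdef USE_TACACS_PLUS` block (and, if needed, the `USE_BIND8` block) in this patch and leave the original CC/DEBUG_FLAGS/LIBS lines alone. The `USE_BIND8` workaround (`-D__inet_addr=inet_addr -D__inet_aton=inet_aton -D__inet_ntoa=inet_ntoa`) renames libc symbols via the preprocessor; it deserves a comment explaining which header declares the `__`-prefixed names, and a TODO to drop it once the BIND 8 headers are handled properly.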
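Review bot: The first auth.c hunk adds an unconditional `#include <linux/if_ppp.h>`, but auth.c is shared across platforms (the same file carries `#if defined(sun) && defined(sparc)` a few lines below). Either guard it with `#ifdef __linux__` or move it under the `#ifdef USE_TACACS_PLUS` block that follows, and say in a comment which declaration it is needed for.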
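Review bot: The auth.c hunk at `@@ -397,16 +406,23 @@` splits the original `} else {` into `}`, a blank line and `else {` on separate lines, which is whitespace churn that hides the real change; keep the original brace layout. The real change, `if (!uselogin && !usetacacs)` assembled from `#ifdef USE_TACACS_PLUS` fragments inside the condition, is hard to read; computing a single flag before the `if` (for example `int remote_auth = uselogin; #ifdef USE_TACACS_PLUS remote_auth |= usetacacs; #endif`) keeps the condition on one line.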
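Review bot: The auth.c hunk at `@@ -419,6 +435,17 @@` adds a `#if 0 /* currently obsolete, call to tac_login was moved to upap.c */` block; dead code under `#if 0` should be deleted rather than committed, since the comment already records where the call now lives. Also note that this patch excerpt never shows the upap.c change it refers to, so the reviewer cannot confirm the `tac_login` call site exists.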
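Review bot: In the `tac_login()` hunk (`@@ -510,6 +537,84 @@`) the socket returned by `tac_connect()` leaks on both failure paths: the `tac_authen_pap_send(...) < 0` branch and the `tacmsg != NULL` branch both `return(UPAP_AUTHNAK)` without `close(tac_fd)`, and `close(tac_fd)` only runs on success. Add the close before each early return (or a single cleanup label). The same function copies the peer-supplied name and password into `char passwd[256], user[256]` with `BCOPY(apasswd, passwd, passlen); passwd[passlen] = '\0';` and no check on `passlen`/`userlen`; it relies on the PAP caller never passing more than 255 bytes, which should at least be stated in a comment or enforced with an explicit `if (passlen > 255 || userlen > 255) return UPAP_AUTHNAK;`. Minor points: `buf[40]` and `attr` are declared but never used; `tac_username` is allocated with `xcalloc` and filled with `strncpy(..., strlen(user))`, where a plain `strcpy` says the same thing, and a previous allocation is never freed if the function runs twice; `*msg = tacmsg` hands out a buffer whose ownership (`tac_authen_pap_read` return) is not documented.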
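Review bot: The two auth.c hunks at `@@ -590,6 +695,7 @@` and `@@ -605,6 +711,7 @@` each add only a blank line inside `login()` and `logout()`; drop these whitespace-only changes from the patch.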
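Review bot: In the new auth_tac.c, `tac_connect()` leaks a file descriptor for every server that fails: when `connect()` fails the code does `syslog(...); tries++; continue;` without `close(fd)`, so with several unreachable servers listed in `tacacs-server` each call burns one descriptor per failed server. Add `close(fd);` before the `continue`. Other points in the same hunk: `//#include "pppd.h"` is a C++-style comment in a C89 code base and should be removed or written as `/* */`; the log message `"no TACACS+ servers defines"` should read "defined"; the `_tac_req_header()` comment lists `th->version` under both "MUST fill" and "MAY fill", and the function hard-codes `th->encryption=TAC_PLUS_ENCRYPTED` although a `tac_encryption` flag is declared `extern` above, so the relationship between the two (who honours `-tacacs-encryption`) needs a comment; `getservbyname("tacacs", "tcp")` is called once per loop iteration and can be hoisted above the `while`.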