pppd-2.3.4.patch

pppd unix下使用的 pppd拨号程序源码

diff -ruN ppp-2.3.4/README.tacacs ppp-2.3.4.tacacs/README.tacacs
--- ppp-2.3.4/README.tacacs	Thu Jan  1 01:00:00 1970
+++ ppp-2.3.4.tacacs/README.tacacs	Sat May  9 22:42:29 1998
@@ -0,0 +1,127 @@
+
+                          TACACS+ support for pppd
+                                      
+   
+    Copyright 1997-98 by Pawel Krawczyk <kravietz@ceti.com.pl>
+    
+                           Distributed under GPL
+                                      
+Introduction
+
+   This module supports subset of TACACS+ functions allowing a Linux
+   dialup server to authenticate, authorize and account users on remote
+   authentication server. This includes:
+   
+     * PAP authentication
+     * authorization for IP protocol
+     * accounting of PPP session beginning and end
+       
+   All above functions are performed from within pppd program with
+   username and password passed with PPP protocol. In addition, there is
+   standalone TACACS+ client program - tacc, which can be used as
+   replacement for login program in getty style dialup server programs.
+   
+Installation
+
+    1. Download the distribution from:
+       http://ceti.com.pl/~kravietz/progs/tacacs.html
+    2. Download and original pppd sources. This program was developed on
+       version 2.3.4. You can find pppd sources on local sunsite.unc.edu
+       mirror, or use http://ftpsearch.ntnu.no/
+    3. Compile tacc. You can find instructions in README in tacc subdirectory.
+    4. Apply the patch to pppd source tree:
+
+        patch -p0 <pppd-2.3.4.patch
+
+    5. Configure pppd sources as described in INSTALL file.
+    6. Run make, with the following extra parameter:
+       
+	make USE_TACACS=1
+
+  	You should also check TACACS_DIR definition in pppd/Makefile.linux.
+   	Its set to /usr/src/tacc-1.6.2 by default, you could need to change
+   	it.
+                
+    7. You should now have two programs: tacc and pppd. You should
+       install them in appropriate directory and configure your dialup
+       server to actually use them. The following is example of my
+       /etc/mgetty/login.conf:
+
+/AutoPPP/ -     autoppp /usr/sbin/pppd auth -chap +pap tacacs debug -detach
+*         -     @       /usr/local/sbin/tacc @
+
+    8. Configure your TACACS+ server. You can get it from
+       ftp://ftpeng.cisco.com/pub/tacacs/. Following options are
+       necessary in tac_plus configuration file:
+       
+        default authentication = file filename
+                passwd(5) file; use /etc/passwd even if you have shadow
+                passwords suite installed
+                
+        key = "string"
+                key used to encrypt TACACS+ packets over the network
+                
+        user = DEFAULT { default service = permit }
+                permit all valid and authenticated users to use PPP
+                
+       For more details about configuring TACACS+ server refer to
+       users_guide in the server distribution.
+    9. Following options are recognized by pppd in /etc/ppp/options
+	   file or command line:
+
+	tacacs
+		        Use TACACS+ functions
+       
+	tacacs-server aaa.bbb.ccc.ddd
+                TACACS+ server IP address (multiple allowed)
+                
+	tacacs-secret string
+                key used to encrypt TACACS+ packets over the network;
+                should be same as the key defined on TACACS+ server
+                
+	-tacacs-encryption
+		notacacs-encryption
+                send packets cleartext; this is for debugging only, do
+                not use in real operations
+                
+	tacacs-accounting
+                if you want pppd to send TACACS+ accounting packets to
+                the server; currently it includes only start and stop
+                messages
+                
+ 	tacacs-authorization
+	tacacs-authorize (deprecated)
+                if you want pppd to request authorization for use of PPP
+                for already authenticated user; currently this is limited
+                to service PPP and protocol IP
+                
+   10. When running pppd (probably from mgetty or similiar software), add
+       tacacs option, e.g.:
+
+        /usr/sbin/pppd auth +pap -chap tacacs
+
+   Note that since current version you should use tacacs option instead
+       of previous login! This option tell pppd to actually use TACACS+
+       functions.
+   11. Test if this works. If not, that's probably because keys on
+       authentication and dialup servers are different. tacc can be used
+       to test if the TACACS+ server is working correctly:
+
+        $ tacc -TRA -u user -p pass -s localhost -k 'secret key' -w
+        Authentication OK
+        Authorization OK: Service granted.
+        Accounting: START ok
+        Accounting: STOP ok
+        $ _
+       In case of problems recompiling auth_tac.c with -DDEBUGTAC will
+       cause every TACACS+ function report its progress and errors to
+       syslog. I'll appreciate such log file very much if you send me a
+       bug report.
+       
+                                     tacc
+                                       
+   tacc documentation was moved to manual page. It was also extended ;)
+     _________________________________________________________________
+   
+   Latest versions of this patch can be found on:
+   http://www.ceti.com.pl/~kravietz/progs/tacacs.html
Binary files ppp-2.3.4/chat/chat.zip and ppp-2.3.4.tacacs/chat/chat.zip differ
diff -ruN ppp-2.3.4/pppd/Makefile.linux ppp-2.3.4.tacacs/pppd/Makefile.linux
--- ppp-2.3.4/pppd/Makefile.linux	Wed Apr  1 04:06:37 1998
+++ ppp-2.3.4.tacacs/pppd/Makefile.linux	Sat May  9 22:35:27 1998
@@ -26,18 +26,19 @@
 
 # CC = gcc
 #
-COPTS = -O2 -pipe -Wall -g
+COPTS = -O2 -pipe -Wall -s
+#COPTS = -ggdb3 -pipe
 VER = 2.3.4
 LIBS =
 
-ifneq ($(wildcard /usr/lib/libcrypt*),)
-LIBS += -lcrypt
-endif
+#ifneq ($(wildcard /usr/lib/libcrypt*),)
+#LIBS += -lcrypt
+#endif
 
 # Uncomment the next 2 lines to include support for Microsoft's
 # MS-CHAP authentication protocol.
-CHAPMS=y
-USE_CRYPT=y
+#CHAPMS=y
+#USE_CRYPT=y
 ifneq ($(wildcard /usr/lib/libcrypt*),)
 HAVE_CRYPT_H=y
 endif
@@ -48,7 +49,7 @@
 
 INCLUDE_DIRS= -I../include
 
-COMPILE_FLAGS= -D_linux_=1 -DHAVE_PATHS_H -DIPX_CHANGE
+COMPILE_FLAGS= -D_linux_=1 -DHAVE_PATHS_H -DIPX_CHANGE # -D__inet_ntoa=inet_ntoa -D__inet_addr=inet_addr
 
 CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS)
 
@@ -83,6 +84,13 @@
 ifdef LOCKLIB
 LIBS     := -llock $(LIBS)
 CFLAGS   += -DLOCKLIB=1
+endif
+
+# TACACS+ library should be in already compiled in separate directory
+ifdef USE_TACACS
+TACACS_DIR :=	/usr/src/tacc-1.6.3
+CFLAGS	+= -DUSE_TACACS_PLUS -I$(TACACS_DIR)/include
+LIBS    := -ltac $(LIBS) -L$(TACACS_DIR)/lib
 endif
 
 install: pppd
diff -ruN ppp-2.3.4/pppd/auth.c ppp-2.3.4.tacacs/pppd/auth.c
--- ppp-2.3.4/pppd/auth.c	Thu Mar 26 05:46:00 1998
+++ ppp-2.3.4.tacacs/pppd/auth.c	Sun Apr 19 09:34:06 1998
@@ -55,11 +55,20 @@
 #include <netdb.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
+//#include <linux/if_ppp.h>
 
 #ifdef USE_PAM
 #include <security/pam_appl.h>
 #endif
 
+#ifdef USE_TACACS_PLUS
+#include "tacplus.h"
+#include "libtac.h"
+short int task_id;		/* connection identifier for accounting */
+char *tac_username;	/* storage between tac_login() and logout(), also used
+					   by IPCP */
+#endif
+
 #ifdef HAS_SHADOW
 #include <shadow.h>
 #ifndef PW_PPP
@@ -529,7 +538,11 @@
      * Check whether we have appropriate secrets to use
      * to authenticate the peer.
      */
+#ifdef USE_TACACS_PLUS
+    can_auth = wo->neg_upap && (usetacacs || uselogin || have_pap_secret());
+#else
     can_auth = wo->neg_upap && (uselogin || have_pap_secret());
+#endif
     if (!can_auth && wo->neg_chap) {
 	remote = ipwo->accept_remote? 0: ipwo->hisaddr;
 	can_auth = have_chap_secret(remote_name, our_name, remote);
@@ -582,7 +595,11 @@
     ao->neg_chap = !refuse_chap
 	&& have_chap_secret(user, remote_name, (u_int32_t)0);
 
+#ifdef USE_TACACS_PLUS
+    if (go->neg_upap && !uselogin && !usetacacs && !have_pap_secret())
+#else
     if (go->neg_upap && !uselogin && !have_pap_secret())
+#endif
 	go->neg_upap = 0;
     if (go->neg_chap) {
 	remote = ipwo->accept_remote? 0: ipwo->hisaddr;
@@ -656,7 +673,12 @@
 	fclose(f);
     }
 
-    if (uselogin && ret == UPAP_AUTHACK) {
+#ifdef USE_TACACS_PLUS
+    if ((uselogin || usetacacs)
+#else
+    if (uselogin 
+#endif
+					&& ret == UPAP_AUTHACK) {
 	ret = plogin(user, passwd, msg, msglen);
 	if (ret == UPAP_AUTHNAK) {
 	    syslog(LOG_WARNING, "PAP login failure for %s", user);
@@ -759,6 +781,82 @@
 }
 #endif
 
+#ifdef USE_TACACS_PLUS
+/* do TACACS+ authentication instead of 
+ * checking username and password against local
+ * passwd(5) files
+ *
+ * returns:
+ *	UPAP_AUTHNAK: Login failed.
+ *	UPAP_AUTHACK: Login succeeded.
+ */
+int
+tac_login(auser, apasswd, userlen, passlen, msg, msglen)
+	char *auser;
+	char *apasswd;
+	int userlen;
+	int passlen;
+	char **msg;
+	int *msglen;
+{
+    char *tty;
+    char *tacmsg;
+    int tac_fd;
+    char passwd[256], user[256];
+
+    BCOPY(apasswd, passwd, passlen);
+    passwd[passlen] = '\0';
+    BCOPY(auser, user, userlen);
+    user[userlen] = '\0';
+
+    /* record tty name */
+    tty = devnam;
+    if(strncmp(tty, "/dev/", 5) == 0)
+	tty += 5;
+
+    tac_fd=tac_connect(tac_server, tac_servers);
+
+    if(tac_fd < 0) {
+ 	*msg = "TACACS+ server error";
+	*msglen = strlen(*msg);
+    	return(UPAP_AUTHNAK);
+    }
+
+    if(tac_authen_pap_send(tac_fd, user, passwd, tty) < 0) {
+    	*msg = "TACACS+ error";
+	*msglen = strlen(*msg);
+    	return(UPAP_AUTHNAK);
+    }
+
+    tacmsg=tac_authen_pap_read(tac_fd);
+
+    /* authentication failed, return */
+    if(tacmsg != NULL) {
+     	syslog(LOG_ERR, "TACACS+ authentication failed for `%s': %s",
+								user, tacmsg);
+     	*msg = tacmsg;
+     	*msglen = strlen(*msg);
+     	return(UPAP_AUTHNAK);
+    }
+
+    close(tac_fd);
+
+    syslog(LOG_INFO, "user %s logged in", user);
+    logwtmp(tty, user, "");
+    logged_in = TRUE;
+
+    /* store username for accounting and authorization functions */
+    tac_username = (char *) xcalloc(1, strlen(user)+1);
+    strncpy(tac_username, user, strlen(user));
+    
+    *msg = "Login ok";
+    *msglen = strlen(*msg);
+
+    return (UPAP_AUTHACK);
+
+}
+#endif /* USE_TACACS_PLUS */
+
 /*
  * plogin - Check the user name and password against the system
  * password database, and login the user if OK.
@@ -904,6 +1002,7 @@
     logged_in = TRUE;
 
     return (UPAP_AUTHACK);
+
 }
 
 /*
@@ -941,6 +1040,7 @@
 #endif
 
     logged_in = FALSE;
+
 }
 
 
diff -ruN ppp-2.3.4/pppd/ipcp.c ppp-2.3.4.tacacs/pppd/ipcp.c
--- ppp-2.3.4/pppd/ipcp.c	Wed Mar 25 04:08:48 1998
+++ ppp-2.3.4.tacacs/pppd/ipcp.c	Sat May  9 22:33:54 1998
@@ -39,6 +39,26 @@
 #include "ipcp.h"
 #include "pathnames.h"
 
+#ifdef USE_TACACS_PLUS
+#ifdef _linux_
+#include <net/if.h>
+#if __GLIBC__ >= 2
+#include <asm/types.h>
+#endif
+#include <linux/if_ppp.h>
+#endif
+#include <time.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <signal.h>
+#include "tacplus.h"
+#include "libtac.h"
+#include "magic.h"
+extern char *tac_username;
+extern int task_id;
+struct ifpppstatsreq treq;
+#endif
+
 /* global vars */
 ipcp_options ipcp_wantoptions[NUM_PPP];	/* Options that we want to request */
 ipcp_options ipcp_gotoptions[NUM_PPP];	/* Options that peer ack'd */
@@ -1138,6 +1158,12 @@
     ipcp_options *go = &ipcp_gotoptions[f->unit];
     ipcp_options *wo = &ipcp_wantoptions[f->unit];
 
+#ifdef USE_TACACS_PLUS
+	char *msg;
+	char *tty;
+	struct tac_attrib *attr;
+#endif
+
     np_up(f->unit, PPP_IP);
     IPCPDEBUG((LOG_INFO, "ipcp: up"));
 
@@ -1163,13 +1189,68 @@
     /*
      * Check that the peer is allowed to use the IP address it wants.
      */
-    if (!auth_ip_addr(f->unit, ho->hisaddr)) {
+    if (!auth_ip_addr(f->unit, ho->hisaddr)
+#ifdef USE_TACACS_PLUS
+					/* if there's TACACS+ authorization it takes
+					   precedence over local authorizaition */
+					&& (!tac_authorize && usetacacs)
+#endif
+					) {
 	syslog(LOG_ERR, "Peer is not authorized to use remote address %s",
 	       ip_ntoa(ho->hisaddr));
 	ipcp_close(f->unit, "Unauthorized remote IP address");
 	return;
     }
 
+#ifdef USE_TACACS_PLUS
+	/* Check the TACACS+ authorization for providing IP service */
+
+	if(usetacacs) {