Date: Tue, 25 Mar 2014 12:22:30 +0000 (UTC) From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r263729 - stable/10/usr.sbin/ctld Message-ID: <201403251222.s2PCMU9H076758@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: trasz Date: Tue Mar 25 12:22:30 2014 New Revision: 263729 URL: http://svnweb.freebsd.org/changeset/base/263729 Log: MFC r261763: Use new auth-type "deny" instead of using "chap" with no chap entries; it's cleaner this way, and gives better feedback to the user. Sponsored by: The FreeBSD Foundation Modified: stable/10/usr.sbin/ctld/ctl.conf.5 stable/10/usr.sbin/ctld/ctld.c stable/10/usr.sbin/ctld/ctld.h stable/10/usr.sbin/ctld/login.c stable/10/usr.sbin/ctld/parse.y Directory Properties: stable/10/ (props changed) Modified: stable/10/usr.sbin/ctld/ctl.conf.5 ============================================================================== --- stable/10/usr.sbin/ctld/ctl.conf.5 Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/ctl.conf.5 Tue Mar 25 12:22:30 2014 (r263729) @@ -103,7 +103,7 @@ The following statements are available a .Bl -tag -width indent .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given auth-group. .It Ic chap Ao Ar user Ac Aq Ar secret @@ -157,7 +157,7 @@ Another predefined auth-group, "no-authe without authentication. .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given target. This clause is mutually exclusive with auth-group; one cannot use Modified: stable/10/usr.sbin/ctld/ctld.c ============================================================================== --- stable/10/usr.sbin/ctld/ctld.c Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/ctld.c Tue Mar 25 12:22:30 2014 (r263729) @@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_grou if (strcmp(str, "none") == 0) { type = AG_TYPE_NO_AUTHENTICATION; + } else if (strcmp(str, "deny") == 0) { + type = AG_TYPE_DENY; } else if (strcmp(str, "chap") == 0) { type = AG_TYPE_CHAP; } else if (strcmp(str, "chap-mutual") == 0) { Modified: stable/10/usr.sbin/ctld/ctld.h ============================================================================== --- stable/10/usr.sbin/ctld/ctld.h Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/ctld.h Tue Mar 25 12:22:30 2014 (r263729) @@ -66,9 +66,10 @@ struct auth_portal { }; #define AG_TYPE_UNKNOWN 0 -#define AG_TYPE_NO_AUTHENTICATION 1 -#define AG_TYPE_CHAP 2 -#define AG_TYPE_CHAP_MUTUAL 3 +#define AG_TYPE_DENY 1 +#define AG_TYPE_NO_AUTHENTICATION 2 +#define AG_TYPE_CHAP 3 +#define AG_TYPE_CHAP_MUTUAL 4 struct auth_group { TAILQ_ENTRY(auth_group) ag_next; Modified: stable/10/usr.sbin/ctld/login.c ============================================================================== --- stable/10/usr.sbin/ctld/login.c Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/login.c Tue Mar 25 12:22:30 2014 (r263729) @@ -1034,6 +1034,11 @@ login(struct connection *conn) return; } + if (ag->ag_type == AG_TYPE_DENY) { + login_send_error(request, 0x02, 0x01); + log_errx(1, "auth-group type is \"deny\""); + } + if (ag->ag_type == AG_TYPE_UNKNOWN) { /* * This can happen with empty auth-group. Modified: stable/10/usr.sbin/ctld/parse.y ============================================================================== --- stable/10/usr.sbin/ctld/parse.y Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/parse.y Tue Mar 25 12:22:30 2014 (r263729) @@ -729,13 +729,9 @@ conf_new_from_file(const char *path) assert(ag != NULL); ag->ag_type = AG_TYPE_NO_AUTHENTICATION; - /* - * Here, the type doesn't really matter, as the group doesn't contain - * any entries and thus will always deny access. - */ ag = auth_group_new(conf, "no-access"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; pg = portal_group_new(conf, "default"); assert(pg != NULL); @@ -765,7 +761,7 @@ conf_new_from_file(const char *path) "going with defaults"); ag = auth_group_find(conf, "default"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; } if (conf->conf_default_pg_defined == false) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403251222.s2PCMU9H076758>