From owner-svn-src-all@FreeBSD.ORG Tue Mar 25 12:22:31 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8891616A; Tue, 25 Mar 2014 12:22:31 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 73AEA34F; Tue, 25 Mar 2014 12:22:31 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s2PCMV3P076767; Tue, 25 Mar 2014 12:22:31 GMT (envelope-from trasz@svn.freebsd.org) Received: (from trasz@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s2PCMU9H076758; Tue, 25 Mar 2014 12:22:30 GMT (envelope-from trasz@svn.freebsd.org) Message-Id: <201403251222.s2PCMU9H076758@svn.freebsd.org> From: Edward Tomasz Napierala Date: Tue, 25 Mar 2014 12:22:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r263729 - stable/10/usr.sbin/ctld X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Mar 2014 12:22:31 -0000 Author: trasz Date: Tue Mar 25 12:22:30 2014 New Revision: 263729 URL: http://svnweb.freebsd.org/changeset/base/263729 Log: MFC r261763: Use new auth-type "deny" instead of using "chap" with no chap entries; it's cleaner this way, and gives better feedback to the user. Sponsored by: The FreeBSD Foundation Modified: stable/10/usr.sbin/ctld/ctl.conf.5 stable/10/usr.sbin/ctld/ctld.c stable/10/usr.sbin/ctld/ctld.h stable/10/usr.sbin/ctld/login.c stable/10/usr.sbin/ctld/parse.y Directory Properties: stable/10/ (props changed) Modified: stable/10/usr.sbin/ctld/ctl.conf.5 ============================================================================== --- stable/10/usr.sbin/ctld/ctl.conf.5 Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/ctl.conf.5 Tue Mar 25 12:22:30 2014 (r263729) @@ -103,7 +103,7 @@ The following statements are available a .Bl -tag -width indent .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given auth-group. .It Ic chap Ao Ar user Ac Aq Ar secret @@ -157,7 +157,7 @@ Another predefined auth-group, "no-authe without authentication. .It Ic auth-type Ao Ar type Ac Specifies authentication type. -Type can be either "none", "chap", or "chap-mutual". +Type can be either "none", "deny", "chap", or "chap-mutual". In most cases it is not neccessary to set the type using this clause; it is usually used to disable authentication for a given target. This clause is mutually exclusive with auth-group; one cannot use Modified: stable/10/usr.sbin/ctld/ctld.c ============================================================================== --- stable/10/usr.sbin/ctld/ctld.c Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/ctld.c Tue Mar 25 12:22:30 2014 (r263729) @@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_grou if (strcmp(str, "none") == 0) { type = AG_TYPE_NO_AUTHENTICATION; + } else if (strcmp(str, "deny") == 0) { + type = AG_TYPE_DENY; } else if (strcmp(str, "chap") == 0) { type = AG_TYPE_CHAP; } else if (strcmp(str, "chap-mutual") == 0) { Modified: stable/10/usr.sbin/ctld/ctld.h ============================================================================== --- stable/10/usr.sbin/ctld/ctld.h Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/ctld.h Tue Mar 25 12:22:30 2014 (r263729) @@ -66,9 +66,10 @@ struct auth_portal { }; #define AG_TYPE_UNKNOWN 0 -#define AG_TYPE_NO_AUTHENTICATION 1 -#define AG_TYPE_CHAP 2 -#define AG_TYPE_CHAP_MUTUAL 3 +#define AG_TYPE_DENY 1 +#define AG_TYPE_NO_AUTHENTICATION 2 +#define AG_TYPE_CHAP 3 +#define AG_TYPE_CHAP_MUTUAL 4 struct auth_group { TAILQ_ENTRY(auth_group) ag_next; Modified: stable/10/usr.sbin/ctld/login.c ============================================================================== --- stable/10/usr.sbin/ctld/login.c Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/login.c Tue Mar 25 12:22:30 2014 (r263729) @@ -1034,6 +1034,11 @@ login(struct connection *conn) return; } + if (ag->ag_type == AG_TYPE_DENY) { + login_send_error(request, 0x02, 0x01); + log_errx(1, "auth-group type is \"deny\""); + } + if (ag->ag_type == AG_TYPE_UNKNOWN) { /* * This can happen with empty auth-group. Modified: stable/10/usr.sbin/ctld/parse.y ============================================================================== --- stable/10/usr.sbin/ctld/parse.y Tue Mar 25 12:20:29 2014 (r263728) +++ stable/10/usr.sbin/ctld/parse.y Tue Mar 25 12:22:30 2014 (r263729) @@ -729,13 +729,9 @@ conf_new_from_file(const char *path) assert(ag != NULL); ag->ag_type = AG_TYPE_NO_AUTHENTICATION; - /* - * Here, the type doesn't really matter, as the group doesn't contain - * any entries and thus will always deny access. - */ ag = auth_group_new(conf, "no-access"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; pg = portal_group_new(conf, "default"); assert(pg != NULL); @@ -765,7 +761,7 @@ conf_new_from_file(const char *path) "going with defaults"); ag = auth_group_find(conf, "default"); assert(ag != NULL); - ag->ag_type = AG_TYPE_CHAP; + ag->ag_type = AG_TYPE_DENY; } if (conf->conf_default_pg_defined == false) {