svn commit: r263729 - stable/10/usr.sbin/ctld
Edward Tomasz Napierala
trasz at FreeBSD.org
Tue Mar 25 12:22:31 UTC 2014
Author: trasz
Date: Tue Mar 25 12:22:30 2014
New Revision: 263729
URL: http://svnweb.freebsd.org/changeset/base/263729
Log:
MFC r261763:
Use new auth-type "deny" instead of using "chap" with no chap entries;
it's cleaner this way, and gives better feedback to the user.
Sponsored by: The FreeBSD Foundation
Modified:
stable/10/usr.sbin/ctld/ctl.conf.5
stable/10/usr.sbin/ctld/ctld.c
stable/10/usr.sbin/ctld/ctld.h
stable/10/usr.sbin/ctld/login.c
stable/10/usr.sbin/ctld/parse.y
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/usr.sbin/ctld/ctl.conf.5
==============================================================================
--- stable/10/usr.sbin/ctld/ctl.conf.5 Tue Mar 25 12:20:29 2014 (r263728)
+++ stable/10/usr.sbin/ctld/ctl.conf.5 Tue Mar 25 12:22:30 2014 (r263729)
@@ -103,7 +103,7 @@ The following statements are available a
.Bl -tag -width indent
.It Ic auth-type Ao Ar type Ac
Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
In most cases it is not neccessary to set the type using this clause;
it is usually used to disable authentication for a given auth-group.
.It Ic chap Ao Ar user Ac Aq Ar secret
@@ -157,7 +157,7 @@ Another predefined auth-group, "no-authe
without authentication.
.It Ic auth-type Ao Ar type Ac
Specifies authentication type.
-Type can be either "none", "chap", or "chap-mutual".
+Type can be either "none", "deny", "chap", or "chap-mutual".
In most cases it is not neccessary to set the type using this clause;
it is usually used to disable authentication for a given target.
This clause is mutually exclusive with auth-group; one cannot use
Modified: stable/10/usr.sbin/ctld/ctld.c
==============================================================================
--- stable/10/usr.sbin/ctld/ctld.c Tue Mar 25 12:20:29 2014 (r263728)
+++ stable/10/usr.sbin/ctld/ctld.c Tue Mar 25 12:22:30 2014 (r263729)
@@ -439,6 +439,8 @@ auth_group_set_type_str(struct auth_grou
if (strcmp(str, "none") == 0) {
type = AG_TYPE_NO_AUTHENTICATION;
+ } else if (strcmp(str, "deny") == 0) {
+ type = AG_TYPE_DENY;
} else if (strcmp(str, "chap") == 0) {
type = AG_TYPE_CHAP;
} else if (strcmp(str, "chap-mutual") == 0) {
Modified: stable/10/usr.sbin/ctld/ctld.h
==============================================================================
--- stable/10/usr.sbin/ctld/ctld.h Tue Mar 25 12:20:29 2014 (r263728)
+++ stable/10/usr.sbin/ctld/ctld.h Tue Mar 25 12:22:30 2014 (r263729)
@@ -66,9 +66,10 @@ struct auth_portal {
};
#define AG_TYPE_UNKNOWN 0
-#define AG_TYPE_NO_AUTHENTICATION 1
-#define AG_TYPE_CHAP 2
-#define AG_TYPE_CHAP_MUTUAL 3
+#define AG_TYPE_DENY 1
+#define AG_TYPE_NO_AUTHENTICATION 2
+#define AG_TYPE_CHAP 3
+#define AG_TYPE_CHAP_MUTUAL 4
struct auth_group {
TAILQ_ENTRY(auth_group) ag_next;
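Review bot: Inserting `AG_TYPE_DENY` as 1 renumbers the three existing auth types, which is harmless only if nothing stores, logs or compares the raw numbers; that cannot be confirmed from this hunk. An enum would make the numeric values irrelevant and let the compiler flag any `switch` on `ag_type` that misses a new type: `enum { AG_TYPE_UNKNOWN, AG_TYPE_DENY, AG_TYPE_NO_AUTHENTICATION, AG_TYPE_CHAP, AG_TYPE_CHAP_MUTUAL };`. A one-line comment stating that `AG_TYPE_UNKNOWN` (the zero value) and `AG_TYPE_DENY` are distinct states would also help readers of the login path.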
Modified: stable/10/usr.sbin/ctld/login.c
==============================================================================
--- stable/10/usr.sbin/ctld/login.c Tue Mar 25 12:20:29 2014 (r263728)
+++ stable/10/usr.sbin/ctld/login.c Tue Mar 25 12:22:30 2014 (r263729)
@@ -1034,6 +1034,11 @@ login(struct connection *conn)
return;
}
+ if (ag->ag_type == AG_TYPE_DENY) {
+ login_send_error(request, 0x02, 0x01);
+ log_errx(1, "auth-group type is \"deny\"");
+ }
+
if (ag->ag_type == AG_TYPE_UNKNOWN) {
/*
* This can happen with empty auth-group.
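Review bot: The new `AG_TYPE_DENY` branch has no `return`, so it is correct only if `log_errx(1, ...)` never returns; presumably it terminates the process handling the connection, but nothing in the hunk says so, and a fall-through would carry a denied initiator into the `AG_TYPE_UNKNOWN` check and whatever follows. A short comment would state that invariant and explain the magic status bytes, e.g. `/* 0x02/0x01: initiator error, authentication failure; log_errx() does not return. */`. The log message also carries no initiator or target identity, so rejected logins are hard to attribute from the log alone; consider including whatever name or address `conn` already holds. login() begins and continues outside the hunk.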
Modified: stable/10/usr.sbin/ctld/parse.y
==============================================================================
--- stable/10/usr.sbin/ctld/parse.y Tue Mar 25 12:20:29 2014 (r263728)
+++ stable/10/usr.sbin/ctld/parse.y Tue Mar 25 12:22:30 2014 (r263729)
@@ -729,13 +729,9 @@ conf_new_from_file(const char *path)
assert(ag != NULL);
ag->ag_type = AG_TYPE_NO_AUTHENTICATION;
- /*
- * Here, the type doesn't really matter, as the group doesn't contain
- * any entries and thus will always deny access.
- */
ag = auth_group_new(conf, "no-access");
assert(ag != NULL);
- ag->ag_type = AG_TYPE_CHAP;
+ ag->ag_type = AG_TYPE_DENY;
pg = portal_group_new(conf, "default");
assert(pg != NULL);
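Review bot: The explanatory comment above the "no-access" group is removed without a replacement, so the assignment no longer says why this predefined group is `AG_TYPE_DENY`. The same applies to `ag->ag_type = AG_TYPE_DENY;` for the undefined "default" group in the next hunk (-765/+761). Both are fail-closed defaults and deserve a one-line comment each, e.g. `/* Predefined group that rejects every login. */` and `/* No "default" auth-group configured: fail closed. */`. conf_new_from_file() starts and ends outside both hunks.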
@@ -765,7 +761,7 @@ conf_new_from_file(const char *path)
"going with defaults");
ag = auth_group_find(conf, "default");
assert(ag != NULL);
- ag->ag_type = AG_TYPE_CHAP;
+ ag->ag_type = AG_TYPE_DENY;
}
if (conf->conf_default_pg_defined == false) {