
Bug 194198

Summary: net-dialup/ppp auth-fail enhancement
Product: Gentoo Linux Reporter: Jaco Kroon <jaco>
Component: Current packages Assignee: Alin Năstac (RETIRED) <mrness>
Status: RESOLVED INVALID    
Severity: normal CC: net-dialup
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: ppp-2.4.4-auth_not_possible.patch

Description Jaco Kroon 2007-09-29 14:02:41 UTC
Hi,

In a similar vein to bug 180180 I would like to get the auth-fail script executed if we are unable to obtain credentials to authenticate with, however, the only place I could locate to detect this is in lcp.c and whilst the patch I'm about to attach works I'd prefer if someone can point me at a better way of doing this.

Basically all this does is that if the peer requests authentication but we are unable to present it with credentials (debug message "No auth is possible") then I make a call to auth_script.  IMHO there should be a better way to do this, preferably only call the auth_script once we receive the TermReq LCP packet from the peer.  As it stands the auth-fail script gets executed multiple times, and it litters the logs due to the fact that I restart net.${linkname} from that script.

The debug log before the patch looks like:

Plugin rp-pppoe.so loaded.
RP-PPPoE plugin version 3.3 compiled against pppd 2.4.4
using channel 33
Using interface ppp1
Connect: ppp1 <--> exteth
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
rcvd [LCP ConfReq id=0x1 <mru 1492> <auth pap> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth pap>]
rcvd [LCP ConfAck id=0x1 <mru 1492> <magic 0xbc16efbe>]
rcvd [LCP ConfReq id=0x2 <mru 1492> <auth chap MD5> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x2 <auth chap MD5>]
rcvd [LCP ConfReq id=0x3 <mru 1492> <auth pap> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x3 <auth pap>]
rcvd [LCP ConfReq id=0x4 <mru 1492> <auth chap MD5> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x4 <auth chap MD5>]
rcvd [LCP ConfReq id=0x5 <mru 1492> <auth pap> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x5 <auth pap>]
rcvd [LCP ConfReq id=0x6 <mru 1492> <auth chap MD5> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x6 <auth chap MD5>]
rcvd [LCP ConfReq id=0x7 <mru 1492> <auth pap> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x7 <auth pap>]
rcvd [LCP ConfReq id=0x8 <mru 1492> <auth chap MD5> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x8 <auth chap MD5>]
rcvd [LCP ConfReq id=0x9 <mru 1492> <auth pap> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x9 <auth pap>]
rcvd [LCP ConfReq id=0xa <mru 1492> <auth chap MD5> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0xa <auth chap MD5>]
rcvd [LCP TermReq id=0xb]
sent [LCP TermAck id=0xb]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
LCP: timeout sending Config-Requests
Connection terminated.
Modem hangup
Terminating on signal 2

So the auth-fail script is executed for each "No auth is possible", instead of once at TermReq.  If anybody would like to point me at a better way, please go for it.  Patch constructed against net-dialup/ppp-2.4.4-r9
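
The once-per-negotiation behaviour asked for above can be seen from the log side. This is an added example, not part of the original report, the attached patch or the ppp sources: the function names and the output line format are assumptions, and the sample input is constructed by shortening the debug log in the report.

```shell
#!/bin/sh
# Added example: not from the bug report, the attached patch or the ppp sources.
# Reads pppd debug output on stdin and prints ONE line per LCP negotiation that
# the peer ended with TermReq after pppd logged "No auth is possible".
no_auth_events() {
    awk '
        function reset() { rejects = 0; offered = ""; last = ""; split("", seen) }
        # A new link starts a fresh negotiation.
        /^Connect: / { reset() }
        # The peer asks for an auth protocol in its ConfReq: remember which.
        /^rcvd \[LCP ConfReq / && match($0, /<auth [^>]*>/) {
            last = substr($0, RSTART + 6, RLENGTH - 7)
        }
        # pppd has no usable secret for that protocol: count it, report nothing yet.
        /^No auth is possible/ {
            rejects++
            if (last != "" && !(last in seen)) {
                seen[last] = 1
                offered = offered (offered == "" ? "" : ",") last
            }
        }
        # The peer gives up: this is the single point worth acting on.
        /^rcvd \[LCP TermReq / {
            if (rejects > 0)
                printf "no-auth-termination rejects=%d offered=%s\n", rejects, offered
            reset()
        }
    '
}

# Constructed sample input, shortened from the debug log in the report.
sample_log() {
    cat <<'EOF'
Connect: ppp1 <--> exteth
sent [LCP ConfReq id=0x1 <mru 1492> <magic 0xbc16efbe>]
rcvd [LCP ConfReq id=0x1 <mru 1492> <auth pap> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x1 <auth pap>]
rcvd [LCP ConfReq id=0x2 <mru 1492> <auth chap MD5> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x2 <auth chap MD5>]
rcvd [LCP ConfReq id=0x3 <mru 1492> <auth pap> <magic 0x1a964226>]
No auth is possible
sent [LCP ConfRej id=0x3 <auth pap>]
rcvd [LCP TermReq id=0x4]
sent [LCP TermAck id=0x4]
EOF
}

sample_log | no_auth_events
```

Three rejected requests collapse into a single reported event, so anything driven by that line (a restart of net.${linkname}, an alert) runs once rather than once per ConfRej.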
Comment 1 Jaco Kroon 2007-09-29 14:03:21 UTC
Created attachment 132172
ppp-2.4.4-auth_not_possible.patch
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2007-09-29 14:20:30 UTC
I don't understand exactly why you want such a thing. The "no auth is possible" is triggered only by bad configurations (when either you disable all authentication methods or the *-secrets files don't contain any entry).
auth-fail script on the other hand is executed when the negotiated authentication method has failed.
Comment 3 Jaco Kroon 2007-09-29 22:06:13 UTC
I live in SA, and to make the best possible use of already paid for bandwidth I dynamically muck around with chap-secrets.  At the end of the month some of my accounts expire and I remove them from chap-secrets, however, I don't want to immediately restart the pppd process to make use of the new/alternative accounts since I can still use them for a few hours (up to 24), so when the ISP disconnects me pppd fails to authenticate with "No auth is possible", at this point I would like to restart pppd in order to make use of the new accounts.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2007-09-30 06:14:43 UTC
Just don't remove the obsolete secret entry as long as your ISP hasn't rejected you yet. Or replace the password in *-secrets with something else (e.g. "UNKNOWN").

Closed as INVALID.
Comment 5 Jaco Kroon 2007-09-30 07:58:34 UTC
I would still have preferred the hook, but the invalid password trick should suffice as well, thanks for the tip.