Re: Can I execute a script _after_ PAP authentication is complete?

"Chris Nelson" <cnelson@xxxxxxxxxxxx> writes:
authentication? Presumably at that point, CALLER_ID would still be in
the environment and, I'd hope, the PPP user name would be available
somehow so I could act on the combination of those two values.
[...]
I suspect it's really this latter one that you'll want to use.

Why the latter? Building a binary plug-in seems a *lot* more work than
writing a script. Is it just that it's a more secure mechanism (the
code can't be read, even if the file can be seen)? Also, while I said

No, that's not the reason.

The reason is that it sounds like you want to make the access decision
based on a combination of factors -- the authentication data supplied
by the peer *plus* some additional factors.

In order to do that correctly, you need to be synchronous with the
rest of the framework operation. If you use auth-up (or, worse,
ip-up), then the "bad" user who authenticates correctly but is calling
from the wrong location will be able to gain access for a short period
of time before your script runs, you find the problem, and you kill
off the connection.

You're introducing an unnecessary race condition.

"after PAP authentication" I really meant just authentication; I'm
using PAP now but I'd rather be flexible in case I add/use another
method later.

Sure. auth-up works for both, though it's not what you really need
here.

It seems to me that by using ip-up, I can secure against
misconfiguration or hacking so that if someone gets in without
authentication I can trap it and drop the link in ip-up. If I put my
code in auth-up then if noauth gets into the mix my code won't get
executed. Right?

How exactly does "noauth" get "into the mix?" It needs to be added by
someone with root privileges -- all of the files that can specify that
option are writable only by root. If it's getting "into the mix," I
think it means that you have a root user who is vandalizing the
system. All bets are off if that happens, as such a user can scribble
on /dev/kmem.

In any event, if you want to use it with "noauth" (relying on just
some external data to authenticate the connection, and nothing else),
then the same sorts of issues apply, though the regular PAP auth hook
won't work. I think you'll need to modify the main pppd code to do
that correctly.

echo "CALLER_ID=$CALLER_ID;export CALLER_ID" >/etc/ppp/cid.$DEVICE

Nit: use /var instead. I also suggest that you just write the value
itself into the file, and read it back, rather than using "." to
execute that file. Executing dynamically-created content can be a bit
hazardous.

/usr/sbin/pppd silent auth -chap +pap

That might not do what you're expecting. "+pap" is the deprecated
(obsolete) alias of the "require-pap" option. It causes pppd to
demand PAP from the peer.

However, "-chap" is "refuse-chap." That means that if the peer asks
us to identify *ourselves* using CHAP, we'll refuse. Do your clients
ask your server for authentication? That's not often done.

The +/- flags here are not at all symmetric in operation.

Also note that "silent" likely doesn't do anything good here. This
should *not* have to be done. If it does, then it sounds like there
are bugs somewhere.

I imagine the same code could be in auth-up.

The problem is (still) that those scripts are fired off by pppd when
the event occurs, but that the PPP link itself intentionally isn't
"paused" to wait for them to complete.

If you're trying to add another authentication factor, this isn't the
place to do it.

--
James Carlson, KISS Network <james.d.carlson@xxxxxxx>
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
.

Relevant Pages

  • PAP problem (GPRS connection problem) under CE.net
    ... Authentication Protocol (PAP) in Window CE. ... The problem seems to come from the way the Identifier field of PPP packets ... changed after each emission of an authentication request. ...
    (microsoft.public.windowsce.platbuilder)
  • Re: Authentication type
    ... The client is using PAP. ... as the authentication type but whenever try to connect get the following ...
    (microsoft.public.internet.radius)
  • IAS on a 2003 server wont authenticate a call through a Max using MS-CHAP
    ... Internet Authentication Service running on a Win 2003 server. ... that is not enabled on the matching remote access policy." ... available authentication protocols, PAP, CHAP,and MS-CHAP. ...
    (microsoft.public.windows.server.general)
  • Re: Logon Window Appears on siblings of authenticated directories
    ... Windows Auth, and a physical directory under root. ... authentication when my user identity was recognized on the machine -- which ... when virtual directories and authentication are ...
    (microsoft.public.inetserver.iis)
  • Re: Linux dialup to Netscape.net?
    ... > segment of the ppp log between the 'Serial connection established.' ... Starting pppd and hoping for the best. ... --> The PPP daemon has died: Authentication error. ... reference to the "aolnet" response somewhere through Google, ...
    (comp.os.linux.misc)
Loading