PPPD and callback (was Can I execute a script _after_ PAP authentication is complete?)

First, thanks, James, for your patient and detailed feedback. I think
I'm getting somewhere.

James Carlson wrote:
"Chris Nelson" <cnelson@xxxxxxxxxxxx> writes:
Note that you may want to set remote_number[] and *permitted_numbers
from within your plugin, depending on what you're trying to do. (Or
perhaps they should be set by the command line options.)

OK. I'll keep that in mind.

...
Or -- and I realize I'm looking at timing issues here -- spawn a thread
to call lcp_close() a couple of seconds after ppp_auth_hook returns?

pppd is intentionally a single-threaded design with a event loop. If
you spawn a separate thread, you're on your own. ;-}

There's no internal locking on any of the data structures.

Not to mention that my hook is in a .so and I'd have to find the thread
library somehow and ... I've given up on that route.

...
The symmetric part is PPP itself, which allows each side to
authenticate the other, if desired. Typical deployments of PPP,
though, don't do this, because this isn't what Windows does.

Sorry. You kinda lost me there. Do you mean that 'Windows doesn't
authenticate the called system so most PPP installations don't either;
only the called system validates the peer (the calling system)?

Windows (as best I can tell) operates in only two modes: "server" or
"client." In "server" mode, the peer must be authenticated. In
"client" mode, the system must offer credentials to the peer. As best
I can tell, there's no way to tell it to do both.

So my callback mechanism is unlikely to be usable with 'Windows systems
because if a 'Windows system is set up to dial into my server, it won't
be prepared to answer my call back. I kinda like that. It simplifies
my life because I only can/have to implement call back for non-Windows
callers.

When doing a call back, it's the caller that usually needs to demand
authentication.

Note that pap_auth_hook() is called _ONLY_ on the authenticator's
side. The other side -- if the peer is authenticating us and we're
the authenticatee (i.e., the typical call-to-your-ISP case) -- goes
through pap_passwd_hook.

But if both authenticate then ppp_auth_hoo() gets called on the
callback, too. Right?

Yes.

It's more a question of options than of hooks. On the callback, you
may need to _disable_ authentication via the equivalent of 'noauth'
(programmatically: setting auth_required to 0) and asserting the known
peer's identity via the equivalent of 'remotename' (filling in the
remote_name[] array).

"May." As I said, I don't think anyone's seriously tried to do what
you're doing with pppd.

OK. I've played with this some more, decided threads aren't happening,
and this is what I'm going forward with -- until you tell me I'm nuts
or I hit a roadblock:

- I set up a pap-auth-hook and a phase change notifier proc.

- If my pap-auth-hook determines that this user should be called back,
it sets a module static with some information about who to call back

- When the phase change notifier gets called with PHASE_NETWORK _and_
the module static is set, it calls lcp_close() and spawns a new process
to do the callback after a suitable delay.

What do you think?

.

Relevant Pages