Chris Nelson
2006-06-13 23:47:43 UTC
I was going slightly crazy trying to implement a pap_auth_hook with
pppd (2.4.2 and 2.4.4b1). I kept getting "Peer is not authorized to
use remote address ...". I finally realized that the documentation
says that for later versions of pppd, pap-secrets *must* have at least a
"*" in the fourth column (allowed addresses) and it occurred to me that
by inserting my pap_auth_hook, I had to play by the same rules and set
*paddrs to the list of allowable addresses, at least "*".
My hook now includes:
char *addr = "*";                 /* allow the peer any address */
int len = strlen(addr) + 1;
/* one allocation holds the node and the string after it */
*paddrs = (struct wordlist *) malloc(sizeof(struct wordlist) + len);
if (*paddrs == NULL)
    return 0;                     /* fail closed: reject the peer */
(*paddrs)->word = (char *)(*paddrs + 1);
(*paddrs)->next = NULL;
BCOPY(addr, (*paddrs)->word, len);
and the same address works just fine.
Assuming I'm not too far off base, I suggest that the PLUGINS file in
the pppd distribution should say:
If the username/password was valid, the hook must set *paddrs to
point to a wordlist containing the IP address(es) which the peer is
permitted to use, formatted as in the pap-secrets file. As in the
pap-secrets file, if no addresses are listed, the user isn't
permitted to use any address and link negotiation will fail. ...
That is, change "can" to "must" in the first line quoted and add the
second sentence. If I get some feedback on wording and accuracy, I'll
consider submitting a "patch" to the PLUGINS file.
Chris
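An added, stand-alone example (not code from the post or from pppd) that builds the allowed-address list a pap_auth_hook hands back in *paddrs, for one address or several, and shows the fail-closed shape of the hook. It assumes struct wordlist has pppd's two-member layout (declared locally so it compiles without the pppd headers); the user/password pair is a constructed stand-in.

```c
#include <stdlib.h>
#include <string.h>
/* Mirrors pppd's struct wordlist; declared here (assumption) so the
 * file compiles without the pppd headers. */
struct wordlist { struct wordlist *next; char *word; };
/* pppd's free_wordlist() releases each node with one free(), so each
 * word must live inside its node's own allocation (as built below). */
void free_addr_list(struct wordlist *w)
{
    while (w != NULL) { struct wordlist *n = w->next; free(w); w = n; }
}

/* One node per address, string stored inline after the struct. On an
 * allocation failure the partial list is freed and NULL is returned. */
struct wordlist *build_addr_list(const char *const *addrs, size_t n)
{
    struct wordlist *head = NULL, **tail = &head;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(addrs[i]) + 1;
        struct wordlist *w = malloc(sizeof *w + len);
        if (w == NULL) { free_addr_list(head); return NULL; }
        w->next = NULL;
        w->word = (char *)(w + 1);
        memcpy(w->word, addrs[i], len);
        *tail = w;
        tail = &w->next;
    }
    return head;
}

size_t addr_list_len(const struct wordlist *w)
{
    size_t n = 0;
    for (; w != NULL; w = w->next) n++;
    return n;
}

/* Hook-shaped body: a valid credential must leave *paddrs non-empty
 * (at least "*"), otherwise pppd rejects every remote address. The
 * credential check is a constructed stand-in. Returns 1 accept, 0 reject. */
int demo_pap_auth(const char *user, const char *passwd,
                  struct wordlist **paddrs)
{
    static const char *const allow[] = { "*" };
    *paddrs = NULL;
    if (strcmp(user, "demo") != 0 || strcmp(passwd, "demo-pass") != 0)
        return 0;
    *paddrs = build_addr_list(allow, 1);
    return *paddrs != NULL;      /* allocation failure rejects, fail closed */
}
```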