path... after we've talked to any RADIUS servers involved, so that we
haven't touched the data before it gets to the server.
Make it clearer in the code that this compensation is done by setting
a flag to a value of zero, a flag which rfc2759 says *MUST* be zero.
While we're here, don't bother passing the peer challenge into
radius_Authenticate(). It's already part of the key we're passing in
(this becomes obvious now that I've structured that data...).
This ``fix'' doesn't help to authenticate Win98/WinME users in my test
environment as ports/net/freeradius seems to ignore the flag
completely anyway, but it may help with other RADIUS servers.
visible change should be that more than one queue can now be specified,
if one uses the '-msg' parameter to separate the list of queues from the
status message to set.
The previous implementation of 'down' remains available as the command
'xdown', available for instant fallback if there seems to be anything
wrong with the new one. If no one reports a problem after a few weeks,
then a later update will remove 'xdown'.
Reviewed by: freebsd-print@bostonradio.org
MFC after: 10 days
change the status message of a print queue. This includes some minor
changes to the upstat() routine, so that error messages are not printed
while seteuid(priv-user).
Reviewed by: freebsd-audit and freebsd-print@bostonradio.org
MFC after: 10 days
was removed from the kernel;
Advertise the prefix with zero lifetimes rather than to remove the prefix
from the prefix list to be advertised.
This will help renumber a receiving host by deprecating the address
derived from the old prefix.
Obtained from: KAME
MFC after: 2 weeks
'restart', 'start', 'stop' and 'up'. These are commands which mainly
just alter the access bits on the lock-file of a queue, and they all
now use a central routine to do that. This reduces the amount of code
that is run as the priv userid, and eliminates a number of cases where
error messages were written while that priv uid was in effect.
As far as users are concerned, there should be no noticable difference
in the new versions. In case there *is*, the previous implementations
are still there as 'xabort', 'xenable', etc, so they are available for
instant fallback. If no one reports a problem after a few weeks, then
a later update will remove those x-commands.
Reviewed by: freebsd-audit and freebsd-print@bostonradio.org
MFC after: 10 days
RAD_MICROSOFT_MS_CHAP_ERROR and RAD_MICROSOFT_MS_CHAP2_SUCCESS
messages, and remove the hack in chap.c to ignore that ident field
on the client side.
This anomoly was hacked around during development, and I forgot to
go back and fix it properly.
Spotted by: Sergey Korolew <ds@rt.balakovo.ru>
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_POLICY
RAD_MICROSOFT_MS_MPPE_ENCRYPTION_TYPES
RAD_MICROSOFT_MS_MPPE_RECV_KEY
RAD_MICROSOFT_MS_MPPE_SEND_KEY
These attributes may be supplied by a RADIUS server when MSCHAPv2 is
used to authenticate.
It *should* now be possible to build ppp with -DNODES and still support
CHAP/MSCHAP/MSCHAPv2/MPPE via a RADIUS server, but the code isn't yet
smart enough to do that (building with -DNODES just looses these
facilities).
Sponsored by: Monzoon
hatching the idea of using dc, and Giorgos (keramida) for incubating it.
This also reverses most of the previous commit which took out or
modified the text about umask stuff.
are installing.
* Since this means that for now we can't accomodate non-standard
umask's, warn the user accordingly.
* Convert the "press enter to continue" prompt into a function.
of them to keep better track of which-is-which (multiple variables were
named 'pid'). Moved a global pid-variable into the only routine that
used it. Net result: fixes two compile-time warnings...
MFC after: 2 weeks
actually does work. Ignore errors from kldload(2) if the errno value is
EEXIST. It would help if this return value were documented in the
kldload(2) manual page.
one can set the 'noError' variable to ignore any errors that occur for the
next command. However, the code was only unsetting 'noError' when an error
actually occurred, so if you set 'noError', the next command completed ok,
and the command after that failed, the second command's failure would be
ignored. This fixes this by performing the 'noError' check earlier and
then unsetting 'noError' after every command that is run.
Sponsored by: The Weather Channel
sufficient.
In fact, using both breaks the radiator RADIUS daemon when used with
a db as it maps both attributes to the same field value and then
fails the insert.
I decided to remove RAD_NAS_IP_ADDRESS on the basis that rfc2138 says:
An Access-Request MUST contain a User-Name attribute. It SHOULD
contain either a NAS-IP-Address attribute or NAS-Identifier
attribute (or both, although that is not recommended). It MUST
despite the fact that this not recommended bit was removed from the
updated rfc.