File: README.pwfd

package info (click to toggle)
ppp 2.4.7-2+4.1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 7,100 kB
  • sloc: ansic: 56,241; sh: 1,050; perl: 334; makefile: 114; exp: 82
file content (174 lines) | stat: -rw-r--r-- 3,556 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174

	Support to pass the password via a pipe to the pppd
	---------------------------------------------------

	Arvin Schnell <arvin@suse.de>
	2002-02-08


1. Introduction
---------------

Normally programs like wvdial or kppp read the online password from their
config file and store them in the pap- and chap-secrets before they start the
pppd and remove them afterwards. Sure they need special privileges to do so.

The passwordfd feature offers a simpler and more secure solution. The program
that starts the pppd opens a pipe and writes the password into it. The pppd
simply reads the password from that pipe.

This methods is used for quite a while on SuSE Linux by the programs wvdial,
kppp and smpppd.


2. Example
----------

Here is a short C program that uses the passwordfd feature. It starts the pppd
to buildup a pppoe connection.


--snip--

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
#include <paths.h>

#ifndef _PATH_PPPD
#define _PATH_PPPD "/usr/sbin/pppd"
#endif


// Of course these values can be read from a configuration file or
// entered in a graphical dialog.
char *device = "eth0";
char *username = "1122334455661122334455660001@t-online.de";
char *password = "hello";

pid_t pid = 0;


void
sigproc (int src)
{
    fprintf (stderr, "Sending signal %d to pid %d\n", src, pid);
    kill (pid, src);
    exit (EXIT_SUCCESS);
}


void
sigchild (int src)
{
    fprintf (stderr, "Daemon died\n");
    exit (EXIT_SUCCESS);
}


int
start_pppd ()
{
    signal (SIGINT, &sigproc);
    signal (SIGTERM, &sigproc);
    signal (SIGCHLD, &sigchild);

    pid = fork ();
    if (pid < 0) {
	fprintf (stderr, "unable to fork() for pppd: %m\n");
	return 0;
    }

    if (pid == 0) {

	int i, pppd_argc = 0;
	char *pppd_argv[20];
	char buffer[32] = "";
	int pppd_passwdfd[2];

	for (i = 0; i < 20; i++)
	    pppd_argv[i] = NULL;

	pppd_argv[pppd_argc++] = "pppd";

	pppd_argv[pppd_argc++] = "call";
	pppd_argv[pppd_argc++] = "pwfd-test";

	// The device must be after the call, since the call loads the plugin.
	pppd_argv[pppd_argc++] = device;

	pppd_argv[pppd_argc++] = "user";
	pppd_argv[pppd_argc++] = username;

	// Open a pipe to pass the password to pppd.
	if (pipe (pppd_passwdfd) == -1) {
	    fprintf (stderr, "pipe failed: %m\n");
	    exit (EXIT_FAILURE);
	}

	// Of course this only works it the password is shorter
	// than the pipe buffer. Otherwise you have to fork to
	// prevent that your main program blocks.
	write (pppd_passwdfd[1], password, strlen (password));
	close (pppd_passwdfd[1]);

	// Tell the pppd to read the password from the fd.
	pppd_argv[pppd_argc++] = "passwordfd";
	snprintf (buffer, 32, "%d", pppd_passwdfd[0]);
	pppd_argv[pppd_argc++] = buffer;

	if (execv (_PATH_PPPD, (char **) pppd_argv) < 0) {
	    fprintf (stderr, "cannot execl %s: %m\n", _PATH_PPPD);
	    exit (EXIT_FAILURE);
	}
    }

    pause ();

    return 1;
}


int
main (int argc, char **argv)
{
    if (start_pppd ())
	exit (EXIT_SUCCESS);

    exit (EXIT_FAILURE);
}

---snip---


Copy this file to /etc/ppp/peers/pwfd-test. The plugins can't be loaded on the
command line (unless you are root) since the plugin option is privileged.


---snip---

#
# PPPoE plugin for kernel 2.4
#
plugin pppoe.so

#
# This plugin enables us to pipe the password to pppd, thus we don't have
# to fiddle with pap-secrets and chap-secrets. The user is also passed
# on the command line.
#
plugin passwordfd.so

noauth
usepeerdns
defaultroute
hide-password
nodetach
nopcomp
novjccomp
noccp

---snip---