| author | Brian Somers <brian@FreeBSD.org> | 1999-02-13 00:59:19 +0000 |
|---|---|---|
| committer | Brian Somers <brian@FreeBSD.org> | 1999-02-13 00:59:19 +0000 |
| commit | 1d8fe86159259a5f9515317c1641cf511e94c184 (patch) | |
| tree | db97b3c4d8a1041d0540e719c9bb374347bea2a1 | |
| parent | 9cee5c5b5c17b4703ef7fde1e3865c462d46d1d2 (diff) | |
| -rwxr-xr-x | share/examples/ppp/chap-auth | 97 | ||||
| -rwxr-xr-x | share/examples/ppp/login-auth | 74 | ||||
| -rw-r--r-- | share/examples/ppp/ppp.conf.sample | 206 |
3 files changed, 313 insertions, 64 deletions
diff --git a/share/examples/ppp/chap-auth b/share/examples/ppp/chap-auth
new file mode 100755
index 000000000000..52e9a97ffbde
--- /dev/null
+++ b/share/examples/ppp/chap-auth 
@@ -0,0 +1,97 @@
+#! /usr/local/bin/wish8.0 -f
+#
+# Copyright (c) 1999 Brian Somers <brian@Awfulhak.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id:$
+
+#
+# Display a window to request a users CHAP secret, accepting the relevant
+# values from ppp (``set authkey !thisprogram'') and passing the entered
+# ``authname'' and ``authkey'' back to ppp.
+#
+
+set pwidth 12; # Prompt field width
+set vwidth 20; # Value field width
+set fxpad 7; # Value field width
+set fypad 3; # Value field width
+
+wm title . 
"PPP Authentication";
+
+# We expect three lines of input from ppp
+set hostname [gets stdin];
+set challenge [gets stdin];
+set authname [gets stdin];
+
+proc mkhalfframe { n prompt } {
+ global pwidth;
+
+ frame .$n;
+ text .$n.prompt -width $pwidth -height 1 -relief flat;
+ .$n.prompt insert 1.0 $prompt;
+ pack .$n.prompt -side left;
+ .$n.prompt configure -state disabled;
+}
+
+proc mkframe { n prompt value entry } {
+ global vwidth fxpad fypad;
+
+ mkhalfframe $n $prompt;
+ text .$n.value -width $vwidth -height 1;
+ .$n.value insert 1.0 $value;
+ pack .$n.value -side right;
+ if ($entry) {
+ # Allow entry, but don't encourage it
+ .$n.value configure -state normal -takefocus 0;
+ bind .$n.value <Return> {done};
+ } else {
+ .$n.value configure -state disabled;
+ }
+ pack .$n -side top -padx $fxpad -pady $fypad;
+}
+
+# Dump our fields to stdout and exit
+proc done {} {
+ puts [.n.value get 1.0 {end - 1 char}];
+ puts [.k.value get];
+ exit 0;
+}
+
+mkframe h "Hostname:" $hostname 0;
+mkframe c "Challenge:" $challenge 0;
+mkframe n "Authname:" $authname 1;
+
+mkhalfframe k "Authkey:";
+entry .k.value -show "*" -width $vwidth;
+pack .k.value -side right;
+bind .k.value <Return> {done};
+focus .k.value;
+pack .k -side top -padx $fxpad -pady $fypad;
+
+frame .b;
+button .b.ok -default active -text "Ok" -command {done};
+pack .b.ok -side left;
+button .b.cancel -default normal -text "Cancel" -command {exit 1};
+pack .b.cancel -side right;
+pack .b -side top -padx $fxpad -pady $fypad;
diff --git a/share/examples/ppp/login-auth b/share/examples/ppp/login-auth
new file mode 100755
index 000000000000..d21f31dd8e0c
--- /dev/null
+++ b/share/examples/ppp/login-auth 
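Review bot: The three `gets stdin` reads near the top of chap-auth are unchecked, so if ppp closes the pipe early or writes fewer than three lines, `gets` returns an empty string and the dialog opens with blank Hostname/Challenge/Authname fields, asking the user for a secret against a request that never fully arrived. Use the two-argument form and exit non-zero on EOF, e.g. `if {[gets stdin hostname] < 0} {exit 1}` for each of the three reads; a non-zero exit is what the Cancel button already uses to signal failure to ppp. The comments on `set fxpad 7` and `set fypad 3` are copy-pasted from the vwidth line and should read `# Frame x padding` and `# Frame y padding`.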
@@ -0,0 +1,74 @@
+#! /usr/local/bin/wish8.0 -f
+#
+# Copyright (c) 1999 Brian Somers <brian@Awfulhak.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id:$
+
+#
+# Display a window to request a users password, expecting a login name
+# as an argument and outputting the password to stdout.
+#
+
+set pwidth 11; # Prompt field width
+set vwidth 20; # Value field width
+set fxpad 7; # Value field width
+set fypad 3; # Value field width
+
+wm title . 
"PPP Login";
+
+# Dump our password to stdout and exit
+proc done {} {
+ puts [.p.value get];
+ exit 0;
+}
+
+frame .l;
+text .l.prompt -width $pwidth -height 1 -relief flat;
+ .l.prompt insert 1.0 "Login:";
+pack .l.prompt -side left;
+ .l.prompt configure -state disabled;
+text .l.value -width $vwidth -height 1;
+ .l.value insert 1.0 $argv;
+pack .l.value -side right;
+ .l.value configure -state disabled;
+pack .l -side top -padx $fxpad -pady $fypad;
+
+frame .p;
+text .p.prompt -width $pwidth -height 1 -relief flat;
+ .p.prompt insert 1.0 "Password:";
+pack .p.prompt -side left;
+ .p.prompt configure -state disabled;
+entry .p.value -show "*" -width $vwidth;
+pack .p.value -side right;
+bind .p.value <Return> {done};
+focus .p.value;
+pack .p -side top -padx $fxpad -pady $fypad;
+
+frame .b;
+button .b.ok -default active -text "Ok" -takefocus 0 -command {done};
+pack .b.ok -side left;
+button .b.cancel -default normal -text "Cancel" -takefocus 0 -command {exit 1};
+pack .b.cancel -side right;
+pack .b -side top -padx $fxpad -pady $fypad;
diff --git a/share/examples/ppp/ppp.conf.sample b/share/examples/ppp/ppp.conf.sample
index e6bc37484fa0..af63830d4d3a 100644
--- a/share/examples/ppp/ppp.conf.sample
+++ b/share/examples/ppp/ppp.conf.sample
@@ -1,10 +1,10 @@
 #################################################################
 #
-# PPP Sample Configuration File
+# PPP Sample Configuration File
 #
-# Originally written by Toshiharu OHNO
+# Originally written by Toshiharu OHNO
 #
-# $Id: ppp.conf.sample,v 1.33 1998/10/03 13:12:14 brian Exp $
+# $Id: ppp.conf.sample,v 1.1 1999/02/11 16:33:14 brian Exp $
 #
 ################################################################# 
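Review bot: `.l.value insert 1.0 $argv` in login-auth displays the whole argv list rather than the login name, so a name containing spaces or Tcl list metacharacters would appear brace-quoted, and nothing checks that an argument was supplied at all; with none, the Login field is blank and the user is asked for a password with no indication of which account it is for. Suggest `if {[llength $argv] != 1} {exit 1}` before the widgets are built and `.l.value insert 1.0 [lindex $argv 0]` for the display, mirroring the Cancel button's non-zero exit. As far as I recall, wish strips its own `-display` option from `$argv` before the script body runs, which is what makes the `-display` form used in ppp.conf.sample work, so a single-element check in the script body is the right place.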
@@ -18,48 +18,59 @@ # # Default setup. Always executed when PPP is invoked. -# This section is *not* loaded by the ``load'' or ``dial'' commands. +# This section is *not* pre-loaded by the ``load'' or ``dial'' commands. # # This is the best place to specify your modem device, it's DTR rate, -# and any logging specification. Logging specs should be done first -# so that subsequent commands are logged. +# your dial script and any logging specification. Logging specs should +# be done first so that the results of subsequent commands are logged. # default: set log Phase Chat LCP IPCP CCP tun command set device /dev/cuaa1 set speed 115200 - set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" + set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT \ + OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT" # Client side PPP # # Although the PPP protocol is a peer to peer protocol, we normally -# consider the side that makes the connection as the client and the -# side that receives the connection as the server. Authentication +# consider the side that initiates the connection as the client and +# the side that receives the connection as the server. Authentication # is required by the server either using a unix-style login proceedure # or by demanding PAP or CHAP authentication from the client. # -# An on demand example where we have dynamic IP addresses: +# An on demand example where we have dynamic IP addresses and wish to +# use a unix-style login script: +# # If the peer assigns us an arbitrary IP (most ISPs do this) and we # can't predict what their IP will be either, take a wild guess at -# some IPs that you can't currently route to. +# some IPs that you can't currently route to. Ppp can change this +# when the link comes up. # # The /0 bit in "set ifaddr" says that we insist on 0 bits of the # specified IP actually being correct, therefore, the other side can assign -# any IP numbers. +# any IP number. 
# # The forth arg to "set ifaddr" makes us send "0.0.0.0" as our requested -# IP number, forcing the peer to make the decision. +# IP number, forcing the peer to make the decision. This is necessary +# when negotiating with some (broken) ppp implementations. # # This entry also works with static IP numbers or when not in -auto mode. # The ``add'' line adds a `sticky' default route that will be updated if # and when any of the IP numbers are changed in IPCP negotiations. # The "set ifaddr" is required in -auto mode. # -# Finally, the ``enable dns'' bit tells ppp to ask the peer for the +# Finally, the ``enable dns'' line tells ppp to ask the peer for the # nameserver addresses that should be used. This isn't always supported -# by the other side, but if it is, /etc/resolv.conf will automatically be -# updated. +# by the other side, but if it is, ppp will update /etc/resolv.conf with +# the correct nameserver values at connection time. +# +# The login script shown says that you're expecting ``ogin:''. If you +# don't receive that, send a ``\n'' and expect ``ogin:'' again. When +# it's received, send ``ppp'', expect ``word:'' then send ``ppp''. +# You *MUST* customise this login script according to your local +# requirements. # pmdemand: set phone 1234567 @@ -69,10 +80,12 @@ pmdemand: add default HISADDR enable dns -# When we want to use PAP or CHAP instead of using a unix-style login -# proceedure, we do the following. Note, the peer suggests whether we +# If you want to use PAP or CHAP instead of using a unix-style login +# proceedure, do the following. Note, the peer suggests whether we # should send PAP or CHAP. By default, we send whatever we're asked for. # +# You *MUST* customise ``MyName'' and ``MyKey'' below. +# PAPorCHAPpmdemand: set phone 1234567 set login 
@@ -236,38 +249,59 @@ dodgy: # Server side PPP -# If you want the remote system to authenticate itself, you insist -# that the peer uses CHAP (or PAP) with the "enable" keyword. Both CHAP and -# PAP are disabled by default (we usually only "enable" one of them if the -# other side is dialing into our server). -# When the peer authenticates itself, we use ppp.secret for verification. # -# Ppp is launched with: -# # ppp -direct CHAPserver +# If you want the remote system to authenticate itself, you must insist +# that the peer uses CHAP or PAP with the "enable" keyword. Both CHAP and +# PAP are disabled by default. You may enable either or both. If both +# are enabled, CHAP is requested first. If the client doesn't agree, PAP +# will then be requested. # -# Note: We can supply a third field in ppp.secret specifying the IP address -# for that user. We can even specify a forth field to specify the -# ppp.link{up,down} label to use. +# Note: If you use the getty/login process to authenticate users, you +# don't need to enable CHAP or PAP, but the user that has logged +# in *MUST* be a member of the ``network'' group (in /etc/group). # -CHAPserver: - enable chap - enable proxy - set ifaddr 192.244.176.44 292.244.184.31 - accept dns - -# If we wish to act as a server, allowing PAP access according to -# accounts in /etc/passwd, we do this (Without `enable passwdauth', -# you may still enter ``*'' as the users password in ppp.secret and -# ppp will look it up in the passwd database. This is useful if you -# need to assign a special label or IP number or range): +# If you wish to allow any user in the passwd database ppp access, you +# can ``enable passwdauth''. +# +# When the peer authenticates itself, we use ppp.secret for verification +# (although refer to the ``set radius'' command below for an alternative). 
+# +# Note: We may supply a third field in ppp.secret specifying the IP +# address for that user, a forth field to specify the +# ppp.link{up,down} label to use and a fifth field to specify +# callback characteristics. +# +# The easiest way to allow transparent LAN access to your dialin users +# is to assign them a number from your local LAN and tell ppp to make a +# ``proxy'' arp entry for them. In this example, we have a local LAN +# with IP numbers 10.0.0.1 - 10.0.0.99, and we assign numbers to our +# ppp clients between 10.0.0.100 and 10.0.0.199. It is possible to +# override the dynamic IP number with a static IP number specified in +# ppp.secret. # -PAPServerwithPASSWD: +# Ppp is launched with: +# # ppp -direct server +# +server: + enable chap enable pap enable passwdauth enable proxy - set ifaddr 192.244.176.44 292.244.184.31 + set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199 accept dns +# Example of a RADIUS configuration: +# If there are one or more radius servers available, we can use them +# instead of the ppp.secret file. Simply put then in a radius +# configuration file (usually /etc/radius.conf) and give ppp the +# file name. +# Ppp will use the FRAMED characteristics supplied by the radius server +# to configure the link. + +radius-server: + load server + set radius /etc/radius.conf + # Example to connect using a null-modem cable: # The important thing here is to allow the lqr packets on both sides. @@ -301,8 +335,9 @@ direct-server: accept lqr -# Example to connect via compuserve (who insist on 7 bits even parity -# during the chat phase). +# Example to connect via compuserve +# Compuserve insists on 7 bits even parity during the chat phase. Modem +# parity is always reset to ``none'' after the link has been established. # compuserve: set phone 1234567 
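Review bot: The new `server:` example enables `chap`, `pap` and `passwdauth` together, but the paragraph introducing passwdauth only says it lets "any user in the passwd database" in; as far as I recall from ppp(8), passwdauth applies to PAP only, because CHAP needs the cleartext secret that the passwd database cannot supply. With CHAP requested first, as the comment states, a client that agrees to CHAP is verified against ppp.secret alone, and only a client that falls back to PAP is checked against passwd, sending its password in cleartext over the link. Suggest extending that paragraph with `# Note: passwdauth only applies to PAP (cleartext) authentication; a peer that agrees to CHAP is checked against ppp.secret only.` so readers do not assume passwd users can authenticate via CHAP.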
@@ -332,13 +367,14 @@ tcp-client: tcp-server: set ifaddr 10.0.4.1 10.0.5.1 255.255.255.0 -# If you want to test ppp, do it through a loopback: +# Example for PPP testing. +# If you want to test ppp, do it through the loopback interface: # -# Requires a line in /etc/services: -# ppploop 6671/tcp # loopback ppp daemon +# Requires a line in /etc/services: +# ppploop 6671/tcp # loopback ppp daemon # -# and a line in /etc/inetd.conf: -# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in +# and a line in /etc/inetd.conf: +# ppploop stream tcp nowait root /usr/sbin/ppp ppp -direct loop-in # loop: set timeout 0 
@@ -354,24 +390,28 @@ loop-in: set log phase lcp ipcp command allow mode direct -# If you're going to create a tunnel through a public network, your VPN -# should be set up something like this: +# Example of a VPN. +# If you're going to create a tunnel through a public network, your VPN +# should be set up something like this: # -# /etc/ppp/secure (which should be executable) says: -# #! /bin/sh -# exec ssh whatevermachine /usr/sbin/ppp -direct loop-in +# /etc/ppp/secure (which should be executable) says: +# #! /bin/sh +# exec ssh whatevermachine /usr/sbin/ppp -direct loop-in +# +# You should already have set up ssh using ssh-agent & ssh-add. # sloop: load loop set device !/etc/ppp/secure -# If you wish to connect to a server that will dial back *without* using -# the ppp callback facility (rfc1570), take advantage of the fact that -# ppp doesn't look for carrier 'till `set login' is complete: +# Example of non-PPP callback. +# If you wish to connect to a server that will dial back *without* using +# the ppp callback facility (rfc1570), take advantage of the fact that +# ppp doesn't look for carrier 'till `set login' is complete: # -# Here, we expect the server to say DIALBACK then disconnect after -# we've authenticated ourselves. When this has happened, we wait -# 60 seconds for a RING. +# Here, we expect the server to say DIALBACK then disconnect after +# we've authenticated ourselves. When this has happened, we wait +# 60 seconds for a RING. # dialback: set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK \ 
@@ -379,15 +419,27 @@ dialback: set login "TIMEOUT 5 ogin:--ogin: ppp word: ppp TIMEOUT 15 DIALBACK \ \"\" NO\\sCARRIER \"\" TIMEOUT 60 RING ATA CONNECT" -# Alternatively, if the peer is using the PPP callback protocol, use -# normal dial and login scripts and add -# +# Example of PPP callback. +# Alternatively, if the peer is using the PPP callback protocol, we're +# happy either with ``auth'' style callback where the server dials us +# back based on what we authenticate ourselves with, ``cbcp'' style +# callback (invented by Microsoft but not agreed by the IETF) where +# we negotiate callback *after* authentication or E.164 callback where +# we specify only a phone number. I would recommend only ``auth'' and/or +# ``cbcp'' callback methods. +# For ``cbcp'', we insist that we choose ``1234567'' as the number that +# the server must call back. +# +callback: + load pmdemand set callback auth cbcp e.164 1234567 set cbcp 1234567 # If we're running a ppp server that wants to only call back microsoft # clients on numbers configured in /etc/ppp/ppp.secret (the 5th field): # +callback-server: + load server set callback cbcp set cbcp set log +cbcp @@ -397,8 +449,10 @@ dialback: set dial "TIMEOUT 10 \"\" AT OK-AT-OK ATDT\\T CONNECT" # Or if we want to allow authenticated clients to specify their own -# callback number, use this ``set cbcp'' line instead: +# callback number: # +callback-server-client-decides: + load callback-server set cbcp * # Multilink mode is available (rfc1990). @@ -412,7 +466,6 @@ dialback: # same time. The `dial' command may also be prefixed with a specific # link that should do the dialing. # - mloop: load loop set mode interactive 
@@ -428,3 +481,28 @@ mloop-in: set log tun phase allow mode direct set mrru 1500 + +# User supplied authentication: +# It's possible to run ppp in the background while specifying a +# program to use to obtain authentication details on demand. +# This program would usually be a simple GUI that presents a +# prompt to a known user. The ``chap-auth'' program is supplied +# as an example (and requires tcl version 8.0). +# +CHAPprompt: + load PAPorCHAPpmdemand + set authkey !/usr/share/examples/ppp/chap-auth + +# It's possible to do the same sort of thing at the login prompt. +# Here, after sending ``brian'' in response to the ``name'' prompt, +# we're prompted with ``code:''. A window is then displayed on the +# ``keep:0.0'' display and the typed response is sent to the peer +# as the password. We then expect to see ``MTU'' and ``.'' in the +# servers response. +# +loginprompt: + load pmdemand + set authname brian + set login "ABORT NO\\sCARRIER TIMEOUT 15 \"\" \"\" name:--name: \\U \ + code: \"!/usr/share/examples/ppp/login-auth -display keep:0.0 \ + AUTHNAME\" MTU \\c ." |
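Review bot: The `CHAPprompt` example runs `!/usr/share/examples/ppp/chap-auth` with no `-display` argument, although the comment above it describes running ppp in the background; a backgrounded ppp will likely have no usable DISPLAY in its environment, in which case the wish script cannot open a window and the authentication would presumably fail or time out without a visible prompt. The `loginprompt` example below does pass `-display keep:0.0`, so CHAPprompt should either do the same or the comment should say that DISPLAY must be set in ppp's environment. The comment should also note that whichever display is used must be local or otherwise trusted, since the secret typed into the window travels over that X connection. The `set mrru 1500` context line belongs to the `mloop-in:` section, which starts outside the hunk.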
