5 Sep
2009
5 Sep
'09
6:29 a.m.
This separates the pre and post authentication timeouts.
Cc: Christian Balzer <chibi(a)gol.com>
Signed-off-by: Simon Horman <horms(a)verge.net.au>
Index: perdition/perdition/options.c
===================================================================
--- perdition.orig/perdition/options.c 2009-09-05 15:02:34.000000000 +1000
+++ perdition/perdition/options.c 2009-09-05 15:58:22.000000000 +1000
@@ -355,6 +355,8 @@ int options(int argc, char **argv, flag_
{
{"add_domain", 'A', POPT_ARG_STRING, NULL,
'A'},
{"authenticate_in", 'a', POPT_ARG_NONE, NULL,
'a'},
+ {"authenticate_timeout", '\0', POPT_ARG_STRING, NULL,
+ TAG_AUTHENTICATE_TIMEOUT},
{"no_bind_banner", 'B', POPT_ARG_NONE, NULL,
'B'},
{"bind_address", 'b', POPT_ARG_STRING, NULL,
'b'},
{"connection_logging", 'C', POPT_ARG_NONE, NULL,
'C'},
@@ -444,6 +446,8 @@ int options(int argc, char **argv, flag_
#ifdef WITH_PAM_SUPPORT
opt_i(&(opt.authenticate_in), DEFAULT_AUTHENTICATE_IN, &i, 0, OPT_NOT_SET);
#endif /* WITH_PAM_SUPPORT */
+ opt_i(&(opt.authenticate_timeout), DEFAULT_AUTHENTICATE_TIMEOUT,
+ &i, 0, OPT_NOT_SET);
opt_i(&(opt.no_bind_banner), DEFAULT_NO_BIND_BANNER,
&i, 0, OPT_NOT_SET);
opt_i(&(opt.client_server_specification),
@@ -586,7 +590,13 @@ int options(int argc, char **argv, flag_
poptFreeContext(context);
return(-1);
}
-#endif /* WITH_PAM_SUPPORT */
+#endif
+ case TAG_AUTHENTICATE_TIMEOUT:
+ if(!vanessa_socket_str_is_digit(optarg) && f&OPT_ERR)
+ usage(-1);
+ opt_i(&(opt.authenticate_timeout), atoi(optarg), &(opt.mask2),
+ MASK2_AUTHENTICATE_TIMEOUT, f);
+ break;
case 'B':
opt_i(&(opt.no_bind_banner), 1, &(opt.mask), MASK_NO_BIND_BANNER, f);
break;
@@ -1094,6 +1104,7 @@ int log_options_str(char *str, size_t n)
#ifdef WITH_PAM_SUPPORT
"authenticate_in=%s, "
#endif /* WITH_PAM_SUPPORT */
+ "authenticate_timeout=%d, "
"bind_address=\"%s\", "
"capability=\"%s\", "
"client_server_specification=%s, "
@@ -1151,6 +1162,7 @@ int log_options_str(char *str, size_t n)
#ifdef WITH_PAM_SUPPORT
BIN_OPT_STR(opt.authenticate_in),
#endif /* WITH_PAM_SUPPORT */
+ opt.authenticate_timeout,
OPT_STR(bind_address),
OPT_STR(opt.capability),
BIN_OPT_STR(opt.client_server_specification),
@@ -1298,6 +1310,9 @@ void usage(int exit_status){
" -a|--authenticate_in:\n"
" User is authenticated by perdition before connection to
real-server.\n"
#endif /* WITH_PAM_SUPPORT */
+ " --authenticate_timeout:\n"
+ " Timeout used during authentication phase.\n"
+ " Zero for infinite timeout. (default %d)\n"
" -B|--no_bind_banner:\n"
" Use uname to generate banner of even if bind_address is in effect.\n"
" -b|--bind_address SERVER[,SERVER...]:\n"
@@ -1379,7 +1394,8 @@ void usage(int exit_status){
" Allow domain portion of username to be striped in given state(s).\n"
" (default \"\")\n"
" -t|--timeout SECONDS:\n"
- " Idle timeout. Zero for infinite timeout. (default %d)\n"
+ " Idle timeout for post-authentication phase.\n"
+ " Zero for infinite timeout. (default %d)\n"
" -u|--username USERNAME:\n"
" User to run as. (default \"%s\")\n"
" -U|--username_from_database:\n"
@@ -1451,6 +1467,7 @@ void usage(int exit_status){
" be used unless noted otherwise.\n"
" See the perdition(8) man page for more details.\n",
VERSION,
+ DEFAULT_AUTHENTICATE_TIMEOUT,
OPT_STR(DEFAULT_BIND_ADDRESS),
DEFAULT_CONNECT_RELOG,
OPT_STR(DEFAULT_DOMAIN_DELIMITER),
Index: perdition/perdition/options.h
===================================================================
--- perdition.orig/perdition/options.h 2009-09-05 15:02:34.000000000 +1000
+++ perdition/perdition/options.h 2009-09-05 15:58:22.000000000 +1000
@@ -139,6 +139,7 @@
#define DEFAULT_STRIP_DOMAIN STATE_NONE
#define DEFAULT_SERVER_RESP_LINE 0
#define DEFAULT_TIMEOUT 1800 /*in seconds*/
+#define DEFAULT_AUTHENTICATE_TIMEOUT DEFAULT_TIMEOUT
#ifdef WITH_USER
#define DEFAULT_USERNAME WITH_USER
#else
@@ -179,6 +180,7 @@ typedef struct {
unsigned int add_domain_strip_depth;
#ifdef WITH_PAM_SUPPORT
int authenticate_in;
+ int authenticate_timeout;
#endif /* WITH_PAM_SUPPORT */
vanessa_dynamic_array_t *bind_address;
char *capability;
@@ -277,6 +279,7 @@ typedef struct {
#define MASK2_PID_FILE (flag_t) 0x00000002
#define MASK2_EXPLICIT_DOMAIN (flag_t) 0x00000004
#define MASK2_LOG_PASSWD (flag_t) 0x00000008
+#define MASK2_AUTHENTICATE_TIMEOUT (flag_t) 0x00000010
#ifdef WITH_SSL_SUPPORT
/* options_t.ssl_mask entries */
@@ -325,6 +328,7 @@ typedef struct {
#define TAG_SSL_OUTGOING_CIPHERS (int) 147
#define TAG_SSL_NO_CERT_VERIFY (int) 148
#define TAG_SSL_NO_CN_VERIFY (int) 149
+#define TAG_AUTHENTICATE_TIMEOUT (int) 150
/*Flag values for options()*/
Index: perdition/perdition/perdition.8
===================================================================
--- perdition.orig/perdition/perdition.8 2009-09-05 15:02:34.000000000 +1000
+++ perdition/perdition/perdition.8 2009-09-05 15:58:22.000000000 +1000
@@ -103,6 +103,10 @@ e.g. all,2
.sp
(the default value for add_domain is "")
.TP
+.B \-\-authenticate_timeout:
+Idle timeout in seconds used while the user is unauthenticated. Zero for
+infinite timeout.
+.TP
.B \-a, \-\-authenticate_in:
User is authenticated by perdition before connection to back-end
server is made. Only available if perdition is compiled with pam
@@ -352,7 +356,7 @@ will be striped off in given state(s).Se
description of the states.
.TP
.B \-t, \-\-timeout SECONDS:
-Idle timeout. Zero for infinite timeout.
+Idle timeout for post-authentication phase. Zero for infinite timeout.
.br
(default 1800)
.TP
@@ -672,11 +676,14 @@ POP3
user james(a)other.host
.fi
.SH IDLE TIMEOUTS
-If there is no input from the client or back\-end server for greater than
-timeout seconds then the connection is closed. The default timeout is 1800
-seconds and can be specified on the command line with the \-t|\-\-timeout
-option. A time out of 0 means that timeouts are disabled and clients and
-back\-end servers can idle indefinitely.
+Perdition allows two idle timeouts to be configured. \-\-authentication_timeout
+is used before the user has been successfully authenticated with the
+back-end server. And after that \-\-timeout is used.
+
+The default value for both timeouts is is 1800.
+A timeout value of 0 means that the timeouts are disabled and clients and
+back\-end servers can idle indefinitely, though in practice a TCP timeout
+will be in effect.
.SH LOOP DETECTION
The greeting that perdition displays when accepting an incoming connection
is "+OK POP3 Ready <hostname>" or "* OK IMAP4 Ready
<hostname>" in POP3 and
Index: perdition/perdition/perdition.c
===================================================================
--- perdition.orig/perdition/perdition.c 2009-09-05 15:58:26.000000000 +1000
+++ perdition/perdition/perdition.c 2009-09-05 16:00:54.000000000 +1000
@@ -577,7 +577,7 @@ int main (int argc, char **argv, char **
VANESSA_LOGGER_ERR("Fatal error setting IO. Exiting.");
perdition_exit_cleanly(-1);
}
- io_set_timeout(client_io, opt.timeout);
+ io_set_timeout(client_io, opt.authenticate_timeout);
namelen = sizeof(*peername);
if (getpeername(0, (struct sockaddr *)peername, &namelen)) {
@@ -612,7 +612,7 @@ int main (int argc, char **argv, char **
VANESSA_LOGGER_ERR("Fatal error setting IO. Exiting.");
perdition_exit_cleanly(-1);
}
- io_set_timeout(client_io, opt.timeout);
+ io_set_timeout(client_io, opt.authenticate_timeout);
}
/* A child process, or process handling an inetd connection
@@ -849,7 +849,7 @@ int main (int argc, char **argv, char **
VANESSA_LOGGER_ERR("Fatal error setting IO. Exiting.");
perdition_exit_cleanly(-1);
}
- io_set_timeout(server_io, opt.timeout);
+ io_set_timeout(server_io, opt.authenticate_timeout);
#ifdef WITH_SSL_SUPPORT
if(opt.ssl_mode & SSL_MODE_SSL_OUTGOING) {
@@ -984,6 +984,8 @@ int main (int argc, char **argv, char **
}
/*Let the client talk to the real server*/
+ io_set_timeout(client_io, opt.timeout);
+ io_set_timeout(server_io, opt.timeout);
if(io_pipe(server_io, client_io, buffer, BUFFER_SIZE,
&bytes_written, &bytes_read, &auth_log)<0){
VANESSA_LOGGER_DEBUG("vanessa_socket_pipe");