author | Matthew Grooms <mgrooms@pfsense.org> | 2008-09-09 04:08:22 +0000 |
---|---|---|
committer | Matthew Grooms <mgrooms@pfsense.org> | 2008-09-09 04:08:22 +0000 |
commit | fb1266d3a1314ade3ac9bd30dee3acdf762cbef9 (patch) | |
tree | 8976ef916392268e7e69cebaf17e09dc9d3b2058 | |
parent | b28278a261f42ea409eaf49b143e9792fb0261e4 (diff) | |
download | pfsense-fb1266d3a1314ade3ac9bd30dee3acdf762cbef9.zip pfsense-fb1266d3a1314ade3ac9bd30dee3acdf762cbef9.tar.gz |
Moves the protocol and certificate options out of the general config page
to the Advanced admin access tab. The thought is that they should be next
to each other. The certificate management has also been modified to use
the centralized certificate manager. I took the liberty of removing the
default certificate/key definitions from the web server configuration
function as it is now trivial to create these locally.
The global SSH authorized keys have also been removed. Any existing key
data will be migrated to the admin account. I also added some new checks
to ensure the sshd process is only restarted when its configuration has
actually changed.
-rw-r--r-- | etc/inc/auth.inc | 17 | ||||
-rw-r--r-- | etc/inc/config.inc | 36 | ||||
-rw-r--r-- | etc/inc/priv.inc | 16 | ||||
-rw-r--r-- | etc/inc/system.inc | 165 | ||||
-rwxr-xr-x | usr/local/www/system.php | 47 | ||||
-rw-r--r-- | usr/local/www/system_advanced_admin.php | 197 | ||||
-rw-r--r-- | usr/local/www/system_usermanager.php | 37 |
7 files changed, 206 insertions, 309 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 0d69505..3bb00e7 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -187,8 +187,8 @@ function local_user_set(& $user) {
 	$user_group = "nobody";
/* configure shell type */
- if (!hasPrivilegeShell($user)) {
- if (!hasPrivilegeCopyFiles($user))
+ if (!userHasPrivilege($user, "user-shell-access")) {
+ if (!userHasPrivilege($user, "user-copy-files"))
$user_shell = "/sbin/nologin";
else
$user_shell = "/usr/local/bin/scponly";
@@ -227,14 +227,17 @@ function local_user_set(& $user) {
 	/* create user directory if required */
if (!is_dir($user_home))
- mkdir($user_home, 0755);
+ mkdir($user_home, 0700);
chown($user_home, $user_name);
chgrp($user_home, $user_group);
- chmod($user_home, 0700);
- /* FIXME : ssh keys should be per-admin user */
- if(isset($config['system']['ssh']['sshdkeyonly']) && hasPrivilegeShell($user))
- create_authorized_keys($user_name, $user_home);
+ /* write out ssh authorized key file */
+ if($user['authorizedkeys']) {
+ if (!is_dir("{$user_home}/.ssh"))
+ mkdir("{$user_home}/.ssh", 0700);
+ $keys = base64_decode($user['authorizedkeys']);
+ file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
+ }
}
function local_user_del($user) {
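Review bot: The new key-writing branch never removes a stale `~/.ssh/authorized_keys`: when `$user['authorizedkeys']` is empty the file written by an earlier run stays in place, so keys deleted in the user manager keep granting access until someone cleans the directory by hand. The `.ssh` directory and the key file are also created after the `chown`/`chgrp` of `$user_home`, so they end up owned by whoever runs this code rather than `$user_name`, and `file_put_contents` leaves the key file at the default umask rather than 0600. An `elseif` that unlinks the old file, plus `chmod`/`chown` on the new paths, closes both gaps. local_user_set begins outside the hunk.
```php
		file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
		chmod("{$user_home}/.ssh/authorized_keys", 0600);
		chown("{$user_home}/.ssh", $user_name);
		chown("{$user_home}/.ssh/authorized_keys", $user_name);
	} elseif (file_exists("{$user_home}/.ssh/authorized_keys")) {
		/* keys were removed in the user manager; drop the stale file */
		unlink("{$user_home}/.ssh/authorized_keys");
	}
```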
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index da5bea6..62a6a89 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1926,6 +1926,42 @@ endif;
 		$config['version'] = "5.2";
 	}
+	/* Convert 5.2 -> 5.3 */
+	if ($config['version'] <= 5.2) {
+
+		if (!is_array($config['system']['ca']))
+			$config['system']['ca'] = array();
+		if (!is_array($config['system']['cert']))
+			$config['system']['cert'] = array();
+
+		/* migrate advanced admin page webui ssl to certifcate mngr */
+		if ($config['system']['webgui']['certificate'] &&
+			$config['system']['webgui']['private-key']) {
+
+			/* create cert entry */
+			$cert = array();
+			$cert['refid'] = uniqid();
+			$cert['name'] = "webConfigurator SSL Certificate";
+			$cert['crt'] = $config['system']['webgui']['certificate'];
+			$cert['prv'] = $config['system']['webgui']['private-key'];
+			$config['system']['cert'][] = $cert;
+
+			/* create cert reference */
+			unset($config['system']['webgui']['certificate']);
+			unset($config['system']['webgui']['private-key']);
+			$config['system']['webgui']['ssl-certref'] = $cert['refid'];
+		}
+
+		/* migrate advanced admin page ssh keys to user manager */
+		if ($config['system']['ssh']['authorizedkeys']) {
+			$admin_user =& getUserEntryByUID(0);
+			$admin_user['authorizedkeys'] = $config['system']['ssh']['authorizedkeys'];
+			unset($config['system']['ssh']['authorizedkeys']);
+		}
+
+		$config['version'] = "5.3";
+	}
+
 	$now = date("H:i:s");
 	log_error("Ended Configuration upgrade at $now");
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index 89701aa..824ea7b 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -279,20 +279,4 @@ function userHasPrivilege($userent, $privid = false) {
 	return true;
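Review bot: The 5.2 -> 5.3 migration only creates a certificate entry when both `certificate` and `private-key` were set, but an installation that ran https on the built-in default certificate (the heredoc this commit removes from system_webgui_start) keeps `protocol = https` with no `ssl-certref`. On the next boot system_webgui_start then falls back to plain http with only a log_error, so a system that was TLS-only before the upgrade silently serves the admin interface in clear text. Either generate a self-signed certificate entry here for that case, or at least record the downgrade in the config (set `$config['system']['webgui']['protocol'] = "http"` and log it) so it shows in the UI instead of being recomputed at every start. The comment `certifcate mngr` also has a typo. The upgrade function begins and ends outside the hunk.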
}
-function hasPrivilegeLock($userent) {
- return userHasPrivilege($userent, "user-lock-webcfg");
-}
-
-function hasPrivilegeLockPages($userent) {
- return userHasPrivilege($userent, "user-lock-ipages");
-}
-
-function hasPrivilegeShell($userent) {
- return userHasPrivilege($userent, "user-shell-access");
-}
-
-function hasPrivilegeCopyFiles($userent) {
- return userHasPrivilege($userent, "user-copy-files");
-}
-
?>
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 3b19b48..0a4c5d1 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -496,72 +496,30 @@ function system_webgui_start() { chdir($g['www_path']); + /* defaults */ + $portarg = "80"; + $crt = ""; + $key = ""; + /* non-standard port? */ if ($config['system']['webgui']['port']) $portarg = "{$config['system']['webgui']['port']}"; - else - $portarg = ""; if ($config['system']['webgui']['protocol'] == "https") { - if(!$config['system']['webgui']['port']) - $portarg = "443"; - - if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) { - $cert = base64_decode($config['system']['webgui']['certificate']); - $key = base64_decode($config['system']['webgui']['private-key']); - } else { - /* default certificate/key */ - $cert = <<<EOD ------BEGIN CERTIFICATE----- -MIIDEzCCAnygAwIBAgIJAJM91W+s6qptMA0GCSqGSIb3DQEBBAUAMGUxCzAJBgNV -BAYTAlVTMQswCQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UE -ChMHcGZTZW5zZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZTAe -Fw0wNjAzMTAyMzQ1MTlaFw0xNjAzMDcyMzQ1MTlaMGUxCzAJBgNVBAYTAlVTMQsw -CQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UEChMHcGZTZW5z -ZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZTCBnzANBgkqhkiG -9w0BAQEFAAOBjQAwgYkCgYEA3lPNTFH6qge/ygaqe/BS4oH59O6KvAesWcRzSu5N -21lyVE5tBbL0zqOSXmlLyReMSbtAMZqt1P8EPYFoOcaEQHIWm2VQF80Z18+8Gh4O -UQGjHq88OeaLqyk3OLpSKzSpXuCFrSN7q9Kez8zp5dQEu7sIW30da3pAbdqYOimA -1VsCAwEAAaOByjCBxzAdBgNVHQ4EFgQUAnx+ggC4SzJ0CK+rhPhJ2ZpyunEwgZcG -A1UdIwSBjzCBjIAUAnx+ggC4SzJ0CK+rhPhJ2ZpyunGhaaRnMGUxCzAJBgNVBAYT -AlVTMQswCQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UEChMH -cGZTZW5zZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZYIJAJM9 -1W+s6qptMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAAviQpdoeabL8 -1HSZiD7Yjx82pdLpyQOdXvAu3jEAYz53ckx0zSMrzsQ5r7Vae6AE7Xd7Pj+1Yihs -AJZzOQujnmsuim7qu6YSxzP34xonKwd1C9tZUlyNRNnEmtXOEDupn05bih1ugtLG -kqfPIgDbDLXuPtEAA6QDUypaunI6+1E= ------END CERTIFICATE----- - -EOD; - - $key = <<<EOD ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDeU81MUfqqB7/KBqp78FLigfn07oq8B6xZxHNK7k3bWXJUTm0F 
-svTOo5JeaUvJF4xJu0Axmq3U/wQ9gWg5xoRAchabZVAXzRnXz7waHg5RAaMerzw5 -5ourKTc4ulIrNKle4IWtI3ur0p7PzOnl1AS7uwhbfR1rekBt2pg6KYDVWwIDAQAB -AoGAP7E0VFP8Aq/7os3sE1uS8y8XQ7L+7cUo/AKKoQHKLjfeyAY7t3FALt6vdPqn -anGjkA/j4RIWELoKJfCnwj17703NDCPwB7klcmZvmTx5Om1ZrRyZdQ6RJs0pOOO1 -r2wOnZNaNWStXE9Afpw3dj20Gh0V/Ioo5HXn3sHfxZm8dnkCQQDwv8OaUdp2Hl8t -FDfXB1CMvUG1hEAvbQvZK1ODkE7na2/ChKjVPddEI3DvfzG+nLrNuTrAyVWgRLte -r8qX5PQHAkEA7GlKx0S18LdiKo6wy2QeGu6HYkPncaHNFOWX8cTpvGGtQoWYSh0J -tjCt1/mz4/XkvZWuZyTNx2FdkVlNF5nHDQJBAIRWVTZqEjVlwpmsCHnp6mxCyHD4 -DrRDNAUfnNuwIr9xPlDlzUzSnpc1CCqOd5C45LKbRGGfCrN7tKd66FmQoFcCQQCy -Kvw3R1pTCvHJnvYwoshphaC0dvaDVeyINiwYAk4hMf/wpVxLZqz+CJvLrB1dzOBR -3O+uPjdzbrakpweJpNQ1AkEA3ZtlgEj9eWsLAJP8aKlwB8VqD+EtG9OJSUMnCDiQ -WFFNj/t3Ze3IVuAyL/yMpiv3JNEnZhIxCta42eDFpIZAKw== ------END RSA PRIVATE KEY----- - -EOD; - } - } else { - $cert = ""; - $key = ""; + $cert =& lookup_cert($config['system']['webgui']['ssl-certref']); + if(is_array($cert) && $cert['crt'] && $cert['prv']) { + $crt = base64_decode($cert['crt']); + $key = base64_decode($cert['prv']); + if(!$config['system']['webgui']['port']) + $portarg = "443"; + } else + log_error("Invalid webConfigurator https certificate, defaulting to http"); } /* generate lighttpd configuration */ system_generate_lighty_config("{$g['varetc_path']}/lighty-webConfigurator.conf", - $cert, $key, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/"); + $crt, $key, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/"); /* attempt to start lighthttpd */ $res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-webConfigurator.conf"); 
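Review bot: The new `else` on the https path fails open: when `lookup_cert` returns nothing usable the server comes up as plain http on port 80 (the `$portarg = "80"` default above) with just a log_error, so a missing or half-migrated `ssl-certref` turns every admin session into clear text while the config still says https. Keeping the stored protocol in sync (`$config['system']['webgui']['protocol'] = "http"` followed by write_config) or generating a self-signed certificate entry would make the fallback explicit instead of silent. `base64_decode` is also called without `strict`, so corrupted `crt`/`prv` data still passes the `$cert['crt'] && $cert['prv']` test and presumably only fails later inside lighttpd; checking the decoded values for `false`/empty before use would give a clearer error. system_webgui_start begins and ends outside the hunk.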
@@ -576,101 +534,6 @@ EOD; return $res; } -function system_webgui_start_old() { - global $config, $g; - if(isset($config['system']['developerspew'])) { - $mt = microtime(); - echo "system_webgui_start() being called $mt\n"; - } - - if ($g['booting']) - echo "Starting webConfigurator..."; - - /* kill any running mini_httpd */ - killbypid("{$g['varrun_path']}/mini_httpd.pid"); - - chdir($g['www_path']); - - /* non-standard port? */ - if ($config['system']['webgui']['port']) - $portarg = "-p {$config['system']['webgui']['port']}"; - else - $portarg = ""; - - if ($config['system']['webgui']['protocol'] == "https") { - - if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) { - $cert = base64_decode($config['system']['webgui']['certificate']); - $key = base64_decode($config['system']['webgui']['private-key']); - } else { - /* default certificate/key */ - $cert = <<<EOD ------BEGIN CERTIFICATE----- -MIIBlDCB/gIBADANBgkqhkiG9w0BAQQFADATMREwDwYDVQQKEwhtMG4wd2FsbDAe -Fw0wNTA1MTAxMjI0NDRaFw0wNzA1MTAxMjI0NDRaMBMxETAPBgNVBAoTCG0wbjB3 -YWxsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAShszhFz+o8lsMWTGgTxs -TMPR+v4+qL5jXDyY97MLTGFK7aqQOtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+ -83LPQmQoSPC0VqhfU3uYf3NzxiK8r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFP -C4jE2fvjkbzyVolPywBuewIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFR962c4R5tV -cTn0OQcszYoW6WC+ini9tQQh5ku5jYDAiC+00atawJEVLnL3lwAcpSKTIWlTkD20 -tl3lz5br1qFgYky+Rd0kwS2nk9jRbkxSXxd6KJVnNRCKre28aw3ENzZfCSurPQsX -UPp5er+NtwMT1g7s/JDmKTC4w1rGr5/c ------END CERTIFICATE----- - -EOD; - - $key = <<<EOD ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDAShszhFz+o8lsMWTGgTxsTMPR+v4+qL5jXDyY97MLTGFK7aqQ -OtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+83LPQmQoSPC0VqhfU3uYf3NzxiK8 -r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFPC4jE2fvjkbzyVolPywBuewIDAQAB -AoGAbJJrQW9fQrggJuLMz/hwsYW2m31oyOBmf5u463YQtjRuSuxe/gj87weZuNqY -H2rXq2k2K+ehl8hgW+egASyUL3L7kCkEAsVREujKTEyhSqqIRDPWTxo9S/YA9Gvn -2ZnJvkrcKjqCO9aHX3rvJOK/ErYI6akctgI3KmgkYw5XNmECQQDuZU97RTWH9rmP 
-aQr57ysNXxgFsyhetOOqeYkPtIVwpOiNbfwE1zi5RGdtO4Ku3fG1lV4J2UoWJ9yD -awdoyYIHAkEAzn0xJ90IjPsHk+8SODEj5JGdHSZPNu1tgtrbjEi9sfGWg4K7XTxr -QW90pWb1bKKU1uh5FzW6OhnFfuQXt1kC7QJAPSthqY+onKqCEnoxhtAHi/bKgyvl -P+fKQwPMV2tKkgy+XwvJjrRqqZ8TqsOKVLQ+QQmCh6RpjiXMPyxHSmvqIQJBAKLR -HF1ucDuaBROkwx0DwmWMW/KMLpIFDQDNSaiIAuu4rxHrl4mhBoGGPNffI04RtILw -s+qVNs5xW8T+XaT4ztECQQDFHPnZeoPWE5z+AX/UUQIUWaDExz3XRzmIxRbOrlFi -CsF1s0TdJLi/wzNQRAL37A8vqCeVFR/ng3Xpg96Yg+8Z ------END RSA PRIVATE KEY----- - -EOD; - } - - $cert = str_replace("\r", "", $cert); - $key = str_replace("\r", "", $key); - - $fd = fopen("{$g['varetc_path']}/cert.pem", "w"); - if (!$fd) { - printf("Error: cannot open cert.pem in system_webgui_start().\n"); - return 1; - } - chmod("{$g['varetc_path']}/cert.pem", 0600); - fwrite($fd, $cert); - fwrite($fd, "\n"); - fwrite($fd, $key); - fclose($fd); - - $res = mwexec("/usr/local/sbin/mini_httpd -S -E {$g['varetc_path']}/cert.pem" . - " -c \"**.php|**.cgi\" -u root -maxproc 16 $portarg" . - " -i {$g['varrun_path']}/mini_httpd.pid"); - } else { - $res = mwexec("/usr/local/sbin/mini_httpd -c \"**.php|**.cgi\" -u root" . - " -maxproc 16 $portarg -i {$g['varrun_path']}/mini_httpd.pid"); - } - - if ($g['booting']) { - if ($res == 0) - echo "done\n"; - else - echo "failed\n"; - } - - return $res; -} - function system_generate_lighty_config($filename, $cert, $key, diff --git a/usr/local/www/system.php b/usr/local/www/system.php index d8c62f3..5ed8065 100755 --- a/usr/local/www/system.php +++ b/usr/local/www/system.php 
@@ -43,17 +43,12 @@ $pconfig['hostname'] = $config['system']['hostname']; $pconfig['domain'] = $config['system']['domain']; list($pconfig['dns1'],$pconfig['dns2'],$pconfig['dns3'],$pconfig['dns4']) = $config['system']['dnsserver']; - $pconfig['dns1gwint'] = $config['system']['dns1gwint']; $pconfig['dns2gwint'] = $config['system']['dns2gwint']; $pconfig['dns3gwint'] = $config['system']['dns3gwint']; $pconfig['dns4gwint'] = $config['system']['dns4gwint']; $pconfig['dnsallowoverride'] = isset($config['system']['dnsallowoverride']); -$pconfig['webguiproto'] = $config['system']['webgui']['protocol']; -if (!$pconfig['webguiproto']) - $pconfig['webguiproto'] = "http"; -$pconfig['webguiport'] = $config['system']['webgui']['port']; $pconfig['timezone'] = $config['system']['timezone']; $pconfig['timeupdateinterval'] = $config['system']['time-update-interval']; $pconfig['timeservers'] = $config['system']['timeservers']; @@ -132,11 +127,6 @@ if ($_POST) { update_if_changed("hostname", $config['system']['hostname'], strtolower($_POST['hostname'])); update_if_changed("domain", $config['system']['domain'], strtolower($_POST['domain'])); - if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto'])) - $restart_webgui = true; - if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport'])) - $restart_webgui = true; - update_if_changed("timezone", $config['system']['timezone'], $_POST['timezone']); update_if_changed("NTP servers", $config['system']['timeservers'], strtolower($_POST['timeservers'])); update_if_changed("NTP update interval", $config['system']['time-update-interval'], $_POST['timeupdateinterval']); 
@@ -181,16 +171,6 @@ if ($_POST) { if ($changecount > 0) write_config($changedesc); - if ($restart_webgui) { - global $_SERVER; - list($host) = explode(":", $_SERVER['HTTP_HOST']); - if ($config['system']['webgui']['port']) { - $url="{$config['system']['webgui']['protocol']}://{$host}:{$config['system']['webgui']['port']}/system.php"; - } else { - $url = "{$config['system']['webgui']['protocol']}://{$host}/system.php"; - } - } - $retval = 0; config_lock(); $retval = system_hostname_configure(); @@ -206,8 +186,6 @@ if ($_POST) { config_unlock(); $savemsg = get_std_save_message($retval); - if ($restart_webgui) - $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds."; } } @@ -295,20 +273,6 @@ include("head.inc"); PPTP VPN clients, though.</span></p></td> </tr> <tr> - <td width="22%" valign="top" class="vncell">webConfigurator protocol</td> - <td width="78%" class="vtable"> <input name="webguiproto" type="radio" value="http" <?php if ($pconfig['webguiproto'] == "http") echo "checked"; ?>> - HTTP <input type="radio" name="webguiproto" value="https" <?php if ($pconfig['webguiproto'] == "https") echo "checked"; ?>> - HTTPS</td> - </tr> - <tr> - <td valign="top" class="vncell">webConfigurator port</td> - <td class="vtable"> <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>"> - <br> - <span class="vexpl">Enter a custom port number for the webConfigurator - above if you want to override the default (80 for HTTP, 443 - for HTTPS). Changes will take effect immediately after save.</span></td> - </tr> - <tr> <td width="22%" valign="top" class="vncell">Time zone</td> <td width="78%" class="vtable"> <select name="timezone" id="timezone"> <?php foreach ($timezonelist as $value): ?> 
@@ -369,16 +333,5 @@ include("head.inc"); </table> </form> <?php include("fend.inc"); ?> -<?php - // restart webgui if proto or port changed - if ($restart_webgui) { - echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">"; - } -?> </body> </html> -<?php -if ($restart_webgui) { - touch("/tmp/restart_webgui"); -} -?> diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php index 211eca4..179c573 100644 --- a/usr/local/www/system_advanced_admin.php +++ b/usr/local/www/system_advanced_admin.php @@ -43,15 +43,24 @@ require("guiconfig.inc"); -$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']); -$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']); +$pconfig['webguiproto'] = $config['system']['webgui']['protocol']; +$pconfig['webguiport'] = $config['system']['webgui']['port']; +$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref']; $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); $pconfig['enableserial'] = $config['system']['enableserial']; $pconfig['enablesshd'] = $config['system']['enablesshd']; $pconfig['sshport'] = $config['system']['ssh']['port']; $pconfig['sshdkeyonly'] = $config['system']['ssh']['sshdkeyonly']; -$pconfig['authorizedkeys'] = base64_decode($config['system']['ssh']['authorizedkeys']); + +$a_cert =& $config['system']['cert']; + +$certs_available = false; +if (is_array($a_cert) && count($a_cert)) + $certs_available = true; + +if (!$pconfig['webguiproto'] || !$certs_available) + $pconfig['webguiproto'] = "http"; if ($_POST) { 
@@ -59,15 +68,9 @@ if ($_POST) { $pconfig = $_POST; /* input validation */ - if (($_POST['cert'] && !$_POST['key']) || ($_POST['key'] && !$_POST['cert'])) - $input_errors[] = "Certificate and key must always be specified together."; - - if ($_POST['cert'] && $_POST['key']) { - if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY")) - $input_errors[] = "This key does not appear to be valid."; - } + if ($_POST['webguiport']) + if(!is_port($_POST['webguiport'])) + $input_errors[] = "You must specify a valid webConfigurator port number"; if ($_POST['sshport']) if(!is_port($_POST['sshport'])) @@ -83,10 +86,12 @@ if ($_POST) { if (!$input_errors) { - $oldcert = $config['system']['webgui']['certificate']; - $oldkey = $config['system']['webgui']['private-key']; - $config['system']['webgui']['certificate'] = base64_encode($_POST['cert']); - $config['system']['webgui']['private-key'] = base64_encode($_POST['key']); + if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto'])) + $restart_webgui = true; + if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport'])) + $restart_webgui = true; + if (update_if_changed("webgui certificate", $config['system']['webgui']['ssl-certref'], $_POST['ssl-certref'])) + $restart_webgui = true; if($_POST['disableconsolemenu'] == "yes") { $config['system']['disableconsolemenu'] = true; 
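Review bot: The input validation accepts `webguiproto = https` with any `ssl-certref`, including an empty value or an id that no longer exists; the `disabled` attribute on the HTTPS radio further down is client-side only, and `update_if_changed` then stores whatever was posted, after which the webConfigurator falls back to http at start. Add a server-side check next to the port test, e.g. `if ($_POST['webguiproto'] == "https" && !($certs_available && is_array(lookup_cert($_POST['ssl-certref'])))) $input_errors[] = "A valid SSL certificate must be selected to enable HTTPS";` (`lookup_cert` is what system.inc uses; its definition is not visible here, so confirm it is in scope on this page). The enclosing `if ($_POST)` block starts and ends outside the hunk.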
@@ -106,37 +111,50 @@ if ($_POST) { else unset($config['system']['enableserial']); - if($_POST['enablesshd'] == "yes") { + $sshd_enabled = $config['system']['enablesshd']; + if($_POST['enablesshd']) $config['system']['enablesshd'] = "enabled"; - touch("{$g['tmp_path']}/start_sshd"); - } else { + else unset($config['system']['enablesshd']); - mwexec("/usr/bin/killall sshd"); - } - - $oldsshport = $config['system']['ssh']['port']; - if ($_POST['sshdkeyonly'] == "yes") { + $sshd_keyonly = $config['system']['sshdkeyonly']; + if ($_POST['sshdkeyonly']) $config['system']['sshdkeyonly'] = true; - touch("{$g['tmp_path']}/start_sshd"); - } else { + else unset($config['system']['sshdkeyonly']); - mwexec("/usr/bin/killall sshd"); - } - $config['system']['ssh']['port'] = $_POST['sshport']; - $config['system']['ssh']['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); + $sshd_port = $config['system']['ssh']['port']; + if ($_POST['sshport']) + $config['system']['ssh']['port'] = $_POST['sshport']; + else + unset($config['system']['ssh']['port']); + + if (($sshd_enabled != $config['system']['enablesshd']) || + ($sshd_keyonly != $config['system']['sshdkeyonly']) || + ($sshd_port != $config['system']['ssh']['port'])) + $restart_sshd = true; + + if ($restart_webgui) { + global $_SERVER; + list($host) = explode(":", $_SERVER['HTTP_HOST']); + $prot = $config['system']['webgui']['protocol']; + $port = $config['system']['webgui']['port']; + if ($port) + $url = "{$prot}://{$host}:{$port}/system_advanced_admin.php"; + else + $url = "{$prot}://{$host}/system.php"; + } write_config(); config_lock(); $retval = filter_configure(); - if(stristr($retval, "error") <> true) - $savemsg = get_std_save_message($retval); - else - $savemsg = $retval; config_unlock(); + $savemsg = get_std_save_message($retval); + if ($restart_webgui) + $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds."; + conf_mount_rw(); setup_serial_port(); conf_mount_ro(); 
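Review bot: The sshd change detection reads and writes `$config['system']['sshdkeyonly']`, while this page pre-fills the checkbox from `$config['system']['ssh']['sshdkeyonly']` and system_usermanager.php tests `isset($config['system']['ssh']['sshdkeyonly'])`, so the key-only flag lands in a path those readers never see: the checkbox comes back unchecked after save and the user manager's "must provide an authorized key" check never fires. Settle on one path — whichever sshd's config generation reads, which I cannot see from the diff — and use it in all three places. The redirect is also inconsistent: the port branch targets `system_advanced_admin.php` but the no-port branch targets `system.php`; presumably both should return to this page.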
@@ -149,8 +167,21 @@ include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- + +function prot_change() { + + if (document.iform.https_proto.checked) + document.getElementById("ssl_opts").style.display=""; + else + document.getElementById("ssl_opts").style.display="none"; +} + +//--> +</script> <?php - include("fbegin.inc"); if ($input_errors) print_input_errors($input_errors); if ($savemsg) 
@@ -192,19 +223,54 @@ include("head.inc"); <td colspan="2" valign="top" class="listtopic">webConfigurator</td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Certificate</td> + <td width="22%" valign="top" class="vncell">Protocol</td> <td width="78%" class="vtable"> - <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea> + <?php + if ($pconfig['webguiproto'] == "http") + $http_chk = "checked"; + if ($pconfig['webguiproto'] == "https") + $https_chk = "checked"; + if (!$certs_available) + $https_disabled = "disabled"; + ?> + <input name="webguiproto" id="http_proto" type="radio" value="http" <?=$http_chk;?> onClick="prot_change()"> + HTTP + + <input name="webguiproto" id="https_proto" type="radio" value="https" <?=$https_chk;?> <?=$https_disabled;?> onClick="prot_change()"> + HTTPS + <?php if (!$certs_available): ?> <br/> - Paste a signed certificate in X.509 PEM format here. <a href="javascript:if(openwindow('system_advanced_create_certs.php') == false) alert('Popup blocker detected. Action aborted.');" >Create</a> certificates automatically. + No Certificates have been defined. You must + <a href="system_certmanager.php">Create or Import</a> + a Certificate before SSL can be enabled. + <?php endif; ?> </td> </tr> - <tr> - <td width="22%" valign="top" class="vncell">Key</td> + <tr id="ssl_opts"> + <td width="22%" valign="top" class="vncell">SSL Certificate</td> <td width="78%" class="vtable"> - <textarea name="key" cols="65" rows="7" id="key" class="formpre"><?=htmlspecialchars($pconfig['key']);?></textarea> - <br/> - Paste an RSA private key in PEM format here. 
+ <select name="ssl-certref" id="ssl-certref" class="formselect"> + <?php + foreach($a_cert as $cert): + $selected = ""; + if ($pconfig['ssl-certref'] == $cert['refid']) + $selected = "selected"; + ?> + <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['name'];?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td valign="top" class="vncell">TCP port</td> + <td class="vtable"> + <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>"> + <br> + <span class="vexpl"> + Enter a custom port number for the webConfigurator + above if you want to override the default (80 for HTTP, 443 + for HTTPS). Changes will take effect immediately after save. + </span> </td> </tr> <tr> @@ -246,9 +312,9 @@ include("head.inc"); <input name="sshdkeyonly" type="checkbox" id="sshdkeyonly" value="yes" <?php if (isset($pconfig['sshdkeyonly'])) echo "checked"; ?> /> <strong>Disable Password login for Secure Shell (rsa key only)</strong> <br/> - When this option is enabled, you will need to configure - allowed keys for each user that has secure shell - access. + When enabled, authorized keys need to be configured for each + <a href="system_usermanager.php">user</a> + that has been granted secure shell access. </td> </tr> <tr> @@ -260,14 +326,6 @@ include("head.inc"); </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Authorizedkeys");?></td> - <td width="78%" class="vtable"> - <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea> - <br/> - Paste an authorized keys file here. - </td> - </tr> - <tr> <td colspan="2" class="list" height="12"> </td> </tr> <?php if($g['platform'] == "pfSense" || $g['platform'] == "cdrom"): ?> 
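Review bot: The certificate `<select>` echoes `$cert['refid']` and `$cert['name']` straight into HTML, whereas the port field just below uses `htmlspecialchars()`; a certificate name containing `<` or `"` breaks the markup, so write `<option value="<?=htmlspecialchars($cert['refid']);?>"<?=$selected;?>><?=htmlspecialchars($cert['name']);?></option>`. The port input also carries the stray quote in `id="webguiport" "size="5"` copied from system.php, which leaves `size` as a malformed attribute; it should read `size="5"`.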
@@ -311,22 +369,35 @@ include("head.inc"); </td> </tr> </table> + <script language="JavaScript" type="text/javascript"> + <!-- + prot_change(); + //--> + </script> <?php include("fend.inc"); ?> +<?php + if ($restart_webgui) + echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">"; +?> </body> </html> <?php +if ($restart_sshd) { -if($_POST['cert'] || $_POST['key']) { - if (($config['system']['webgui']['certificate'] != $oldcert) - || ($config['system']['webgui']['private-key'] != $oldkey)) { - ob_flush(); - flush(); - log_error("webConfigurator certificates have changed. Restarting webConfigurator."); - sleep(1); - touch("/tmp/restart_webgui"); + mwexec("/usr/bin/killall sshd"); + log_error("secure shell configuration has changed. Stopping sshd."); + + if ($config['system']['enablesshd']) { + log_error("secure shell configuration has changed. Restarting sshd."); + touch("{$g['tmp_path']}/start_sshd"); } } - +if ($restart_webgui) { + ob_flush(); + flush(); + log_error("webConfigurator configuration has changed. Restarting webConfigurator."); + touch("{$g['tmp_path']}/restart_webgui"); +} ?> diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index 5426524..cdb2c35 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php 
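Review bot: `$url` is built from `$_SERVER['HTTP_HOST']` in the POST handler and is echoed here unescaped into the `content` attribute of the meta refresh (and earlier into `$savemsg`), so whatever arrives in the Host header lands verbatim in the page; emit it as `htmlspecialchars($url)` in both places. In the sshd block the "Stopping sshd" log line is written after `killall` has already run; logging first reads more honestly about what is going on.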
@@ -197,12 +197,7 @@ if (isAllowedPage("system_usermanager")) { } } - if(is_array($_POST['groups'])) - foreach($_POST['groups'] as $groupname) - if ($pconfig['utype'] <> "system" && !isset($groupindex[$groupname])) - $input_errors[] = gettext("group {$groupname} does not exist, please define the group before assigning users."); - - if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys'])) + if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys'])) $input_errors[] = gettext("You must provide an authorized key otherwise you won't be able to login into this system."); /* if this is an AJAX caller then handle via JSON */ @@ -216,6 +211,8 @@ if (isAllowedPage("system_usermanager")) { if (isset($id) && $a_user[$id]) $userent = $a_user[$id]; + isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; + /* the user name was modified */ if ($_POST['usernamefld'] <> $_POST['oldusername']) $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; @@ -226,11 +223,7 @@ if (isAllowedPage("system_usermanager")) { $userent['name'] = $_POST['usernamefld']; $userent['fullname'] = $_POST['fullname']; - - isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; - - if(isset($config['system']['ssh']['sshdkeyonly'])) - $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); + $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); if (isset($id) && $a_user[$id]) $a_user[$id] = $userent; 
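Review bot: This hunk removes the group-existence validation (`group {$groupname} does not exist, please define the group before assigning users.`) entirely, which the commit message does not mention; if that was not intended, a user can now be saved with memberships in undefined groups. `$userent['authorizedkeys']` is also now stored unconditionally from the raw POST with no shape check; an authorized_keys file is line-oriented, so rejecting content that has no recognisable key line (e.g. one starting with `ssh-rsa` or `ssh-dss`) would catch pasted garbage before it reaches `~/.ssh`. The surrounding `if (isAllowedPage(...))` block begins and ends outside the hunk.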
@@ -367,20 +360,6 @@ function presubmit() { <?=gettext("User's full name, for your own information only");?> </td> </tr> - - <?php if (isset($config['system']['ssh']['sshdkeyonly'])): ?> - - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td> - <td width="78%" class="vtable"> - <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea> - <br/> - <?=gettext("Paste an authorized keys file here.");?> - </td> - </tr> - - <?php endif; ?> - <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Group Memberships");?></td> <td width="78%" class="vtable" align="center"> @@ -552,6 +531,14 @@ function presubmit() { <?php endif; ?> <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td> + <td width="78%" class="vtable"> + <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea> + <br/> + <?=gettext("Paste an authorized keys file here.");?> + </td> + </tr> + <tr> <td width="22%" valign="top"> </td> <td width="78%"> <input id="submit" name="save" type="submit" class="formbtn" value="Save" /> |