authorMatthew Grooms <mgrooms@pfsense.org>2008-08-03 17:54:35 +0000
committerMatthew Grooms <mgrooms@pfsense.org>2008-08-03 17:54:35 +0000
commit659fa7f23bb28d316ec6c99a538ee74bc7ffc0a3 (patch)
tree31ce9604a21b27b3f88c50332251ea570136c817
parent5064cec7670cffa8efa3d7276ebf13c2c9d5e23c (diff)
Clean up authentication code. The basic auth method, the passwd, htpasswd
and pam backing functions have been removed. The basic auth method was legacy code and the backing functions were redundant with no added value that I could see. A simplified replacement backing function named local_backed has been added that authenticates to the local configuration info which should be identical to system pwdb credentials. Since the htpassword file is no longer required, sync_webgui_passwords and its wrapper function system_password_configure have been removed. The local account management functions were renamed for consistency. A few minor bugs related to setting local passwords have also been corrected.
-rw-r--r--etc/inc/auth.inc630
-rw-r--r--etc/inc/authgui.inc5
-rw-r--r--etc/inc/config.inc4
-rw-r--r--etc/inc/pfsense-utils.inc32
-rw-r--r--etc/inc/priv.inc6
-rw-r--r--etc/inc/system.inc23
-rw-r--r--etc/phpshellsessions/cvssync4
-rwxr-xr-xetc/rc.bootup7
-rwxr-xr-xetc/rc.initial.password26
-rwxr-xr-xetc/sshd3
-rwxr-xr-xusr/local/www/pkg_mgr_install.php3
-rwxr-xr-xusr/local/www/system.php10
-rw-r--r--usr/local/www/system_groupmanager.php6
-rw-r--r--usr/local/www/system_groupmanager_addprivs.php2
-rw-r--r--usr/local/www/system_usermanager.php22
-rw-r--r--usr/local/www/system_usermanager_addprivs.php2
-rwxr-xr-xusr/local/www/system_usermanager_settings.php4
-rw-r--r--usr/local/www/wizards/setup_wizard.xml10
18 files changed, 308 insertions, 491 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 2d89e5d..3d5b3ac 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -102,7 +102,18 @@ function & getGroupEntryByGID($gid) {
return false;
}
-function sync_local_accounts() {
+function local_backed($username, $passwd) {
+
+ $user = getUserEntry($username);
+ if (!$user)
+ return false;
+
+ $passwd = crypt($passwd, $user['password']);
+
+ return ($passwd == $user['password']);
+}
+
+function local_sync_accounts() {
global $config;
/* remove local users to avoid uid conflicts */
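Review bot: local_backed() has no explicit decision for a user entry whose `password` field is absent or empty; the result then depends on what crypt() does with an empty salt rather than on a deliberate reject, and the final check uses loose `==` on two strings. Make the reject explicit and the comparison strict: `if (!$user || empty($user['password'])) return false;` followed by `return (crypt($passwd, $user['password']) === $user['password']);`. Where the PHP version provides it, `hash_equals()` (5.6+) is the constant-time form of that comparison. Note also that, unlike the removed pam_backed(), nothing here refuses a blank submitted password, so an account with a hash of the empty string is loginable. The body of local_sync_accounts() continues past the end of this hunk.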
@@ -140,22 +151,20 @@ function sync_local_accounts() {
/* make sure the all group exists */
$allgrp = getGroupEntryByGID(1998);
- set_local_group($allgrp, true);
+ local_group_set($allgrp, true);
/* sync all local users */
if (is_array($config['system']['user']))
foreach ($config['system']['user'] as $user)
- set_local_user($user);
+ local_user_set($user);
/* sync all local groups */
if (is_array($config['system']['group']))
foreach ($config['system']['group'] as $group)
- set_local_group($group);
-
- sync_webgui_passwords();
+ local_group_set($group);
}
-function set_local_user(& $user, $password = false) {
+function local_user_set(& $user) {
global $g;
$home_base = $g['platform'] == "pfSense" ? "/home" : "/var/home";
@@ -168,30 +177,6 @@ function set_local_user(& $user, $password = false) {
$user_shell = "/etc/rc.initial";
$user_group = "nobody";
- /* set all password hashes if required */
- if ($password && strlen($password)) {
-
- $user['password'] = crypt($password);
- $user['md5-hash'] = md5($password);
-
- /*
- * NOTE : This section of code id based on the BSD
- * licensed CHAP.php courtesy of Michael Retterklieber.
- */
- /* Waiting for mhash to settle into the tree
- // Converts ascii to unicode.
- $astr = (string) $password;
- $ustr = '';
- for ($i = 0; $i < strlen($astr); $i++) {
- $a = ord($astr{$i}) << 8;
- $ustr.= sprintf("%X", $a);
- }
-
- // Generate the NT-HASH from the unicode string
- $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
- */
- }
-
/* configure shell type */
if (!hasPrivilegeShell($user)) {
if (!hasPrivilegeCopyFiles($user))
@@ -241,10 +226,10 @@ function set_local_user(& $user, $password = false) {
create_authorized_keys($user_name, $user_home);
}
-function del_local_user($user) {
+function local_user_del($user) {
/* remove all memberships */
- set_local_user_groups($user);
+ local_user_get_groups($user);
/* delete from pw db */
$cmd = "/usr/sbin/pw userdel {$user['name']}";
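Review bot: local_user_del() no longer removes the user's group memberships: the old code called set_local_user_groups($user) with no new groups (the "remove all memberships" step), but the renamed call is `local_user_get_groups($user)`, a getter whose return value is discarded, so the group entries keep the deleted user. The line should read `local_user_set_groups($user);`. The rest of local_user_del() lies outside the hunk, so I cannot see whether a later step compensates.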
@@ -255,7 +240,30 @@ function del_local_user($user) {
pclose($fd);
}
-function get_local_user_groups($user, $all = false) {
+function local_user_set_password(& $user, $password) {
+
+ $user['password'] = crypt($password);
+ $user['md5-hash'] = md5($password);
+
+ /*
+ * NOTE : This section of code id based on the BSD
+ * licensed CHAP.php courtesy of Michael Retterklieber.
+ */
+ /* Waiting for mhash to settle into the tree
+ // Converts ascii to unicode.
+ $astr = (string) $password;
+ $ustr = '';
+ for ($i = 0; $i < strlen($astr); $i++) {
+ $a = ord($astr{$i}) << 8;
+ $ustr.= sprintf("%X", $a);
+ }
+
+ // Generate the NT-HASH from the unicode string
+ $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
+ */
+}
+
+function local_user_get_groups($user, $all = false) {
global $config;
$groups = array();
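Review bot: local_user_set_password() calls `crypt($password)` with no salt, so the hash scheme is left to PHP's default for the build (historically DES, which truncates to 8 characters), while local_backed() depends on the stored hash doubling as the salt; pass an explicit modular-crypt salt (e.g. a `$1$…$` prefix, the format the removed passwd_backed() expected) so the stored format is fixed and documented. The function also does not reject an empty `$password`, and it stores an unsalted `md5($password)` under `md5-hash` — presumably for CHAP; if so, a comment stating which feature consumes that field would justify keeping a password-equivalent value in the config. The commented-out mhash block has been carried across verbatim; if it is not going to be enabled, drop it rather than moving it. local_user_get_groups() continues past the end of this hunk.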
@@ -273,13 +281,13 @@ function get_local_user_groups($user, $all = false) {
return $groups;
}
-function set_local_user_groups($user, $new_groups = NULL ) {
+function local_user_set_groups($user, $new_groups = NULL ) {
global $config, $groupindex;
if (!is_array($config['system']['group']))
return;
- $cur_groups = get_local_user_groups($user);
+ $cur_groups = local_user_get_groups($user);
$mod_groups = array();
if (!is_array($new_groups))
@@ -309,10 +317,10 @@ function set_local_user_groups($user, $new_groups = NULL ) {
/* sync all modified groups */
foreach ($mod_groups as $group)
- set_local_group($group);
+ local_group_set($group);
}
-function set_local_group($group, $reset = false) {
+function local_group_set($group, $reset = false) {
$group_name = $group['name'];
$group_gid = $group['gid'];
@@ -340,7 +348,7 @@ function set_local_group($group, $reset = false) {
pclose($fd);
}
-function del_local_group($group) {
+function local_group_del($group) {
/* delete from group db */
$cmd = "/usr/sbin/pw groupdel {$group['name']}";
@@ -351,294 +359,6 @@ function del_local_group($group) {
pclose($fd);
}
-function basic_auth($backing) {
- global $HTTP_SERVER_VARS;
-
- /* Check for AUTH_USER */
- if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
- $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
- $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
- }
-
- if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) {
- require_once("authgui.inc");
- header("WWW-Authenticate: Basic realm=\".\"");
- header("HTTP/1.0 401 Unauthorized");
- display_error_form("401", gettext("You must enter valid credentials to access this resource."));
- exit;
- }
-
- return $backing($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']);
-}
-
-function session_auth($backing) {
- global $g, $HTTP_SERVER_VARS, $userindex, $config;
-
- session_start();
-
- /* Validate incoming login request */
- if (isset($_POST['login'])) {
- if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
- $_SESSION['Logged_In'] = "True";
- $_SESSION['Username'] = $_POST['usernamefld'];
- $_SESSION['last_access'] = time();
- log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- } else {
- /* give the user a more detailed error message */
- if (isset($userindex[$_POST['usernamefld']])) {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- } else {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- }
- }
- }
-
- /* Show login page if they aren't logged in */
- if (empty($_SESSION['Logged_In'])) {
- /* Don't display login forms to AJAX */
- if (isAjax())
- return false;
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /* If session timeout isn't set, we don't mark sessions stale */
- if (!isset($config['system']['webgui']['session_timeout']) ||
- $config['system']['webgui']['session_timeout'] == 0 ||
- $config['system']['webgui']['session_timeout'] == "")
- $_SESSION['last_access'] = time();
- else {
- /* Check for stale session */
- if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
- $_GET['logout'] = true;
- $_SESSION['Logout'] = true;
- } else {
- /* only update if it wasn't ajax */
- if (!isAjax())
- $_SESSION['last_access'] = time();
- }
- }
-
- /* obtain user object */
- $user = getUserEntry($_SESSION['Username']);
-
- /* user hit the logout button */
- if (isset($_GET['logout'])) {
-
- if ($_SESSION['Logout'])
- log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
- else
- log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
-
- if (hasPrivilegeLock($user))
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
-
- /* wipe out $_SESSION */
- $_SESSION = array();
-
- if (isset($_COOKIE[session_name()]))
- setcookie(session_name(), '', time()-42000, '/');
-
- /* and destroy it */
- session_destroy();
-
- $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
- $scriptElms = count($scriptName);
- $scriptName = $scriptName[$scriptElms-1];
-
- if (isAjax())
- return false;
-
- /* redirect to page the user is on, it'll prompt them to login again */
- pfSenseHeader($scriptName);
-
- return false;
- }
-
- /*
- * user wants to explicitely delete the lock file.
- * Requires a particular privilege.
- */
- if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * user wants to explicitely create a lock.
- * Requires a particular privilege.
- */
- if ($_GET['createlock'] && hasPrivilegeLock($user)) {
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * this is for debugging purpose if you do not want to use Ajax
- * to submit a HTML form. It basically diables the observation
- * of the submit event and hence does not trigger Ajax.
- */
- if ($_GET['disable_ajax']) {
- $_SESSION['NO_AJAX'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * Same to re-enable Ajax.
- */
- if ($_GET['enable_ajax']) {
- unset($_SESSION['NO_AJAX']);
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * is the user is allowed to create a lock
- */
- if (hasPrivilegeLock($user)) {
-
- /*
- * create a lock once per session
- */
- if (!isset($_SESSION['Lock_Created'])) {
-
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- }
-
- } else {
-
- /*
- * give regular users a chance to automatically invalidate
- * a lock if its older than a particular time.
- */
- if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
-
- $offset = 12; //hours
- $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
- $now_minus_offset = mktime(date("H") - $offset, 0, 0,
- date("m"), date("d"), date("Y"));
-
- if (($mtime - $now_minus_offset) < $mtime) {
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /*
- * file is older than mtime + offset which may
- * indicate a stale lockfile, hence we are going
- * to remove it.
- */
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
- }
-
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-}
-
-function pam_backed($username = "", $password = "") {
-
- /* do not allow blank passwords */
- if ($username == "" || password == "")
- return false;
-
- if (!extension_loaded( 'pam_auth'))
- if (!@dl('pam_auth.so'))
- return false;
-
- /* no php file no auth, sorry */
- if (!file_exists("/etc/pam.d/php")) {
-
- if (!file_exists("/etc/pam.d"))
- mkdir("/etc/pam.d");
-
- $pam_php = <<<EOD
-
-# /etc/pam.d/php
-#
-# note: both an auth and account entry are required
-
-# auth
-auth required pam_nologin.so no_warn
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_unix.so
-
-# session
-session required pam_permit.so
-
-# password
-password required pam_unix.so no_warn try_first_pass
-
-EOD;
-
- file_put_contents("/etc/pam.d/php", $pam_php);
- }
-
- if (pam_auth($username, $password, &$error))
- return true;
-
- return false;
-}
-
-function passwd_backed($username, $passwd) {
-
- $authfile = file("/etc/master.passwd");
- $matches="";
-
- /* Check to see if user even exists */
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /*
- * Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function ldap_test_connection() {
global $config, $g;
@@ -686,8 +406,8 @@ function ldap_get_user_ous($show_complete_ou=true) {
$ldapfilter = "(ou=*)";
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
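Review bot: The new fallback `$status = local_backed($username, $passwd);` runs with variables that do not exist in this scope: the hunk header shows `ldap_get_user_ous($show_complete_ou=true)` takes neither `$username` nor `$passwd`, and the same pattern at L486, and in `ldap_get_groups($username)` at L496 and L505, has no `$passwd`. These are lookup helpers, not authenticators, so a connect or bind failure should log and return a failure value consistent with the function's normal return (e.g. `return false;`) instead of re-authenticating an undefined username against the local backend. The pre-existing htpasswd_backed() calls had the same problem; this commit re-creates it. The enclosing functions start and end outside the hunk.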
@@ -695,8 +415,8 @@ function ldap_get_user_ous($show_complete_ou=true) {
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -762,8 +482,8 @@ function ldap_get_groups($username) {
/* connect and see if server is up */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -772,8 +492,8 @@ function ldap_get_groups($username) {
/* bind as user that has rights to read group attributes */
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -838,8 +558,8 @@ function ldap_backed($username, $passwd) {
/* first check if there is even an LDAP server populated */
if(!$ldapserver) {
- log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -849,15 +569,15 @@ function ldap_backed($username, $passwd) {
/* Make sure we can connect to LDAP */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
/* ok, its up. now, lets bind as the bind user so we can search it */
if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
ldap_close($ldap);
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -914,7 +634,7 @@ function ldap_backed($username, $passwd) {
}
if ($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
$_SESSION['ldapon'] = "false";
ldap_close($ldap);
return $status;
@@ -956,7 +676,7 @@ function ldap_backed($username, $passwd) {
}
if($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
ldap_close($ldap);
$_SESSION['ldapon'] = "false";
return $status;
@@ -965,8 +685,8 @@ function ldap_backed($username, $passwd) {
/* Now lets bind as the user we found */
if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
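Review bot: The rewritten log line at L559 still writes the submitted password in clear into the system log (`{$username} - {$passwd}`) whenever the user bind fails, which is exactly the wrong-password case; change it to `log_error("ERROR! ldap_backed() could not bind to {$ldapserver} as {$username}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");`. Separately, falling through to local_backed() after LDAP has rejected the credentials means a password refused by the directory is then tried against the local account of the same name; if that is intended as a break-glass path it deserves a comment, otherwise a failed user bind should simply return false. ldap_backed() continues outside this hunk.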
@@ -976,30 +696,6 @@ function ldap_backed($username, $passwd) {
return true;
}
-function htpasswd_backed($username, $passwd) {
- $authfile = file("/var/run/htpasswd");
-
- /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
- unlink_if_exists("/usr/local/www/.htpasswd");
-
- $matches="";
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /* Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function radius_backed($username, $passwd){
global $config, $debug;
$ret = false;
@@ -1043,4 +739,200 @@ function radius_backed($username, $passwd){
return $ret;
}
+function session_auth($backing) {
+ global $g, $HTTP_SERVER_VARS, $userindex, $config;
+
+ session_start();
+
+ /* Validate incoming login request */
+ if (isset($_POST['login'])) {
+ if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
+ $_SESSION['Logged_In'] = "True";
+ $_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['last_access'] = time();
+ log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ } else {
+ /* give the user a more detailed error message */
+ if (isset($userindex[$_POST['usernamefld']])) {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ } else {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ }
+ }
+ }
+
+ /* Show login page if they aren't logged in */
+ if (empty($_SESSION['Logged_In'])) {
+ /* Don't display login forms to AJAX */
+ if (isAjax())
+ return false;
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /* If session timeout isn't set, we don't mark sessions stale */
+ if (!isset($config['system']['webgui']['session_timeout']) ||
+ $config['system']['webgui']['session_timeout'] == 0 ||
+ $config['system']['webgui']['session_timeout'] == "")
+ $_SESSION['last_access'] = time();
+ else {
+ /* Check for stale session */
+ if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
+ $_GET['logout'] = true;
+ $_SESSION['Logout'] = true;
+ } else {
+ /* only update if it wasn't ajax */
+ if (!isAjax())
+ $_SESSION['last_access'] = time();
+ }
+ }
+
+ /* obtain user object */
+ $user = getUserEntry($_SESSION['Username']);
+
+ /* user hit the logout button */
+ if (isset($_GET['logout'])) {
+
+ if ($_SESSION['Logout'])
+ log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+ else
+ log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+
+ if (hasPrivilegeLock($user))
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+
+ /* wipe out $_SESSION */
+ $_SESSION = array();
+
+ if (isset($_COOKIE[session_name()]))
+ setcookie(session_name(), '', time()-42000, '/');
+
+ /* and destroy it */
+ session_destroy();
+
+ $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
+ $scriptElms = count($scriptName);
+ $scriptName = $scriptName[$scriptElms-1];
+
+ if (isAjax())
+ return false;
+
+ /* redirect to page the user is on, it'll prompt them to login again */
+ pfSenseHeader($scriptName);
+
+ return false;
+ }
+
+ /*
+ * user wants to explicitely delete the lock file.
+ * Requires a particular privilege.
+ */
+ if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * user wants to explicitely create a lock.
+ * Requires a particular privilege.
+ */
+ if ($_GET['createlock'] && hasPrivilegeLock($user)) {
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * this is for debugging purpose if you do not want to use Ajax
+ * to submit a HTML form. It basically diables the observation
+ * of the submit event and hence does not trigger Ajax.
+ */
+ if ($_GET['disable_ajax']) {
+ $_SESSION['NO_AJAX'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * Same to re-enable Ajax.
+ */
+ if ($_GET['enable_ajax']) {
+ unset($_SESSION['NO_AJAX']);
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * is the user is allowed to create a lock
+ */
+ if (hasPrivilegeLock($user)) {
+
+ /*
+ * create a lock once per session
+ */
+ if (!isset($_SESSION['Lock_Created'])) {
+
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ }
+
+ } else {
+
+ /*
+ * give regular users a chance to automatically invalidate
+ * a lock if its older than a particular time.
+ */
+ if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+
+ $offset = 12; //hours
+ $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
+ $now_minus_offset = mktime(date("H") - $offset, 0, 0,
+ date("m"), date("d"), date("Y"));
+
+ if (($mtime - $now_minus_offset) < $mtime) {
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /*
+ * file is older than mtime + offset which may
+ * indicate a stale lockfile, hence we are going
+ * to remove it.
+ */
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ }
+ }
+
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+}
+
?>
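Review bot: session_auth() marks the session as logged in (L604-L606) without rotating the session identifier, so an ID a client held before authenticating is still valid afterwards (session fixation); insert `session_regenerate_id(true);` immediately before `$_SESSION['Logged_In'] = "True";`. The logout path at L659-L689 does the opposite correctly (clears `$_SESSION`, expires the cookie, destroys the session), so only the login side is missing. Minor: `$_GET['deletelock']`, `$_GET['createlock']`, `$_GET['disable_ajax']`, `$_GET['enable_ajax']` and `$_SESSION['Logout']` are read without isset(), which emits notices on every ordinary request; wrap them with `!empty(...)`. This function is moved rather than new, but it is the code now under review.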
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 7467ccd..e370250 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -46,7 +46,6 @@ require_once("functions.inc");
* radius_backed - this will allow you to use a radius server
* pam_backed - this uses the system's PAM facility .htpasswd file
*/
-$auth_method="session_auth";
/* enable correct auth backend, default to htpasswd_backed */
$ldapcase = $config['system']['webgui']['backend'];
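Review bot: The comments around the backend selection are now stale: L802 still says "default to htpasswd_backed" although the next hunk changes the default to local_backed, and L799 still lists `pam_backed` (with an .htpasswd description that never matched it) although this commit removes that function. Change L802 to `/* enable correct auth backend, default to local_backed */`, drop the pam_backed line, and add `local_backed - authenticates against the local user entries in the configuration` to the list.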
@@ -59,11 +58,11 @@ switch($ldapcase)
$backing_method="ldap_backed";
break;
default:
- $backing_method="htpasswd_backed";
+ $backing_method="local_backed";
}
/* Authenticate user - exit if failed */
-if (!$auth_method($backing_method))
+if (!session_auth($backing_method))
exit;
/*
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index f811b53..cd9e13d 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1592,7 +1592,7 @@ function convert_config() {
$groups[] = $all;
$groups = array_merge($config['system']['group'],$groups);
$config['system']['group'] = $groups;
- set_local_group($all);
+ local_group_set($all);
$config['version'] = 4.9;
}
@@ -1643,7 +1643,7 @@ function convert_config() {
}
/* sync all local account information */
- sync_local_accounts();
+ local_sync_accounts();
$config['version'] = 5.0;
}
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 9c71b67..f49943a 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -2580,36 +2580,6 @@ function reload_interfaces() {
touch("/tmp/reload_interfaces");
}
-/****f* pfsense-utils/sync_webgui_passwords
- * NAME
- * sync_webgui_passwords - syncs all www pwdb entries
- * INPUTS
- * none
- * RESULT
- * none
- ******/
-function sync_webgui_passwords() {
- global $config, $g, $groupindex, $userindex;
-
- conf_mount_rw();
- $fd = fopen("{$g['varrun_path']}/htpasswd", "w");
-
- if (!$fd) {
- log_error("Error: cannot open htpasswd in sync_webgui_passwords().\n");
- return 1;
- }
-
- /* loop through custom users and add "virtual" entries */
- if ($config['system']['user'])
- foreach ($config['system']['user'] as $user)
- fwrite($fd, "{$user['name']}:{$user['password']}\n");
-
- fclose($fd);
- chmod("{$g['varrun_path']}/htpasswd", 0600);
-
- conf_mount_ro();
-}
-
/****f* pfsense-utils/reload_all_sync
* NAME
* reload_all - reload all settings
@@ -2693,7 +2663,7 @@ function reload_all_sync() {
system_routing_enable();
/* ensure passwords are sync'd */
- system_password_configure();
+// system_password_configure();
/* start dnsmasq service */
services_dnsmasq_configure();
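Review bot: `// system_password_configure();` at L879 (and the identical change at L984 in etc/rc.bootup) leaves commented-out code that calls a function this commit deletes from etc/inc/system.inc, under a comment (`/* ensure passwords are sync'd */`) that no longer describes anything. Delete both lines in each file, or, if a sync at this point is still wanted, call whatever now performs it (etc/phpshellsessions/cvssync switches to `local_sync_accounts();` for the same purpose) — I cannot tell from the hunk which was intended.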
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index 917cc00..dfacf55 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -142,7 +142,7 @@ function get_user_privileges(& $user) {
if (!is_array($privs))
$privs = array();
- $names = get_local_user_groups($user, true);
+ $names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@@ -162,7 +162,7 @@ function get_user_privdesc(& $user) {
if (!is_array($user_privs))
$user_privs = array();
- $names = get_local_user_groups($user, true);
+ $names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@@ -244,7 +244,7 @@ function getAllowedPages($username) {
// obtain local groups if we have a local user
if ($local_user) {
- $allowed_groups = get_local_user_groups($local_user);
+ $allowed_groups = local_user_get_groups($local_user);
getPrivPages($local_user, $allowed_pages);
}
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 24617c9..c161e8f 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -494,9 +494,6 @@ function system_webgui_start() {
sleep(1);
- /* generate password file */
- system_password_configure();
-
chdir($g['www_path']);
/* non-standard port? */
@@ -592,9 +589,6 @@ function system_webgui_start_old() {
/* kill any running mini_httpd */
killbypid("{$g['varrun_path']}/mini_httpd.pid");
- /* generate password file */
- system_password_configure();
-
chdir($g['www_path']);
/* non-standard port? */
@@ -1000,21 +994,6 @@ EOD;
}
-function system_password_configure() {
- global $config, $g;
- if(isset($config['system']['developerspew'])) {
- $mt = microtime();
- echo "system_password_configure() being called $mt\n";
- }
-
- /* sync passwords */
- sync_webgui_passwords();
-
- /* !NOTE! conf_mount_ro is done by sync_webgui_passwords() */
-
- return 0;
-}
-
function system_timezone_configure() {
global $config, $g;
if(isset($config['system']['developerspew'])) {
@@ -1308,4 +1287,4 @@ function enable_watchdog() {
}
}
-?> \ No newline at end of file
+?>
diff --git a/etc/phpshellsessions/cvssync b/etc/phpshellsessions/cvssync
index fdb7159..6bc1317 100644
--- a/etc/phpshellsessions/cvssync
+++ b/etc/phpshellsessions/cvssync
@@ -148,9 +148,9 @@ function post_cvssync_commands() {
echo "===> Upgrading configuration (if needed)...\n";
convert_config();
-
+
echo "===> Syncing system passwords...\n";
- sync_webgui_passwords();
+ local_sync_accounts();
echo "===> Restarting check_reload_status...\n";
exec("killall check_reload_status");
diff --git a/etc/rc.bootup b/etc/rc.bootup
index eb98118..ec8066c 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -106,11 +106,6 @@
system_setup_sysctl();
echo "done.\n";
- /* sync user passwords */
- echo "Syncing user passwords...";
- sync_webgui_passwords();
- echo "done.\n";
-
echo "Starting Secure Shell Services...";
mwexec_bg("/etc/sshd");
echo "done.\n";
@@ -216,7 +211,7 @@
system_routing_enable();
/* ensure passwords are sync'd */
- system_password_configure();
+// system_password_configure();
/* configure console menu */
system_console_configure();
diff --git a/etc/rc.initial.password b/etc/rc.initial.password
index f92055f..82a3edd 100755
--- a/etc/rc.initial.password
+++ b/etc/rc.initial.password
@@ -41,17 +41,25 @@ The webConfigurator password will be reset to the default (which is "' . strtolo
gettext('Do you want to proceed [y|n]?');
if (strcasecmp(chop(fgets($fp)), "y") == 0) {
-
- foreach ($config['system']['user'] as & $user) {
- if (isset($user['uid']) && !$user['uid']) {
- $user['name'] = "admin";
- set_local_user($user, strtolower($g['product_name']));
- write_config(gettext("password changed from console menu"));
- system_password_configure();
- break;
- }
+ $admin_user =& getUserEntryByUID(0);
+ if (!$admin_user) {
+ echo "Failed to locate the admin user account! Attempting to restore access.\n";
+ $admin_user = array();
+ $admin_user['uid'] = 0;
+ $admin_user['priv'] = explode(",", "user-shell-access,page-all");
+ if (!is_array($config['system']['user']))
+ $config['system']['user'] = array();
+ $config['system']['user'][] = $admin_user;
}
+ $admin_user['name'] = "admin";
+ $admin_user['scope'] = "system";
+ $admin_user['blah'] = "set by console";
+
+ local_user_set_password($admin_user, strtolower($g['product_name']));
+ local_user_set($admin_user);
+ write_config(gettext("password changed from console menu"));
+
echo "\n" . gettext('
The password for the webConfigurator has been reset and
the default username has been set to "admin".') . "\n" .
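Review bot: `$admin_user['blah'] = "set by console";` stores a stray key in the admin user entry that the following write_config() persists; it reads as a leftover debugging marker and should be removed. Separately, the recovery branch appends `$admin_user` to `$config['system']['user']` before `name`, `scope` and the password are assigned, and because the append copies the array, the entry that lands in the configuration never receives those fields; rebind the reference after the append, `$admin_user =& $config['system']['user'][count($config['system']['user']) - 1];`, or assign the fields before appending. How getUserEntryByUID() signals a missing entry is not visible here, so the `!$admin_user` test is assumed to be the intended check.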
diff --git a/etc/sshd b/etc/sshd
index e2264cd..f9c0405 100755
--- a/etc/sshd
+++ b/etc/sshd
@@ -65,9 +65,6 @@
touch("/var/log/lastlog");
}
- /* reset passwords */
- sync_webgui_passwords();
-
$sshConfigDir = "/etc/ssh";
if($config['system']['ssh']['port'] <> "") {
diff --git a/usr/local/www/pkg_mgr_install.php b/usr/local/www/pkg_mgr_install.php
index 359d575..20d2dde 100755
--- a/usr/local/www/pkg_mgr_install.php
+++ b/usr/local/www/pkg_mgr_install.php
@@ -119,9 +119,6 @@ ob_flush();
/* mount rw fs */
conf_mount_rw();
-/* resync password database to avoid out of sync issues */
-sync_webgui_passwords();
-
switch($_GET['mode']) {
case "delete":
$id = get_pkg_id($_GET['pkg']);
diff --git a/usr/local/www/system.php b/usr/local/www/system.php
index b04e9ce..8abaf4d 100755
--- a/usr/local/www/system.php
+++ b/usr/local/www/system.php
@@ -117,9 +117,6 @@ if ($_POST) {
($_POST['webguiport'] < 1) || ($_POST['webguiport'] > 65535))) {
$input_errors[] = "A valid TCP/IP port must be specified for the webConfigurator port.";
}
- if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) {
- $input_errors[] = "The passwords do not match.";
- }
$t = (int)$_POST['timeupdateinterval'];
if (($t < 0) || (($t > 0) && ($t < 6)) || ($t > 1440)) {
@@ -163,12 +160,6 @@ if ($_POST) {
unset($config['system']['dnsallowoverride']);
$config['system']['dnsallowoverride'] = $_POST['dnsallowoverride'] ? true : false;
- if ($_POST['password']) {
- $config['system']['password'] = crypt($_POST['password']);
- update_changedesc("password changed via webConfigurator");
- sync_webgui_passwords();
- }
-
/* which interface should the dns servers resolve through? */
if($_POST['dns1gwint'])
$config['system']['dns1gwint'] = $pconfig['dns1gwint'];
@@ -205,7 +196,6 @@ if ($_POST) {
$retval = system_hostname_configure();
$retval |= system_hosts_generate();
$retval |= system_resolvconf_generate();
- $retval |= system_password_configure();
$retval |= services_dnsmasq_configure();
$retval |= system_timezone_configure();
$retval |= system_ntp_configure();
diff --git a/usr/local/www/system_groupmanager.php b/usr/local/www/system_groupmanager.php
index e79a77f..d2ab78e 100644
--- a/usr/local/www/system_groupmanager.php
+++ b/usr/local/www/system_groupmanager.php
@@ -63,7 +63,7 @@ if ($_GET['act'] == "delgroup") {
exit;
}
- del_local_group($a_group[$_GET['id']]);
+ local_group_del($a_group[$_GET['id']]);
$groupdeleted = $a_group[$_GET['id']]['name'];
unset($a_group[$_GET['id']]);
write_config();
@@ -84,7 +84,7 @@ if ($_GET['act'] == "delpriv") {
foreach ($a_group[$id]['member'] as $uid) {
$user = getUserEntryByUID($uid);
if ($user)
- set_local_user($user);
+ local_user_set($user);
}
write_config();
@@ -146,7 +146,7 @@ if ($_POST) {
$a_group[] = $group;
}
- set_local_group($group);
+ local_group_set($group);
write_config();
header("Location: system_groupmanager.php");
diff --git a/usr/local/www/system_groupmanager_addprivs.php b/usr/local/www/system_groupmanager_addprivs.php
index 6c808be..a449b2d 100644
--- a/usr/local/www/system_groupmanager_addprivs.php
+++ b/usr/local/www/system_groupmanager_addprivs.php
@@ -85,7 +85,7 @@ if ($_POST) {
foreach ($a_group['member'] as $uid) {
$user = getUserEntryByUID($uid);
if ($user)
- set_local_user($user);
+ local_user_set($user);
}
$retval = write_config();
diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php
index 791fae6..0b8f76e 100644
--- a/usr/local/www/system_usermanager.php
+++ b/usr/local/www/system_usermanager.php
@@ -67,11 +67,10 @@ if (isAllowedPage("system_usermanager")) {
exit;
}
- del_local_user($a_user[$_GET['id']]);
+ local_user_del($a_user[$_GET['id']]);
$userdeleted = $a_user[$_GET['id']]['name'];
unset($a_user[$_GET['id']]);
write_config();
- $retval = system_password_configure();
$savemsg = gettext("User")." {$userdeleted} ".
gettext("successfully deleted")."<br/>";
}
@@ -96,7 +95,7 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id]) {
$pconfig['usernamefld'] = $a_user[$id]['name'];
$pconfig['fullname'] = $a_user[$id]['fullname'];
- $pconfig['groups'] = get_local_user_groups($a_user[$id]);
+ $pconfig['groups'] = local_user_get_groups($a_user[$id]);
$pconfig['utype'] = $a_user[$id]['scope'];
$pconfig['uid'] = $a_user[$id]['uid'];
$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
@@ -163,10 +162,14 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id])
$userent = $a_user[$id];
- /* the user did change his username */
+ /* the user name was modified */
if ($_POST['usernamefld'] <> $_POST['oldusername'])
$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
+ /* the user password was mofified */
+ if ($_POST['passwordfld1'])
+ local_user_set_password($userent, $_POST['passwordfld1']);
+
$userent['name'] = $_POST['usernamefld'];
$userent['fullname'] = $_POST['fullname'];
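Review bot: The new `local_user_set_password($userent, $_POST['passwordfld1']);` call now precedes the first assignment to `$userent` (`$userent['name'] = …` on the next line), so on the create path, where `$userent` is only set in the `isset($id)` branch, it is invoked with an undefined variable; whether that works depends on the parameter being taken by reference, which is not visible here, and moving the call below the field assignments avoids relying on it. The password is also applied from `passwordfld1` alone; if the confirmation-field comparison is not in the validation block above (outside the hunk), a mistyped password is saved unverified, which is worth confirming. The comment has a typo: `/* the user password was modified */`.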
@@ -182,10 +185,9 @@ if (isAllowedPage("system_usermanager")) {
$a_user[] = $userent;
}
- set_local_user($userent, $_POST['passwordfld1']);
- set_local_user_groups($userent,$_POST['groups']);
+ local_user_set($userent);
+ local_user_set_groups($userent,$_POST['groups']);
write_config();
- $retval = system_password_configure();
pfSenseHeader("system_usermanager.php");
}
@@ -488,7 +490,7 @@ function presubmit() {
<td class="listr"><?=htmlspecialchars($userent['fullname']);?>&nbsp;</td>
<td class="listbg">
<font color="white">
- <?=implode(",",get_local_user_groups($userent));?>
+ <?=implode(",",local_user_get_groups($userent));?>
</font>
&nbsp;
</td>
@@ -563,10 +565,6 @@ function presubmit() {
$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1']));
write_config();
-
- sync_webgui_passwords();
-
- $retval = system_password_configure();
$savemsg = "Password successfully changed<br />";
}
}
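Review bot: With `sync_webgui_passwords()` and `system_password_configure()` removed, the self-service password change above still writes `crypt(trim($_POST['passwordfld1']))` straight into the configuration and then calls nothing to update the system account, whereas every other password path in this commit goes through `local_user_set_password()` followed by `local_user_set()`. Unless the new local backend is the only consumer of that hash (not visible here), the shell/SSH password for the user will no longer follow a webGUI change. Suggest `$u =& $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]];`, `local_user_set_password($u, $_POST['passwordfld1']);`, `local_user_set($u);` in place of the direct crypt() assignment, before write_config(). The enclosing block starts outside the hunk.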
diff --git a/usr/local/www/system_usermanager_addprivs.php b/usr/local/www/system_usermanager_addprivs.php
index 61758b7..0214d63 100644
--- a/usr/local/www/system_usermanager_addprivs.php
+++ b/usr/local/www/system_usermanager_addprivs.php
@@ -86,7 +86,7 @@ if ($_POST) {
else
$a_user['priv'] = array_merge($a_user['priv'], $pconfig['sysprivs']);
- set_local_user($a_user);
+ local_user_set($a_user);
$retval = write_config();
$savemsg = get_std_save_message($retval);
diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php
index c1d3a71..90e6598 100755
--- a/usr/local/www/system_usermanager_settings.php
+++ b/usr/local/www/system_usermanager_settings.php
@@ -126,12 +126,8 @@ if ($_POST) {
else
unset($pconfig['ldapgroupattribute']);
-
write_config();
- $retval = system_password_configure();
- sync_webgui_passwords();
-
}
}
diff --git a/usr/local/www/wizards/setup_wizard.xml b/usr/local/www/wizards/setup_wizard.xml
index e6b46bc..1cf882c 100644
--- a/usr/local/www/wizards/setup_wizard.xml
+++ b/usr/local/www/wizards/setup_wizard.xml
@@ -418,14 +418,10 @@
<stepsubmitphpaction>
if($_POST['adminpassword'] != "") {
if($_POST['adminpassword'] == $_POST['adminpasswordagain']) {
- $fd = popen("/usr/sbin/pw usermod -n root -H 0", "w");
- $salt = md5(time());
- $crypted_pw = crypt($_POST['adminpassword'],$salt);
- fwrite($fd, $crypted_pw);
- pclose($fd);
- $config['system']['password'] = crypt($_POST['adminpassword']);
+ $admin_user =& getUserEntryByUID(0);
+ local_user_set_password($admin_user, $_POST['adminpassword']);
+ local_user_set($admin_user);
write_config();
- system_password_configure();
} else {
print_info_box_np("Passwords do not match! Please press back in your browser window and correct.");
die;
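Review bot: The result of `getUserEntryByUID(0)` is passed to `local_user_set_password()` and `local_user_set()` without checking it, unlike rc.initial.password in this same commit, which handles the missing-entry case; if the admin entry is absent the wizard still calls write_config() with no password having been set. Add a guard after the lookup, `if (!$admin_user) { print_info_box_np("Admin user account not found; password not changed."); die; }`, matching the error style already used for the mismatch case below. The enclosing stepsubmitphpaction block continues outside the hunk.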