diff options
author | Bill Marquette <billm@pfsense.org> | 2005-04-08 00:30:11 +0000 |
---|---|---|
committer | Bill Marquette <billm@pfsense.org> | 2005-04-08 00:30:11 +0000 |
commit | 6fdc0ab2f536d79e8ba2604bf7ecacad34c3897f (patch) | |
tree | e123f93a362a19df49c0703f735860d6dee15529 /etc/inc/auth.inc | |
parent | 186359bf13385bedb49ec2df0e742e790e60c77e (diff) | |
download | pfsense-6fdc0ab2f536d79e8ba2604bf7ecacad34c3897f.zip pfsense-6fdc0ab2f536d79e8ba2604bf7ecacad34c3897f.tar.gz |
Initial commit of PHP side authentication code for pfSense
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r-- | etc/inc/auth.inc | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc new file mode 100644 index 0000000..7083b86 --- /dev/null +++ b/etc/inc/auth.inc @@ -0,0 +1,82 @@ +<?php +/* $Id$ */ +/* + Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("config.inc"); +require_once("globals.inc"); + +/* We only support file backed HTTP Basic auth right now */ +$auth_method="file_backed_basic_auth"; + +/* Authenticate user - exit if failed (we should have a callback for this maybe) */ +if (!$auth_method()) + exit; + +function basic_auth_prompt(){ + header("WWW-Authenticate: Basic realm=\"pfSense\""); + header("HTTP/1.0 401 Unauthorized"); + echo "You must enter valid credentials to access this resource."; + exit; +} + +function file_backed_basic_auth() { + global $HTTP_SERVER_VARS; + + $authfile = file("/etc/master.passwd"); + + /* Prompt three times and give up */ + for($attempt = 0; $attempt <= 3; basic_auth_prompt()){ + $attempt++; + /* Check for PHP_AUTH_USER */ + if (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) + continue; + + /* Check to see if user even exists */ + $username = $HTTP_SERVER_VARS['PHP_AUTH_USER']; + if(!($line = array_shift(preg_grep("/$username:.*$/", $authfile)))) + continue; + + /* Get crypted password */ + preg_match("/$username:((...[0-9A-Za-z_]{8}.)[0-9A-Za-z_]{22})/", $line, $matches); + $pass = $matches[1]; + $salt = $matches[2]; + + /* Encrypt entered password with salt */ + $authpass = crypt($HTTP_SERVER_VARS['PHP_AUTH_PW'], $salt); + + /* And finally validate password */ + if($authpass == $pass) + return true; + else + continue; + } + + /* Should only get here if user fails login three times */ + return false; +} + +?> |