author | Renato Botelho <renato@netgate.com> | 2015-08-25 08:08:24 -0300 |
---|---|---|
committer | Renato Botelho <renato@netgate.com> | 2015-08-25 14:49:54 -0300 |
commit | 46bc6e545a17e77202aaf01ec0cd8d5a46567525 (patch) | |
tree | 32d18dda436ec739c67c489ceb771e8629cd926f /etc/inc/ipsec.auth-user.php | |
parent | 4d9801c2dbd2b3e54a39578ee62b93af66607227 (diff) | |
download | pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.zip pfsense-46bc6e545a17e77202aaf01ec0cd8d5a46567525.tar.gz |
Move main pfSense content to src/
Diffstat (limited to 'etc/inc/ipsec.auth-user.php')
-rwxr-xr-x | etc/inc/ipsec.auth-user.php | 169 |
1 files changed, 0 insertions, 169 deletions
diff --git a/etc/inc/ipsec.auth-user.php b/etc/inc/ipsec.auth-user.php
deleted file mode 100755
index 2589598..0000000
--- a/etc/inc/ipsec.auth-user.php
+++ /dev/null
@@ -1,169 +0,0 @@
-#!/usr/local/bin/php-cgi -f
-<?php
-/*
- ipsec.auth-user.php
-
- Copyright (C) 2008 Shrew Soft Inc
- Copyright (C) 2010 Ermal Luçi
- Copyright (C) 2013-2015 Electric Sheep Fencing, LP
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
-*/
-/*
- pfSense_BUILDER_BINARIES:
- pfSense_MODULE: openvpn
-*/
-/*
- * ipsec calls this script to authenticate a user
- * based on a username and password. We lookup these
- * in our config.xml file and check the credentials.
- */
-
-require_once("globals.inc");
-require_once("config.inc");
-require_once("radius.inc");
-require_once("auth.inc");
-require_once("interfaces.inc");
-
-/**
- * Get the NAS-Identifier
- *
- * We will use our local hostname to make up the nas_id
- */
-if (!function_exists("getNasID")) {
-function getNasID() {
- global $g;
-
- $nasId = gethostname();
- if (empty($nasId)) {
- $nasId = $g['product_name'];
- }
- return $nasId;
-}
-}
-
-/**
- * Get the NAS-IP-Address based on the current wan address
- *
- * Use functions in interfaces.inc to find this out
- *
- */
-if (!function_exists("getNasIP")) {
-function getNasIP() {
- $nasIp = get_interface_ip();
- if (!$nasIp) {
- $nasIp = "0.0.0.0";
- }
- return $nasIp;
-}
-}
-/* setup syslog logging */
-openlog("charon", LOG_ODELAY, LOG_AUTH);
-
-if (isset($_GET['username'])) {
- $authmodes = explode(",", $_GET['authcfg']);
- $username = $_GET['username'];
- $password = $_GET['password'];
- $common_name = $_GET['cn'];
-} else {
- /* read data from environment */
- $username = getenv("username");
- $password = getenv("password");
- $common_name = getenv("common_name");
- $authmodes = explode(",", getenv("authcfg"));
-}
-
-if (!$username || !$password) {
- syslog(LOG_ERR, "invalid user authentication environment");
- if (isset($_GET['username'])) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit (-1);
- }
-}
-
-$authenticated = false;
-
-if (($strictusercn === true) && ($common_name != $username)) {
- syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
- if (isset($_GET['username'])) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit (1);
- }
-}
-
-$attributes = array();
-foreach ($authmodes as $authmode) {
- $authcfg = auth_get_authserver($authmode);
- if (!$authcfg && $authmode != "local") {
- continue;
- }
-
- $authenticated = authenticate_user($username, $password, $authcfg, $attributes);
- if ($authenticated == true) {
- if (stristr($authmode, "local")) {
- $user = getUserEntry($username);
- if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
- $authenticated = false;
- syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.\n");
- continue;
- }
- }
- break;
- }
-}
-
-if ($authenticated == false) {
- syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
- if (isset($_GET['username'])) {
- echo "FAILED";
- closelog();
- return;
- } else {
- closelog();
- exit (-1);
- }
-}
-
-if (file_exists("/etc/inc/ipsec.attributes.php")) {
- include_once("/etc/inc/ipsec.attributes.php");
-}
-
-syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-closelog();
-
-if (isset($_GET['username'])) {
- echo "OK";
-} else {
- exit (0);
-}
-
-?> |