diff options
| author | Matthew Grooms <mgrooms@pfsense.org> | 2008-09-09 04:08:22 +0000 |
|---|---|---|
| committer | Matthew Grooms <mgrooms@pfsense.org> | 2008-09-09 04:08:22 +0000 |
| commit | fb1266d3a1314ade3ac9bd30dee3acdf762cbef9 (patch) | |
| tree | 8976ef916392268e7e69cebaf17e09dc9d3b2058 /usr | |
| parent | b28278a261f42ea409eaf49b143e9792fb0261e4 (diff) | |
| download | pfsense-fb1266d3a1314ade3ac9bd30dee3acdf762cbef9.zip pfsense-fb1266d3a1314ade3ac9bd30dee3acdf762cbef9.tar.gz | |
Moves the protocol and certificate options out of the general config page
to the Advanced admin access tab. The thought is that they should be next
to each other. The certificate management has also been modified to use
the centralized certificate manager. I took the liberty of removing the
default certificate/key definitions from the web server configuration
function as it is now trivial to create these locally.
The global SSH authorized keys have also been removed. Any existing key
data will be migrated to the admin account. I also added some new checks
to ensure the sshd process is only restarted when its configuration has
actually changed.
Diffstat (limited to 'usr')
| -rwxr-xr-x | usr/local/www/system.php | 47 | ||||
| -rw-r--r-- | usr/local/www/system_advanced_admin.php | 197 | ||||
| -rw-r--r-- | usr/local/www/system_usermanager.php | 37 |
3 files changed, 146 insertions, 135 deletions
diff --git a/usr/local/www/system.php b/usr/local/www/system.php index d8c62f3..5ed8065 100755 --- a/usr/local/www/system.php +++ b/usr/local/www/system.php @@ -43,17 +43,12 @@ $pconfig['hostname'] = $config['system']['hostname']; $pconfig['domain'] = $config['system']['domain']; list($pconfig['dns1'],$pconfig['dns2'],$pconfig['dns3'],$pconfig['dns4']) = $config['system']['dnsserver']; - $pconfig['dns1gwint'] = $config['system']['dns1gwint']; $pconfig['dns2gwint'] = $config['system']['dns2gwint']; $pconfig['dns3gwint'] = $config['system']['dns3gwint']; $pconfig['dns4gwint'] = $config['system']['dns4gwint']; $pconfig['dnsallowoverride'] = isset($config['system']['dnsallowoverride']); -$pconfig['webguiproto'] = $config['system']['webgui']['protocol']; -if (!$pconfig['webguiproto']) - $pconfig['webguiproto'] = "http"; -$pconfig['webguiport'] = $config['system']['webgui']['port']; $pconfig['timezone'] = $config['system']['timezone']; $pconfig['timeupdateinterval'] = $config['system']['time-update-interval']; $pconfig['timeservers'] = $config['system']['timeservers']; @@ -132,11 +127,6 @@ if ($_POST) { update_if_changed("hostname", $config['system']['hostname'], strtolower($_POST['hostname'])); update_if_changed("domain", $config['system']['domain'], strtolower($_POST['domain'])); - if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto'])) - $restart_webgui = true; - if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport'])) - $restart_webgui = true; - update_if_changed("timezone", $config['system']['timezone'], $_POST['timezone']); update_if_changed("NTP servers", $config['system']['timeservers'], strtolower($_POST['timeservers'])); update_if_changed("NTP update interval", $config['system']['time-update-interval'], $_POST['timeupdateinterval']); @@ -181,16 +171,6 @@ if ($_POST) { if ($changecount > 0) write_config($changedesc); - if ($restart_webgui) { - global $_SERVER; - list($host) = explode(":", $_SERVER['HTTP_HOST']); - if ($config['system']['webgui']['port']) { - $url="{$config['system']['webgui']['protocol']}://{$host}:{$config['system']['webgui']['port']}/system.php"; - } else { - $url = "{$config['system']['webgui']['protocol']}://{$host}/system.php"; - } - } - $retval = 0; config_lock(); $retval = system_hostname_configure(); @@ -206,8 +186,6 @@ if ($_POST) { config_unlock(); $savemsg = get_std_save_message($retval); - if ($restart_webgui) - $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds."; } } @@ -295,20 +273,6 @@ include("head.inc"); PPTP VPN clients, though.</span></p></td> </tr> <tr> - <td width="22%" valign="top" class="vncell">webConfigurator protocol</td> - <td width="78%" class="vtable"> <input name="webguiproto" type="radio" value="http" <?php if ($pconfig['webguiproto'] == "http") echo "checked"; ?>> - HTTP <input type="radio" name="webguiproto" value="https" <?php if ($pconfig['webguiproto'] == "https") echo "checked"; ?>> - HTTPS</td> - </tr> - <tr> - <td valign="top" class="vncell">webConfigurator port</td> - <td class="vtable"> <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>"> - <br> - <span class="vexpl">Enter a custom port number for the webConfigurator - above if you want to override the default (80 for HTTP, 443 - for HTTPS). Changes will take effect immediately after save.</span></td> - </tr> - <tr> <td width="22%" valign="top" class="vncell">Time zone</td> <td width="78%" class="vtable"> <select name="timezone" id="timezone"> <?php foreach ($timezonelist as $value): ?> @@ -369,16 +333,5 @@ include("head.inc"); </table> </form> <?php include("fend.inc"); ?> -<?php - // restart webgui if proto or port changed - if ($restart_webgui) { - echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">"; - } -?> </body> </html> -<?php -if ($restart_webgui) { - touch("/tmp/restart_webgui"); -} -?> diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php index 211eca4..179c573 100644 --- a/usr/local/www/system_advanced_admin.php +++ b/usr/local/www/system_advanced_admin.php @@ -43,15 +43,24 @@ require("guiconfig.inc"); -$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']); -$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']); +$pconfig['webguiproto'] = $config['system']['webgui']['protocol']; +$pconfig['webguiport'] = $config['system']['webgui']['port']; +$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref']; $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); $pconfig['enableserial'] = $config['system']['enableserial']; $pconfig['enablesshd'] = $config['system']['enablesshd']; $pconfig['sshport'] = $config['system']['ssh']['port']; $pconfig['sshdkeyonly'] = $config['system']['ssh']['sshdkeyonly']; -$pconfig['authorizedkeys'] = base64_decode($config['system']['ssh']['authorizedkeys']); + +$a_cert =& $config['system']['cert']; + +$certs_available = false; +if (is_array($a_cert) && count($a_cert)) + $certs_available = true; + +if (!$pconfig['webguiproto'] || !$certs_available) + $pconfig['webguiproto'] = "http"; if ($_POST) { @@ -59,15 +68,9 @@ if ($_POST) { $pconfig = $_POST; /* input validation */ - if (($_POST['cert'] && !$_POST['key']) || ($_POST['key'] && !$_POST['cert'])) - $input_errors[] = "Certificate and key must always be specified together."; - - if ($_POST['cert'] && $_POST['key']) { - if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE")) - $input_errors[] = "This certificate does not appear to be valid."; - if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY")) - $input_errors[] = "This key does not appear to be valid."; - } + if ($_POST['webguiport']) + if(!is_port($_POST['webguiport'])) + $input_errors[] = "You must specify a valid webConfigurator port number"; if ($_POST['sshport']) if(!is_port($_POST['sshport'])) @@ -83,10 +86,12 @@ if ($_POST) { if (!$input_errors) { - $oldcert = $config['system']['webgui']['certificate']; - $oldkey = $config['system']['webgui']['private-key']; - $config['system']['webgui']['certificate'] = base64_encode($_POST['cert']); - $config['system']['webgui']['private-key'] = base64_encode($_POST['key']); + if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto'])) + $restart_webgui = true; + if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport'])) + $restart_webgui = true; + if (update_if_changed("webgui certificate", $config['system']['webgui']['ssl-certref'], $_POST['ssl-certref'])) + $restart_webgui = true; if($_POST['disableconsolemenu'] == "yes") { $config['system']['disableconsolemenu'] = true; @@ -106,37 +111,50 @@ if ($_POST) { else unset($config['system']['enableserial']); - if($_POST['enablesshd'] == "yes") { + $sshd_enabled = $config['system']['enablesshd']; + if($_POST['enablesshd']) $config['system']['enablesshd'] = "enabled"; - touch("{$g['tmp_path']}/start_sshd"); - } else { + else unset($config['system']['enablesshd']); - mwexec("/usr/bin/killall sshd"); - } - - $oldsshport = $config['system']['ssh']['port']; - if ($_POST['sshdkeyonly'] == "yes") { + $sshd_keyonly = $config['system']['sshdkeyonly']; + if ($_POST['sshdkeyonly']) $config['system']['sshdkeyonly'] = true; - touch("{$g['tmp_path']}/start_sshd"); - } else { + else unset($config['system']['sshdkeyonly']); - mwexec("/usr/bin/killall sshd"); - } - $config['system']['ssh']['port'] = $_POST['sshport']; - $config['system']['ssh']['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); + $sshd_port = $config['system']['ssh']['port']; + if ($_POST['sshport']) + $config['system']['ssh']['port'] = $_POST['sshport']; + else + unset($config['system']['ssh']['port']); + + if (($sshd_enabled != $config['system']['enablesshd']) || + ($sshd_keyonly != $config['system']['sshdkeyonly']) || + ($sshd_port != $config['system']['ssh']['port'])) + $restart_sshd = true; + + if ($restart_webgui) { + global $_SERVER; + list($host) = explode(":", $_SERVER['HTTP_HOST']); + $prot = $config['system']['webgui']['protocol']; + $port = $config['system']['webgui']['port']; + if ($port) + $url = "{$prot}://{$host}:{$port}/system_advanced_admin.php"; + else + $url = "{$prot}://{$host}/system.php"; + } write_config(); config_lock(); $retval = filter_configure(); - if(stristr($retval, "error") <> true) - $savemsg = get_std_save_message($retval); - else - $savemsg = $retval; config_unlock(); + $savemsg = get_std_save_message($retval); + if ($restart_webgui) + $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds."; + conf_mount_rw(); setup_serial_port(); conf_mount_ro(); @@ -149,8 +167,21 @@ include("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<script language="JavaScript"> +<!-- + +function prot_change() { + + if (document.iform.https_proto.checked) + document.getElementById("ssl_opts").style.display=""; + else + document.getElementById("ssl_opts").style.display="none"; +} + +//--> +</script> <?php - include("fbegin.inc"); if ($input_errors) print_input_errors($input_errors); if ($savemsg) @@ -192,19 +223,54 @@ include("head.inc"); <td colspan="2" valign="top" class="listtopic">webConfigurator</td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Certificate</td> + <td width="22%" valign="top" class="vncell">Protocol</td> <td width="78%" class="vtable"> - <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea> + <?php + if ($pconfig['webguiproto'] == "http") + $http_chk = "checked"; + if ($pconfig['webguiproto'] == "https") + $https_chk = "checked"; + if (!$certs_available) + $https_disabled = "disabled"; + ?> + <input name="webguiproto" id="http_proto" type="radio" value="http" <?=$http_chk;?> onClick="prot_change()"> + HTTP + + <input name="webguiproto" id="https_proto" type="radio" value="https" <?=$https_chk;?> <?=$https_disabled;?> onClick="prot_change()"> + HTTPS + <?php if (!$certs_available): ?> <br/> - Paste a signed certificate in X.509 PEM format here. <a href="javascript:if(openwindow('system_advanced_create_certs.php') == false) alert('Popup blocker detected. Action aborted.');" >Create</a> certificates automatically. + No Certificates have been defined. You must + <a href="system_certmanager.php">Create or Import</a> + a Certificate before SSL can be enabled. + <?php endif; ?> </td> </tr> - <tr> - <td width="22%" valign="top" class="vncell">Key</td> + <tr id="ssl_opts"> + <td width="22%" valign="top" class="vncell">SSL Certificate</td> <td width="78%" class="vtable"> - <textarea name="key" cols="65" rows="7" id="key" class="formpre"><?=htmlspecialchars($pconfig['key']);?></textarea> - <br/> - Paste an RSA private key in PEM format here. + <select name="ssl-certref" id="ssl-certref" class="formselect"> + <?php + foreach($a_cert as $cert): + $selected = ""; + if ($pconfig['ssl-certref'] == $cert['refid']) + $selected = "selected"; + ?> + <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['name'];?></option> + <?php endforeach; ?> + </select> + </td> + </tr> + <tr> + <td valign="top" class="vncell">TCP port</td> + <td class="vtable"> + <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>"> + <br> + <span class="vexpl"> + Enter a custom port number for the webConfigurator + above if you want to override the default (80 for HTTP, 443 + for HTTPS). Changes will take effect immediately after save. + </span> </td> </tr> <tr> @@ -246,9 +312,9 @@ include("head.inc"); <input name="sshdkeyonly" type="checkbox" id="sshdkeyonly" value="yes" <?php if (isset($pconfig['sshdkeyonly'])) echo "checked"; ?> /> <strong>Disable Password login for Secure Shell (rsa key only)</strong> <br/> - When this option is enabled, you will need to configure - allowed keys for each user that has secure shell - access. + When enabled, authorized keys need to be configured for each + <a href="system_usermanager.php">user</a> + that has been granted secure shell access. </td> </tr> <tr> @@ -260,14 +326,6 @@ include("head.inc"); </td> </tr> <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Authorizedkeys");?></td> - <td width="78%" class="vtable"> - <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea> - <br/> - Paste an authorized keys file here. - </td> - </tr> - <tr> <td colspan="2" class="list" height="12"> </td> </tr> <?php if($g['platform'] == "pfSense" || $g['platform'] == "cdrom"): ?> @@ -311,22 +369,35 @@ include("head.inc"); </td> </tr> </table> + <script language="JavaScript" type="text/javascript"> + <!-- + prot_change(); + //--> + </script> <?php include("fend.inc"); ?> +<?php + if ($restart_webgui) + echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">"; +?> </body> </html> <?php +if ($restart_sshd) { -if($_POST['cert'] || $_POST['key']) { - if (($config['system']['webgui']['certificate'] != $oldcert) - || ($config['system']['webgui']['private-key'] != $oldkey)) { - ob_flush(); - flush(); - log_error("webConfigurator certificates have changed. Restarting webConfigurator."); - sleep(1); - touch("/tmp/restart_webgui"); + mwexec("/usr/bin/killall sshd"); + log_error("secure shell configuration has changed. Stopping sshd."); + + if ($config['system']['enablesshd']) { + log_error("secure shell configuration has changed. Restarting sshd."); + touch("{$g['tmp_path']}/start_sshd"); } } - +if ($restart_webgui) { + ob_flush(); + flush(); + log_error("webConfigurator configuration has changed. Restarting webConfigurator."); + touch("{$g['tmp_path']}/restart_webgui"); +} ?> diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index 5426524..cdb2c35 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php @@ -197,12 +197,7 @@ if (isAllowedPage("system_usermanager")) { } } - if(is_array($_POST['groups'])) - foreach($_POST['groups'] as $groupname) - if ($pconfig['utype'] <> "system" && !isset($groupindex[$groupname])) - $input_errors[] = gettext("group {$groupname} does not exist, please define the group before assigning users."); - - if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys'])) + if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys'])) $input_errors[] = gettext("You must provide an authorized key otherwise you won't be able to login into this system."); /* if this is an AJAX caller then handle via JSON */ @@ -216,6 +211,8 @@ if (isAllowedPage("system_usermanager")) { if (isset($id) && $a_user[$id]) $userent = $a_user[$id]; + isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; + /* the user name was modified */ if ($_POST['usernamefld'] <> $_POST['oldusername']) $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; @@ -226,11 +223,7 @@ if (isAllowedPage("system_usermanager")) { $userent['name'] = $_POST['usernamefld']; $userent['fullname'] = $_POST['fullname']; - - isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; - - if(isset($config['system']['ssh']['sshdkeyonly'])) - $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); + $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']); if (isset($id) && $a_user[$id]) $a_user[$id] = $userent; @@ -367,20 +360,6 @@ function presubmit() { <?=gettext("User's full name, for your own information only");?> </td> </tr> - - <?php if (isset($config['system']['ssh']['sshdkeyonly'])): ?> - - <tr> - <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td> - <td width="78%" class="vtable"> - <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea> - <br/> - <?=gettext("Paste an authorized keys file here.");?> - </td> - </tr> - - <?php endif; ?> - <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Group Memberships");?></td> <td width="78%" class="vtable" align="center"> @@ -552,6 +531,14 @@ function presubmit() { <?php endif; ?> <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td> + <td width="78%" class="vtable"> + <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea> + <br/> + <?=gettext("Paste an authorized keys file here.");?> + </td> + </tr> + <tr> <td width="22%" valign="top"> </td> <td width="78%"> <input id="submit" name="save" type="submit" class="formbtn" value="Save" /> |
