-rw-r--r-- | etc/inc/auth.inc | 17 | ||||
-rw-r--r-- | etc/inc/config.inc | 36 | ||||
-rw-r--r-- | etc/inc/priv.inc | 16 | ||||
-rw-r--r-- | etc/inc/system.inc | 165 | ||||
-rwxr-xr-x | usr/local/www/system.php | 47 | ||||
-rw-r--r-- | usr/local/www/system_advanced_admin.php | 197 | ||||
-rw-r--r-- | usr/local/www/system_usermanager.php | 37 |
7 files changed, 206 insertions, 309 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 0d69505..3bb00e7 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -187,8 +187,8 @@ function local_user_set(& $user) {
$user_group = "nobody";
/* configure shell type */
- if (!hasPrivilegeShell($user)) {
- if (!hasPrivilegeCopyFiles($user))
+ if (!userHasPrivilege($user, "user-shell-access")) {
+ if (!userHasPrivilege($user, "user-copy-files"))
$user_shell = "/sbin/nologin";
else
$user_shell = "/usr/local/bin/scponly";
@@ -227,14 +227,17 @@ function local_user_set(& $user) {
/* create user directory if required */
if (!is_dir($user_home))
- mkdir($user_home, 0755);
+ mkdir($user_home, 0700);
chown($user_home, $user_name);
chgrp($user_home, $user_group);
- chmod($user_home, 0700);
- /* FIXME : ssh keys should be per-admin user */
- if(isset($config['system']['ssh']['sshdkeyonly']) && hasPrivilegeShell($user))
- create_authorized_keys($user_name, $user_home);
+ /* write out ssh authorized key file */
+ if($user['authorizedkeys']) {
+ if (!is_dir("{$user_home}/.ssh"))
+ mkdir("{$user_home}/.ssh", 0700);
+ $keys = base64_decode($user['authorizedkeys']);
+ file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
+ }
}
function local_user_del($user) {
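Review bot: The `authorized_keys` file written by `file_put_contents` in this hunk is never removed when `$user['authorizedkeys']` is later emptied, so a key deleted in the user manager keeps working until the home directory is recreated, and the old `hasPrivilegeShell` gate on the removed `create_authorized_keys` call has no replacement, so keys are now installed even for accounts whose shell is set to `/sbin/nologin` above (a shell setting is not a substitute for withholding the key). The `.ssh` directory and the key file are also created by the root-owned process with the default umask and are never handed to the user, unlike `$user_home`, which gets `chown`/`chgrp`; sshd's StrictModes check wants both owned by the user and not group/world-writable, so key logins can fail silently after this change. I would gate on the same privileges that assign a real shell (`user-shell-access` / `user-copy-files`), set explicit ownership and `0600`, and unlink a stale file when no keys are configured. `local_user_set` begins before this hunk.
```php
    /* … unchanged: chown/chgrp of $user_home … */

    /* write out ssh authorized key file, or remove a stale one */
    $sshdir  = "{$user_home}/.ssh";
    $keyfile = "{$sshdir}/authorized_keys";
    $keys_allowed = userHasPrivilege($user, "user-shell-access") ||
                    userHasPrivilege($user, "user-copy-files");
    if ($user['authorizedkeys'] && $keys_allowed) {
        if (!is_dir($sshdir))
            mkdir($sshdir, 0700);
        chown($sshdir, $user_name);
        chgrp($sshdir, $user_group);
        $keys = base64_decode($user['authorizedkeys']);
        file_put_contents($keyfile, $keys);
        /* sshd StrictModes: owned by the user, not group/world accessible */
        chmod($keyfile, 0600);
        chown($keyfile, $user_name);
        chgrp($keyfile, $user_group);
    } else if (file_exists($keyfile)) {
        unlink($keyfile);
    }
```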
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index da5bea6..62a6a89 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1926,6 +1926,42 @@ endif;
$config['version'] = "5.2";
}
+ /* Convert 5.2 -> 5.3 */
+ if ($config['version'] <= 5.2) {
+
+ if (!is_array($config['system']['ca']))
+ $config['system']['ca'] = array();
+ if (!is_array($config['system']['cert']))
+ $config['system']['cert'] = array();
+
+ /* migrate advanced admin page webui ssl to certifcate mngr */
+ if ($config['system']['webgui']['certificate'] &&
+ $config['system']['webgui']['private-key']) {
+
+ /* create cert entry */
+ $cert = array();
+ $cert['refid'] = uniqid();
+ $cert['name'] = "webConfigurator SSL Certificate";
+ $cert['crt'] = $config['system']['webgui']['certificate'];
+ $cert['prv'] = $config['system']['webgui']['private-key'];
+ $config['system']['cert'][] = $cert;
+
+ /* create cert reference */
+ unset($config['system']['webgui']['certificate']);
+ unset($config['system']['webgui']['private-key']);
+ $config['system']['webgui']['ssl-certref'] = $cert['refid'];
+ }
+
+ /* migrate advanced admin page ssh keys to user manager */
+ if ($config['system']['ssh']['authorizedkeys']) {
+ $admin_user =& getUserEntryByUID(0);
+ $admin_user['authorizedkeys'] = $config['system']['ssh']['authorizedkeys'];
+ unset($config['system']['ssh']['authorizedkeys']);
+ }
+
+ $config['version'] = "5.3";
+ }
+
$now = date("H:i:s");
log_error("Ended Configuration upgrade at $now");
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index 89701aa..824ea7b 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -279,20 +279,4 @@ function userHasPrivilege($userent, $privid = false) {
return true;
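Review bot: The ssh-key migration at the end of the 5.2 -> 5.3 block unsets `$config['system']['ssh']['authorizedkeys']` unconditionally after assigning it through `$admin_user =& getUserEntryByUID(0)`, so if no uid-0 entry exists, or `getUserEntryByUID` does not return by reference (its definition is not in this diff), the keys are dropped from the configuration, and with `sshdkeyonly` set that locks the administrator out of ssh at the next start. Guard the move on the lookup succeeding, e.g. `if (is_array($admin_user)) { $admin_user['authorizedkeys'] = $config['system']['ssh']['authorizedkeys']; unset($config['system']['ssh']['authorizedkeys']); }`, and log the skipped case so the operator knows the keys must be re-entered in the user manager.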
}
-function hasPrivilegeLock($userent) {
- return userHasPrivilege($userent, "user-lock-webcfg");
-}
-
-function hasPrivilegeLockPages($userent) {
- return userHasPrivilege($userent, "user-lock-ipages");
-}
-
-function hasPrivilegeShell($userent) {
- return userHasPrivilege($userent, "user-shell-access");
-}
-
-function hasPrivilegeCopyFiles($userent) {
- return userHasPrivilege($userent, "user-copy-files");
-}
-
?>
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 3b19b48..0a4c5d1 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -496,72 +496,30 @@ function system_webgui_start() { chdir($g['www_path']); + /* defaults */ + $portarg = "80"; + $crt = ""; + $key = ""; + /* non-standard port? */ if ($config['system']['webgui']['port']) $portarg = "{$config['system']['webgui']['port']}"; - else - $portarg = ""; if ($config['system']['webgui']['protocol'] == "https") { - if(!$config['system']['webgui']['port']) - $portarg = "443"; - - if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) { - $cert = base64_decode($config['system']['webgui']['certificate']); - $key = base64_decode($config['system']['webgui']['private-key']); - } else { - /* default certificate/key */ - $cert = <<<EOD ------BEGIN CERTIFICATE----- -MIIDEzCCAnygAwIBAgIJAJM91W+s6qptMA0GCSqGSIb3DQEBBAUAMGUxCzAJBgNV -BAYTAlVTMQswCQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UE -ChMHcGZTZW5zZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZTAe -Fw0wNjAzMTAyMzQ1MTlaFw0xNjAzMDcyMzQ1MTlaMGUxCzAJBgNVBAYTAlVTMQsw -CQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UEChMHcGZTZW5z -ZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZTCBnzANBgkqhkiG -9w0BAQEFAAOBjQAwgYkCgYEA3lPNTFH6qge/ygaqe/BS4oH59O6KvAesWcRzSu5N -21lyVE5tBbL0zqOSXmlLyReMSbtAMZqt1P8EPYFoOcaEQHIWm2VQF80Z18+8Gh4O -UQGjHq88OeaLqyk3OLpSKzSpXuCFrSN7q9Kez8zp5dQEu7sIW30da3pAbdqYOimA -1VsCAwEAAaOByjCBxzAdBgNVHQ4EFgQUAnx+ggC4SzJ0CK+rhPhJ2ZpyunEwgZcG -A1UdIwSBjzCBjIAUAnx+ggC4SzJ0CK+rhPhJ2ZpyunGhaaRnMGUxCzAJBgNVBAYT -AlVTMQswCQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UEChMH -cGZTZW5zZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZYIJAJM9 -1W+s6qptMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAAviQpdoeabL8 -1HSZiD7Yjx82pdLpyQOdXvAu3jEAYz53ckx0zSMrzsQ5r7Vae6AE7Xd7Pj+1Yihs -AJZzOQujnmsuim7qu6YSxzP34xonKwd1C9tZUlyNRNnEmtXOEDupn05bih1ugtLG -kqfPIgDbDLXuPtEAA6QDUypaunI6+1E= ------END CERTIFICATE----- - -EOD; - - $key = <<<EOD ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDeU81MUfqqB7/KBqp78FLigfn07oq8B6xZxHNK7k3bWXJUTm0F 
-svTOo5JeaUvJF4xJu0Axmq3U/wQ9gWg5xoRAchabZVAXzRnXz7waHg5RAaMerzw5 -5ourKTc4ulIrNKle4IWtI3ur0p7PzOnl1AS7uwhbfR1rekBt2pg6KYDVWwIDAQAB -AoGAP7E0VFP8Aq/7os3sE1uS8y8XQ7L+7cUo/AKKoQHKLjfeyAY7t3FALt6vdPqn -anGjkA/j4RIWELoKJfCnwj17703NDCPwB7klcmZvmTx5Om1ZrRyZdQ6RJs0pOOO1 -r2wOnZNaNWStXE9Afpw3dj20Gh0V/Ioo5HXn3sHfxZm8dnkCQQDwv8OaUdp2Hl8t -FDfXB1CMvUG1hEAvbQvZK1ODkE7na2/ChKjVPddEI3DvfzG+nLrNuTrAyVWgRLte -r8qX5PQHAkEA7GlKx0S18LdiKo6wy2QeGu6HYkPncaHNFOWX8cTpvGGtQoWYSh0J -tjCt1/mz4/XkvZWuZyTNx2FdkVlNF5nHDQJBAIRWVTZqEjVlwpmsCHnp6mxCyHD4 -DrRDNAUfnNuwIr9xPlDlzUzSnpc1CCqOd5C45LKbRGGfCrN7tKd66FmQoFcCQQCy -Kvw3R1pTCvHJnvYwoshphaC0dvaDVeyINiwYAk4hMf/wpVxLZqz+CJvLrB1dzOBR -3O+uPjdzbrakpweJpNQ1AkEA3ZtlgEj9eWsLAJP8aKlwB8VqD+EtG9OJSUMnCDiQ -WFFNj/t3Ze3IVuAyL/yMpiv3JNEnZhIxCta42eDFpIZAKw== ------END RSA PRIVATE KEY----- - -EOD; - } - } else { - $cert = ""; - $key = ""; + $cert =& lookup_cert($config['system']['webgui']['ssl-certref']); + if(is_array($cert) && $cert['crt'] && $cert['prv']) { + $crt = base64_decode($cert['crt']); + $key = base64_decode($cert['prv']); + if(!$config['system']['webgui']['port']) + $portarg = "443"; + } else + log_error("Invalid webConfigurator https certificate, defaulting to http"); } /* generate lighttpd configuration */ system_generate_lighty_config("{$g['varetc_path']}/lighty-webConfigurator.conf", - $cert, $key, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/"); + $crt, $key, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/"); /* attempt to start lighthttpd */ $res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-webConfigurator.conf"); 
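Review bot: When `lookup_cert` yields no usable entry, the `else` branch in this hunk logs and then serves the webConfigurator over plain HTTP although `$config['system']['webgui']['protocol']` still says `https`, and because `$portarg` was already taken from `webgui.port` it does so on the port the administrator set aside for TLS, so admin credentials then cross the network unencrypted. The removed code fell back to a built-in certificate; a better fallback is to generate a self-signed certificate on the fly, or to refuse to start, rather than downgrade. At the least make the log line say what happened, e.g. `log_error("Invalid webConfigurator https certificate ({$config['system']['webgui']['ssl-certref']}), falling back to UNENCRYPTED http on port {$portarg}");`. `system_webgui_start` starts before this hunk and continues after it.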
@@ -576,101 +534,6 @@ EOD; return $res; } -function system_webgui_start_old() { - global $config, $g; - if(isset($config['system']['developerspew'])) { - $mt = microtime(); - echo "system_webgui_start() being called $mt\n"; - } - - if ($g['booting']) - echo "Starting webConfigurator..."; - - /* kill any running mini_httpd */ - killbypid("{$g['varrun_path']}/mini_httpd.pid"); - - chdir($g['www_path']); - - /* non-standard port? */ - if ($config['system']['webgui']['port']) - $portarg = "-p {$config['system']['webgui']['port']}"; - else - $portarg = ""; - - if ($config['system']['webgui']['protocol'] == "https") { - - if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) { - $cert = base64_decode($config['system']['webgui']['certificate']); - $key = base64_decode($config['system']['webgui']['private-key']); - } else { - /* default certificate/key */ - $cert = <<<EOD ------BEGIN CERTIFICATE----- -MIIBlDCB/gIBADANBgkqhkiG9w0BAQQFADATMREwDwYDVQQKEwhtMG4wd2FsbDAe -Fw0wNTA1MTAxMjI0NDRaFw0wNzA1MTAxMjI0NDRaMBMxETAPBgNVBAoTCG0wbjB3 -YWxsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAShszhFz+o8lsMWTGgTxs -TMPR+v4+qL5jXDyY97MLTGFK7aqQOtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+ -83LPQmQoSPC0VqhfU3uYf3NzxiK8r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFP -C4jE2fvjkbzyVolPywBuewIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFR962c4R5tV -cTn0OQcszYoW6WC+ini9tQQh5ku5jYDAiC+00atawJEVLnL3lwAcpSKTIWlTkD20 -tl3lz5br1qFgYky+Rd0kwS2nk9jRbkxSXxd6KJVnNRCKre28aw3ENzZfCSurPQsX -UPp5er+NtwMT1g7s/JDmKTC4w1rGr5/c ------END CERTIFICATE----- - -EOD; - - $key = <<<EOD ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDAShszhFz+o8lsMWTGgTxsTMPR+v4+qL5jXDyY97MLTGFK7aqQ -OtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+83LPQmQoSPC0VqhfU3uYf3NzxiK8 -r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFPC4jE2fvjkbzyVolPywBuewIDAQAB -AoGAbJJrQW9fQrggJuLMz/hwsYW2m31oyOBmf5u463YQtjRuSuxe/gj87weZuNqY -H2rXq2k2K+ehl8hgW+egASyUL3L7kCkEAsVREujKTEyhSqqIRDPWTxo9S/YA9Gvn -2ZnJvkrcKjqCO9aHX3rvJOK/ErYI6akctgI3KmgkYw5XNmECQQDuZU97RTWH9rmP 
-aQr57ysNXxgFsyhetOOqeYkPtIVwpOiNbfwE1zi5RGdtO4Ku3fG1lV4J2UoWJ9yD -awdoyYIHAkEAzn0xJ90IjPsHk+8SODEj5JGdHSZPNu1tgtrbjEi9sfGWg4K7XTxr -QW90pWb1bKKU1uh5FzW6OhnFfuQXt1kC7QJAPSthqY+onKqCEnoxhtAHi/bKgyvl -P+fKQwPMV2tKkgy+XwvJjrRqqZ8TqsOKVLQ+QQmCh6RpjiXMPyxHSmvqIQJBAKLR -HF1ucDuaBROkwx0DwmWMW/KMLpIFDQDNSaiIAuu4rxHrl4mhBoGGPNffI04RtILw -s+qVNs5xW8T+XaT4ztECQQDFHPnZeoPWE5z+AX/UUQIUWaDExz3XRzmIxRbOrlFi -CsF1s0TdJLi/wzNQRAL37A8vqCeVFR/ng3Xpg96Yg+8Z ------END RSA PRIVATE KEY----- - -EOD; - } - - $cert = str_replace("\r", "", $cert); - $key = str_replace("\r", "", $key); - - $fd = fopen("{$g['varetc_path']}/cert.pem", "w"); - if (!$fd) { - printf("Error: cannot open cert.pem in system_webgui_start().\n"); - return 1; - } - chmod("{$g['varetc_path']}/cert.pem", 0600); - fwrite($fd, $cert); - fwrite($fd, "\n"); - fwrite($fd, $key); - fclose($fd); - - $res = mwexec("/usr/local/sbin/mini_httpd -S -E {$g['varetc_path']}/cert.pem" . - " -c \"**.php|**.cgi\" -u root -maxproc 16 $portarg" . - " -i {$g['varrun_path']}/mini_httpd.pid"); - } else { - $res = mwexec("/usr/local/sbin/mini_httpd -c \"**.php|**.cgi\" -u root" . - " -maxproc 16 $portarg -i {$g['varrun_path']}/mini_httpd.pid"); - } - - if ($g['booting']) { - if ($res == 0) - echo "done\n"; - else - echo "failed\n"; - } - - return $res; -} - function system_generate_lighty_config($filename, $cert, $key, diff --git a/usr/local/www/system.php b/usr/local/www/system.php index d8c62f3..5ed8065 100755 --- a/usr/local/www/system.php +++ b/usr/local/www/system.php 
@@ -43,17 +43,12 @@ $pconfig['hostname'] = $config['system']['hostname'];
$pconfig['domain'] = $config['system']['domain'];
list($pconfig['dns1'],$pconfig['dns2'],$pconfig['dns3'],$pconfig['dns4']) = $config['system']['dnsserver'];
-
$pconfig['dns1gwint'] = $config['system']['dns1gwint'];
$pconfig['dns2gwint'] = $config['system']['dns2gwint'];
$pconfig['dns3gwint'] = $config['system']['dns3gwint'];
$pconfig['dns4gwint'] = $config['system']['dns4gwint'];
$pconfig['dnsallowoverride'] = isset($config['system']['dnsallowoverride']);
-$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
-if (!$pconfig['webguiproto'])
- $pconfig['webguiproto'] = "http";
-$pconfig['webguiport'] = $config['system']['webgui']['port'];
$pconfig['timezone'] = $config['system']['timezone'];
$pconfig['timeupdateinterval'] = $config['system']['time-update-interval'];
$pconfig['timeservers'] = $config['system']['timeservers'];
@@ -132,11 +127,6 @@ if ($_POST) {
update_if_changed("hostname", $config['system']['hostname'], strtolower($_POST['hostname']));
update_if_changed("domain", $config['system']['domain'], strtolower($_POST['domain']));
- if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto']))
- $restart_webgui = true;
- if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport']))
- $restart_webgui = true;
-
update_if_changed("timezone", $config['system']['timezone'], $_POST['timezone']);
update_if_changed("NTP servers", $config['system']['timeservers'], strtolower($_POST['timeservers']));
update_if_changed("NTP update interval", $config['system']['time-update-interval'], $_POST['timeupdateinterval']);
@@ -181,16 +171,6 @@ if ($_POST) {
if ($changecount > 0)
write_config($changedesc);
- if ($restart_webgui) {
- global $_SERVER;
- list($host) = explode(":", $_SERVER['HTTP_HOST']);
- if ($config['system']['webgui']['port']) {
- $url="{$config['system']['webgui']['protocol']}://{$host}:{$config['system']['webgui']['port']}/system.php";
- } else {
- $url = "{$config['system']['webgui']['protocol']}://{$host}/system.php";
- }
- }
-
$retval = 0;
config_lock();
$retval = system_hostname_configure();
@@ -206,8 +186,6 @@ if ($_POST) {
config_unlock();
$savemsg = get_std_save_message($retval);
- if ($restart_webgui)
- $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds.";
}
}
@@ -295,20 +273,6 @@ include("head.inc");
PPTP VPN clients, though.</span></p></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell">webConfigurator protocol</td>
- <td width="78%" class="vtable"> <input name="webguiproto" type="radio" value="http" <?php if ($pconfig['webguiproto'] == "http") echo "checked"; ?>>
- HTTP <input type="radio" name="webguiproto" value="https" <?php if ($pconfig['webguiproto'] == "https") echo "checked"; ?>>
- HTTPS</td>
- </tr>
- <tr>
- <td valign="top" class="vncell">webConfigurator port</td>
- <td class="vtable"> <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>">
- <br>
- <span class="vexpl">Enter a custom port number for the webConfigurator
- above if you want to override the default (80 for HTTP, 443
- for HTTPS). Changes will take effect immediately after save.</span></td>
- </tr>
- <tr>
<td width="22%" valign="top" class="vncell">Time zone</td>
<td width="78%" class="vtable"> <select name="timezone" id="timezone">
<?php foreach ($timezonelist as $value): ?>
@@ -369,16 +333,5 @@ include("head.inc");
</table>
</form>
<?php include("fend.inc"); ?>
-<?php
- // restart webgui if proto or port changed
- if ($restart_webgui) {
- echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">";
- }
-?>
</body>
</html>
-<?php
-if ($restart_webgui) {
- touch("/tmp/restart_webgui");
-}
-?>
diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php
index 211eca4..179c573 100644
--- a/usr/local/www/system_advanced_admin.php
+++ b/usr/local/www/system_advanced_admin.php
@@ -43,15 +43,24 @@
require("guiconfig.inc");
-$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']);
-$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']);
+$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
+$pconfig['webguiport'] = $config['system']['webgui']['port'];
+$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
$pconfig['enableserial'] = $config['system']['enableserial'];
$pconfig['enablesshd'] = $config['system']['enablesshd'];
$pconfig['sshport'] = $config['system']['ssh']['port'];
$pconfig['sshdkeyonly'] = $config['system']['ssh']['sshdkeyonly'];
-$pconfig['authorizedkeys'] = base64_decode($config['system']['ssh']['authorizedkeys']);
+
+$a_cert =& $config['system']['cert'];
+
+$certs_available = false;
+if (is_array($a_cert) && count($a_cert))
+ $certs_available = true;
+
+if (!$pconfig['webguiproto'] || !$certs_available)
+ $pconfig['webguiproto'] = "http";
if ($_POST) {
@@ -59,15 +68,9 @@ if ($_POST) {
$pconfig = $_POST;
/* input validation */
- if (($_POST['cert'] && !$_POST['key']) || ($_POST['key'] && !$_POST['cert']))
- $input_errors[] = "Certificate and key must always be specified together.";
-
- if ($_POST['cert'] && $_POST['key']) {
- if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))
- $input_errors[] = "This certificate does not appear to be valid.";
- if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY"))
- $input_errors[] = "This key does not appear to be valid.";
- }
+ if ($_POST['webguiport'])
+ if(!is_port($_POST['webguiport']))
+ $input_errors[] = "You must specify a valid webConfigurator port number";
if ($_POST['sshport'])
if(!is_port($_POST['sshport']))
@@ -83,10 +86,12 @@ if ($_POST) {
if (!$input_errors) {
- $oldcert = $config['system']['webgui']['certificate'];
- $oldkey = $config['system']['webgui']['private-key'];
- $config['system']['webgui']['certificate'] = base64_encode($_POST['cert']);
- $config['system']['webgui']['private-key'] = base64_encode($_POST['key']);
+ if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto']))
+ $restart_webgui = true;
+ if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport']))
+ $restart_webgui = true;
+ if (update_if_changed("webgui certificate", $config['system']['webgui']['ssl-certref'], $_POST['ssl-certref']))
+ $restart_webgui = true;
if($_POST['disableconsolemenu'] == "yes") {
$config['system']['disableconsolemenu'] = true;
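Review bot: The validation added in the first hunk (`@@ -59,15`) covers only `webguiport`; `$_POST['webguiproto']` and `$_POST['ssl-certref']` are stored unchecked by the `update_if_changed` calls in the second hunk (`@@ -83,10`), so a protocol other than `http`/`https`, a certref that matches no entry in `$a_cert`, or `https` with no certificate at all reaches `system_webgui_start`, whose only recourse is its http fallback. The `disabled` attribute on the HTTPS radio is a client-side hint, not a control. Validate server-side next to the port check; `lookup_cert` is the helper system.inc uses in this same commit, and if it is not in scope on this page a loop over `$a_cert` comparing `refid` does the same job.
```php
    if ($_POST['webguiport'])
        if(!is_port($_POST['webguiport']))
            $input_errors[] = "You must specify a valid webConfigurator port number";

    if (!in_array($_POST['webguiproto'], array("http", "https"), true))
        $input_errors[] = "Invalid webConfigurator protocol";

    if ($_POST['webguiproto'] == "https") {
        $cert = lookup_cert($_POST['ssl-certref']);
        if (!is_array($cert) || !$cert['crt'] || !$cert['prv'])
            $input_errors[] = "You must select a valid certificate before enabling HTTPS";
    }

    /* … unchanged: sshport validation … */
```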
@@ -106,37 +111,50 @@ if ($_POST) {
else
unset($config['system']['enableserial']);
- if($_POST['enablesshd'] == "yes") {
+ $sshd_enabled = $config['system']['enablesshd'];
+ if($_POST['enablesshd'])
$config['system']['enablesshd'] = "enabled";
- touch("{$g['tmp_path']}/start_sshd");
- } else {
+ else
unset($config['system']['enablesshd']);
- mwexec("/usr/bin/killall sshd");
- }
-
- $oldsshport = $config['system']['ssh']['port'];
- if ($_POST['sshdkeyonly'] == "yes") {
+ $sshd_keyonly = $config['system']['sshdkeyonly'];
+ if ($_POST['sshdkeyonly'])
$config['system']['sshdkeyonly'] = true;
- touch("{$g['tmp_path']}/start_sshd");
- } else {
+ else
unset($config['system']['sshdkeyonly']);
- mwexec("/usr/bin/killall sshd");
- }
- $config['system']['ssh']['port'] = $_POST['sshport'];
- $config['system']['ssh']['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
+ $sshd_port = $config['system']['ssh']['port'];
+ if ($_POST['sshport'])
+ $config['system']['ssh']['port'] = $_POST['sshport'];
+ else
+ unset($config['system']['ssh']['port']);
+
+ if (($sshd_enabled != $config['system']['enablesshd']) ||
+ ($sshd_keyonly != $config['system']['sshdkeyonly']) ||
+ ($sshd_port != $config['system']['ssh']['port']))
+ $restart_sshd = true;
+
+ if ($restart_webgui) {
+ global $_SERVER;
+ list($host) = explode(":", $_SERVER['HTTP_HOST']);
+ $prot = $config['system']['webgui']['protocol'];
+ $port = $config['system']['webgui']['port'];
+ if ($port)
+ $url = "{$prot}://{$host}:{$port}/system_advanced_admin.php";
+ else
+ $url = "{$prot}://{$host}/system.php";
+ }
write_config();
config_lock();
$retval = filter_configure();
- if(stristr($retval, "error") <> true)
- $savemsg = get_std_save_message($retval);
- else
- $savemsg = $retval;
config_unlock();
+ $savemsg = get_std_save_message($retval);
+ if ($restart_webgui)
+ $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds.";
+
conf_mount_rw();
setup_serial_port();
conf_mount_ro();
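Review bot: `$sshd_keyonly` is read from `$config['system']['sshdkeyonly']` and the unchanged lines below write and unset that same key, but this page's own `$pconfig['sshdkeyonly']` in the earlier hunk, `system_usermanager.php` and the auth.inc code removed by this commit all consult `$config['system']['ssh']['sshdkeyonly']`, so the "Disable Password login" option is saved under one key and read from another; unless the sshd configuration code (not in this diff) reads the former, ticking the box never disables password logins, and the change detection added here cannot notice it either. Pick one key — the readers favour `$config['system']['ssh']['sshdkeyonly']` — and use it in the `$sshd_keyonly =` line, the `= true` assignment and the `unset`. The redirect also sends a port-less install to `/system.php` while the port branch goes to `/system_advanced_admin.php`; the latter is presumably intended for both. `global $_SERVER;` is unnecessary since `$_SERVER` is a superglobal.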
@@ -149,8 +167,21 @@ include("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+
+function prot_change() {
+
+ if (document.iform.https_proto.checked)
+ document.getElementById("ssl_opts").style.display="";
+ else
+ document.getElementById("ssl_opts").style.display="none";
+}
+
+//-->
+</script>
<?php
- include("fbegin.inc");
if ($input_errors)
print_input_errors($input_errors);
if ($savemsg)
@@ -192,19 +223,54 @@ include("head.inc");
<td colspan="2" valign="top" class="listtopic">webConfigurator</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell">Certificate</td>
+ <td width="22%" valign="top" class="vncell">Protocol</td>
<td width="78%" class="vtable">
- <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea>
+ <?php
+ if ($pconfig['webguiproto'] == "http")
+ $http_chk = "checked";
+ if ($pconfig['webguiproto'] == "https")
+ $https_chk = "checked";
+ if (!$certs_available)
+ $https_disabled = "disabled";
+ ?>
+ <input name="webguiproto" id="http_proto" type="radio" value="http" <?=$http_chk;?> onClick="prot_change()">
+ HTTP
+
+ <input name="webguiproto" id="https_proto" type="radio" value="https" <?=$https_chk;?> <?=$https_disabled;?> onClick="prot_change()">
+ HTTPS
+ <?php if (!$certs_available): ?>
<br/>
- Paste a signed certificate in X.509 PEM format here. <a href="javascript:if(openwindow('system_advanced_create_certs.php') == false) alert('Popup blocker detected. Action aborted.');" >Create</a> certificates automatically.
+ No Certificates have been defined. You must
+ <a href="system_certmanager.php">Create or Import</a>
+ a Certificate before SSL can be enabled.
+ <?php endif; ?>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Key</td>
+ <tr id="ssl_opts">
+ <td width="22%" valign="top" class="vncell">SSL Certificate</td>
<td width="78%" class="vtable">
- <textarea name="key" cols="65" rows="7" id="key" class="formpre"><?=htmlspecialchars($pconfig['key']);?></textarea>
- <br/>
- Paste an RSA private key in PEM format here.
+ <select name="ssl-certref" id="ssl-certref" class="formselect">
+ <?php
+ foreach($a_cert as $cert):
+ $selected = "";
+ if ($pconfig['ssl-certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">TCP port</td>
+ <td class="vtable">
+ <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>">
+ <br>
+ <span class="vexpl">
+ Enter a custom port number for the webConfigurator
+ above if you want to override the default (80 for HTTP, 443
+ for HTTPS). Changes will take effect immediately after save.
+ </span>
</td>
</tr>
<tr>
@@ -246,9 +312,9 @@ include("head.inc");
<input name="sshdkeyonly" type="checkbox" id="sshdkeyonly" value="yes" <?php if (isset($pconfig['sshdkeyonly'])) echo "checked"; ?> />
<strong>Disable Password login for Secure Shell (rsa key only)</strong>
<br/>
- When this option is enabled, you will need to configure
- allowed keys for each user that has secure shell
- access.
+ When enabled, authorized keys need to be configured for each
+ <a href="system_usermanager.php">user</a>
+ that has been granted secure shell access.
</td>
</tr>
<tr>
@@ -260,14 +326,6 @@ include("head.inc");
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Authorizedkeys");?></td>
- <td width="78%" class="vtable">
- <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
- <br/>
- Paste an authorized keys file here.
- </td>
- </tr>
- <tr>
<td colspan="2" class="list" height="12"> </td>
</tr>
<?php if($g['platform'] == "pfSense" || $g['platform'] == "cdrom"): ?>
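Review bot: In the `ssl-certref` `<select>` the option label is printed as `<?=$cert['name'];?>` and the value as `<?=$cert['refid'];?>` without `htmlspecialchars`, while the port field in the same hunk does escape its value; a certificate name containing markup, entered on the certificate manager page that this commit links to, would be rendered unescaped into this admin page. Use `<option value="<?=htmlspecialchars($cert['refid']);?>"<?=$selected;?>><?=htmlspecialchars($cert['name']);?></option>`. `$http_chk`, `$https_chk` and `$https_disabled` are also never initialised before the conditionals, so whichever is not set is undefined when echoed; initialise all three to `""` at the top of that `<?php` block. The stray quote in `"size="5"` on the port input is carried over from the old page and leaves the attribute malformed.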
@@ -311,22 +369,35 @@ include("head.inc");
</td>
</tr>
</table>
+ <script language="JavaScript" type="text/javascript">
+ <!--
+ prot_change();
+ //-->
+ </script>
<?php include("fend.inc"); ?>
+<?php
+ if ($restart_webgui)
+ echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">";
+?>
</body>
</html>
<?php
+if ($restart_sshd) {
-if($_POST['cert'] || $_POST['key']) {
- if (($config['system']['webgui']['certificate'] != $oldcert)
- || ($config['system']['webgui']['private-key'] != $oldkey)) {
- ob_flush();
- flush();
- log_error("webConfigurator certificates have changed. Restarting webConfigurator.");
- sleep(1);
- touch("/tmp/restart_webgui");
+ mwexec("/usr/bin/killall sshd");
+ log_error("secure shell configuration has changed. Stopping sshd.");
+
+ if ($config['system']['enablesshd']) {
+ log_error("secure shell configuration has changed. Restarting sshd.");
+ touch("{$g['tmp_path']}/start_sshd");
}
}
-
+if ($restart_webgui) {
+ ob_flush();
+ flush();
+ log_error("webConfigurator configuration has changed. Restarting webConfigurator.");
+ touch("{$g['tmp_path']}/restart_webgui");
+}
?>
diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php
index 5426524..cdb2c35 100644
--- a/usr/local/www/system_usermanager.php
+++ b/usr/local/www/system_usermanager.php
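Review bot: The `<meta http-equiv="refresh" ... url={$url}>` echoed under `if ($restart_webgui)` embeds `$url` unescaped, and `$url` is built earlier in this file from `$_SERVER['HTTP_HOST']`, which is client-supplied; escape it at the point of output, `echo "<meta http-equiv=\"refresh\" content=\"10;url=" . htmlspecialchars($url) . "\">";`, or build the redirect from the configured interface address instead of the Host header. The sshd branch runs `killall sshd` before checking whether sshd stays enabled, which terminates every active ssh session, including the administrator's, even for a change that only needs a restart; kill only when sshd is being disabled and otherwise let the `start_sshd` handler (not in this diff) restart it, if that handler supports a running instance. `$restart_sshd` and `$restart_webgui` are unset on a plain GET, so the two `if`s rely on PHP's undefined-variable tolerance; initialising both to `false` near the top of the page would make that explicit.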
@@ -197,12 +197,7 @@ if (isAllowedPage("system_usermanager")) {
}
}
- if(is_array($_POST['groups']))
- foreach($_POST['groups'] as $groupname)
- if ($pconfig['utype'] <> "system" && !isset($groupindex[$groupname]))
- $input_errors[] = gettext("group {$groupname} does not exist, please define the group before assigning users.");
-
- if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys']))
+ if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys']))
$input_errors[] = gettext("You must provide an authorized key otherwise you won't be able to login into this system.");
/* if this is an AJAX caller then handle via JSON */
@@ -216,6 +211,8 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id])
$userent = $a_user[$id];
+ isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
+
/* the user name was modified */
if ($_POST['usernamefld'] <> $_POST['oldusername'])
$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
@@ -226,11 +223,7 @@ if (isAllowedPage("system_usermanager")) {
$userent['name'] = $_POST['usernamefld'];
$userent['fullname'] = $_POST['fullname'];
-
- isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
-
- if(isset($config['system']['ssh']['sshdkeyonly']))
- $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
+ $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
if (isset($id) && $a_user[$id])
$a_user[$id] = $userent;
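Review bot: The first hunk (`@@ -197,12`) deletes the check that every name in `$_POST['groups']` exists in `$groupindex`, and nothing in this diff replaces it, so a user can now be saved with a membership in a group that is not defined; whether later code rejects that is not visible here. If the check moved elsewhere, a comment saying where would help; otherwise restore it. In the third hunk (`@@ -226,11`) `$userent['authorizedkeys']` is now stored for every user regardless of `sshdkeyonly`, which matches auth.inc installing keys per user in this same commit, but the pasted text is base64-encoded with no sanity check, so a simple per-line test such as `if (!empty($_POST['authorizedkeys']) && !preg_match('/^(ssh-rsa|ssh-dss) /m', $_POST['authorizedkeys']))` adding an input error would catch paste mistakes before they land in the user's `authorized_keys`.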
@@ -367,20 +360,6 @@ function presubmit() {
<?=gettext("User's full name, for your own information only");?>
</td>
</tr>
-
- <?php if (isset($config['system']['ssh']['sshdkeyonly'])): ?>
-
- <tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td>
- <td width="78%" class="vtable">
- <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
- <br/>
- <?=gettext("Paste an authorized keys file here.");?>
- </td>
- </tr>
-
- <?php endif; ?>
-
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Group Memberships");?></td>
<td width="78%" class="vtable" align="center">
@@ -552,6 +531,14 @@ function presubmit() {
<?php endif; ?>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td>
+ <td width="78%" class="vtable">
+ <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
+ <br/>
+ <?=gettext("Paste an authorized keys file here.");?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top"> </td>
<td width="78%">
<input id="submit" name="save" type="submit" class="formbtn" value="Save" /> |