mirror of
https://github.com/pfsense/pfsense.git
synced 2025-10-26 11:38:35 +00:00
Cleanup authentication code. The basic auth method, the passwd, htpasswd
and pam backing functions have been removed. The basic auth method was legacy code and the backing functions were redundant with no added value that I could see. A simplified replacement backing function named local_backed has been added that authenticates to the local configuration info which should be identical to system pwdb credentials. Since the htpassword file is no longer required, sync_webgui_passwords and its wrapper function system_password_configure have been removed. The local account management functions were renamed for consistency. A few minor bugs related to setting local passwords have also been corrected.
This commit is contained in:
parent
5064cec767
commit
659fa7f23b
948
etc/inc/auth.inc
948
etc/inc/auth.inc
File diff suppressed because it is too large
Load Diff
@ -46,7 +46,6 @@ require_once("functions.inc");
|
||||
* radius_backed - this will allow you to use a radius server
|
||||
* pam_backed - this uses the system's PAM facility .htpasswd file
|
||||
*/
|
||||
$auth_method="session_auth";
|
||||
|
||||
/* enable correct auth backend, default to htpasswd_backed */
|
||||
$ldapcase = $config['system']['webgui']['backend'];
|
||||
@ -59,11 +58,11 @@ switch($ldapcase)
|
||||
$backing_method="ldap_backed";
|
||||
break;
|
||||
default:
|
||||
$backing_method="htpasswd_backed";
|
||||
$backing_method="local_backed";
|
||||
}
|
||||
|
||||
/* Authenticate user - exit if failed */
|
||||
if (!$auth_method($backing_method))
|
||||
if (!session_auth($backing_method))
|
||||
exit;
|
||||
|
||||
/*
|
||||
|
||||
@ -1592,7 +1592,7 @@ function convert_config() {
|
||||
$groups[] = $all;
|
||||
$groups = array_merge($config['system']['group'],$groups);
|
||||
$config['system']['group'] = $groups;
|
||||
set_local_group($all);
|
||||
local_group_set($all);
|
||||
|
||||
$config['version'] = 4.9;
|
||||
}
|
||||
@ -1643,7 +1643,7 @@ function convert_config() {
|
||||
}
|
||||
|
||||
/* sync all local account information */
|
||||
sync_local_accounts();
|
||||
local_sync_accounts();
|
||||
|
||||
$config['version'] = 5.0;
|
||||
}
|
||||
|
||||
@ -2580,36 +2580,6 @@ function reload_interfaces() {
|
||||
touch("/tmp/reload_interfaces");
|
||||
}
|
||||
|
||||
/****f* pfsense-utils/sync_webgui_passwords
|
||||
* NAME
|
||||
* sync_webgui_passwords - syncs all www pwdb entries
|
||||
* INPUTS
|
||||
* none
|
||||
* RESULT
|
||||
* none
|
||||
******/
|
||||
function sync_webgui_passwords() {
|
||||
global $config, $g, $groupindex, $userindex;
|
||||
|
||||
conf_mount_rw();
|
||||
$fd = fopen("{$g['varrun_path']}/htpasswd", "w");
|
||||
|
||||
if (!$fd) {
|
||||
log_error("Error: cannot open htpasswd in sync_webgui_passwords().\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* loop through custom users and add "virtual" entries */
|
||||
if ($config['system']['user'])
|
||||
foreach ($config['system']['user'] as $user)
|
||||
fwrite($fd, "{$user['name']}:{$user['password']}\n");
|
||||
|
||||
fclose($fd);
|
||||
chmod("{$g['varrun_path']}/htpasswd", 0600);
|
||||
|
||||
conf_mount_ro();
|
||||
}
|
||||
|
||||
/****f* pfsense-utils/reload_all_sync
|
||||
* NAME
|
||||
* reload_all - reload all settings
|
||||
@ -2693,7 +2663,7 @@ function reload_all_sync() {
|
||||
system_routing_enable();
|
||||
|
||||
/* ensure passwords are sync'd */
|
||||
system_password_configure();
|
||||
// system_password_configure();
|
||||
|
||||
/* start dnsmasq service */
|
||||
services_dnsmasq_configure();
|
||||
|
||||
@ -142,7 +142,7 @@ function get_user_privileges(& $user) {
|
||||
if (!is_array($privs))
|
||||
$privs = array();
|
||||
|
||||
$names = get_local_user_groups($user, true);
|
||||
$names = local_user_get_groups($user, true);
|
||||
|
||||
foreach ($names as $name) {
|
||||
$group = getGroupEntry($name);
|
||||
@ -162,7 +162,7 @@ function get_user_privdesc(& $user) {
|
||||
if (!is_array($user_privs))
|
||||
$user_privs = array();
|
||||
|
||||
$names = get_local_user_groups($user, true);
|
||||
$names = local_user_get_groups($user, true);
|
||||
|
||||
foreach ($names as $name) {
|
||||
$group = getGroupEntry($name);
|
||||
@ -244,7 +244,7 @@ function getAllowedPages($username) {
|
||||
|
||||
// obtain local groups if we have a local user
|
||||
if ($local_user) {
|
||||
$allowed_groups = get_local_user_groups($local_user);
|
||||
$allowed_groups = local_user_get_groups($local_user);
|
||||
getPrivPages($local_user, $allowed_pages);
|
||||
}
|
||||
|
||||
|
||||
@ -494,9 +494,6 @@ function system_webgui_start() {
|
||||
|
||||
sleep(1);
|
||||
|
||||
/* generate password file */
|
||||
system_password_configure();
|
||||
|
||||
chdir($g['www_path']);
|
||||
|
||||
/* non-standard port? */
|
||||
@ -592,9 +589,6 @@ function system_webgui_start_old() {
|
||||
/* kill any running mini_httpd */
|
||||
killbypid("{$g['varrun_path']}/mini_httpd.pid");
|
||||
|
||||
/* generate password file */
|
||||
system_password_configure();
|
||||
|
||||
chdir($g['www_path']);
|
||||
|
||||
/* non-standard port? */
|
||||
@ -1000,21 +994,6 @@ EOD;
|
||||
|
||||
}
|
||||
|
||||
function system_password_configure() {
|
||||
global $config, $g;
|
||||
if(isset($config['system']['developerspew'])) {
|
||||
$mt = microtime();
|
||||
echo "system_password_configure() being called $mt\n";
|
||||
}
|
||||
|
||||
/* sync passwords */
|
||||
sync_webgui_passwords();
|
||||
|
||||
/* !NOTE! conf_mount_ro is done by sync_webgui_passwords() */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
function system_timezone_configure() {
|
||||
global $config, $g;
|
||||
if(isset($config['system']['developerspew'])) {
|
||||
@ -1308,4 +1287,4 @@ function enable_watchdog() {
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
?>
|
||||
|
||||
@ -148,9 +148,9 @@ function post_cvssync_commands() {
|
||||
|
||||
echo "===> Upgrading configuration (if needed)...\n";
|
||||
convert_config();
|
||||
|
||||
|
||||
echo "===> Syncing system passwords...\n";
|
||||
sync_webgui_passwords();
|
||||
local_sync_accounts();
|
||||
|
||||
echo "===> Restarting check_reload_status...\n";
|
||||
exec("killall check_reload_status");
|
||||
|
||||
@ -106,11 +106,6 @@
|
||||
system_setup_sysctl();
|
||||
echo "done.\n";
|
||||
|
||||
/* sync user passwords */
|
||||
echo "Syncing user passwords...";
|
||||
sync_webgui_passwords();
|
||||
echo "done.\n";
|
||||
|
||||
echo "Starting Secure Shell Services...";
|
||||
mwexec_bg("/etc/sshd");
|
||||
echo "done.\n";
|
||||
@ -216,7 +211,7 @@
|
||||
system_routing_enable();
|
||||
|
||||
/* ensure passwords are sync'd */
|
||||
system_password_configure();
|
||||
// system_password_configure();
|
||||
|
||||
/* configure console menu */
|
||||
system_console_configure();
|
||||
|
||||
@ -41,17 +41,25 @@ The webConfigurator password will be reset to the default (which is "' . strtolo
|
||||
gettext('Do you want to proceed [y|n]?');
|
||||
|
||||
if (strcasecmp(chop(fgets($fp)), "y") == 0) {
|
||||
|
||||
foreach ($config['system']['user'] as & $user) {
|
||||
if (isset($user['uid']) && !$user['uid']) {
|
||||
$user['name'] = "admin";
|
||||
set_local_user($user, strtolower($g['product_name']));
|
||||
write_config(gettext("password changed from console menu"));
|
||||
system_password_configure();
|
||||
break;
|
||||
}
|
||||
$admin_user =& getUserEntryByUID(0);
|
||||
if (!$admin_user) {
|
||||
echo "Failed to locate the admin user account! Attempting to restore access.\n";
|
||||
$admin_user = array();
|
||||
$admin_user['uid'] = 0;
|
||||
$admin_user['priv'] = explode(",", "user-shell-access,page-all");
|
||||
if (!is_array($config['system']['user']))
|
||||
$config['system']['user'] = array();
|
||||
$config['system']['user'][] = $admin_user;
|
||||
}
|
||||
|
||||
$admin_user['name'] = "admin";
|
||||
$admin_user['scope'] = "system";
|
||||
$admin_user['blah'] = "set by console";
|
||||
|
||||
local_user_set_password($admin_user, strtolower($g['product_name']));
|
||||
local_user_set($admin_user);
|
||||
write_config(gettext("password changed from console menu"));
|
||||
|
||||
echo "\n" . gettext('
|
||||
The password for the webConfigurator has been reset and
|
||||
the default username has been set to "admin".') . "\n" .
|
||||
|
||||
3
etc/sshd
3
etc/sshd
@ -65,9 +65,6 @@
|
||||
touch("/var/log/lastlog");
|
||||
}
|
||||
|
||||
/* reset passwords */
|
||||
sync_webgui_passwords();
|
||||
|
||||
$sshConfigDir = "/etc/ssh";
|
||||
|
||||
if($config['system']['ssh']['port'] <> "") {
|
||||
|
||||
@ -119,9 +119,6 @@ ob_flush();
|
||||
/* mount rw fs */
|
||||
conf_mount_rw();
|
||||
|
||||
/* resync password database to avoid out of sync issues */
|
||||
sync_webgui_passwords();
|
||||
|
||||
switch($_GET['mode']) {
|
||||
case "delete":
|
||||
$id = get_pkg_id($_GET['pkg']);
|
||||
|
||||
@ -117,9 +117,6 @@ if ($_POST) {
|
||||
($_POST['webguiport'] < 1) || ($_POST['webguiport'] > 65535))) {
|
||||
$input_errors[] = "A valid TCP/IP port must be specified for the webConfigurator port.";
|
||||
}
|
||||
if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) {
|
||||
$input_errors[] = "The passwords do not match.";
|
||||
}
|
||||
|
||||
$t = (int)$_POST['timeupdateinterval'];
|
||||
if (($t < 0) || (($t > 0) && ($t < 6)) || ($t > 1440)) {
|
||||
@ -163,12 +160,6 @@ if ($_POST) {
|
||||
unset($config['system']['dnsallowoverride']);
|
||||
$config['system']['dnsallowoverride'] = $_POST['dnsallowoverride'] ? true : false;
|
||||
|
||||
if ($_POST['password']) {
|
||||
$config['system']['password'] = crypt($_POST['password']);
|
||||
update_changedesc("password changed via webConfigurator");
|
||||
sync_webgui_passwords();
|
||||
}
|
||||
|
||||
/* which interface should the dns servers resolve through? */
|
||||
if($_POST['dns1gwint'])
|
||||
$config['system']['dns1gwint'] = $pconfig['dns1gwint'];
|
||||
@ -205,7 +196,6 @@ if ($_POST) {
|
||||
$retval = system_hostname_configure();
|
||||
$retval |= system_hosts_generate();
|
||||
$retval |= system_resolvconf_generate();
|
||||
$retval |= system_password_configure();
|
||||
$retval |= services_dnsmasq_configure();
|
||||
$retval |= system_timezone_configure();
|
||||
$retval |= system_ntp_configure();
|
||||
|
||||
@ -63,7 +63,7 @@ if ($_GET['act'] == "delgroup") {
|
||||
exit;
|
||||
}
|
||||
|
||||
del_local_group($a_group[$_GET['id']]);
|
||||
local_group_del($a_group[$_GET['id']]);
|
||||
$groupdeleted = $a_group[$_GET['id']]['name'];
|
||||
unset($a_group[$_GET['id']]);
|
||||
write_config();
|
||||
@ -84,7 +84,7 @@ if ($_GET['act'] == "delpriv") {
|
||||
foreach ($a_group[$id]['member'] as $uid) {
|
||||
$user = getUserEntryByUID($uid);
|
||||
if ($user)
|
||||
set_local_user($user);
|
||||
local_user_set($user);
|
||||
}
|
||||
|
||||
write_config();
|
||||
@ -146,7 +146,7 @@ if ($_POST) {
|
||||
$a_group[] = $group;
|
||||
}
|
||||
|
||||
set_local_group($group);
|
||||
local_group_set($group);
|
||||
write_config();
|
||||
|
||||
header("Location: system_groupmanager.php");
|
||||
|
||||
@ -85,7 +85,7 @@ if ($_POST) {
|
||||
foreach ($a_group['member'] as $uid) {
|
||||
$user = getUserEntryByUID($uid);
|
||||
if ($user)
|
||||
set_local_user($user);
|
||||
local_user_set($user);
|
||||
}
|
||||
|
||||
$retval = write_config();
|
||||
|
||||
@ -67,11 +67,10 @@ if (isAllowedPage("system_usermanager")) {
|
||||
exit;
|
||||
}
|
||||
|
||||
del_local_user($a_user[$_GET['id']]);
|
||||
local_user_del($a_user[$_GET['id']]);
|
||||
$userdeleted = $a_user[$_GET['id']]['name'];
|
||||
unset($a_user[$_GET['id']]);
|
||||
write_config();
|
||||
$retval = system_password_configure();
|
||||
$savemsg = gettext("User")." {$userdeleted} ".
|
||||
gettext("successfully deleted")."<br/>";
|
||||
}
|
||||
@ -96,7 +95,7 @@ if (isAllowedPage("system_usermanager")) {
|
||||
if (isset($id) && $a_user[$id]) {
|
||||
$pconfig['usernamefld'] = $a_user[$id]['name'];
|
||||
$pconfig['fullname'] = $a_user[$id]['fullname'];
|
||||
$pconfig['groups'] = get_local_user_groups($a_user[$id]);
|
||||
$pconfig['groups'] = local_user_get_groups($a_user[$id]);
|
||||
$pconfig['utype'] = $a_user[$id]['scope'];
|
||||
$pconfig['uid'] = $a_user[$id]['uid'];
|
||||
$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
|
||||
@ -163,10 +162,14 @@ if (isAllowedPage("system_usermanager")) {
|
||||
if (isset($id) && $a_user[$id])
|
||||
$userent = $a_user[$id];
|
||||
|
||||
/* the user did change his username */
|
||||
/* the user name was modified */
|
||||
if ($_POST['usernamefld'] <> $_POST['oldusername'])
|
||||
$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
|
||||
|
||||
/* the user password was mofified */
|
||||
if ($_POST['passwordfld1'])
|
||||
local_user_set_password($userent, $_POST['passwordfld1']);
|
||||
|
||||
$userent['name'] = $_POST['usernamefld'];
|
||||
$userent['fullname'] = $_POST['fullname'];
|
||||
|
||||
@ -182,10 +185,9 @@ if (isAllowedPage("system_usermanager")) {
|
||||
$a_user[] = $userent;
|
||||
}
|
||||
|
||||
set_local_user($userent, $_POST['passwordfld1']);
|
||||
set_local_user_groups($userent,$_POST['groups']);
|
||||
local_user_set($userent);
|
||||
local_user_set_groups($userent,$_POST['groups']);
|
||||
write_config();
|
||||
$retval = system_password_configure();
|
||||
|
||||
pfSenseHeader("system_usermanager.php");
|
||||
}
|
||||
@ -488,7 +490,7 @@ function presubmit() {
|
||||
<td class="listr"><?=htmlspecialchars($userent['fullname']);?> </td>
|
||||
<td class="listbg">
|
||||
<font color="white">
|
||||
<?=implode(",",get_local_user_groups($userent));?>
|
||||
<?=implode(",",local_user_get_groups($userent));?>
|
||||
</font>
|
||||
|
||||
</td>
|
||||
@ -563,10 +565,6 @@ function presubmit() {
|
||||
$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1']));
|
||||
|
||||
write_config();
|
||||
|
||||
sync_webgui_passwords();
|
||||
|
||||
$retval = system_password_configure();
|
||||
$savemsg = "Password successfully changed<br />";
|
||||
}
|
||||
}
|
||||
|
||||
@ -86,7 +86,7 @@ if ($_POST) {
|
||||
else
|
||||
$a_user['priv'] = array_merge($a_user['priv'], $pconfig['sysprivs']);
|
||||
|
||||
set_local_user($a_user);
|
||||
local_user_set($a_user);
|
||||
$retval = write_config();
|
||||
$savemsg = get_std_save_message($retval);
|
||||
|
||||
|
||||
@ -126,12 +126,8 @@ if ($_POST) {
|
||||
else
|
||||
unset($pconfig['ldapgroupattribute']);
|
||||
|
||||
|
||||
write_config();
|
||||
|
||||
$retval = system_password_configure();
|
||||
sync_webgui_passwords();
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -418,14 +418,10 @@
|
||||
<stepsubmitphpaction>
|
||||
if($_POST['adminpassword'] != "") {
|
||||
if($_POST['adminpassword'] == $_POST['adminpasswordagain']) {
|
||||
$fd = popen("/usr/sbin/pw usermod -n root -H 0", "w");
|
||||
$salt = md5(time());
|
||||
$crypted_pw = crypt($_POST['adminpassword'],$salt);
|
||||
fwrite($fd, $crypted_pw);
|
||||
pclose($fd);
|
||||
$config['system']['password'] = crypt($_POST['adminpassword']);
|
||||
$admin_user =& getUserEntryByUID(0);
|
||||
local_user_set_password($admin_user, $_POST['adminpassword']);
|
||||
local_user_set($admin_user);
|
||||
write_config();
|
||||
system_password_configure();
|
||||
} else {
|
||||
print_info_box_np("Passwords do not match! Please press back in your browser window and correct.");
|
||||
die;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user