Cleanup authentication code. The basic auth method, the passwd, htpasswd

and pam backing functions have been removed. The basic auth method was
legacy code and the backing functions were redundant with no added value
that I could see. A simplified replacement backing function named
local_backed has been added that authenticates to the local configuration
info which should be identical to system pwdb credentials. Since the
htpassword file is no longer required, sync_webgui_passwords and its
wrapper function system_password_configure have been removed.

The local account management functions were renamed for consistency. A few
minor bugs related to setting local passwords have also been corrected.
This commit is contained in:
Matthew Grooms 2008-08-03 17:54:35 +00:00
parent 5064cec767
commit 659fa7f23b
18 changed files with 467 additions and 650 deletions

File diff suppressed because it is too large Load Diff

View File

@ -46,7 +46,6 @@ require_once("functions.inc");
* radius_backed - this will allow you to use a radius server
* pam_backed - this uses the system's PAM facility .htpasswd file
*/
$auth_method="session_auth";
/* enable correct auth backend, default to htpasswd_backed */
$ldapcase = $config['system']['webgui']['backend'];
@ -59,11 +58,11 @@ switch($ldapcase)
$backing_method="ldap_backed";
break;
default:
$backing_method="htpasswd_backed";
$backing_method="local_backed";
}
/* Authenticate user - exit if failed */
if (!$auth_method($backing_method))
if (!session_auth($backing_method))
exit;
/*

View File

@ -1592,7 +1592,7 @@ function convert_config() {
$groups[] = $all;
$groups = array_merge($config['system']['group'],$groups);
$config['system']['group'] = $groups;
set_local_group($all);
local_group_set($all);
$config['version'] = 4.9;
}
@ -1643,7 +1643,7 @@ function convert_config() {
}
/* sync all local account information */
sync_local_accounts();
local_sync_accounts();
$config['version'] = 5.0;
}

View File

@ -2580,36 +2580,6 @@ function reload_interfaces() {
touch("/tmp/reload_interfaces");
}
/****f* pfsense-utils/sync_webgui_passwords
* NAME
* sync_webgui_passwords - syncs all www pwdb entries
* INPUTS
* none
* RESULT
* none
******/
function sync_webgui_passwords() {
global $config, $g, $groupindex, $userindex;
conf_mount_rw();
$fd = fopen("{$g['varrun_path']}/htpasswd", "w");
if (!$fd) {
log_error("Error: cannot open htpasswd in sync_webgui_passwords().\n");
return 1;
}
/* loop through custom users and add "virtual" entries */
if ($config['system']['user'])
foreach ($config['system']['user'] as $user)
fwrite($fd, "{$user['name']}:{$user['password']}\n");
fclose($fd);
chmod("{$g['varrun_path']}/htpasswd", 0600);
conf_mount_ro();
}
/****f* pfsense-utils/reload_all_sync
* NAME
* reload_all - reload all settings
@ -2693,7 +2663,7 @@ function reload_all_sync() {
system_routing_enable();
/* ensure passwords are sync'd */
system_password_configure();
// system_password_configure();
/* start dnsmasq service */
services_dnsmasq_configure();

View File

@ -142,7 +142,7 @@ function get_user_privileges(& $user) {
if (!is_array($privs))
$privs = array();
$names = get_local_user_groups($user, true);
$names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@ -162,7 +162,7 @@ function get_user_privdesc(& $user) {
if (!is_array($user_privs))
$user_privs = array();
$names = get_local_user_groups($user, true);
$names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@ -244,7 +244,7 @@ function getAllowedPages($username) {
// obtain local groups if we have a local user
if ($local_user) {
$allowed_groups = get_local_user_groups($local_user);
$allowed_groups = local_user_get_groups($local_user);
getPrivPages($local_user, $allowed_pages);
}

View File

@ -494,9 +494,6 @@ function system_webgui_start() {
sleep(1);
/* generate password file */
system_password_configure();
chdir($g['www_path']);
/* non-standard port? */
@ -592,9 +589,6 @@ function system_webgui_start_old() {
/* kill any running mini_httpd */
killbypid("{$g['varrun_path']}/mini_httpd.pid");
/* generate password file */
system_password_configure();
chdir($g['www_path']);
/* non-standard port? */
@ -1000,21 +994,6 @@ EOD;
}
function system_password_configure() {
global $config, $g;
if(isset($config['system']['developerspew'])) {
$mt = microtime();
echo "system_password_configure() being called $mt\n";
}
/* sync passwords */
sync_webgui_passwords();
/* !NOTE! conf_mount_ro is done by sync_webgui_passwords() */
return 0;
}
function system_timezone_configure() {
global $config, $g;
if(isset($config['system']['developerspew'])) {
@ -1308,4 +1287,4 @@ function enable_watchdog() {
}
}
?>
?>

View File

@ -148,9 +148,9 @@ function post_cvssync_commands() {
echo "===> Upgrading configuration (if needed)...\n";
convert_config();
echo "===> Syncing system passwords...\n";
sync_webgui_passwords();
local_sync_accounts();
echo "===> Restarting check_reload_status...\n";
exec("killall check_reload_status");

View File

@ -106,11 +106,6 @@
system_setup_sysctl();
echo "done.\n";
/* sync user passwords */
echo "Syncing user passwords...";
sync_webgui_passwords();
echo "done.\n";
echo "Starting Secure Shell Services...";
mwexec_bg("/etc/sshd");
echo "done.\n";
@ -216,7 +211,7 @@
system_routing_enable();
/* ensure passwords are sync'd */
system_password_configure();
// system_password_configure();
/* configure console menu */
system_console_configure();

View File

@ -41,17 +41,25 @@ The webConfigurator password will be reset to the default (which is "' . strtolo
gettext('Do you want to proceed [y|n]?');
if (strcasecmp(chop(fgets($fp)), "y") == 0) {
foreach ($config['system']['user'] as & $user) {
if (isset($user['uid']) && !$user['uid']) {
$user['name'] = "admin";
set_local_user($user, strtolower($g['product_name']));
write_config(gettext("password changed from console menu"));
system_password_configure();
break;
}
$admin_user =& getUserEntryByUID(0);
if (!$admin_user) {
echo "Failed to locate the admin user account! Attempting to restore access.\n";
$admin_user = array();
$admin_user['uid'] = 0;
$admin_user['priv'] = explode(",", "user-shell-access,page-all");
if (!is_array($config['system']['user']))
$config['system']['user'] = array();
$config['system']['user'][] = $admin_user;
}
$admin_user['name'] = "admin";
$admin_user['scope'] = "system";
$admin_user['blah'] = "set by console";
local_user_set_password($admin_user, strtolower($g['product_name']));
local_user_set($admin_user);
write_config(gettext("password changed from console menu"));
echo "\n" . gettext('
The password for the webConfigurator has been reset and
the default username has been set to "admin".') . "\n" .

View File

@ -65,9 +65,6 @@
touch("/var/log/lastlog");
}
/* reset passwords */
sync_webgui_passwords();
$sshConfigDir = "/etc/ssh";
if($config['system']['ssh']['port'] <> "") {

View File

@ -119,9 +119,6 @@ ob_flush();
/* mount rw fs */
conf_mount_rw();
/* resync password database to avoid out of sync issues */
sync_webgui_passwords();
switch($_GET['mode']) {
case "delete":
$id = get_pkg_id($_GET['pkg']);

View File

@ -117,9 +117,6 @@ if ($_POST) {
($_POST['webguiport'] < 1) || ($_POST['webguiport'] > 65535))) {
$input_errors[] = "A valid TCP/IP port must be specified for the webConfigurator port.";
}
if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) {
$input_errors[] = "The passwords do not match.";
}
$t = (int)$_POST['timeupdateinterval'];
if (($t < 0) || (($t > 0) && ($t < 6)) || ($t > 1440)) {
@ -163,12 +160,6 @@ if ($_POST) {
unset($config['system']['dnsallowoverride']);
$config['system']['dnsallowoverride'] = $_POST['dnsallowoverride'] ? true : false;
if ($_POST['password']) {
$config['system']['password'] = crypt($_POST['password']);
update_changedesc("password changed via webConfigurator");
sync_webgui_passwords();
}
/* which interface should the dns servers resolve through? */
if($_POST['dns1gwint'])
$config['system']['dns1gwint'] = $pconfig['dns1gwint'];
@ -205,7 +196,6 @@ if ($_POST) {
$retval = system_hostname_configure();
$retval |= system_hosts_generate();
$retval |= system_resolvconf_generate();
$retval |= system_password_configure();
$retval |= services_dnsmasq_configure();
$retval |= system_timezone_configure();
$retval |= system_ntp_configure();

View File

@ -63,7 +63,7 @@ if ($_GET['act'] == "delgroup") {
exit;
}
del_local_group($a_group[$_GET['id']]);
local_group_del($a_group[$_GET['id']]);
$groupdeleted = $a_group[$_GET['id']]['name'];
unset($a_group[$_GET['id']]);
write_config();
@ -84,7 +84,7 @@ if ($_GET['act'] == "delpriv") {
foreach ($a_group[$id]['member'] as $uid) {
$user = getUserEntryByUID($uid);
if ($user)
set_local_user($user);
local_user_set($user);
}
write_config();
@ -146,7 +146,7 @@ if ($_POST) {
$a_group[] = $group;
}
set_local_group($group);
local_group_set($group);
write_config();
header("Location: system_groupmanager.php");

View File

@ -85,7 +85,7 @@ if ($_POST) {
foreach ($a_group['member'] as $uid) {
$user = getUserEntryByUID($uid);
if ($user)
set_local_user($user);
local_user_set($user);
}
$retval = write_config();

View File

@ -67,11 +67,10 @@ if (isAllowedPage("system_usermanager")) {
exit;
}
del_local_user($a_user[$_GET['id']]);
local_user_del($a_user[$_GET['id']]);
$userdeleted = $a_user[$_GET['id']]['name'];
unset($a_user[$_GET['id']]);
write_config();
$retval = system_password_configure();
$savemsg = gettext("User")." {$userdeleted} ".
gettext("successfully deleted")."<br/>";
}
@ -96,7 +95,7 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id]) {
$pconfig['usernamefld'] = $a_user[$id]['name'];
$pconfig['fullname'] = $a_user[$id]['fullname'];
$pconfig['groups'] = get_local_user_groups($a_user[$id]);
$pconfig['groups'] = local_user_get_groups($a_user[$id]);
$pconfig['utype'] = $a_user[$id]['scope'];
$pconfig['uid'] = $a_user[$id]['uid'];
$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
@ -163,10 +162,14 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id])
$userent = $a_user[$id];
/* the user did change his username */
/* the user name was modified */
if ($_POST['usernamefld'] <> $_POST['oldusername'])
$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
/* the user password was mofified */
if ($_POST['passwordfld1'])
local_user_set_password($userent, $_POST['passwordfld1']);
$userent['name'] = $_POST['usernamefld'];
$userent['fullname'] = $_POST['fullname'];
@ -182,10 +185,9 @@ if (isAllowedPage("system_usermanager")) {
$a_user[] = $userent;
}
set_local_user($userent, $_POST['passwordfld1']);
set_local_user_groups($userent,$_POST['groups']);
local_user_set($userent);
local_user_set_groups($userent,$_POST['groups']);
write_config();
$retval = system_password_configure();
pfSenseHeader("system_usermanager.php");
}
@ -488,7 +490,7 @@ function presubmit() {
<td class="listr"><?=htmlspecialchars($userent['fullname']);?>&nbsp;</td>
<td class="listbg">
<font color="white">
<?=implode(",",get_local_user_groups($userent));?>
<?=implode(",",local_user_get_groups($userent));?>
</font>
&nbsp;
</td>
@ -563,10 +565,6 @@ function presubmit() {
$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1']));
write_config();
sync_webgui_passwords();
$retval = system_password_configure();
$savemsg = "Password successfully changed<br />";
}
}

View File

@ -86,7 +86,7 @@ if ($_POST) {
else
$a_user['priv'] = array_merge($a_user['priv'], $pconfig['sysprivs']);
set_local_user($a_user);
local_user_set($a_user);
$retval = write_config();
$savemsg = get_std_save_message($retval);

View File

@ -126,12 +126,8 @@ if ($_POST) {
else
unset($pconfig['ldapgroupattribute']);
write_config();
$retval = system_password_configure();
sync_webgui_passwords();
}
}

View File

@ -418,14 +418,10 @@
<stepsubmitphpaction>
if($_POST['adminpassword'] != "") {
if($_POST['adminpassword'] == $_POST['adminpasswordagain']) {
$fd = popen("/usr/sbin/pw usermod -n root -H 0", "w");
$salt = md5(time());
$crypted_pw = crypt($_POST['adminpassword'],$salt);
fwrite($fd, $crypted_pw);
pclose($fd);
$config['system']['password'] = crypt($_POST['adminpassword']);
$admin_user =& getUserEntryByUID(0);
local_user_set_password($admin_user, $_POST['adminpassword']);
local_user_set($admin_user);
write_config();
system_password_configure();
} else {
print_info_box_np("Passwords do not match! Please press back in your browser window and correct.");
die;