Project

General

Profile

Actions
Copy link

Feature #15745

open

Add User Manager Setting to control Remote Authentication fallback behavior

Added by Jim Pingle about 1 month ago. Updated 29 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
CE-Next
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Plus-Next
Release Notes:
Default

Description

Currently pfSense software ensures an administrator always maintains access to the installation by treating any remote authentication failure, including rejected credentials, equivalently and falling back to local authentication. This is because a remote authentication server can fail in ways where it is still accessible, but rejecting valid credentials.

Some administrators prefer to only fall back to local authentication in cases where the remote authentication server is inaccessible, but that behavior is not currently offered as an option.

The RADIUS and LDAP authentication functions already support this distinction, however. They return null when it cannot connect to a server and false when the server actively rejected the authentication attempt (e.g. bad credentials).

We could create a new option under the User Manager , on the Settings tab, to control this behavior. If the option is enabled and the authentication result is null then it can perform the fallback.

As a basic example, the following diff changes the main GUI authentication test to only fall back when a remote authentication server is unreachable:

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index a3411ab56c..bae514b759 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -2183,7 +2183,7 @@ function session_auth() {
     if (isset($_POST['login']) && !empty($_POST['usernamefld'])) {
         $authcfg = auth_get_authserver(config_get_path('system/webgui/authmode'));
         $remoteauth = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes);
-        if ($remoteauth || authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+        if ($remoteauth || ((is_null($remoteauth) && authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])))) {
             // Generate a new id to avoid session fixation
             session_regenerate_id();
             $_SESSION['Logged_In'] = "True";

That sort of change would need to be combined with the new option test. Every location in the code that uses authenticate_user() would need similar treatment.

Actions
Copy link
 #1

Updated by Jim Pingle 29 days ago

  • Description updated (diff)
Actions
Copy link

Also available in: Atom PDF