Project

General

Profile

Actions

Feature #15745

open

Add User Manager Setting to control Remote Authentication fallback behavior

Added by Jim Pingle 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Plus-Next
Release Notes:
Default

Description

Currently pfSense software ensures an administrator always maintains access to the installation by treating any remote authentication failure, including rejected credentials, equivalently and falling back to local authentication. This is because a remote authentication server can fail in ways where it is still accessible, but rejecting valid credentials.

Some administrators prefer to only fall back to local authentication in cases where the remote authentication server is inaccessible, but that behavior is not currently offered as an option.

The RADIUS and LDAP authentication functions already support this distinction, however. They return null when it cannot connect to a server and false when the server actively rejected the authentication attempt (e.g. bad credentials).

We could create a new option under the User Manager , on the Settings tab, to control this behavior. If the option is enabled and the authentication result is null then it can perform the fallback.

As a basic example, the following diff changes the main GUI authentication test to only fall back when a remote authentication server is unreachable:

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index a3411ab56c..bae514b759 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -2183,7 +2183,7 @@ function session_auth() {
     if (isset($_POST['login']) && !empty($_POST['usernamefld'])) {
         $authcfg = auth_get_authserver(config_get_path('system/webgui/authmode'));
         $remoteauth = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes);
-        if ($remoteauth || authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+        if ($remoteauth || ((is_null($remoteauth) && authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])))) {
             // Generate a new id to avoid session fixation
             session_regenerate_id();
             $_SESSION['Logged_In'] = "True";

That sort of change would need to be combined with the new option test. Every location in the code that uses authenticate_user() would need similar treatment.

Actions #1

Updated by Jim Pingle 3 months ago

  • Description updated (diff)
Actions

Also available in: Atom PDF