Feature #15745

Updated by Jim Pingle about 2 months ago

Currently pfSense software ensures an administrator always maintains access to the installation by treating any remote authentication failure, including rejected credentials, equivalently and "falling back to local authentication":https://docs.netgate.com/pfsense/en/latest/usermanager/settings.html. This is because a remote authentication server can fail in ways where it is still accessible, but rejecting valid credentials. 

Some administrators prefer to fall back to local authentication only when the remote authentication server is inaccessible, but that behavior is not currently offered as an option.

The RADIUS and LDAP authentication functions already support this distinction, however. They return @null@ when they cannot connect to a server and @false@ when the server actively rejected the authentication attempt (e.g. bad credentials).

We could create a new option under the *User Manager*, on the *Settings* tab, to control this behavior. If the option is enabled and the authentication result is @null@, then it can perform the fallback; a @false@ result would then deny the login without consulting the local database.

As a basic example, the following diff changes the main GUI authentication test to only fall back when a remote authentication server is unreachable:

 <pre><code class="diff"> 
 diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc 
 index a3411ab56c..bae514b759 100644 
 --- a/src/etc/inc/auth.inc 
 +++ b/src/etc/inc/auth.inc 
 @@ -2183,7 +2183,7 @@ function session_auth() { 
 	 if (isset($_POST['login']) && !empty($_POST['usernamefld'])) { 
 		 $authcfg = auth_get_authserver(config_get_path('system/webgui/authmode')); 
 		 $remoteauth = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes); 
 - 		 if ($remoteauth || authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) { 
 + 		 if ($remoteauth || ((is_null($remoteauth) (is_null($remoteauth) && authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])))) $_POST['passwordfld']))) { 
 			 // Generate a new id to avoid session fixation 
 			 session_regenerate_id(); 
 			 $_SESSION['Logged_In'] = "True"; 
 </code></pre> 
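Review bot: the single `+` line in this hunk does not parse as written: `(is_null($remoteauth)` appears twice, `$_POST['passwordfld']))` appears twice, and the parentheses do not balance, which looks like the line was mangled when pasted. From the description, the intended condition is `if ($remoteauth || (is_null($remoteauth) && authenticate_user($_POST['usernamefld'], $_POST['passwordfld']))) {`. Note also that this hunk hard-wires the unreachable-only behaviour; the `is_null()` test needs to be gated on the proposed User Manager option so that installations keeping the default still fall back on a `false` result, otherwise a reachable-but-misbehaving RADIUS/LDAP server would lock the administrator out, which is exactly the case the existing unconditional fallback guards against.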

That sort of change would need to be combined with the new option test. Every location in the code that uses @authenticate_user()@ would need similar treatment.
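The tri-state result (@true@ accepted, @false@ rejected, @null@ unreachable) and the proposed option are easy to get wrong with PHP's loose truthiness, since both @false@ and @null@ are falsy. The following is an added example written for this page, not pfSense code: it models the @session_auth()@ decision with the option factored into a separate function and exercises all three remote outcomes with and without the option. The option name @$unreachableOnly@, the callable authenticators and the sample local user are assumptions constructed for the example.

```php
<?php
// Added example, not pfSense code. Models the proposed fallback decision.
// Assumptions (hypothetical): the option is a boolean $unreachableOnly;
// authenticators are callables returning true (accepted), false (rejected)
// or null (server unreachable), following the null/false convention the
// feature request describes for the RADIUS/LDAP functions.

/**
 * Decide whether local authentication may be consulted after a remote result.
 * Strict comparisons are deliberate: null and false must not be conflated.
 *
 * @param bool|null $remoteauth      true = accepted, false = rejected, null = unreachable
 * @param bool      $unreachableOnly the proposed User Manager option
 */
function local_fallback_allowed(?bool $remoteauth, bool $unreachableOnly): bool {
    if ($remoteauth === true) {
        return false; // already authenticated remotely; no fallback needed
    }
    if (!$unreachableOnly) {
        return true;  // current behaviour: any remote failure falls back
    }
    // Proposed behaviour: only an unreachable server (null) falls back;
    // an explicit rejection (false) is final.
    return $remoteauth === null;
}

/**
 * Mirror of the session_auth() test from the feature request.
 * Returns which source granted access ('remote' or 'local'), or null if denied.
 */
function gui_login(callable $remote, callable $local, string $user, string $pass, bool $unreachableOnly): ?string {
    $remoteauth = $remote($user, $pass);
    if ($remoteauth === true) {
        return 'remote';
    }
    if (local_fallback_allowed($remoteauth, $unreachableOnly) && $local($user, $pass) === true) {
        return 'local';
    }
    return null;
}

// Constructed stand-ins for the RADIUS/LDAP check and the local user database.
$remote_unreachable = fn(string $u, string $p): ?bool => null;
$remote_rejects     = fn(string $u, string $p): ?bool => false;
$remote_accepts     = fn(string $u, string $p): ?bool => true;
$local_db = ['admin' => 'local-secret']; // constructed sample user, not a real credential
$local = fn(string $u, string $p): bool => isset($local_db[$u]) && hash_equals($local_db[$u], $p);

$cases = [
    'unreachable' => $remote_unreachable,
    'rejected'    => $remote_rejects,
    'accepted'    => $remote_accepts,
];
foreach ([false, true] as $unreachableOnly) {
    foreach ($cases as $label => $remote) {
        $result = gui_login($remote, $local, 'admin', 'local-secret', $unreachableOnly);
        printf("option=%s remote=%-11s -> %s\n",
            $unreachableOnly ? 'on ' : 'off', $label, $result ?? 'denied');
    }
}
```

With the option off, both the unreachable and the rejected cases end in a local login, which is today's behaviour. With the option on, only the unreachable case reaches the local database and a rejection is denied outright. Keeping the decision in one function is what makes it practical to apply the same rule at every call site of @authenticate_user()@ rather than re-deriving the null/false distinction in each one.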