Add check for user-ssh-tunnel to give users access to the ssh tunnel shell
Flip this test around so it is easier to follow/read.
Sync groups first, since users may rely on group changes.
Make sure a user gets deleted from the 'all' group.
Clean up this code.
Remove home directory when deleting a user.
Bypass the DNS Rebind attack checks if accessing by IP address.
Check for locally configured IPs in DNS rebind checks, so people who port forward from WAN to the LAN IP can still work.
Add a text box where someone can enter in alternate hostnames for the system to bypass the DNS rebind checks.
Add a checkbox to disable DNS rebinding checks if needed.
More fixes for DNS rebinding checks (Most of this code is Scott's, with some minor fixes by me)
Correct check
Check for 127.0.0.1 as well
Oops, correct check
Add localhost as a valid host for SSH forwarding cases
Wrap the dns rebind check in a test to see if our error function exists. If it doesn't, it's probably being called from captive portal, so skip the check. Fixes #721
Move the skel dir to /etc/skel, where it's easier to manage from a build point of view.
Slight fix to dyndns check
Check dyndns hostnames as well for DNS Rebind issues
^ Potential
Binding -> Rebinding
Comment what we are doing here and add the ticket #.
More dns-rebind checks. Ticket #708
Give users with ssh access a real shell, but make sure that admin still gets /etc/rc.initial
Set a skeleton directory for pw
Let pw handle the creation of the home directory rather than do it in php.
Give users who have "all" privileges shell access. Part of ticket #614
Remove some redundant code and make sure admin's home directory is /root - Fixes #218
Fixes #613. Add correctly users to all users group.
Do not include functions.inc just for pfSenseHeader which is not really the best place to use!
Fixes #660. Simplify some code and correctly do an exit after a redirect is issued. Thanks-to: Efonne for analysis.
Use mwexec where it does not make sense to use popen for something that does not take any parameters. Create a function to actually remove a user from its groups when the user itself is deleted.
Correct the shell for the admin account, this should be /etc/rc.initial. Not /bin/sh
Fix creation of admin user account with uid of 0. This fixes ticket #574
Allow the webui admin account to have a duplicate user ID of 0. Make sure to create that account before attempting to modify its attributes
Ticket #389. Correctly make the ldap object picker work and handle various errors.
Ticket #378. Correctly handle a timeout of 0 to mean never timeout.
Allow users to send in the same POST authentication info and post fields. This will be allowed by authentication code if the special post var 'postafterlogin' isset.
Simplify code.
fix text
Add includes needed. Fix typo.
Fix bug where user wasn't being removed from groups upon deletion.
Add a function to get user groups based on authentication server. Use this function to show the groups the user is a member of on Diag Authentication.
Remove the authentication fallback it does not have any meaning now.
Remove dead code.
Overhaul the user login system to use the Servers tab as its base.
Fix quite a few problems down the way.
Remove unused var and stale comment.
Add the necessary foo for radius.inc to work.
Add copyrights of myself.
Allow the GUI auth API to be used for doing authentication against authentication servers specified. Teach Openvpn to use this API. Allow openvpn to authenticate against multiple servers that can be selected on the server configuration page.
Do not allow login for expired and disabled users. Fix this even in openvpn authentication script. While here clean up the code quite a bit.
Use _ instead of > so browser does not interpret it as html.
Do not show the passwd used to logon on logs. Also change the replace from $username to <username> so php does not try to do clever stuff.
fix previous commit
Change default session timeout to 4 hours. Clarify text description. Remove limit of < 999 and other invalid/unnecessary input validation. Use product_name
Remove "-G all" as it was causing the useradd operation to fail, leading to other failures. (Users were not added to passwd, home directories were not being made, etc)
Remove extra / to avoid having a double slash in the directory name. Also add curly braces around $user_home.
Home directory of uid 0 should be /root. Ticket #218
Add page global variable
Recommit #161 changes. It appears a different commit has broken firewall rules edit and firewall nat edit.
Revert "Redirect to / when logging in to avoid posting to forms accidentally and clearing the form and causing all kinds of chaos. Ticket #161"
This reverts commit 6af7c40b296e0f95ec308d41aea55b3306c5e1ee.
Redirect to / when logging in to avoid posting to forms accidentally and clearing the form and causing all kinds of chaos. Ticket #161
Use ['name'] when looking up items
Escape ' Ticket #143
Show ajax properly
Add disabled checkbox. Add code to check for disabled accounts.
Return after setting account expired
Honor account expiration
create a config include that just presents $config to the webgui (no boot code being parsed anymore in webgui now)
Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions
We need to be RW to modify user information.
Give admin user special treatment just like root.
Remove ^M or \r from this file its impossible to read in vi.
Give proper rights to file when creating since php is run as root and might change permissions in dirs while modifying/creating them. Reported-by: http://forum.pfsense.org/index.php/topic,16890.0.html
Use -q to hopefully get rid of messages such as: pw: WARNING account 'admin' will have a valid id of 0 (superuser access!)
Use mwexec() so we do not see this error on fresh installation:
cp: /root/.. is a directory (not copied).cp: /root/. is a directory (not copied).
Ensure $user_base directory exists and is writable. Kills ugly warning on fresh installation.
Modify captive portal to use centralized user management. The user manager has been modified to include an account expiration option to support this service.
Choose the correct parameter to popen so syncing of a group can work correctly.
Open a write pipe so we can be sure the password goes to the stdinput of the command. This should fix the ssh password problems reported on the forums.
Add missing /
When a new user home directory is created, copy the . (dot) root files.
Use a MFS /home on CD-Rom.
Backout last commit, /var/home is a symlink
Use /home, even for embedded
Only mount for rw during sync function.
Another missed needed conf_mount_rw().
Oops, we need to mount rw before creating home dir.
Hopefully unbreak the user manager on embedded.
See: http://forum.pfsense.org/index.php/topic,12567.0/topicseen.html
Add global debug where needed
Only show debug Running commands if $debug is enabled
Moves the protocol and certificate options out of the general config page to the Advanced admin access tab. The thought is that they should be next to each other. The certificate management has also been modified to use the centralized certificate manager. I took the liberty of removing the...
Remove the page locking privileges after discussion with Scott on IRC. The feature was confusing and offered little utility that I could see. If we really need to provide serialized access to sections of the webui, IMO it should be a global lock option and enabled or disabled manually and not a...
Now that we have given the mhash extension a bit of time to settle into the tree, enable nthash password generation.
Silence warnings generated by pw during configuration update. Requested by Scott.
Cleanup authentication code. The basic auth method, the passwd, htpasswd and pam backing functions have been removed. The basic auth method was legacy code and the backing functions were redundant with no added value that I could see. A simplified replacement backing function named...
Add an option to set_local_group to clear the system user member list.
When performing a user configuration upgrade, make sure the all group gets created before syncing accounts to the system.