/etc/inc/auth.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/etc/inc/auth.inc @ 01f3ce68

1	6fdc0ab2	Bill Marquette	<?php
2			/* $Id$ */
3			/*
4			Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>
5			All rights reserved.
6
7			Redistribution and use in source and binary forms, with or without
8			modification, are permitted provided that the following conditions are met:
9
10			1. Redistributions of source code must retain the above copyright notice,
11			this list of conditions and the following disclaimer.
12
13			2. Redistributions in binary form must reproduce the above copyright
14			notice, this list of conditions and the following disclaimer in the
15			documentation and/or other materials provided with the distribution.
16
17			THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
18			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
19			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
21			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26			POSSIBILITY OF SUCH DAMAGE.
27			*/
28
29			require_once("config.inc");
30			require_once("globals.inc");
31
32			/* We only support file backed HTTP Basic auth right now */
33	bf786a5d	Bill Marquette	$auth_method="htpasswd_backed_basic_auth";
34	6fdc0ab2	Bill Marquette
35			/* Authenticate user - exit if failed (we should have a callback for this maybe) */
36			if (!$auth_method())
37			exit;
38
39			function basic_auth_prompt(){
40	95263be2	Scott Ullrich	header("WWW-Authenticate: Basic realm=\".\"");
41	6fdc0ab2	Bill Marquette	header("HTTP/1.0 401 Unauthorized");
42			echo "You must enter valid credentials to access this resource.";
43			exit;
44			}
45
46	bf786a5d	Bill Marquette	function passwd_backed_basic_auth() {
47	6fdc0ab2	Bill Marquette	global $HTTP_SERVER_VARS;
48
49			$authfile = file("/etc/master.passwd");
50
51			/* Prompt three times and give up */
52			for($attempt = 0; $attempt <= 3; basic_auth_prompt()){
53			$attempt++;
54	bf786a5d	Bill Marquette	/* Check for AUTH_USER */
55	063f8745	Bill Marquette	if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
56			$HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
57			$HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
58			}
59	bf786a5d	Bill Marquette	if (!isset($HTTP_SERVER_VARS['AUTH_USER']))
60	6fdc0ab2	Bill Marquette	continue;
61
62			/* Check to see if user even exists */
63	bf786a5d	Bill Marquette	$username = $HTTP_SERVER_VARS['AUTH_USER'];
64	6d526f38	Scott Ullrich	if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
65			continue;
66	6fdc0ab2	Bill Marquette
67			/* Get crypted password */
68	7b52f88d	Bill Marquette	preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
69	6fdc0ab2	Bill Marquette	$pass = $matches[1];
70			$salt = $matches[2];
71
72			/* Encrypt entered password with salt */
73	bf786a5d	Bill Marquette	$authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt);
74	6fdc0ab2	Bill Marquette
75			/* And finally validate password */
76			if($authpass == $pass)
77			return true;
78			else
79			continue;
80			}
81
82			/* Should only get here if user fails login three times */
83			return false;
84			}
85
86	bf786a5d	Bill Marquette	function htpasswd_backed_basic_auth() {
87			global $HTTP_SERVER_VARS;
88
89			$authfile = file("/var/run/htpasswd");
90
91	5a9edd86	Bill Marquette	/* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
92			unlink_if_exists("/usr/local/www/.htpasswd");
93
94	bf786a5d	Bill Marquette	/* Prompt three times and give up */
95			for($attempt = 0; $attempt <= 3; basic_auth_prompt()){
96			$attempt++;
97			/* Check for AUTH_USER */
98	063f8745	Bill Marquette	if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
99			$HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
100			$HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
101			}
102	bf786a5d	Bill Marquette	if (!isset($HTTP_SERVER_VARS['AUTH_USER']))
103			continue;
104
105	6d526f38	Scott Ullrich	/* Check to see if user even exists */
106			$username = $HTTP_SERVER_VARS['AUTH_USER'];
107			if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
108			continue;
109	bf786a5d	Bill Marquette
110			/* Get crypted password */
111	7b52f88d	Bill Marquette	preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
112	bf786a5d	Bill Marquette	$pass = $matches[1];
113			$salt = $matches[2];
114
115			/* Encrypt entered password with salt */
116			$authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt);
117
118			/* And finally validate password */
119			if($authpass == $pass)
120			return true;
121			else
122			continue;
123			}
124
125			/* Should only get here if user fails login three times */
126			return false;
127			}
128
129	6d526f38	Scott Ullrich	?>

Project

General

Profile

pfSense