/ - Diff - pfSense - pfSense bugtracker

« Previous | Next »

Revision 8901958c

Add backend code to verify username against cn on login if set by user. Needs GUI code to set the option yet. Ticket #887

     /* read data from environment */
     $username = getenv("username");
     $password = getenv("password");
     $common_name = getenv("common_name");
     if (!$username || !$password) {
     	syslog(LOG_ERR, "invalid user authentication environment");
-...
     //<template>
     $authenticated = false;
     if (($strictusercn === true) && ($common_name != $username)) {
     	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
     	exit(1);
+    }
     foreach ($authmodes as $authmode) {
     	$authcfg = auth_get_authserver($authmode);
     	if (!$authcfg && $authmode != "local")

     						$firstsed = 1;
     						$sed .= "\"{$authcfg}\"";
+    					}
     					$sed .= ");";
     					$sed .= ");\\\n";
     					if (isset($settings['strictusercn']))
     						$sed .= "\$strictusercn = true;";
     					mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' >  {$g['varetc_path']}/openvpn/{$mode_id}.php");
     					mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
     					$conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";

Also available in: Unified diff