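#!/usr/local/bin/php-cgi -f
<?php
/*
 * ipsec.auth-user.php
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2008 Shrew Soft Inc
 * Copyright (c) 2008-2018 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * Authentication back-end for IPsec mobile clients.
 *
 * The IPsec daemon hands this script a username, a password, the client
 * certificate's common name and a comma-separated list of authentication
 * servers to try.  Each server is consulted in order until one accepts the
 * credentials; local accounts must additionally hold the
 * "user-ipsec-xauth-dialin" privilege.
 *
 * Two invocation styles are supported and the verdict is reported
 * differently for each:
 *
 *   - CGI style (parameters in the query string, $_GET): the verdict is the
 *     literal string "OK" or "FAILED" on stdout and the script ends normally.
 *   - script style (parameters in the environment: username, password,
 *     common_name, authcfg): nothing is printed and the verdict is the exit
 *     status, 0 for authenticated and non-zero for denied.
 *
 * NOTE(review): in CGI style the password is carried in the query string.
 * Query strings end up in web server, proxy and browser logs, so this entry
 * point must only ever be reachable by the local IPsec daemon and must never
 * be exposed over HTTP.
 *
 * Stdout content and exit status are the only contract with the caller;
 * keep them stable when changing this file.
 */

require_once("globals.inc");
require_once("config.inc");
require_once("auth.inc");
require_once("interfaces.inc");

/* Log under the daemon's name on the auth facility so entries sit next to charon's own. */
openlog("charon", LOG_ODELAY, LOG_AUTH);

/* A username in the query string marks a CGI-style call; otherwise read the environment. */
$via_cgi = isset($_GET['username']);

if ($via_cgi) {
	$username    = $_GET['username'];
	$password    = isset($_GET['password']) ? $_GET['password'] : null;
	$common_name = isset($_GET['cn']) ? $_GET['cn'] : null;
	$authcfg_raw = isset($_GET['authcfg']) ? $_GET['authcfg'] : '';
} else {
	/* script style: the daemon passes everything through the environment */
	$username    = getenv("username");
	$password    = getenv("password");
	$common_name = getenv("common_name");
	$authcfg_raw = getenv("authcfg");
}

/*
 * Ordered list of authentication server names to try.  Cast before
 * splitting: getenv() returns false when the variable is unset and
 * explode() on a non-string is deprecated on newer PHP.
 */
$authmodes = explode(",", (string) $authcfg_raw);

/*
 * Both credentials must be present.  "Present" is checked explicitly (a
 * non-empty string) instead of with a bare truthiness test, which would also
 * reject the legitimate values "0" and would let a query-string array
 * (?username[]=x) through to the authentication back-ends.  getenv() yields
 * false and $_GET yields null for an unset parameter; neither is a string.
 */
$username_missing = (!is_string($username) || $username === '');
$password_missing = (!is_string($password) || $password === '');

if ($username_missing || $password_missing) {
	syslog(LOG_ERR, "invalid user authentication environment");
	closelog();
	if ($via_cgi) {
		echo "FAILED";
		return;
	}
	exit(-1);
}

/*
 * Copies of the attacker-influenced strings that are safe to put in a log
 * line: control characters (CR/LF in particular) are replaced so a crafted
 * username or certificate CN cannot forge additional syslog entries.
 * Authentication itself always uses the untouched values.
 */
$log_user = preg_replace('/[\x00-\x1f\x7f]/', '?', $username);
$log_cn   = preg_replace('/[\x00-\x1f\x7f]/', '?', (string) $common_name);

/*
 * Optionally require the certificate common name to equal the username.
 * $strictusercn is not assigned anywhere in this file; it is presumably
 * provided by one of the included files (TODO confirm), and the check is
 * skipped unless it is exactly boolean true.  The comparison is strict so
 * that numeric-looking strings such as "1e3" and "1000" are not treated as
 * equal the way a loose != would treat them.
 */
if (isset($strictusercn) && ($strictusercn === true) && ($common_name !== $username)) {
	syslog(LOG_WARNING, "Username does not match certificate common name ({$log_user} != {$log_cn}), access denied.\n");
	closelog();
	if ($via_cgi) {
		echo "FAILED";
		return;
	}
	/* Historically this path exits with 1 rather than -1; any non-zero status denies. */
	exit(1);
}

$attributes = array("nas_identifier" => "xauthIPsec");
$authenticated = false;

foreach ($authmodes as $authmode) {
	$authcfg = auth_get_authserver($authmode);

	/*
	 * Names that do not resolve to a configured server are skipped, so an
	 * attacker-supplied authcfg list cannot route the request anywhere that
	 * is not already configured.  "Local Database" has no server entry and is
	 * handled by authenticate_user() with $authcfg === false.
	 */
	if (!$authcfg && $authmode !== "Local Database") {
		continue;
	}

	if (!authenticate_user($username, $password, $authcfg, $attributes)) {
		continue;
	}

	/* A valid local password is not enough: the account also needs the dial-in privilege. */
	if ($authmode === "Local Database") {
		$user = getUserEntry($username);
		if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
			syslog(LOG_WARNING, "user '{$log_user}' cannot authenticate through IPsec since the required privileges are missing.\n");
			/* keep trying any remaining servers in the list */
			continue;
		}
	}

	$authenticated = true;
	break;
}

if (!$authenticated) {
	/* Same response for every failure cause, so the caller learns nothing about which step rejected it. */
	syslog(LOG_WARNING, "user '{$log_user}' could not authenticate.\n");
	closelog();
	if ($via_cgi) {
		echo "FAILED";
		return;
	}
	exit(-1);
}

/*
 * Optional hook run only for an authenticated user.  It sees this script's
 * variables ($username, $user, $authcfg, $attributes, ...); what it does with
 * them is not visible here — TODO confirm against /etc/inc/ipsec.attributes.php.
 */
if (file_exists("/etc/inc/ipsec.attributes.php")) {
	include_once("/etc/inc/ipsec.attributes.php");
}

syslog(LOG_NOTICE, "user '{$log_user}' authenticated\n");
closelog();

if ($via_cgi) {
	/* CGI style: the caller parses stdout, so "OK" must be the only output. */
	echo "OK";
} else {
	exit(0);
}

/* No closing PHP tag: trailing whitespace after one would corrupt the CGI-style verdict on stdout. */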