Project

General

Profile

Download (3.57 KB) Statistics
| Branch: | Tag: | Revision:
1
#!/usr/local/bin/php-cgi -f
2
<?php
3
/*
4
 * ipsec.auth-user.php
5
 *
6
 * part of pfSense (https://www.pfsense.org)
7
 * Copyright (c) 2008 Shrew Soft Inc
8
 * Copyright (c) 2008-2013 BSD Perimeter
9
 * Copyright (c) 2013-2016 Electric Sheep Fencing
10
 * Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate)
11
 * All rights reserved.
12
 *
13
 * Licensed under the Apache License, Version 2.0 (the "License");
14
 * you may not use this file except in compliance with the License.
15
 * You may obtain a copy of the License at
16
 *
17
 * http://www.apache.org/licenses/LICENSE-2.0
18
 *
19
 * Unless required by applicable law or agreed to in writing, software
20
 * distributed under the License is distributed on an "AS IS" BASIS,
21
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22
 * See the License for the specific language governing permissions and
23
 * limitations under the License.
24
 */
25

    
26
/*
27
 * ipsec calls this script to authenticate a user
28
 * based on a username and password. We lookup these
29
 * in our config.xml file and check the credentials.
30
 */
31

    
32
require_once("globals.inc");
33
require_once("config.inc");
34
require_once("auth.inc");
35
require_once("interfaces.inc");
36

    
37
global $config;
38

    
39
/* setup syslog logging */
40
openlog("charon", LOG_ODELAY, LOG_AUTH);
41

    
42
if (isset($_GET['username'])) {
43
	$authmodes = explode(",", $_GET['authcfg']);
44
	$username = $_GET['username'];
45
	$password = $_GET['password'];
46
	$common_name = $_GET['cn'];
47
} else {
48
	/* read data from environment */
49
	$username = getenv("username");
50
	$password = getenv("password");
51
	$common_name = getenv("common_name");
52
	$authmodes = explode(",", getenv("authcfg"));
53
}
54

    
55
if (!$username) {
56
	syslog(LOG_ERR, "invalid user authentication environment");
57
	if (isset($_GET['username'])) {
58
		echo "FAILED";
59
		closelog();
60
		return;
61
	} else {
62
		closelog();
63
		exit (-1);
64
	}
65
}
66

    
67
$authenticated = false;
68

    
69
if (($strictusercn === true) && ($common_name != $username)) {
70
	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.");
71
	if (isset($_GET['username'])) {
72
		echo "FAILED";
73
		closelog();
74
		return;
75
	} else {
76
		closelog();
77
		exit (1);
78
	}
79
}
80

    
81
$attributes = array("nas_identifier" => "xauthIPsec");
82
if (($config['ipsec']['client']['group_source'] == 'enabled') &&
83
    !empty($config['ipsec']['client']['auth_groups'])) {
84
	$ipsec_groups = explode(",", ($config['ipsec']['client']['auth_groups']));
85
} else { 
86
	$ipsec_groups = '';
87
}
88
foreach ($authmodes as $authmode) {
89
	$authcfg = auth_get_authserver($authmode);
90
	if (!$authcfg && $authmode != "Local Database") {
91
		continue;
92
	}
93

    
94
	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
95
	if ($authenticated == true) {
96
		$userGroups = getUserGroups($username, $authcfg, $attributes);
97
		if ($authmode == "Local Database") {
98
			$user = getUserEntry($username);
99
			if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin") ||
100
			    (!empty($ipsec_groups) && (count(array_intersect($userGroups, $ipsec_groups)) == 0))) {
101
				$authenticated = false;
102
				syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPsec since the required privileges are missing.");
103
				continue;
104
			}
105
		}
106
		break;
107
	}
108
}
109

    
110
if ($authenticated == false) {
111
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.");
112
	if (isset($_GET['username'])) {
113
		echo "FAILED";
114
		closelog();
115
		return;
116
	} else {
117
		closelog();
118
		exit (-1);
119
	}
120
}
121

    
122
if (file_exists("/etc/inc/ipsec.attributes.php")) {
123
	include_once("/etc/inc/ipsec.attributes.php");
124
}
125

    
126
syslog(LOG_NOTICE, "user '{$username}' authenticated");
127
closelog();
128

    
129
if (isset($_GET['username'])) {
130
	echo "OK";
131
} else {
132
	exit (0);
133
}
134

    
135
?>
(26-26/62)