/etc/inc/auth.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/etc/inc/auth.inc @ f818439b

1	6fdc0ab2	Bill Marquette	<?php
2			/* $Id$ */
3			/*
4			Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>
5			All rights reserved.
6
7			Redistribution and use in source and binary forms, with or without
8			modification, are permitted provided that the following conditions are met:
9
10			1. Redistributions of source code must retain the above copyright notice,
11			this list of conditions and the following disclaimer.
12
13			2. Redistributions in binary form must reproduce the above copyright
14			notice, this list of conditions and the following disclaimer in the
15			documentation and/or other materials provided with the distribution.
16
17			THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
18			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
19			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
21			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26			POSSIBILITY OF SUCH DAMAGE.
27			*/
28
29			require_once("config.inc");
30			require_once("globals.inc");
31
32			/* We only support file backed HTTP Basic auth right now */
33	bf786a5d	Bill Marquette	$auth_method="htpasswd_backed_basic_auth";
34	6fdc0ab2	Bill Marquette
35			/* Authenticate user - exit if failed (we should have a callback for this maybe) */
36			if (!$auth_method())
37			exit;
38
39			function basic_auth_prompt(){
40	95263be2	Scott Ullrich	header("WWW-Authenticate: Basic realm=\".\"");
41	6fdc0ab2	Bill Marquette	header("HTTP/1.0 401 Unauthorized");
42			echo "You must enter valid credentials to access this resource.";
43			exit;
44			}
45
46	bf786a5d	Bill Marquette	function passwd_backed_basic_auth() {
47	6fdc0ab2	Bill Marquette	global $HTTP_SERVER_VARS;
48
49			$authfile = file("/etc/master.passwd");
50
51			/* Prompt three times and give up */
52			for($attempt = 0; $attempt <= 3; basic_auth_prompt()){
53			$attempt++;
54	bf786a5d	Bill Marquette	/* Check for AUTH_USER */
55	063f8745	Bill Marquette	if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
56			$HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
57			$HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
58			}
59	bf786a5d	Bill Marquette	if (!isset($HTTP_SERVER_VARS['AUTH_USER']))
60	6fdc0ab2	Bill Marquette	continue;
61
62			/* Check to see if user even exists */
63	bf786a5d	Bill Marquette	$username = $HTTP_SERVER_VARS['AUTH_USER'];
64	6d526f38	Scott Ullrich	if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
65			continue;
66	6fdc0ab2	Bill Marquette
67			/* Get crypted password */
68	3e789a8b	Scott Ullrich	$matches = "";
69			preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
70	6fdc0ab2	Bill Marquette	$pass = $matches[1];
71			$salt = $matches[2];
72
73			/* Encrypt entered password with salt */
74	bf786a5d	Bill Marquette	$authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt);
75	6fdc0ab2	Bill Marquette
76			/* And finally validate password */
77			if($authpass == $pass)
78			return true;
79			else
80			continue;
81			}
82
83			/* Should only get here if user fails login three times */
84			return false;
85			}
86
87	bf786a5d	Bill Marquette	function htpasswd_backed_basic_auth() {
88			global $HTTP_SERVER_VARS;
89
90			$authfile = file("/var/run/htpasswd");
91
92	5a9edd86	Bill Marquette	/* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
93			unlink_if_exists("/usr/local/www/.htpasswd");
94
95	bf786a5d	Bill Marquette	/* Prompt three times and give up */
96			for($attempt = 0; $attempt <= 3; basic_auth_prompt()){
97			$attempt++;
98			/* Check for AUTH_USER */
99	063f8745	Bill Marquette	if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
100			$HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
101			$HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
102			}
103	bf786a5d	Bill Marquette	if (!isset($HTTP_SERVER_VARS['AUTH_USER']))
104			continue;
105
106	6d526f38	Scott Ullrich	/* Check to see if user even exists */
107			$username = $HTTP_SERVER_VARS['AUTH_USER'];
108			if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
109			continue;
110	bf786a5d	Bill Marquette
111			/* Get crypted password */
112	3e789a8b	Scott Ullrich	$matches = "";
113	7b52f88d	Bill Marquette	preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
114	bf786a5d	Bill Marquette	$pass = $matches[1];
115			$salt = $matches[2];
116
117			/* Encrypt entered password with salt */
118			$authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt);
119
120			/* And finally validate password */
121			if($authpass == $pass)
122			return true;
123			else
124			continue;
125			}
126
127			/* Should only get here if user fails login three times */
128			return false;
129			}
130
131	6d526f38	Scott Ullrich	?>

Project

General

Profile

pfSense