author | David Sommerseth <dazo@users.sourceforge.net> | 2013-03-03 21:32:46 +0100 |
committer | David Sommerseth <dazo@users.sourceforge.net> | 2013-03-03 21:34:44 +0100 |
commit | 4436104929fb437fd0e323fcc6e542323db1aed6 (patch) | |
tree | dbd4a90ca144b59c038563f97c6bdc9108b8a709 | |
parent | a6675fde94aef0da259511fb7c581a07d88ab31e (diff) | |
New feature: Added config option auth_disable_internal
By setting this config option in the eurephia database, eurephia will
expect all user account/certificate links to be set up with an external
plug-in for username/password authentications.
Further, it is now ensured that system configuration issues or general
failures not related to the user authentication itself are not counted
as a login attempt.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
-rw-r--r-- | common/eurephia_context.h | 1 | ||||
-rw-r--r-- | man/eurephia-variables.7 | 8 | ||||
-rw-r--r-- | plugin/eurephia.c | 30 |
3 files changed, 31 insertions, 8 deletions
diff --git a/common/eurephia_context.h b/common/eurephia_context.h
index f8cf4ba..b21dde8 100644
--- a/common/eurephia_context.h
+++ b/common/eurephia_context.h
@@ -69,6 +69,7 @@ typedef struct {
 #else
 void *fwcfg; /**< Dummy pointer, if the firewall API is not enabled */
 #endif
+ unsigned int nointernalauth; /**< If set, don't use internal eurephia authentication */
 eAuthPluginCTX *authplugs; /**< Authentication plug-in contexts. May be NULL */
 char *server_salt; /**< The in-memory password salt, used for the password cache */
 eurephiaLOG *log; /**< Log context, used by eurephia_log() */
diff --git a/man/eurephia-variables.7 b/man/eurephia-variables.7
index d7bc0a3..1276653 100644
--- a/man/eurephia-variables.7
+++ b/man/eurephia-variables.7
@@ -1,4 +1,4 @@
-.TH "eurephia-variables" "7" "October 2010" "David Sommerseth" ""
+.TH "eurephia-variables" "7" "March 2013" "David Sommerseth" ""
 .SH "NAME"
 eurephia-variables \- eurephia configuration variables
 .SH DESCRIPTION
@@ -56,10 +56,14 @@ The \fBeurephiadm\fR utility uses XSLT templates for generating the output to th
 .TP
 .B openvpn_devtype
 The \fBeurephia-auth\fR plug-in will try to auto-detect the device type, which must be either tun or tap. If this auto-detection fails, this configuration variable needs to be set to \fBtun\fR or \fBtap\fR. This value must correspond to the OpenVPN configuration.
+.SH "AUTHENTICATION"
+.TP
+.B auth_disable_internal
+If this is set to \fB1\fR, \fBeurephia\fR will not authenticate users against the password hashes in the \fBeurephia\fR database. This will enforce usage of an external authentication source via additionally loaded authentication plug-ins. If not set or set to \fB0\fR, the eurephia database will be used if no authentication plug-ins have been configured or it has been disabled.
 .SH "SEE ALSO"
 \fBeurephiadm\-config\fR(7), \fBeurephia_init\fR(7),
 .br
 Administrators Tutorial and Manual
 .SH "AUTHOR"
-Copyright (C) 2008\-2012 David Sommerseth <dazo@users.sourceforge.net>
+Copyright (C) 2008\-2013 David Sommerseth <dazo@users.sourceforge.net>
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index c169dc7..3392724 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -212,6 +212,7 @@ eurephiaCTX *eurephiaInit(const char const **argv, const char const **envp)
 // Initialise authentication plug-ins. If no authentication plug-ins have been enabled,
 // the authplugs context will be NULL.
 ctx->authplugs = eAuthPlugin_Init(ctx);
+ ctx->nointernalauth = atoi_nullsafe(eGet_value(ctx->dbc->config, "auth_disable_internal")) > 0;
 // Prepare an empty disconnected list.
 // This one is used to track all clients IP addresses and their corresponding eurephia session ID
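Review bot: The new `ctx->nointernalauth` assignment in eurephiaInit() reduces the option to `atoi_nullsafe(...) > 0`, so a value such as `yes` or `true` silently evaluates to 0 and internal authentication stays enabled, and nothing is logged at start-up either way. Because the flag is meant to force external authentication, the effective setting should be visible in the log, and the combination of `ctx->nointernalauth` set with `ctx->authplugs == NULL` leaves no working authentication path at all; that is better reported once here than as the LOG_WARNING the -480 hunk emits on every login attempt. Assuming the log context is usable at this point, a line after the assignment such as `if( ctx->nointernalauth && ctx->authplugs == NULL ) { eurephia_log(ctx, LOG_WARNING, 0, "auth_disable_internal is set but no authentication plug-ins are loaded; all logins will fail"); }` would surface the misconfiguration at start-up. The rest of eurephiaInit() lies outside the hunk.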
@@ -480,20 +481,32 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
 switch (authmeth->method) {
 case eAM_INTERNDB:
- /* Authenticate against the internal eurephia database */
- result = eDBauth_user(ctx, certid, username, passwd);
+ DEBUG(ctx, 12, "Using internal authentication for user '%s'/certid %i",
+ username, certid);
+ if( ctx->nointernalauth == 0 ) {
+ /* Authenticate against the internal eurephia database */
+ result = eDBauth_user(ctx, certid, username, passwd);
+ } else {
+ eurephia_log(ctx, LOG_WARNING, 0,
+ "Internal authentication has been disabled. Enable "
+ "authentication plug-in for user '%s' with certid %i",
+ username, certid);
+ result = 0;
+ }
 break;
 case eAM_PLUGIN:
 authplug = eAuthPlugin_Get(ctx->authplugs, authmeth->authplugid);
 if( authplug == NULL ) {
 eurephia_log(ctx, LOG_ERROR, 0,
- "Failed to find authentication plug-in %i to authenticate"
- "user '%s' with certid %i",
- authmeth->authplugid, username, certid);
+ "Failed to find authentication plug-in %i to authenticate"
+ "user '%s' with certid %i",
+ authmeth->authplugid, username, certid);
 result = 0;
 goto exit;
 }
+ DEBUG(ctx, 12, "Using authentication plugin %i for user '%s'/certid %i",
+ authmeth->authplugid, username, certid);
 /* Authenticate the user via the auth plug-in */
 authres = authplug->AuthenticateUser(ctx, authmeth->username, passwd);
@@ -549,7 +562,12 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
 break;
 case eAM_BLACKLISTED:
+ DEBUG(ctx, 12, "User '%s'/certid %i is blacklisted", username, certid);
+ result = -1;
+ break;
+
 case eAM_INACTIVE:
+ DEBUG(ctx, 12, "User '%s' is not activated", username);
 result = -1;
 break;
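Review bot: In the eAM_INTERNDB branch the new else-path sets `result = 0`, which after this commit is a third outcome distinct from `-1` (denied) and a positive value (accepted), and the attempt-registration check at the end of the function depends on that distinction, yet nothing in the switch documents it; a comment on that line, `result = 0; /* not attempted: configuration problem, must not count as a failed login (denied is -1) */`, and the same on the `result = 0;` before `goto exit` in eAM_PLUGIN, would make the convention explicit, and the -549 hunk's `result = -1` for eAM_BLACKLISTED and eAM_INACTIVE is the other half of it. The re-indented LOG_ERROR format string in eAM_PLUGIN still concatenates `"... to authenticate"` and `"user '%s' ..."` without a separating space, so the message reads "authenticateuser"; `"Failed to find authentication plug-in %i to authenticate "` fixes it. The LOG_WARNING in the else-path fires on every login attempt while the option is set, which is a lot of noise for a static misconfiguration that could be reported once at initialisation. eurephia_userauth() starts before and ends after this hunk.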
@@ -563,7 +581,7 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
 eDBauth_FreeAuthMethodResult(ctx, authmeth);
 /* If the authentication failed, register the failed attempt */
- if( result < 1 ) {
+ if( result < 0 ) {
 eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
 eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
 eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_REGISTER, username);
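Review bot: Relaxing the check to `if( result < 0 )` means every path that leaves `result == 0` no longer registers a failed attempt against the IP address, certificate and username counters; the two `result = 0` cases visible in this commit are configuration problems, but the value eDBauth_user() returns for a wrong password and the mapping of the plug-in's `authres` onto `result` are outside the diff. If either of those reports an ordinary credential failure as 0 rather than a negative value, repeated bad-password attempts would stop being counted, which is the opposite of what the attempt registry is for. Both call sites are worth confirming, and the contract should be pinned next to the check with a comment such as `/* result < 0: authentication denied, counted as an attempt; result == 0: not attempted because of a configuration error, not counted */`. The comment line above it still says "If the authentication failed", which no longer matches the narrower condition. eurephia_userauth() continues past the hunk.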