-rw-r--r--TODO9
-rw-r--r--database/eurephiadb-driver_template.c17
-rw-r--r--database/sqlite/eurephiadb-sqlite.c15
-rw-r--r--eurephia.c13
4 files changed, 26 insertions, 28 deletions
diff --git a/TODO b/TODO
index c13e630..e911a29 100644
--- a/TODO
+++ b/TODO
@@ -15,6 +15,7 @@
- Show blacklist
- Admin program should use eurephiaDB
+* Add possibility to block blacklisted IPs also in firewall
**
** Release 1.1 requirements
@@ -28,6 +29,10 @@
- This binary loads the firewall interface (dlopen)
- The binary takes care of opening up and destruction of message
queues and semaphores
+* Admin program - add vpnpasswd program
+ - Uses PAM to authenticate local shell user
+ - Changes password in the eurephia user database for the current
+ shell user
**
** Wish list
@@ -42,3 +47,7 @@
- Check that user/cert matches
* Write MySQL driver (release 1.2?)
+
+* Implement Kerberos user authentication (release 1.3?)
+ - User/password authentication is done via Kerberos, using
+ userID(?) from Kerberos ... to replace openvpn_users
diff --git a/database/eurephiadb-driver_template.c b/database/eurephiadb-driver_template.c
index fc67510..d237c00 100644
--- a/database/eurephiadb-driver_template.c
+++ b/database/eurephiadb-driver_template.c
@@ -222,24 +222,13 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
org, cname, email, depth, digest
*/
- if( /*IF WE GOT A RESULT */ ) {
+ if( /* IF WE GOT A RESULT */ ) {
certid = atoi_nullsafe(/* GET cert.certid FROM SQL RESULT */);
blid = atoi_nullsafe(/* GET blid FROM SQL RESULT */);
/* FREE SQL RESULT */
- // Check if we found certificate to be blacklisted or not. blid == NULL when NOT blacklisted
- if( blid == NULL ) {
- if( certid > 0 ) {
- eurephia_log(ctx, LOG_INFO, 0,
- "Found certid %i for user: %s/%s/%s",
- certid, org, cname, email);
- } else {
- eurephia_log(ctx, LOG_INFO, 1,
- "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
- org, cname, email, depth, digest);
- }
- // Certificate is okay, certid contains the certificate ID
- } else {
+ // Check if the certificate is blacklisted or not. blid != NULL when blacklisted
+ if( blid != NULL ) {
// If the certificate or IP is blacklisted, update status and deny access.
eurephia_log(ctx, LOG_WARNING, 0,
"Attempt with BLACKLISTED certificate (certid %i)", certid);
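Review bot: The new condition `if( blid != NULL )` does not fit how `blid` is obtained two lines above the deleted block: the template fills it with `atoi_nullsafe(...)`, i.e. an integer, while the sqlite driver this template mirrors uses `strdup_nullsafe(...)` and gets a pointer. If `blid` is declared as an int here, comparing it against `NULL` is an int/pointer comparison (a warning or error depending on how `NULL` is defined) and a blacklist row with id 0 would be treated as not blacklisted, so the "blid != NULL when blacklisted" comment would be wrong for this driver. Either make the template match the sqlite driver, `blid = strdup_nullsafe(/* GET blid FROM SQL RESULT */);` with a matching `free(blid)` after the check, or spell the integer test out as `if( blid > 0 )` and reword the comment; I cannot see the declaration of `blid`, so confirm which type it has. eDBauth_TLS starts and ends outside this hunk.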
diff --git a/database/sqlite/eurephiadb-sqlite.c b/database/sqlite/eurephiadb-sqlite.c
index 2a0b9be..644815f 100644
--- a/database/sqlite/eurephiadb-sqlite.c
+++ b/database/sqlite/eurephiadb-sqlite.c
@@ -205,19 +205,8 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
blid = strdup_nullsafe(sqlite_get_value(res, 0, 1));
sqlite_free_results(res);
- // Check if we found certificate to be blacklisted or not. blid == NULL when NOT blacklisted
- if( blid == NULL ) {
- if( certid > 0 ) {
- eurephia_log(ctx, LOG_INFO, 0,
- "Found certid %i for user: %s/%s/%s",
- certid, org, cname, email);
- } else {
- eurephia_log(ctx, LOG_INFO, 1,
- "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
- org, cname, email, depth, digest);
- }
- // Certificate is okay, certid contains the certificate ID
- } else {
+ // Check if the certificate is blacklisted or not. blid != NULL when blacklisted
+ if( blid != NULL ) {
// If the certificate or IP is blacklisted, update status and deny access.
eurephia_log(ctx, LOG_WARNING, 0,
"Attempt with BLACKLISTED certificate (certid %i)", certid);
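Review bot: With the non-blacklisted branch removed, the only identifying detail left on the blacklist path is the numeric certid, whereas the deleted lines used to log org/cname/email for every lookup; for incident response it is worth keeping that context on the denial, e.g. `"Attempt with BLACKLISTED certificate (certid %i) for %s/%s/%s", certid, org, cname, email`. Also note that `blid` is now a `strdup_nullsafe` allocation (line above `sqlite_free_results`) whose release used to sit near the removed branch; make sure the remainder of eDBauth_TLS, which lies outside this hunk, still frees it on both the blacklisted and the non-blacklisted path.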
diff --git a/eurephia.c b/eurephia.c
index 82aa183..62c1f89 100644
--- a/eurephia.c
+++ b/eurephia.c
@@ -276,12 +276,21 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth)
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
}
- free_certinfo(ci);
if( result > 0 ) {
+ // Certificate is okay, result contains the certificate ID
+ eurephia_log(ctx, LOG_INFO, (depth == 0 ? 0 : 1),
+ "Found certid %i for user: %s/%s/%s",
+ result, ci->org, ci->common_name, ci->email);
+
// Reset attempt counter for certificate if it is okey
eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest);
+ } else {
+ eurephia_log(ctx, LOG_WARNING, 0,
+ "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
+ ci->org, ci->common_name, ci->email, depth, tls_digest);
}
+ free_certinfo(ci);
DEBUG(ctx, 10, "** Function result: eurephia_tlsverify(...) == %i", result > 0);
return (result > 0);
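Review bot: The log-level expression `(depth == 0 ? 0 : 1)` on the new "Found certid" line compares a pointer, not the depth value: `depth` is `const char *` per the function signature in the hunk header and is printed with `%s` a few lines below, so `depth == 0` is only true when the pointer is NULL and the message is effectively always logged at level 1. If the intent is to log chain depth 0 more prominently, compare the string, `((depth != NULL && strcmp(depth, "0") == 0) ? 0 : 1)`, which also avoids passing a NULL `depth` to `%s` in the "Unknown certificate" message. Moving `free_certinfo(ci)` below the new uses of `ci->org` etc. is correct, but the fields of `ci` are also passed to `%s`; if free_certinfo/parse can leave them NULL (not visible here), a nullsafe fallback is needed. eurephia_tlsverify begins before this hunk.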
@@ -350,6 +359,8 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_RESET, ipaddr);
eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest);
eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_RESET, username);
+
+ eurephia_log(ctx, LOG_INFO, 0, "User '%s' authenticated", username);
}
DEBUG(ctx, 10, "** Function result: eurephia_userauth(...) = %i", (result>0));
return (result > 0);
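Review bot: The new "User '%s' authenticated" line writes `username` into the log verbatim; given this function takes `env` from the caller and the value is also used as an attempt-counter key, it looks like client-supplied input, and unless eurephia_log strips control characters (not visible here) a username containing a newline can forge additional log lines. Either sanitise before logging or document the assumption on the log call, e.g. `// username is client-supplied; eurephia_log is expected to escape control characters`. eurephia_userauth starts outside this hunk.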