-rw-r--r-- | TODO | 9 | ||||
-rw-r--r-- | database/eurephiadb-driver_template.c | 17 | ||||
-rw-r--r-- | database/sqlite/eurephiadb-sqlite.c | 15 | ||||
-rw-r--r-- | eurephia.c | 13 |
4 files changed, 26 insertions, 28 deletions
@@ -15,6 +15,7 @@ - Show blacklist - Admin program should use eurephiaDB +* Add possibility to block blacklisted IPs also in firewall ** ** Release 1.1 requirements
@@ -28,6 +29,10 @@ - This binary loads the firewall interface (dlopen) - The binary takes care of opening up and destruction of message queues and semaphores +* Admin program - add vpnpasswd program + - Uses PAM to authenticate local shell user + - Changes password in the eurephia user database for the current + shell user ** ** Wish list
@@ -42,3 +47,7 @@ - Check that user/cert matches * Write MySQL driver (release 1.2?) + +* Implement Kerberos user authentication (release 1.3?) + - User/password authentication is done via Kerberos, using + userID(?) from Kerberos ... to replace openvpn_users
diff --git a/database/eurephiadb-driver_template.c b/database/eurephiadb-driver_template.c
index fc67510..d237c00 100644
--- a/database/eurephiadb-driver_template.c
+++ b/database/eurephiadb-driver_template.c
@@ -222,24 +222,13 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
org, cname, email, depth, digest */
- if( /*IF WE GOT A RESULT */ ) {
+ if( /* IF WE GOT A RESULT */ ) {
certid = atoi_nullsafe(/* GET cert.certid FROM SQL RESULT */);
blid = atoi_nullsafe(/* GET blid FROM SQL RESULT */);
/* FREE SQL RESULT */
- // Check if we found certificate to be blacklisted or not. blid == NULL when NOT blacklisted
- if( blid == NULL ) {
- if( certid > 0 ) {
- eurephia_log(ctx, LOG_INFO, 0,
- "Found certid %i for user: %s/%s/%s",
- certid, org, cname, email);
- } else {
- eurephia_log(ctx, LOG_INFO, 1,
- "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
- org, cname, email, depth, digest);
- }
- // Certificate is okay, certid contains the certificate ID
- } else {
+ // Check if the certificate is blacklisted or not. blid != NULL when blacklisted
+ if( blid != NULL ) {
// If the certificate or IP is blacklisted, update status and deny access.
eurephia_log(ctx, LOG_WARNING, 0, "Attempt with BLACKLISTED certificate (certid %i)", certid);
diff --git a/database/sqlite/eurephiadb-sqlite.c b/database/sqlite/eurephiadb-sqlite.c
index 2a0b9be..644815f 100644
--- a/database/sqlite/eurephiadb-sqlite.c
+++ b/database/sqlite/eurephiadb-sqlite.c
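Review bot: The relocated `if( blid != NULL )` test still reads `blid` from `atoi_nullsafe(/* GET blid FROM SQL RESULT */)` three lines above, so the template compares an integer against NULL, while the sqlite driver in the same commit obtains `blid` with `strdup_nullsafe(...)` and the new comment "blid != NULL when blacklisted" only makes sense for that string form. Either make the placeholder match the real driver, `blid = strdup_nullsafe(/* GET blid FROM SQL RESULT */);`, or keep the integer and test it as one, `if( blid > 0 ) {`, with the comment adjusted; as written, anyone copying the template inherits a pointer/integer comparison and a blacklist check whose sentinel is not documented. The same relocation of the blacklist test appears in database/sqlite/eurephiadb-sqlite.c. eDBauth_TLS starts and ends outside the hunk.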
@@ -205,19 +205,8 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
blid = strdup_nullsafe(sqlite_get_value(res, 0, 1));
sqlite_free_results(res);
- // Check if we found certificate to be blacklisted or not. blid == NULL when NOT blacklisted
- if( blid == NULL ) {
- if( certid > 0 ) {
- eurephia_log(ctx, LOG_INFO, 0,
- "Found certid %i for user: %s/%s/%s",
- certid, org, cname, email);
- } else {
- eurephia_log(ctx, LOG_INFO, 1,
- "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
- org, cname, email, depth, digest);
- }
- // Certificate is okay, certid contains the certificate ID
- } else {
+ // Check if the certificate is blacklisted or not. blid != NULL when blacklisted
+ if( blid != NULL ) {
// If the certificate or IP is blacklisted, update status and deny access.
eurephia_log(ctx, LOG_WARNING, 0, "Attempt with BLACKLISTED certificate (certid %i)", certid);
@@ -276,12 +276,21 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth)
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
}
- free_certinfo(ci);
if( result > 0 ) {
+ // Certificate is okay, result contains the certificate ID
+ eurephia_log(ctx, LOG_INFO, (depth == 0 ? 0 : 1),
+ "Found certid %i for user: %s/%s/%s",
+ result, ci->org, ci->common_name, ci->email);
+ // Reset attempt counter for certificate if it is okey
eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest);
+ } else {
+ eurephia_log(ctx, LOG_WARNING, 0,
+ "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
+ ci->org, ci->common_name, ci->email, depth, tls_digest);
}
+ free_certinfo(ci);
DEBUG(ctx, 10, "** Function result: eurephia_tlsverify(...) == %i", result > 0);
return (result > 0);
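Review bot: The new log-level expression `(depth == 0 ? 0 : 1)` in eurephia_tlsverify compares the `const char *depth` pointer with NULL instead of testing the depth value, so for every non-NULL depth string the level is 1; the "Unknown certificate" format below prints `depth` with `%s`, which confirms it is a string. If the intent is to log the leaf certificate (depth "0") at level 0, the line should be `eurephia_log(ctx, LOG_INFO, (strcmp(depth, "0") == 0 ? 0 : 1),` (with a NULL guard if callers can pass no depth). The fields in both new log lines (`ci->org`, `ci->common_name`, `ci->email`) presumably come from the peer's certificate, so they are untrusted text written to the log; escaping control characters before logging would stop a crafted subject from forging log entries. Per the diffstat this second hunk appears to belong to eurephia.c, its file header having been lost when the page was collapsed, and eurephia_tlsverify starts and ends outside the hunk.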
@@ -350,6 +359,8 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_RESET, ipaddr);
eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest);
eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_RESET, username);
+
+ eurephia_log(ctx, LOG_INFO, 0, "User '%s' authenticated", username);
}
DEBUG(ctx, 10, "** Function result: eurephia_userauth(...) = %i", (result>0));
return (result > 0);
|
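Review bot: The added `eurephia_log(ctx, LOG_INFO, 0, "User '%s' authenticated", username);` records the success without the client address, although `ipaddr` is already in scope on the first line of the hunk; `eurephia_log(ctx, LOG_INFO, 0, "User '%s' authenticated from %s", username, ipaddr);` makes the entry usable for correlating a session with the attempt counters reset just above it. `username` presumably originates from the client-supplied `env`, so it should be treated as untrusted when written to the log, the same way as the certificate fields logged in eurephia_tlsverify. The failure path of eurephia_userauth lies outside this hunk, so whether a rejected attempt is logged with matching detail cannot be checked here; per the diffstat this hunk belongs to eurephia.c.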