From 0caeac27ccd23c9d940d3eac212ef1a70ce91468 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Sat, 4 Oct 2008 02:36:57 +0200
Subject: Added more ideas to TODO
---
 TODO | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/TODO b/TODO
index c13e630..e911a29 100644
--- a/TODO
+++ b/TODO
@@ -15,6 +15,7 @@ - Show blacklist - Admin program should use eurephiaDB
+* Add possibility to block blacklisted IPs also in firewall ** ** Release 1.1 requirements
@@ -28,6 +29,10 @@ - This binary loads the firewall interface (dlopen) - The binary takes care of opening up and destruction of message queues and semaphores
+* Admin program - add vpnpasswd program - Uses PAM to authenticate local shell user - Changes password in the eurephia user database for the current shell user ** ** Wish list
@@ -42,3 +47,7 @@ - Check that user/cert matches * Write MySQL driver (release 1.2?)
+
+* Implement Kerberos user authentication (release 1.3?) - User/password authentication is done via Kerberos, using userID(?) from Kerberos ... to replace openvpn_users
-- cgit
From b6f246bb5470ddfd0309769ec908d1fbad7c322d Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Wed, 8 Oct 2008 07:40:03 +0200
Subject: Moved TLS authentication logging from database module to eurephia.c
Also differentiated log level from user certs (depth == 0) and other depths.
---
 database/eurephiadb-driver_template.c | 17 +++--------------
 database/sqlite/eurephiadb-sqlite.c | 15 ++-------------
 eurephia.c | 11 ++++++++++-
 3 files changed, 15 insertions(+), 28 deletions(-)
diff --git a/database/eurephiadb-driver_template.c b/database/eurephiadb-driver_template.c
index fc67510..d237c00 100644
--- a/database/eurephiadb-driver_template.c
+++ b/database/eurephiadb-driver_template.c
@@ -222,24 +222,13 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
 org, cname, email, depth, digest */
- if( /*IF WE GOT A RESULT */ ) {
+ if( /* IF WE GOT A RESULT */ ) {
 certid = atoi_nullsafe(/* GET cert.certid FROM SQL RESULT */);
 blid = atoi_nullsafe(/* GET blid FROM SQL RESULT */);
 /* FREE SQL RESULT */
- // Check if we found certificate to be blacklisted or not. blid == NULL when NOT blacklisted
- if( blid == NULL ) {
- if( certid > 0 ) {
- eurephia_log(ctx, LOG_INFO, 0,
- "Found certid %i for user: %s/%s/%s",
- certid, org, cname, email);
- } else {
- eurephia_log(ctx, LOG_INFO, 1,
- "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
- org, cname, email, depth, digest);
- }
- // Certificate is okay, certid contains the certificate ID
- } else {
+ // Check if the certificate is blacklisted or not. blid != NULL when blacklisted
+ if( blid != NULL ) {
 // If the certificate or IP is blacklisted, update status and deny access.
 eurephia_log(ctx, LOG_WARNING, 0,
 "Attempt with BLACKLISTED certificate (certid %i)", certid);
diff --git a/database/sqlite/eurephiadb-sqlite.c b/database/sqlite/eurephiadb-sqlite.c
index 8fcbd65..1424ffd 100644
--- a/database/sqlite/eurephiadb-sqlite.c
+++ b/database/sqlite/eurephiadb-sqlite.c
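Review bot: The new `if( blid != NULL )` in the driver template compares `blid` with a null pointer, yet two lines above the template fills it with `atoi_nullsafe(...)`, an integer conversion, while the sqlite driver fills `blid` with `strdup_nullsafe(...)` and tests the resulting string. If `blid` is an integer in the template (its declaration is not in the hunk), the test should be written against the integer's "not blacklisted" value, or the template should use `strdup_nullsafe` like the sqlite driver, so that a driver copied from the template does not end up with a blacklist check that never fires. A one-line comment above the assignment stating the type of `blid` and what "not blacklisted" looks like would make this explicit, since this branch is what denies a blacklisted certificate. eDBauth_TLS continues outside the hunk.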
@@ -202,19 +202,8 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
 blid = strdup_nullsafe(sqlite_get_value(res, 0, 1));
 sqlite_free_results(res);
- // Check if we found certificate to be blacklisted or not. blid == NULL when NOT blacklisted
- if( blid == NULL ) {
- if( certid > 0 ) {
- eurephia_log(ctx, LOG_INFO, 0,
- "Found certid %i for user: %s/%s/%s",
- certid, org, cname, email);
- } else {
- eurephia_log(ctx, LOG_INFO, 1,
- "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
- org, cname, email, depth, digest);
- }
- // Certificate is okay, certid contains the certificate ID
- } else {
+ // Check if the certificate is blacklisted or not. blid != NULL when blacklisted
+ if( blid != NULL ) {
 // If the certificate or IP is blacklisted, update status and deny access.
 eurephia_log(ctx, LOG_WARNING, 0,
 "Attempt with BLACKLISTED certificate (certid %i)", certid);
diff --git a/eurephia.c b/eurephia.c
index 82aa183..5832a02 100644
--- a/eurephia.c
+++ b/eurephia.c
@@ -276,12 +276,21 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth)
 eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
 eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_REGISTER, tls_digest);
 }
- free_certinfo(ci);
 if( result > 0 ) {
+ // Certificate is okay, result contains the certificate ID
+ eurephia_log(ctx, LOG_INFO, (depth == 0 ? 0 : 1),
+ "Found certid %i for user: %s/%s/%s",
+ result, ci->org, ci->common_name, ci->email);
+ // Reset attempt counter for certificate if it is okey
 eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest);
+ } else {
+ eurephia_log(ctx, LOG_WARNING, 0,
+ "Unknown certificate for: %s/%s/%s (depth %s, digest: %s)",
+ ci->org, ci->common_name, ci->email, depth, tls_digest);
 }
+ free_certinfo(ci);
 DEBUG(ctx, 10, "** Function result: eurephia_tlsverify(...) == %i", result > 0);
 return (result > 0);
-- cgit
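Review bot: `(depth == 0 ? 0 : 1)` in the new eurephia_log call in eurephia_tlsverify tests `depth` for a null pointer, not for the value "0": the hunk header declares `depth` as `const char *` and the WARNING line a few lines below formats it with `%s`, so the "Found certid" message is logged at level 1 for every non-NULL depth and the per-depth differentiation described in the commit message never takes effect. Write it as `(depth != NULL && strcmp(depth, "0") == 0) ? 0 : 1` (needs `<string.h>`) so that the user certificate at depth 0 is logged at level 0 and CA certificates at other depths at level 1, assuming that third argument is a verbosity level as the removed driver code suggests. Moving `free_certinfo(ci)` below the new messages is required by them, since both now read `ci->org`, `ci->common_name` and `ci->email`; those fields come from the peer's certificate, so any filtering of control characters before they reach the log has to happen in eurephia_log or earlier, which is not visible here. eurephia_tlsverify continues outside the hunk.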
From 62836d4745be7e72e638781bd2624aca1266e7fe Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Wed, 8 Oct 2008 07:52:06 +0200
Subject: Logging when username/password is authenticated
---
 eurephia.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/eurephia.c b/eurephia.c
index 5832a02..62c1f89 100644
--- a/eurephia.c
+++ b/eurephia.c
@@ -359,6 +359,8 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
 eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_RESET, ipaddr);
 eDBregister_attempt(ctx, attempt_CERTIFICATE, ATTEMPT_RESET, tls_digest);
 eDBregister_attempt(ctx, attempt_USERNAME, ATTEMPT_RESET, username);
+
+ eurephia_log(ctx, LOG_INFO, 0, "User '%s' authenticated", username);
 }
 DEBUG(ctx, 10, "** Function result: eurephia_userauth(...) = %i", (result>0));
 return (result > 0);
-- cgit
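Review bot: The new success message records only the username, although `ipaddr` and `tls_digest` are in scope on the lines directly above it; without the peer address the event cannot be correlated with the attempt registrations or with the "Found certid" line logged by eurephia_tlsverify, e.g. `eurephia_log(ctx, LOG_INFO, 0, "User '%s' authenticated from %s", username, ipaddr);`. `username` presumably originates from the client-supplied `env` array, so readers of the log depend on eurephia_log (or the code deriving `username`) rejecting control characters, which is not visible in this hunk. The path taken when username/password authentication fails lies outside the hunk; if it has no counterpart message at LOG_WARNING, failed logins would be silent while successful ones are logged, which is the wrong way round for an audit trail.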