System: Access: Users - remove support for local passwords
Since https://github.com/opnsense/core/issues/998 we have supported our authenticators for all service types. For backward-compatibility reasons we kept default UNIX authentication available; since it is hardly used anymore, after 8 years it is time to deprecate this option.
This commit is contained in:
parent
6e9bcf7830
commit
514f87adb8
@ -300,7 +300,7 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
|
||||
|
||||
@mkdir('/home', 0755);
|
||||
|
||||
$user_pass = $user['password'];
|
||||
$user_pass = '*'; /* integrated authentication stores passwords, set local to unreachable */
|
||||
$user_name = $user['name'];
|
||||
$user_uid = $user['uid'];
|
||||
$comment = str_replace(array(':', '!', '@'), ' ', $user['descr']);
|
||||
@ -326,7 +326,6 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
|
||||
* authentication is off.
|
||||
*/
|
||||
$lock_account = 'unlock';
|
||||
$user_pass = '*';
|
||||
}
|
||||
|
||||
if ($user_uid == 0) {
|
||||
@ -344,11 +343,6 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
|
||||
$user_gid = $user_group == 'wheel' ? 0 : 65534;
|
||||
|
||||
if (!$force_password) {
|
||||
/* passwords only when integrated auth is disabled or forced */
|
||||
if (empty($config['system']['disableintegratedauth'])) {
|
||||
$user_pass = '*';
|
||||
}
|
||||
|
||||
/* read from pw db if not provided (batch mode) */
|
||||
if ($userattrs === null) {
|
||||
$fd = popen("/usr/sbin/pw usershow -n {$user_name}", 'r');
|
||||
@ -365,8 +359,7 @@ function local_user_set(&$user, $force_password = false, $userattrs = null)
|
||||
$user_op = 'useradd -m -k /usr/share/skel -o';
|
||||
} elseif (
|
||||
$userattrs[0] == $user_name &&
|
||||
/* match only if disabled or enabled in order to detect a change */
|
||||
($userattrs[1] == '*' && $user_pass == '*' || $userattrs[1] != '*' && $user_pass != '*') &&
|
||||
$userattrs[1] == '*' &&
|
||||
$userattrs[2] == $user_uid &&
|
||||
$userattrs[3] == $user_gid &&
|
||||
$userattrs[7] == $comment &&
|
||||
|
||||
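Review bot: `$force_password` in `local_user_set(&$user, $force_password = false, $userattrs = null)` no longer influences what is written to the pw database: the `@ -300` hunk replaces `$user_pass = $user['password'];` with an unconditional `$user_pass = '*';`, and the `@ -344` hunk removes the only visible branch that consulted `disableintegratedauth`, while the `if (!$force_password) {` guard around the `pw usershow` lookup appears to survive, so the parameter now only decides whether batch-mode attributes are read. Either retire the parameter in a follow-up or document its narrowed meaning above the signature, e.g. `/* NOTE: local password hashes are never written any more (integrated auth is mandatory); $force_password now only skips the pw usershow lookup */`. The new match condition `$userattrs[1] == '*' &&` means accounts that still carry a real hash from before the upgrade fall out of the "unchanged" branch and get rewritten with `*`, which looks like the intended migration and deserves a one-line comment at that spot. The unchanged `popen("/usr/sbin/pw usershow -n {$user_name}", 'r')` interpolates the name unquoted; if `$user_name` is not already validated upstream, `escapeshellarg($user_name)` is cheap insurance. local_user_set's body starts and ends outside these hunks.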
@ -5,18 +5,14 @@
|
||||
# auth
|
||||
#auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
{% if system.disableintegratedauth|default('0') == '0' %}
|
||||
auth sufficient pam_opnsense.so authtok_prompt=Password:
|
||||
{% endif %}
|
||||
auth required pam_unix.so no_warn try_first_pass authtok_prompt=Password:
|
||||
|
||||
# account
|
||||
account required pam_nologin.so
|
||||
#account required pam_krb5.so
|
||||
account required pam_login_access.so
|
||||
{% if system.disableintegratedauth|default('0') == '0' %}
|
||||
account sufficient pam_opnsense.so
|
||||
{% endif %}
|
||||
account required pam_unix.so
|
||||
|
||||
# session
|
||||
|
||||
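Review bot: Once local hashes are always `*`, the trailing `auth required pam_unix.so no_warn try_first_pass authtok_prompt=Password:` can no longer succeed for any account managed by local_user_set, so the effective policy of this stack is "pam_opnsense or nothing" — that is presumably the intent, but it is no longer visible from the file now that the `{% if system.disableintegratedauth ... %}` guard is gone. Add a comment above the pam_unix line such as `# local hashes are '*' since integrated auth became mandatory; pam_unix only terminates the stack` so the next editor does not "simplify" the stack in a way that changes failure handling. The same applies to the account block, where `account required pam_unix.so` still runs for anything `account sufficient pam_opnsense.so` does not claim; confirm that system accounts not managed by local_user_set are meant to keep their pam_unix account checks.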
@ -5,17 +5,13 @@
|
||||
# auth
|
||||
#auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
{% if system.disableintegratedauth|default('0') == '0' %}
|
||||
auth sufficient pam_opnsense.so
|
||||
{% endif %}
|
||||
auth required pam_unix.so no_warn try_first_pass nullok
|
||||
|
||||
# account
|
||||
#account required pam_krb5.so
|
||||
account required pam_login_access.so
|
||||
{% if system.disableintegratedauth|default('0') == '0' %}
|
||||
account sufficient pam_opnsense.so
|
||||
{% endif %}
|
||||
account required pam_unix.so
|
||||
|
||||
# session
|
||||
|
||||
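Review bot: `auth required pam_unix.so no_warn try_first_pass nullok` keeps `nullok` even though this commit removes the only path that wrote a real local hash (local_user_set now stores `*`), so `nullok` can no longer help any managed account and would only take effect for an account whose password field is empty — which pam_unix would then accept without any password. Unless another template or tool for this service deliberately relies on empty-password accounts, drop it: `auth required pam_unix.so no_warn try_first_pass`. The sibling template in this commit (the one carrying `authtok_prompt=Password:`) already omits `nullok`, so the two stacks would also become consistent.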
@ -63,7 +63,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
$pconfig['httpaccesslog'] = isset($config['system']['webgui']['httpaccesslog']);
|
||||
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
|
||||
$pconfig['usevirtualterminal'] = isset($config['system']['usevirtualterminal']);
|
||||
$pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
|
||||
$pconfig['sudo_allow_wheel'] = $config['system']['sudo_allow_wheel'];
|
||||
$pconfig['sudo_allow_group'] = isset($config['system']['sudo_allow_group']) ? $config['system']['sudo_allow_group'] : null;
|
||||
$pconfig['user_allow_gen_token'] = isset($config['system']['user_allow_gen_token']) ? explode(",", $config['system']['user_allow_gen_token']) : [];
|
||||
@ -241,12 +240,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
unset($config['system']['usevirtualterminal']);
|
||||
}
|
||||
|
||||
if (!empty($pconfig['disableintegratedauth'])) {
|
||||
$config['system']['disableintegratedauth'] = true;
|
||||
} elseif (isset($config['system']['disableintegratedauth'])) {
|
||||
unset($config['system']['disableintegratedauth']);
|
||||
}
|
||||
|
||||
if (!empty($pconfig['sudo_allow_wheel'])) {
|
||||
$config['system']['sudo_allow_wheel'] = $pconfig['sudo_allow_wheel'];
|
||||
} elseif (isset($config['system']['sudo_allow_wheel'])) {
|
||||
@ -1042,16 +1035,6 @@ $(document).ready(function() {
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td></td>
|
||||
<td>
|
||||
<input name="disableintegratedauth" type="checkbox" value="yes" <?= empty($pconfig['disableintegratedauth']) ? '' : 'checked="checked"' ?> />
|
||||
<?=gettext("Disable integrated authentication"); ?>
|
||||
<div class="hidden" data-for="help_for_authmode">
|
||||
<?= gettext('When set, console login, SSH, and other system services can only use standard UNIX account authentication.') ?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_sudo_allow_wheel" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Sudo') ?></td>
|
||||
<td>
|
||||
|
||||
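Review bot: The POST handler at `@ -241,12 +240,6` drops the `unset($config['system']['disableintegratedauth']);` branch without any replacement, so a config.xml that has the flag set keeps it indefinitely while every reader of it shown in this commit disappears; any reader that remains elsewhere in the tree would still honour a value the UI can no longer change. A one-time cleanup in the same handler, `unset($config['system']['disableintegratedauth']);` applied unconditionally on save, or a config migration, keeps the stored configuration honest. Operators who had local-only authentication enabled also lose it silently on upgrade together with the removed help text `When set, console login, SSH, and other system services can only use standard UNIX account authentication.` — this belongs in the release notes. The enclosing `if ($_SERVER['REQUEST_METHOD'] === 'GET')` block and the form table both start and end outside these hunks.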