(pam) switch to pam, with the option to disable our pam helper and switch back to unix mode... for https://github.com/opnsense/core/issues/998

Ad Schellevis 2016-10-25 20:36:55 +02:00
parent 089a3f07d6
commit f88eabc00b
4 changed files with 50 additions and 0 deletions


@ -44,3 +44,4 @@ convert_config(true);
system_firmware_configure();
system_console_configure();
configd_run('template reload OPNsense.Auth');


@ -0,0 +1 @@
sshd.pam:/etc/pam.d/sshd


@ -0,0 +1,30 @@
#
# $FreeBSD$
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
{% if system.disableintegratedauth|default('0') == '1' %}
auth required pam_unix.so no_warn try_first_pass
{% else %}
auth required pam_opnsense.so
{% endif %}
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
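Review bot: The two OPIE lines at the top of the auth stack sit outside the `{% if %}` block, so for any account that has an OPIE key the outcome is decided by `pam_opie.so` (sufficient) or `pam_opieaccess.so` (requisite) and `pam_opnsense.so` is never consulted. If integrated mode is meant to be the single place where SSH logins are decided, move `auth sufficient pam_opie.so no_warn no_fake_prompts` and `auth requisite pam_opieaccess.so no_warn allow_local` into the `pam_unix.so` branch, or comment them out like the krb5 and ssh lines. Separately, the condition matches only the string `'1'`, while the settings page in this commit stores boolean `true`. Whether that serializes to `1` is not visible here, so a short template comment stating the expected stored value would help the next maintainer.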


@ -42,6 +42,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
$pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
$pconfig['sudo_allow_wheel'] = isset($config['system']['sudo_allow_wheel']);
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
$pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
@ -116,6 +117,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['disableconsolemenu']);
}
if (!empty($pconfig['disableintegratedauth'])) {
$config['system']['disableintegratedauth'] = true;
} elseif (isset($config['system']['disableintegratedauth'])) {
unset($config['system']['disableintegratedauth']);
}
if ($pconfig['sudo_allow_wheel'] == "yes") {
$config['system']['sudo_allow_wheel'] = true;
} elseif (isset($config['system']['sudo_allow_wheel'])) {
@ -249,6 +256,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
services_dnsmasq_configure(false);
services_unbound_configure(false);
services_dhcpd_configure();
configd_run('template reload OPNsense.Auth');
if ($restart_sshd) {
configd_run('sshd restart', true);
@ -579,6 +587,16 @@ include("head.inc");
<strong><?= gettext('Allow administrators to use the Sudo utility') ?></strong>
</td>
</tr>
<tr>
<td><a id="help_for_disableintegratedauth" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Integrated authentication") ?></td>
<td width="78%">
<input name="disableintegratedauth" type="checkbox" value="yes" <?= empty($pconfig['disableintegratedauth']) ? '' : 'checked="checked"' ?> />
<strong><?=gettext("Disable integrated authentication"); ?></strong>
<div class="hidden" for="help_for_disableintegratedauth">
<?=gettext("Disable OPNsense integrated authentication module for console access, falling back to normal unix authentication.");?>
</div>
</td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%"><input name="Submit" type="submit" class="btn btn-primary" value="<?= gettext("Save") ?>" /></td>
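Review bot: The help text added in the last hunk says the option applies to "console access", but the only PAM service this commit templates is `/etc/pam.d/sshd`, so the wording should name SSH logins unless the console service is handled elsewhere. Suggested text: `gettext("Disable the OPNsense integrated authentication module for SSH logins, falling back to normal unix authentication.")`. Because the switch changes which module decides logins, the help text could also state that only local unix accounts and passwords are accepted once it is enabled, which follows from the `pam_unix.so` branch of the template. The surrounding table and form continue outside the hunk.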