sub verify_ticket {
my ($ticket, $noerr) = @_;
- if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
+ if ($ticket && $ticket =~ m/^(PVE:\S+)::([^:\s]+)$/) {
my $plain = $1;
my $sig = $2;
return undef;
}
+# VNC tickets
+# - they do not contain the username in plain text
+# - they are restricted to a specific resource path (example: '/vms/100')
+sub assemble_vnc_ticket {
+ my ($username, $path) = @_;
+
+ my $rsa_priv = get_privkey();
+
+ my $timestamp = sprintf("%08X", time());
+
+ my $plain = "PVEVNC:$timestamp";
+
+ $path = normalize_path($path);
+
+ my $full = "$plain:$username:$path";
+
+ my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), '');
+
+ return $ticket;
+}
+
+sub verify_vnc_ticket {
+ my ($ticket, $username, $path, $noerr) = @_;
+
+ if ($ticket && $ticket =~ m/^(PVEVNC:\S+)::([^:\s]+)$/) {
+ my $plain = $1;
+ my $sig = $2;
+ my $full = "$plain:$username:$path";
+
+ my $rsa_pub = get_pubkey();
+ # Note: sign only match if $username and $path is correct
+ if ($rsa_pub->verify($full, decode_base64($sig))) {
+ if ($plain =~ m/^PVEVNC:([A-Z0-9]{8})$/) {
+ my $ttime = hex($1);
+
+ my $age = time() - $ttime;
+
+ if (($age > -20) && ($age < 40)) {
+ return 1;
+ }
+ }
+ }
+ }
+
+ die "permission denied - invalid vnc ticket\n" if !$noerr;
+
+ return undef;
+}
+
+
sub authenticate_user_shadow {
my ($userid, $password) = @_;
}
}
-sub check_user_enabled {
+sub check_user_exist {
my ($usercfg, $username, $noerr) = @_;
$username = verify_username($username, $noerr);
return undef if !$username;
- return 1 if $usercfg && $usercfg->{users}->{$username} &&
- $usercfg->{users}->{$username}->{enable};
+ return $usercfg->{users}->{$username} if $usercfg && $usercfg->{users}->{$username};
+
+ die "no such user ('$username')\n" if !$noerr;
+
+ return undef;
+}
+
+sub check_user_enabled {
+ my ($usercfg, $username, $noerr) = @_;
+
+ my $data = check_user_exist($usercfg, $username, $noerr);
+ return undef if !$data;
+
+ return 1 if $data->{enable};
return 1 if $username eq 'root@pam'; # root is always enabled
- die "no such user ('$username')\n" if !$noerr;
+ die "user '$username' is disabled\n" if !$noerr;
return undef;
}
Sys => {
root => [
'Sys.PowerMgmt',
- 'Sys.Modify', # edit/change node settings
+ 'Sys.Modify', # edit/change node settings
],
admin => [
'Sys.Console',
'Datastore.Audit',
],
},
+ User => {
+ root => [
+
+ ],
+ admin => [
+ 'User.Modify',
+ 'User.Add',
+ 'User.Delete',
+ ],
+ user => [],
+ audit => [],
+ },
};
my $valid_privs = {};