sub verify_ticket {
my ($ticket, $noerr) = @_;
- if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
+ if ($ticket && $ticket =~ m/^(PVE:\S+)::([^:\s]+)$/) {
my $plain = $1;
my $sig = $2;
return undef;
}
+# VNC tickets
+# - they do not contain the username in plain text
+# - they are restricted to a specific resource path (example: '/vms/100')
+sub assemble_vnc_ticket {
+ my ($username, $path) = @_;
+
+ my $rsa_priv = get_privkey();
+
+ my $timestamp = sprintf("%08X", time());
+
+ my $plain = "PVEVNC:$timestamp";
+
+ $path = normalize_path($path);
+
+ my $full = "$plain:$username:$path";
+
+ my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), '');
+
+ return $ticket;
+}
+
+sub verify_vnc_ticket {
+ my ($ticket, $username, $path, $noerr) = @_;
+
+ if ($ticket && $ticket =~ m/^(PVEVNC:\S+)::([^:\s]+)$/) {
+ my $plain = $1;
+ my $sig = $2;
+ my $full = "$plain:$username:$path";
+
+ my $rsa_pub = get_pubkey();
+ # Note: sign only match if $username and $path is correct
+ if ($rsa_pub->verify($full, decode_base64($sig))) {
+ if ($plain =~ m/^PVEVNC:([A-Z0-9]{8})$/) {
+ my $ttime = hex($1);
+
+ my $age = time() - $ttime;
+
+ if (($age > -20) && ($age < 40)) {
+ return 1;
+ }
+ }
+ }
+ }
+
+ die "permission denied - invalid vnc ticket\n" if !$noerr;
+
+ return undef;
+}
+
+
sub authenticate_user_shadow {
my ($userid, $password) = @_;
}
}
-sub user_enabled {
- my ($usercfg, $username) = @_;
+sub check_user_enabled {
+ my ($usercfg, $username, $noerr) = @_;
- $username = verify_username($username, 1);
+ $username = verify_username($username, $noerr);
return undef if !$username;
return 1 if $usercfg && $usercfg->{users}->{$username} &&
return 1 if $username eq 'root@pam'; # root is always enabled
- return 0;
+ die "no such user ('$username')\n" if !$noerr;
+
+ return undef;
}
# password should be utf8 encoded
my $usercfg = cfs_read_file('user.cfg');
- if (!user_enabled($usercfg, $username)) {
+ eval { check_user_enabled($usercfg, $username); };
+ if (my $err = $@) {
sleep(2);
- die "no such user ('$username')\n"
+ die $err;
}
my $ctime = time();
server1 => '[\w\d]+(.[\w\d]+)*',
server2 => '[\w\d]+(.[\w\d]+)*',
domain => '\S+',
- port => '\d*',
+ port => '\d+',
secure => '',
comment => '.*',
},
base_dn => '\w+=[\w\s]+(,\s*\w+=[\w\s]+)*',
user_attr => '\S{2,}',
secure => '',
- port => '\d*',
+ port => '\d+',
comment => '.*',
}
};
$wrote_default = 1;
} elsif (defined($formats->{$k})) {
if (!$formats->{$k}) {
- $data .= "\t$k\n";
+ $data .= "\t$k\n" if $v;
} elsif ($v =~ m/^$formats->{$k}$/) {
$v = PVE::Tools::encode_text($v) if $k eq 'comment';
$data .= "\t$k $v\n";
warn "ignoring domain '$realm' - missing user attribute\n";
} elsif (($entry->{type} eq "ldap") && !$entry->{base_dn}) {
warn "ignoring domain '$realm' - missing base_dn attribute\n";
+ } elsif (($entry->{type} eq "ad") && !$entry->{domain}) {
+ warn "ignoring domain '$realm' - missing domain attribute\n";
} else {
$cfg->{$realm} = $entry;
}
my $data = '';
foreach my $user (keys %{$cfg->{users}}) {
- next if $user eq 'root@pam';
-
my $d = $cfg->{users}->{$user};
my $firstname = $d->{firstname} ? PVE::Tools::encode_text($d->{firstname}) : '';
my $lastname = $d->{lastname} ? PVE::Tools::encode_text($d->{lastname}) : '';
my $email = $d->{email} || '';
my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';
- my $expire = int($d->{expire}) || 0;
+ my $expire = int($d->{expire} || 0);
my $enable = $d->{enable} ? 1 : 0;
$data .= "user:$user:$enable:$expire:$firstname:$lastname:$email:$comment:\n";
}
projects / pve-access-control.git / blobdiff