X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=f03f6b5bba4e67fbb6f2a90d9210d62e344f37be;hp=b5dffadda4432ed783459ec50ca714de74dba2b2;hb=e4f8fc2e7e5f31691629a5361000636f8a2b2398;hpb=83d1f13ec0a64632003f2773f024c73e92fa0e3c diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index b5dffad..f03f6b5 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -1,6 +1,7 @@ package PVE::AccessControl; use strict; +use warnings; use Encode; use Crypt::OpenSSL::Random; use Crypt::OpenSSL::RSA; @@ -214,21 +215,66 @@ sub verify_vnc_ticket { } sub assemble_spice_ticket { - my ($username, $path) = @_; + my ($username, $vmid, $node) = @_; my $rsa_priv = get_privkey(); - my $timestamp = sprintf("%08X", time()); + my $timestamp = sprintf("%08x", time()); - my $plain = "PVESPICE:$timestamp"; + my $randomstr = "PVESPICE:$timestamp:$vmid:$node:" . rand(10); - $path = normalize_path($path); + # this should be uses as one-time password + # max length is 60 chars (spice limit) + # we pass this to qemu set_pasword and limit lifetime there + # keep this secret + my $ticket = Digest::SHA::sha1_hex($rsa_priv->sign($randomstr)); - my $full = "$plain:$path"; + # Note: spice proxy connects with HTTP, so $proxyticket is exposed to public + # we use a signature/timestamp to make sure nobody can fake such ticket + # an attacker can use this $proxyticket, but he will fail because $ticket is + # private. + # The proxy need to be able to extract/verify the ticket + # Note: data needs to be lower case only, because virt-viewer needs that + # Note: RSA signature are too long (>=256 charaters) and makes problems with remote-viewer - my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), ''); + my $secret = &$get_csrfr_secret(); + my $plain = "pvespiceproxy:$timestamp:$vmid:" . lc($node); - return $ticket; + # produces 40 characters + my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret())); + + #my $sig = unpack("H*", $rsa_priv->sign($plain)); # this produce too long strings (512) + + my $proxyticket = $plain . "::" . $sig; + + return ($ticket, $proxyticket); +} + +sub verify_spice_connect_url { + my ($connect_str) = @_; + + # Note: we pass the spice ticket as 'host', so the + # spice viewer connects with "$ticket:$port" + + return undef if !$connect_str; + + if ($connect_str =~m/^pvespiceproxy:([a-z0-9]{8}):(\d+):(\S+)::([a-z0-9]{40}):(\d+)$/) { + my ($timestamp, $vmid, $node, $hexsig, $port) = ($1, $2, $3, $4, $5, $6); + my $ttime = hex($timestamp); + my $age = time() - $ttime; + + # use very limited lifetime - is this enough? + return undef if !(($age > -20) && ($age < 40)); + + my $plain = "pvespiceproxy:$timestamp:$vmid:$node"; + my $sig = unpack("H*", Digest::SHA::sha1($plain, &$get_csrfr_secret())); + + if ($sig eq $hexsig) { + return ($vmid, $node, $port); + } + } + + return undef; } sub check_user_exist { @@ -260,6 +306,7 @@ sub check_user_enabled { } # password should be utf8 encoded +# Note: some pluging delay/sleep if auth fails sub authenticate_user { my ($username, $password) = @_; @@ -271,32 +318,19 @@ sub authenticate_user { my $usercfg = cfs_read_file('user.cfg'); - eval { check_user_enabled($usercfg, $username); }; - if (my $err = $@) { - sleep(2); - die $err; - } + check_user_enabled($usercfg, $username); my $ctime = time(); my $expire = $usercfg->{users}->{$username}->{expire}; - if ($expire && ($expire < $ctime)) { - sleep(2); - die "account expired\n" - } + die "account expired\n" if $expire && ($expire < $ctime); my $domain_cfg = cfs_read_file('domains.cfg'); - eval { - my $cfg = $domain_cfg->{ids}->{$realm}; - die "auth domain '$realm' does not exists\n" if !$cfg; - my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); - $plugin->authenticate_user($cfg, $realm, $ruid, $password); - }; - if (my $err = $@) { - sleep(2); # timeout after failed auth - die $err; - } + my $cfg = $domain_cfg->{ids}->{$realm}; + die "auth domain '$realm' does not exists\n" if !$cfg; + my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); + $plugin->authenticate_user($cfg, $realm, $ruid, $password); return $username; } @@ -509,7 +543,7 @@ sub normalize_path { $path = "/$path" if $path !~ m|^/|; - return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|; + return undef if $path !~ m|^[[:alnum:]\.\-\_\/]+$|; return $path; }