static char *get_hash(request_rec *r, char *user, char *auth_pwfile) { configfile_t *f; char l[MAX_STRING_LEN]; const char *rpw; char *w, *x; if (!(f = ap_pcfg_openfile(r->pool, auth_pwfile))) { ap_log_error(APLOG_MARK, APLOG_ERR, r->server, "Could not open password file: %s", auth_pwfile); return NULL; } while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { if ((l[0] == '#') || (!l[0])) continue; rpw = l; w = ap_getword(r->pool, &rpw, ':'); x = ap_getword(r->pool, &rpw, ':'); if (x && w && !strcmp(user, w) && !strcmp(ap_auth_name(r), x)) { ap_cfg_closefile(f); return ap_pstrdup(r->pool, rpw); } } ap_cfg_closefile(f); return NULL; }
static char *get_pw(request_rec *r, char *user, char *auth_pwfile) { ap_configfile_t *f; char l[MAX_STRING_LEN]; const char *rpw, *w; apr_status_t status; if ((status = ap_pcfg_openfile(&f, r->pool, auth_pwfile)) != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "Could not open password file: %s", auth_pwfile); return NULL; } while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { if ((l[0] == '#') || (!l[0])) { continue; } rpw = l; w = ap_getword(r->pool, &rpw, ':'); if (!strcmp(user, w)) { ap_cfg_closefile(f); return ap_getword(r->pool, &rpw, ':'); } } ap_cfg_closefile(f); return NULL; }
static authn_status check_password(request_rec *r, const char *user, const char *password) { #ifndef APACHE2NGINX authn_file_config_rec *conf = ap_get_module_config(r->per_dir_config, &authn_file_module); ap_configfile_t *f; char l[MAX_STRING_LEN]; apr_status_t status; char *file_password = NULL; if (!conf->pwfile) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AuthUserFile not specified in the configuration"); return AUTH_GENERAL_ERROR; } status = ap_pcfg_openfile(&f, r->pool, conf->pwfile); if (status != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "Could not open password file: %s", conf->pwfile); return AUTH_GENERAL_ERROR; } while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { const char *rpw, *w; /* Skip # or blank lines. */ if ((l[0] == '#') || (!l[0])) { continue; } rpw = l; w = ap_getword(r->pool, &rpw, ':'); if (!strcmp(user, w)) { file_password = ap_getword(r->pool, &rpw, ':'); break; } } ap_cfg_closefile(f); if (!file_password) { return AUTH_USER_NOT_FOUND; } status = apr_password_validate(password, file_password); if (status != APR_SUCCESS) { return AUTH_DENIED; } #endif return AUTH_GRANTED; }
static authn_status get_realm_hash(request_rec *r, const char *user, const char *realm, char **rethash) { #ifndef APACHE2NGINX authn_file_config_rec *conf = ap_get_module_config(r->per_dir_config, &authn_file_module); ap_configfile_t *f; char l[MAX_STRING_LEN]; apr_status_t status; char *file_hash = NULL; if (!conf->pwfile) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "AuthUserFile not specified in the configuration"); return AUTH_GENERAL_ERROR; } status = ap_pcfg_openfile(&f, r->pool, conf->pwfile); if (status != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "Could not open password file: %s", conf->pwfile); return AUTH_GENERAL_ERROR; } while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { const char *rpw, *w, *x; /* Skip # or blank lines. */ if ((l[0] == '#') || (!l[0])) { continue; } rpw = l; w = ap_getword(r->pool, &rpw, ':'); x = ap_getword(r->pool, &rpw, ':'); if (x && w && !strcmp(user, w) && !strcmp(realm, x)) { /* Remember that this is a md5 hash of user:realm:password. */ file_hash = ap_getword(r->pool, &rpw, ':'); break; } } ap_cfg_closefile(f); if (!file_hash) { return AUTH_USER_NOT_FOUND; } *rethash = file_hash; #endif return AUTH_USER_FOUND; }
/* * selinux_lookup_mapfile * * It lookups a matched entry from the given configuration file, * and returns 1 with a copied cstring, if found. Otherwise, it returns 0. */ static int selinux_lookup_mapfile(request_rec *r, const char *filename, char **domain) { const char *white_space = " \t\r\n"; ap_configfile_t *filp; char buffer[MAX_STRING_LEN]; apr_status_t status; char *user, *context, *pos; int lineno = 0; status = ap_pcfg_openfile(&filp, r->pool, filename); if (status != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, LOG_WARNING, status, r, "Unable to open: %s", filename); return -1; } while (ap_cfg_getline(buffer, sizeof(buffer), filp) == 0) { lineno++; /* skip empty line */ pos = strchr(buffer, '#'); if (pos) *pos = '\0'; user = strtok_r(buffer, white_space, &pos); if (!user) continue; context = strtok_r(NULL, white_space, &pos); if (!context || strtok_r(NULL, white_space, &pos)) { ap_log_rerror(APLOG_MARK, LOG_WARNING, 0, r, "syntax error at %s:%d", filename, lineno); continue; } if (!strcmp(user, "*") || (r->user && !strcmp(user, r->user)) || (!r->user && !strcmp(user, "__anonymous__"))) { *domain = apr_pstrdup(r->pool, context); ap_cfg_closefile(filp); return 1; } } /* not found */ ap_cfg_closefile(filp); return 0; }
static apr_status_t groups_for_user(apr_pool_t *p, char *user, char *grpfile, apr_table_t ** out) { ap_configfile_t *f; apr_table_t *grps = apr_table_make(p, 15); apr_pool_t *sp; struct ap_varbuf vb; const char *group_name, *ll, *w; apr_status_t status; apr_size_t group_len; if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) { return status ; } apr_pool_create(&sp, p); ap_varbuf_init(p, &vb, VARBUF_INIT_LEN); while (!(ap_varbuf_cfg_getline(&vb, f, VARBUF_MAX_LEN))) { if ((vb.buf[0] == '#') || (!vb.buf[0])) { continue; } ll = vb.buf; apr_pool_clear(sp); group_name = ap_getword(sp, &ll, ':'); group_len = strlen(group_name); while (group_len && apr_isspace(*(group_name + group_len - 1))) { --group_len; } while (ll[0]) { w = ap_getword_conf(sp, &ll); if (!strcmp(w, user)) { apr_table_setn(grps, apr_pstrmemdup(p, group_name, group_len), "in"); break; } } } ap_cfg_closefile(f); apr_pool_destroy(sp); ap_varbuf_free(&vb); *out = grps; return APR_SUCCESS; }
static char *getSharedKey(request_rec *r,char *filename, char **static_pw) { ap_regmatch_t regmatch[AP_MAX_REG_MATCH]; char l[MAX_STRING_LEN]; char *sharedKey = 0L; apr_status_t status; ap_configfile_t *f; authn_google_config_rec *conf = ap_get_module_config(r->per_dir_config, &authn_google_module); status = ap_pcfg_openfile(&f, r->pool, filename); ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "OPENING FILENAME %s",filename); if (status != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "check_password: Couldn't open password file: %s", filename); return 0L; } while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { /* If we have a password entry - return it, if the caller has asked for it */ if ((static_pw) && (!ap_regexec(passwd_regexp, l, AP_MAX_REG_MATCH, regmatch, 0))) { *static_pw = ap_pregsub(r->pool, "$1", l,AP_MAX_REG_MATCH,regmatch); if (conf->debugLevel) ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Using static password \"%s\"",*static_pw); } /* Skip comment or blank lines. */ if ((l[0] == '"') || (!l[0])) { continue; } if (!sharedKey) { sharedKey = apr_pstrdup(r->pool,l); } /* Scratch codes to follow */ } ap_cfg_closefile(f); return sharedKey; }
static apr_table_t *groups_for_user(request_rec *r, char *user, char *grpfile) { apr_pool_t *p = r->pool; ap_configfile_t *f; apr_table_t *grps = apr_table_make(p, 15); apr_pool_t *sp; char l[MAX_STRING_LEN]; const char *group_name, *ll, *w; apr_status_t status; if ((status = ap_pcfg_openfile(&f, p, grpfile)) != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "Could not open group file: %s", grpfile); return NULL; } apr_pool_create(&sp, p); while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { if ((l[0] == '#') || (!l[0])) { continue; } ll = l; apr_pool_clear(sp); group_name = ap_getword(sp, &ll, ':'); while (ll[0]) { w = ap_getword_conf(sp, &ll); if (!strcmp(w, user)) { apr_table_setn(grps, apr_pstrdup(p, group_name), "in"); break; } } } ap_cfg_closefile(f); apr_pool_destroy(sp); return grps; }
static const char *proxylist_read(cmd_parms *cmd, void *cfg, const char *filename) { char lbuf[MAX_STRING_LEN]; char *arg; const char *args; const char *errmsg; ap_configfile_t *cfp; apr_status_t rv; filename = ap_server_root_relative(cmd->temp_pool, filename); rv = ap_pcfg_openfile(&cfp, cmd->temp_pool, filename); if (rv != APR_SUCCESS) { return apr_psprintf(cmd->pool, "%s: Could not open file %s: %s", cmd->cmd->name, filename, apr_strerror(rv, lbuf, sizeof(lbuf))); } while (!(ap_cfg_getline(lbuf, MAX_STRING_LEN, cfp))) { args = lbuf; while (*(arg = ap_getword_conf(cmd->temp_pool, &args)) != '\0') { if (*arg == '#') { break; } errmsg = proxies_set(cmd, cfg, arg); if (errmsg) { ap_cfg_closefile(cfp); errmsg = apr_psprintf(cmd->pool, "%s at line %d of %s", errmsg, cfp->line_number, filename); return errmsg; } } } ap_cfg_closefile(cfp); return NULL; }
static table *groups_for_user(pool *p, char *user, char *grpfile) { configfile_t *f; table *grps = ap_make_table(p, 15); pool *sp; char l[MAX_STRING_LEN]; const char *group_name, *ll, *w; if (!(f = ap_pcfg_openfile(p, grpfile))) { /*add? aplog_error(APLOG_MARK, APLOG_ERR, NULL, "Could not open group file: %s", grpfile);*/ return NULL; } sp = ap_make_sub_pool(p); while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { if ((l[0] == '#') || (!l[0])) continue; ll = l; ap_clear_pool(sp); group_name = ap_getword(sp, &ll, ':'); while (ll[0]) { w = ap_getword_conf(sp, &ll); if (!strcmp(w, user)) { ap_table_setn(grps, ap_pstrdup(p, group_name), "in"); break; } } } ap_cfg_closefile(f); ap_destroy_pool(sp); return grps; }
/* This provides a simple UI for accessing the key database * used to grant access to users owning a yubikey or not. * * This is primarily a web version of htaccess. */ static int authn_yubikey_handler(request_rec *r) { ap_configfile_t *f; char l[MAX_STRING_LEN]; apr_status_t status; char *file_password = NULL; char *yubiKeyId = NULL; char *realName = NULL; apr_file_t *dbFormFile = NULL; yubiauth_dir_cfg *cfg = ap_get_module_config(r->per_dir_config, &authn_yubikey_module); if (strcmp(r->handler, "authn_yubikey")) { return DECLINED; } r->content_type = "text/html"; /* Post back */ if (r->method_number == M_POST) { const char *postbackContent = NULL; char *tmp = NULL; char buffer[1024]; //Read the POST data sent from the client ap_setup_client_block(r, REQUEST_CHUNKED_DECHUNK); if ( ap_should_client_block(r) == 1 ) { while ( ap_get_client_block(r, buffer, 1024) > 0 ) { postbackContent = apr_pstrcat(r->pool, buffer, tmp, NULL); //tmp = apr_pstrdup(r->pool, postbackContent); } } else { ap_rputs("No POST data available",r); } //We have the data now, now process it and save it into the db ap_set_content_type(r, "text/plain;"); ap_rprintf(r, "Postback content: %s", postbackContent); return OK; } /* Serve content if it's a GET request */ if (!r->header_only) { ap_rputs("<html><head><title>YubiAuth user management</title></head><body>", r); ap_rputs("<h1>Welcome to the YubiAuth user Mgmt.</h1><br>", r); ap_rputs("The following users could be found inside the database:<br>", r); //Open userDb file for looped output status = ap_pcfg_openfile(&f, r->pool, cfg->userAuthDbFilename); if (status != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, LOG_PREFIX "Could not open YubiAuthUserDb file: %s", cfg->userAuthDbFilename); return HTTP_INTERNAL_SERVER_ERROR; } ap_rputs("<table><thead><tr><th>TokenId</th><th>Real Name</th></tr></thead><tbody>\n", r); while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { const char *rpw, *w; /* Skip # or blank lines. */ if ((l[0] == '#') || (!l[0])) { continue; } rpw = l; w = ap_getword(r->pool, &rpw, ':'); //yubiKeyId = apr_pstrndup(r->pool, password, (apr_size_t) 12); //realName = ap_getword(r->pool, &rpw, ':'); ap_rputs("<tr>", r); ap_rprintf(r, "<td>%s</td>", w); ap_rprintf(r, "<td>%s</td>\n", rpw); ap_rputs("</tr>", r); } ap_cfg_closefile(f); ap_rputs("</tbody></table>", r); ap_rputs("<h1>Want to add a user?</h1>.", r); ap_rputs("<form name=\"addUser\" method=\"POST\" action=\"/authme\">", r); ap_rputs("<input type=\"text\" name=\"tokenId\">", r); ap_rputs("<input type=\"text\" name=\"realUser\">", r); ap_rputs("<input type=\"submit\" value=\"Add User\">", r); ap_rputs("</form>", r); ap_rputs("</body></html>", r); } //If we receive a POST to this location, we probably want to update the userdb //be sure to check if there is a user set and that this user is allowed to change information // inside the userdb, we cn authenticate the user with the OTP token here too. //We should make the administrative user configurable, by specifying the token which is allowed // access ... return OK; }
static int isUserValid(const char *user, const char *password, yubiauth_dir_cfg *cfg, request_rec *r) { ap_configfile_t *f; char l[MAX_STRING_LEN]; apr_status_t status; char *file_password = NULL; char *yubiKeyId = NULL; char *userPassword = NULL; apr_size_t passwordLength = 0; char *realName = NULL; int userWasFound = FALSE; /* This is TRUE when we store a combination of yubikeyId:username:password, * we then have a two factor authentication. */ int tokenHasPassword = FALSE; status = ap_pcfg_openfile(&f, r->pool, cfg->userAuthDbFilename); if (status != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, LOG_PREFIX "Could not open AuthYkUserFile file: %s", cfg->userAuthDbFilename); return FALSE; } /* Do length check of at least the password part, * to be a yubikey token, it has to have at least 44 * characters from where the first 12 are the ID of the user. */ if (strlen(password) < YUBIKEY_TOKEN_LENGTH) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, LOG_PREFIX "The entered password cannot be a yubikey generated token"); ap_cfg_closefile(f); return FALSE; } /* If the password is bigger then 44 characters, then we have an additional password * set into the field, since the produced token by the yubikey is 44 characters long */ passwordLength = (apr_size_t) strlen(password) - YUBIKEY_TOKEN_LENGTH; ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "The length of the entered password is: %d", passwordLength); /* We have to distinct between a 44 character string which is the * toke output only and a longer string, which would contain a * password at its beginning */ if (strlen(password) > YUBIKEY_TOKEN_LENGTH) { /* copy off the password part from the password string */ userPassword = apr_pstrndup(r->pool, password, passwordLength); ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "The entered password is: %s", userPassword); } /* Now move the password pointer forward the number of calculatd characters for the userPassword, * we move the pointer beyond the last read character (not -1), to start reading the real stuff */ yubiKeyId = apr_pstrndup(r->pool, &password[passwordLength], (apr_size_t) YUBIKEY_ID_LENGTH); ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "The calculated YubiKey ID is: %s", yubiKeyId); /* Find the TokenID/UN:PW solution in the file */ while (!(ap_cfg_getline(l, MAX_STRING_LEN, f))) { const char *rpw, *w; char *unPw = NULL; /* Skip # or blank lines. */ if ((l[0] == '#') || (!l[0])) { continue; } rpw = l; w = ap_getword(r->pool, &rpw, ':'); /* The first 12 chars are the ID which must be available in this file * else the user might be a yubikey user, but possibly a user we don't * want. */ if (!strncmp(yubiKeyId, w, 12)) { /* This would fetch the real username, * after the ID could be located */ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "Could find the ID: %s", w); /* remember, since we are working with the passwd * utility, this realName is hashed */ realName = ap_getword(r->pool, &rpw, '\n'); apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_OF); ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "The looked up realname is: %s", realName); ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "The looked up userPassword is: %s", userPassword); /* this results in username:password as it should be entered in the install dialog */ if (userPassword) { unPw = apr_pstrcat(r->pool, user, ":", userPassword, NULL); apr_table_set(r->headers_in, HDR_YK_AUTH_TYPE, YK_AUTH_TYPE_TF); ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "The built un:pw combo is: %s", unPw); } /* If there is a password set, use the username:password combo, * else just compare the username */ status = apr_password_validate(userPassword?unPw:user, realName); if (status == APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_DEBUG, 0, r, LOG_PREFIX "Could map ID %s to User: %s", w, user); userWasFound = TRUE; break; } } } ap_cfg_closefile(f); return userWasFound; }