From 08c588789bb4663f38cbe53e2055b530d2029b60 Mon Sep 17 00:00:00 2001
From: laking
Date: Mon, 4 Apr 2011 03:53:30 +0000
Subject: [PATCH] Implemented passwordless ssh-rsa authentication support.

---
 interface/web/client/client_edit.php | 15 +++-
 interface/web/sites/form/shell_user.tform.php | 9 ++-
 .../web/sites/templates/shell_user_edit.htm | 4 ++
 .../web/sites/templates/web_domain_ssl.htm | 2 +-
 .../web/tools/form/user_settings.tform.php | 22 +++++-
 .../web/tools/lib/lang/de_usersettings.lng | 2 +-
 .../web/tools/lib/lang/en_usersettings.lng | 2 +-
 .../web/tools/lib/lang/hu_usersettings.lng | 2 +-
 .../web/tools/templates/user_settings.htm | 8 +++
 .../shelluser_base_plugin.inc.php | 71 ++++++++++++++++++-
 .../shelluser_jailkit_plugin.inc.php | 56 +++++++++++++++
 11 files changed, 182 insertions(+), 11 deletions(-)

diff --git a/interface/web/client/client_edit.php b/interface/web/client/client_edit.php
index 0cee48a6ab..9b57d72951 100644
--- a/interface/web/client/client_edit.php
+++ b/interface/web/client/client_edit.php
@@ -149,9 +149,17 @@ class page_action extends tform_actions { $active = 1; $language = $app->db->quote($this->dataRecord["language"]); + //Generate ssh-rsa-keys + exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""'); + + $privatekey = file_get_contents('/tmp/id_rsa'); + $publickey = file_get_contents('/tmp/id_rsa.pub'); + + exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub'); + // Create the controlpaneluser for the client - $sql = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id) - VALUES ('$username',md5('$password'),'$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,".$this->id.")"; + $sql = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id,id_rsa,ssh_rsa) + VALUES ('$username',md5('$password'),'$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,".$this->id.",'$privatekey','$publickey')"; $app->db->query($sql); //* If the user who inserted the client is a reseller (not admin), we will have to add this new client group @@ -214,6 +222,7 @@ class page_action extends tform_actions { $sql = "UPDATE sys_user SET modules = '$modules' WHERE client_id = $client_id"; $app->db->query($sql); } + /* * If there is a client-template, process it */ applyClientTemplates($this->id); @@ -225,4 +234,4 @@ class page_action extends tform_actions { $page = new page_action; $page->onLoad(); -?> \ No newline at end of file +?> diff --git a/interface/web/sites/form/shell_user.tform.php b/interface/web/sites/form/shell_user.tform.php index 0b009bb459..ec7b612761 100644 --- a/interface/web/sites/form/shell_user.tform.php +++ b/interface/web/sites/form/shell_user.tform.php 
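Review bot: The new ssh-keygen call builds its command by concatenating `$username` without `escapeshellarg()` and writes the pair to the fixed path `/tmp/id_rsa`, so a file already present there (a concurrent client creation, or anything left behind by an earlier failure) makes ssh-keygen refuse to overwrite, and `file_get_contents()` then returns stale content or `false`, which goes into `sys_user` unnoticed. Generate into a fresh 0700 directory obtained via `tempnam()`/`mkdir()`, pass the comment through `escapeshellarg()`, and check the return status of `exec()` before reading the files. The resulting `$privatekey`/`$publickey` are also the only values in the INSERT that bypass `$app->db->quote()`, unlike `$language` two lines above. The same generation block is repeated in shelluser_base_plugin.inc.php and shelluser_jailkit_plugin.inc.php and should live in one helper. The diffstat lists no SQL schema change for the new `id_rsa`/`ssh_rsa` columns of `sys_user` and `shell_user`, so unless they are added elsewhere this INSERT fails at runtime.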
@@ -127,6 +127,13 @@ $form["tabs"]['shell'] = array ( 'default' => 'y', 'value' => array(0 => 'n',1 => 'y') ), + 'ssh_rsa' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => '', + 'value' => '', + 'maxlength' => '600' + ), ################################## # ENDE Datatable fields ################################## @@ -193,4 +200,4 @@ $form["tabs"]['advanced'] = array ( } -?> \ No newline at end of file +?> diff --git a/interface/web/sites/templates/shell_user_edit.htm b/interface/web/sites/templates/shell_user_edit.htm index 765574350d..6e2c3d9f81 100644 --- a/interface/web/sites/templates/shell_user_edit.htm +++ b/interface/web/sites/templates/shell_user_edit.htm @@ -43,6 +43,10 @@
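Review bot: `ssh_rsa` is added with no `validators` entry, although the server plugins later write this value into the shell user's `authorized_keys` through a shell `echo`; a `REGEX` validator restricting it to the authorized_keys line format would reject anything that is not a public key before it reaches the server, e.g. `'validators' => array(0 => array('type' => 'REGEX', 'regex' => '/^\s*(ssh-rsa|ssh-dss) [A-Za-z0-9+\/=]+( [^\r\n]*)?\s*$/', 'errmsg' => 'ssh_rsa_error_regex')),` (the `errmsg` key is a constructed name that needs a matching lang entry). `'maxlength' => '600'` is shorter than a 4096-bit RSA public key line (over 700 characters), so the input field silently truncates such keys; raise it or switch the formtype to TEXTAREA.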

 MB

+
+ + +

{tmpl_var name='active_txt'}

diff --git a/interface/web/sites/templates/web_domain_ssl.htm b/interface/web/sites/templates/web_domain_ssl.htm
index 9e86006921..e28201547f 100644
--- a/interface/web/sites/templates/web_domain_ssl.htm
+++ b/interface/web/sites/templates/web_domain_ssl.htm
@@ -33,7 +33,7 @@
- +
diff --git a/interface/web/tools/form/user_settings.tform.php b/interface/web/tools/form/user_settings.tform.php index 516031a18d..df3f5a8675 100644 --- a/interface/web/tools/form/user_settings.tform.php +++ b/interface/web/tools/form/user_settings.tform.php @@ -133,6 +133,26 @@ $form['tabs']['users'] = array ( 'maxlength' => '2', 'rows' => '', 'cols' => '' + ), + 'id_rsa' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => '', + 'datasource' => array ( 'type' => 'SQL', + 'querystring' => 'SELECT id_rsa FROM sys_user WHERE {AUTHSQL}', + 'valuefield'=> 'id_rsa' + ), + 'value' => '' + ), + 'ssh_rsa' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => '', + 'datasource' => array ( 'type' => 'SQL', + 'querystring' => 'SELECT ssh_rsa FROM sys_user WHERE {AUTHSQL}', + 'valuefield'=> 'ssh_rsa' + ), + 'value' => '' ) ################################## # ENDE Datenbankfelder @@ -141,4 +161,4 @@ $form['tabs']['users'] = array ( ); -?> \ No newline at end of file +?> diff --git a/interface/web/tools/lib/lang/de_usersettings.lng b/interface/web/tools/lib/lang/de_usersettings.lng index 28b1f74e9c..1791b71dec 100644 --- a/interface/web/tools/lib/lang/de_usersettings.lng +++ b/interface/web/tools/lib/lang/de_usersettings.lng @@ -3,6 +3,6 @@ $wb['passwort_txt'] = 'Passwort'; $wb['language_txt'] = 'Sprache'; $wb['password_mismatch'] = 'Die Passwörter stimmen nicht überein.'; $wb['password_strength_txt'] = 'Passwortkomplexität'; -$wb['Form to edit the user password and language.'] = 'Formular, um das Benutzerpasswort und die Sprache zu bearbeiten.'; +$wb['Form to edit the user password and language.'] = 'Formular, um das Benutzerpasswort, die Sprache und die authentication zu bearbeiten.'; $wb['Settings'] = 'Einstellungen'; ?> diff --git a/interface/web/tools/lib/lang/en_usersettings.lng b/interface/web/tools/lib/lang/en_usersettings.lng index bfe487113b..4169e8cce2 100644 --- a/interface/web/tools/lib/lang/en_usersettings.lng 
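Review bot: `id_rsa` — the private half of the generated key pair — is loaded from `sys_user` into an editable TEXT field here and, judging by the template change in user_settings.htm, rendered in the browser, so the private key is kept in plaintext in the database, displayed on every visit and resubmitted with the form, where the user can overwrite it. If the intent is only to let the user fetch the key, a read-only download that does not round-trip through the form would be safer; if users are expected to bring their own key, only the public `ssh_rsa` field should be editable at all. Neither field has a `validators` entry, and the `ssh_rsa` value set here is what the server plugins append to every new shell user's `authorized_keys` with an unescaped shell `echo`, so the same authorized_keys-format `REGEX` validator that shell_user.tform.php needs belongs here too.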
+++ b/interface/web/tools/lib/lang/en_usersettings.lng @@ -3,6 +3,6 @@ $wb["passwort_txt"] = 'Password'; $wb["password_strength_txt"] = 'Password strength'; $wb["language_txt"] = 'Language'; $wb["password_mismatch"] = 'The password in the second password field does not match the first password.'; -$wb["Form to edit the user password and language."] = 'Form to edit the user password and language.'; +$wb["Form to edit the user password and language."] = 'Form to edit the user password, language, and authentication.'; $wb["Settings"] = 'Settings'; ?> diff --git a/interface/web/tools/lib/lang/hu_usersettings.lng b/interface/web/tools/lib/lang/hu_usersettings.lng index 89dc62835e..d9cc0bf9d1 100644 --- a/interface/web/tools/lib/lang/hu_usersettings.lng +++ b/interface/web/tools/lib/lang/hu_usersettings.lng @@ -2,7 +2,7 @@ $wb['passwort_txt'] = 'Jelszó'; $wb['language_txt'] = 'Nyelv'; $wb['password_mismatch'] = 'Jelszavak nem egyeznek meg.'; -$wb['Form to edit the user password and language.'] = 'Jelszó és nyelv beállító oldal.'; +$wb['Form to edit the user password and language.'] = 'Jelszó, nyelv és hitelesítés beállító oldal.'; $wb['Settings'] = 'Beállítások'; $wb['password_strength_txt'] = 'Jelszó erősség'; ?> diff --git a/interface/web/tools/templates/user_settings.htm b/interface/web/tools/templates/user_settings.htm index 658b94faff..a3202adb77 100644 --- a/interface/web/tools/templates/user_settings.htm +++ b/interface/web/tools/templates/user_settings.htm @@ -24,6 +24,14 @@ {tmpl_var name='language'}
+
+ + +
+
+ + +
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php index 69348f58f0..22c5f5f4e5 100755 --- a/server/plugins-available/shelluser_base_plugin.inc.php +++ b/server/plugins-available/shelluser_base_plugin.inc.php @@ -88,6 +88,12 @@ class shelluser_base_plugin { exec($command); $app->log("Executed command: ".$command,LOGLEVEL_DEBUG); $app->log("Added shelluser: ".$data['new']['username'],LOGLEVEL_DEBUG); + + // call the ssh-rsa update function + $app->uses("getconf"); + $this->data = $data; + $this->app = $app; + $this->_setup_ssh_rsa(); //* Create .bash_history file touch(escapeshellcmd($data['new']['dir']).'/.bash_history'); @@ -134,7 +140,12 @@ class shelluser_base_plugin { exec($command); $app->log("Executed command: $command ",LOGLEVEL_DEBUG); $app->log("Updated shelluser: ".$data['old']['username'],LOGLEVEL_DEBUG); - + + // call the ssh-rsa update function + $app->uses("getconf"); + $this->data = $data; + $this->app = $app; + $this->_setup_ssh_rsa(); //* Create .bash_history file if(!is_file($data['new']['dir']).'/.bash_history') { 
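Review bot: `_setup_ssh_rsa()` is called unconditionally from both the insert hook and the update hook, and since the helper only ever appends (`echo '$sshrsa' >> '$sshkeys'`), every later save of the shell user adds the same key line to `authorized_keys` again, while a key cleared or replaced in the form is never removed. In the update hook guard the call with `if ($data['old']['ssh_rsa'] != $data['new']['ssh_rsa'])` and have the helper rewrite its managed entries instead of appending. `$app->uses("getconf")` is loaded before each call, but `_setup_ssh_rsa()` does not use `getconf`, so those two lines look like leftovers. Both hook bodies start and end outside the hunks.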
@@ -183,7 +194,63 @@ class shelluser_base_plugin { } - + function _setup_ssh_rsa() { + + // ssh-rsa authentication variables + $sshrsa = escapeshellcmd($this->data['new']['ssh_rsa']); + $usrdir = escapeshellcmd($this->data['new']['dir']); + $sshdir = escapeshellcmd($this->data['new']['dir']).'/.ssh'; + $sshkeys= escapeshellcmd($this->data['new']['dir']).'/.ssh/authorized_keys'; + global $app; + + // determine the client id + $id = $this->data['new']['sys_groupid']; + if ($id>0) $id = $id -1; + + $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ".$id); + $userkey = $user['ssh_rsa']; + $username= $user['username']; + + // If this user has no key yet, generate a pair + if ($userkey == '') + { + //Generate ssh-rsa-keys + exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""'); + + $privatekey = file_get_contents('/tmp/id_rsa'); + $publickey = file_get_contents('/tmp/id_rsa.pub'); + + exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub'); + + // Set the missing keypair + $app->db->query("UPDATE sys_user SET id_rsa='$privatekey' ,ssh_rsa='$publickey' WHERE client_id = ".$id); + $userkey = $publickey; + + $this->app->log("ssh-rsa keypair generated for ".$username,LOGLEVEL_DEBUG); + + }; + + if (!file_exists($sshkeys)) + { + // add root's key + exec("mkdir '$sshdir'"); + exec("cat /root/.ssh/authorized_keys > '$sshkeys'"); + exec("echo '' >> '$sshkeys'"); + + // add the user's key + exec("echo '$userkey' >> '$sshkeys'"); + exec("echo '' >> '$sshkeys'"); + } + // add the custom key + exec("echo '$sshrsa' >> '$sshkeys'"); + exec("echo '' >> '$sshkeys'"); + + // set proper file permissions + exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$usrdir); + exec("chmod 600 '$sshkeys'"); + + $this->app->log("ssh-rsa key added to ".$sshkeys,LOGLEVEL_DEBUG); + } } // end class 
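Review bot: In `_setup_ssh_rsa()` the form value `$sshrsa` and the database value `$userkey` are written to `authorized_keys` by interpolating them into `exec("echo '...' >> '$sshkeys'")`, which runs as root: `$userkey` — settable by the client through the new user-settings form — is not escaped at all, and `escapeshellcmd()` is the wrong primitive for an argument (it leaves paired quotes untouched, so `$sshrsa` can still terminate the single-quoted string), and the same applies to `mkdir '$sshdir'` and the unquoted `chown -R ... $usrdir`. None of this needs a shell: the directory and file can be created and appended with PHP's `mkdir()`, `file_put_contents(..., FILE_APPEND)`, `chown()`, `chgrp()` and `chmod()` as sketched below, which also creates `.ssh` as 0700 and avoids the recursive chown of the whole home. The `UPDATE sys_user SET id_rsa='$privatekey' ...` statement interpolates generated key material without `$app->db->quote()`, and the generation itself shares the fixed `/tmp/id_rsa` problem already raised for client_edit.php. Copying `/root/.ssh/authorized_keys` into every shell user's file hands the root key list to that user and lets every root key holder log in as the user, so if that is intended it should be an explicit server-config option (the sketch omits it); the `sys_groupid - 1` mapping to `client_id` also looks like an assumption worth a comment. The identical block in shelluser_jailkit_plugin.inc.php has the same issues.
```php
function _setup_ssh_rsa() {
    global $app;
    // Raw values: they are written to a file, not passed to a shell, so no escapeshellcmd().
    $sshrsa  = trim($this->data['new']['ssh_rsa']);
    $sshdir  = $this->data['new']['dir'].'/.ssh';
    $sshkeys = $sshdir.'/authorized_keys';

    // … unchanged: client id lookup and key pair generation (quote key material with $app->db->quote()) …

    if (!is_dir($sshdir) && !mkdir($sshdir, 0700)) {
        $app->log("Could not create ".$sshdir, LOGLEVEL_WARN);
        return;
    }
    $lines = '';
    if (!file_exists($sshkeys) && $userkey != '') {
        $lines .= $userkey."\n";   // the client's own generated key, first write only
    }
    if ($sshrsa != '') {
        $lines .= $sshrsa."\n";    // the key entered in the shell user form
    }
    if ($lines !== '' && file_put_contents($sshkeys, $lines, FILE_APPEND) === false) {
        $app->log("Could not write ".$sshkeys, LOGLEVEL_WARN);
        return;
    }
    chown($sshdir,  $this->data['new']['puser']);
    chgrp($sshdir,  $this->data['new']['pgroup']);
    chown($sshkeys, $this->data['new']['puser']);
    chgrp($sshkeys, $this->data['new']['pgroup']);
    chmod($sshkeys, 0600);

    $app->log("ssh-rsa key added to ".$sshkeys, LOGLEVEL_DEBUG);
}
```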
diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php
index b1ee45e2ff..ca7b5abaf1 100755
--- a/server/plugins-available/shelluser_jailkit_plugin.inc.php
+++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php
@@ -272,6 +272,62 @@ class shelluser_jailkit_plugin { chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['pgroup']); $this->app->log("Added created jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome,LOGLEVEL_DEBUG); + + // ssh-rsa authentication variables + $sshrsa = escapeshellcmd($this->data['new']['ssh_rsa']); + $usrdir = escapeshellcmd($this->data['new']['dir']).'/'.$jailkit_chroot_userhome; + $sshdir = escapeshellcmd($this->data['new']['dir']).'/'.$jailkit_chroot_userhome.'/.ssh'; + $sshkeys= escapeshellcmd($this->data['new']['dir']).'/'.$jailkit_chroot_userhome.'/.ssh/authorized_keys'; + global $app; + + // determine the client id + $id = $this->data['new']['sys_groupid']; + if ($id>0) $id = $id -1; + + $user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ".$id); + $userkey = $user['ssh_rsa']; + $username= $user['username']; + + // If this user has no key yet, generate a pair + if ($userkey == '') + { + //Generate ssh-rsa-keys + exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' 
-f /tmp/id_rsa -N ""'); + + $privatekey = file_get_contents('/tmp/id_rsa'); + $publickey = file_get_contents('/tmp/id_rsa.pub'); + + exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub'); + + // Set the missing keypair + $app->db->query("UPDATE sys_user SET id_rsa='$privatekey' ,ssh_rsa='$publickey' WHERE client_id = ".$id); + $userkey = $publickey; + + $this->app->log("ssh-rsa keypair generated for ".$username,LOGLEVEL_DEBUG); + + }; + + if (!file_exists($sshkeys)) + { + // add root's key + exec("mkdir '$sshdir'"); + exec("cat /root/.ssh/authorized_keys > '$sshkeys'"); + exec("echo '' >> '$sshkeys'"); + + // add the user's key + exec("echo '$userkey' >> '$sshkeys'"); + exec("echo '' >> '$sshkeys'"); + } + // add the custom key + exec("echo '$sshrsa' >> '$sshkeys'"); + exec("echo '' >> '$sshkeys'"); + + // set proper file permissions + exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$usrdir); + exec("chmod 600 '$sshkeys'"); + + $this->app->log("ssh-rsa key added to ".$sshkeys,LOGLEVEL_DEBUG); + } //* Update the website root directory permissions depending on the security level -- GitLab
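Review bot: The block added after the jailkit home creation appears to be a verbatim copy of `_setup_ssh_rsa()` from shelluser_base_plugin.inc.php with the chroot home substituted, so the shell-quoting, fixed `/tmp/id_rsa` and SQL-quoting issues raised there apply here unchanged and would have to be fixed twice. Factoring the key handling into one shared function that takes the target home directory as a parameter (the base plugin already has it as a method) would keep the two shell-user plugins from drifting apart. The line break inside the `ssh-keygen` string at the start of this line looks like a rendering artifact rather than part of the patch. The enclosing method starts and ends outside the hunk.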