Commit 28a1b864 authored by laking's avatar laking

Update on certificte ssh-rsa authentication. Under construction are the shell plugins.

parent 892f21ac
-- database patch for rsa-key based shell access.
ALTER TABLE `sys_user` ADD `id_rsa` VARCHAR( 2000 ) NOT NULL ;
ALTER TABLE `sys_user` ADD `ssh_rsa` VARCHAR( 600 ) NOT NULL ;
ALTER TABLE `client` ADD `id_rsa` VARCHAR( 2000 ) NOT NULL ;
ALTER TABLE `client` ADD `ssh_rsa` VARCHAR( 600 ) NOT NULL ;
ALTER TABLE `shell_user` ADD `ssh_rsa` VARCHAR( 600 ) NOT NULL ;
......@@ -112,6 +112,8 @@ CREATE TABLE `client` (
`template_master` int(11) unsigned NOT NULL default '0',
`template_additional` varchar(255) NOT NULL default '',
`created_at` bigint(20) DEFAULT NULL,
`id_rsa` VARCHAR( 2000 ) NOT NULL default '',
`ssh_rsa` VARCHAR( 600 ) NOT NULL default '',
PRIMARY KEY (`client_id`)
) ENGINE=MyISAM AUTO_INCREMENT=1;
......@@ -1071,8 +1073,7 @@ CREATE TABLE `sys_user` (
`groups` varchar(255) NOT NULL default '',
`default_group` int(11) unsigned NOT NULL default '0',
`client_id` int(11) unsigned NOT NULL default '0',
`id_rsa` VARCHAR( 2000 ) NOT NULL default '',
`ssh_rsa` VARCHAR( 600 ) NOT NULL default '',
PRIMARY KEY (`userid`)
) ENGINE=MyISAM AUTO_INCREMENT=1;
......
......@@ -152,15 +152,12 @@ class page_action extends tform_actions {
//Generate ssh-rsa-keys
exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""');
$privatekey = file_get_contents('/tmp/id_rsa');
$publickey = file_get_contents('/tmp/id_rsa.pub');
$app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".file_get_contents('/tmp/id_rsa')."', ssh_rsa = '".file_get_contents('/tmp/id_rsa.pub')."' WHERE client_id = ".$this->id;
exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub');
// Create the controlpaneluser for the client
$sql = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id,id_rsa,ssh_rsa)
VALUES ('$username',md5('$password'),'$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,".$this->id.",'$privatekey','$publickey')";
$sql = "INSERT INTO sys_user (username,passwort,modules,startmodule,app_theme,typ,active,language,groups,default_group,client_id)
VALUES ('$username',md5('$password'),'$modules','$startmodule','$usertheme','$type','$active','$language',$groups,$groupid,".$this->id.")";
$app->db->query($sql);
//* If the user who inserted the client is a reseller (not admin), we will have to add this new client group
......@@ -170,7 +167,7 @@ class page_action extends tform_actions {
$app->db->query("UPDATE client SET parent_client_id = ".intval($_SESSION['s']['user']['client_id'])." WHERE client_id = ".$this->id);
}
$app->db->query("UPDATE client SET created_at = ".time()." WHERE client_id = ".$this->id);
/* If there is a client-template, process it */
applyClientTemplates($this->id);
......
......@@ -139,7 +139,7 @@ $form['tabs']['users'] = array (
'formtype' => 'TEXT',
'default' => '',
'datasource' => array ( 'type' => 'SQL',
'querystring' => 'SELECT id_rsa FROM sys_user WHERE {AUTHSQL}',
'querystring' => 'SELECT id_rsa FROM client WHERE {AUTHSQL}',
'valuefield'=> 'id_rsa'
),
'value' => ''
......@@ -149,7 +149,7 @@ $form['tabs']['users'] = array (
'formtype' => 'TEXT',
'default' => '',
'datasource' => array ( 'type' => 'SQL',
'querystring' => 'SELECT ssh_rsa FROM sys_user WHERE {AUTHSQL}',
'querystring' => 'SELECT ssh_rsa FROM client WHERE {AUTHSQL}',
'valuefield'=> 'ssh_rsa'
),
'value' => ''
......
......@@ -195,13 +195,17 @@ class shelluser_base_plugin {
}
function _setup_ssh_rsa() {
//global $app, $conf;
//$app->uses('system');
// Okay, here we have a question, .. how to determine the client id
//$var = "Var:".intval($this->app->system->getuid($this->data['new']['puser']));
//exec("echo $var >> /tmp/debug");
/*
// ssh-rsa authentication variables
$sshrsa = escapeshellcmd($this->data['new']['ssh_rsa']);
$usrdir = escapeshellcmd($this->data['new']['dir']);
$sshdir = escapeshellcmd($this->data['new']['dir']).'/.ssh';
$sshkeys= escapeshellcmd($this->data['new']['dir']).'/.ssh/authorized_keys';
global $app;
// determine the client id
$id = $this->data['new']['sys_groupid'];
......@@ -213,19 +217,12 @@ class shelluser_base_plugin {
// If this user has no key yet, generate a pair
if ($userkey == '')
{
{
//Generate ssh-rsa-keys
exec('ssh-keygen -t rsa -C '.$username.'-rsa-key-'.time().' -f /tmp/id_rsa -N ""');
$privatekey = file_get_contents('/tmp/id_rsa');
$publickey = file_get_contents('/tmp/id_rsa.pub');
$app->db->query("UPDATE client SET created_at = ".time().", id_rsa = '".file_get_contents('/tmp/id_rsa')."', ssh_rsa = '".file_get_contents('/tmp/id_rsa.pub')."' WHERE client_id = ".$this->id;
exec('rm -f /tmp/id_rsa /tmp/id_rsa.pub');
// Set the missing keypair
$app->db->query("UPDATE sys_user SET id_rsa='$privatekey' ,ssh_rsa='$publickey' WHERE client_id = ".$id);
$userkey = $publickey;
$this->app->log("ssh-rsa keypair generated for ".$username,LOGLEVEL_DEBUG);
};
......@@ -248,7 +245,7 @@ class shelluser_base_plugin {
// set proper file permissions
exec("chown -R ".escapeshellcmd($this->data['new']['puser']).":".escapeshellcmd($this->data['new']['pgroup'])." ".$usrdir);
exec("chmod 600 '$sshkeys'");
*/
$this->app->log("ssh-rsa key added to ".$sshkeys,LOGLEVEL_DEBUG);
}
......
......@@ -272,7 +272,7 @@ class shelluser_jailkit_plugin {
chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['pgroup']);
$this->app->log("Added created jailkit parent user home in : ".$this->data['new']['dir'].$jailkit_chroot_puserhome,LOGLEVEL_DEBUG);
/*
// ssh-rsa authentication variables
$sshrsa = escapeshellcmd($this->data['new']['ssh_rsa']);
$usrdir = escapeshellcmd($this->data['new']['dir']).'/'.$jailkit_chroot_userhome;
......@@ -327,7 +327,7 @@ class shelluser_jailkit_plugin {
exec("chmod 600 '$sshkeys'");
$this->app->log("ssh-rsa key added to ".$sshkeys,LOGLEVEL_DEBUG);
*/
}
//* Update the website root directory permissions depending on the security level
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment