X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/8de670263c16a8b58fbde87d76e3e33da0ddf942..be2af2e5c1ddfe90802a67aa150cf17dbe903df0:/doc/plugins/contrib/unixauth.mdwn diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index 12f885c33..c97312b59 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn @@ -1,154 +1,21 @@ [[!template id=plugin name=unixauth core=0 author="[[schmonz]]"]] [[!tag type/auth]] +[[!template id=gitbranch branch=unixauth author="[[schmonz]]"]] + This plugin authenticates users against the Unix user database. It presents a similar UI to [[plugins/passwordauth]], but simpler, as there's no need to be able to register or change one's password. -[pwauth](http://www.unixpapa.com/pwauth/) must be installed and working. In particular, it must be configured to recognize the UID of the calling web server, or authentication will always fail. Set `pwauth_path` to the full path of your pwauth binary. +To authenticate, either [checkpassword](http://cr.yp.to/checkpwd.html) or [pwauth](http://www.unixpapa.com/pwauth/) must be installed and configured. `checkpassword` is strongly preferred. If your web server runs as an unprivileged user -- as it darn well should! -- then `checkpassword` needs to be setuid root. (Or your ikiwiki CGI wrapper, I guess, but don't do that.) Other checkpassword implementations are available, notably [checkpassword-pam](http://checkpasswd-pam.sourceforge.net/). -As [with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike with passwordauth, sniffing these credentials can get an attacker much further than mere wiki access. SSL with this plugin is a __must__. +Config variables that affect the behavior of `unixauth`: -[[!toggle id="code" text="unixauth.pm"]] +* `unixauth_type`: defaults to unset, can be "checkpassword" or "pwauth" +* `unixauth_command`: defaults to unset, should contain the full path and any arguments +* `unixauth_requiressl`: defaults to 1, can be 0 +* `sslcookie`: needs to be 1 if `unixauth_requiressl` is 1 (perhaps this should be done automatically?) -[[!toggleable id="code" text=""" +__Security__: [As with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike passwordauth, sniffing `unixauth` credentials can get an attacker much further than mere wiki access. Therefore, this plugin defaults to not even _displaying_ the login form fields unless we're running under SSL. Nobody should be able to do anything remotely dumb until the admin has done at least a little thinking. After that, dumb things are always possible. ;-) - #!/usr/bin/perl - # Ikiwiki unixauth authentication. - package IkiWiki::Plugin::unixauth; - - use warnings; - use strict; - use IkiWiki 2.00; - - sub import { #{{{ - hook(type => "formbuilder_setup", id => "unixauth", - call => \&formbuilder_setup); - hook(type => "formbuilder", id => "unixauth", - call => \&formbuilder); - hook(type => "sessioncgi", id => "unixauth", call => \&sessioncgi); - } # }}} - - # Checks if a string matches a user's password, and returns true or false. - sub checkpassword ($$;$) { #{{{ - my $user=shift; - my $password=shift; - my $field=shift || "password"; - - # It's very important that the user not be allowed to log in with - # an empty password! - if (! length $password) { - return 0; - } - - my $ret=0; - if (! exists $config{pwauth_path}) { - $config{pwauth_path}="/usr/libexec/pwauth"; - } - open PWAUTH, "|$config{pwauth_path}" or die("Could not run pwauth"); - print PWAUTH "$user\n$password\n"; - close PWAUTH; - $ret=!($?>>8); - - if ($ret) { - my $userinfo=IkiWiki::userinfo_retrieve(); - if (! length $user || ! defined $userinfo || - ! exists $userinfo->{$user} || ! ref $userinfo->{$user}) { - IkiWiki::userinfo_setall($user, { - 'email' => '', - 'regdate' => time, - }); - } - } - - return $ret; - } #}}} - - sub formbuilder_setup (@) { #{{{ - my %params=@_; - - my $form=$params{form}; - my $session=$params{session}; - my $cgi=$params{cgi}; - - if ($form->title eq "signin") { - $form->field(name => "name", required => 0); - $form->field(name => "password", type => "password", required => 0); - - if ($form->submitted) { - my $submittype=$form->submitted; - # Set required fields based on how form was submitted. - my %required=( - "Login" => [qw(name password)], - ); - foreach my $opt (@{$required{$submittype}}) { - $form->field(name => $opt, required => 1); - } - - # Validate password against name for Login. - if ($submittype eq "Login") { - $form->field( - name => "password", - validate => sub { - checkpassword($form->field("name"), shift); - }, - ); - } - - elsif ($submittype eq "Login") { - $form->field( - name => "name", - validate => sub { - my $name=shift; - length $name && - IkiWiki::userinfo_get($name, "regdate"); - }, - ); - } - } - else { - # First time settings. - $form->field(name => "name"); - if ($session->param("name")) { - $form->field(name => "name", value => $session->param("name")); - } - } - } - elsif ($form->title eq "preferences") { - $form->field(name => "name", disabled => 1, - value => $session->param("name"), force => 1, - fieldset => "login"); - $form->field(name => "password", disabled => 1, type => "password", - fieldset => "login"), - } - } - - sub formbuilder (@) { #{{{ - my %params=@_; - - my $form=$params{form}; - my $session=$params{session}; - my $cgi=$params{cgi}; - my $buttons=$params{buttons}; - - if ($form->title eq "signin") { - if ($form->submitted && $form->validate) { - if ($form->submitted eq 'Login') { - $session->param("name", $form->field("name")); - IkiWiki::cgi_postsignin($cgi, $session); - } - } - } - elsif ($form->title eq "preferences") { - if ($form->submitted eq "Save Preferences" && $form->validate) { - my $user_name=$form->field('name'); - } - } - } #}}} - - sub sessioncgi ($$) { #{{{ - my $q=shift; - my $session=shift; - } #}}} - - 1 +`unixauth` needs the `HTTPS` environment variable, available in ikiwiki 2.67 or later (fixed in #[502047](http://bugs.debian.org/502047)), without which it fails closed. -"""]] +The plugin has not been tested with newer versions of ikiwiki. [[schmonz]] hopes to have time to polish this plugin soon.