X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/fd160168332e90569f0f87b573a39687797c3fcd..34e5f5eba3411855c9d3c733b6f11aa935f3d435:/doc/plugins/contrib/unixauth.mdwn diff --git a/doc/plugins/contrib/unixauth.mdwn b/doc/plugins/contrib/unixauth.mdwn index 2de6fc51f..6108ebfae 100644 --- a/doc/plugins/contrib/unixauth.mdwn +++ b/doc/plugins/contrib/unixauth.mdwn @@ -14,25 +14,9 @@ Config variables that affect the behavior of `unixauth`: __Security__: [As with passwordauth](/security/#index14h2), be wary of sending usernames and passwords in cleartext. Unlike passwordauth, sniffing `unixauth` credentials can get an attacker much further than mere wiki access. Therefore, this plugin defaults to not even _displaying_ the login form fields unless we're running under SSL. Nobody should be able to do anything remotely dumb until the admin has done at least a little thinking. After that, dumb things are always possible. ;-) -`unixauth` tests for the presence of the `HTTPS` environment variable. `Wrapper.pm` needs to be tweaked to pass it through; without that, the plugin fails closed. +`unixauth` needs the `HTTPS` environment variable, available in ikiwiki 2.67 or later (fixed in #[502047](http://bugs.debian.org/502047)), without which it fails closed. -[[!toggle id="diff" text="Wrapper.pm.diff"]] - -[[!toggleable id="diff" text=""" - - --- Wrapper.pm.orig 2008-07-29 00:09:10.000000000 -0400 - +++ Wrapper.pm - @@ -28,7 +28,7 @@ sub gen_wrapper () { #{{{ - my @envsave; - push @envsave, qw{REMOTE_ADDR QUERY_STRING REQUEST_METHOD REQUEST_URI - CONTENT_TYPE CONTENT_LENGTH GATEWAY_INTERFACE - - HTTP_COOKIE REMOTE_USER} if $config{cgi}; - + HTTP_COOKIE REMOTE_USER HTTPS} if $config{cgi}; - my $envsave=""; - foreach my $var (@envsave) { - $envsave.=<<"EOF" - -"""]] +The plugin has not been tested with newer versions of ikiwiki. [[schmonz]] hopes to have time to polish this plugin soon. [[!toggle id="code" text="unixauth.pm"]] @@ -46,16 +30,47 @@ __Security__: [As with passwordauth](/security/#index14h2), be wary of sending u use strict; use IkiWiki 2.00; - sub import { #{{{ + sub import { + hook(type => "getsetup", id => "unixauth", call => \&getsetup); hook(type => "formbuilder_setup", id => "unixauth", call => \&formbuilder_setup); hook(type => "formbuilder", id => "unixauth", call => \&formbuilder); hook(type => "sessioncgi", id => "unixauth", call => \&sessioncgi); - } # }}} + } + + sub getsetup () { + return + unixauth_type => { + type => "string", + example => "checkpassword", + description => "type of authenticator; can be 'checkpassword' or 'pwauth'", + safe => 0, + rebuild => 1, + }, + unixauth_command => { + type => "string", + example => "/path/to/checkpassword", + description => "full path and any arguments", + safe => 0, + rebuild => 1, + }, + unixauth_requiressl => { + type => "boolean", + example => "1", + description => "require SSL? strongly recommended", + safe => 0, + rebuild => 1, + }, + plugin => { + description => "Unix user authentication", + safe => 0, + rebuild => 1, + }, + } # Checks if a string matches a user's password, and returns true or false. - sub checkpassword ($$;$) { #{{{ + sub checkpassword ($$;$) { my $user=shift; my $password=shift; my $field=shift || "password"; @@ -100,9 +115,9 @@ __Security__: [As with passwordauth](/security/#index14h2), be wary of sending u } return $ret; - } #}}} + } - sub formbuilder_setup (@) { #{{{ + sub formbuilder_setup (@) { my %params=@_; my $form=$params{form}; @@ -173,7 +188,7 @@ __Security__: [As with passwordauth](/security/#index14h2), be wary of sending u } } - sub formbuilder (@) { #{{{ + sub formbuilder (@) { my %params=@_; my $form=$params{form}; @@ -194,12 +209,12 @@ __Security__: [As with passwordauth](/security/#index14h2), be wary of sending u my $user_name=$form->field('name'); } } - } #}}} + } - sub sessioncgi ($$) { #{{{ + sub sessioncgi ($$) { my $q=shift; my $session=shift; - } #}}} + } 1