Skip to content

O
OpnSense
Commit 66d982fd authored by Franco Fichtner's avatar Franco Fichtner
Browse files
Options

system: allow random password reset; closes #1351

parent f4942899
Hide whitespace changes
Inline Side-by-side
Showing with 27 additions and 16 deletions
src/etc/inc/auth.inc
View file @ 66d982fd
......@@ -497,10 +497,16 @@ function local_user_del($user)
local_group_del_user($user);
}
function local_user_set_password(&$user, $password)
function local_user_set_password(&$user, $password = null)
{
$cost = 10;
if ($password == null) {
/* generate a random password */
$bytes = openssl_random_pseudo_bytes(50);
$password = pack('H*',bin2hex($bytes));
}
$hash = password_hash($password, PASSWORD_BCRYPT, [ 'cost' => $cost ]);
if ($hash !== false) {
/*
......
src/www/system_usermanager.php
View file @ 66d982fd
......@@ -232,8 +232,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext("The username is longer than 16 characters.");
}
if (($pconfig['passwordfld1']) && ($pconfig['passwordfld1'] != $pconfig['passwordfld2'])) {
$input_errors[] = gettext("The passwords do not match.");
if (!empty($pconfig['passwordfld1'])) {
if ($pconfig['passwordfld1'] != $pconfig['passwordfld2']) {
$input_errors[] = gettext('The passwords do not match.');
}
if (!empty($pconfig['gen_new_password'])) {
$input_errors[] = gettext('Cannot set random password due to explicit input.');
}
}
if (!empty($pconfig['disabled']) && $_SESSION['Username'] === $a_user[$id]['name']) {
......@@ -305,6 +310,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
/* the user password was modified */
if (!empty($pconfig['passwordfld1'])) {
local_user_set_password($userent, $pconfig['passwordfld1']);
} elseif (!empty($pconfig['gen_new_password'])) {
local_user_set_password($userent);
}
isset($pconfig['scope']) ? $userent['scope'] = $pconfig['scope'] : $userent['scope'] = "system";
......@@ -572,8 +579,9 @@ $( document ).ready(function() {
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Password");?></td>
<td>
<input name="passwordfld1" type="password" class="formfld pwd" id="passwordfld1" size="20" value="" /><br/>
<input name="passwordfld2" type="password" class="formfld pwd" id="passwordfld2" size="20" value="" />&nbsp;
<small><?= gettext("(confirmation)"); ?></small>
<input name="passwordfld2" type="password" class="formfld pwd" id="passwordfld2" size="20" value="" />
<small><?= gettext("(confirmation)"); ?></small><br/><br/>
<input type="checkbox" name="gen_new_password"/>&nbsp;<small><?=gettext('Generate new random password') ?></small>
</td>
</tr>
<tr>
......@@ -822,7 +830,7 @@ $( document ).ready(function() {
<td><a id="help_for_otp_seed" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("OTP seed");?></td>
<td>
<input name="otp_seed" type="text" value="<?=$pconfig['otp_seed'];?>"/>
<input type="checkbox" name="gen_otp_seed"/>&nbsp;<small><?=gettext("generate new (160bit) secret");?></small>
<input type="checkbox" name="gen_otp_seed"/>&nbsp;<small><?= gettext('Generate new secret (160 bit)') ?></small>
<div class="hidden" for="help_for_otp_seed">
<?=gettext("OTP (base32) seed to use when a one time password authenticator is used");?><br/>
<?php
......
src/www/system_usermanager_import_ldap.php
View file @ 66d982fd
......@@ -30,13 +30,10 @@
require_once("guiconfig.inc");
require_once("auth.inc");
function add_local_user($username, $userdn, $userfullname) {
function add_local_user($username, $userdn, $userfullname)
{
global $config;
// generate new random user_password
$bytes = openssl_random_pseudo_bytes(50);
$user_password = pack('H*',bin2hex($bytes));
foreach ($config['system']['user'] as &$user) {
if ($user['name'] == $username && $user['name'] != 'root') {
// link local user to remote server by updating user_dn
......@@ -44,7 +41,7 @@ function add_local_user($username, $userdn, $userfullname) {
// trash user password when linking to ldap, avoid accidental login
// using fall-back local password. User could still reset it's
// local password, but only by choice.
local_user_set_password($user, $user_password);
local_user_set_password($user);
local_user_set($user);
return;
}
......@@ -55,7 +52,7 @@ function add_local_user($username, $userdn, $userfullname) {
$new_user['name'] = $username;
$new_user['user_dn'] = $userdn;
$new_user['descr'] = $userfullname;
local_user_set_password($new_user, $user_password);
local_user_set_password($new_user);
$new_user['uid'] = $config['system']['nextuid']++;
$config['system']['user'][] = $new_user;
local_user_set($new_user);
......
src/www/system_usermanager_passwordmg.php
View file @ 66d982fd
......@@ -35,8 +35,8 @@ if (isset($_POST['save'])) {
$input_errors = array();
/* input validation */
$reqdfields = explode(" ", "passwordfld0 passwordfld1 passwordfld2");
$reqdfieldsn = array(gettext("Password"));
$reqdfields = explode(' ', 'passwordfld0 passwordfld1');
$reqdfieldsn = array(gettext('Old password'), gettext('New password'));
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if ($_POST['passwordfld1'] != $_POST['passwordfld2'] ||
......@@ -49,6 +49,7 @@ if (isset($_POST['save'])) {
foreach ($config['system']['user'] as $user) {
if ($user['name'] == $username) {
$userFound = true;
break;
}
}
......@@ -57,7 +58,6 @@ if (isset($_POST['save'])) {
}
if (count($input_errors) == 0) {
// all values are okay --> saving changes
local_user_set_password($config['system']['user'][$userindex[$username]], $_POST['passwordfld1']);
local_user_set($config['system']['user'][$userindex[$username]]);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023