(pam) switch to pam, with the option to disable our pam helper and switch back...

(pam) switch to pam, with the option to disable our pam helper and switch back to unix mode... for https://github.com/opnsense/core/issues/998

(pam) switch to pam, with the option to disable our pam helper and switch back...
(pam) switch to pam, with the option to disable our pam helper and switch back to unix mode... for https://github.com/opnsense/core/issues/998
f88eabc0 · Ad Schellevis · 089a3f07 · f88eabc0 · f88eabc0 · f88eabc0
Commit f88eabc0 authored Oct 25, 2016 by Ad Schellevis
4 changed files
--- a/src/etc/rc.configure_firmware
+++ b/src/etc/rc.configure_firmware
@@ -44,3 +44,4 @@ convert_config(true);

 system_firmware_configure();
 system_console_configure();
+configd_run('template reload OPNsense.Auth');
--- a/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
+++ b/src/opnsense/service/templates/OPNsense/Auth/+TARGETS
+sshd.pam:/etc/pam.d/sshd
--- a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
+++ b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
+#
+# $FreeBSD$
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn allow_local
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+{% if system.disableintegratedauth|default('0') == '1' %}
+auth		required	pam_unix.so		no_warn try_first_pass
+{% else %}
+auth		required	pam_opnsense.so
+{% endif %}
+
+# account
+account		required	pam_nologin.so
+#account	required	pam_krb5.so
+account		required	pam_login_access.so
+account		required	pam_unix.so
+
+# session
+#session	optional	pam_ssh.so		want_agent
+session		required	pam_permit.so
+
+# password
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
+password	required	pam_unix.so		no_warn try_first_pass
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -42,6 +42,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
    $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttpredirect']);
    $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
+    $pconfig['disableintegratedauth'] = !empty($config['system']['disableintegratedauth']);
    $pconfig['sudo_allow_wheel'] = isset($config['system']['sudo_allow_wheel']);
    $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
    $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
@@ -116,6 +117,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            unset($config['system']['disableconsolemenu']);
        }

+        if (!empty($pconfig['disableintegratedauth'])) {
+            $config['system']['disableintegratedauth'] = true;
+        } elseif (isset($config['system']['disableintegratedauth'])) {
+            unset($config['system']['disableintegratedauth']);
+        }
+
        if ($pconfig['sudo_allow_wheel'] == "yes") {
            $config['system']['sudo_allow_wheel'] = true;
        } elseif (isset($config['system']['sudo_allow_wheel'])) {
@@ -249,6 +256,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        services_dnsmasq_configure(false);
        services_unbound_configure(false);
        services_dhcpd_configure();
+        configd_run('template reload OPNsense.Auth');

        if ($restart_sshd) {
            configd_run('sshd restart', true);
@@ -579,6 +587,16 @@ include("head.inc");
                    <strong><?= gettext('Allow administrators to use the Sudo utility') ?></strong>
                  </td>
                </tr>
+                <tr>
+                  <td><a id="help_for_disableintegratedauth" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Integrated authentication") ?></td>
+                  <td width="78%">
+                    <input name="disableintegratedauth" type="checkbox" value="yes" <?= empty($pconfig['disableintegratedauth']) ? '' : 'checked="checked"' ?>  />
+                    <strong><?=gettext("Disable integrated authentication"); ?></strong>
+                    <div class="hidden" for="help_for_disableintegratedauth">
+                        <?=gettext("Disable OPNsense integrated authentication module for console access, falling back to normal unix authentication.");?>
+                    </div>
+                  </td>
+                </tr>
                <tr>
                  <td width="22%" valign="top">&nbsp;</td>
                  <td width="78%"><input name="Submit" type="submit" class="btn btn-primary" value="<?= gettext("Save") ?>" /></td>