Home Explore Help
Register Sign In
ortiche.net
/
pureftpd-auth
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
pureftpd-auth
/
pureftpd-auth.pl

pureftpd-auth.pl 6.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197 
  1. #!/usr/bin/perl
    2. 

  2. 

  3. ### v.2.0.2 by zio 06/4/2012 
    4. 

  4. ### v.3.0.0 by gine 11/10/2015 
    5. 

  5. ### v.3.0.1 by gine 22/10/2015 
    6. 

  6. 

  7. 

  8. ### uses
    9. 

  9. #
    10. 

  10. use DBI;
    11. 

  11. #use Crypt::Random;
    12. 

  12. #use Crypt::Passwd::XS qw(unix_sha256_crypt);
    13. 

  13. #use Crypt::Passwd::XS qw(unix_md5_crypt);
    14. 

  14. use Crypt::Passwd::XS;				### The blowfish crypt() scheme is currently unsupported by Crypt::Passwd::XS::crypt() ,
    15. 

  15. use Crypt::Eksblowfish::Bcrypt qw(bcrypt);	### so additional Crypt::Eksblowfish::Bcrypt::bcrypt() is being used 
    16. 

  16. use Digest::SHA qw(sha256_hex);
    17. 

  17. use Log::Log4perl qw(get_logger :levels);
    18. 

  18. 

  19. ### conf
    20. 

  20. #
    21. 

  21. $SCRIPT_DIR="/usr/local/ortiche/pureftpd-auth";
    22. 

  22. $AUTH_DIR="$SCRIPT_DIR/auth";
    23. 

  23. require "$AUTH_DIR/pureftpd.pl";
    24. 

  24. 

  25. $AUTH_LOG="/var/log/pure-ftpd/auth.log";		### log kept for debug, to remove in future because of privacy !!!
    26. 

  26. 

  27. $SHA256_DEFAULT_ROUNDS = 5000;
    28. 

  28. 

  29. ### variables read from environment ( pure-authd )
    30. 

  30. #
    31. 

  31. $REQ_USER=$ENV{AUTHD_ACCOUNT};                        ### TODO: sanitize input ?
    32. 

  32. $REQ_PASS=$ENV{AUTHD_PASSWORD};                       #
    33. 

  33. $SERVER_IP=$ENV{AUTHD_LOCAL_IP};
    34. 

  34. #AUTHD_LOCAL_PORT
    35. 

  35. #AUTHD_REMOTE_IP
    36. 

  36. #AUTHD_ENCRYPTED
    37. 

  37. 

  38. @numbers = split(/\./, $SERVER_IP);
    39. 

  39. $ip_number = pack("C4", @numbers);
    40. 

  40. ($server_name) = (gethostbyaddr($ip_number, 2))[0];
    41. 

  41. if (not $server_name)
    42. 

  42. {
    43. 

  43. 	$server_name=$SERVER_IP;
    44. 

  44. }
    45. 

  45. 

  46. ### variables shared with subs
    47. 

  47. #
    48. 

  48. my $DB_conn;
    49. 

  49. my $auth_logger;
    50. 

  50. 

  51. ### always returns with sub auth_return() ...
    52. 

  52. #
    53. 

  53. sub auth_return
    54. 

  54. {
    55. 

  55. 	my ( $RET_AUTH, $RET_DIR ) = @_;
    56. 

  56. 

  57. 	$auth_logger->info("auth_ok:", $RET_AUTH, " , reason: auth terminated, user: ", $REQ_USER);
    58. 

  58. 

  59. 	if ( $RET_AUTH == 1 )				### add extra checks on fields...
    60. 

  60. 	{
    61. 

  61. 	       	print "auth_ok:1\n";
    62. 

  62. #	        print "uid:", $RET_UID, "\n";		#### TODO: fix DB and user creation scripts instead!!!
    63. 

  63. #	        print "gid:", $RET_GID, "\n";		##
    64. 

  64. 	        print "uid:33\n";			##
    65. 

  65. 	        print "gid:33\n";			##
    66. 

  66. 	        print "dir:", $RET_DIR, "\n";
    67. 

  67. 	        print "end\n";
    68. 

  68. 		exit 0;
    69. 

  69. 	}
    70. 

  70. 	else
    71. 

  71. 	{
    72. 

  72. 	        print "auth_ok:", $RET_AUTH, "\n";
    73. 

  73.         	print "end\n";
    74. 

  74. 		exit 1;
    75. 

  75. 	}
    76. 

  76. }
    77. 

  77. 

  78. 

  79. ### logging subs
    80. 

  80. #
    81. 

  81. sub auth_log_init
    82. 

  82. {
    83. 

  83. # log4perl levels:
    84. 

  84. # 	DEBUG INFO WARN ERROR FATAL 
    85. 

  85. 	Log::Log4perl->easy_init({
    86. 

  86. 		file  => ">> $AUTH_LOG",
    87. 

  87. 		level => $INFO,
    88. 

  88. 		layout => "[3.0.1] [%d{yy/MM/dd-HH:mm}] [%p] (%F{2} line %L) %m%n",
    89. 

  89. 	},{
    90. 

  90. 		file  => "STDERR",
    91. 

  91. 		level => $DEBUG,
    92. 

  92. 		layout => "[3.0.1] [%d{yy/MM/dd-HH:mm}] [%p] (%F{2} line %L) %m%n",
    93. 

  93. 	});
    94. 

  94. 	$auth_logger = Log::Log4perl->get_logger();
    95. 

  95. }
    96. 

  96. 

  97. 

  98. ### digests, salts and crypt() subs
    99. 

  99. #
    100. 

  100. sub check_crypt {
    101. 

  101. 	my ( $plain_password, $hashed_password ) = @_;
    102. 

  102. 	my $encrypted;
    103. 

  103.     if ( $hashed_password =~ /(\$2a\$[0-9]{2}\$[A-Za-z0-9.\/]{22})/ ) {
    104. 

  104. 		$encrypted = Crypt::Eksblowfish::Bcrypt::bcrypt($plain_password, $hashed_password);	### Blowfish scheme
    105. 

  105.     } else {
    106. 

  106. 		$encrypted = Crypt::Passwd::XS::crypt($plain_password, $hashed_password);		### MD5, SHA256 schemes
    107. 

  107. 	}
    108. 

  108. 

  109. 	return ( $encrypted eq $hashed_password );
    110. 

  110. }
    111. 

  111. 

  112. sub sha256_salt {
    113. 

  113. #	my $salt = en_base64(Crypt::Random::makerandom_octet(Length=>16));
    114. 

  114. 	my @letters = ('A' .. 'Z', 'a' .. 'z', '0' .. '9', '/', '.');
    115. 

  115. 	my $salt;
    116. 

  116. 	for (1 .. 16) { $salt .= $letters[rand@letters]; }
    117. 

  117. 	return '$5$'.'rounds='.$SHA256_DEFAULT_ROUNDS.'$'.$salt;
    118. 

  118. }
    119. 

  119. 

  120. #sub migra_update_pw {
    121. 

  121. #	my ( $req_user, $req_pass ) = @_;
    122. 

  122. #	my $p_sha256 = sha256_hex($req_pass);
    123. 

  123. #	my $p_sha256_crypt_salt = Crypt::Passwd::XS::crypt($req_pass, sha256_salt());
    124. 

  124. #	my $UPD_QUERY = "UPDATE $DB_TABLE SET password = NULL, password_sha256 = '$p_sha256', password_crypt = '$p_sha256_crypt_salt' WHERE username = '$req_user'";
    125. 

  125. #	$auth_logger->info("updated password for hrd style: ".$REQ_USER);	
    126. 

  126. #	return $DB_conn->do($UPD_QUERY);
    127. 

  127. #}
    128. 

  128. 

  129. #deprecated
    130. 

  130. sub migra_pw {
    131. 

  131. 	my ( $req_user, $req_pass ) = @_;
    132. 

  132. 	my $p_sha256_crypt_salt = Crypt::Passwd::XS::crypt($req_pass, sha256_salt());
    133. 

  133. 	$auth_logger->info("going to run password migration, user: ".$REQ_USER);	
    134. 

  134. 	my $UPD_QUERY = "UPDATE $DB_TABLE SET password = NULL, password_crypt = '$p_sha256_crypt_salt' WHERE username = '$req_user'";
    135. 

  135. 	return $DB_conn->do($UPD_QUERY);
    136. 

  136. }
    137. 

  137. 

  138. sub update_hrd_pw {
    139. 

  139. 	my ( $req_user, $req_pass ) = @_;
    140. 

  140. 	my $p_sha256 = sha256_hex($req_pass);
    141. 

  141. 	my $UPD_QUERY = "UPDATE $DB_TABLE SET password_sha256 = '$p_sha256' WHERE username = '$req_user'";
    142. 

  142. 	$auth_logger->info("updated password for hrd style, user: ".$REQ_USER);	
    143. 

  143. 	return $DB_conn->do($UPD_QUERY);
    144. 

  144. }
    145. 

  145. 

  146. ### end of subs
    147. 

  147. 

  148. ### begins setting up log
    149. 

  149. #
    150. 

  150. auth_log_init();
    151. 

  151. $auth_logger->info("reason: auth begun , user: ", $REQ_USER);	
    152. 

  152. $server_name='web01.indivia.net';
    153. 

  153. #$auth_logger->debug("server ip: '$SERVER_IP'\n");
    154. 

  154. #$auth_logger->debug("server name: '$server_name'\n");
    155. 

  155. 

  156. if ( $REQ_USER eq "" )
    157. 

  157. {
    158. 

  158. 	$auth_logger->fatal("reason: empty user");
    159. 

  159. 	auth_return(-1, "");
    160. 

  160. }
    161. 

  161. 

  162. $DB_conn = DBI->connect("DBI:mysql:database=$DB_DB;host=$DB_HOST", $DB_USER, $DB_PASS)
    163. 

  163. 			|| $auth_logger->fatal("fatal: connect() to DB") 
    164. 

  164. 			&& auth_return(-1, "");
    165. 

  165. 

  166. ### runs query and checks
    167. 

  167. #
    168. 

  168. my $QUERY_pureftpd = $DB_conn->prepare("SELECT path, password_sha256, password_crypt FROM $DB_TABLE JOIN directories USING (dir_id) JOIN hosts_urls USING (url_id) JOIN hosts USING (host_id) WHERE username='$REQ_USER' AND ftp = 'Y' AND hostname = '$server_name'")
    169. 

  169. 	|| $auth_logger->fatal("prepare() query, reason: no user? no ftp=Y? wrong \$server_name ?, user: ".$REQ_USER) 
    170. 

  170. 	&& auth_return(-1, "");
    171. 

  171. 

  172. $QUERY_pureftpd->execute() 
    173. 

  173. 	|| $auth_logger->fatal("execute() query, reason: no user? no ftp=Y? wrong \$server_name ?, user: ".$REQ_USER)
    174. 

  174. 	&& auth_return(-1, "");
    175. 

  175. 	
    176. 

  176. my ( $READ_path, $READ_hrd_sha256, $READ_new_crypt ) = $QUERY_pureftpd->fetchrow_array();
    177. 

  177. 

  178. ### TODO: place here separated checks on ftp = 'Y' AND hostname = '$server_name' ; remove clause from above SELECT
    179. 

  179. ###
    180. 

  180. 

  181. if ( $READ_path eq "" ) { $auth_logger->warn("warning: empty field PATH"); }
    182. 

  182. if ( $READ_hrd_sha256 eq "" ) { $auth_logger->warn("warning: empty field HRD_SHA256"); }
    183. 

  183. if ( $READ_new_crypt eq "" ) { $auth_logger->warn("warning: empty field NEW_CRYPT"); }
    184. 

  184. 

  185. if ( $QUERY_pureftpd->rows == 0 ) {
    186. 

  186. 	$auth_logger->error("user not found, reason: no user? no ftp=Y ? wrong \$server_name ?, user: ".$REQ_USER);
    187. 

  187. 	auth_return(0, "");	
    188. 

  188. } else {							
    189. 

  189. 	$auth_logger->info("User: ".$REQ_USER);
    190. 

  190. 	if (check_crypt($REQ_PASS, $READ_new_crypt)) {
    191. 

  191. 		$auth_logger->info("auth_ok:1, GOOD pwd match!, user: ".$REQ_USER);
    192. 

  192. 		auth_return(1, $READ_path);
    193. 

  193. 	} else {
    194. 

  194. 		$auth_logger->info("auth_ok:-1, reason: wrong password from check_crypt(), user: ".$REQ_USER);	
    195. 

  195. 		auth_return(-1, "");	
    196. 

  196. 	}
    197. 

  197. }
    198.