if gssapi authentication fails, switch to password auth if possible

Nikos Mavrogiannopoulos
2015-02-13 15:55:37 +01:00
parent 06f2147155
commit 1f128219ae
2 changed files with 37 additions and 5 deletions


@@ -93,11 +93,12 @@ int ws_switch_auth_to(struct worker_st *ws, unsigned auth)
{
unsigned i;
if (ws->selected_auth && ws->selected_auth->type & auth)
if (ws->selected_auth && ws->selected_auth->enabled != 0 &&
ws->selected_auth->type & auth)
return 1;
for (i=1;i<ws->config->auth_methods;i++) {
if ((ws->config->auth[i].type & auth) != 0) {
if (ws->config->auth[i].enabled && (ws->config->auth[i].type & auth) != 0) {
ws->selected_auth = &ws->config->auth[i];
return 1;
}
@@ -105,6 +106,17 @@ int ws_switch_auth_to(struct worker_st *ws, unsigned auth)
return 0;
}
void ws_disable_auth(struct worker_st *ws, unsigned auth)
{
unsigned i;
for (i=0;i<ws->config->auth_methods;i++) {
if ((ws->config->auth[i].type & auth) != 0) {
ws->config->auth[i].enabled = 0;
}
}
}
static int append_group_idx(worker_st * ws, str_st *str, unsigned i)
{
char temp[128];
@@ -194,6 +206,12 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg)
return -1;
oclog(ws, LOG_DEBUG, "sent sid: %s", context);
} else {
ret =
cstp_puts(ws,
"Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure\r\n");
if (ret < 0)
return -1;
}
ret = cstp_puts(ws, "Content-Type: text/xml\r\n");
@@ -1345,9 +1363,21 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
}
goto cleanup;
} else if (ret < 0) {
oclog(ws, LOG_ERR, "failed authentication for '%s'",
ws->username);
goto auth_fail;
if (ws->selected_auth->type & AUTH_TYPE_GSSAPI) {
/* Fallback from GSSAPI to USERNAME-PASSWORD */
ws_disable_auth(ws, AUTH_TYPE_GSSAPI);
oclog(ws, LOG_ERR, "failed gssapi authentication");
if (ws_switch_auth_to(ws, AUTH_TYPE_USERNAME_PASS) == 0)
goto auth_fail;
ws->auth_state = S_AUTH_INACTIVE;
ws->sid_set = 0;
goto ask_auth;
} else {
oclog(ws, LOG_ERR, "failed authentication for '%s'",
ws->username);
goto auth_fail;
}
}
oclog(ws, LOG_HTTP_DEBUG, "user '%s' obtained cookie", ws->username);
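Review bot: The new GSSAPI fallback branch resets `ws->auth_state` and `ws->sid_set` before jumping to `ask_auth`, but leaves `ws->username` untouched, so a name taken from the failed GSSAPI exchange may still be present when the client is re-prompted for a password; unless the `ask_auth` path always re-reads the username from the next request, it should be cleared together with those two resets. The branch also dereferences `ws->selected_auth` without the NULL guard that `ws_switch_auth_to` applies to the same field; if a failed authentication can reach this point with it unset, `if (ws->selected_auth && (ws->selected_auth->type & AUTH_TYPE_GSSAPI))` avoids a worker crash. The downgrade goes through `ws_disable_auth`, which flips `enabled` on the entries of `ws->config->auth[]`; that is harmless if the config is private to this worker process, but if it is shared across connections one client's failed GSSAPI handshake would disable GSSAPI for everyone, so the assumption deserves a comment such as `/* config is per-worker: disabling GSSAPI here only affects this session */`. Note too that `ws_switch_auth_to` scans from index 1, so a username/password method placed at `auth[0]` can never be selected by the fallback and the request ends in `auth_fail`; confirm that skipping index 0 is intended. post_auth_handler begins and ends outside this hunk.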


@@ -316,7 +316,9 @@ int send_tun_mtu(worker_st *ws, unsigned int mtu);
int handle_worker_commands(struct worker_st *ws);
int disable_system_calls(struct worker_st *ws);
void ocsigaltstack(struct worker_st *ws);
int ws_switch_auth_to(struct worker_st *ws, unsigned auth);
void ws_disable_auth(struct worker_st *ws, unsigned auth);
int connect_to_secmod(worker_st * ws);
inline static