OpenVAS Libraries
8.0.3
|
Authentication mechanisms used by openvas-manager and openvas-administrator. More...
#include "openvas_auth.h"
#include "openvas_uuid.h"
#include "openvas_file.h"
#include "array.h"
#include <errno.h>
#include <gcrypt.h>
#include <glib/gstdio.h>
Data Structures | |
struct | authenticator |
Representation of an abstract authentication mechanism. More... | |
Macros | |
#define | AUTH_CONF_FILE "openvasmd/auth.conf" |
#define | GROUP_PREFIX_METHOD "method:" |
#define | KEY_ORDER "order" |
#define | G_LOG_DOMAIN "lib auth" |
GLib logging domain. More... | |
Typedefs | |
typedef struct authenticator * | authenticator_t |
Authenticator type. More... | |
Functions | |
const gchar * | auth_method_name (auth_method_t method) |
Return name of auth_method_t. More... | |
int | openvas_auth_init_funcs (gchar *(*get_hash)(const gchar *), int(*set_role)(const gchar *, const gchar *, const gchar *), int(*user_exists_arg)(const gchar *, auth_method_t), gchar *(*get_uuid)(const gchar *, auth_method_t)) |
Initializes the list of authentication methods. More... | |
void | openvas_auth_tear_down (void) |
Free memory associated to authentication configuration. More... | |
int | openvas_auth_write_config (GKeyFile *key_file) |
Writes the authentication mechanism configuration, merging with. More... | |
gchar * | digest_hex (int gcrypt_algorithm, const guchar *digest) |
Generate a hexadecimal representation of a message digest. More... | |
gchar * | get_password_hashes (int digest_algorithm, const gchar *password) |
Generate a pair of hashes to be used in the OpenVAS "auth/hash" file for the user. More... | |
int | openvas_authenticate_method (const gchar *username, const gchar *password, auth_method_t *method) |
Authenticate a credential pair and expose the method used. More... | |
int | openvas_user_exists (const char *name) |
Check whether a user exists. More... | |
gchar * | openvas_user_uuid (const char *name) |
Return the UUID of a user from the OpenVAS user UUID file. More... | |
Variables | |
gchar *(* | classic_get_hash )(const gchar *) = NULL |
int(* | user_uuid_method )(const char *method) = NULL |
int(* | user_set_role )(const gchar *, const gchar *, const gchar *) = NULL |
gchar *(* | user_get_uuid )(const gchar *, auth_method_t) = NULL |
int(* | user_exists )(const gchar *, auth_method_t) = NULL |
Authentication mechanisms used by openvas-manager and openvas-administrator.
Three authentication mechanisms are supported:
These mechanisms are also used for authorization (role and access management).
Also a mixture can be used. To do so, a configuration file (PREFIX/var/lib/openvas/auth.conf) has to be used and the authentication system has to be initialised with a call to openvas_auth_init and can be freed with openvas_auth_tear_down .
In addition, there is an authentication mechanism that can be enabled per user and does not do authorization (role and access management).
The configuration file allows to specify details of a remote ldap-connect authentication and to assign an "order" value to the specified authentication mechanisms. Mechanisms with a lower order will be tried first.
The directory of remotely authenticated users reside under OPENVAS_STATE_DIR/users-remote/[method] , where [method] currently can only be "ldap_connect".
A users directory will contain:
#define AUTH_CONF_FILE "openvasmd/auth.conf" |
#define G_LOG_DOMAIN "lib auth" |
GLib logging domain.
#define GROUP_PREFIX_METHOD "method:" |
#define KEY_ORDER "order" |
typedef struct authenticator* authenticator_t |
Authenticator type.
const gchar* auth_method_name | ( | auth_method_t | method | ) |
Return name of auth_method_t.
Keep in sync with authentication_methods and authentication_method .
method | Auth method. |
gchar* digest_hex | ( | int | gcrypt_algorithm, |
const guchar * | digest | ||
) |
Generate a hexadecimal representation of a message digest.
gcrypt_algorithm | The libgcrypt message digest algorithm used to create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in gcrypt.h). |
digest | The binary representation of the digest. |
gchar* get_password_hashes | ( | int | digest_algorithm, |
const gchar * | password | ||
) |
Generate a pair of hashes to be used in the OpenVAS "auth/hash" file for the user.
The "auth/hash" file consist of two hashes, h_1 and h_2. h_2 (the "seed") is the message digest of (currently) 256 bytes of random data. h_1 is the message digest of h_2 concatenated with the password in plaintext.
The current implementation was taken from the openvas-adduser shell script provided with openvas-server.
gcrypt_algorithm | The libgcrypt message digest algorithm used to create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in gcrypt.h) |
password | The password in plaintext. |
int openvas_auth_init_funcs | ( | gchar *(*)(const gchar *) | get_hash, |
int(*)(const gchar *, const gchar *, const gchar *) | set_role, | ||
int(*)(const gchar *, auth_method_t) | user_exists_arg, | ||
gchar *(*)(const gchar *, auth_method_t) | get_uuid | ||
) |
Initializes the list of authentication methods.
Parses PREFIX/var/lib/openvas/auth.conf and adds respective authenticators to the authenticators list.
Call once before calls to openvas_authenticate, otherwise the authentication method will default to file-system based authentication.
The list should be freed with openvas_auth_tear_down once no further authentication trials will be done.
A warning will be issued if openvas_auth_init is called a second time without a call to openvas_auth_tear_down in between. In this case, no reconfiguration will take place.
void openvas_auth_tear_down | ( | void | ) |
Free memory associated to authentication configuration.
This will have no effect if openvas_auth_init was not called.
int openvas_auth_write_config | ( | GKeyFile * | key_file | ) |
Writes the authentication mechanism configuration, merging with.
defaults and existing configuration.
If the passed key-file contains just method:ldap_connect, do not write the defaults of any other group.
[in] | keyfile | The KeyFile to merge and write. Can be NULL, in which case just the default will be written. |
int openvas_authenticate_method | ( | const gchar * | username, |
const gchar * | password, | ||
auth_method_t * | method | ||
) |
Authenticate a credential pair and expose the method used.
Uses the configurable authenticators list, if available. Defaults to file-based (openvas users directory) authentication otherwise.
username | Username. |
password | Password. |
method[out] | Return location for the method that was used to authenticate the credential pair. |
int openvas_user_exists | ( | const char * | name | ) |
Check whether a user exists.
[in] | name | User name. |
gchar* openvas_user_uuid | ( | const char * | name | ) |
Return the UUID of a user from the OpenVAS user UUID file.
If the user exists, ensure that the user has a UUID (create that file).
[in] | name | User name. |
gchar*(* classic_get_hash) (const gchar *) = NULL |
int(* user_exists) (const gchar *, auth_method_t) = NULL |
gchar*(* user_get_uuid) (const gchar *, auth_method_t) = NULL |
int(* user_set_role) (const gchar *, const gchar *, const gchar *) = NULL |
int(* user_uuid_method) (const char *method) = NULL |