OpenVAS Libraries  8.0.3
openvas_auth.c File Reference

Authentication mechanisms used by openvas-manager and openvas-administrator. More...

#include "openvas_auth.h"
#include "openvas_uuid.h"
#include "openvas_file.h"
#include "array.h"
#include <errno.h>
#include <gcrypt.h>
#include <glib/gstdio.h>

Data Structures

struct  authenticator
 Representation of an abstract authentication mechanism. More...
 

Macros

#define AUTH_CONF_FILE   "openvasmd/auth.conf"
 
#define GROUP_PREFIX_METHOD   "method:"
 
#define KEY_ORDER   "order"
 
#define G_LOG_DOMAIN   "lib auth"
 GLib logging domain. More...
 

Typedefs

typedef struct authenticator * authenticator_t
 Authenticator type. More...
 

Functions

const gchar * auth_method_name (auth_method_t method)
 Return name of auth_method_t. More...
 
int openvas_auth_init_funcs (gchar *(*get_hash)(const gchar *), int(*set_role)(const gchar *, const gchar *, const gchar *), int(*user_exists_arg)(const gchar *, auth_method_t), gchar *(*get_uuid)(const gchar *, auth_method_t))
 Initializes the list of authentication methods. More...
 
void openvas_auth_tear_down (void)
 Free memory associated to authentication configuration. More...
 
int openvas_auth_write_config (GKeyFile *key_file)
 Writes the authentication mechanism configuration, merging it with the defaults and the existing configuration. More...
 
gchar * digest_hex (int gcrypt_algorithm, const guchar *digest)
 Generate a hexadecimal representation of a message digest. More...
 
gchar * get_password_hashes (int digest_algorithm, const gchar *password)
 Generate a pair of hashes to be used in the OpenVAS "auth/hash" file for the user. More...
 
int openvas_authenticate_method (const gchar *username, const gchar *password, auth_method_t *method)
 Authenticate a credential pair and expose the method used. More...
 
int openvas_user_exists (const char *name)
 Check whether a user exists. More...
 
gchar * openvas_user_uuid (const char *name)
 Return the UUID of a user from the OpenVAS user UUID file. More...
 

Variables

gchar *(* classic_get_hash )(const gchar *) = NULL
 
int(* user_uuid_method )(const char *method) = NULL
 
int(* user_set_role )(const gchar *, const gchar *, const gchar *) = NULL
 
gchar *(* user_get_uuid )(const gchar *, auth_method_t) = NULL
 
int(* user_exists )(const gchar *, auth_method_t) = NULL
 

Detailed Description

Authentication mechanisms used by openvas-manager and openvas-administrator.

Authentication Mechanisms

Three authentication mechanisms are supported:

These mechanisms are also used for authorization (role and access management).

A mixture of mechanisms can also be used. To do so, a configuration file (PREFIX/var/lib/openvas/auth.conf) is required, and the authentication system has to be initialised with a call to openvas_auth_init and freed again with openvas_auth_tear_down.

In addition, there is an authentication mechanism that can be enabled per user and does not do authorization (role and access management).

The configuration file allows the details of a remote ldap-connect authentication to be specified and an "order" value to be assigned to each configured authentication mechanism. Mechanisms with a lower order are tried first.

User Directories

The directories of remotely authenticated users reside under OPENVAS_STATE_DIR/users-remote/[method], where [method] currently can only be "ldap_connect".

A user's directory will contain:

Macro Definition Documentation

#define AUTH_CONF_FILE   "openvasmd/auth.conf"
#define G_LOG_DOMAIN   "lib auth"

GLib logging domain.

#define GROUP_PREFIX_METHOD   "method:"
#define KEY_ORDER   "order"

Typedef Documentation

typedef struct authenticator* authenticator_t

Authenticator type.

Function Documentation

const gchar* auth_method_name ( auth_method_t  method)

Return name of auth_method_t.

Keep in sync with authentication_methods and authentication_method .

Parameters
method: Auth method.
Returns
Name of auth method.
gchar* digest_hex ( int  gcrypt_algorithm,
const guchar *  digest 
)

Generate a hexadecimal representation of a message digest.

Parameters
gcrypt_algorithm: The libgcrypt message digest algorithm used to create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in gcrypt.h).
digest: The binary representation of the digest.
Returns
A pointer to the hexadecimal representation of the message digest or NULL if an unavailable message digest algorithm was selected.
gchar* get_password_hashes ( int  digest_algorithm,
const gchar *  password 
)

Generate a pair of hashes to be used in the OpenVAS "auth/hash" file for the user.

The "auth/hash" file consists of two hashes, h_1 and h_2. h_2 (the "seed") is the message digest of (currently) 256 bytes of random data. h_1 is the message digest of h_2 concatenated with the password in plaintext. Both values are stored in the file, so the seed is available when a login attempt has to be checked.

The current implementation was taken from the openvas-adduser shell script provided with openvas-server.

Parameters
digest_algorithm: The libgcrypt message digest algorithm used to create the digest (e.g. GCRY_MD_MD5; see the enum gcry_md_algos in gcrypt.h).
password: The password in plaintext.
Returns
A pointer to a string containing the two hashes separated by a space, or NULL if an unavailable message digest algorithm was selected.
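The two-hash layout described above, as an added example that is not part of libopenvas: it mirrors get_password_hashes() and digest_hex() with Python's hashlib instead of libgcrypt, and adds the verification step a login path needs. It assumes that h_2 enters the second digest in its hexadecimal form (as a digest piped through a shell script would) and that the line is stored as "h_1 h_2"; the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not libopenvas code. The page says the seed is a digest of
# 256 bytes of random data; this constant mirrors that.
SEED_BYTES = 256


def digest_hex(algorithm: str, data: bytes) -> Optional[str]:
    """Hex digest of data; None for an unknown algorithm (like digest_hex() in C)."""
    try:
        return hashlib.new(algorithm, data).hexdigest()
    except ValueError:
        return None


def get_password_hashes(algorithm: str, password: str,
                        seed: Optional[bytes] = None) -> Optional[str]:
    """Return the "auth/hash" line "h_1 h_2" for a new user.

    h_2 = digest(seed), h_1 = digest(h_2 || password).
    Assumption: h_2 is concatenated in hex form, not as raw digest bytes.
    The seed parameter exists only so tests can be deterministic; real use
    leaves it None and draws fresh randomness.
    """
    if seed is None:
        seed = os.urandom(SEED_BYTES)
    h2 = digest_hex(algorithm, seed)
    if h2 is None:
        return None
    h1 = digest_hex(algorithm, h2.encode("ascii") + password.encode("utf-8"))
    return f"{h1} {h2}"


def verify_password(algorithm: str, hash_line: str, password: str) -> bool:
    """Check a candidate password against a stored "h_1 h_2" line.

    Recomputes h_1 from the stored seed h_2 and compares in constant time,
    so a malformed line or unknown algorithm yields False rather than an
    exception on the login path.
    """
    parts = hash_line.split()
    if len(parts) != 2:
        return False
    h1, h2 = parts
    candidate = digest_hex(algorithm, h2.encode("ascii") + password.encode("utf-8"))
    if candidate is None:
        return False
    return hmac.compare_digest(candidate.encode("ascii"), h1.encode("utf-8"))


if __name__ == "__main__":
    line = get_password_hashes("sha256", "correct horse")
    print(line)
    print(verify_password("sha256", line, "correct horse"))   # True
    print(verify_password("sha256", line, "wrong horse"))     # False
```

Note what the scheme is and is not: h_2 acts as a per-user salt, so identical passwords do not share h_1, but h_1 is a single pass of a fast digest rather than a key derivation function, and with MD5 as the page's example algorithm an attacker holding the file can test candidate passwords at hardware speed. The seed does nothing to slow that down; only a deliberately slow KDF would.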
int openvas_auth_init_funcs ( gchar *(*)(const gchar *)  get_hash,
int(*)(const gchar *, const gchar *, const gchar *)  set_role,
int(*)(const gchar *, auth_method_t)  user_exists_arg,
gchar *(*)(const gchar *, auth_method_t)  get_uuid 
)

Initializes the list of authentication methods.

Parses PREFIX/var/lib/openvas/auth.conf and adds respective authenticators to the authenticators list.

Call once before any call to openvas_authenticate; otherwise authentication defaults to file-system based authentication.

The list should be freed with openvas_auth_tear_down once no further authentication attempts will be made.

A warning will be issued if openvas_auth_init is called a second time without a call to openvas_auth_tear_down in between. In this case, no reconfiguration will take place.

Returns
0 success, -1 error.
void openvas_auth_tear_down ( void  )

Free memory associated with the authentication configuration.

This will have no effect if openvas_auth_init was not called.

Todo:
Close memleak, destroy list and content.
int openvas_auth_write_config ( GKeyFile *  key_file)

Writes the authentication mechanism configuration, merging it with the defaults and the existing configuration.

If the passed key-file contains just method:ldap_connect, do not write the defaults of any other group.

Parameters
[in] key_file: The key file to merge and write. Can be NULL, in which case just the defaults are written.
Returns
0 if the file has been written successfully, 1 if authdn validation failed, -1 on error.
Todo:
Preserve comments in file.
int openvas_authenticate_method ( const gchar *  username,
const gchar *  password,
auth_method_t *  method 
)

Authenticate a credential pair and expose the method used.

Uses the configurable authenticators list, if available. Defaults to file-based (openvas users directory) authentication otherwise.

Parameters
username: Username.
password: Password.
[out] method: Return location for the method that was used to authenticate the credential pair.
Returns
0 on authentication success; otherwise the result of the last authentication attempt: 1 authentication failure, -1 error.
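The "order" handling from the configuration section and the try-in-order semantics of openvas_authenticate_method, as one added example that is not part of libopenvas. It parses a constructed auth.conf in GKeyFile (INI) syntax using only the "method:" group prefix and the "order" key the page documents, sorts the mechanisms lowest order first, and then walks them the way the return-value contract above describes: 0 on the first success, otherwise the code of the last attempt. The method name "file" for the file-based default, the absence of any ldap connection keys, and the stand-in authenticators are assumptions for illustration.

```python
import configparser
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not libopenvas code. Constants named on the page.
GROUP_PREFIX_METHOD = "method:"
KEY_ORDER = "order"

# Return codes as documented for openvas_authenticate_method.
AUTH_OK, AUTH_FAIL, AUTH_ERROR = 0, 1, -1

# Assumption: the file-based mechanism is called "file". Used when no list
# of authenticators is configured ("defaults to file-based authentication").
DEFAULT_METHOD = "file"

# Constructed auth.conf. Real ldap_connect groups carry connection settings
# that are deliberately left out here; only "order" is modelled.
AUTH_CONF = """\
[method:file]
order=1

[method:ldap_connect]
order=2
"""

Authenticator = Callable[[str, str], int]


def parse_method_order(conf_text: str) -> List[str]:
    """Return the configured method names, lowest "order" first.

    Groups without the "method:" prefix are ignored; a method group without
    an "order" key is rejected (this example's choice, not documented
    libopenvas behaviour). The sort is stable, so equal orders keep file order.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    methods: List[Tuple[int, str]] = []
    for group in cp.sections():
        if not group.startswith(GROUP_PREFIX_METHOD):
            continue
        if not cp.has_option(group, KEY_ORDER):
            raise ValueError(f"{group}: missing '{KEY_ORDER}' key")
        methods.append((cp.getint(group, KEY_ORDER), group[len(GROUP_PREFIX_METHOD):]))
    methods.sort(key=lambda m: m[0])
    return [name for _, name in methods]


def authenticate_method(username: str, password: str,
                        authenticators: Dict[str, Authenticator],
                        order: List[str]) -> Tuple[int, Optional[str]]:
    """Mirror of openvas_authenticate_method's contract.

    Tries each configured method in order and stops at the first AUTH_OK.
    Otherwise returns the result of the last attempt together with the
    method that produced it (the [out] method parameter in C).
    """
    if not order:
        order = [DEFAULT_METHOD]
    result, used = AUTH_FAIL, None
    for name in order:
        fn = authenticators.get(name)
        if fn is None:
            continue  # configured but not registered; skip, do not fail closed here
        result, used = fn(username, password), name
        if result == AUTH_OK:
            break
    return result, used


def make_authenticator(result: int, name: str, log: List[str]) -> Authenticator:
    """Constructed stand-in for a real backend: records the call, returns a fixed code."""
    def auth(username: str, password: str) -> int:
        log.append(name)
        return result
    return auth


if __name__ == "__main__":
    order = parse_method_order(AUTH_CONF)
    log: List[str] = []
    backends = {"file": make_authenticator(AUTH_FAIL, "file", log),
                "ldap_connect": make_authenticator(AUTH_OK, "ldap_connect", log)}
    print(order, authenticate_method("alice", "pw", backends, order), log)
```

Two things worth checking in a deployment follow directly from this contract: a method placed first in the order can mask a later one (a local file match wins before the directory is ever consulted), and when every method fails the caller only sees the last method's code, so an LDAP outage (-1) after a local mismatch surfaces as an error rather than a plain failure.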
int openvas_user_exists ( const char *  name)

Check whether a user exists.

Parameters
[in] name: User name.
Returns
1 yes, 0 no, -1 error.
gchar* openvas_user_uuid ( const char *  name)

Return the UUID of a user from the OpenVAS user UUID file.

If the user exists, ensure that the user has a UUID (creating the UUID file if necessary).

Parameters
[in] name: User name.
Returns
UUID of given user if (locally authenticated) user exists, else NULL.

Variable Documentation

gchar*(* classic_get_hash) (const gchar *) = NULL
int(* user_exists) (const gchar *, auth_method_t) = NULL
gchar*(* user_get_uuid) (const gchar *, auth_method_t) = NULL
int(* user_set_role) (const gchar *, const gchar *, const gchar *) = NULL
int(* user_uuid_method) (const char *method) = NULL