Enable basicauth by default, remove the option to supply it on the command line

This commit is contained in:
Lauri Kasanen 2021-03-25 11:25:30 +02:00
parent 93d3bf052d
commit 1632f4888d
9 changed files with 24 additions and 30 deletions


@ -462,7 +462,7 @@ static uint8_t givecontrolCb(void *messager, const char name[])
WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr, WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr,
socklen_t listenaddrlen, socklen_t listenaddrlen,
bool sslonly, const char *cert, const char *certkey, bool sslonly, const char *cert, const char *certkey,
const char *basicauth, bool disablebasicauth,
const char *httpdir) const char *httpdir)
{ {
int one = 1; int one = 1;
@ -532,7 +532,7 @@ WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr,
settings.passwdfile = strdup(wexp.we_wordv[0]); settings.passwdfile = strdup(wexp.we_wordv[0]);
wordfree(&wexp); wordfree(&wexp);
settings.basicauth = basicauth; settings.disablebasicauth = disablebasicauth;
settings.cert = cert; settings.cert = cert;
settings.key = certkey; settings.key = certkey;
settings.ssl_only = sslonly; settings.ssl_only = sslonly;
@ -718,7 +718,7 @@ void network::createTcpListeners(std::list<SocketListener*> *listeners,
void network::createWebsocketListeners(std::list<SocketListener*> *listeners, void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
const struct addrinfo *ai, const struct addrinfo *ai,
bool sslonly, const char *cert, const char *certkey, bool sslonly, const char *cert, const char *certkey,
const char *basicauth, bool disablebasicauth,
const char *httpdir) const char *httpdir)
{ {
const struct addrinfo *current; const struct addrinfo *current;
@ -745,7 +745,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
try { try {
new_listeners.push_back(new WebsocketListener(current->ai_addr, new_listeners.push_back(new WebsocketListener(current->ai_addr,
current->ai_addrlen, current->ai_addrlen,
sslonly, cert, certkey, basicauth, sslonly, cert, certkey, disablebasicauth,
httpdir)); httpdir));
} catch (SocketException& e) { } catch (SocketException& e) {
// Ignore this if it is due to lack of address family support on // Ignore this if it is due to lack of address family support on
@ -774,7 +774,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
bool sslonly, bool sslonly,
const char *cert, const char *cert,
const char *certkey, const char *certkey,
const char *basicauth, bool disablebasicauth,
const char *httpdir) const char *httpdir)
{ {
if (addr && !strcmp(addr, "local")) { if (addr && !strcmp(addr, "local")) {
@ -802,7 +802,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
ai[1].ai_addrlen = sizeof(sa[1].u.sin6); ai[1].ai_addrlen = sizeof(sa[1].u.sin6);
ai[1].ai_next = NULL; ai[1].ai_next = NULL;
createWebsocketListeners(listeners, ai, sslonly, cert, certkey, basicauth, httpdir); createWebsocketListeners(listeners, ai, sslonly, cert, certkey, disablebasicauth, httpdir);
} else { } else {
struct addrinfo *ai, hints; struct addrinfo *ai, hints;
char service[16]; char service[16];
@ -825,7 +825,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
gai_strerror(result)); gai_strerror(result));
try { try {
createWebsocketListeners(listeners, ai, sslonly, cert, certkey, basicauth, httpdir); createWebsocketListeners(listeners, ai, sslonly, cert, certkey, disablebasicauth, httpdir);
} catch(...) { } catch(...) {
freeaddrinfo(ai); freeaddrinfo(ai);
throw; throw;


@ -91,7 +91,7 @@ namespace network {
public: public:
WebsocketListener(const struct sockaddr *listenaddr, socklen_t listenaddrlen, WebsocketListener(const struct sockaddr *listenaddr, socklen_t listenaddrlen,
bool sslonly, const char *cert, const char *certkey, bool sslonly, const char *cert, const char *certkey,
const char *basicauth, bool disablebasicauth,
const char *httpdir); const char *httpdir);
virtual int getMyPort(); virtual int getMyPort();
@ -116,7 +116,7 @@ namespace network {
bool sslonly, bool sslonly,
const char *cert, const char *cert,
const char *certkey, const char *certkey,
const char *basicauth, bool disablebasicauth,
const char *httpdir); const char *httpdir);
void createTcpListeners(std::list<SocketListener*> *listeners, void createTcpListeners(std::list<SocketListener*> *listeners,
const char *addr, const char *addr,
@ -128,7 +128,7 @@ namespace network {
bool sslonly, bool sslonly,
const char *cert, const char *cert,
const char *certkey, const char *certkey,
const char *basicauth, bool disablebasicauth,
const char *httpdir); const char *httpdir);
typedef struct vnc_sockaddr { typedef struct vnc_sockaddr {


@ -1152,9 +1152,8 @@ ws_ctx_t *do_handshake(int sock) {
usleep(10); usleep(10);
} }
const char *colon;
unsigned char owner = 0; unsigned char owner = 0;
if ((colon = strchr(settings.basicauth, ':'))) { if (!settings.disablebasicauth) {
const char *hdr = strstr(handshake, "Authorization: Basic "); const char *hdr = strstr(handshake, "Authorization: Basic ");
if (!hdr) { if (!hdr) {
handler_emsg("BasicAuth required, but client didn't send any. 401 Unauth\n"); handler_emsg("BasicAuth required, but client didn't send any. 401 Unauth\n");
@ -1179,15 +1178,13 @@ ws_ctx_t *do_handshake(int sock) {
tmp[len] = '\0'; tmp[len] = '\0';
len = ws_b64_pton(tmp, response, 256); len = ws_b64_pton(tmp, response, 256);
char authbuf[4096]; char authbuf[4096] = "";
strncpy(authbuf, settings.basicauth, 4096);
authbuf[4095] = '\0';
// Do we need to read it from the file? // Do we need to read it from the file?
char *resppw = strchr(response, ':'); char *resppw = strchr(response, ':');
if (resppw && *resppw) if (resppw && *resppw)
resppw++; resppw++;
if (!colon[1] && settings.passwdfile) { if (settings.passwdfile) {
if (resppw && *resppw && resppw - response < 32) { if (resppw && *resppw && resppw - response < 32) {
char pwbuf[4096]; char pwbuf[4096];
struct kasmpasswd_t *set = readkasmpasswd(settings.passwdfile); struct kasmpasswd_t *set = readkasmpasswd(settings.passwdfile);
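Review bot: With basic auth now on by default, the branch at `if (settings.passwdfile) {` has no visible fail-closed counterpart: `authbuf` is initialised to `""` and the old copy of `settings.basicauth` is gone, so when no password file is configured the credential comparison that follows (outside this hunk) would run against an empty string. Unless that continuation rejects the case explicitly, a server started without a password file could accept anything or behave unpredictably; add an `else` that rejects the same way the missing-header path above does, e.g. `} else { handler_emsg("BasicAuth enabled but no password file configured. 401 Unauth\n"); ... }` followed by the same 401/return sequence. I cannot see the rest of do_handshake from here, so this is a check to confirm rather than a proven hole; the function continues past the end of the hunk.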


@ -71,7 +71,7 @@ typedef struct {
unsigned int handler_id; unsigned int handler_id;
const char *cert; const char *cert;
const char *key; const char *key;
const char *basicauth; uint8_t disablebasicauth;
const char *passwdfile; const char *passwdfile;
int ssl_only; int ssl_only;
const char *httpdir; const char *httpdir;


@ -433,8 +433,7 @@ bool StringParameter::setParam(const char* v) {
if (immutable) return true; if (immutable) return true;
if (!v) if (!v)
throw rfb::Exception("setParam(<null>) not allowed"); throw rfb::Exception("setParam(<null>) not allowed");
if (strcasecmp(getName(), "BasicAuth")) // don't log the auth info vlog.debug("set %s(String) to %s", getName(), v);
vlog.debug("set %s(String) to %s", getName(), v);
CharArray oldValue(value); CharArray oldValue(value);
value = strDup(v); value = strDup(v);
return value != 0; return value != 0;
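Review bot: Dropping the name check means every StringParameter value is now written to the debug log at `vlog.debug("set %s(String) to %s", getName(), v);`, including any remaining parameter that carries a credential; whether such a parameter still exists is not visible here. Rather than relying on there being none, consider a per-parameter `sensitive` flag (or a dedicated password-parameter subclass) consulted at this line, so a future secret-bearing option does not depend on someone remembering to re-add a hard-coded `strcasecmp` on its name. setParam's signature is only visible in the hunk header; the body continues past the hunk.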


@ -48,7 +48,7 @@ static LogWriter vlog("VNCSConnST");
static Cursor emptyCursor(0, 0, Point(0, 0), NULL); static Cursor emptyCursor(0, 0, Point(0, 0), NULL);
extern rfb::StringParameter basicauth; extern rfb::BoolParameter disablebasicauth;
VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s, VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
bool reverse) bool reverse)
@ -1044,13 +1044,12 @@ bool VNCSConnectionST::isShiftPressed()
bool VNCSConnectionST::getPerms(bool &write, bool &owner) const bool VNCSConnectionST::getPerms(bool &write, bool &owner) const
{ {
bool found = false; bool found = false;
const char *colon = strchr(basicauth, ':'); if (disablebasicauth) {
if (!colon || colon[1]) { // We're running without basicauth
// We're running without basicauth, or with both user:pass on the command line
write = true; write = true;
return true; return true;
} }
if (colon && !colon[1] && user[0]) { if (user[0]) {
struct kasmpasswd_t *set = readkasmpasswd(kasmpasswdpath); struct kasmpasswd_t *set = readkasmpasswd(kasmpasswdpath);
unsigned i; unsigned i;
for (i = 0; i < set->num; i++) { for (i = 0; i < set->num; i++) {
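Review bot: The `if (user[0])` path is now the default for every authenticated websocket client, and the result of `readkasmpasswd(kasmpasswdpath)` is dereferenced at `set->num` without a NULL check; whether it can return NULL (missing or unreadable file) is not visible here, so confirm that or add `if (!set) return false;` before the loop. The enabled-but-empty-user case falls through with `found` still `false`; make sure the tail of the function leaves `write` and `owner` in a defined state on that path rather than whatever the caller initialised them to. getPerms continues past the end of the hunk.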


@ -81,7 +81,6 @@ EncCache VNCServerST::encCache;
// //
static char kasmpasswdpath[4096]; static char kasmpasswdpath[4096];
extern rfb::StringParameter basicauth;
// -=- Constructors/Destructor // -=- Constructors/Destructor


@ -339,9 +339,9 @@ are in the same file, use \fB-cert\fP.
Require SSL for websocket connections. Default off, non-SSL allowed. Require SSL for websocket connections. Default off, non-SSL allowed.
. .
.TP .TP
.B \-basicAuth \fIuser:pass\fP .B \-disableBasicAuth
Username and password for websocket connections. Default empty, no authentication required. Disable basic auth for websocket connections. Default enabled, details read from
If the password is empty, read it from the \fB-KasmPasswordFile\fP. the \fB-KasmPasswordFile\fP.
. .
.TP .TP
.B \-SecurityTypes \fIsec-types\fP .B \-SecurityTypes \fIsec-types\fP


@ -89,7 +89,7 @@ rfb::IntParameter websocketPort("websocketPort", "websocket port to listen for",
rfb::StringParameter cert("cert", "SSL pem cert to use for websocket connections", ""); rfb::StringParameter cert("cert", "SSL pem cert to use for websocket connections", "");
rfb::StringParameter certkey("key", "SSL pem key to use for websocket connections (if separate)", ""); rfb::StringParameter certkey("key", "SSL pem key to use for websocket connections (if separate)", "");
rfb::BoolParameter sslonly("sslOnly", "Require SSL for websockets", false); rfb::BoolParameter sslonly("sslOnly", "Require SSL for websockets", false);
rfb::StringParameter basicauth("BasicAuth", "user:pass for HTTP basic auth for websockets", ""); rfb::BoolParameter disablebasicauth("DisableBasicAuth", "Disable basic auth for websockets", false);
rfb::StringParameter interface("interface", rfb::StringParameter interface("interface",
"listen on the specified network address", "listen on the specified network address",
"all"); "all");
@ -225,7 +225,7 @@ void vncExtensionInit(void)
if (!noWebsocket) if (!noWebsocket)
network::createWebsocketListeners(&listeners, websocketPort, network::createWebsocketListeners(&listeners, websocketPort,
localhostOnly ? "local" : addr, localhostOnly ? "local" : addr,
sslonly, cert, certkey, basicauth, httpDir); sslonly, cert, certkey, disablebasicauth, httpDir);
else if (localhostOnly) else if (localhostOnly)
network::createLocalTcpListeners(&listeners, port); network::createLocalTcpListeners(&listeners, port);
else else
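Review bot: The description string for `disablebasicauth` says what the flag turns off but not what the new default relies on; since basic auth is now enforced unless this is set, the option text should state the default and the credential source so an operator reading `-help` knows a password file is required: `rfb::BoolParameter disablebasicauth("DisableBasicAuth", "Disable HTTP basic auth for websocket connections (enabled by default; credentials are read from KasmPasswordFile)", false);`. The man page hunk already says this; keeping the built-in help consistent with it avoids the two drifting apart.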