Enable basicauth by default, remove the option to supply it on the command line

This commit is contained in:
Lauri Kasanen 2021-03-25 11:25:30 +02:00
parent 93d3bf052d
commit 1632f4888d
9 changed files with 24 additions and 30 deletions


@ -462,7 +462,7 @@ static uint8_t givecontrolCb(void *messager, const char name[])
WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr,
socklen_t listenaddrlen,
bool sslonly, const char *cert, const char *certkey,
const char *basicauth,
bool disablebasicauth,
const char *httpdir)
{
int one = 1;
@ -532,7 +532,7 @@ WebsocketListener::WebsocketListener(const struct sockaddr *listenaddr,
settings.passwdfile = strdup(wexp.we_wordv[0]);
wordfree(&wexp);
settings.basicauth = basicauth;
settings.disablebasicauth = disablebasicauth;
settings.cert = cert;
settings.key = certkey;
settings.ssl_only = sslonly;
@ -718,7 +718,7 @@ void network::createTcpListeners(std::list<SocketListener*> *listeners,
void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
const struct addrinfo *ai,
bool sslonly, const char *cert, const char *certkey,
const char *basicauth,
bool disablebasicauth,
const char *httpdir)
{
const struct addrinfo *current;
@ -745,7 +745,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
try {
new_listeners.push_back(new WebsocketListener(current->ai_addr,
current->ai_addrlen,
sslonly, cert, certkey, basicauth,
sslonly, cert, certkey, disablebasicauth,
httpdir));
} catch (SocketException& e) {
// Ignore this if it is due to lack of address family support on
@ -774,7 +774,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
bool sslonly,
const char *cert,
const char *certkey,
const char *basicauth,
bool disablebasicauth,
const char *httpdir)
{
if (addr && !strcmp(addr, "local")) {
@ -802,7 +802,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
ai[1].ai_addrlen = sizeof(sa[1].u.sin6);
ai[1].ai_next = NULL;
createWebsocketListeners(listeners, ai, sslonly, cert, certkey, basicauth, httpdir);
createWebsocketListeners(listeners, ai, sslonly, cert, certkey, disablebasicauth, httpdir);
} else {
struct addrinfo *ai, hints;
char service[16];
@ -825,7 +825,7 @@ void network::createWebsocketListeners(std::list<SocketListener*> *listeners,
gai_strerror(result));
try {
createWebsocketListeners(listeners, ai, sslonly, cert, certkey, basicauth, httpdir);
createWebsocketListeners(listeners, ai, sslonly, cert, certkey, disablebasicauth, httpdir);
} catch(...) {
freeaddrinfo(ai);
throw;
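Review bot: Replacing `const char *basicauth` with `bool disablebasicauth` in `WebsocketListener::WebsocketListener` and both `createWebsocketListeners` overloads leaves the old calling convention compiling: a call site still passing a `const char *` converts implicitly to `bool`, so a stale caller would silently disable authentication (non-null pointer → true) rather than fail to build. A dedicated type turns that into a compile error, e.g. `enum class BasicAuthMode : uint8_t { Required, Disabled };` with `BasicAuthMode basicauth,` in place of the bool, and it also makes the polarity readable at the two forwarding calls `createWebsocketListeners(listeners, ai, sslonly, cert, certkey, disablebasicauth, httpdir);`. The constructor body and both overloads continue outside their hunks.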


@ -91,7 +91,7 @@ namespace network {
public:
WebsocketListener(const struct sockaddr *listenaddr, socklen_t listenaddrlen,
bool sslonly, const char *cert, const char *certkey,
const char *basicauth,
bool disablebasicauth,
const char *httpdir);
virtual int getMyPort();
@ -116,7 +116,7 @@ namespace network {
bool sslonly,
const char *cert,
const char *certkey,
const char *basicauth,
bool disablebasicauth,
const char *httpdir);
void createTcpListeners(std::list<SocketListener*> *listeners,
const char *addr,
@ -128,7 +128,7 @@ namespace network {
bool sslonly,
const char *cert,
const char *certkey,
const char *basicauth,
bool disablebasicauth,
const char *httpdir);
typedef struct vnc_sockaddr {
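Review bot: The new `bool disablebasicauth` parameter on the `WebsocketListener` constructor and the two `createWebsocketListeners` declarations carries no documentation, and since authentication is now required unless this flag is set, the polarity of a bare `bool` in the middle of the argument list is easy to invert at a call site. Suggest a comment on each declaration, e.g. `bool disablebasicauth, // false (default): websocket handshakes must carry HTTP Basic auth checked against the KasmPasswordFile`. The enclosing namespace and class run outside the hunks.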


@ -1152,9 +1152,8 @@ ws_ctx_t *do_handshake(int sock) {
usleep(10);
}
const char *colon;
unsigned char owner = 0;
if ((colon = strchr(settings.basicauth, ':'))) {
if (!settings.disablebasicauth) {
const char *hdr = strstr(handshake, "Authorization: Basic ");
if (!hdr) {
handler_emsg("BasicAuth required, but client didn't send any. 401 Unauth\n");
@ -1179,15 +1178,13 @@ ws_ctx_t *do_handshake(int sock) {
tmp[len] = '\0';
len = ws_b64_pton(tmp, response, 256);
char authbuf[4096];
strncpy(authbuf, settings.basicauth, 4096);
authbuf[4095] = '\0';
char authbuf[4096] = "";
// Do we need to read it from the file?
char *resppw = strchr(response, ':');
if (resppw && *resppw)
resppw++;
if (!colon[1] && settings.passwdfile) {
if (settings.passwdfile) {
if (resppw && *resppw && resppw - response < 32) {
char pwbuf[4096];
struct kasmpasswd_t *set = readkasmpasswd(settings.passwdfile);
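Review bot: With the `user:pass` fallback removed, `authbuf` now starts as `""` and is only populated inside `if (settings.passwdfile)`, so a deployment with auth enabled (the new default) but no password file configured reaches the credential comparison that follows with an empty expected credential; that comparison is outside the hunk, so whether it rejects cannot be confirmed here. Make this branch fail closed explicitly instead of relying on the comparison: an `else` on `if (settings.passwdfile)` that logs `handler_emsg("BasicAuth enabled but no password file configured. 401 Unauth\n");` and takes the same rejection path as the `if (!hdr)` case above. `do_handshake` begins and ends outside the hunk.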


@ -71,7 +71,7 @@ typedef struct {
unsigned int handler_id;
const char *cert;
const char *key;
const char *basicauth;
uint8_t disablebasicauth;
const char *passwdfile;
int ssl_only;
const char *httpdir;
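Review bot: The new `uint8_t disablebasicauth;` field is assigned from a `bool` constructor parameter and tested as a truth value in `do_handshake`, but nothing in the struct records its polarity or default, so a reader of this header has to find the C++ side to learn that 0 means authentication is required. Suggest `uint8_t disablebasicauth; /* 0 (default): websocket handshake requires HTTP Basic auth; nonzero: skip it */`. The `uint8_t` rather than `bool` is presumably for C compatibility; if this header is only compiled as C99 or later, `bool` from `<stdbool.h>` would state the intent directly. The typedef starts and ends outside the hunk.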


@ -433,8 +433,7 @@ bool StringParameter::setParam(const char* v) {
if (immutable) return true;
if (!v)
throw rfb::Exception("setParam(<null>) not allowed");
if (strcasecmp(getName(), "BasicAuth")) // don't log the auth info
vlog.debug("set %s(String) to %s", getName(), v);
vlog.debug("set %s(String) to %s", getName(), v);
CharArray oldValue(value);
value = strDup(v);
return value != 0;
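Review bot: Dropping the `strcasecmp(getName(), "BasicAuth")` guard makes `StringParameter::setParam` log every string parameter's value at debug level unconditionally, which is fine now that BasicAuth no longer carries a password, but it also removes the only place that kept a secret out of the log, so any future StringParameter holding a credential will be written to it. Worth stating that invariant where the guard used to be: `// Values are logged verbatim at debug level: a StringParameter must never hold a secret.` The closing brace of setParam is outside the hunk.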


@ -48,7 +48,7 @@ static LogWriter vlog("VNCSConnST");
static Cursor emptyCursor(0, 0, Point(0, 0), NULL);
extern rfb::StringParameter basicauth;
extern rfb::BoolParameter disablebasicauth;
VNCSConnectionST::VNCSConnectionST(VNCServerST* server_, network::Socket *s,
bool reverse)
@ -1044,13 +1044,12 @@ bool VNCSConnectionST::isShiftPressed()
bool VNCSConnectionST::getPerms(bool &write, bool &owner) const
{
bool found = false;
const char *colon = strchr(basicauth, ':');
if (!colon || colon[1]) {
// We're running without basicauth, or with both user:pass on the command line
if (disablebasicauth) {
// We're running without basicauth
write = true;
return true;
}
if (colon && !colon[1] && user[0]) {
if (user[0]) {
struct kasmpasswd_t *set = readkasmpasswd(kasmpasswdpath);
unsigned i;
for (i = 0; i < set->num; i++) {
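Review bot: The early-return branch `if (disablebasicauth) { write = true; return true; }` in `VNCSConnectionST::getPerms` reports success while leaving the `owner` out-parameter unassigned, so a caller that reads `owner` after a `true` return sees whatever it held before the call; the removed code had the same gap, but this rewrite is the natural place to close it. Assign it explicitly, e.g. `owner = false;` before `write = true;` if disabling auth is not meant to grant owner rights, or `true` if it is — which one is intended cannot be told from the hunk. The function and the `for` loop over `set->num` continue outside the hunk.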


@ -81,7 +81,6 @@ EncCache VNCServerST::encCache;
//
static char kasmpasswdpath[4096];
extern rfb::StringParameter basicauth;
// -=- Constructors/Destructor


@ -339,9 +339,9 @@ are in the same file, use \fB-cert\fP.
Require SSL for websocket connections. Default off, non-SSL allowed.
.
.TP
.B \-basicAuth \fIuser:pass\fP
Username and password for websocket connections. Default empty, no authentication required.
If the password is empty, read it from the \fB-KasmPasswordFile\fP.
.B \-disableBasicAuth
Disable basic auth for websocket connections. Default enabled, details read from
the \fB-KasmPasswordFile\fP.
.
.TP
.B \-SecurityTypes \fIsec-types\fP


@ -89,7 +89,7 @@ rfb::IntParameter websocketPort("websocketPort", "websocket port to listen for",
rfb::StringParameter cert("cert", "SSL pem cert to use for websocket connections", "");
rfb::StringParameter certkey("key", "SSL pem key to use for websocket connections (if separate)", "");
rfb::BoolParameter sslonly("sslOnly", "Require SSL for websockets", false);
rfb::StringParameter basicauth("BasicAuth", "user:pass for HTTP basic auth for websockets", "");
rfb::BoolParameter disablebasicauth("DisableBasicAuth", "Disable basic auth for websockets", false);
rfb::StringParameter interface("interface",
"listen on the specified network address",
"all");
@ -225,7 +225,7 @@ void vncExtensionInit(void)
if (!noWebsocket)
network::createWebsocketListeners(&listeners, websocketPort,
localhostOnly ? "local" : addr,
sslonly, cert, certkey, basicauth, httpDir);
sslonly, cert, certkey, disablebasicauth, httpDir);
else if (localhostOnly)
network::createLocalTcpListeners(&listeners, port);
else
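Review bot: The help string for `disablebasicauth`, `"Disable basic auth for websockets"`, does not say what the default is or where credentials come from, whereas the man page entry for `-disableBasicAuth` in this commit does; the `-help` output is what most operators will actually read. Suggest `rfb::BoolParameter disablebasicauth("DisableBasicAuth", "Disable HTTP basic auth for websockets (default: required, credentials read from KasmPasswordFile)", false);`. `vncExtensionInit` continues outside the hunk.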