FEAT: Add user authentication for network services #998

Merged
merged 40 commits into from
Jul 15, 2023


tGecko
Member

@tGecko tGecko commented Jul 10, 2023

This allows for password-authed SMB-shares and can also be used in other network services for authentication.

Remount /etc/passwd and /etc/group to files we have control over, manually added the user and group to the files.
Password generated using mkpasswd.
user:password = onion:onion

SSH/FTP/SMB now use this user for authentication.

Test process
Preparation

  • Perform fresh install incl. format. Skip Package Manager
  • Enable & connect Wifi

SMB

  • Make sure you can't connect to SMB
  • Enable SMB without touching auth
  • Try connecting SMB, it should work.
  • Enable SMB auth
  • The next time you enter a different folder, you should be prompted for authentication
  • Try root with empty password, it must not work
  • Try onion:onion, it should work. Make sure to not save the password
  • Disable auth again, make sure it still works.

HTTP

  • Make sure you can't connect to HTTP
  • Enable HTTP without touching auth
  • Connect to HTTP. You should not get a login prompt
  • Enable HTTP auth, then press F5 in the browser
  • You should get a logout button on the left side, click it
  • Login with admin:admin, make sure that it works

SSH

  • Make sure you can't connect to SSH
  • Enable SSH
  • Connect with root@IP and observe you can login without password
  • Enable SSH auth, observe that the session is closed.
  • Connect with root@IP again and make sure it doesn't work
  • Connect with onion@IP and login with the password onion
  • You should now be connected again

FTP

  • Make sure you can't connect to FTP
  • Enable FTP
  • Connect as anonymous user, observe that it works
  • Enable auth. Your session will be closed.
  • Try to login as anonymous or root again, it must not work.
  • Connect with onion:onion, make sure it works.

Telnet

  • Make sure you can't connect to Telnet
  • Enable Telnet
  • Connect and observe you are logged in as root

sdcard is password protected by default (pw smbOnion)
needs work.
@Aemiii91 Aemiii91 changed the title FEAT: Add a seperate user to be used for authentication with services FEAT: Add user authentication for network services Jul 10, 2023
@Aemiii91 Aemiii91 added this to the v4.2 milestone Jul 10, 2023
@Aemiii91 Aemiii91 added enhancement New or improved feature and removed enhancement New or improved feature labels Jul 10, 2023
tGecko and others added 18 commits July 11, 2023 09:26
bftpd now uses the user "onion" from the new passwd file (provided it's mounted)
dropbear now uses any user from the new passwd file (provided it's mounted)
telnetd now uses any user from the new passwd file (provided it's mounted) - however to note; telnetd will run the /etc/profile script again when you login - we should consider mounting this script and adding a tracking file somewhere (a .run_script_once check). It's harmless when logged in as a non-root user, but when logged in as root it will cause problems.
Will not be required when we fully move over to /etc/passwd
Add a little welcome message :)
this caused toggling the share to mess up the config
@XK9274
Member

XK9274 commented Jul 12, 2023

This checklist is stale due to other changes.

@tGecko tGecko marked this pull request as ready for review July 14, 2023 16:44
@tGecko
Member Author

tGecko commented Jul 14, 2023

need to remove telnet auth in tweaks still.. working on it

tGecko and others added 5 commits July 14, 2023 19:22
actually change root password to '' this time
Remove unneeded telnet menu and put telnet at the bottom
(because it is the only item without submenus)
@XK9274
Member

XK9274 commented Jul 14, 2023

Test checklist complete - made 1 change to fix EOL for passwd & group on 8468730

Wiki draft page updated

@Aemiii91 Aemiii91 requested a review from XK9274 July 15, 2023 00:35
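
An added example (not code from this PR or the project): a check to run on a passwd-format file before mounting it over /etc/passwd, covering the empty root password and the EOL fix discussed in this thread. The function names, the `svc` and `broken` entries, the home directory and the hash placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Audits a passwd-format file before it is
# bind-mounted over /etc/passwd. Prints "<line>:<user>:<issue>" per finding.
audit_passwd() {
    awk -F: '
        # Strip a trailing CR and remember it: with CRLF endings the CR
        # becomes part of the last field (the login shell path).
        { crlf = sub(/\r$/, "") }
        $0 == ""   { next }
        crlf       { print NR ":" $1 ":crlf-line-ending" }
        NF != 7    { print NR ":" $1 ":bad-field-count"; next }
        # Empty second field: the account needs no password wherever the
        # service consults this file.
        $2 == ""   { print NR ":" $1 ":empty-password" }
        $3 == 0 && $1 != "root" { print NR ":" $1 ":extra-uid0-account" }
    ' "$1"
}

# Constructed sample input (hypothetical entries, placeholder hash).
write_sample() {
    {
        printf 'root::0:0:root:/root:/bin/sh\n'
        printf 'onion:$6$constructedsalt$constructedhash:1000:1000:onion:/home/onion:/bin/sh\r\n'
        printf 'svc:x:0:0:svc:/:/bin/sh\n'
        printf 'broken:x:1001\n'
    } > "$1"
}

tmp=$(mktemp)
write_sample "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

An `empty-password` finding on root matches what this PR sets deliberately, so it is the line to re-check against the "must not work" steps of the checklist whenever a service's auth toggle is on.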
Member

@XK9274 XK9274 left a comment


Ran full checklist twice, works as expected.

When merged wiki entries for auth section on:

  • Samba
  • Telnet
  • SSH
  • FTP

Need updating

@Aemiii91 Aemiii91 added this pull request to the merge queue Jul 15, 2023
Merged via the queue into main with commit 175eb82 Jul 15, 2023
@Aemiii91 Aemiii91 deleted the auth-services-upgrade branch July 15, 2023 14:15
@Aemiii91 Aemiii91 added the enhancement New or improved feature label Oct 3, 2023