Bernd Wurst commited on 2012-09-15 17:42:18
Zeige 6 geänderte Dateien mit 86 Einfügungen und 5 Löschungen.
... | ... |
@@ -0,0 +1,44 @@ |
1 |
+<?php |
|
2 |
+/* |
|
3 |
+This file belongs to the Webinterface of schokokeks.org Hosting |
|
4 |
+ |
|
5 |
+Written 2008-2012 by schokokeks.org Hosting, namely |
|
6 |
+ Bernd Wurst <bernd@schokokeks.org> |
|
7 |
+ Hanno Böck <hanno@schokokeks.org> |
|
8 |
+ |
|
9 |
+To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty. |
|
10 |
+ |
|
11 |
+You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see |
|
12 |
+http://creativecommons.org/publicdomain/zero/1.0/ |
|
13 |
+ |
|
14 |
+Nevertheless, in case you use a significant part of this code, we ask (but not require, see the license) that you keep the authors' names in place and return your changes to the public. We would be especially happy if you tell us what you're going to do with this code. |
|
15 |
+*/ |
|
16 |
+ |
|
17 |
+require_once('inc/base.php'); |
|
18 |
+require_role(ROLE_SYSTEMUSER); |
|
19 |
+ |
|
20 |
+require_once('googleauth.php'); |
|
21 |
+ |
|
22 |
+$id = (int) $_REQUEST['id']; |
|
23 |
+ |
|
24 |
+$account = accountname($id); |
|
25 |
+$sure = user_is_sure(); |
|
26 |
+if ($sure === NULL) |
|
27 |
+{ |
|
28 |
+ $section='googleauth_overview'; |
|
29 |
+ title("Sicherer Zugang zum Webmailer"); |
|
30 |
+ are_you_sure("id={$id}", "Möchten Sie den Google-Authenticator-Schutz für das Postfach »{$account}« wirklich entfernen?"); |
|
31 |
+} |
|
32 |
+elseif ($sure === true) |
|
33 |
+{ |
|
34 |
+ delete_googleauth($id); |
|
35 |
+ if (! $debugmode) |
|
36 |
+ header("Location: overview"); |
|
37 |
+} |
|
38 |
+elseif ($sure === false) |
|
39 |
+{ |
|
40 |
+ if (! $debugmode) |
|
41 |
+ header("Location: overview"); |
|
42 |
+} |
|
43 |
+ |
|
44 |
+ |
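Review bot: `accountname($id)` returns nothing when the id does not belong to the logged-in user, but the confirmation prompt is still rendered in that case, with an empty mailbox name between the quotes. Bail out before the `user_is_sure()` branches, e.g. `if ($account === NULL) { header("Location: overview"); die(); }`. The deletion is reached through `$_REQUEST['id']`, so its protection against forged cross-site requests rests entirely on `user_is_sure()` / `are_you_sure()`, which are not shown here; it is worth confirming that the confirmation step carries a per-session token and is only accepted via POST. Whether `are_you_sure()` HTML-escapes the interpolated `{$account}` is also not visible from this file.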
... | ... |
@@ -31,6 +31,7 @@ if (! validate_password($username, $oldpw)) { |
31 | 31 |
store_webmail_password($username, $oldpw, $newpw); |
32 | 32 |
$secret = generate_secret($username); |
33 | 33 |
|
34 |
+$section='googleauth_overview'; |
|
34 | 35 |
title("Sicherer Zugang zum Webmailer"); |
35 | 36 |
|
36 | 37 |
output('<p>Bitte geben Sie den folgenden Initialisierungs-Code in Ihre Google-Authenticator-Software ein oder Scannen Sie den QR-Code mit der Google-Authenticator-App Ihres Mobiltelefons.</p>'); |
... | ... |
@@ -62,8 +62,9 @@ function store_webmail_password($username, $oldpw, $newpw) |
62 | 62 |
$code = base64_encode($code); |
63 | 63 |
DEBUG(array($oldpw, $newpw, $code)); |
64 | 64 |
|
65 |
+ $uid = (int) $_SESSION['userinfo']['uid']; |
|
65 | 66 |
|
66 |
- db_query("REPLACE INTO mail.webmail_googleauth (email, webmailpass) VALUES ('{$username}', '{$code}')"); |
|
67 |
+ db_query("REPLACE INTO mail.webmail_googleauth (useraccount, email, webmailpass) VALUES ({$uid}, '{$username}', '{$code}')"); |
|
67 | 68 |
} |
68 | 69 |
|
69 | 70 |
|
... | ... |
@@ -117,7 +118,7 @@ function generate_secret($username) |
117 | 118 |
function check_googleauth($username, $code) { |
118 | 119 |
$username = mysql_real_escape_string($username); |
119 | 120 |
|
120 |
- $result = db_query("SELECT ga_secret FROM mail.webmail_googleauth WHERE email='{$username}'"); |
|
121 |
+ $result = db_query("SELECT ga_secret, failures FROM mail.webmail_googleauth WHERE email='{$username}' AND (unlock_timestamp IS NULL OR unlock_timestamp <= NOW())"); |
|
121 | 122 |
$tmp = mysql_fetch_assoc($result); |
122 | 123 |
$secret = $tmp['ga_secret']; |
123 | 124 |
|
... | ... |
@@ -126,8 +127,15 @@ function check_googleauth($username, $code) { |
126 | 127 |
|
127 | 128 |
$checkResult = $ga->verifyCode($secret, $code, 2); // 2 = 2*30sec clock tolerance |
128 | 129 |
if ($checkResult) { |
130 |
+ db_query("UPDATE mail.webmail_googleauth SET failures = 0, unlock_timestamp=NULL WHERE email='{$username}'"); |
|
129 | 131 |
DEBUG('OK'); |
130 | 132 |
} else { |
133 |
+ if ($tmp['failures'] > 0 && $tmp['failures'] % 5 == 0) { |
|
134 |
+ db_query("UPDATE mail.webmail_googleauth SET failures = failures+1, unlock_timestamp = NOW() + INTERVAL 5 MINUTE WHERE email='{$username}'"); |
|
135 |
+ } else { |
|
136 |
+ db_query("UPDATE mail.webmail_googleauth SET failures = failures+1 WHERE email='{$username}'"); |
|
137 |
+ } |
|
138 |
+ |
|
131 | 139 |
DEBUG('FAILED'); |
132 | 140 |
} |
133 | 141 |
return $checkResult; |
... | ... |
@@ -161,8 +169,29 @@ function generate_qrcode_image($secret) { |
161 | 169 |
$return_value = proc_close($process); |
162 | 170 |
|
163 | 171 |
return $pngdata; |
172 |
+ } else { |
|
173 |
+ warning('Es ist ein interner Fehler im Webinterface aufgetreten, aufgrund dessen kein QR-Code erstellt werden kann. Sollte dieser Fehler mehrfach auftreten, kontaktieren Sie bitte die Administratoren.'); |
|
174 |
+ } |
|
175 |
+ |
|
176 |
+ |
|
164 | 177 |
} |
165 | 178 |
|
179 |
+function accountname($id) |
|
180 |
+{ |
|
181 |
+ $id = (int) $id; |
|
182 |
+ $uid = (int) $_SESSION['userinfo']['uid']; |
|
183 |
+ $result = db_query("SELECT email FROM mail.webmail_googleauth WHERE id={$id} AND useraccount={$uid}"); |
|
184 |
+ if ($tmp = mysql_fetch_assoc($result)) { |
|
185 |
+ return $tmp['email']; |
|
186 |
+ } |
|
187 |
+} |
|
188 |
+ |
|
189 |
+ |
|
190 |
+function delete_googleauth($id) |
|
191 |
+{ |
|
192 |
+ $id = (int) $id; |
|
193 |
+ $uid = (int) $_SESSION['userinfo']['uid']; |
|
166 | 194 |
|
195 |
+ db_query("DELETE FROM mail.webmail_googleauth WHERE id={$id} AND useraccount={$uid}"); |
|
167 | 196 |
} |
168 | 197 |
|
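Review bot: In `check_googleauth()`, a locked or unknown mailbox now makes the SELECT return no row, yet the function carries on and passes an empty `$secret` to `$ga->verifyCode()`, so the lockout only holds if that library rejects an empty secret, which this diff does not show. Return early right after the fetch instead: `if (! $tmp) { DEBUG('FAILED'); return false; }`. Separately, the `failures % 5 == 0` test reads the counter before incrementing it, so the 5-minute lock is set on the sixth consecutive failure rather than the fifth, and the read-then-update sequence is not atomic under parallel requests. With a clock tolerance of 2 several codes are valid at any moment, so the limiter is worth tightening. The lines between the fetch and the `verifyCode()` call lie outside the visible hunks.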
... | ... |
@@ -70,7 +70,7 @@ if (count($sorted_by_domains) > 0) |
70 | 70 |
output('<div style="margin-left: 2em;"><p style="margin-left: -2em;"><strong>'.$username.'</strong></p>'); |
71 | 71 |
$id = account_has_googleauth($username); |
72 | 72 |
if ($id) { |
73 |
- output(addnew('delete', 'Sicheren Zugang für dieses Postfach abschalten', 'username='.urlencode($username), 'style="background-image: url('.$prefix.'images/delete.png); color: red;"')); |
|
73 |
+ output(addnew('delete', 'Sicheren Zugang für dieses Postfach abschalten', 'id='.$id, 'style="background-image: url('.$prefix.'images/delete.png); color: red;"')); |
|
74 | 74 |
} else { |
75 | 75 |
output(addnew('setup', 'Sicheren Zugang für dieses Postfach aktivieren', 'username='.urlencode($username))); |
76 | 76 |
} |
... | ... |
@@ -20,6 +20,7 @@ require_role(ROLE_SYSTEMUSER); |
20 | 20 |
|
21 | 21 |
$username = urldecode($_REQUEST['username']); |
22 | 22 |
|
23 |
+$section='googleauth_overview'; |
|
23 | 24 |
title("Sicherer Zugang zum Webmailer"); |
24 | 25 |
|
25 | 26 |
output('<p><strong>Hinweise:</strong></p><ul><li>Nach Einrichtung der Zwei-Faktor-Authentifizierung funktioniert bei der Anmeldung über <a href="'.config('webmail_url').'">die zentrale Webmail-Login-Seite</a> nur noch dieses Passwort zusammen mit dem Einmal-Code, der mit dem Google-Authenticator erzeugt wird.</li> |
... | ... |
@@ -20,6 +20,10 @@ require_role(ROLE_SYSTEMUSER); |
20 | 20 |
|
21 | 21 |
require_once('googleauth.php'); |
22 | 22 |
|
23 |
+$section='googleauth_overview'; |
|
24 |
+title('Test der Zwei-Faktor-authentifizierung'); |
|
25 |
+ |
|
26 |
+if (isset($_REQUEST['username'])) { |
|
23 | 27 |
$username = $_REQUEST['username']; |
24 | 28 |
$webmailpw = $_REQUEST['webmailpass']; |
25 | 29 |
$ga_code = $_REQUEST['ga_code']; |
... | ... |
@@ -36,8 +40,6 @@ if (! check_googleauth($username, $ga_code)) { |
36 | 40 |
$success = false; |
37 | 41 |
} |
38 | 42 |
|
39 |
-title('Test der Zwei-Faktor-authentifizierung'); |
|
40 |
- |
|
41 | 43 |
if ($success) { |
42 | 44 |
output('<p>'.icon_ok().' Der Test war erfolgreich!'); |
43 | 45 |
} else { |
... | ... |
@@ -46,6 +48,10 @@ if ($success) { |
46 | 48 |
|
47 | 49 |
|
48 | 50 |
output('<h3>Weiterer Test</h3>'); |
51 |
+} else { |
|
52 |
+ $username = ''; |
|
53 |
+ output('<p>Geben Sie hier die Login-Daten ein um Ihren Zugang zu testen.</p>'); |
|
54 |
+} |
|
49 | 55 |
|
50 | 56 |
$form = '<p>Ihr Webmail-Benutzername: <input type="text" name="username" value="'.filter_input_general($username).'" /></p> |
51 | 57 |
<p>Ihr neues Webmail-Passwort: <input type="password" name="webmailpass" /></p> |
52 | 58 |