Passing username and password from apache Passing username and password from apache
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

Passing username and password from apache

Started by subcan, December 16, 2015, 12:15:51 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

subcan

I have searched this forum and Google for an answer. This is a last resort for help.

So far I have a successful installation of Coppermine and really like the gallery.

I have the gallery set up to require login of all users.

When the users go to url apache first authenticates them with smartcard authentication (based of <Files "login.php"> container)

This works great. Once they authenticate with smart card they are presented with Coppermine login page.

What I would like to do is auto populate the username and password of this login page.

I have apache setup with "+ExportCertData" so that the smartcard data will be available to external applications.

I just don't know where I need to call this data from?

I have looked at the login.php file and it doesn't seem to be the place to do this, but I could be wrong.

I found a web page https://cweiske.de/tagebuch/ssl-client-certificates.htm that kind of shows what I am trying to do.

Any help or links to applicable articles would be greatly appreciated.

Thanks for you help.
SUB

ron4mac

#1
You can try this:

In the index.php file at the root of your CPG install, add a line right after require('include/init.inc.php'); (at about line 26)
So it becomes:
require('include/init.inc.php');
$cpg_udb->login($_ENV['PHP_AUTH_USER'], $_ENV['PHP_AUTH_PW'], 0);

If the user has already registered, that should log them in.

[EDIT]
After actually trying the above code  :-[ , you will instead need to add these few lines right after require('include/init.inc.php'); (at about line 26):
if ($superCage->env->keyExists('PHP_AUTH_USER')) {
$cpg_udb->login($superCage->env->getRaw('PHP_AUTH_USER'), $superCage->env->getRaw('PHP_AUTH_PW'), 0);
}

subcan

Hey ron4mac,

Thanks for your reply. It is appreciated.

The code you seems to be for someone who registers, then they are automatically logged in?

What I was looking for was a way to pass user SSL certificate information from apache into CPG. I don't know if I was clear on my intentions. It is hard to describe something that you cannot figure out...lol.

I did a boatload more research and came up with a working solution... for now.

I found a post http://forum.coppermine-gallery.net/index.php/topic,75543.msg366736.html?PHPSESSID=t15n4cu9askkr1ukn6hd5f3hs3#msg366736
that shows adding:
<tr>
<td colspan=2 align=center>
<Iframe src="loginchoice.php" width="100%" height="450" frameborder=0 seamless></Iframe>
</td>
</tr>

right after line 162 of login.php.

This got me pointed in the right direction. At least I think so. I am concerned about security, so hopefully my methods aren't leaving too much "in the clear."

I added the following code to login.php, after line 136
line 136: $login_method = $lang_login_php[$CONFIG['login_method']];

This code starts a session and sets the header info picked up from apache to $_SESSION variables that can be shared with loginchoice.php

// Start a session to pass apache SSL values to loginchoice.php
session_start();
foreach (getallheaders() as $name => $value) {
    //echo "$name: $value <br />\n";
    switch ($name) {
        case "SSL_CLIENT_S_DN":
            $_SESSION["SSL_CLIENT_S_DN"] = $value;
            break;
        case "SSL_CLIENT_VERIFY":
            $_SESSION["SSL_CLIENT_VERIFY"] = $value;
            break;
        case "SSL_CLIENT_I_DN":
            $_SESSION["SSL_CLIENT_I_DN"] = $value;
            break;
        case "SSL_CLIENT_S_DN_CN":
            $_SESSION["SSL_CLIENT_S_DN_CN"] = $value;
            break;
    }
}


In apache I sent the certificate details using:

RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}s
RequestHeader set SSL_CLIENT_VERIFY %{SSL_CLIENT_VERIFY}s
RequestHeader set SSL_CLIENT_I_DN %{SSL_CLIENT_I_DN}s
RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}s


Then in loginchoice.php I put in a bunch of validation code and used PHP explode function to grab the pieces of the SSL certs that I needed.
The part needed to add a button to the login page, that once clicked logs the user in with prefilled username and password is:

echo <<< EOT
        <form action="login.php" method="post" name="loginbox" id="cpgform" target="_top" >
        <input type="hidden" name="username"  value="{$username}" />
        <input type="hidden" name="password" value="{$password}" />
        <input type="submit" class="buttonStyle0"  name="submitted" value="Auto-SignIn as {$username}" />
        </form>
EOT;


Now when a user logs in with their smartcard, the username and password is automatically put into the button.

I hope that this is a secure way of doing this. The only way to access the Coppermine Gallery is to login with a smartcard. I believe that this username and password are just redundant.

The reason for it is that I wanted users to be able to see who has posted what pictures (by their name) and not some "wonky" username that they make up.

Sorry for the long reply... I just wanted to share this... just in case someone else down the road wants to do something similar.

My big concern with this CMS is that all these modifications seem to require modifying core files, such as index.php, login.php, etc...
What happens when I update to the next Copermine release? That is a lot of stuff to keep track of.

I know I have to figure out how to write plugins, but first I need my site up and running.

Thanks again for your reply,
SUB

ron4mac

#3
From what I see, you will still need to have a user registered (exist in the user database) before they can log in.

[edit]
You might be able to use methods from my joomla to cpg tunnel plugin (see tunnel_createUserIfNeeded in the file initialize.inc.php) to automatically create users.