Previously a remote FAS could not use the https protocol without generating
browser security errors or warnings, so NDS enforced the use of http.
A new FAS level, fas_secure_enabled = 3, is introduced here.
Level 3 is the same as level 2 except that the use of the https protocol is
enforced for FAS. In addition, the "authmon" daemon is loaded.
This daemon allows the external FAS, after client verification is complete,
to effectively traverse inbound firewalls and address translation to
achieve NDS authentication without generating browser security warnings
or errors.
A fully functional https fas script is provided (fas-aes-https.php).
Signed-off-by: Rob White <rob@blue-wave.net>
The ndsctl json command now counts the number of trusted devices and
outputs a list of them in json array format.
Signed-off-by: Rob White <rob@blue-wave.net>
See issue #516
"#" is used as a comment indicator in nodogsplash.conf
This fix allows the character to be present as part of an option value.
If the character occurs at the beginning of the line,
the line will be considered as a comment.
"'" (single quote/asterisk) is used as a uci delimiter.
If this character is required in gatewayname then use the
htmlentity ' instead.
The default config files have been updated to reflect this.
The demo preauth scripts have been modified to ensure
gatewayname is properly escaped.
Signed-off-by: Rob White <rob@blue-wave.net>
See issue #515
MHD_get_version is used to determine the installed (runtime) version of
libmicrohttpd (MHD).
If the version is earlier than 0.9.69, then by default, NDS will terminate.
However, if option use_outdated_mhd is set to 1, NDS starts normally
but logs an error.
Signed-off-by: Rob White <rob@blue-wave.net>
The log file location is now determined by simply setting the variables
mountpoint, logdir and logname in the PreAuth and BinAuth examples.
The default is to use mountpoint /tmp with /run suggested for Raspbian.
These default locations are both tmpfs so protect system flash from wear
but will not survive a reboot.
More suitable storage can be chosen for a production system (eg a usb stick).
The log file size is limited by a simple algorithm that takes into account
other usage of the storage:
F=available space
L=logsize
R=Ratio of available to log size
C=capacity, storage size less other non log usage
This gives two equations.
R=F/L
C=F+L
Solving for L:
L=C/(R+1)
If the minimum value of R is 10
then L(max)=(F(current)+L(current))/11
Signed-off-by: Rob White <rob@blue-wave.net>
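The size rule above, carried into a working log limiter. This is an added example written for this page, not the PreAuth/BinAuth script shipped with nodogsplash; the variable names mountpoint, logdir and logname follow the commit message, while free_kb_at, max_logsize_kb, trim_log and log_entry are names chosen here. It keeps the newest part of the log whenever the file exceeds L(max) = (F + L) / (R + 1), with R = 10 as the minimum ratio of free space to log size.

```shell
#!/bin/sh
# Added example, not nodogsplash's own PreAuth/BinAuth code. It applies the
# ratio rule L(max) = (F + L) / (R + 1), R = 10 by default, so that a script
# log on tmpfs (or a usb stick) never crowds out other users of the storage.
# mountpoint/logdir/logname mirror the commit message; the function names
# free_kb_at, max_logsize_kb, trim_log and log_entry are assumed here.

mountpoint=${mountpoint:-/tmp}      # /run suggested for Raspbian
logdir=${logdir:-ndslog}
logname=${logname:-binauth.log}
ratio=${ratio:-10}                  # minimum ratio R of free space to log size

# free_kb_at DIR: available space in KB (F) on the filesystem holding DIR.
free_kb_at() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# max_logsize_kb FREE_KB LOG_KB [RATIO]: largest permitted log size in KB.
# C = F + L is the capacity left for the log once other usage is excluded,
# and L(max) = C / (R + 1).
max_logsize_kb() {
    echo $(( ($1 + $2) / (${3:-$ratio} + 1) ))
}

# trim_log LOGFILE FREE_KB [RATIO]: if LOGFILE exceeds the limit, keep only
# its newest bytes. Prints the limit in bytes; returns 0 when the file was
# trimmed and 1 when it already fitted.
trim_log() {
    logfile=$1
    free_kb=$2
    size=0
    [ -f "$logfile" ] && size=$(( $(wc -c < "$logfile") ))
    limit=$(( $(max_logsize_kb "$free_kb" $(( size / 1024 )) "${3:-$ratio}") * 1024 ))
    echo "$limit"
    [ "$size" -gt "$limit" ] || return 1
    tail -c "$limit" "$logfile" > "$logfile.tmp" && mv "$logfile.tmp" "$logfile"
}

# log_entry TEXT...: typical use from a script, trim before appending.
log_entry() {
    mkdir -p "$mountpoint/$logdir"
    logfile="$mountpoint/$logdir/$logname"
    trim_log "$logfile" "$(free_kb_at "$mountpoint")" > /dev/null
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$logfile"
}
```

Because F is re-read from df on every call, the limit shrinks automatically as other files fill the same tmpfs, which is the point of expressing it as a ratio rather than a fixed byte count.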
See issue #503
If ndsctl is called within a Binauth script it deadlocks as NDS is in
the middle of its client authentication logic when BinAuth is called.
It should not be necessary to run ndsctl from Binauth anyway as it does not
provide any useful post authentication functionality.
This commit prevents ndsctl from being run using a modified version of
the existing ndsctl.lock logic.
Signed-off-by: Rob White <rob@blue-wave.net>
Disabled is 0 (default)
Enabled is 1
This allows custom unescape in MHD.
MHD needs to unescape characters sent in query strings by browsers.
When this option is disabled, MHD uses its builtin unescape.
When enabled, MHD uses /usr/lib/nodogsplash/unescape.sh
The unescape.sh library is safe as all incoming queries are escaped
by the client browser and the argument containing the string to be unescaped
is quoted by NDS.
Signed-off-by: Rob White <rob@blue-wave.net>
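To show what a shell-side unescape library of the kind described above has to do, here is an added example of a query-string decoder in POSIX shell. It is not the unescape.sh shipped by nodogsplash, and its treatment of '+' as a space is an assumption. It builds a printf format so that each decoded byte is emitted exactly once (newlines included) and no part of the input is ever parsed as shell syntax, which is the property the quoting described in the commit message relies on.

```shell
#!/bin/sh
# Added example of a query-string unescaper in POSIX shell. It is not the
# unescape.sh shipped by nodogsplash; decoding '+' to a space is an assumption.
# Literal text travels as printf arguments, decoded bytes as \ooo escapes in
# the format, so nothing from the query string is interpreted by the shell.

# urldecode STRING: print STRING with %XX sequences (and '+') decoded.
# Malformed escapes such as '%zz' are passed through unchanged.
urldecode() {
    s=$1
    fmt=""
    set --                       # positional params collect literal chunks
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}
                hex=${hex%"${hex#??}"}                   # first two characters
                fmt="$fmt\\$(printf '%03o' "0x$hex")"   # byte as \ooo escape
                s=${s#???}
                ;;
            +*)
                fmt="$fmt "
                s=${s#+}
                ;;
            %*)                                          # lone or malformed %
                fmt="$fmt%%"
                s=${s#%}
                ;;
            *)
                chunk=${s%%[%+]*}                        # run of ordinary text
                fmt="$fmt%s"
                set -- "$@" "$chunk"
                s=${s#"$chunk"}
                ;;
        esac
    done
    printf "$fmt" "$@"
}
```

NDS passes the string to the library as a single quoted argument; inside the function the value is only ever compared against case patterns and handed to printf as data, so a query containing quotes, backslashes or semicolons decodes cleanly rather than being re-evaluated.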
Note on characters in gatewayname:
# ' and " are invalid in both uci config and nodogsplash.conf so cannot be used.
Signed-off-by: Rob White <rob@blue-wave.net>
Busybox provides "ash" which is compatible with "bash",
yet requires a shebang of "sh"
For systems not using Busybox (eg Debian) Makefile uses sed to change to "bash"
Signed-off-by: Rob White <rob@blue-wave.net>
This caused a subtle memory corruption resulting in MHD failing to start,
NDS failing to start from the command line unless argument -d2 was used,
and probably other strange anomalies, but only on some targets, eg RPi/Raspbian,
and probably not seen on OpenWrt.
Fix was found by @skra72, many thanks.
Signed-off-by: Rob White <rob@blue-wave.net>