Custom Login Component

Posted: Thu Sep 13, 2012 8:50 am
by disrael
I wrote a component for our S3 authentication system. S3 is integrated into our Apache server; whenever a request hits one of our protected sites it will redirect the user to log in on the policy server and, if the credentials are correct, return them back to the server. It appears the component I wrote has an issue when I integrate it. Is there any way I can get the component to run before we get the login page for Nagios? Or is there any way I can pass information to the login screen with the username so it bypasses the login and goes directly into Nagios? I am using the LDAP and AD components as a guide, though it looks like both of them use the Nagios login page to collect the login information, whereas our users have already entered their credentials in the policy system.

Also, is there anything wrong with using $_SERVER['variable']?

Thanks

Doron

Re: Custom Login Component

Posted: Thu Sep 13, 2012 10:22 am
by scottwilkerson
It might help if you could post what you have. You will need a way to set the user_id for the user to setup the session, and this is going to have to happen in the Nagios server.

Can you just pass the login credential to the policy server the same way that the LDAP components verify their users (via php)?

Re: Custom Login Component

Posted: Fri Sep 14, 2012 7:15 am
by disrael
Here is a link to the code I started to use: http://support.nagios.com/forum/viewtop ... rgs#p30556

It looks like the check authentication function is not run until after someone clicks "login", though I see the init function is run on load of every page, it looks like. I tested this with a "hello world". I am a little rusty with PHP, though; all I think I need to do is pull the variable from the header (which I already have), then use it to process the login form somehow. When you click login I see nothing posted to the browser or the Apache logs that would indicate that the username is being passed that way.

We are unable to have the page come first then pass the info to S3 as we have to maintain login page standards.

This is what I want to happen:
user goes to URL ==> hits Apache ==> Apache redirects protected site to S3 ==> user logs in to S3 ==> if credentials are correct ==> user redirected to previously requested site ==> user info is passed into Nagios ==> user matches Nagios user ==> user is authorized to be on the site.

I started to look at curl and wonder if that might help.

-Hostage

Re: Custom Login Component

Posted: Fri Sep 14, 2012 10:44 am
by mguthrie
Ok, from what you describe you're going to need something different than what our other authentication components do. Unfortunately it's also going to be harder. I tried playing with a few different ideas for your scenario, but so far none of them have worked. Upon looking into it some more I realized this is because Nagios XI has security features built in to prevent session hijacking, which is a good thing, but it's also going to prevent an easy bypass of the login page.

Is it possible at your company to just modify the login.php page to match your company standards?

Re: Custom Login Component

Posted: Fri Sep 14, 2012 11:11 am
by disrael
I might have gotten it to work in a very odd manner.

I need to do some testing, though this is the best it has looked so far.

I modified my script to look like this:

<?php
// S3 Authentication Component
//
//
// $Id: s3auth.inc.php 197 2012-07-31 16:34:55Z disrael $

// include the helper file
require_once(dirname(__FILE__).'/../componenthelper.inc.php');


// respect the name
$s3auth_component_name="s3auth";

// run the initialization function
s3auth_component_init();

////////////////////////////////////////////////////////////////////////
// COMPONENT INIT FUNCTIONS
////////////////////////////////////////////////////////////////////////

function s3auth_component_init(){
        global $s3auth_component_name;

        $versionok=s3auth_component_checkversion();

        $desc="";
        if(!$versionok)
                $desc="<br><b>Error: This component requires Nagios XI 2009R1.3G or later.</b>";

        $args=array(

                // need a name
                COMPONENT_NAME => $s3auth_component_name,

                // informative information
                COMPONENT_AUTHOR => "D. Israel",
                COMPONENT_DESCRIPTION => "Provides S3 authentication for Nagios XI. ".$desc,
                COMPONENT_TITLE => "S3 Authentication",
                // configuration function (optional)
                //COMPONENT_CONFIGFUNCTION => "s3auth_component_config_func",
                );

        register_component($s3auth_component_name,$args);

        // Per-browser request counter kept in the "s3" cookie. setcookie() does
        // not update $_COOKIE for the current request, so read the count into a
        // local first; a missing cookie (first request) counts as 0.
        $count=isset($_COOKIE["s3"]) ? (int)$_COOKIE["s3"] : 0;
        if ($count < 2 && isset($_SERVER["HTTP_SM_USER"])) {
                // For the first two requests, hand the policy server's SM_USER
                // header to the server as REMOTE_USER, then bump the counter.
                $_SERVER["REMOTE_USER"]=$_SERVER["HTTP_SM_USER"];
                setcookie("s3", $count+1);
        }

        if($versionok){
                // configure authentication callback
                register_callback(CALLBACK_PROCESS_AUTH_INFO,'s3auth_component_check_authentication');
        }
}



///////////////////////////////////////////////////////////////////////////////////////////
// VERSION CHECK FUNCTIONS
///////////////////////////////////////////////////////////////////////////////////////////

function s3auth_component_checkversion(){

        if(!function_exists('get_product_release'))
                return false;
        if(get_product_release()<124)
                return false;

        return true;
}

///////////////////////////////////////////////////////////////////////////////////////////
// AUTHENTICATION FUNCTIONS
///////////////////////////////////////////////////////////////////////////////////////////

// Called by XI when the login form is processed. Everything below is still
// commented out while testing, so the callback currently does nothing.
function s3auth_component_check_authentication($cbtype,&$cbargs){

        // get the credentials the user is passing to us
        //$username=$_SERVER["HTTP_SM_USER"];
        //$_SERVER["REMOTE_USER"]="nagiosadmin";

        //$_SERVER["REMOTE_USER"]=$_SERVER["HTTP_SM_USER"];
        //$_SESSION["username"]=$_SERVER["HTTP_SM_USER"];
        //print "test123";
        // credentials were correct!

        // notify caller of authentication success
        //$cbargs["login_ok"]=1;

        //$cbargs["debug_messages"][]="Successfully authenticated against S3!";

        return;

}


?>

Re: Custom Login Component

Posted: Fri Sep 14, 2012 1:27 pm
by mguthrie
Is this machine on a closed system?

Cookies work for persistent data, but they're not secure at all against XSS attacks, so if you're on a closed system where outside attackers couldn't get at the XI box then it's probably not much of a problem; otherwise $_SESSION data is more secure.

At the moment the script you posted doesn't appear to do anything with the authentication callback. What is the behavior that you're getting right now?
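The two points raised in this thread, whether $_SERVER['HTTP_SM_USER'] can be trusted and why a client cookie is a weak place to keep login state, come together in the following added example. It is not code from the thread or from Nagios XI; the function names, the $trusted_proxies list and the integration point are assumptions made for illustration. The idea it shows is that an HTTP_* entry in $_SERVER is built from a request header that any client can send, so the SM_USER assertion should only be believed when the request's direct peer is the policy-server front end, and the resulting identity should live in the server-side $_SESSION (with the session id rotated on login) rather than in a counter cookie.

```php
<?php
// Added example (not from the thread or Nagios XI). Assumption: the Apache
// front end that enforces S3 is the only hop allowed to reach this PHP, and
// its addresses are listed in $trusted_proxies.

// Constructed: addresses of the front ends that set the SM_USER header.
$trusted_proxies = array('10.0.0.5', '10.0.0.6');

/**
 * Return the username asserted by the policy server, or null if the request
 * did not arrive through a trusted front end or carries no usable header.
 */
function s3_asserted_user(array $server, array $trusted_proxies) {
    // $_SERVER['HTTP_SM_USER'] is just the SM-USER request header, which any
    // client can supply, so only accept it when the direct peer is the proxy.
    if (!isset($server['REMOTE_ADDR'])
        || !in_array($server['REMOTE_ADDR'], $trusted_proxies, true)) {
        return null;
    }
    if (!isset($server['HTTP_SM_USER']) || $server['HTTP_SM_USER'] === '') {
        return null;
    }
    // Restrict the value to the character set a Nagios contact name would use,
    // so it can be compared against contact names without surprises.
    if (!preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $server['HTTP_SM_USER'])) {
        return null;
    }
    return $server['HTTP_SM_USER'];
}

/**
 * Bind the asserted user to the server-side session instead of a client
 * cookie; the browser only ever holds the opaque session id.
 */
function s3_bind_session($user) {
    if (session_id() === '') {
        session_start();
    }
    if (!isset($_SESSION['s3_user']) || $_SESSION['s3_user'] !== $user) {
        // New or changed identity: rotate the session id so an id issued
        // before login cannot be carried over into the authenticated session.
        session_regenerate_id(true);
        $_SESSION['s3_user'] = $user;
    }
    return $_SESSION['s3_user'];
}

// Assumed integration point: run once per request before XI decides whether
// to show its login page.
$user = s3_asserted_user($_SERVER, $trusted_proxies);
if ($user !== null) {
    s3_bind_session($user);
}
// If $user is null, fall through to the normal Nagios login page.
```

Because the session is server-side and expires with the PHP session, the problem described later in the thread of a second person on the same machine inheriting the previous person's login is handled by session lifetime and logout rather than by editing cookie timeouts in utils.inc.php.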

Re: Custom Login Component

Posted: Fri Sep 14, 2012 2:13 pm
by disrael
Some interesting things:

1) I see this error message if a user clicks "logout" and then attempts to log in with the Nagios login screen: "NSP: Sorry Dave, I can't let you do that" :)
-I will need to fix this somehow if the user logs out and attempts to log in for some reason. I may need to put up a message, or modify it.
2) I modified the utils.inc.php code and removed the timeout setting on the cookies so they will expire when the user closes the browser. I had to do this, or if more than one person logged into the same system and the previous person didn't log out, they would get logged into the previous person's session.
3) These systems will be protected by our authentication system and I "think" a firewall will protect them on our external network. I will need to double check on this.
4) I am somehow leveraging HTTP Basic authentication when the user initially logs in. Once the user clicks a link or refreshes the page, the Logout button appears under the name.
5) I am so rusty with programming that I remember just enough to be dangerous.

-Doron

Re: Custom Login Component

Posted: Fri Sep 14, 2012 2:29 pm
by mguthrie
> 1) I see this error message if a user clicks "logout" and then attempts to log in with the Nagios login screen: "NSP: Sorry Dave, I can't let you do that" :)
> -I will need to fix this somehow if the user logs out and attempts to log in for some reason. I may need to put up a message, or modify it.

Yeah, that's the Nagios session protector trying to prevent you from hijacking the session, which is actually what you're attempting to do ;)
Some forms in XI pass an "nsp" session key around to protect against form hijacking and XSS attacks. You can play with disabling it in the code, but I'm the lead developer here and I'm not sure I would attempt that. Also remember that any time you upgrade XI, we overwrite the PHP scripts that are not components, wizards, or dashlets. If you're going to make changes like this, I would try to make them all in one place, and my recommendation would be the login.php file. Find some way for it to receive the valid credentials and auto-login or auto-submit from that page.

Re: Custom Login Component

Posted: Mon Sep 17, 2012 9:01 am
by disrael
The only thing I have modified was utils.inc.php, and inside of that I only touched the cookie time settings. I set it so they would expire when the session closes. I am going to speak to my manager about this later.

Re: Custom Login Component

Posted: Mon Sep 17, 2012 10:15 am
by mguthrie
Ok, let us know what you find out and we'll see what we can make work.