Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download it's configuration again after 2FA has beend enabled
for it.
Additionally the client needs to configure an TOTP application, like
"Google Authenticator" which then provides the second factor.
To faciliate this every connection with enabled 2FA
gets an "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and an 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s
window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
There is no legitimate reason to do this. Setting header X-Frame-Options
to "sameorigin" is necessary for displaying some collectd graphs on the
WebUI.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
By default, even modern browsers sent the URL of ther originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.
This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Add X-Content-Type-Options header to prevent Internet Explorer
from interpreting the MIME type of a server answer on its own,
which could lead to security risks.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Remove configuration lines in Apache vhosts files which
are not used anymore (old dial.cgi stuff).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated to apache 2.4
- Updated the htpasswd generation to use the more secure bcrypt algorithm
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Disable unauthenticated access to cgi-bin/credits.cgi. The page
leaks the currently installed version of IPFire and the hardware
architecture.
Both information might make a successful attack much easier.
This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
and accepting a SSL certificate warning (if any).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* Konfiguration fuer Apache2
Kernelupgrade auf 2.4.33.3
Syslinux-Upgrade
Gefixt:
* /tmp/ROOTFILES hat nichts in der ISO zu suchen.
* Fehler im Installer wegen Apache2.
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@283 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
