Virtual Users

From ProVide DocWiki
Revision as of 15:07, 24 March 2014 by Viktor Gustavsson

Overview

Have ProVide integrate with any system for user authentication and configuration! With virtual script-based integration, ProVide can connect to just about any data source (e.g. databases, management information systems, flat files) to verify and configure accounts. All you have to do is set up two access points: one that verifies whether a user will be allowed access, and one that tells ProVide the user configuration (home directory structure, limitations, security settings, etc.).

Tip 1: Use the graphical user interface to create a user account set up the way you want. Then use this account file as a template when creating your user files.

Tip 2: Use groups to define basic functionalities and then simply return which groups a user should get its configuration from.

Examples

A basic example

The example below shows the basics of virtual user integration: two virtual accounts with different passwords and different home directory configurations.

Verification script in ProVide:

C:\Scripts\login.cmd "%IP%" "%USERNAME%" "%PASSWORD%"

Contents of file "C:\Scripts\login.cmd":

@echo off

rem Extract IP and remove quotes
set IP=%1
for /f "useback tokens=*" %%a in ('%IP%') do set IP=%%~a

rem Extract Username and remove quotes
set USER=%2
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Extract Password and remove quotes
set PASS=%3
for /f "useback tokens=*" %%a in ('%PASS%') do set PASS=%%~a

rem Check for valid logins

if /I "%USER%" == "testuser1" (
   if "%PASS%" == "pass pass" (
      exit 0
   )
)

if /I "%USER%" == "testuser2" (
   if "%PASS%" == "password" (
      if "%IP%" == "127.0.0.1" (
         exit 0
      )
   )
)

rem No valid login found - Deny access
exit 1

Configuration script in ProVide:

C:\Scripts\userconfig.cmd "%USERNAME%"

Contents of file "C:\Scripts\userconfig.cmd":

@echo off

rem Extract username and remove quotes
set USER=%1
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Configure accounts

if /I "%USER%" == "testuser1" (
   echo !Restriction - VirtualAccount
   echo /Virtual folder for testuser1^|^|
   echo /^|C:\^|RF,LD,RR
)

if /I "%USER%" == "testuser2" (
   echo !Restriction - VirtualAccount
   echo /a virtual folder^|^|
   echo /^|C:\^|RF,LD,RR
)
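
An added example, not part of the ProVide documentation: the same verification contract (arguments IP, username, password; exit code 0 allows, 1 denies) with salted PBKDF2 hashes instead of plaintext passwords in the script. Using Python as the script interpreter, the record layout, the work factor and the names `derive`, `record`, `USERS` and `verify` are assumptions.

```python
import hashlib
import hmac
import sys

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def record(password: str, salt_hex: str, allowed_ip=None) -> dict:
    # Constructed sample data: a real store holds only the salt and hash,
    # produced at enrolment time, never the plaintext password.
    salt = bytes.fromhex(salt_hex)
    return {"salt": salt, "hash": derive(password, salt), "ip": allowed_ip}


# Same two accounts as login.cmd; testuser2 is limited to one client IP.
USERS = {
    "testuser1": record("pass pass", "00112233445566778899aabbccddeeff"),
    "testuser2": record("password", "ffeeddccbbaa99887766554433221100", "127.0.0.1"),
}
DUMMY = record("", "00" * 16)  # hashed for unknown users to keep timing uniform


def verify(ip: str, username: str, password: str) -> int:
    """Return the exit code ProVide expects: 0 allows the login, 1 denies it."""
    user = USERS.get(username.lower())  # case-insensitive, like "if /I"
    ref = user or DUMMY
    matches = hmac.compare_digest(derive(password, ref["salt"]), ref["hash"])
    if user is None or not matches:
        return 1
    if user["ip"] is not None and ip != user["ip"]:
        return 1
    return 0


if __name__ == "__main__":
    # argv values are compared as data; nothing here is expanded by a
    # command interpreter the way %PASS% is inside a .cmd file.
    sys.exit(verify(*sys.argv[1:4]) if len(sys.argv) == 4 else 1)
```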

Requiring public/private key authentication and SFTP with virtual users

The example below shows how to require public/private key authentication. When using virtual users, the two scripts, "verification" and "configuration", are called separately: "verification" is called only once the user supplies a password to be verified, and "configuration" is called as soon as the server needs the complete setup of an account.

Thus, if the "configuration" script returns a requirement that the user needs public key authentication, then public key authentication will be required.

Note: The line containing the public key ("!Security - PubKey: [...]") must be on one long line.

Verification script in ProVide:

C:\Scripts\login.cmd "%IP%" "%USERNAME%" "%PASSWORD%"

Contents of file "C:\Scripts\login.cmd":

@echo off

rem Extract IP and remove quotes
set IP=%1
for /f "useback tokens=*" %%a in ('%IP%') do set IP=%%~a

rem Extract Username and remove quotes
set USER=%2
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Extract Password and remove quotes
set PASS=%3
for /f "useback tokens=*" %%a in ('%PASS%') do set PASS=%%~a

rem We do not allow any password verifications for virtual users - Deny all access

exit 1

Configuration script in ProVide:

C:\Scripts\userconfig.cmd "%USERNAME%"

Contents of file "C:\Scripts\userconfig.cmd":

@echo off

rem Extract username and remove quotes
set USER=%1
for /f "useback tokens=*" %%a in ('%USER%') do set USER=%%~a

rem Configure accounts

if /I "%USER%" == "testuser1" (
   echo !Restriction - VirtualAccount
   echo /Virtual folder for testuser1^|^|
   echo /^|C:\^|RF,LD,RR
   echo !Security - AllowFTP: False
   echo !Security - AllowFTPS: False
   echo !Security - AllowSFTP: True
   echo !Security - AllowTFTP: False
   echo !Security - AllowPubKey: False
   echo !Security - RequirePasswordIfNoPubKey: False
   echo !Security - RequirePubKey: True
   echo !Security - PubKey: ---- BEGIN SSH2 PUBLIC KEY ----\nComment: "rsa-key-20120316"\nAAAAB3Nza[...]\n---- END SSH2 PUBLIC KEY ----\n
)

if /I "%USER%" == "testuser2" (
   echo !Restriction - VirtualAccount
   echo /a virtual folder^|^|
   echo /^|C:\^|RF,LD,RR
   echo !Security - AllowFTP: False
   echo !Security - AllowFTPS: False
   echo !Security - AllowSFTP: True
   echo !Security - AllowTFTP: False
   echo !Security - AllowPubKey: False
   echo !Security - RequirePasswordIfNoPubKey: False
   echo !Security - RequirePubKey: True
   echo !Security - PubKey: ---- BEGIN SSH2 PUBLIC KEY ----\nComment: "rsa-key-20120316"\nn0N9zoHof[...]\n---- END SSH2 PUBLIC KEY ----\n
)
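
An added example, not part of the ProVide documentation: a check to run over the output of a configuration script before deploying it, confirming that it enforces key-only SFTP as in the example above and that the PubKey value was not split across lines. The line format is inferred from the examples on this page only; the names `parse`, `audit`, `REQUIRED`, `GOOD` and `BROKEN` are hypothetical.

```python
REQUIRED = {  # values the configuration script above sets for key-only SFTP
    "AllowFTP": "False", "AllowFTPS": "False", "AllowTFTP": "False",
    "AllowSFTP": "True", "RequirePubKey": "True",
    "RequirePasswordIfNoPubKey": "False",
}
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse(output):
    """Split script output into security settings, folder rows and bad lines."""
    security, folders, bad = {}, [], []
    for number, line in enumerate(output.splitlines(), 1):
        line = line.strip()
        if line.startswith("!Security - ") and ": " in line:
            key, _, value = line[len("!Security - "):].partition(": ")
            security[key] = value
        elif line.startswith("!"):
            continue  # other directives, e.g. "!Restriction - VirtualAccount"
        elif line.count("|") == 2:
            folders.append(tuple(line.split("|")))  # three pipe-separated fields
        elif line:
            bad.append(number)  # typically a PubKey value broken across lines
    return security, folders, bad


def audit(output):
    """Return findings; an empty list means the key-only SFTP policy holds."""
    security, folders, bad = parse(output)
    findings = [f"line {n}: not a directive or folder row" for n in bad]
    for key, want in REQUIRED.items():
        if security.get(key) != want:
            findings.append(f"{key} is {security.get(key)!r}, expected {want!r}")
    pubkey = security.get("PubKey", "")
    if not (pubkey.startswith(BEGIN) and END in pubkey):
        findings.append("PubKey missing or not complete on one line")
    if not folders:
        findings.append("no folder rows returned")
    return findings


# Constructed samples; the key body is a placeholder, not real key material.
GOOD = "\n".join(
    ["!Restriction - VirtualAccount", "/a virtual folder||", "/|C:\\|RF,LD,RR"]
    + [f"!Security - {k}: {v}" for k, v in REQUIRED.items()]
    + [f'!Security - PubKey: {BEGIN}\\nComment: "example"\\nPLACEHOLDER\\n{END}\\n']
)
BROKEN = GOOD.replace("\\nPLACEHOLDER\\n", "\nPLACEHOLDER\n").replace(
    "AllowFTP: False", "AllowFTP: True")
```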