Authenticate users by IP address?

Post general support questions here that do not specifically fall into the Linux or Windows categories.

Moderators: Developers, Moderators

Post Reply
hcsteve
Posts: 7
Joined: Fri Mar 20, 2009 1:02 pm

Authenticate users by IP address?

Post by hcsteve »

Hi,

I'm currently working on replacing a moderately sized MRTG installation (about 2 dozen devices, 4000 graphs) with Cacti. I love the user interface and the ease of management, but I'm having some trouble with a multi-user setup.

With our current MRTG system, we allow our customers to log in to the web server to view the graphs that are assigned to them. In order to do this, we set up some custom perl scripts, an htaccess file, and an htpasswd file for each of our customers. However, we also have a page that is only accessible from our management network that shows all the graphs for every single device. This page is also protected by an htaccess file that only permits connections from a certain IP range (our management network).

I'm trying to set up something similar in Cacti, but I don't really know where to start. I figured out how to create individual users and only allow those users access to certain graphs. However, I'm having trouble figuring out how to allow "all-access read-only" based only on IP address, without requiring the user to log in. The simple answer is to just require my network techs to log in with a username and password, but I'd like to avoid that if possible.

Is anyone else doing something like this? Any pointers on where to start? I searched the forums for things like "authenticate user by IP address", but I didn't find anything useful.

Thanks,
Steve
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

Not currently supported.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
User avatar
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom
Contact:

Post by Howie »

I would look at using Basic authentication mode in Cacti, coupled with some Apache module that makes IP auth *look* like basic auth. It wouldn't be too hard to write a mod_perl module to do that, for example, where it has a list of IPs, and in response, it stuffs dummy basic auth credentials into the HTTP request.

Depends on if you have any programming resources, I guess.
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
User avatar
rony
Developer/Forum Admin
Posts: 6022
Joined: Mon Nov 17, 2003 6:35 pm
Location: Michigan, USA
Contact:

Post by rony »

IP support will be coming, I just don't know when.

And to be honest the past patches I have received have been lack luster.
[size=117][i][b]Tony Roman[/b][/i][/size]
[size=84][i]Experience is what causes a person to make new mistakes instead of old ones.[/i][/size]
[size=84][i]There are only 3 way to complete a project: Good, Fast or Cheap, pick two.[/i][/size]
[size=84][i]With age comes wisdom, what you choose to do with it determines whether or not you are wise.[/i][/size]
User avatar
CarLost
Posts: 23
Joined: Tue Oct 16, 2007 2:10 pm

Post by CarLost »

You can also, export the graphics at fixed intervals (or days) on another server and prepare a page to "show" this to the costumers, avoiding any security potential issue.

regards.
hcsteve
Posts: 7
Joined: Fri Mar 20, 2009 1:02 pm

Post by hcsteve »

Thanks for all the suggestions. I ended up making a quick and dirty hack to include/auth.php that will only allow guest access from my management network. Here's the diff:

Code: Select all

42c42,46
<               $guest_user_id = db_fetch_cell("select id from user_auth where username='" . read_config_option("guest_user") . "' and realm = 0 and enabled = 'on'");
---
>               /* Only allow guest access from $allowed_network */
>               $allowed_network = '172.17.0.';
>               if (substr($_SERVER['REMOTE_ADDR'], 0, strlen($allowed_network)) == $allowed_network) {
>                       $guest_user_id = db_fetch_cell("select id from user_auth where username='" . read_config_option("guest_user") . "' and realm = 0 and enabled = 'on'");
>               }
Granted, this is not the most robust or maintainable solution, but so far it looks like it does what I want. If anyone sees any obvious problems with this, I'd love to hear about it.
User avatar
Howie
Cacti Guru User
Posts: 5508
Joined: Thu Sep 16, 2004 5:53 am
Location: United Kingdom
Contact:

Post by Howie »

Howie wrote:I would look at using Basic authentication mode in Cacti, coupled with some Apache module that makes IP auth *look* like basic auth. It wouldn't be too hard to write a mod_perl module to do that, for example, where it has a list of IPs, and in response, it stuffs dummy basic auth credentials into the HTTP request.

Depends on if you have any programming resources, I guess.
Just replying to myself to close the loop, there's already some example code here that does almost what I described - require basic auth for most users, but allow certain IPs without auth while forcing a username into REMOTE_USER. With Cacti set up to use basic auth, that would do what you wanted. You'd lose the nice Cacti login screen, of course.
Weathermap 0.98a is out! & QuickTree 1.0. Superlinks is over there now (and built-in to Cacti 1.x).
Some Other Cacti tweaks, including strip-graphs, icons and snmp/netflow stuff.
(Let me know if you have UK DevOps or Network Ops opportunities, too!)
Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests