0) {
sleep(2);
if ($return_var == 5) {
$error = '' . _('Account has been suspended') . '';
} elseif ($return_var == 1) {
$error = '' . _('Unsupported hash method') . '';
} else {
$error = '' . _('Invalid username or password') . '';
}
return $error;
} else {
$salt = $pam[$user]['SALT'];
$method = $pam[$user]['METHOD'];
if ($method == 'md5') {
$hash = crypt($password, '$1$' . $salt . '$');
}
if ($method == 'sha-512') {
$hash = crypt($password, '$6$rounds=5000$' . $salt . '$');
$hash = str_replace('$rounds=5000', '', $hash);
}
if ($method == 'yescrypt') {
$v_password = tempnam("/tmp", "vst");
$fp = fopen($v_password, "w");
fwrite($fp, $password."\n");
fclose($fp);
exec(HESTIA_CMD . 'v-check-user-password '. $v_user.' '. $v_password. ' '.$v_ip.' yes', $output, $return_var);
$hash = $output[0];
unset($output);
}
if ($method == 'des') {
$hash = crypt($password, $salt);
}
// Send hash via tmp file
$v_hash = exec('mktemp -p /tmp');
$fp = fopen($v_hash, 'w');
fwrite($fp, $hash."\n");
fclose($fp);
// Check user hash
exec(HESTIA_CMD . 'v-check-user-hash ' . $v_user . ' ' . $v_hash . ' ' . $v_ip, $output, $return_var);
unset($output);
// Remove tmp file
unlink($v_hash);
// Check API answer
if ($return_var > 0) {
sleep(2);
$error = '' . _('Invalid username or password') . '';
$v_session_id = escapeshellarg($_POST['token']);
exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent, $output, $return_var);
return $error;
} else {
// Get user specific parameters
exec(HESTIA_CMD . 'v-list-user ' . $v_user . ' json', $output, $return_var);
$data = json_decode(implode('', $output), true);
unset($output);
if ($data[$user]['LOGIN_DISABLED'] === 'yes') {
sleep(2);
$error = '' . _('Invalid username or password') . '';
$v_session_id = escapeshellarg($_POST['token']);
exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Login disabled for this user"', $output, $return_var);
return $error;
}
if ($data[$user]['LOGIN_USE_IPLIST'] === 'yes') {
$v_login_user_allowed_ips = explode(',', $data[$user]['LOGIN_ALLOW_IPS']);
$v_login_user_allowed_ips = array_map('trim', $v_login_user_allowed_ips);
if (!in_array($ip, $v_login_user_allowed_ips, true)) {
sleep(2);
$error = '' . _('Invalid username or password') . '';
$v_session_id = escapeshellarg($_POST['token']);
exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Ip not in allowed list"', $output, $return_var);
return $error;
}
}
if ($data[$user]['TWOFA'] != '') {
exec(HESTIA_CMD . "v-check-user-2fa " . $v_user . " " . $v_twofa, $output, $return_var);
$error = "" . _('Invalid or missing 2FA token') . "";
if (empty($twofa)) {
$_SESSION['login']['username'] = $user;
$_SESSION['login']['password'] = $password;
return false;
} else {
$v_twofa = escapeshellarg($twofa);
exec(HESTIA_CMD .'v-check-user-2fa '.$v_user.' '.$v_twofa, $output, $return_var);
unset($output);
if ($return_var > 0) {
sleep(2);
$error = '' ._('Invalid or missing 2FA token') . '';
$_SESSION['login']['username'] = $user;
$_SESSION['login']['password'] = $password;
$v_session_id = escapeshellarg($_POST['token']);
if (isset($_SESSION['failed_twofa'])) {
//allow a few failed attemps before start of logging.
if ($_SESSION['failed_twofa'] > 2) {
exec(HESTIA_CMD.'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Invalid or missing 2FA token"', $output, $return_var);
}
$_SESSION['failed_twofa']++;
} else {
$_SESSION['failed_twofa'] = 1;
}
unset($_POST['twofa']);
return $error;
}
}
}
// Define session user
$_SESSION['user'] = key($data);
$v_user = $_SESSION['user'];
//log successfull login attempt
$v_session_id = escapeshellarg($_POST['token']);
exec(HESTIA_CMD."v-log-user-login ".$v_user." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
$_SESSION['LAST_ACTIVITY'] = time();
$_SESSION['MURMUR'] = $_POST['murmur'];
// Define user role / context
$_SESSION['userContext'] = $data[$user]['ROLE'];
// Set active user theme on login
$_SESSION['userTheme'] = $data[$user]['THEME'];
if ($_SESSION['POLICY_USER_CHANGE_THEME'] !== 'yes') {
unset($_SESSION['userTheme']);
}
$_SESSION['userSortOrder'] = (!empty($data[$user]['PREF_UI_SORT'])) ? $data[$user]['PREF_UI_SORT'] : 'name';
// Define language
$output = '';
exec(HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
$languages = json_decode(implode('', $output), true);
$_SESSION['language'] = (in_array($data[$v_user]['LANGUAGE'], $languages)) ? $data[$user]['LANGUAGE'] : 'en';
// Regenerate session id to prevent session fixation
session_regenerate_id(true);
// Redirect request to control panel interface
if (!empty($_SESSION['request_uri'])) {
header('Location: ' . $_SESSION['request_uri']);
unset($_SESSION['request_uri']);
exit;
} else {
if ($_SESSION['userContext'] === 'admin') {
header('Location: /list/user/');
} else {
if ($data[$user]['WEB_DOMAINS'] != '0') {
header('Location: /list/web/');
} elseif ($data[$user]['DNS_DOMAINS'] != '0') {
header('Location: /list/dns/');
} elseif ($data[$user]['MAIL_DOMAINS'] != '0') {
header('Location: /list/mail/');
} elseif ($data[$user]['DATABASES'] != '0') {
header('Location: /list/db/');
} elseif ($data[$user]['CRON_JOBS'] != '0') {
header('Location: /list/cron/');
} elseif ($data[$user]['BACKUPS'] != '0') {
header('Location: /list/backup/');
} else {
header('Location: /error/');
}
}
exit;
}
}
}
} else {
unset($_POST);
unset($_GET);
unset($_SESSION);
// Delete old session and start a new one
session_write_close();
session_unset();
session_destroy();
session_start();
return false;
}
}
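// --- Login form handling -------------------------------------------------
// Step 1: validate the submitted username and park it in the session so the
// password and 2FA steps can refer to it.
// Accepted shape: alnum, then 0-28 of [-._alnum], then alnum (3-30 chars).
// The previous class "[-|\.|_[:alnum:]]" also admitted a literal "|", because
// "|" is not an alternation operator inside a character class; the class is
// tightened to the characters a system username can carry. A non-string
// value (e.g. "user[]=x") is rejected up front instead of reaching
// preg_match(), which raises a TypeError on PHP 8.
// $user is kept as the original did because the templates included below
// may read it — TODO confirm against the templates.
if (empty($_POST['user'])) {
    $user = '';
} elseif (is_string($_POST['user']) && preg_match('/^[[:alnum:]][-._[:alnum:]]{0,28}[[:alnum:]]$/', $_POST['user']) === 1) {
    $_SESSION['login']['username'] = $_POST['user'];
} else {
    $user = '';
}

// Steps 2/3: authenticate. The 2FA branch is tested first: it is only
// reachable after authenticate_user() has verified the password and stored
// the credentials in $_SESSION['login'] while waiting for the token.
// $_POST is dropped right after the call so the submitted secret does not
// linger in request scope while the page renders (the template selection
// below relies on it being gone).
if (!empty($_SESSION['login']['username']) && !empty($_SESSION['login']['password']) && !empty($_POST['twofa'])) {
    $error = authenticate_user($_SESSION['login']['username'], $_SESSION['login']['password'], $_POST['twofa']);
    unset($_POST);
} elseif (!empty($_SESSION['login']['username']) && !empty($_POST['password'])) {
    $error = authenticate_user($_SESSION['login']['username'], $_POST['password']);
    unset($_POST);
}

// Check system configuration
load_hestia_config();

// Detect language: the system default, validated against the installed
// language list; anything missing or unknown falls back to 'en'.
// The ?? guards keep a malformed or empty CLI answer from producing
// "undefined index" warnings, and is_array() keeps in_array() from throwing
// a TypeError when json_decode() returned null.
if (empty($_SESSION['language'])) {
    $output = [];
    exec(HESTIA_CMD . 'v-list-sys-config json', $output, $return_var);
    $config = json_decode(implode('', $output), true);
    $lang = $config['config']['LANGUAGE'] ?? '';

    $output = [];
    exec(HESTIA_CMD . 'v-list-sys-languages json', $output, $return_var);
    $languages = json_decode(implode('', $output), true);

    // strict comparison: the language code must match an entry byte-for-byte
    $_SESSION['language'] = (is_array($languages) && in_array($lang, $languages, true)) ? $lang : 'en';
}

// Generate CSRF token (128 bits from the CSPRNG, hex-encoded)
$token = bin2hex(random_bytes(16));
$_SESSION['token'] = $token;

// Render. Which login page is shown depends on how far the flow has got:
//   - password already verified in the session -> 2FA prompt (login_2)
//   - no username yet                           -> first form
//   - username known, no password submitted      -> password form (login_1)
//   - otherwise                                  -> first form again
// LOGIN_STYLE 'old' selects the "_a" variant of the first form; the ?? keeps
// an unset session key from emitting a warning while choosing the default.
$loginStyleSuffix = (($_SESSION['LOGIN_STYLE'] ?? '') !== 'old') ? '' : '_a';
$firstForm = '../templates/pages/login/login' . $loginStyleSuffix . '.html';

require_once('../templates/header.html');
if (!empty($_SESSION['login']['password'])) {
    require_once('../templates/pages/login/login_2.html');
} elseif (empty($_SESSION['login']['username'])) {
    require_once($firstForm);
} elseif (empty($_POST['password'])) {
    require_once('../templates/pages/login/login_1.html');
} else {
    require_once($firstForm);
}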