The DNS Integrity Gateway can be configured to automatically log in users upon visiting the index page. BlueCat recommends that passwords never be hardcoded in the configuration file, so the responsibility of fetching login credentials must be delegated to helper functions.
To enable auto-login, modify bluecat_portal/config.py to include:
```python
# Since config.py is a full Python script file we can use this to create a
# more secure way of storing authentication credentials
from bluecat_portal.ps.autologin import get_autologin_user
from bluecat_portal.ps.autologin import get_autologin_password

# Autologin must be set to *True* in order to trigger the feature
autologin = True
# The helper functions take the autologin flag as their argument
autologin_username = get_autologin_user(autologin)
autologin_password = get_autologin_password(autologin)
```
The auto-login functions open up an authentication file, bluecat_portal/autologin_auth.json, which contains {"username": "portalUser","password": "portalPassword"}.
To increase the security of the system, ensure that the file is owned by the active DNS Integrity Gateway user and that the permissions are set to 400 (read-only for owner).
Set the ownership and permissions of the file using the chown and chmod commands. chmod 400 will set the Unix permissions so that only the owner has read permission on the authentication file. chown <USER>:<USER> will set the owner and group of the file to be the specified user. Any other user on the system that does not have sudo access will not be able to read or modify the contents of the file.
```sh
sudo chown <GATEWAY_USER>:<GATEWAY_USER> bluecat_portal/autologin_auth.json
sudo chmod 400 bluecat_portal/autologin_auth.json
```
```python
# Functions implementing the retrieval of the credentials.
import json
import logging


def get_autologin_user(autologin):
    """
    Retrieves the autologin username

    :param autologin: [Bool] is autologin enabled
    :return: The obtained string username, or None if error or autologin is not enabled
    """
    if autologin:
        logging.info('Retrieving autologin user')
        try:
            authfile = 'bluecat_portal/autologin_auth.json'
            # Close the file handle as soon as the JSON has been parsed
            with open(authfile) as handle:
                return json.load(handle)['username']
        except Exception as e:
            logging.critical('Unable to load autologin username: %s' % str(e))
            return None
    else:
        # No exception exists in this branch, so there is nothing to format in
        logging.info('Autologin not enabled, skipping autologin username retrieval')
        return None


def get_autologin_password(autologin):
    """
    Retrieves the autologin password

    :param autologin: [Bool] is autologin enabled
    :return: The obtained string password, or None if error or autologin is not enabled
    """
    if autologin:
        logging.info('Retrieving autologin password')
        try:
            authfile = 'bluecat_portal/autologin_auth.json'
            with open(authfile) as handle:
                return json.load(handle)['password']
        except Exception as e:
            logging.critical('Unable to load autologin password: %s' % str(e))
            return None
    else:
        logging.info('Autologin not enabled, skipping autologin password retrieval')
        return None
```
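A stricter loader that enforces the ownership and 400 mode described above before it reads bluecat_portal/autologin_auth.json, and refuses to return credentials otherwise. This is an added example, not BlueCat's code; the names InsecureAuthFile, audit_stat and load_autologin_credentials are hypothetical, and it assumes the process runs as the Gateway user on a Unix system.

```python
import json
import os
import stat


class InsecureAuthFile(Exception):
    """Raised when the credential file's type, owner or mode is not as expected."""


def audit_stat(st, expected_uid):
    """Return a list of problems found in an os.stat_result for the auth file."""
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append('not a regular file')
    if st.st_uid != expected_uid:
        problems.append('owner uid %d, expected %d' % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        problems.append('mode %04o, expected 0400' % mode)
    return problems


def load_autologin_credentials(path='bluecat_portal/autologin_auth.json',
                               expected_uid=None):
    """Return (username, password) only if the file is owned by expected_uid
    (default: the effective uid of this process) and has mode 0400."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: refuse a symlink at this path instead of following it.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as handle:
        # fstat the open descriptor so the file that is checked is the file
        # that is read, even if the path is swapped in between.
        problems = audit_stat(os.fstat(handle.fileno()), expected_uid)
        if problems:
            raise InsecureAuthFile('%s: %s' % (path, '; '.join(problems)))
        data = json.load(handle)
    return data['username'], data['password']
```
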
Do not use curl -L with the auto-login feature. curl will follow all redirects and, as a result, will keep spawning new user sessions until all resources are used up or curl reaches its maximum number of redirects (50 by default).