This module provides functionality to improve security and mail handling.

Since the main module is hidden on "admin/modules", there is no UI to deactivate it. You need a helper like Drush. This concept and code are copied from the module "paranoia", which is also recommended to improve security.

# The drush commands are now following the "gate logic" with "open and closed".
# The gates "onetimelink-adminrole" and "pwlogin-adminrole" can't block user 1.
# For this the gates "onetimelink-user1" and "pwlogin-user1" have to be closed
# separately.

Basic functionality and rules for flexibility

The main module provides a simple way to block password login for user 1 and the admin role. This is useful if administrators have access to Drupal via Drush and the admin processes should be organized only with Drush. If the "direct-login" or the "direct-mail" gate is closed, "keys" are needed to move on.
For an advanced security and mail control strategy there is a submodule for Rules integration. It provides Rules actions to open the gates in multifactor login processes and to send mail based on your own rules.

Drush is highly recommended

Drush is always needed to take control of this module and to deactivate it, because the module is hidden from the UI page ("admin/modules"). To increase security, and to avoid an accidental complete lockout when Drush isn't available, there is no graphical user interface for the main functions.
The status of the main open/close variables can be checked with "drush gate-status" and changed with the commands "drush gate-open" and "drush gate-close".
If the gate "direct-login" is closed, the one-time login link generated by "drush uli" won't work because of a missing "gate-token". The command "drush gate-uli" helps to bypass this gate.

Where the gate hooks on

This module hooks into hook_user_login and hook_user_mail to act on the login and mail processes. The forms 'user_login', 'user_login_block' and 'user_pass' are also altered. There are Rules events for all these hooks and Rules actions to operate there.

WARNING:

This module allows several ways to lock yourself out of your system completely. Using Drush is strongly recommended. If Drush is not available, you need direct access to your database and must know how to modify variables.
There are some simple security options, like blocking the password form or the request forms for password reset/one-time login links. If there are other ways in your system to log in via password or to send a one-time login link, the gate can be bypassed. Please check this and consider using the direct-login gate to control access on a deeper level.
The direct-mail gate only operates on the internal mail system of Drupal. Contrib or custom modules can use their own mail system or call the PHP mail function directly. To close this last way of bypassing the gate, you can control mail sending via php.ini and route the mails through a separate script that lets gate mails pass. For this there will be an optional mail header setting that can be checked in this external script.
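One way to build the external script described above, as an added example that is not part of the gate module: a filter that PHP calls through the php.ini `sendmail_path` directive and that forwards a message only if it carries the expected gate header. The header name `X-Gate-Token`, the token value, the script path and the MTA path are assumptions, since the page does not define the header setting.

```python
#!/usr/bin/env python3
"""Outbound mail filter for PHP's sendmail_path (added example, not gate module code).

Assumed php.ini entry: sendmail_path = "/usr/local/bin/gate-mailfilter -t -i"
"""
import hmac
import subprocess
import sys
from email import message_from_bytes, policy

GATE_HEADER = "X-Gate-Token"                      # hypothetical header name
EXPECTED_TOKEN = "constructed-secret-change-me"   # constructed sample value
REAL_SENDMAIL = "/usr/sbin/sendmail"              # assumed path of the real MTA binary


def gate_decision(raw: bytes, expected: str = EXPECTED_TOKEN) -> tuple[bool, bytes]:
    """Return (allowed, message_to_forward) for one raw RFC 5322 message.

    The message passes only if it has exactly one gate header whose value
    matches the expected token. Duplicated headers are rejected so that an
    extra injected header cannot ride along with a valid one.
    """
    msg = message_from_bytes(raw, policy=policy.compat32)
    values = msg.get_all(GATE_HEADER, [])
    if len(values) != 1:
        return False, b""
    supplied = str(values[0]).strip().encode("utf-8", "surrogateescape")
    # Constant-time comparison, so the check does not leak the token by timing.
    if not hmac.compare_digest(supplied, expected.encode("utf-8")):
        return False, b""
    # Strip the header so the token never leaves the host.
    del msg[GATE_HEADER]
    return True, msg.as_bytes()


def main() -> int:
    allowed, out = gate_decision(sys.stdin.buffer.read())
    if not allowed:
        # Non-zero exit makes PHP's mail() fail; stderr leaves a trace to monitor.
        print("gate closed: message without valid gate header dropped", file=sys.stderr)
        return 1
    # Pass through the arguments PHP supplied (for example -t -i).
    return subprocess.run([REAL_SENDMAIL, *sys.argv[1:]], input=out).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Mail sent through Drupal's internal mail system and mail sent by a direct call to the PHP mail function both reach this script, so only messages that were given the header can leave the host.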

If the gate is closed for standard onetime login requests

If you want to close the gate for one-time logins and are wondering how to send password recovery mails to your users in another way, you can use Rules with the default rule action "Send account email" with type "Password recovery".
A link on user profiles, created by the module rules_link and only accessible to administrators, can help with that.

Rules action: Load value from $_SERVER variable

This action can retrieve data from the PHP $_SERVER variable (on an Apache server, the "Environment" data), for example to check or use the information the web server provides about SSL requests. This feature was inspired by rules_session_vars.module, which retrieves data from the PHP $_SESSION variable and can also write to it. The gate module also reads and writes the $_SESSION variable. You can use rules_session_vars to extend these possibilities.

Modules to use the gate

The clientcert module will in the near future make it possible to use SSL/TLS client certificates as another factor in the login process and to encrypt mails with the gate module.

Concept, development and maintenance

The module is developed and maintained by Carsten Logemann (Company: Nodegard GmbH)

Supporting organizations: 
First development
Maintenance