add oath two factor auth, bump version to 3.0-14
This commit is contained in:
parent
077f078cd6
commit
1abc2c0aee
5
Makefile
5
Makefile
@ -2,7 +2,7 @@ RELEASE=3.2
|
||||
|
||||
VERSION=3.0
|
||||
PACKAGE=libpve-access-control
|
||||
PKGREL=13
|
||||
PKGREL=14
|
||||
|
||||
DESTDIR=
|
||||
PREFIX=/usr
|
||||
@ -35,10 +35,11 @@ pveum.1.pod: pveum
|
||||
mv $@.tmp $@
|
||||
|
||||
.PHONY: install
|
||||
install: pveum.1.pod pveum.1.gz
|
||||
install: pveum.1.pod pveum.1.gz oathkeygen
|
||||
install -d ${DESTDIR}${BINDIR}
|
||||
install -d ${DESTDIR}${SBINDIR}
|
||||
install -m 0755 pveum ${DESTDIR}${SBINDIR}
|
||||
install -m 0755 oathkeygen ${DESTDIR}${BINDIR}
|
||||
make -C PVE install
|
||||
perl -I. ./pveum verifyapi
|
||||
install -d ${DESTDIR}/usr/share/man/man1
|
||||
|
@ -37,7 +37,7 @@ __PACKAGE__->register_method ({
|
||||
tfa => {
|
||||
description => "Two-factor authentication provider.",
|
||||
type => 'string',
|
||||
enum => [ 'yubico' ],
|
||||
enum => [ 'yubico', 'oath' ],
|
||||
optional => 1,
|
||||
},
|
||||
comment => { type => 'string', optional => 1 },
|
||||
|
@ -376,6 +376,9 @@ sub verify_one_time_pw {
|
||||
if ($type eq 'yubico') {
|
||||
my $keys = $usercfg->{users}->{$username}->{keys};
|
||||
yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
|
||||
} elsif ($type eq 'oath') {
|
||||
my $keys = $usercfg->{users}->{$username}->{keys};
|
||||
oath_verify_otp($otp, $keys);
|
||||
} else {
|
||||
die "unknown tfa type '$type'\n";
|
||||
}
|
||||
@ -753,7 +756,8 @@ sub parse_user_config {
|
||||
$cfg->{users}->{$user}->{email} = $email;
|
||||
$cfg->{users}->{$user}->{comment} = PVE::Tools::decode_text($comment) if $comment;
|
||||
$cfg->{users}->{$user}->{expire} = $expire;
|
||||
$cfg->{users}->{$user}->{keys} = $keys if $keys; # allowed yubico key ids
|
||||
# keys: allowed yubico key ids or oath secrets (base32 encoded)
|
||||
$cfg->{users}->{$user}->{keys} = $keys if $keys;
|
||||
|
||||
#$cfg->{users}->{$user}->{groups}->{$group} = 1;
|
||||
#$cfg->{groups}->{$group}->{$user} = 1;
|
||||
@ -1224,4 +1228,34 @@ sub yubico_verify_otp {
|
||||
return $result;
|
||||
}
|
||||
|
||||
sub oath_verify_otp {
|
||||
my ($otp, $keys) = @_;
|
||||
|
||||
die "oath: missing password\n" if !defined($otp);
|
||||
die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
|
||||
|
||||
my $step = 30;
|
||||
|
||||
my $found;
|
||||
|
||||
my $parser = sub {
|
||||
my $line = shift;
|
||||
|
||||
if ($line =~ m/^\d{6}$/) {
|
||||
print "GOT:$line\n";
|
||||
$found = 1 if $otp eq $line;
|
||||
}
|
||||
};
|
||||
|
||||
foreach my $k (PVE::Tools::split_list($keys)) {
|
||||
# Note: we generate 3 values to allow small time drift
|
||||
my $now = localtime(time() - $step);
|
||||
my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k];
|
||||
eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
|
||||
last if $found;
|
||||
}
|
||||
|
||||
die "oath auth failed\n" if !$found;
|
||||
}
|
||||
|
||||
1;
|
||||
|
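Review bot: The debug statement `print "GOT:$line\n";` inside the parser closure of oath_verify_otp writes every candidate TOTP code that oathtool generates to stdout, so the codes currently valid for that user's secret end up wherever the daemon's output is captured; it should be removed before this ships. The guard on the earlier line, `die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;`, only fires for all-whitespace input — an undefined or empty `keys` entry (which is what the lookup in verify_one_time_pw yields for a user without keys) slips past it and presumably ends in the generic "oath auth failed" instead; `die "oath: no associated oath keys\n" if !defined($keys) || $keys !~ m/\S/;` covers all three cases. The `eval { run_command(...) }` discards any failure (oathtool missing, malformed base32 secret) without a trace, so a misconfiguration is indistinguishable from a wrong code; `warn $@ if $@;` after it would at least surface the cause in the log. Nothing records a code once it has been accepted, so the same code stays valid for the whole window; if that matters here, the last accepted time step would need to be stored per user.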
@ -108,7 +108,7 @@ sub parse_tfa_config {
|
||||
|
||||
foreach my $kvp (split(/,/, $data)) {
|
||||
|
||||
if ($kvp =~ m/^type=(yubico)$/) {
|
||||
if ($kvp =~ m/^type=(yubico|oath)$/) {
|
||||
$res->{type} = $1;
|
||||
} elsif ($kvp =~ m/^id=(\S+)$/) {
|
||||
$res->{id} = $1;
|
||||
|
@ -1,3 +1,17 @@
|
||||
libpve-access-control (3.0-14) unstable; urgency=low
|
||||
|
||||
* add oath two factor auth
|
||||
|
||||
* add oathkeygen binary to generate keys for oath
|
||||
|
||||
* add yubico two factor auth
|
||||
|
||||
* dedend on oathtool
|
||||
|
||||
* depend on libmime-base32-perl
|
||||
|
||||
-- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
|
||||
|
||||
libpve-access-control (3.0-13) unstable; urgency=low
|
||||
|
||||
* use correct connection string for AD auth
|
||||
|
@ -3,7 +3,7 @@ Version: @@VERSION@@-@@PKGRELEASE@@
|
||||
Section: perl
|
||||
Priority: optional
|
||||
Architecture: @@ARCH@@
|
||||
Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl
|
||||
Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl, oathtool, libmime-base32-perl
|
||||
Maintainer: Proxmox Support Team <support@proxmox.com>
|
||||
Description: Proxmox VE access control library
|
||||
This package contains the role based user management and access
|
||||
|
11
oathkeygen
Executable file
11
oathkeygen
Executable file
@ -0,0 +1,11 @@
|
||||
#!/usr/bin/perl
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use MIME::Base32 qw(RFC); #libmime-base32-perl
|
||||
|
||||
my $test;
|
||||
open(RND, "/dev/urandom");
|
||||
sysread(RND, $test, 10) == 10 || die "read randon data failed\n";
|
||||
print MIME::Base32::encode($test) . "\n";
|
||||
|
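Review bot: The secret is only 10 random bytes (80 bits), which is below the 128-bit minimum that RFC 4226 requires for HOTP/TOTP shared secrets (160 bits recommended); reading 20 bytes gives the recommended length and still encodes to a clean 32-character base32 string. The read uses a bareword handle and a two-argument `open` with no error check, so a failure to open `/dev/urandom` surfaces only as the misleading "read randon data failed" message (typo included). Prefer `open my $rnd, '<', '/dev/urandom' or die "open /dev/urandom: $!";` followed by `sysread($rnd, $secret, 20) == 20 or die "read random data failed: $!\n";`.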