proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-06-07 16:57:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add oath two factor auth, bump version to 3.0-14

Browse Source
This commit is contained in:
Dietmar Maurer 2014-07-17 13:59:53 +02:00
parent 077f078cd6
commit 1abc2c0aee
7 changed files with 66 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Makefile
View File

@ -2,7 +2,7 @@ RELEASE=3.2
VERSION=3.0 VERSION=3.0
PACKAGE=libpve-access-control PACKAGE=libpve-access-control
PKGREL=13 PKGREL=14
DESTDIR= DESTDIR=
PREFIX=/usr PREFIX=/usr
@ -35,10 +35,11 @@ pveum.1.pod: pveum
mv $@.tmp $@ mv $@.tmp $@
.PHONY: install .PHONY: install
install: pveum.1.pod pveum.1.gz install: pveum.1.pod pveum.1.gz oathkeygen
install -d ${DESTDIR}${BINDIR} install -d ${DESTDIR}${BINDIR}
install -d ${DESTDIR}${SBINDIR} install -d ${DESTDIR}${SBINDIR}
install -m 0755 pveum ${DESTDIR}${SBINDIR} install -m 0755 pveum ${DESTDIR}${SBINDIR}
install -m 0755 oathkeygen ${DESTDIR}${BINDIR}
make -C PVE install make -C PVE install
perl -I. ./pveum verifyapi perl -I. ./pveum verifyapi
install -d ${DESTDIR}/usr/share/man/man1 install -d ${DESTDIR}/usr/share/man/man1

2
PVE/API2/Domains.pm
View File

@ -37,7 +37,7 @@ __PACKAGE__->register_method ({
tfa => { tfa => {
description => "Two-factor authentication provider.", description => "Two-factor authentication provider.",
type => 'string', type => 'string',
enum => [ 'yubico' ], enum => [ 'yubico', 'oath' ],
optional => 1, optional => 1,
}, },
comment => { type => 'string', optional => 1 }, comment => { type => 'string', optional => 1 },

36
PVE/AccessControl.pm
View File

@ -376,6 +376,9 @@ sub verify_one_time_pw {
if ($type eq 'yubico') { if ($type eq 'yubico') {
my $keys = $usercfg->{users}->{$username}->{keys}; my $keys = $usercfg->{users}->{$username}->{keys};
yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy); yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
} elsif ($type eq 'oath') {
my $keys = $usercfg->{users}->{$username}->{keys};
oath_verify_otp($otp, $keys);
} else { } else {
die "unknown tfa type '$type'\n"; die "unknown tfa type '$type'\n";
} }
@ -753,7 +756,8 @@ sub parse_user_config {
$cfg->{users}->{$user}->{email} = $email; $cfg->{users}->{$user}->{email} = $email;
$cfg->{users}->{$user}->{comment} = PVE::Tools::decode_text($comment) if $comment; $cfg->{users}->{$user}->{comment} = PVE::Tools::decode_text($comment) if $comment;
$cfg->{users}->{$user}->{expire} = $expire; $cfg->{users}->{$user}->{expire} = $expire;
$cfg->{users}->{$user}->{keys} = $keys if $keys; # allowed yubico key ids # keys: allowed yubico key ids or oath secrets (base32 encoded)
$cfg->{users}->{$user}->{keys} = $keys if $keys;
#$cfg->{users}->{$user}->{groups}->{$group} = 1; #$cfg->{users}->{$user}->{groups}->{$group} = 1;
#$cfg->{groups}->{$group}->{$user} = 1; #$cfg->{groups}->{$group}->{$user} = 1;
@ -1224,4 +1228,34 @@ sub yubico_verify_otp {
return $result; return $result;
} }
sub oath_verify_otp {
my ($otp, $keys) = @_;
die "oath: missing password\n" if !defined($otp);
die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
my $step = 30;
my $found;
my $parser = sub {
my $line = shift;
if ($line =~ m/^\d{6}$/) {
print "GOT:$line\n";
$found = 1 if $otp eq $line;
}
};
foreach my $k (PVE::Tools::split_list($keys)) {
# Note: we generate 3 values to allow small time drift
my $now = localtime(time() - $step);
my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k];
eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
last if $found;
}
die "oath auth failed\n" if !$found;
}
1; 1;

2
PVE/Auth/Plugin.pm
View File

@ -108,7 +108,7 @@ sub parse_tfa_config {
foreach my $kvp (split(/,/, $data)) { foreach my $kvp (split(/,/, $data)) {
if ($kvp =~ m/^type=(yubico)$/) { if ($kvp =~ m/^type=(yubico|oath)$/) {
$res->{type} = $1; $res->{type} = $1;
} elsif ($kvp =~ m/^id=(\S+)$/) { } elsif ($kvp =~ m/^id=(\S+)$/) {
$res->{id} = $1; $res->{id} = $1;

14
changelog.Debian
View File

@ -1,3 +1,17 @@
libpve-access-control (3.0-14) unstable; urgency=low
* add oath two factor auth
* add oathkeygen binary to generate keys for oath
* add yubico two factor auth
* dedend on oathtool
* depend on libmime-base32-perl
-- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
libpve-access-control (3.0-13) unstable; urgency=low libpve-access-control (3.0-13) unstable; urgency=low
* use correct connection string for AD auth * use correct connection string for AD auth

2
control.in
View File

@ -3,7 +3,7 @@ Version: @@VERSION@@-@@PKGRELEASE@@
Section: perl Section: perl
Priority: optional Priority: optional
Architecture: @@ARCH@@ Architecture: @@ARCH@@
Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl, oathtool, libmime-base32-perl
Maintainer: Proxmox Support Team <support@proxmox.com> Maintainer: Proxmox Support Team <support@proxmox.com>
Description: Proxmox VE access control library Description: Proxmox VE access control library
This package contains the role based user management and access This package contains the role based user management and access

11
oathkeygen Executable file
View File

@ -0,0 +1,11 @@
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base32 qw(RFC); #libmime-base32-perl
my $test;
open(RND, "/dev/urandom");
sysread(RND, $test, 10) == 10 || die "read randon data failed\n";
print MIME::Base32::encode($test) . "\n";