proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-07-25 23:40:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add step/digits option to oath configuration

Browse Source
This commit is contained in:
Dietmar Maurer 2014-07-23 06:59:01 +02:00
parent 30be0de97a
commit 86cd805b63
2 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
PVE/AccessControl.pm
View File

@ -378,7 +378,7 @@ sub verify_one_time_pw {
yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy); yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
} elsif ($type eq 'oath') { } elsif ($type eq 'oath') {
my $keys = $usercfg->{users}->{$username}->{keys}; my $keys = $usercfg->{users}->{$username}->{keys};
oath_verify_otp($otp, $keys); oath_verify_otp($otp, $keys, $tfa_cfg->{step}, $tfa_cfg->{digits});
} else { } else {
die "unknown tfa type '$type'\n"; die "unknown tfa type '$type'\n";
} }
@ -1229,12 +1229,13 @@ sub yubico_verify_otp {
} }
sub oath_verify_otp { sub oath_verify_otp {
my ($otp, $keys) = @_; my ($otp, $keys, $step, $digits) = @_;
die "oath: missing password\n" if !defined($otp); die "oath: missing password\n" if !defined($otp);
die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/; die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
my $step = 30; $step = 30 if !$step;
$digits = 6 if !$digits;
my $found; my $found;
@ -1250,7 +1251,7 @@ sub oath_verify_otp {
foreach my $k (PVE::Tools::split_list($keys)) { foreach my $k (PVE::Tools::split_list($keys)) {
# Note: we generate 3 values to allow small time drift # Note: we generate 3 values to allow small time drift
my $now = localtime(time() - $step); my $now = localtime(time() - $step);
my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k]; my $cmd = ['oathtool', '--totp', '--digits', $digits, '-N', $now, '-s', $step, '-w', '2', '-b', $k];
eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); }; eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
last if $found; last if $found;
} }

4
PVE/Auth/Plugin.pm
View File

@ -116,6 +116,10 @@ sub parse_tfa_config {
$res->{key} = $1; $res->{key} = $1;
} elsif ($kvp =~ m/^url=(\S+)$/) { } elsif ($kvp =~ m/^url=(\S+)$/) {
$res->{url} = $1; $res->{url} = $1;
} elsif ($kvp =~ m/^digits=([6|7|8])$/) {
$res->{digits} = $1;
} elsif ($kvp =~ m/^step=([1-9]\d+)$/) {
$res->{step} = $1;
} else { } else {
return undef; return undef;
} }