support registering yubico otp keys

In PBS we don't support this, so the current TFA API in rust does not support this either (although the config does know about its *existence*). For now, yubico authentication will be done in perl. Adding it to rust the rust TFA crate would not make much sense anyway as we'd likely not want to use the same http client crate in pve and pbs anyway (since pve is all blocking code and pbs is async...) Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2025-10-04 14:18:28 +00:00 · 2021-11-09 12:27:02 +01:00 · 2021-11-09 12:27:02 +01:00 · 8c1e3ab3e9
commit 8c1e3ab3e9
parent 07692c72ff
2 changed files with 41 additions and 8 deletions
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@ -395,9 +395,15 @@ __PACKAGE__->register_method ({

 	my $rpcenv = PVE::RPCEnvironment::get();
 	my $authuser = $rpcenv->get_user();
-	my $userid =
+	my ($userid, $realm) =
 	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});

+	my $type = delete $param->{type};
+	my $value = delete $param->{value};
+	if ($type eq 'yubico') {
+	    $value = validate_yubico_otp($userid, $realm, $value);
+	}
+
 	return PVE::AccessControl::lock_tfa_config(sub {
 	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
 	    PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);
@ -406,9 +412,9 @@ __PACKAGE__->register_method ({
 		$userid,
 		$param->{description},
 		$param->{totp},
-		$param->{value},
+		$value,
 		$param->{challenge},
-		$param->{type},
+		$type,
 	    );

 	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);
@ -417,6 +423,28 @@ __PACKAGE__->register_method ({
 	});
    }});

+sub validate_yubico_otp : prototype($$) {
+    my ($userid, $realm, $value) = @_;
+
+    my $domain_cfg = cfs_read_file('domains.cfg');
+    my $realm_cfg = $domain_cfg->{ids}->{$realm};
+    die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+
+    my $realm_tfa = $realm_cfg->{tfa};
+    die "no yubico otp configuration available for realm $realm\n"
+	if !$realm_tfa;
+
+    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
+    die "realm is not setup for Yubico OTP\n"
+	if !$realm_tfa || $realm_tfa->{type} ne 'yubico';
+
+    my $public_key = substr($value, 0, 12);
+
+    PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);
+
+    return $public_key;
+}
+
 __PACKAGE__->register_method ({
    name => 'update_tfa_entry',
    path => '{userid}/{id}',
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@ -806,16 +806,21 @@ sub authenticate_yubico_new : prototype($$$) {
    my $keys = $tfa_cfg->get_yubico_keys($username);
    die "no keys configured\n" if !defined($keys) || !length($keys);

-    # Defer to after unlocking the TFA config:
-
-    # fixme: proxy support?
-    my $proxy;
-    PVE::OTP::yubico_verify_otp($otp, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
+    authenticate_yubico_do($otp, $keys, $realm);

    # return `undef` to clear the tfa challenge.
    return undef;
 }

+sub authenticate_yubico_do : prototype($$$) {
+    my ($value, $keys, $realm) = @_;
+
+    # fixme: proxy support?
+    my $proxy = undef;
+
+    PVE::OTP::yubico_verify_otp($value, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
+}
+
 sub configure_u2f_and_wa : prototype($) {
    my ($tfa_cfg) = @_;