proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 15:53:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

support registering yubico otp keys

Browse Source 
In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).

For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-11-09 12:27:02 +01:00 committed by Thomas Lamprecht
parent 07692c72ff
commit 8c1e3ab3e9
2 changed files with 41 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/PVE/API2/TFA.pm
View File

@ -395,9 +395,15 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $userid =
my ($userid, $realm) =
root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
my $type = delete $param->{type};
my $value = delete $param->{value};
if ($type eq 'yubico') {
$value = validate_yubico_otp($userid, $realm, $value);
}
return PVE::AccessControl::lock_tfa_config(sub {
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);
@ -406,9 +412,9 @@ __PACKAGE__->register_method ({
$userid,
$param->{description},
$param->{totp},
$param->{value},
$value,
$param->{challenge},
$param->{type},
$type,
);
cfs_write_file('priv/tfa.cfg', $tfa_cfg);
@ -417,6 +423,28 @@ __PACKAGE__->register_method ({
});
}});
sub validate_yubico_otp : prototype($$) {
my ($userid, $realm, $value) = @_;
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
die "auth domain '$realm' does not exist\n" if !$realm_cfg;
my $realm_tfa = $realm_cfg->{tfa};
die "no yubico otp configuration available for realm $realm\n"
if !$realm_tfa;
$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
die "realm is not setup for Yubico OTP\n"
if !$realm_tfa || $realm_tfa->{type} ne 'yubico';
my $public_key = substr($value, 0, 12);
PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);
return $public_key;
}
__PACKAGE__->register_method ({
name => 'update_tfa_entry',
path => '{userid}/{id}',

15
src/PVE/AccessControl.pm
View File

@ -806,16 +806,21 @@ sub authenticate_yubico_new : prototype($$$) {
my $keys = $tfa_cfg->get_yubico_keys($username);
die "no keys configured\n" if !defined($keys) || !length($keys);
# Defer to after unlocking the TFA config:
# fixme: proxy support?
my $proxy;
PVE::OTP::yubico_verify_otp($otp, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
authenticate_yubico_do($otp, $keys, $realm);
# return `undef` to clear the tfa challenge.
return undef;
}
sub authenticate_yubico_do : prototype($$$) {
my ($value, $keys, $realm) = @_;
# fixme: proxy support?
my $proxy = undef;
PVE::OTP::yubico_verify_otp($value, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
}
sub configure_u2f_and_wa : prototype($) {
my ($tfa_cfg) = @_;