Loading ReadMe.md +1 −1 Original line number Diff line number Diff line Loading @@ -7,7 +7,7 @@ ## Getting secrets/link to a QR code for Google Authenticator ``` docker run --entrypoint="" ubuntu_sshd_2fa cat /home/test/auth_secrets docker exec <container_id> cat /home/test/auth/auth_secrets ``` # PAM module in Python Loading server_side/Dockerfile +2 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,8 @@ FROM no2fa AS with2fa RUN apt-get install -y libpam-google-authenticator COPY sshd_2fa /etc/pam.d/sshd ENV OIDC_CHECK_2FA=1 COPY start_2fa.sh /tmp/oidc/ RUN chmod 777 /tmp/oidc/start_2fa.sh Loading server_side/oidc-pam.py +12 −5 Original line number Diff line number Diff line Loading @@ -65,19 +65,27 @@ def pam_sm_authenticate(pamh, _flags, _argv): config = config_fd.read() config_fd.close() config = json.loads(config) except Exception as error: logit('Error loading configuration: %s' % error) return pamh.PAM_AUTH_ERR use_first_pass = 'use_first_pass' in _argv # get user&token try: user = pamh.get_user(None) if user is None: return pamh.PAM_USER_UNKNOWN if use_first_pass: access_token = pamh.authtok if access_token is None: logit('empty access_token token with use_first_pass') return pamh.PAM_AUTH_ERR else: access_token = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Passcode or token: ')).resp if len(access_token) < 20: pamh.authtok = access_token return pamh.PAM_AUTH_ERR next_token_part = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Next: ')).resp while (next_token_part != 'token_end') and (next_token_part != ''): access_token = access_token + next_token_part Loading 
@@ -88,13 +96,12 @@ def pam_sm_authenticate(pamh, _flags, _argv): except pamh.exception as error: return error.pam_result # todo: check user same as in token try: url = config['introspection_url'] logit(access_token) data = {'token': access_token.strip(), 'client_id': config['client_id'], 'client_secret': config['client_secret']} response = requests.post(url, data=data) response = requests.post(url, data=data, timeout=5) if response.status_code != requests.status_codes.codes.ok: logit('Error checking introspecting token, server returned %d %s' % response.status_code, response.text) return pamh.PAM_AUTH_ERR Loading server_side/sshd +1 −1 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=1 default=ignore] pam_unix.so auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py use_first_pass # Standard Un*x authentication. @include common-auth Loading server_side/sshd_2fa +5 −3 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=ignore default=1] pam_unix.so auth [success=1 default=die] pam_google_authenticator.so auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py #auth [success=ignore default=1] pam_unix.so #auth [success=1 default=die] pam_google_authenticator.so #auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py auth [success=done default=ignore] pam_python.so /etc/security/oidc/oidc-pam.py auth [success=done default=die] pam_google_authenticator.so use_first_pass secret=${HOME}/auth/.google_authenticator # Standard Un*x authentication. @include common-auth Loading Loading
ReadMe.md +1 −1 Original line number Diff line number Diff line Loading @@ -7,7 +7,7 @@ ## Getting secrets/link to a QR code for Google Authenticator ``` docker run --entrypoint="" ubuntu_sshd_2fa cat /home/test/auth_secrets docker exec <container_id> cat /home/test/auth/auth_secrets ``` # PAM module in Python Loading
server_side/Dockerfile +2 −0 Original line number Diff line number Diff line Loading @@ -30,6 +30,8 @@ FROM no2fa AS with2fa RUN apt-get install -y libpam-google-authenticator COPY sshd_2fa /etc/pam.d/sshd ENV OIDC_CHECK_2FA=1 COPY start_2fa.sh /tmp/oidc/ RUN chmod 777 /tmp/oidc/start_2fa.sh Loading
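Review bot: `RUN chmod 777 /tmp/oidc/start_2fa.sh` makes the startup script world-writable inside the image; if it is later run with elevated privileges (the entrypoint is not visible in this section), any local process that can write under /tmp/oidc can change what gets executed. The script only needs to be executable, so `RUN chmod 755 /tmp/oidc/start_2fa.sh` is sufficient, and `chmod 700` is preferable if only root invokes it. A short comment above the COPY line saying what start_2fa.sh does and where it is invoked from would also help, since /tmp is an unusual home for a script baked into an image.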
server_side/oidc-pam.py +12 −5 Original line number Diff line number Diff line Loading @@ -65,19 +65,27 @@ def pam_sm_authenticate(pamh, _flags, _argv): config = config_fd.read() config_fd.close() config = json.loads(config) except Exception as error: logit('Error loading configuration: %s' % error) return pamh.PAM_AUTH_ERR use_first_pass = 'use_first_pass' in _argv # get user&token try: user = pamh.get_user(None) if user is None: return pamh.PAM_USER_UNKNOWN if use_first_pass: access_token = pamh.authtok if access_token is None: logit('empty access_token token with use_first_pass') return pamh.PAM_AUTH_ERR else: access_token = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Passcode or token: ')).resp if len(access_token) < 20: pamh.authtok = access_token return pamh.PAM_AUTH_ERR next_token_part = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Next: ')).resp while (next_token_part != 'token_end') and (next_token_part != ''): access_token = access_token + next_token_part Loading @@ -88,13 +96,12 @@ def pam_sm_authenticate(pamh, _flags, _argv): except pamh.exception as error: return error.pam_result # todo: check user same as in token try: url = config['introspection_url'] logit(access_token) data = {'token': access_token.strip(), 'client_id': config['client_id'], 'client_secret': config['client_secret']} response = requests.post(url, data=data) response = requests.post(url, data=data, timeout=5) if response.status_code != requests.status_codes.codes.ok: logit('Error checking introspecting token, server returned %d %s' % response.status_code, response.text) return pamh.PAM_AUTH_ERR Loading
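Review bot: `logit(access_token)` in the second hunk writes the full bearer token to the log; if that line is on the new side it should go, or be reduced to something non-replayable such as `logit('token length %d' % len(access_token))`, because anyone who can read the PAM log can reuse the token until it expires. In the first hunk, `if len(access_token) < 20:` is evaluated on whatever `pamh.conversation(...).resp` returned, and a cancelled prompt may yield `None` there, so `if not access_token or len(access_token) < 20:` would avoid raising TypeError inside the try (its handler is outside the hunk). The unchanged error line `'... %d %s' % response.status_code, response.text` formats only the first argument and therefore raises TypeError on the very path it is meant to log; it needs `% (response.status_code, response.text)`. The `timeout=5` addition is good, since a hanging introspection endpoint would otherwise block sshd's auth thread indefinitely. pam_sm_authenticate begins before and continues after both hunks.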
server_side/sshd +1 −1 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=1 default=ignore] pam_unix.so auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py use_first_pass # Standard Un*x authentication. @include common-auth Loading
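Review bot: Adding `use_first_pass` to the pam_python.so line makes the module reuse the value the user typed at the pam_unix.so password prompt as the OIDC token, so a Unix password that fails pam_unix and is 20 characters or longer (the length gate introduced in oidc-pam.py) is POSTed as `token` to the introspection endpoint named in the module's config. That forwards real user passwords off-host on every mistyped long password. If the design is that OIDC tokens are entered at the password prompt, say so in the file, e.g. `# use_first_pass: the value typed at the password prompt is retried as an OIDC access token`, and consider making tokens distinguishable from passwords (a prefix, for instance) before anything is forwarded.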
server_side/sshd_2fa +5 −3 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=ignore default=1] pam_unix.so auth [success=1 default=die] pam_google_authenticator.so auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py #auth [success=ignore default=1] pam_unix.so #auth [success=1 default=die] pam_google_authenticator.so #auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py auth [success=done default=ignore] pam_python.so /etc/security/oidc/oidc-pam.py auth [success=done default=die] pam_google_authenticator.so use_first_pass secret=${HOME}/auth/.google_authenticator # Standard Un*x authentication. @include common-auth Loading
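Review bot: `auth [success=done default=ignore] pam_python.so ...` finishes the auth stack as soon as the OIDC module succeeds, so a token login never reaches pam_google_authenticator.so or common-auth and the second factor only guards the password path. If that is intended because the module enforces 2FA itself when OIDC_CHECK_2FA=1 (the Dockerfile sets it, but the module's handling of it is not visible here), record it in the file, e.g. `# OIDC token accepted: oidc-pam.py enforces the second factor itself (OIDC_CHECK_2FA)`; otherwise `success=ok` would let the stack continue to the TOTP check. The three `#auth ...` lines are dead configuration from the old stack and should be deleted rather than commented out, since version control keeps the history. With `default=die` and no `nullok`, a user lacking `${HOME}/auth/.google_authenticator` should fail rather than skip the factor, which is the safe direction but worth a one-line comment so operators read a missing secret as lockout, not bypass.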