Commit 8e0b1c30 authored by Yakubov, Sergey

cleanup and restructure files

parent 984eba52
+0 −0

File moved.

+6 −7
@@ -5,7 +5,6 @@ variables:
    NO2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd"
    WITH2FA_URL:   "${CI_REGISTRY_IMAGE}/opensuse_sshd_2fa"

# This import is for the func_rse_docker_* functions
before_script:
    - curl https://code.ornl.gov/rse-deployment/rse-sharables/raw/master/rse-bash-modules.sh -O
    - source rse-bash-modules.sh
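Review bot: `before_script` still downloads `rse-bash-modules.sh` from the `master` branch with `curl ... -O` and immediately `source`s it, so every pipeline run executes whatever that branch contains at that moment, with no pinning and no integrity check. Since this block is being touched anyway, pin the URL to a specific commit SHA rather than `master` and verify the download (for example, compare its `sha256sum` against a value recorded in this file) before the `source` line.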
@@ -24,8 +23,8 @@ build-docker:
    script:
        - docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY
        - if [ $CI_COMMIT_REF_NAME == "main" ]; then export IMAGE_PREFIX=""; fi
        - docker build -f server_side/dockerfiles/Dockerfile.ubuntu -t no2fa --target no2fa ./server_side
        - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t with2fa --target with2fa ./server_side
        - docker build -f dockerfiles/Dockerfile.ubuntu -t no2fa --target no2fa .
        - docker build -f dockerfiles/Dockerfile.opensuse -t with2fa --target with2fa .
        - docker tag no2fa $NO2FA_URL$IMAGE_PREFIX:latest
        - docker tag with2fa $WITH2FA_URL$IMAGE_PREFIX:latest
        - docker push $NO2FA_URL$IMAGE_PREFIX:latest
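Review bot: `docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY` passes the registry password on the command line, where it shows up in the process list and in any job log that echoes commands; prefer `echo "$CI_REGISTRY_PASSWORD" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. Two smaller points in the same hunk: `if [ $CI_COMMIT_REF_NAME == "main" ]` should quote the variable (`"$CI_COMMIT_REF_NAME"`) so an empty or unusual ref name cannot break the test, and since the images are only tagged `:latest`, consider also tagging them with `$CI_COMMIT_SHA` so a deployed image can be traced back to the commit that built it.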
@@ -36,10 +35,10 @@ build-docker:
build-packages:
    stage: build
    script:
        - docker build -f server_side/dockerfiles/Dockerfile.ubuntu -t ubuntu22 --target package ./server_side
        - docker run --rm -v `pwd`:/tmp ubuntu22 bash -c "cp /src/c/build/*.deb /tmp"
        - docker build -f server_side/dockerfiles/Dockerfile.opensuse -t opensuse --target package ./server_side
        - docker run --rm -v `pwd`:/tmp opensuse bash -c "cp /src/c/build/*.rpm /tmp"
        - docker build -f dockerfiles/Dockerfile.ubuntu -t ubuntu22 --target package .
        - docker run --rm -v `pwd`:/tmp ubuntu22 bash -c "cp /src/build/*.deb /tmp"
        - docker build -f dockerfiles/Dockerfile.opensuse -t opensuse --target package .
        - docker run --rm -v `pwd`:/tmp opensuse bash -c "cp /src/build/*.rpm /tmp"
        - fname=`ls *.rpm | head -n 1`
        - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file $fname "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rpm/0.3.0/$fname"'
        - fname=`ls *.deb | head -n 1`
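Review bot: the package version in the upload URL is hard-coded as `0.3.0` (`.../packages/generic/rpm/0.3.0/$fname`), so every pipeline run overwrites the same package version regardless of what was actually built; derive it from the artifact name or from `$CI_COMMIT_TAG` instead. The copy source inside the images also changed from `/src/c/build/*.deb` to `/src/build/*.deb` (and likewise for `*.rpm`); confirm that the moved Dockerfiles really place the build output in `/src/build`, otherwise `cp` finds no match and the job fails at that step. `$fname` should be quoted in `--upload-file $fname` as well.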
+52 −30
# 2FA

## Links

* https://goteleport.com/blog/ssh-2fa-tutorial/
* https://github.com/google/google-authenticator-libpam

## Getting secrets/link to a QR code for Google Authenticator
```
docker exec <container_id> cat /home/test/auth/auth_secrets
```

# PAM module in Python

https://developers.onelogin.com/authentication/tools/linux-ssh-pam-module

# Keycloak (just for manual tests, now in code)

get token

```curl -d 'client_id=ndip' -d 'client_secret=ZLrwMJePHNqDbHzZOLwdQrHjaByI4mhK'  -d 'username=gtest' -d 'password=1234' -d 'grant_type=password' 'http://localhost:8080/realms/NDIP/protocol/openid-connect/token'```


refresh token

```curl -X POST -d 'client_id=ndip' -d 'client_secret=ZLrwMJePHNqDbHzZOLwdQrHjaByI4mhK' -d 'grant_type=refresh_token' -d refresh_token=$rtoken http://localhost:8080/realms/NDIP/protocol/openid-connect/token```

introspect token

curl -d token=$token -d 'client_id=ndip'  -d 'client_secret=ZLrwMJePHNqDbHzZOLwdQrHjaByI4mhK'  http://localhost:8080/realms/NDIP/protocol/openid-connect/token/introspect
# SSH OIDC
This repository is for developing a PAM module that authenticates users by using 
tokens instead of passwords, ssh keys, etc.

Using keyboard-interactive authentication, the PAM module asks the user to supply 
an OIDC token when they try to SSH into a machine where it is installed. 
Due to the long sizes that tokens can grow to, there are multiple prompts. 
Users should split their token into three parts to properly connect. 
Note: Users will rarely if ever have to directly interact with this PAM module,
so this shouldn't be something that they will have to do manually.

## Config
In order to properly set up the PAM module the `oidc-config.json` file needs to be set
with the proper configuration. This config is where you specify where logs should be 
written to, whether or not two-factor authentication is needed, and most importantly,
the JWKS URI of your OIDC provider. This URI will determine which tokens you can properly 
validate, so it is important to make sure that it is correct. `oidc-config-test.json` 
is also provided for testing purposes if one needs to mess with configuration without 
touching the actual config file. 

## Source Code
There are two versions of the PAM module in this repository, one written in C and the other
in Python. The Python version is handy if one wants to try out different implementations
quickly, but the C version is what should be used in any sort of production or real-world environment.
There are several Dockerfiles in the `dockerfiles/` directory that can be used to build each PAM module.
For example, in order to build the python version you could run 
`docker build -f dockerfiles/Dockerfile.python -t oidc-pam-python`. 
There is also a provided build script in the `c/` directory named `build.sh` that you 
can use to compile the C PAM module. 

## Testing
While there are no official unit tests at the moment, both PAM modules can be tested fairly easily.
For the C version, there is a provided main script `build/oidc-pam-main` built from `main.c`.
You can run this script like so: `./oidc-pam-main <path-to-config> <oidc-token>`. 
This is a good way to test changes fairly quickly. The Python PAM module doesn't have a provided 
script for testing, but you can write your own, import the Python script, and test the functions directly. 

It is also possible to try out the PAM modules via ssh-ing into them directly, 
but this is a little bit more involved. First, build your image as described above. 
Then run said image as a container using `docker run <image> --name <name-for-container>`. 
Then grab the IP address of your running container by executing: 
`docker inspect -f "{{ .NetworkSettings.IPAddress }}" <name-of-container>`. 
You can then run `ssh <ip-address-of-container>` and complete the prompts. 
If successful, you should authenticate into the container. However, if this fails, 
we can still check logs from the PAM module by directly connecting to the container.
We do this by running `docker exec -it <name-of-container> /bin/bash`. 
From here you can navigate to wherever your log file is (which, again, is specified in
the config file `oidc-config.json`), and see the logs from the PAM module.



PAM_MAX_RESP_SIZE
 No newline at end of file
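Review bot: the Keycloak section commits a literal `client_secret` value in three `curl` examples, together with a test username and password; even for a local test realm these belong in environment variables or placeholders (for example `$CLIENT_SECRET`), and the value that is now in git history should be rotated. Further points in this file: `docker run <image> --name <name-for-container>` puts `--name` after the image, so Docker passes it to the container as an argument; it must read `docker run --name <name-for-container> <image>`. `docker build -f dockerfiles/Dockerfile.python -t oidc-pam-python` is missing the build context (`.`). The two Keycloak commands wrapped in triple backticks on a single line render inline rather than as code blocks, and the introspect command is not fenced at all. Finally, the dangling `PAM_MAX_RESP_SIZE` line at the end of the file reads like a leftover note; either explain what it refers to or drop it.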
+6 −0
{
    "jwks_url": "https://login.microsoftonline.com/db3dbd43-4c4b-4544-9f8a-0553f9f5f25e/discovery/v2.0/keys",
    "jwks_url": "xxx",
    "check_2fa": false,
    "enable_log": true,
    "enable_log": false,
    "log_file": "/tmp/oidc.log"
}
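Review bot: as rendered, this hunk shows two `jwks_url` keys and two `enable_log` keys; if both lines of either pair end up in the committed file, the JSON has duplicate keys and which value wins depends on the parser (most keep the last one), so double-check that only one `jwks_url` and one `enable_log` line survive. Replacing the tenant-specific Microsoft JWKS URL with the placeholder `"xxx"` is the right move for a committed config, but the README describes the JWKS URI as the setting that determines which tokens can be validated, so document that `xxx` must be replaced before deployment, or have the module refuse to start when the value is not a valid URL. `log_file` under `/tmp` points at a shared, world-writable directory; a dedicated directory with restricted permissions is a safer default for an authentication log.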
+0 −0

File moved.
