Loading server_side/.gitlab-ci.yml +3 −3 Original line number Diff line number Diff line variables: NO2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd" 2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa" WITH2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa" # This import is for the func_rse_docker_* functions before_script: Loading @@ -19,8 +19,8 @@ docker-build: script: - docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY - docker build -f server_side/Dockerfile -t $NO2FA_URL/$CI_COMMIT_REF_NAME:latest --target no2fa ./server_side - docker build -f server_side/Dockerfile -t $2FA_URL/$CI_COMMIT_REF_NAME:latest --target with2fa ./server_side - docker build -f server_side/Dockerfile -t $WITH2FA_URL/$CI_COMMIT_REF_NAME:latest --target with2fa ./server_side - docker push $NO2FA_URL/$CI_COMMIT_REF_NAME:latest - docker push $2FA_URL/$CI_COMMIT_REF_NAME:latest - docker push $WITH2FA_URL/$CI_COMMIT_REF_NAME:latest tags: - rse-multi-builder server_side/Dockerfile +9 −7 Original line number Diff line number Diff line Loading @@ -9,13 +9,19 @@ RUN mkhomedir_helper test RUN echo test:123 | chpasswd RUN mkdir /run/sshd COPY oidc-pam.py /etc/securuty/oidc/oidc-pam.py COPY oidc-pam.json /etc/securuty/oidc/oidc-pam.json COPY oidc-pam.py /etc/security/oidc/oidc-pam.py COPY sshd /etc/pam.d/ COPY sshd_pam.conf /etc/ssh/sshd_config.d/ COPY docker-entrypoint.sh /tmp/oidc/ COPY update_oidc_config.py /tmp/oidc/ COPY oidc-pam.json /tmp/oidc/ RUN chmod 777 /tmp/oidc/docker-entrypoint.sh EXPOSE 22 ENTRYPOINT /usr/sbin/sshd -D ENTRYPOINT /tmp/oidc/docker-entrypoint.sh #2FA Loading 
@@ -25,8 +31,4 @@ FROM no2fa AS with2fa RUN apt-get install -y libpam-google-authenticator COPY sshd_2fa /etc/pam.d/sshd USER test RUN google-authenticator -t -d -f -W -u > /home/test/auth_secrets USER root server_side/docker-entrypoint.sh 0 → 100644 +15 −0 Original line number Diff line number Diff line #!/bin/bash su test if [ ! -e "/home/test/auth_secrets" ]; then bash -c "google-authenticator -t -d -f -W -u" > /home/test/auth_secrets fi su root cd /tmp/oidc python2 /tmp/oidc/update_oidc_config.py /usr/sbin/sshd -D No newline at end of file server_side/oidc-pam.py +25 −24 Original line number Diff line number Diff line Loading @@ -8,12 +8,9 @@ PAM module for authenticating users via a OIDC token import json import os import sys import logging import requests def logit(data): ''' Logs data to stderr and syslog Loading @@ -21,10 +18,9 @@ def logit(data): data (*): Data to log Returns: None ''' logging.basicConfig(filename='/tmp/pam.log', encoding='utf-8', level=logging.DEBUG) data_str = str(data) sys.stderr.write('%s\n' % data_str) logging.debug(data_str) def pam_sm_setcred(pamh, _flags, _argv): ''' Loading @@ -32,24 +28,28 @@ def pam_sm_setcred(pamh, _flags, _argv): ''' return pamh.PAM_SUCCESS def pam_sm_acct_mgmt(pamh, _flags, _argv): ''' Default ''' return pamh.PAM_SUCCESS def pam_sm_open_session(pamh, _flags, _argv): ''' Default ''' return pamh.PAM_SUCCESS def pam_sm_close_session(pamh, _flags, _argv): ''' Default ''' return pamh.PAM_SUCCESS def pam_sm_chauthtok(pamh, _flags, _argv): ''' Default Loading Loading 
@@ -79,9 +79,8 @@ def pam_sm_authenticate(pamh, _flags, _argv): if user is None: return pamh.PAM_USER_UNKNOWN access_token = pamh.authtok # if len(access_token)<20: #cannot be token, should be wrong password # return pamh.PAM_AUTH_ERR if len(access_token)>5: if len(access_token) < 20: return pamh.PAM_AUTH_ERR next_token_part = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Next: ')).resp while (next_token_part != 'token_end') and (next_token_part != ''): access_token = access_token + next_token_part Loading @@ -96,14 +95,16 @@ def pam_sm_authenticate(pamh, _flags, _argv): try: url = config['introspection_url'] logit(access_token) data = {'token': access_token.strip(),'client_id': config['client_id'], 'client_secret':config['client_secret']} data = {'token': access_token.strip(), 'client_id': config['client_id'], 'client_secret': config['client_secret']} response = requests.post(url, data=data) if response.status_code != requests.status_codes.codes.ok: logit('Error checking introspecting token, server returned %d %s' % response.status_code, response.text) return pamh.PAM_AUTH_ERR token_info = response.json() if token_info['active'] != True: logit('Error checking introspecting token, token %s invalid, server response: %s' %(access_token, response.text)) logit('Error checking introspecting token, token %s invalid, server response: %s' % ( access_token, response.text)) return pamh.PAM_AUTH_ERR logit(response.json()) except Exception as error: Loading server_side/sshd +1 −1 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=1 default=ignore] pam_unix.so auth sufficient pam_python.so /etc/securuty/oidc/oidc-pam.py auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py # Standard Un*x authentication. @include common-auth Loading Loading
server_side/.gitlab-ci.yml +3 −3 Original line number Diff line number Diff line variables: NO2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd" 2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa" WITH2FA_URL: "${CI_REGISTRY_IMAGE}/ubuntu_sshd_2fa" # This import is for the func_rse_docker_* functions before_script: Loading @@ -19,8 +19,8 @@ docker-build: script: - docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY - docker build -f server_side/Dockerfile -t $NO2FA_URL/$CI_COMMIT_REF_NAME:latest --target no2fa ./server_side - docker build -f server_side/Dockerfile -t $2FA_URL/$CI_COMMIT_REF_NAME:latest --target with2fa ./server_side - docker build -f server_side/Dockerfile -t $WITH2FA_URL/$CI_COMMIT_REF_NAME:latest --target with2fa ./server_side - docker push $NO2FA_URL/$CI_COMMIT_REF_NAME:latest - docker push $2FA_URL/$CI_COMMIT_REF_NAME:latest - docker push $WITH2FA_URL/$CI_COMMIT_REF_NAME:latest tags: - rse-multi-builder
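Review bot: `docker login --username=$CI_REGISTRY_USER --password=$CI_REGISTRY_PASSWORD $CI_REGISTRY`, the context line just above the renamed build/push lines, puts the registry credential on the command line, where it is visible to `ps` on the runner and to anything that echoes the job script; docker itself warns that `--password` is insecure. Feed it over stdin instead: `echo "$CI_REGISTRY_PASSWORD" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The images are pushed only as the mutable `$CI_COMMIT_REF_NAME:latest`, so a deployment cannot pin or audit which build it is running; tagging `$CI_COMMIT_SHA` alongside `latest` fixes that cheaply. A one-line comment on the `variables:` block would stop the bug this rename fixes from coming back: `# variable names must not start with a digit: $2FA_URL expands in sh as "$2" followed by "FA_URL"`.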
server_side/Dockerfile +9 −7 Original line number Diff line number Diff line Loading @@ -9,13 +9,19 @@ RUN mkhomedir_helper test RUN echo test:123 | chpasswd RUN mkdir /run/sshd COPY oidc-pam.py /etc/securuty/oidc/oidc-pam.py COPY oidc-pam.json /etc/securuty/oidc/oidc-pam.json COPY oidc-pam.py /etc/security/oidc/oidc-pam.py COPY sshd /etc/pam.d/ COPY sshd_pam.conf /etc/ssh/sshd_config.d/ COPY docker-entrypoint.sh /tmp/oidc/ COPY update_oidc_config.py /tmp/oidc/ COPY oidc-pam.json /tmp/oidc/ RUN chmod 777 /tmp/oidc/docker-entrypoint.sh EXPOSE 22 ENTRYPOINT /usr/sbin/sshd -D ENTRYPOINT /tmp/oidc/docker-entrypoint.sh #2FA Loading @@ -25,8 +31,4 @@ FROM no2fa AS with2fa RUN apt-get install -y libpam-google-authenticator COPY sshd_2fa /etc/pam.d/sshd USER test RUN google-authenticator -t -d -f -W -u > /home/test/auth_secrets USER root
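Review bot: `RUN chmod 777 /tmp/oidc/docker-entrypoint.sh` makes the script that root runs at every container start world-writable, so any local account, including `test` whose password `123` is set a few lines above, can rewrite it and get code execution as root on the next start. The script only needs to be executable: `COPY --chmod=755 docker-entrypoint.sh /usr/local/bin/` and `ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]` (exec form, so `sh -c` is not inserted as PID 1) removes the write bit and gets it out of /tmp. `oidc-pam.json` is now copied to /tmp/oidc/ with default permissions; since the PAM module posts a `client_secret` read from its config, that file should be root-only (`chmod 600`) wherever `update_oidc_config.py` leaves it, which this diff does not show. The `ENTRYPOINT` is set in the `no2fa` stage and inherited by `with2fa`, so the entrypoint script runs in both images, including the one without libpam-google-authenticator installed.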
server_side/docker-entrypoint.sh 0 → 100644 +15 −0 Original line number Diff line number Diff line #!/bin/bash su test if [ ! -e "/home/test/auth_secrets" ]; then bash -c "google-authenticator -t -d -f -W -u" > /home/test/auth_secrets fi su root cd /tmp/oidc python2 /tmp/oidc/update_oidc_config.py /usr/sbin/sshd -D No newline at end of file
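Review bot: `su test` on line 2 does not switch the user for the commands that follow: without `-c` it starts an interactive shell reading from the script's stdin, which exits as soon as stdin is exhausted (immediately when the container has no TTY), and the rest of the script keeps running as root. As a result `google-authenticator -f` writes its secret under root's home rather than /home/test/.google_authenticator, where pam_google_authenticator looks by default for user `test`, and `auth_secrets`, which captures the TOTP secret and scratch codes, is created root-owned with default permissions; `su root` on line 6 is a no-op for the same reason. Because the `no2fa` stage inherits this entrypoint without google-authenticator installed, the step should be skipped when the binary is absent instead of failing and leaving an empty file. sshd should also be `exec`'d so it receives container signals directly, and the secret file should be readable only by `test`.
```shell
#!/bin/bash
set -euo pipefail

# Only the with2fa stage installs libpam-google-authenticator; the no2fa
# image runs this same entrypoint and must not fail here.
if command -v google-authenticator >/dev/null 2>&1 && [ ! -e /home/test/auth_secrets ]; then
    # Run as 'test' so -f writes /home/test/.google_authenticator; the
    # captured secret and scratch codes are readable only by that user.
    su -s /bin/bash -c "google-authenticator -t -d -f -W -u" test > /home/test/auth_secrets
    chown test:test /home/test/auth_secrets
    chmod 600 /home/test/auth_secrets
fi

cd /tmp/oidc
python2 /tmp/oidc/update_oidc_config.py
exec /usr/sbin/sshd -D
```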
server_side/oidc-pam.py +25 −24 Original line number Diff line number Diff line Loading @@ -8,12 +8,9 @@ PAM module for authenticating users via a OIDC token import json import os import sys import logging import requests def logit(data): ''' Logs data to stderr and syslog Loading @@ -21,10 +18,9 @@ def logit(data): data (*): Data to log Returns: None ''' logging.basicConfig(filename='/tmp/pam.log', encoding='utf-8', level=logging.DEBUG) data_str = str(data) sys.stderr.write('%s\n' % data_str) logging.debug(data_str) def pam_sm_setcred(pamh, _flags, _argv): ''' Loading @@ -32,24 +28,28 @@ def pam_sm_setcred(pamh, _flags, _argv): ''' return pamh.PAM_SUCCESS def pam_sm_acct_mgmt(pamh, _flags, _argv): ''' Default ''' return pamh.PAM_SUCCESS def pam_sm_open_session(pamh, _flags, _argv): ''' Default ''' return pamh.PAM_SUCCESS def pam_sm_close_session(pamh, _flags, _argv): ''' Default ''' return pamh.PAM_SUCCESS def pam_sm_chauthtok(pamh, _flags, _argv): ''' Default Loading Loading @@ -79,9 +79,8 @@ def pam_sm_authenticate(pamh, _flags, _argv): if user is None: return pamh.PAM_USER_UNKNOWN access_token = pamh.authtok # if len(access_token)<20: #cannot be token, should be wrong password # return pamh.PAM_AUTH_ERR if len(access_token)>5: if len(access_token) < 20: return pamh.PAM_AUTH_ERR next_token_part = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Next: ')).resp while (next_token_part != 'token_end') and (next_token_part != ''): access_token = access_token + next_token_part Loading 
@@ -96,14 +95,16 @@ def pam_sm_authenticate(pamh, _flags, _argv): try: url = config['introspection_url'] logit(access_token) data = {'token': access_token.strip(),'client_id': config['client_id'], 'client_secret':config['client_secret']} data = {'token': access_token.strip(), 'client_id': config['client_id'], 'client_secret': config['client_secret']} response = requests.post(url, data=data) if response.status_code != requests.status_codes.codes.ok: logit('Error checking introspecting token, server returned %d %s' % response.status_code, response.text) return pamh.PAM_AUTH_ERR token_info = response.json() if token_info['active'] != True: logit('Error checking introspecting token, token %s invalid, server response: %s' %(access_token, response.text)) logit('Error checking introspecting token, token %s invalid, server response: %s' % ( access_token, response.text)) return pamh.PAM_AUTH_ERR logit(response.json()) except Exception as error: Loading
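Review bot: `logit(access_token)` and the reformatted error line `logit('... token %s invalid ...' % (access_token, response.text))` write the user's raw OIDC bearer token to /tmp/pam.log, which `logging.basicConfig` (earlier hunk) creates under root's default umask in a world-writable directory, so any local account can read live tokens of other users, and a pre-planted symlink at /tmp/pam.log lets a local user redirect root's writes. Drop the bare `logit(access_token)`, log the failure without the secret (`logit('Token introspection failed for user %s: HTTP %d' % (user, response.status_code))`), and keep the log under /var/log with mode 0600 or use syslog as the `logit` docstring claims. The context line `'... %d %s' % response.status_code, response.text` formats only the status code, so the non-200 branch raises TypeError into the outer `except Exception` and never logs what it intends; it needs `% (response.status_code, response.text)`. `requests.post(url, data=data)` has no `timeout`, so an unresponsive introspection endpoint hangs the sshd PAM conversation indefinitely. Nothing in this hunk ties the introspected token to `user` (e.g. comparing a `username`/`sub` field of `token_info`); pam_sm_authenticate continues outside the hunk, and if that binding is not done there, any active token would authenticate as any local account.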
server_side/sshd +1 −1 Original line number Diff line number Diff line # PAM configuration for the Secure Shell service auth [success=1 default=ignore] pam_unix.so auth sufficient pam_python.so /etc/securuty/oidc/oidc-pam.py auth sufficient pam_python.so /etc/security/oidc/oidc-pam.py # Standard Un*x authentication. @include common-auth Loading