return 1 if $data->{enable};
- return 1 if $username eq 'root@pam'; # root is always enabled
-
die "user '$username' is disabled\n" if !$noerr;
return undef;
yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
} elsif ($type eq 'oath') {
my $keys = $usercfg->{users}->{$username}->{keys};
- oath_verify_otp($otp, $keys);
+ oath_verify_otp($otp, $keys, $tfa_cfg->{step}, $tfa_cfg->{digits});
} else {
die "unknown tfa type '$type'\n";
}
$cfg->{roles}->{$r} = $special_roles->{$r};
}
- # fixme: remove 'root' group (not required)?
-
- # add root user
- $cfg->{users}->{'root@pam'}->{enable} = 1;
+ # add root user if not exists
+ if (!$cfg->{users}->{'root@pam'}) {
+ $cfg->{users}->{'root@pam'}->{enable} = 1;
+ }
}
sub parse_user_config {
}
sub oath_verify_otp {
- my ($otp, $keys) = @_;
+ my ($otp, $keys, $step, $digits) = @_;
die "oath: missing password\n" if !defined($otp);
die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
- my $step = 30;
+ $step = 30 if !$step;
+ $digits = 6 if !$digits;
my $found;
my $line = shift;
if ($line =~ m/^\d{6}$/) {
- print "GOT:$line\n";
$found = 1 if $otp eq $line;
}
};
foreach my $k (PVE::Tools::split_list($keys)) {
# Note: we generate 3 values to allow small time drift
my $now = localtime(time() - $step);
- my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k];
+ my $cmd = ['oathtool', '--totp', '--digits', $digits, '-N', $now, '-s', $step, '-w', '2', '-b', $k];
eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
last if $found;
}