VERSION=3.0
PACKAGE=libpve-access-control
-PKGREL=13
+PKGREL=14
DESTDIR=
PREFIX=/usr
mv $@.tmp $@
.PHONY: install
-install: pveum.1.pod pveum.1.gz
+install: pveum.1.pod pveum.1.gz oathkeygen
install -d ${DESTDIR}${BINDIR}
install -d ${DESTDIR}${SBINDIR}
install -m 0755 pveum ${DESTDIR}${SBINDIR}
+ install -m 0755 oathkeygen ${DESTDIR}${BINDIR}
make -C PVE install
perl -I. ./pveum verifyapi
install -d ${DESTDIR}/usr/share/man/man1
tfa => {
description => "Two-factor authentication provider.",
type => 'string',
- enum => [ 'yubico' ],
+ enum => [ 'yubico', 'oath' ],
optional => 1,
},
comment => { type => 'string', optional => 1 },
if ($type eq 'yubico') {
my $keys = $usercfg->{users}->{$username}->{keys};
yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
+ } elsif ($type eq 'oath') {
+ my $keys = $usercfg->{users}->{$username}->{keys};
+ oath_verify_otp($otp, $keys);
} else {
die "unknown tfa type '$type'\n";
}
$cfg->{users}->{$user}->{email} = $email;
$cfg->{users}->{$user}->{comment} = PVE::Tools::decode_text($comment) if $comment;
$cfg->{users}->{$user}->{expire} = $expire;
- $cfg->{users}->{$user}->{keys} = $keys if $keys; # allowed yubico key ids
+ # keys: allowed yubico key ids or oath secrets (base32 encoded)
+ $cfg->{users}->{$user}->{keys} = $keys if $keys;
#$cfg->{users}->{$user}->{groups}->{$group} = 1;
#$cfg->{groups}->{$group}->{$user} = 1;
return $result;
}
+sub oath_verify_otp {
+ my ($otp, $keys) = @_;
+
+ die "oath: missing password\n" if !defined($otp);
+ die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
+
+ my $step = 30;
+
+ my $found;
+
+ my $parser = sub {
+ my $line = shift;
+
+ if ($line =~ m/^\d{6}$/) {
+ print "GOT:$line\n";
+ $found = 1 if $otp eq $line;
+ }
+ };
+
+ foreach my $k (PVE::Tools::split_list($keys)) {
+ # Note: we generate 3 values to allow small time drift
+ my $now = localtime(time() - $step);
+ my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k];
+ eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
+ last if $found;
+ }
+
+ die "oath auth failed\n" if !$found;
+}
+
1;
foreach my $kvp (split(/,/, $data)) {
- if ($kvp =~ m/^type=(yubico)$/) {
+ if ($kvp =~ m/^type=(yubico|oath)$/) {
$res->{type} = $1;
} elsif ($kvp =~ m/^id=(\S+)$/) {
$res->{id} = $1;
+libpve-access-control (3.0-14) unstable; urgency=low
+
+ * add oath two factor auth
+
+ * add oathkeygen binary to generate keys for oath
+
+ * add yubico two factor auth
+
+ * dedend on oathtool
+
+ * depend on libmime-base32-perl
+
+ -- Proxmox Support Team <support@proxmox.com> Thu, 17 Jul 2014 13:09:56 +0200
+
libpve-access-control (3.0-13) unstable; urgency=low
* use correct connection string for AD auth
Section: perl
Priority: optional
Architecture: @@ARCH@@
-Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl
+Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl, oathtool, libmime-base32-perl
Maintainer: Proxmox Support Team <support@proxmox.com>
Description: Proxmox VE access control library
This package contains the role based user management and access
--- /dev/null
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use MIME::Base32 qw(RFC); #libmime-base32-perl
+
+my $test;
+open(RND, "/dev/urandom");
+sysread(RND, $test, 10) == 10 || die "read randon data failed\n";
+print MIME::Base32::encode($test) . "\n";
+