use Net::SSLeay;
use Net::IP;
use MIME::Base64;
-use MIME::Base32; #libmime-base32-perl
use Digest::SHA;
+use IO::File;
+use File::stat;
+use PVE::OTP;
use PVE::Ticket;
-use URI::Escape;
-use LWP::UserAgent;
use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print);
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
-use PVE::JSONSchema;
+use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Auth::Plugin;
use PVE::Auth::AD;
use PVE::Auth::PVE;
use PVE::Auth::PAM;
-use Data::Dumper; # fixme: remove
-
# load and initialize all plugins
PVE::Auth::AD->register();
# $authdir must be writable by root only!
my $confdir = "/etc/pve";
my $authdir = "$confdir/priv";
-my $authprivkeyfn = "$authdir/authkey.key";
-my $authpubkeyfn = "$confdir/authkey.pub";
+
my $pve_www_key_fn = "$confdir/pve-www.key";
+my $pve_auth_key_files = {
+ priv => "$authdir/authkey.key",
+ pub => "$confdir/authkey.pub",
+ pubold => "$confdir/authkey.pub.old",
+};
+
+my $pve_auth_key_cache = {};
+
my $ticket_lifetime = 3600*2; # 2 hours
+# TODO: set to 24h for PVE 6.0
+my $authkey_lifetime = 3600*0; # rotation disabled
Crypt::OpenSSL::RSA->import_random_seed();
\&parse_user_config,
\&write_user_config);
-
sub verify_username {
PVE::Auth::Plugin::verify_username(@_);
}
}
}
-my $pve_auth_pub_key;
+my $cache_read_key = sub {
+ my ($type) = @_;
+
+ my $path = $pve_auth_key_files->{$type};
+
+ my $read_key_and_mtime = sub {
+ my $fh = IO::File->new($path, "r");
+
+ return undef if !defined($fh);
+
+ my $st = stat($fh);
+ my $pem = PVE::Tools::safe_read_from($fh, 0, 0, $path);
+
+ close $fh;
+
+ my $key;
+ if ($type eq 'pub' || $type eq 'pubold') {
+ $key = eval { Crypt::OpenSSL::RSA->new_public_key($pem); };
+ } elsif ($type eq 'priv') {
+ $key = eval { Crypt::OpenSSL::RSA->new_private_key($pem); };
+ } else {
+ die "Invalid authkey type '$type'\n";
+ }
+
+ return { key => $key, mtime => $st->mtime };
+ };
+
+ if (!defined($pve_auth_key_cache->{$type})) {
+ $pve_auth_key_cache->{$type} = $read_key_and_mtime->();
+ } else {
+ my $st = stat($path);
+ if (!$st || $st->mtime != $pve_auth_key_cache->{$type}->{mtime}) {
+ $pve_auth_key_cache->{$type} = $read_key_and_mtime->();
+ }
+ }
+
+ return $pve_auth_key_cache->{$type};
+};
+
sub get_pubkey {
+ my ($old) = @_;
+
+ my $type = $old ? 'pubold' : 'pub';
- return $pve_auth_pub_key if $pve_auth_pub_key;
+ my $res = $cache_read_key->($type);
+ return undef if !defined($res);
- my $input = PVE::Tools::file_get_contents($authpubkeyfn);
+ return wantarray ? ($res->{key}, $res->{mtime}) : $res->{key};
+}
- $pve_auth_pub_key = Crypt::OpenSSL::RSA->new_public_key($input);
+sub get_privkey {
+ my $res = $cache_read_key->('priv');
- return $pve_auth_pub_key;
+ if (!defined($res) || !check_authkey(1)) {
+ rotate_authkey();
+ $res = $cache_read_key->('priv');
+ }
+
+ return wantarray ? ($res->{key}, $res->{mtime}) : $res->{key};
+}
+
+sub check_authkey {
+ my ($quiet) = @_;
+
+ # skip check if non-quorate, as rotation is not possible anyway
+ return 1 if !PVE::Cluster::check_cfs_quorum(1);
+
+ my ($pub_key, $mtime) = get_pubkey();
+ if (!$pub_key) {
+ warn "auth key pair missing, generating new one..\n" if !$quiet;
+ return 0;
+ } else {
+ if (time() - $mtime >= $authkey_lifetime) {
+ warn "auth key pair too old, rotating..\n" if !$quiet;;
+ return 0;
+ } else {
+ warn "auth key new enough, skipping rotation\n" if !$quiet;;
+ return 1;
+ }
+ }
+}
+
+sub rotate_authkey {
+ return if $authkey_lifetime == 0;
+
+ cfs_lock_authkey(undef, sub {
+ # re-check with lock to avoid double rotation in clusters
+ return if check_authkey();
+
+ my $old = get_pubkey();
+
+ if ($old) {
+ eval {
+ my $pem = $old->get_public_key_x509_string();
+ PVE::Tools::file_set_contents($pve_auth_key_files->{pubold}, $pem);
+ };
+ die "Failed to store old auth key: $@\n" if $@;
+ }
+
+ my $new = Crypt::OpenSSL::RSA->generate_key(2048);
+ eval {
+ my $pem = $new->get_public_key_x509_string();
+ PVE::Tools::file_set_contents($pve_auth_key_files->{pub}, $pem);
+ };
+ if ($@) {
+ if ($old) {
+ warn "Failed to store new auth key - $@\n";
+ warn "Reverting to previous auth key\n";
+ eval {
+ my $pem = $old->get_public_key_x509_string();
+ PVE::Tools::file_set_contents($pve_auth_key_files->{pub}, $pem);
+ };
+ die "Failed to restore old auth key: $@\n" if $@;
+ } else {
+ die "Failed to store new auth key - $@\n";
+ }
+ }
+
+ eval {
+ my $pem = $new->get_private_key_string();
+ PVE::Tools::file_set_contents($pve_auth_key_files->{priv}, $pem);
+ };
+ if ($@) {
+ warn "Failed to store new auth key - $@\n";
+ warn "Deleting auth key to force regeneration\n";
+ unlink $pve_auth_key_files->{pub};
+ unlink $pve_auth_key_files->{priv};
+ }
+ });
+ die $@ if $@;
}
my $csrf_prevention_secret;
$secret, $username, $token, -300, $ticket_lifetime, $noerr);
}
-my $pve_auth_priv_key;
-sub get_privkey {
+my $get_ticket_age_range = sub {
+ my ($now, $mtime, $rotated) = @_;
- return $pve_auth_priv_key if $pve_auth_priv_key;
+ my $key_age = $now - $mtime;
+ $key_age = 0 if $key_age < 0;
- my $input = PVE::Tools::file_get_contents($authprivkeyfn);
+ my $min = -300;
+ my $max = $ticket_lifetime;
- $pve_auth_priv_key = Crypt::OpenSSL::RSA->new_private_key($input);
+ if ($rotated) {
+ # ticket creation after rotation is not allowed
+ $min = $key_age - 300;
+ } else {
+ if ($key_age > $authkey_lifetime && $authkey_lifetime > 0) {
+ if (PVE::Cluster::check_cfs_quorum(1)) {
+ # key should have been rotated, clamp range accordingly
+ $min = $key_age - $authkey_lifetime;
+ } else {
+ warn "Cluster not quorate - extending auth key lifetime!\n";
+ }
+ }
- return $pve_auth_priv_key;
-}
+ $max = $key_age + 300 if $key_age < $ticket_lifetime;
+ }
+
+ return undef if $min > $ticket_lifetime;
+ return ($min, $max);
+};
sub assemble_ticket {
my ($username) = @_;
sub verify_ticket {
my ($ticket, $noerr) = @_;
- my $rsa_pub = get_pubkey();
+ my $now = time();
+
+ my $check = sub {
+ my ($old) = @_;
- my ($username, $age) = PVE::Ticket::verify_rsa_ticket(
- $rsa_pub, 'PVE', $ticket, undef, -300, $ticket_lifetime, $noerr);
+ my ($rsa_pub, $rsa_mtime) = get_pubkey($old);
+ return undef if !$rsa_pub;
- return undef if $noerr && !defined($username);
+ my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old);
+ return undef if !$min;
+
+ return PVE::Ticket::verify_rsa_ticket(
+ $rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);
+ };
+
+ my ($username, $age) = $check->();
+
+ # check with old, rotated key if current key failed
+ ($username, $age) = $check->(1) if !defined($username);
+
+ if (!defined($username)) {
+ if ($noerr) {
+ return undef;
+ } else {
+ # raise error via undef ticket
+ PVE::Ticket::verify_rsa_ticket(undef, 'PVE');
+ }
+ }
return undef if !PVE::Auth::Plugin::verify_username($username, $noerr);
sub verify_vnc_ticket {
my ($ticket, $username, $path, $noerr) = @_;
- my $rsa_pub = get_pubkey();
-
my $secret_data = "$username:$path";
+ my ($rsa_pub, $rsa_mtime) = get_pubkey();
+ if (!$rsa_pub || (time() - $rsa_mtime > $authkey_lifetime)) {
+ if ($noerr) {
+ return undef;
+ } else {
+ # raise error via undef ticket
+ PVE::Ticket::verify_rsa_ticket($rsa_pub, 'PVEVNC');
+ }
+ }
+
return PVE::Ticket::verify_rsa_ticket(
$rsa_pub, 'PVEVNC', $ticket, $secret_data, -20, 40, $noerr);
}
$secret, $username, $vmid, $node);
}
-
sub verify_spice_connect_url {
my ($connect_str) = @_;
if ($type eq 'yubico') {
my $keys = $usercfg->{users}->{$username}->{keys};
- yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
+ PVE::OTP::yubico_verify_otp($otp, $keys, $tfa_cfg->{url},
+ $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
} elsif ($type eq 'oath') {
my $keys = $usercfg->{users}->{$username}->{keys};
- oath_verify_otp($otp, $keys, $tfa_cfg->{step}, $tfa_cfg->{digits});
+ PVE::OTP::oath_verify_otp($otp, $keys, $tfa_cfg->{step}, $tfa_cfg->{digits});
} else {
die "unknown tfa type '$type'\n";
}
'VM.Migrate',
'VM.Monitor',
'VM.Snapshot',
+ 'VM.Snapshot.Rollback',
],
user => [
'VM.Config.CDROM', # change CDROM media
create_roles();
+sub create_priv_properties {
+ my $properties = {};
+ foreach my $priv (keys %$valid_privs) {
+ $properties->{$priv} = {
+ type => 'boolean',
+ optional => 1,
+ };
+ }
+ return $properties;
+}
+
+sub role_is_special {
+ my ($role) = @_;
+ return (exists $special_roles->{$role}) ? 1 : 0;
+}
+
sub add_role_privs {
my ($role, $usercfg, $privs) = @_;
return $path;
}
-
PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;
return $rolename;
}
-PVE::JSONSchema::register_format('pve-poolid', \&verify_groupname);
+PVE::JSONSchema::register_format('pve-poolid', \&verify_poolname);
sub verify_poolname {
my ($poolname, $noerr) = @_;
lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
}
-# hotp/totp code
-
-sub hotp($$;$) {
- my ($binsecret, $number, $digits) = @_;
-
- $digits = 6 if !defined($digits);
-
- my $bincounter = pack('Q>', $number);
- my $hmac = Digest::SHA::hmac_sha1($bincounter, $binsecret);
-
- my $offset = unpack('C', substr($hmac,19) & pack('C', 0x0F));
- my $part = substr($hmac, $offset, 4);
- my $otp = unpack('N', $part);
- my $value = ($otp & 0x7fffffff) % (10**$digits);
- return sprintf("%0${digits}d", $value);
-}
-
-# experimental code for yubico OTP verification
-
-sub yubico_compute_param_sig {
- my ($param, $api_key) = @_;
-
- my $paramstr = '';
- foreach my $key (sort keys %$param) {
- $paramstr .= '&' if $paramstr;
- $paramstr .= "$key=$param->{$key}";
- }
-
- # hmac_sha1_base64 does not add '=' padding characters, so we use encode_base64
- my $sig = uri_escape(encode_base64(Digest::SHA::hmac_sha1($paramstr, decode_base64($api_key || '')), ''));
-
- return ($paramstr, $sig);
-}
-
-sub yubico_verify_otp {
- my ($otp, $keys, $url, $api_id, $api_key, $proxy) = @_;
-
- die "yubico: missing password\n" if !defined($otp);
- die "yubico: missing API ID\n" if !defined($api_id);
- die "yubico: missing API KEY\n" if !defined($api_key);
- die "yubico: no associated yubico keys\n" if $keys =~ m/^\s+$/;
-
- die "yubico: wrong OTP length\n" if (length($otp) < 32) || (length($otp) > 48);
-
- $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url);
-
- my $params = {
- nonce => Digest::SHA::hmac_sha1_hex(time(), rand()),
- id => $api_id,
- otp => uri_escape($otp),
- timestamp => 1,
- };
-
- my ($paramstr, $sig) = yubico_compute_param_sig($params, $api_key);
-
- $paramstr .= "&h=$sig" if $api_key;
-
- my $req = HTTP::Request->new('GET' => "$url?$paramstr");
-
- my $ua = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], timeout => 30);
-
- if ($proxy) {
- $ua->proxy(['http', 'https'], $proxy);
- } else {
- $ua->env_proxy;
- }
-
- my $response = $ua->request($req);
- my $code = $response->code;
-
- if ($code != 200) {
- my $msg = $response->message || 'unknown';
- die "Invalid response from server: $code $msg\n";
- }
-
- my $raw = $response->decoded_content;
-
- my $result = {};
- foreach my $kvpair (split(/\n/, $raw)) {
- chomp $kvpair;
- if($kvpair =~ /^\S+=/) {
- my ($k, $v) = split(/=/, $kvpair, 2);
- $v =~ s/\s//g;
- $result->{$k} = $v;
- }
- }
-
- my $rsig = $result->{h};
- delete $result->{h};
-
- if ($api_key) {
- my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key);
- $vsig = uri_unescape($vsig);
- die "yubico: result signature verification failed\n" if $rsig ne $vsig;
- }
-
- die "yubico auth failed: $result->{status}\n" if $result->{status} ne 'OK';
-
- my $publicid = $result->{publicid} = substr(lc($result->{otp}), 0, 12);
-
- my $found;
- foreach my $k (PVE::Tools::split_list($keys)) {
- if ($k eq $publicid) {
- $found = 1;
- last;
- }
- }
-
- die "yubico auth failed: key does not belong to user\n" if !$found;
-
- return $result;
-}
-
-sub oath_verify_otp {
- my ($otp, $keys, $step, $digits) = @_;
-
- die "oath: missing password\n" if !defined($otp);
- die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
-
- $step = 30 if !$step;
- $digits = 6 if !$digits;
-
- my $found;
- foreach my $k (PVE::Tools::split_list($keys)) {
- # Note: we generate 3 values to allow small time drift
- my $binkey;
- if ($k =~ /^[A-Z2-7=]{16}$/) {
- $binkey = MIME::Base32::decode_rfc3548($k);
- } elsif ($k =~ /^[A-Fa-f0-9]{40}$/) {
- $binkey = pack('H*', $k);
- } else {
- die "unrecognized key format, must be hex or base32 encoded\n";
- }
-
- # force integer division for time/step
- use integer;
- my $now = time()/$step - 1;
- $found = 1 if $otp eq hotp($binkey, $now+0, $digits);
- $found = 1 if $otp eq hotp($binkey, $now+1, $digits);
- $found = 1 if $otp eq hotp($binkey, $now+2, $digits);
- last if $found;
- }
-
- die "oath auth failed\n" if !$found;
-}
-
# bash completion helpers
+register_standard_option('userid-completed',
+ get_standard_option('userid', { completion => \&complete_username}),
+);
+
sub complete_username {
my $user_cfg = cfs_read_file('user.cfg');