};
sub assemble_ticket {
- my ($username) = @_;
+ my ($data) = @_;
my $rsa_priv = get_privkey();
- return PVE::Ticket::assemble_rsa_ticket($rsa_priv, 'PVE', $username);
+ return PVE::Ticket::assemble_rsa_ticket($rsa_priv, 'PVE', $data);
}
sub verify_ticket {
$rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);
};
- my ($username, $age) = $check->();
+ my ($data, $age) = $check->();
# check with old, rotated key if current key failed
- ($username, $age) = $check->(1) if !defined($username);
+ ($data, $age) = $check->(1) if !defined($data);
- if (!defined($username)) {
+ my $auth_failure = sub {
if ($noerr) {
return undef;
} else {
# raise error via undef ticket
PVE::Ticket::verify_rsa_ticket(undef, 'PVE');
}
+ };
+
+ if (!defined($data)) {
+ return $auth_failure->();
+ }
+
+ my ($username, $tfa_info);
+ if ($data =~ m{^u2f!([^!]+)!([0-9a-zA-Z/.=_\-+]+)$}) {
+ # Ticket for u2f-users:
+ ($username, my $challenge) = ($1, $2);
+ if ($challenge eq 'verified') {
+ # u2f challenge was completed
+ $challenge = undef;
+ } elsif (!wantarray) {
+ # The caller is not aware there could be an ongoing challenge,
+ # so we treat this ticket as invalid:
+ return $auth_failure->();
+ }
+ $tfa_info = {
+ type => 'u2f',
+ challenge => $challenge,
+ };
+ } elsif ($data =~ /^tfa!(.*)$/) {
+ # TOTP and Yubico don't require a challenge so this is the generic
+ # 'missing 2nd factor ticket'
+ $username = $1;
+ $tfa_info = { type => 'tfa' };
+ } else {
+ # Regular ticket (full access)
+ $username = $data;
}
return undef if !PVE::Auth::Plugin::verify_username($username, $noerr);
- return wantarray ? ($username, $age) : $username;
+ return wantarray ? ($username, $age, $tfa_info) : $username;
}
# VNC tickets
my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
$plugin->authenticate_user($cfg, $realm, $ruid, $password);
- my $u2f;
-
my ($type, $tfa_data) = user_get_tfa($username, $realm);
if ($type) {
if ($type eq 'u2f') {
# Note that if the user did not manage to complete the initial u2f registration
# challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry:
- $u2f = $tfa_data if !exists $tfa_data->{challenge};
+ $tfa_data = undef if exists $tfa_data->{challenge};
+ } elsif (!defined($otp)) {
+ # The user requires a 2nd factor but has not provided one. Return success but
+ # don't clear $tfa_data.
} else {
my $keys = $tfa_data->{keys};
my $tfa_cfg = $tfa_data->{config};
verify_one_time_pw($type, $username, $keys, $tfa_cfg, $otp);
+ $tfa_data = undef;
+ }
+
+ # Return the type along with the rest:
+ if ($tfa_data) {
+ $tfa_data = {
+ type => $type,
+ data => $tfa_data,
+ };
}
}
- return wantarray ? ($username, $u2f) : $username;
+ return wantarray ? ($username, $tfa_data) : $username;
}
sub domain_set_password {
lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
}
-my $CUSTOM_TFA_TYPES = {
+my $USER_CONTROLLED_TFA_TYPES = {
u2f => 1,
oath => 1,
};
# The 'yubico' type requires yubico server settings, which have to be configured on the
# realm, so this is not supported here:
die "domain '$realm' does not support TFA type '$type'\n"
- if defined($data) && !$CUSTOM_TFA_TYPES->{$type};
+ if defined($data) && !$USER_CONTROLLED_TFA_TYPES->{$type};
}
# Custom TFA entries are stored in priv/tfa.cfg as they can be more complet: u2f uses a