X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=ef158fb62fb4ac1a1b98a58c2ae24120dca624be;hp=f41d7ffcdee6221649ea8bd595a4308761732483;hb=077f078cd6b7d292e06d92048881180edac32ef8;hpb=63691fc66a15c2ab3b4c20df35354812ca46aae8 diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index f41d7ff..ef158fb 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -8,6 +8,9 @@ use Crypt::OpenSSL::RSA; use Net::SSLeay; use MIME::Base64; use Digest::SHA; +use Digest::HMAC_SHA1; +use URI::Escape; +use LWP::UserAgent; use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print); use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); use PVE::JSONSchema; @@ -360,10 +363,28 @@ sub check_user_enabled { return undef; } +sub verify_one_time_pw { + my ($usercfg, $username, $tfa_cfg, $otp) = @_; + + my $type = $tfa_cfg->{type}; + + die "missing one time password for Factor-two authentication '$type'\n" if !$otp; + + # fixme: proxy support? + my $proxy; + + if ($type eq 'yubico') { + my $keys = $usercfg->{users}->{$username}->{keys}; + yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy); + } else { + die "unknown tfa type '$type'\n"; + } +} + # password should be utf8 encoded # Note: some pluging delay/sleep if auth fails sub authenticate_user { - my ($username, $password) = @_; + my ($username, $password, $otp) = @_; die "no username specified\n" if !$username; @@ -387,6 +408,11 @@ sub authenticate_user { my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); $plugin->authenticate_user($cfg, $realm, $ruid, $password); + if ($cfg->{tfa}) { + my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($cfg->{tfa}); + verify_one_time_pw($usercfg, $username, $tfa_cfg, $otp); + } + return $username; } @@ -695,7 +721,7 @@ sub parse_user_config { my $et = shift @data; if ($et eq 'user') { - my ($user, $enable, $expire, $firstname, $lastname, $email, $comment) = @data; + my ($user, $enable, $expire, $firstname, $lastname, $email, $comment, $keys) = @data; my (undef, undef, $realm) = PVE::Auth::Plugin::verify_username($user, 1); if (!$realm) { @@ -727,6 +753,7 @@ sub parse_user_config { $cfg->{users}->{$user}->{email} = $email; $cfg->{users}->{$user}->{comment} = PVE::Tools::decode_text($comment) if $comment; $cfg->{users}->{$user}->{expire} = $expire; + $cfg->{users}->{$user}->{keys} = $keys if $keys; # allowed yubico key ids #$cfg->{users}->{$user}->{groups}->{$group} = 1; #$cfg->{groups}->{$group}->{$user} = 1; @@ -872,7 +899,8 @@ sub write_user_config { my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : ''; my $expire = int($d->{expire} || 0); my $enable = $d->{enable} ? 1 : 0; - $data .= "user:$user:$enable:$expire:$firstname:$lastname:$email:$comment:\n"; + my $keys = $d->{keys} ? $d->{keys} : ''; + $data .= "user:$user:$enable:$expire:$firstname:$lastname:$email:$comment:$keys:\n"; } $data .= "\n"; @@ -1098,4 +1126,102 @@ sub remove_vm_from_pool { lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed"); } +# experimental code for yubico OTP verification + +sub yubico_compute_param_sig { + my ($param, $api_key) = @_; + + my $paramstr = ''; + foreach my $key (sort keys %$param) { + $paramstr .= '&' if $paramstr; + $paramstr .= "$key=$param->{$key}"; + } + + my $sig = uri_escape(encode_base64(Digest::HMAC_SHA1::hmac_sha1($paramstr, decode_base64($api_key || '')), '')); + + return ($paramstr, $sig); +} + +sub yubico_verify_otp { + my ($otp, $keys, $url, $api_id, $api_key, $proxy) = @_; + + die "yubico: missing password\n" if !defined($otp); + die "yubico: missing API ID\n" if !defined($api_id); + die "yubico: missing API KEY\n" if !defined($api_key); + die "yubico: no associated yubico keys\n" if $keys =~ m/^\s+$/; + + die "yubico: wrong OTP lenght\n" if (length($otp) < 32) || (length($otp) > 48); + + # we always use http, because https cert verification always make problem, and + # some proxies does not work with https. + + $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url); + + my $params = { + nonce => Digest::HMAC_SHA1::hmac_sha1_hex(time(), rand()), + id => $api_id, + otp => uri_escape($otp), + timestamp => 1, + }; + + my ($paramstr, $sig) = yubico_compute_param_sig($params, $api_key); + + $paramstr .= "&h=$sig" if $api_key; + + my $req = HTTP::Request->new('GET' => "$url?$paramstr"); + + my $ua = LWP::UserAgent->new(protocols_allowed => ['http'], timeout => 30); + + if ($proxy) { + $ua->proxy(['http'], $proxy); + } else { + $ua->env_proxy; + } + + my $response = $ua->request($req); + my $code = $response->code; + + if ($code != 200) { + my $msg = $response->message || 'unknown'; + die "Invalid response from server: $code $msg\n"; + } + + my $raw = $response->decoded_content; + + my $result = {}; + foreach my $kvpair (split(/\n/, $raw)) { + chomp $kvpair; + if($kvpair =~ /^\S+=/) { + my ($k, $v) = split(/=/, $kvpair, 2); + $v =~ s/\s//g; + $result->{$k} = $v; + } + } + + my $rsig = $result->{h}; + delete $result->{h}; + + if ($api_key) { + my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key); + $vsig = uri_unescape($vsig); + die "yubico: result signature verification failed\n" if $rsig ne $vsig; + } + + die "yubico auth failed: $result->{status}\n" if $result->{status} ne 'OK'; + + my $publicid = $result->{publicid} = substr(lc($result->{otp}), 0, 12); + + my $found; + foreach my $k (PVE::Tools::split_list($keys)) { + if ($k eq $publicid) { + $found = 1; + last; + } + } + + die "yubico auth failed: key does not belong to user\n" if !$found; + + return $result; +} + 1;