From: Dietmar Maurer Date: Thu, 17 Jul 2014 11:59:53 +0000 (+0200) Subject: add oath two factor auth, bump version to 3.0-14 X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=1abc2c0aeea26040cda69d40e43a7791f77e400c add oath two factor auth, bump version to 3.0-14
---
diff --git a/Makefile b/Makefile
index 561b71c..eb7cb80 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@ RELEASE=3.2
 VERSION=3.0
 PACKAGE=libpve-access-control
-PKGREL=13
+PKGREL=14
 DESTDIR=
 PREFIX=/usr
@@ -35,10 +35,11 @@ pveum.1.pod: pveum
 mv $@.tmp $@
 .PHONY: install
-install: pveum.1.pod pveum.1.gz
+install: pveum.1.pod pveum.1.gz oathkeygen
 install -d ${DESTDIR}${BINDIR}
 install -d ${DESTDIR}${SBINDIR}
 install -m 0755 pveum ${DESTDIR}${SBINDIR}
+install -m 0755 oathkeygen ${DESTDIR}${BINDIR}
 make -C PVE install
 perl -I. ./pveum verifyapi
 install -d ${DESTDIR}/usr/share/man/man1
diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index dac5660..fff3734 100644
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -37,7 +37,7 @@ __PACKAGE__->register_method ({
 tfa => {
 description => "Two-factor authentication provider.",
 type => 'string',
-enum => [ 'yubico' ],
+enum => [ 'yubico', 'oath' ],
 optional => 1,
 },
 comment => { type => 'string', optional => 1 },
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index ef158fb..5a74a8e 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -376,6 +376,9 @@ sub verify_one_time_pw {
 if ($type eq 'yubico') {
 my $keys = $usercfg->{users}->{$username}->{keys};
 yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
+} elsif ($type eq 'oath') {
+my $keys = $usercfg->{users}->{$username}->{keys};
+oath_verify_otp($otp, $keys);
 } else {
 die "unknown tfa type '$type'\n";
 }
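Review bot: In the new `elsif ($type eq 'oath')` branch of verify_one_time_pw, `$keys` is handed to `oath_verify_otp` unchecked; `parse_user_config` (visible further down in this patch) only sets the `keys` field `if $keys`, so a user with no OATH secret enrolled yields `undef` here, and the callee's `$keys =~ m/^\s+$/` guard then warns (if the file runs under `use warnings`) instead of failing with a clear message. I'd reject that case in the caller, `die "oath: no associated oath keys for user '$username'\n" if !$keys;`, before the call. Both branches also fetch `$keys` identically, so `my $keys = $usercfg->{users}->{$username}->{keys};` could be hoisted above the `if`. The rest of verify_one_time_pw lies outside the hunk.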
@@ -753,7 +756,8 @@ sub parse_user_config {
 $cfg->{users}->{$user}->{email} = $email;
 $cfg->{users}->{$user}->{comment} = PVE::Tools::decode_text($comment) if $comment;
 $cfg->{users}->{$user}->{expire} = $expire;
-$cfg->{users}->{$user}->{keys} = $keys if $keys; # allowed yubico key ids
+# keys: allowed yubico key ids or oath secrets (base32 encoded)
+$cfg->{users}->{$user}->{keys} = $keys if $keys;
 #$cfg->{users}->{$user}->{groups}->{$group} = 1;
 #$cfg->{groups}->{$group}->{$user} = 1;
@@ -1224,4 +1228,34 @@ sub yubico_verify_otp {
 return $result;
 }
+sub oath_verify_otp {
+my ($otp, $keys) = @_;
+
+die "oath: missing password\n" if !defined($otp);
+die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
+
+my $step = 30;
+
+my $found;
+
+my $parser = sub {
+my $line = shift;
+
+if ($line =~ m/^\d{6}$/) {
+print "GOT:$line\n";
+$found = 1 if $otp eq $line;
+}
+};
+
+foreach my $k (PVE::Tools::split_list($keys)) {
+# Note: we generate 3 values to allow small time drift
+my $now = localtime(time() - $step);
+my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k];
+eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
+last if $found;
+}
+
+die "oath auth failed\n" if !$found;
+}
+
 1;
diff --git a/PVE/Auth/Plugin.pm b/PVE/Auth/Plugin.pm
index f19a33c..1308340 100755
--- a/PVE/Auth/Plugin.pm
+++ b/PVE/Auth/Plugin.pm
@@ -108,7 +108,7 @@ sub parse_tfa_config {
 foreach my $kvp (split(/,/, $data)) {
-if ($kvp =~ m/^type=(yubico)$/) {
+if ($kvp =~ m/^type=(yubico|oath)$/) {
 $res->{type} = $1;
 } elsif ($kvp =~ m/^id=(\S+)$/) {
 $res->{id} = $1;
diff --git a/changelog.Debian b/changelog.Debian
index 5ee9bb2..cc6d1b7 100644
--- a/changelog.Debian
+++ b/changelog.Debian
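Review bot: The new comment on the `keys` assignment should also record that the field's sensitivity has changed: a Yubico key ID is a public identifier, whereas a base32 OATH secret is the entire second factor, so any code path that returns, logs or exports this field of user.cfg now potentially hands out credentials. I'd extend it to `# keys: allowed yubico key ids or oath secrets (base32 encoded); oath secrets are credentials - never return them from the API or write them to logs`. Whether such paths exist cannot be seen from this hunk; parse_user_config starts and ends outside it.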
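Review bot: The `print "GOT:$line\n";` inside `$parser` writes every TOTP candidate oathtool emits — the codes that are valid for this user right now — to the calling process's stdout, which in a daemon is typically captured in a log; that is debug output and must go before this ships. The keys guard `$keys =~ m/^\s+$/` only rejects all-whitespace strings, so `undef` and `''` slip past it; it should read `die "oath: no associated oath keys\n" if !defined($keys) || $keys =~ m/^\s*$/;`. Nothing in the function records an accepted code or time step, so with `-w 2` an OTP, once observed, keeps being accepted for the remainder of the roughly 90-second window, whereas RFC 6238 requires a verifier to refuse a reused code — that needs a per-user last-used step kept outside this function. Note also that `-b $k` places the base32 secret on oathtool's command line, where it is visible in the process list to every local user for the duration of the call, unless oathtool offers another way to pass the key. Finally, `errfunc => sub {}` together with the bare `eval` makes a missing oathtool binary or a malformed secret indistinguishable from a wrong code; logging `$@` would help operators diagnose lockouts.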
@@ -1,3 +1,17 @@
+libpve-access-control (3.0-14) unstable; urgency=low
+
+ * add oath two factor auth
+
+ * add oathkeygen binary to generate keys for oath
+
+ * add yubico two factor auth
+
+ * dedend on oathtool
+
+ * depend on libmime-base32-perl
+
+ -- Proxmox Support Team Thu, 17 Jul 2014 13:09:56 +0200
+
 libpve-access-control (3.0-13) unstable; urgency=low
 * use correct connection string for AD auth
diff --git a/control.in b/control.in
index fffccb8..876d3dd 100644
--- a/control.in
+++ b/control.in
@@ -3,7 +3,7 @@ Version: @@VERSION@@-@@PKGRELEASE@@
 Section: perl
 Priority: optional
 Architecture: @@ARCH@@
-Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl
+Depends: libc6 (>= 2.3), perl (>= 5.6.0-16), libcrypt-openssl-rsa-perl, libcrypt-openssl-random-perl, libjson-xs-perl, libjson-perl, libterm-readline-gnu-perl,libnet-ldap-perl, libpve-common-perl, pve-cluster, libauthen-pam-perl, libnet-ssleay-perl, libdigest-hmac-perl, liburi-perl, libwww-perl, oathtool, libmime-base32-perl
 Maintainer: Proxmox Support Team
 Description: Proxmox VE access control library
 This package contains the role based user management and access
diff --git a/oathkeygen b/oathkeygen
new file mode 100755
index 0000000..84b6441
--- /dev/null
+++ b/oathkeygen
@@ -0,0 +1,11 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use MIME::Base32 qw(RFC); #libmime-base32-perl
+
+my $test;
+open(RND, "/dev/urandom");
+sysread(RND, $test, 10) == 10 || die "read randon data failed\n";
+print MIME::Base32::encode($test) . "\n";
+
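Review bot: oathkeygen opens /dev/urandom with an unchecked two-argument `open` on a bareword handle, so if the open fails the script only dies indirectly because `sysread` returns `undef` (with a warning) instead of reporting the real error; use the three-argument form and check it. It also generates a 10-byte (80-bit) secret, which is below the 128-bit minimum RFC 4226 requires for the HOTP/TOTP shared secret (160 bits recommended); unless a deployed authenticator is known to reject longer keys, a 20-byte secret costs nothing, and oathtool's `-b` should accept it. The error message also misspells "random". The rewrite below keeps the preamble and the base32 output format unchanged.
```perl
# … unchanged: shebang, use strict/warnings, use MIME::Base32 …
my $len = 20;    # 160-bit secret, the length RFC 4226 recommends (was 10 bytes)
my $secret;
open(my $rnd, '<', '/dev/urandom') or die "open /dev/urandom failed: $!\n";
sysread($rnd, $secret, $len) == $len or die "read random data failed\n";
close($rnd);
print MIME::Base32::encode($secret) . "\n";
```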