From: Dietmar Maurer
Date: Wed, 23 Jul 2014 04:59:01 +0000 (+0200)
Subject: add step/digits option to oath configuration
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=86cd805b635299fd810ff80a79cac8a37f7e6a63

add step/digits option to oath configuration
---
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 5a74a8e..4ba612c 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -378,7 +378,7 @@ sub verify_one_time_pw {
 yubico_verify_otp($otp, $keys, $tfa_cfg->{url}, $tfa_cfg->{id}, $tfa_cfg->{key}, $proxy);
 } elsif ($type eq 'oath') {
 my $keys = $usercfg->{users}->{$username}->{keys};
- oath_verify_otp($otp, $keys);
+ oath_verify_otp($otp, $keys, $tfa_cfg->{step}, $tfa_cfg->{digits});
 } else {
 die "unknown tfa type '$type'\n";
 }
@@ -1229,12 +1229,13 @@ sub yubico_verify_otp {
 }
 sub oath_verify_otp {
- my ($otp, $keys) = @_;
+ my ($otp, $keys, $step, $digits) = @_;
 die "oath: missing password\n" if !defined($otp);
 die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
- my $step = 30;
+ $step = 30 if !$step;
+ $digits = 6 if !$digits;
 my $found;
@@ -1250,7 +1251,7 @@ sub oath_verify_otp {
 foreach my $k (PVE::Tools::split_list($keys)) {
 # Note: we generate 3 values to allow small time drift
 my $now = localtime(time() - $step);
- my $cmd = ['oathtool', '--totp', '-N', $now, '-s', $step, '-w', '2', '-b', $k];
+ my $cmd = ['oathtool', '--totp', '--digits', $digits, '-N', $now, '-s', $step, '-w', '2', '-b', $k];
 eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
 last if $found;
 }
diff --git a/PVE/Auth/Plugin.pm b/PVE/Auth/Plugin.pm
index 46b2d3b..6b0298c 100755
--- a/PVE/Auth/Plugin.pm
+++ b/PVE/Auth/Plugin.pm
@@ -116,6 +116,10 @@ sub parse_tfa_config {
 $res->{key} = $1;
 } elsif ($kvp =~ m/^url=(\S+)$/) {
 $res->{url} = $1;
+ } elsif ($kvp =~ m/^digits=([6|7|8])$/) {
+ $res->{digits} = $1;
+ } elsif ($kvp =~ m/^step=([1-9]\d+)$/) {
+ $res->{step} = $1;
 } else {
 return undef;
 }
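Review bot: The new `$step` and `$digits` parameters of oath_verify_otp are only defaulted, never validated, yet the third hunk passes them straight into the oathtool argv (`--digits`, `-s`); the only validation is the regex in parse_tfa_config, so any other caller of this sub can hand it arbitrary strings. List-form run_command keeps the shell out of it, but a value starting with `-` would be read by oathtool as an option, so the sub should enforce its own contract right after the defaults: `die "oath: invalid step '$step'\n" if $step !~ m/^\d+$/;` and `die "oath: invalid digits '$digits'\n" if $digits !~ m/^[678]$/;`. Using `$step //= 30;` / `$digits //= 6;` would also make the intent (undefined, not merely false) explicit, though with the current config regexes the difference is not observable. As a side note, the existing `$keys =~ m/^\s+$/` guard on the context line matches only whitespace-only strings, so an undef or empty key list presumably falls through to the loop with nothing to verify; oath_verify_otp's body continues outside the hunk.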
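Review bot: The two new config regexes in parse_tfa_config do not match what they are meant to accept. The character class `[6|7|8]` also matches the literal `|`, so `digits=|` is accepted and stored; it should read `} elsif ($kvp =~ m/^digits=([678])$/) {`. `[1-9]\d+` requires at least two digits, so `step=5` is rejected while `step=10` is accepted; if single-digit steps are intended it should be `} elsif ($kvp =~ m/^step=([1-9]\d*)$/) {`. Since these captures are later passed on the oathtool command line, anchoring with `\z` rather than `$` would additionally exclude a trailing newline, assuming `$kvp` can carry one, which is not visible here; the enclosing `elsif` chain starts and ends outside the hunk.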