From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id BECF47D89E for ; Tue, 9 Nov 2021 12:28:23 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 23C0BB018 for ; Tue, 9 Nov 2021 12:27:29 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id AA607AF8C for ; Tue, 9 Nov 2021 12:27:25 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 73DE9468FF for ; Tue, 9 Nov 2021 12:27:25 +0100 (CET) From: Wolfgang Bumiller To: pve-devel@lists.proxmox.com Date: Tue, 9 Nov 2021 12:27:02 +0100 Message-Id: <20211109112721.130935-14-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211109112721.130935-1-w.bumiller@proxmox.com> References: <20211109112721.130935-1-w.bumiller@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.531 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [accesscontrol.pm, tfa.pm] Subject: [pve-devel] [PATCH access-control 07/10] support registering yubico otp keys X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Nov 2021 11:28:23 -0000 In PBS we don't support this, so the current TFA API in rust does not support this either (although the config does know about its *existence*). For now, yubico authentication will be done in perl. Adding it to rust the rust TFA crate would not make much sense anyway as we'd likely not want to use the same http client crate in pve and pbs anyway (since pve is all blocking code and pbs is async...) Signed-off-by: Wolfgang Bumiller --- src/PVE/API2/TFA.pm | 34 +++++++++++++++++++++++++++++++--- src/PVE/AccessControl.pm | 15 ++++++++++----- 2 files changed, 41 insertions(+), 8 deletions(-) diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm index 1888699..2fbc7a8 100644 --- a/src/PVE/API2/TFA.pm +++ b/src/PVE/API2/TFA.pm @@ -395,9 +395,15 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my $authuser = $rpcenv->get_user(); - my $userid = + my ($userid, $realm) = root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password}); + my $type = delete $param->{type}; + my $value = delete $param->{value}; + if ($type eq 'yubico') { + $value = validate_yubico_otp($userid, $realm, $value); + } + return PVE::AccessControl::lock_tfa_config(sub { my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); PVE::AccessControl::configure_u2f_and_wa($tfa_cfg); @@ -406,9 +412,9 @@ __PACKAGE__->register_method ({ $userid, $param->{description}, $param->{totp}, - $param->{value}, + $value, $param->{challenge}, - $param->{type}, + $type, ); cfs_write_file('priv/tfa.cfg', $tfa_cfg); @@ -417,6 +423,28 @@ __PACKAGE__->register_method ({ }); }}); +sub validate_yubico_otp : prototype($$) { + my ($userid, $realm, $value) = @_; + + my $domain_cfg = cfs_read_file('domains.cfg'); + my $realm_cfg = $domain_cfg->{ids}->{$realm}; + die "auth domain '$realm' does not exist\n" if !$realm_cfg; + + my $realm_tfa = $realm_cfg->{tfa}; + die "no yubico otp configuration available for realm $realm\n" + if !$realm_tfa; + + $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa); + die "realm is not setup for Yubico OTP\n" + if !$realm_tfa || $realm_tfa->{type} ne 'yubico'; + + my $public_key = substr($value, 0, 12); + + PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa); + + return $public_key; +} + __PACKAGE__->register_method ({ name => 'update_tfa_entry', path => '{userid}/{id}', diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index fd80368..cd46507 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -806,16 +806,21 @@ sub authenticate_yubico_new : prototype($$$) { my $keys = $tfa_cfg->get_yubico_keys($username); die "no keys configured\n" if !defined($keys) || !length($keys); - # Defer to after unlocking the TFA config: - - # fixme: proxy support? - my $proxy; - PVE::OTP::yubico_verify_otp($otp, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy); + authenticate_yubico_do($otp, $keys, $realm); # return `undef` to clear the tfa challenge. return undef; } +sub authenticate_yubico_do : prototype($$$) { + my ($value, $keys, $realm) = @_; + + # fixme: proxy support? + my $proxy = undef; + + PVE::OTP::yubico_verify_otp($value, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy); +} + sub configure_u2f_and_wa : prototype($) { my ($tfa_cfg) = @_; -- 2.30.2