U2F login for SSH

f21515ad · Brandon Smith · ad8bf46e · f21515ad · f21515ad
Commit f21515ad authored Mar 02, 2016 by Brandon Smith
Hide whitespace changes
Inline Side-by-side

Showing with 149 additions and 9 deletions

privacyidea_pam.py privacyidea_pam.py +92 -9

ssh-u2f.py ssh-u2f.py +57 -0

No files found.
--- a/privacyidea_pam.py
+++ b/privacyidea_pam.py
@@ -33,6 +33,7 @@ privacyIDEA authentication system.
 The code is tested in test_pam_module.py
 """

+import json
 import requests
 import syslog
 import sqlite3
@@ -75,6 +76,18 @@ class Authenticator(object):
        self.debug = config.get("debug")
        self.sqlfile = config.get("sqlfile", "/etc/privacyidea/pam.sqlite")

+    def make_request(self, data):
+        response = requests.post(self.URL + "/validate/check", data=data,
+                                 verify=self.sslverify)
+
+        json_response = response.json
+        if callable(json_response):
+            syslog.syslog(syslog.LOG_DEBUG, "requests > 1.0")
+            json_response = json_response()
+
+        return json_response
+
+
    def authenticate(self, password):
        rval = self.pamh.PAM_SYSTEM_ERR
        # First we try to authenticate against the sqlitedb
@@ -91,13 +104,8 @@ class Authenticator(object):
                    "pass": password}
            if self.realm:
                data["realm"] = self.realm
-            response = requests.post(self.URL + "/validate/check", data=data,
-                                     verify=self.sslverify)

-            json_response = response.json
-            if callable(json_response):
-                syslog.syslog(syslog.LOG_DEBUG, "requests > 1.0")
-                json_response = json_response()
+            json_response = self.make_request(data)

            result = json_response.get("result")
            auth_item = json_response.get("auth_items")
@@ -105,8 +113,10 @@ class Authenticator(object):
            serial = detail.get("serial", "T%s" % time.time())
            tokentype = detail.get("type", "unknown")
            if self.debug:
-                syslog.syslog(syslog.LOG_DEBUG, "%s: result: %s" % (__name__,
-                                                                    result))
+                syslog.syslog(syslog.LOG_DEBUG,
+                              "%s: result: %s" % (__name__, result))
+                syslog.syslog(syslog.LOG_DEBUG,
+                              "%s: detail: %s" % (__name__, detail))

            if result.get("status"):
                if result.get("value"):
@@ -114,7 +124,41 @@ class Authenticator(object):
                    save_auth_item(self.sqlfile, self.user, serial, tokentype,
                                   auth_item)
                else:
-                    rval = self.pamh.PAM_AUTH_ERR
+                    transaction_id = detail.get("transaction_id")
+                    challenge = None
+
+                    if "attributes" in detail:
+                        attributes = detail.get("attributes")
+                        if "u2fSignRequest" in attributes:
+                            syslog.syslog(syslog.LOG_DEBUG,
+                                    "Prompting for U2F authentication")
+# In case of U2F the $attributes looks like this:
+# {
+#     "img": "static/css/FIDO-U2F-Security-Key-444x444.png#012",
+#     "hideResponseInput" "1",
+#     "u2fSignRequest": {
+#         "challenge": "yji-PL1V0QELilDL3m6Lc-1yahpKZiU-z6ye5Zz2mp8",
+#         "version": "U2F_V2",
+#         "keyHandle": "fxDKTr6o8EEGWPyEyRVDvnoeA0c6v-dgvbN-6Mxc6XBmEItsw",
+#         "appId": "https://172.16.200.138"
+#     }
+# }
+                            challenge = """
+----- BEGIN U2F CHALLENGE -----
+%s
+%s
+----- END U2F CHALLENGE -----""" % (self.URL, json.dumps(attributes["u2fSignRequest"]))
+                    if transaction_id:
+                        if challenge:
+                            rval = self.challenge_response(transaction_id,
+                                                           challenge)
+                        else:
+                            syslog.syslog(syslog.LOG_ERR,
+                                          "%s: unsupported challenge" %
+                                          __name__)
+
+                    else:
+                        rval = self.pamh.PAM_AUTH_ERR
            else:
                syslog.syslog(syslog.LOG_ERR,
                              "%s: %s" % (__name__,
@@ -122,6 +166,45 @@ class Authenticator(object):

        return rval

+    def challenge_response(self, transaction_id, challenge):
+        rval = self.pamh.PAM_SYSTEM_ERR
+
+        message = self.pamh.Message(self.pamh.PAM_PROMPT_ECHO_OFF, challenge)
+        response = self.pamh.conversation(message)
+        chal_response = json.loads(response.resp)
+
+        data = {"user": self.user,
+                "transaction_id": transaction_id,
+                "pass": self.pamh.authtok,
+                "signaturedata": chal_response.get("signatureData"),
+                "clientdata": chal_response.get("clientData")}
+        if self.realm:
+            data["realm"] = self.realm
+
+        json_response = self.make_request(data)
+
+        result = json_response.get("result")
+        detail = json_response.get("detail")
+
+        if self.debug:
+            syslog.syslog(syslog.LOG_DEBUG,
+                          "%s: result: %s" % (__name__, result))
+            syslog.syslog(syslog.LOG_DEBUG,
+                          "%s: detail: %s" % (__name__, detail))
+
+        if result.get("status"):
+            if result.get("value"):
+                rval = self.pamh.PAM_SUCCESS
+            else:
+                rval = self.pamh.PAM_AUTH_ERR
+        else:
+            syslog.syslog(syslog.LOG_ERR,
+                          "%s: %s" % (__name__,
+                                      result.get("error").get("message")))
+
+        return rval
+
+

 def pam_sm_authenticate(pamh, flags, argv):
    config = _get_config(argv)

--- a/ssh-u2f.py
+++ b/ssh-u2f.py
+#!/usr/bin/env python
+from __future__ import print_function
+
+import getpass,os,re,signal,subprocess,sys
+import pexpect
+
+ssh = None
+
+def handler(signum, frame):
+    if ssh:
+        ssh.kill(signum)
+    sys.exit(signum)
+
+signal.signal(signal.SIGQUIT, handler)
+signal.signal(signal.SIGTERM, handler)
+signal.signal(signal.SIGINT, handler)
+
+def winch_handler(signum, frame):
+    if ssh:
+        rows, cols = os.popen('stty size', 'r').read().split()
+        ssh.setwinsize(int(rows), int(cols))
+
+signal.signal(signal.SIGWINCH, winch_handler)
+
+ssh = pexpect.spawn("ssh", sys.argv[1:])
+winch_handler(None, None)
+
+index = -1
+pattern_list = ssh.compile_pattern_list([
+    "Enter additional factors:.*",
+    "----- BEGIN U2F CHALLENGE -----\r?\n([^\r\n]*)\r?\n(.*)\r?\n----- END U2F CHALLENGE -----",
+    "Welcome.*",
+    pexpect.EOF
+])
+while True:
+    index = ssh.expect_list(pattern_list)
+    if index == 0:
+        try:
+            pin = getpass.getpass(ssh.match.group())
+        except EOFError:
+            pin = ""
+        ssh.sendline(pin)
+    elif index == 1:
+        p = subprocess.Popen(["/usr/local/bin/u2f-host", "-aauthenticate",
+                              "-o", ssh.match.group(1)],
+                             env={"LD_LIBRARY_PATH": "/usr/local/lib"},
+                             stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+        out, err = p.communicate(ssh.match.group(2))
+        p.stdin.close()
+        p.wait()
+        ssh.sendline(out.strip())
+    else:
+        break
+if index == 3:
+    sys.exit(0)
+sys.stdout.write(ssh.match.group())
+ssh.interact()