U2F login for SSH#1
Conversation
|
I like this idea a lot. Let me take a look at this. |
| ----- END U2F CHALLENGE -----""" % (self.URL, | ||
| json.dumps(attributes["u2fSignRequest"]), | ||
| str(detail.get("message", ""))) | ||
| if transaction_id: |
There was a problem hiding this comment.
Just from a logic standpoint I would first check for transaction_id, since transaction_id indicates, that we do a challenge_response.
Within the transaction_id if-branch, I would then check if it is U2F-Challenge and if not do "unsupported challenge". This way, we can add other challenges in the transaction_id if-branch later, easily.
(This could be stuff like SMS or TiQR...)
There was a problem hiding this comment.
I'll re-arrange it. I roughly copied the logic here from the simplesamlphp module, must have misunderstood part of it.
There was a problem hiding this comment.
...maybe also the simplesaml module is a bit crappy. Code gets better when looking on it a 2nd and 3rd time.
|
As soon as we are done, you are welcome to add a line at the top of the file as changelog like: 2016-03-XY your dataAdded U2F functionality.... or whatever... |
| "[^ \r\n]+", | ||
| pexpect.EOF]) | ||
|
|
||
| if index == 0: |
There was a problem hiding this comment.
Ah, are you using privacyIDEA PAM as your primary authentication as opposed to secondary? I totally forgot about that use case (we require publickey + U2F)
There was a problem hiding this comment.
Should work now.
|
in ssh-u2f.py I jump into the while loop before entering the password. Then I jump into the passthrough. But then I will never enter the while loop with a challenge again! I have an OTP PIN set! |
|
Ah, also hadn't occurred to me that people still use password auth for SSH. I'll have to do some work to support Password. |
|
Give the latest version a shot -- might still need lots of tweaking to work for specific people's SSH setups :( |
|
Hi, This worked for "login" but not for "ssh". It fails with pamh.conversation. |
|
If I can repro your ssh setup, I'll try to fix the ssh-u2f wrapper for it... |
Auto-enrollment with api key and email fixes privacyidea#2
I know there's some misc. cleanup needed in this code, but would like feedback at this point on whether this is a direction you're interested in.