Skip to content
This repository was archived by the owner on Mar 8, 2023. It is now read-only.

U2F login for SSH#1

Merged
cornelinux merged 13 commits into
privacyidea:masterfrom
reardencode:master
Mar 4, 2016
Merged

U2F login for SSH#1
cornelinux merged 13 commits into
privacyidea:masterfrom
reardencode:master

Conversation

@reardencode

Copy link
Copy Markdown
Contributor

I know there's some misc. cleanup needed in this code, but would like feedback at this point on whether this is a direction you're interested in.

@cornelinux

Copy link
Copy Markdown
Member

I like this idea a lot. Let me take a look at this.
Hm - I also see I have to move the pam_python test from privacyidea/privacyidea here...

Comment thread privacyidea_pam.py Outdated
----- END U2F CHALLENGE -----""" % (self.URL,
json.dumps(attributes["u2fSignRequest"]),
str(detail.get("message", "")))
if transaction_id:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just from a logic standpoint I would first check for transaction_id, since transaction_id indicates, that we do a challenge_response.
Within the transaction_id if-branch, I would then check if it is U2F-Challenge and if not do "unsupported challenge". This way, we can add other challenges in the transaction_id if-branch later, easily.

(This could be stuff like SMS or TiQR...)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll re-arrange it. I roughly copied the logic here from the simplesamlphp module, must have misunderstood part of it.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...maybe also the simplesaml module is a bit crappy. Code gets better when looking on it a 2nd and 3rd time.

@cornelinux

Copy link
Copy Markdown
Member

As soon as we are done, you are welcome to add a line at the top of the file as changelog like:

2016-03-XY your data

Added U2F functionality.... or whatever...

Comment thread ssh-u2f.py Outdated
"[^ \r\n]+",
pexpect.EOF])

if index == 0:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get an "index == 1" here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, are you using privacyIDEA PAM as your primary authentication as opposed to secondary? I totally forgot about that use case (we require publickey + U2F)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should work now.

@cornelinux

Copy link
Copy Markdown
Member

in ssh-u2f.py I jump into the while loop before entering the password.
THere i get an index==2.
Which is logical, since I have not entered the OTP PIN and the request was not sent to privacyidea.
At this point, I have no challenge!!!

Then I jump into the passthrough. But then I will never enter the while loop with a challenge again!

I have an OTP PIN set!

@reardencode

Copy link
Copy Markdown
Contributor Author

Ah, also hadn't occurred to me that people still use password auth for SSH. I'll have to do some work to support Password.

@reardencode

Copy link
Copy Markdown
Contributor Author

Give the latest version a shot -- might still need lots of tweaking to work for specific people's SSH setups :(

cornelinux added a commit that referenced this pull request Mar 4, 2016
@cornelinux
cornelinux merged commit f080b8d into privacyidea:master Mar 4, 2016
@cornelinux

Copy link
Copy Markdown
Member

Hi,
It still does not work for me on SSH. It could have something to do with my SSH scenario.
I added code to also support "normal" challenge response with first providing PIN and than the OTP (i.e. with SMS or Email).

This worked for "login" but not for "ssh". It fails with pamh.conversation.

@reardencode

Copy link
Copy Markdown
Contributor Author

If I can repro your ssh setup, I'll try to fix the ssh-u2f wrapper for it...

qlux pushed a commit to qlux/pam_python that referenced this pull request Aug 17, 2020
Auto-enrollment with api key and email fixes privacyidea#2
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants