shimun/fido2pam
1
0
Fork 0
Code Issues Pull Requests Releases 7 Wiki Activity

Compare commits

base: shimun:0.2.1
Branches Tags
shimun:master shimun:pkg
shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:pkg
Branches Tags
shimun:master shimun:pkg
shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

7 Commits
0.2.1 ... pkg

Author SHA1 Message Date
shimun
f49e7162e3 nixpkg
Some checks failed
continuous-integration/drone/push Build is failing
Details
2020-04-04 16:10:06 +02:00
Shimun
96f64fff11 always check timeout condition
Some checks reported errors
continuous-integration/drone/push Build was killed
Details
2020-04-04 15:33:18 +02:00
Shimun
70d66f6a74 added debug flag
Some checks failed
continuous-integration/drone/tag Build is failing
Details
2020-04-04 15:26:49 +02:00
shimun
70f37844d3 update dep
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-04-03 23:13:30 +02:00
shimun
de535c49e7 added test subcommand
All checks were successful
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2020-04-03 15:08:56 +02:00
shimun
ed84b4dfcd rename
All checks were successful
continuous-integration/drone/tag Build is passing
Details
2020-04-03 01:56:04 +02:00
shimun
f3a3b600d6 parse pam config args
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-04-03 01:39:04 +02:00
8 changed files with 427 additions and 185 deletions
Expand all files Collapse all files

6
.drone.yml
View File

@@ -6,14 +6,14 @@ steps:
image: rust:1.41.0 image: rust:1.41.0
commands: commands:
- apt update && apt install -y libpam-dev - apt update && apt install -y libpam-dev
- cargo test --release - cargo test --debug
- name: build_relase - name: build_relase
image: rust:1.41.0 image: rust:1.41.0
commands: commands:
- apt update && apt install -y libpam-dev - apt update && apt install -y libpam-dev
- cargo build --release - cargo build --debug
- mkdir -p bin lib - mkdir -p bin lib
- bash -c 'cp $${CARGO_TARGET_DIR:-target}/release/fido2-pam-credential bin/; cp $${CARGO_TARGET_DIR:-target}/release/libpam_fido2.so lib/' - bash -c 'cp $${CARGO_TARGET_DIR:-target}/debug/pam_fido2-cli bin/; cp $${CARGO_TARGET_DIR:-target}/debug/libpam_fido2.so lib/'
- strip bin/* - strip bin/*
- tar cvzf pam_fido2.tar.gz bin lib src Cargo.* - tar cvzf pam_fido2.tar.gz bin lib src Cargo.*
when: when:

41
Cargo.lock generated
View File

@@ -190,8 +190,8 @@ dependencies = [
[[package]] [[package]]
name = "ctap_hmac" name = "ctap_hmac"
version = "0.3.0" version = "0.4.0"
source = "git+https://git.shimun.net/shimun/ctap?rev=1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1#1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1" source = "git+https://git.shimun.net/shimun/ctap?rev=cc48719cfa1375909877265905264fad875d1fa3#cc48719cfa1375909877265905264fad875d1fa3"
dependencies = [ dependencies = [
"byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)", "byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
"cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)", "cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -292,19 +292,6 @@ dependencies = [
"synstructure 0.12.1 (registry+https://github.com/rust-lang/crates.io-index)", "synstructure 0.12.1 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
[[package]]
name = "fido2_pam"
version = "0.1.0"
dependencies = [
"ctap_hmac 0.3.0 (git+https://git.shimun.net/shimun/ctap?rev=1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1)",
"ctrlc 3.1.4 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"pamsm 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
"rand 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
"regex 1.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
"structopt 0.3.11 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]] [[package]]
name = "fnv" name = "fnv"
version = "1.0.6" version = "1.0.6"
@@ -415,14 +402,24 @@ dependencies = [
] ]
[[package]] [[package]]
name = "pamsm" name = "pam_fido2"
version = "0.2.0" version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [ dependencies = [
"libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)", "ctap_hmac 0.4.0 (git+https://git.shimun.net/shimun/ctap?rev=cc48719cfa1375909877265905264fad875d1fa3)",
"time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)", "ctrlc 3.1.4 (registry+https://github.com/rust-lang/crates.io-index)",
"failure 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"pamsm 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
"rand 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
"regex 1.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
"structopt 0.3.11 (registry+https://github.com/rust-lang/crates.io-index)",
] ]
[[package]]
name = "pamsm"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]] [[package]]
name = "ppv-lite86" name = "ppv-lite86"
version = "0.2.6" version = "0.2.6"
@@ -891,7 +888,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
"checksum crossbeam-queue 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db" "checksum crossbeam-queue 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
"checksum crossbeam-utils 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8" "checksum crossbeam-utils 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
"checksum csv-core 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90" "checksum csv-core 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90"
"checksum ctap_hmac 0.3.0 (git+https://git.shimun.net/shimun/ctap?rev=1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1)" = "<none>" "checksum ctap_hmac 0.4.0 (git+https://git.shimun.net/shimun/ctap?rev=cc48719cfa1375909877265905264fad875d1fa3)" = "<none>"
"checksum ctrlc 3.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "7a4ba686dff9fa4c1c9636ce1010b0cf98ceb421361b0bb3d6faeec43bd217a7" "checksum ctrlc 3.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "7a4ba686dff9fa4c1c9636ce1010b0cf98ceb421361b0bb3d6faeec43bd217a7"
"checksum darling 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "0d706e75d87e35569db781a9b5e2416cff1236a47ed380831f959382ccd5f858" "checksum darling 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "0d706e75d87e35569db781a9b5e2416cff1236a47ed380831f959382ccd5f858"
"checksum darling_core 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b" "checksum darling_core 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
@@ -916,7 +913,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
"checksum nix 0.17.0 (registry+https://github.com/rust-lang/crates.io-index)" = "50e4785f2c3b7589a0d0c1dd60285e1188adac4006e8abd6dd578e1567027363" "checksum nix 0.17.0 (registry+https://github.com/rust-lang/crates.io-index)" = "50e4785f2c3b7589a0d0c1dd60285e1188adac4006e8abd6dd578e1567027363"
"checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2" "checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
"checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32" "checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"
"checksum pamsm 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "56d923d68b74200a15da0c04329bc38e9975939ad4f23d2ea2baaa5aa23fc80c" "checksum pamsm 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "0477e904be95ca350676c9e9e73776d2316b7a33d3d9fb72bc56884a2366e307"
"checksum ppv-lite86 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "74490b50b9fbe561ac330df47c08f3f33073d2d00c150f719147d7c54522fa1b" "checksum ppv-lite86 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "74490b50b9fbe561ac330df47c08f3f33073d2d00c150f719147d7c54522fa1b"
"checksum proc-macro-error 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)" = "e7959c6467d962050d639361f7703b2051c43036d03493c36f01d440fdd3138a" "checksum proc-macro-error 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)" = "e7959c6467d962050d639361f7703b2051c43036d03493c36f01d440fdd3138a"
"checksum proc-macro-error-attr 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)" = "e4002d9f55991d5e019fb940a90e1a95eb80c24e77cb2462dd4dc869604d543a" "checksum proc-macro-error-attr 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)" = "e4002d9f55991d5e019fb940a90e1a95eb80c24e77cb2462dd4dc869604d543a"

13
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package] [package]
name = "fido2_pam" name = "pam_fido2"
version = "0.2.1" version = "0.2.4"
authors = ["shimun <shimun@shimun.net>"] authors = ["shimun <shimun@shimun.net>"]
edition = "2018" edition = "2018"
@@ -12,15 +12,18 @@ path = "src/lib.rs"
crate-type = ["cdylib"] crate-type = ["cdylib"]
[[bin]] [[bin]]
name = "fido2-pam-credential" name = "pam_fido2-cli"
path = "src/main.rs" path = "src/main.rs"
[profile.release]
opt-level = 0
[dependencies] [dependencies]
ctap_hmac = { git = "https://git.shimun.net/shimun/ctap", branch = "assert_multiple", features = ["request_multiple"] } ctap_hmac = { git = "https://git.shimun.net/shimun/ctap", rev = "cc48719cfa1375909877265905264fad875d1fa3", features = ["request_multiple"] }
pamsm = "0.2.0" pamsm = { version = "0.3.3", features = ["libpam"] }
regex = "1.3.1" regex = "1.3.1"
rand = "0.7.2" rand = "0.7.2"
hex = "0.4.0" hex = "0.4.0"
structopt = "0.3.11" structopt = "0.3.11"
ctrlc = "3.1.4" ctrlc = "3.1.4"
failure = "0.1.6"

25
default.nix Normal file
View File

@@ -0,0 +1,25 @@
{ stdenv, fetchgit, pkgconfig, libu2f-host, pam, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "pam_fido2";
version = "0.2.4";
src = fetchgit {
url = "https://git.shimun.net/shimun/fido2pam.git";
rev = "${version}";
sha256 = "0i1x0axhdnbza9sx8nyh8dqmc2hacjqya54415kixfm9ddx519q0";
};
nativeBuildInputs = [ pkgconfig ];
buildInputs = [ pam ];
cargoSha256 = "0qjw3hrjdldqbv57i1sx3vmr5rhvmjf5axc2ypn9rzkb1sa500rz";
meta = with stdenv.lib; {
homepage = "https://git.shimun.net/shimun/fido2pam";
description = "A PAM module for allowing authentication with a FIDO2 device";
license = licenses.lgpl2;
platforms = platforms.unix;
maintainers = with maintainers; [ shimun ];
};
}

121
src/.lib.rs.rustfmt Normal file
View File

@@ -0,0 +1,121 @@
#[macro_use]
extern crate pamsm;
extern crate ctap_hmac as ctap;
use pamsm::{Pam, PamError, PamFlag, PamServiceModule};
use rand::Rng;
use regex::Regex;
use std::fs::File;
use std::io::{self, prelude::*, BufReader};
use std::time::{Duration, SystemTime};
struct PamFido2;
struct Settings {
pub device_timeout: Duration,
pub user_credentials: Vec<(String, String)>,
}
impl Default for Settings {
fn default() -> Self {
Settings {
device_timeout: Duration::from_secs(15),
user_credentials: vec![("091566e43802c5a29971c1e08d7865d959af862cc28af22dacf413ac26b90f6dea7d1ac491d9d3712c63f7b8d6cfadf86d057d099d382246dbe9c87f133ed167881b65030000".into(),".*".into())],
}
}
}
impl Settings {
/*pub fn load(file: impl Read) -> io::Result<Settings> {
}*/
pub fn load() -> Settings {
let mut creds = Vec::new();
for path in &["/etc/pam_fido2.conf"] {
let file = match File::open(&path) {
Ok(file) => file,
_ => continue,
};
let reader = BufReader::new(file);
for line in reader.lines() {
let line = line.unwrap();
let mut parts = line.split(":");
let user = parts.by_ref().next().unwrap();
creds.push((
(&parts.collect::<Vec<_>>()[..].join(":")).to_string(),
user.to_string(),
));
}
}
Settings {
user_credentials: creds,
..Default::default()
}
}
pub fn get_credential(&self, user: &str) -> Option<ctap::FidoCredential> {
for (cred, pattern) in self.user_credentials.iter() {
let re = Regex::new(&pattern).expect(&["Invalid regex pattern:", &pattern].join(" "));
if re.is_match(user) {
let mut parts = cred.split(":");
//TODO: use expect
let id = parts.by_ref().next().unwrap();
let key = parts.by_ref().next().unwrap();
return Some(ctap::FidoCredential {
id: hex::decode(id).unwrap(),
public_key: hex::decode(key).unwrap(),
rp_id: "pam".into(),
});
}
}
None
}
}
impl PamFido2 {
fn settings(&self) -> Settings {
Settings::load()
}
}
impl PamServiceModule for PamFido2 {
fn authenticate(self: &Self, pamh: Pam, _: PamFlag, _args: Vec<String>) -> PamError {
let settings = self.settings();
let begin = SystemTime::now();
let mut device = loop {
if let Ok(mut devices) = ctap::get_devices() {
if let Some(dev) = devices.next() {
break ctap::FidoDevice::new(&dev).unwrap();
}
}
if begin.elapsed().unwrap() > settings.device_timeout {
return PamError::AUTH_ERR;
}
};
let challenge = rand::thread_rng().gen::<[u8; 32]>();
let credential = match settings
.get_credential(
&pamh
.get_cached_user()
.ok()
.map(|name| name.unwrap().to_str().unwrap().to_string())
.expect("Faied to get username"),
) { Some(cred) => cred, _ => return PamError::CRED_UNAVAIL };
match device.get_assertion(&credential, &challenge) {
Ok(true) => PamError::SUCCESS,
_ => PamError::AUTH_ERR,
}
}
}
pamsm_init!(Box::new(PamFido2));
#[cfg(test)]
mod tests {
#[test]
fn it_works() {
assert_eq!(2 + 2, 4);
}
}

129
src/lib.rs
View File

@@ -1,128 +1,7 @@
#[macro_use] #[macro_use]
extern crate pamsm; extern crate pamsm;
extern crate ctap_hmac as ctap; extern crate ctap_hmac as ctap;
use ctap::{get_assertion_devices, FidoAssertionRequestBuilder, FidoDevice}; mod pamfido2;
use pamsm::{Pam, PamError, PamFlag, PamServiceModule}; use crate::pamsm::PamServiceModule;
use rand::Rng; use pamfido2::PamFido2;
use regex::Regex; pam_module!(PamFido2);
use std::fs::File;
use std::io::{self, prelude::*, BufReader};
use std::time::{Duration, SystemTime};
struct PamFido2;
struct Settings {
pub device_timeout: Duration,
pub user_credentials: Vec<(String, String)>,
}
impl Default for Settings {
fn default() -> Self {
Settings {
device_timeout: Duration::from_secs(15),
user_credentials: vec![("091566e43802c5a29971c1e08d7865d959af862cc28af22dacf413ac26b90f6dea7d1ac491d9d3712c63f7b8d6cfadf86d057d099d382246dbe9c87f133ed167881b65030000".into(),".*".into())],
}
}
}
impl Settings {
pub fn load() -> Settings {
let mut creds = Vec::new();
for path in &["./pam_fido2.conf", "/etc/pam_fido2.conf"] {
let file = match File::open(&path) {
Ok(file) => file,
_ => continue,
};
let reader = BufReader::new(file);
for line in reader.lines() {
let line = line.unwrap();
let mut parts = line.split(":");
if let Some(user) = parts.by_ref().next() {
creds.push((
(&parts.collect::<Vec<_>>()[..].join(":")).to_string(),
user.to_string(),
));
}
}
}
Settings {
user_credentials: creds,
..Default::default()
}
}
pub fn get_credentials(&self, user: &str) -> Vec<ctap::FidoCredential> {
let mut creds = Vec::new();
for (cred, pattern) in self.user_credentials.iter() {
let re = Regex::new(&pattern).expect(&["Invalid regex pattern:", &pattern].join(" "));
if re.is_match(user) {
let mut parts = cred.split(":");
//TODO: use expect
let id = parts.by_ref().next().unwrap();
let key = parts.by_ref().next().unwrap();
creds.push(ctap::FidoCredential {
id: hex::decode(id).unwrap(),
public_key: hex::decode(key).ok(),
});
}
}
creds
}
}
impl PamFido2 {
fn settings(&self) -> Settings {
Settings::load()
}
}
impl PamServiceModule for PamFido2 {
fn authenticate(self: &Self, pamh: Pam, _: PamFlag, _args: Vec<String>) -> PamError {
let settings = self.settings();
let begin = SystemTime::now();
let challenge = rand::thread_rng().gen::<[u8; 32]>();
let credentials = settings.get_credentials(
&pamh
.get_cached_user()
.ok()
.map(|name| name.unwrap().to_str().unwrap().to_string())
.expect("Faied to get username"),
);
if credentials.is_empty() {
return PamError::AUTH_ERR;
}
let slice = credentials.iter().collect::<Vec<_>>();
let request = FidoAssertionRequestBuilder::default()
.rp_id("fido2pam")
.client_data_hash(&challenge[..])
.credentials(&slice[..])
.build()
.unwrap();
loop {
let mut devices = match ctap::get_devices() {
Ok(devices) => devices
.filter_map(|handle| FidoDevice::new(&handle).ok())
.collect::<Vec<_>>(),
Err(_) => return PamError::AUTH_ERR,
};
match get_assertion_devices(&request, devices.iter_mut()) {
Ok(_) => return PamError::SUCCESS,
Err(_) if begin.elapsed().unwrap() > settings.device_timeout => {
return PamError::AUTH_ERR
}
Err(e) => eprintln!("{:?}", e),
}
}
}
}
pamsm_init!(Box::new(PamFido2));
#[cfg(test)]
mod tests {
#[test]
fn it_works() {
assert_eq!(2 + 2, 4);
}
}

59
src/main.rs
View File

@@ -1,41 +1,66 @@
extern crate ctap_hmac as ctap; extern crate ctap_hmac as ctap;
use ctap::{FidoCredentialRequestBuilder, FidoDevice}; extern crate pamsm;
mod pamfido2;
use ctap::{make_credential_devices, FidoCredentialRequestBuilder, FidoDevice};
use hex; use hex;
use std::env::args; use pamfido2::PamFido2;
use failure::ResultExt;
use std::error::Error;
use std::io::stdout; use std::io::stdout;
use std::io::Write; use std::io::Write;
use std::path::PathBuf;
use structopt; use structopt;
use structopt::StructOpt; use structopt::StructOpt;
#[derive(Debug, StructOpt)] #[derive(Debug, StructOpt)]
#[structopt(name = "fido2pam")] #[structopt(name = "fido2pam")]
struct CliOpt { struct CliOpt {
#[structopt(subcommand)]
action: Action,
}
#[derive(Debug, StructOpt)]
enum Action {
/// Generate a new credential
Credential {
/// Whether the authenticator should promt the user for verification /// Whether the authenticator should promt the user for verification
#[structopt(short, long = "user-verification")] #[structopt(short, long = "user-verification")]
uv: bool, uv: bool,
/// Username for which the credential will be requested /// Username for which the credential will be requested
username: String, username: String,
},
/// Test your config
Test {
/// Path to the file containing the credentials generated by `credential`
auth_file: PathBuf,
/// The username to test for
username: String,
},
} }
fn main() -> Result<(), ctap::FidoError> { fn main() -> Result<(), Box<dyn Error>> {
let opt = CliOpt::from_args(); match CliOpt::from_args().action {
let device_info = ctap::get_devices()?.next().expect("no device"); Action::Credential { uv, username } => {
let mut device = ctap::FidoDevice::new(&device_info)?; let mut devices = ctap::get_devices()
.compat()?
.filter_map(|handle| FidoDevice::new(&handle).ok())
.collect::<Vec<_>>();
let req = FidoCredentialRequestBuilder::default() let req = FidoCredentialRequestBuilder::default()
.rp_id("fido2pam") .rp_id("fido2pam")
.user_name(opt.username.as_ref()) .user_name(username.as_ref())
.uv(opt.uv) .uv(uv)
.build() .build()
.unwrap(); .unwrap();
let cred = device.make_credential(&req)?; let cred = make_credential_devices(&req, devices.iter_mut()).compat()?;
stdout() stdout()
.write_all( .write_all(
&[ &[
&opt.username, &username,
&hex::encode(&cred.id)[..], &hex::encode(&cred.id)[..],
&hex::encode(&cred.public_key.unwrap())[..], &hex::encode(&cred.public_key.unwrap())[..],
] ]
@@ -43,5 +68,17 @@ fn main() -> Result<(), ctap::FidoError> {
.as_bytes(), .as_bytes(),
) )
.unwrap(); .unwrap();
}
Action::Test {
auth_file: authfile,
username,
} => {
let res = PamFido2.fido_authenticate(
&username,
vec![["authfile=", authfile.to_str().unwrap()].join("")],
)?;
println!("{}", res)
}
};
Ok(()) Ok(())
} }

180
src/pamfido2.rs Normal file
View File

@@ -0,0 +1,180 @@
use ctap::{get_assertion_devices, FidoAssertionRequestBuilder, FidoDevice, FidoErrorKind};
use pamsm::PamLibExt;
use pamsm::{Pam, PamError, PamFlag, PamServiceModule};
use rand::Rng;
use regex::Regex;
use std::collections::HashMap;
use std::error::Error;
use std::fs::File;
use std::io::{self, prelude::*, BufReader};
use std::path::Path;
use std::time::{Duration, SystemTime};
use failure::ResultExt;
pub struct PamFido2;
struct Settings {
pub device_timeout: Duration,
pub user_credentials: Vec<(String, String)>,
pub debug: bool,
}
impl Default for Settings {
fn default() -> Self {
Settings {
debug: false,
device_timeout: Duration::from_secs(15),
user_credentials: vec![("091566e43802c5a29971c1e08d7865d959af862cc28af22dacf413ac26b90f6dea7d1ac491d9d3712c63f7b8d6cfadf86d057d099d382246dbe9c87f133ed167881b65030000".into(),".*".into())],
}
}
}
impl Settings {
pub fn from_args(args: Vec<String>) -> Result<Self, Box<dyn Error>> {
let args = args
.into_iter()
.filter_map(|arg| {
let mut parts = arg.split("=");
parts
.by_ref()
.next()
.map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
})
.collect::<HashMap<String, String>>();
let mut settings = Settings::load(
args.get("authfile")
.map(AsRef::as_ref)
.unwrap_or("/etc/fido2_pam.conf"),
)?;
let timeout = args
.get("timeout")
.map(|t| {
t.parse::<u64>()
.expect("invalid config timeout is supposed to be an int")
})
.map(Duration::from_secs);
if let Some(timeout) = timeout {
settings.device_timeout = timeout;
};
if let Some(debug) = args.get("debug").and_then(|d| d.parse::<bool>().ok()) {
settings.debug = debug;
}
Ok(settings)
}
pub fn load(path: impl AsRef<Path>) -> io::Result<Settings> {
let mut creds = Vec::new();
let file = File::open(path.as_ref())?;
let reader = BufReader::new(file);
for line in reader.lines() {
let line = line?;
let mut parts = line.split(":");
if let Some(user) = parts.by_ref().next() {
creds.push((
(&parts.collect::<Vec<_>>()[..].join(":")).to_string(),
user.to_string(),
));
}
}
Ok(Settings {
user_credentials: creds,
..Default::default()
})
}
pub fn get_credentials(&self, user: &str) -> Vec<ctap::FidoCredential> {
let mut creds = Vec::new();
for (cred, pattern) in self.user_credentials.iter() {
let re = Regex::new(&pattern).expect(&["Invalid regex pattern:", &pattern].join(" "));
if re.is_match(user) {
let mut parts = cred.split(":");
//TODO: use expect
let id = parts.by_ref().next().unwrap();
let key = parts.by_ref().next().unwrap();
creds.push(ctap::FidoCredential {
id: hex::decode(id).unwrap(),
public_key: hex::decode(key).ok(),
});
}
}
creds
}
}
impl PamFido2 {
pub fn fido_authenticate(
&self,
username: &str,
args: Vec<String>,
) -> Result<PamError, Box<dyn Error>> {
let settings = Settings::from_args(args)?;
let debug = |msg: &dyn Fn() -> String| {
if settings.debug {
eprintln!("{}", msg())
}
};
let begin = SystemTime::now();
let challenge = rand::thread_rng().gen::<[u8; 32]>();
let credentials = settings.get_credentials(username);
if credentials.is_empty() {
debug(&|| format!("Found no credentials for {}", username));
return Ok(PamError::AUTH_ERR);
}
debug(&|| format!("Found {} credentials for {}", credentials.len(), username));
let slice = credentials.iter().collect::<Vec<_>>();
let request = FidoAssertionRequestBuilder::default()
.rp_id("fido2pam")
.client_data_hash(&challenge[..])
.credentials(&slice[..])
.build()
.unwrap();
loop {
let mut devices = ctap::get_devices()
.compat()?
.filter_map(|handle| FidoDevice::new(&handle).ok())
.collect::<Vec<_>>();
if begin.elapsed().unwrap() > settings.device_timeout {
debug(&|| format!("Exceeded {:?} timeout", settings.device_timeout));
return Ok(PamError::AUTH_ERR);
}
if devices.is_empty() {
debug(&|| "Please connect your authenicator!".into());
std::thread::sleep(Duration::from_secs(1));
continue;
}
match get_assertion_devices(&request, devices.iter_mut()) {
Ok((cred, _)) => {
debug(&|| format!("Got assertion for credential: {}", hex::encode(&cred.id)));
return Ok(PamError::SUCCESS);
}
Err(_) if begin.elapsed().unwrap() > settings.device_timeout => {
debug(&|| format!("Exceeded {:?} timeout", settings.device_timeout));
return Ok(PamError::AUTH_ERR);
}
Err(e) if e.kind() == FidoErrorKind::DeviceUnsupported => continue,
Err(e) => Err(e).compat()?,
}
}
}
}
impl PamServiceModule for PamFido2 {
fn authenticate(pamh: Pam, _: PamFlag, args: Vec<String>) -> PamError {
let username = &pamh
.get_cached_user()
.ok()
.map(|name| name.unwrap().to_str().unwrap().to_string())
.expect("Failed to get username");
match PamFido2.fido_authenticate(username, args) {
Ok(e) => e,
Err(e) => {
eprintln!("{}", e);
PamError::AUTH_ERR
}
}
}
}