shimun/fido2pam
1
0
Fork 0
Code Issues Pull Requests Releases 7 Wiki Activity

Compare commits

base: shimun:0.2.2
Branches Tags
shimun:master shimun:pkg
shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0
..
compare: shimun:0.2.4
Branches Tags
shimun:master shimun:pkg
shimun:0.2.7 shimun:0.2.6 shimun:0.2.5 shimun:0.2.4 shimun:0.2.3 shimun:0.2.2 shimun:0.2.1 shimun:0.2.0

3 Commits
0.2.2 ... 0.2.4

Author SHA1 Message Date
Shimun
c6e10471b8 added debug flag
All checks were successful
continuous-integration/drone/tag Build is passing
Details
2020-04-04 15:35:11 +02:00
shimun
70f37844d3 update dep
All checks were successful
continuous-integration/drone/push Build is passing
Details
2020-04-03 23:13:30 +02:00
shimun
de535c49e7 added test subcommand
All checks were successful
continuous-integration/drone/tag Build is passing
Details
continuous-integration/drone/push Build is passing
Details
2020-04-03 15:08:56 +02:00
6 changed files with 268 additions and 193 deletions
Expand all files Collapse all files

2
.drone.yml
View File

@@ -13,7 +13,7 @@ steps:
- apt update && apt install -y libpam-dev
- cargo build --release
- mkdir -p bin lib
- bash -c 'cp $${CARGO_TARGET_DIR:-target}/release/fido2-pam-credential bin/; cp $${CARGO_TARGET_DIR:-target}/release/libpam_fido2.so lib/'
- bash -c 'cp $${CARGO_TARGET_DIR:-target}/release/pam_fido2-cli bin/; cp $${CARGO_TARGET_DIR:-target}/release/libpam_fido2.so lib/'
- strip bin/*
- tar cvzf pam_fido2.tar.gz bin lib src Cargo.*
when:

21
Cargo.lock generated
View File

@@ -190,8 +190,8 @@ dependencies = [
[[package]]
name = "ctap_hmac"
version = "0.3.0"
source = "git+https://git.shimun.net/shimun/ctap?rev=1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1#1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1"
version = "0.4.0"
source = "git+https://git.shimun.net/shimun/ctap?rev=cc48719cfa1375909877265905264fad875d1fa3#cc48719cfa1375909877265905264fad875d1fa3"
dependencies = [
"byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)",
"cbor-codec 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -403,12 +403,13 @@ dependencies = [
[[package]]
name = "pam_fido2"
version = "0.2.2"
version = "0.2.4"
dependencies = [
"ctap_hmac 0.3.0 (git+https://git.shimun.net/shimun/ctap?rev=1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1)",
"ctap_hmac 0.4.0 (git+https://git.shimun.net/shimun/ctap?rev=cc48719cfa1375909877265905264fad875d1fa3)",
"ctrlc 3.1.4 (registry+https://github.com/rust-lang/crates.io-index)",
"failure 0.1.6 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
"pamsm 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
"pamsm 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
"rand 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
"regex 1.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
"structopt 0.3.11 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -416,12 +417,8 @@ dependencies = [
[[package]]
name = "pamsm"
version = "0.2.0"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)",
"time 0.1.42 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "ppv-lite86"
@@ -891,7 +888,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
"checksum crossbeam-queue 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "c695eeca1e7173472a32221542ae469b3e9aac3a4fc81f7696bcad82029493db"
"checksum crossbeam-utils 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c3c7c73a2d1e9fc0886a08b93e98eb643461230d5f1925e4036204d5f2e261a8"
"checksum csv-core 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)" = "2b2466559f260f48ad25fe6317b3c8dac77b5bdb5763ac7d9d6103530663bc90"
"checksum ctap_hmac 0.3.0 (git+https://git.shimun.net/shimun/ctap?rev=1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1)" = "<none>"
"checksum ctap_hmac 0.4.0 (git+https://git.shimun.net/shimun/ctap?rev=cc48719cfa1375909877265905264fad875d1fa3)" = "<none>"
"checksum ctrlc 3.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "7a4ba686dff9fa4c1c9636ce1010b0cf98ceb421361b0bb3d6faeec43bd217a7"
"checksum darling 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "0d706e75d87e35569db781a9b5e2416cff1236a47ed380831f959382ccd5f858"
"checksum darling_core 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f0c960ae2da4de88a91b2d920c2a7233b400bc33cb28453a2987822d8392519b"
@@ -916,7 +913,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
"checksum nix 0.17.0 (registry+https://github.com/rust-lang/crates.io-index)" = "50e4785f2c3b7589a0d0c1dd60285e1188adac4006e8abd6dd578e1567027363"
"checksum num-derive 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)" = "eafd0b45c5537c3ba526f79d3e75120036502bebacbb3f3220914067ce39dbf2"
"checksum num-traits 0.2.8 (registry+https://github.com/rust-lang/crates.io-index)" = "6ba9a427cfca2be13aa6f6403b0b7e7368fe982bfa16fccc450ce74c46cd9b32"
"checksum pamsm 0.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "56d923d68b74200a15da0c04329bc38e9975939ad4f23d2ea2baaa5aa23fc80c"
"checksum pamsm 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "0477e904be95ca350676c9e9e73776d2316b7a33d3d9fb72bc56884a2366e307"
"checksum ppv-lite86 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "74490b50b9fbe561ac330df47c08f3f33073d2d00c150f719147d7c54522fa1b"
"checksum proc-macro-error 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)" = "e7959c6467d962050d639361f7703b2051c43036d03493c36f01d440fdd3138a"
"checksum proc-macro-error-attr 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)" = "e4002d9f55991d5e019fb940a90e1a95eb80c24e77cb2462dd4dc869604d543a"

11
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "pam_fido2"
version = "0.2.2"
version = "0.2.4"
authors = ["shimun <shimun@shimun.net>"]
edition = "2018"
@@ -12,15 +12,18 @@ path = "src/lib.rs"
crate-type = ["cdylib"]
[[bin]]
name = "pam_fido2-credential"
name = "pam_fido2-cli"
path = "src/main.rs"
[profile.release]
opt-level = 0
[dependencies]
ctap_hmac = { git = "https://git.shimun.net/shimun/ctap", rev = "1a8e83d81efa3ae2cd4d764ddbae72c95a5af3e1", features = ["assert_devices"] }
pamsm = "0.2.0"
ctap_hmac = { git = "https://git.shimun.net/shimun/ctap", rev = "cc48719cfa1375909877265905264fad875d1fa3", features = ["request_multiple"] }
pamsm = { version = "0.3.3", features = ["libpam"] }
regex = "1.3.1"
rand = "0.7.2"
hex = "0.4.0"
structopt = "0.3.11"
ctrlc = "3.1.4"
failure = "0.1.6"

150
src/lib.rs
View File

@@ -1,149 +1,7 @@
#[macro_use]
extern crate pamsm;
extern crate ctap_hmac as ctap;
use ctap::{get_assertion_devices, FidoAssertionRequestBuilder, FidoDevice, FidoErrorKind};
use pamsm::{Pam, PamError, PamFlag, PamServiceModule};
use rand::Rng;
use regex::Regex;
use std::collections::HashMap;
use std::fs::File;
use std::io::{prelude::*, BufReader};
use std::path::Path;
use std::time::{Duration, SystemTime};
struct PamFido2;
struct Settings {
pub device_timeout: Duration,
pub user_credentials: Vec<(String, String)>,
}
impl Default for Settings {
fn default() -> Self {
Settings {
device_timeout: Duration::from_secs(15),
user_credentials: vec![("091566e43802c5a29971c1e08d7865d959af862cc28af22dacf413ac26b90f6dea7d1ac491d9d3712c63f7b8d6cfadf86d057d099d382246dbe9c87f133ed167881b65030000".into(),".*".into())],
}
}
}
impl Settings {
pub fn from_args(args: Vec<String>) -> Self {
let args = args
.into_iter()
.filter_map(|arg| {
let mut parts = arg.split("=");
parts
.by_ref()
.next()
.map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
})
.collect::<HashMap<String, String>>();
let mut settings = Settings::load(
args.get("authfile")
.map(AsRef::as_ref)
.unwrap_or("/etc/fido2_pam.conf"),
);
let timeout = args
.get("timeout")
.map(|t| {
t.parse::<u64>()
.expect("invalid config timeout is supposed to be an int")
})
.map(Duration::from_secs);
if let Some(timeout) = timeout {
settings.device_timeout = timeout;
};
settings
}
pub fn load(path: impl AsRef<Path>) -> Settings {
let mut creds = Vec::new();
let file = File::open(path.as_ref()).unwrap();
let reader = BufReader::new(file);
for line in reader.lines() {
let line = line.unwrap();
let mut parts = line.split(":");
if let Some(user) = parts.by_ref().next() {
creds.push((
(&parts.collect::<Vec<_>>()[..].join(":")).to_string(),
user.to_string(),
));
}
}
Settings {
user_credentials: creds,
..Default::default()
}
}
pub fn get_credentials(&self, user: &str) -> Vec<ctap::FidoCredential> {
let mut creds = Vec::new();
for (cred, pattern) in self.user_credentials.iter() {
let re = Regex::new(&pattern).expect(&["Invalid regex pattern:", &pattern].join(" "));
if re.is_match(user) {
let mut parts = cred.split(":");
//TODO: use expect
let id = parts.by_ref().next().unwrap();
let key = parts.by_ref().next().unwrap();
creds.push(ctap::FidoCredential {
id: hex::decode(id).unwrap(),
public_key: hex::decode(key).ok(),
});
}
}
creds
}
}
impl PamServiceModule for PamFido2 {
fn authenticate(self: &Self, pamh: Pam, _: PamFlag, args: Vec<String>) -> PamError {
let settings = Settings::from_args(args);
let begin = SystemTime::now();
let challenge = rand::thread_rng().gen::<[u8; 32]>();
let credentials = settings.get_credentials(
&pamh
.get_cached_user()
.ok()
.map(|name| name.unwrap().to_str().unwrap().to_string())
.expect("Faied to get username"),
);
if credentials.is_empty() {
return PamError::AUTH_ERR;
}
let slice = credentials.iter().collect::<Vec<_>>();
let request = FidoAssertionRequestBuilder::default()
.rp_id("fido2pam")
.client_data_hash(&challenge[..])
.credentials(&slice[..])
.build()
.unwrap();
loop {
let mut devices = match ctap::get_devices() {
Ok(devices) => devices
.filter_map(|handle| FidoDevice::new(&handle).ok())
.collect::<Vec<_>>(),
Err(_) => return PamError::AUTH_ERR,
};
match get_assertion_devices(&request, devices.iter_mut()) {
Ok(_) => return PamError::SUCCESS,
Err(_) if begin.elapsed().unwrap() > settings.device_timeout => {
return PamError::AUTH_ERR
}
Err(e) if e.kind() == FidoErrorKind::DeviceUnsupported => continue,
Err(e) => eprintln!("{:?}", e),
}
}
}
}
pamsm_init!(Box::new(PamFido2));
#[cfg(test)]
mod tests {
#[test]
fn it_works() {
assert_eq!(2 + 2, 4);
}
}
mod pamfido2;
use crate::pamsm::PamServiceModule;
use pamfido2::PamFido2;
pam_module!(PamFido2);

97
src/main.rs
View File

@@ -1,47 +1,84 @@
extern crate ctap_hmac as ctap;
use ctap::{FidoCredentialRequestBuilder, FidoDevice};
extern crate pamsm;
mod pamfido2;
use ctap::{make_credential_devices, FidoCredentialRequestBuilder, FidoDevice};
use hex;
use std::env::args;
use pamfido2::PamFido2;
use failure::ResultExt;
use std::error::Error;
use std::io::stdout;
use std::io::Write;
use std::path::PathBuf;
use structopt;
use structopt::StructOpt;
#[derive(Debug, StructOpt)]
#[structopt(name = "fido2pam")]
struct CliOpt {
/// Whether the authenticator should promt the user for verification
#[structopt(short, long = "user-verification")]
uv: bool,
/// Username for which the credential will be requested
username: String,
#[structopt(subcommand)]
action: Action,
}
fn main() -> Result<(), ctap::FidoError> {
let opt = CliOpt::from_args();
let device_info = ctap::get_devices()?.next().expect("no device");
let mut device = ctap::FidoDevice::new(&device_info)?;
#[derive(Debug, StructOpt)]
enum Action {
/// Generate a new credential
Credential {
/// Whether the authenticator should promt the user for verification
#[structopt(short, long = "user-verification")]
uv: bool,
let req = FidoCredentialRequestBuilder::default()
.rp_id("fido2pam")
.user_name(opt.username.as_ref())
.uv(opt.uv)
.build()
.unwrap();
/// Username for which the credential will be requested
username: String,
},
/// Test your config
Test {
/// Path to the file containing the credentials generated by `credential`
auth_file: PathBuf,
/// The username to test for
username: String,
},
}
let cred = device.make_credential(&req)?;
fn main() -> Result<(), Box<dyn Error>> {
match CliOpt::from_args().action {
Action::Credential { uv, username } => {
let mut devices = ctap::get_devices()
.compat()?
.filter_map(|handle| FidoDevice::new(&handle).ok())
.collect::<Vec<_>>();
let req = FidoCredentialRequestBuilder::default()
.rp_id("fido2pam")
.user_name(username.as_ref())
.uv(uv)
.build()
.unwrap();
stdout()
.write_all(
&[
&opt.username,
&hex::encode(&cred.id)[..],
&hex::encode(&cred.public_key.unwrap())[..],
]
.join(":")
.as_bytes(),
)
.unwrap();
let cred = make_credential_devices(&req, devices.iter_mut()).compat()?;
stdout()
.write_all(
&[
&username,
&hex::encode(&cred.id)[..],
&hex::encode(&cred.public_key.unwrap())[..],
]
.join(":")
.as_bytes(),
)
.unwrap();
}
Action::Test {
auth_file: authfile,
username,
} => {
let res = PamFido2.fido_authenticate(
&username,
vec![["authfile=", authfile.to_str().unwrap()].join("")],
)?;
println!("{}", res)
}
};
Ok(())
}

180
src/pamfido2.rs Normal file
View File

@@ -0,0 +1,180 @@
use ctap::{get_assertion_devices, FidoAssertionRequestBuilder, FidoDevice, FidoErrorKind};
use pamsm::PamLibExt;
use pamsm::{Pam, PamError, PamFlag, PamServiceModule};
use rand::Rng;
use regex::Regex;
use std::collections::HashMap;
use std::error::Error;
use std::fs::File;
use std::io::{self, prelude::*, BufReader};
use std::path::Path;
use std::time::{Duration, SystemTime};
use failure::ResultExt;
pub struct PamFido2;
struct Settings {
pub device_timeout: Duration,
pub user_credentials: Vec<(String, String)>,
pub debug: bool,
}
impl Default for Settings {
fn default() -> Self {
Settings {
debug: false,
device_timeout: Duration::from_secs(15),
user_credentials: vec![("091566e43802c5a29971c1e08d7865d959af862cc28af22dacf413ac26b90f6dea7d1ac491d9d3712c63f7b8d6cfadf86d057d099d382246dbe9c87f133ed167881b65030000".into(),".*".into())],
}
}
}
impl Settings {
pub fn from_args(args: Vec<String>) -> Result<Self, Box<dyn Error>> {
let args = args
.into_iter()
.filter_map(|arg| {
let mut parts = arg.split("=");
parts
.by_ref()
.next()
.map(|key| (key.to_string(), parts.collect::<Vec<_>>().join("=")))
})
.collect::<HashMap<String, String>>();
let mut settings = Settings::load(
args.get("authfile")
.map(AsRef::as_ref)
.unwrap_or("/etc/fido2_pam.conf"),
)?;
let timeout = args
.get("timeout")
.map(|t| {
t.parse::<u64>()
.expect("invalid config timeout is supposed to be an int")
})
.map(Duration::from_secs);
if let Some(timeout) = timeout {
settings.device_timeout = timeout;
};
if let Some(debug) = args.get("debug").and_then(|d| d.parse::<bool>().ok()) {
settings.debug = debug;
}
Ok(settings)
}
pub fn load(path: impl AsRef<Path>) -> io::Result<Settings> {
let mut creds = Vec::new();
let file = File::open(path.as_ref())?;
let reader = BufReader::new(file);
for line in reader.lines() {
let line = line?;
let mut parts = line.split(":");
if let Some(user) = parts.by_ref().next() {
creds.push((
(&parts.collect::<Vec<_>>()[..].join(":")).to_string(),
user.to_string(),
));
}
}
Ok(Settings {
user_credentials: creds,
..Default::default()
})
}
pub fn get_credentials(&self, user: &str) -> Vec<ctap::FidoCredential> {
let mut creds = Vec::new();
for (cred, pattern) in self.user_credentials.iter() {
let re = Regex::new(&pattern).expect(&["Invalid regex pattern:", &pattern].join(" "));
if re.is_match(user) {
let mut parts = cred.split(":");
//TODO: use expect
let id = parts.by_ref().next().unwrap();
let key = parts.by_ref().next().unwrap();
creds.push(ctap::FidoCredential {
id: hex::decode(id).unwrap(),
public_key: hex::decode(key).ok(),
});
}
}
creds
}
}
impl PamFido2 {
pub fn fido_authenticate(
&self,
username: &str,
args: Vec<String>,
) -> Result<PamError, Box<dyn Error>> {
let settings = Settings::from_args(args)?;
let debug = |msg: &dyn Fn() -> String| {
if settings.debug {
eprintln!("{}", msg())
}
};
let begin = SystemTime::now();
let challenge = rand::thread_rng().gen::<[u8; 32]>();
let credentials = settings.get_credentials(username);
if credentials.is_empty() {
debug(&|| format!("Found no credentials for {}", username));
return Ok(PamError::AUTH_ERR);
}
debug(&|| format!("Found {} credentials for {}", credentials.len(), username));
let slice = credentials.iter().collect::<Vec<_>>();
let request = FidoAssertionRequestBuilder::default()
.rp_id("fido2pam")
.client_data_hash(&challenge[..])
.credentials(&slice[..])
.build()
.unwrap();
loop {
let mut devices = ctap::get_devices()
.compat()?
.filter_map(|handle| FidoDevice::new(&handle).ok())
.collect::<Vec<_>>();
if begin.elapsed().unwrap() > settings.device_timeout {
debug(&|| format!("Exceeded {:?} timeout", settings.device_timeout));
return Ok(PamError::AUTH_ERR);
}
if devices.is_empty() {
debug(&|| "Please connect your authenicator!".into());
std::thread::sleep(Duration::from_secs(1));
continue;
}
match get_assertion_devices(&request, devices.iter_mut()) {
Ok((cred, _)) => {
debug(&|| format!("Got assertion for credential: {}", hex::encode(&cred.id)));
return Ok(PamError::SUCCESS);
}
Err(_) if begin.elapsed().unwrap() > settings.device_timeout => {
debug(&|| format!("Exceeded {:?} timeout", settings.device_timeout));
return Ok(PamError::AUTH_ERR);
}
Err(e) if e.kind() == FidoErrorKind::DeviceUnsupported => continue,
Err(e) => Err(e).compat()?,
}
}
}
}
impl PamServiceModule for PamFido2 {
fn authenticate(pamh: Pam, _: PamFlag, args: Vec<String>) -> PamError {
let username = &pamh
.get_cached_user()
.ok()
.map(|name| name.unwrap().to_str().unwrap().to_string())
.expect("Failed to get username");
match PamFido2.fido_authenticate(username, args) {
Ok(e) => e,
Err(e) => {
eprintln!("{}", e);
PamError::AUTH_ERR
}
}
}
}