[pve-devel] [PATCH apiclient] fix #2227: enable totp codes to be passed in cli

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jul 17 17:03:38 CEST 2019


On 7/17/19 4:50 PM, Oguz Bektas wrote:
> this patch enables passing totp codes during cluster join if tfa has been
> enabled for root@pam (or any other user actually, but root seems to cause the
> most problems).
> 
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
> 
> will start working on a gui patch soon.

Does it work over the GUI like this? I mean, maybe I'm missing something, but
wouldn't that need us to detect the "Enter TFA code for user .." in a
task log and then open an input field?

Another, quite different, way could be to let the initial API
connection handle TFA there and then pass the ticket to the backend, which
can use it directly?

But we always knew that the GUI would become a bit difficult; the stuff for CLI
already looks nice, thanks. Some comments still inline.

> 
>  PVE/APIClient/LWP.pm | 19 +++++++++++++------
>  1 file changed, 13 insertions(+), 6 deletions(-)
> 
> diff --git a/PVE/APIClient/LWP.pm b/PVE/APIClient/LWP.pm
> index c0e30ff..33a26e0 100755
> --- a/PVE/APIClient/LWP.pm
> +++ b/PVE/APIClient/LWP.pm
> @@ -92,6 +92,11 @@ sub update_ticket {
>      $agent->default_header('Cookie', $cookie);
>  }
>  
> +sub complete_tfa_challenge {
> +    my ($self, $tfa_response) = @_;
> +    return $self->post('/api2/json/access/tfa', {response => $tfa_response});
> +}
> +
>  sub login {
>      my ($self) = @_;
>  
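Review bot: complete_tfa_challenge carries no comment about its precondition, even though it only makes sense once the partial `PVE:tfa!` ticket returned by the first login step has been installed as the cookie via update_ticket, which is exactly the ordering the login hunk below relies on before calling it. A one-line comment above the sub (something like "must be called after update_ticket() with the partial tfa ticket; returns the login data with the full ticket") would make that dependency explicit for the next caller, since nothing in the helper's signature hints at it.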
> @@ -129,15 +134,17 @@ sub login {
>      my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
>  
>      my $data = $extract_data->($res);
> -
> -    # TODO: make it possible to use tfa
> -    if ($data->{ticket} =~ m/^PVE:tfa!/) {

we still need this for /^PVE:u2f!/

(missed even before...)

> -	raise("Two Factor Auth is not yet implemented! Try disabling TFA for the user '$username'.\n");
> -    }
> -
>      $self->update_ticket($data->{ticket});
>      $self->update_csrftoken($data->{CSRFPreventionToken});
>  
> +    # handle totp
> +    if ($data->{ticket} =~ m/^PVE:tfa!/) {

may add a:
raise("Two Factor Auth currently only works with a TTY") if !-t STDIN;

or not?

> +	print "\nEnter TFA code for user $username: ";
> +	my $tfa_code = <STDIN>;
> +	chomp $tfa_code;
> +	$data = $self->complete_tfa_challenge($tfa_code);
> +	$self->update_ticket($data->{ticket});
> +    }
>      return $data;
>  }
>  
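Review bot: `my $tfa_code = <STDIN>;` has no defined check, so when STDIN is at EOF (closed stdin, or a non-interactive run) $tfa_code is undef, chomp emits a warning and an undef response gets posted to /api2/json/access/tfa. Suggest `raise("no TFA code entered\n") if !defined($tfa_code);` before the chomp, and trimming surrounding whitespace with `$tfa_code =~ s/^\s+|\s+$//g;` so a pasted code with a stray trailing space is not rejected. This also complements the TTY check raised above: both guard the same non-interactive case, but the defined check catches it even when a TTY is present and the user just hits Ctrl-D.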
> 
