[pve-devel] [PATCH apiclient] fix #2227: enable totp codes to be passed in cli
Oguz Bektas
o.bektas at proxmox.com
Wed Jul 17 17:25:58 CEST 2019
hi,
On Wed, Jul 17, 2019 at 05:03:38PM +0200, Thomas Lamprecht wrote:
> On 7/17/19 4:50 PM, Oguz Bektas wrote:
> > this patch enables passing TOTP codes during cluster join if TFA has been
> > enabled for root@pam (or any other user actually, but root seems to cause the
> > most problems).
> >
> > Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> > ---
> >
> > will start working on a gui patch soon.
>
> does it work over the GUI like this? I mean maybe I'm missing something, but
> wouldn't that need us to detect the "Enter TFA code for user .." in a
> task log and then open an input field?
it doesn't work atm. i've added the raise as you suggested in my v2,
which i'll be sending in a few minutes.
>
> Another, quite different, way could be to let the initial API
> connection handle TFA there and pass the ticket then to the backend which
> can use it directly?
it seemed easier to do it this way now, since we already have
/access/tfa which handles almost everything tfa-related.
>
> But we always knew that the GUI would become a bit difficult, the stuff for CLI
> looks already nice, thanks, some comments still inline.
>
> >
> > PVE/APIClient/LWP.pm | 19 +++++++++++++------
> > 1 file changed, 13 insertions(+), 6 deletions(-)
> >
> > diff --git a/PVE/APIClient/LWP.pm b/PVE/APIClient/LWP.pm
> > index c0e30ff..33a26e0 100755
> > --- a/PVE/APIClient/LWP.pm
> > +++ b/PVE/APIClient/LWP.pm
> > @@ -92,6 +92,11 @@ sub update_ticket {
> > $agent->default_header('Cookie', $cookie);
> > }
> >
> > +sub complete_tfa_challenge {
> > + my ($self, $tfa_response) = @_;
> > + return $self->post('/api2/json/access/tfa', {response => $tfa_response});
> > +}
> > +
> > sub login {
> > my ($self) = @_;
> >
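Review bot: `complete_tfa_challenge` has an undocumented precondition: it only makes sense after `update_ticket` has installed the half-authenticated `PVE:tfa!` ticket as the Cookie header, which is exactly the order the `login` hunk below uses (`$self->update_ticket($data->{ticket});` first, then the challenge). A one-line comment above the sub stating that it must be called with the `PVE:tfa!` ticket already set, or a `raise` when no ticket has been installed yet, would stop a future caller from invoking it straight after `new` and getting a failed `/access/tfa` request with no hint why.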
> > @@ -129,15 +134,17 @@ sub login {
> > my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
> >
> > my $data = $extract_data->($res);
> > -
> > - # TODO: make it possible to use tfa
> > - if ($data->{ticket} =~ m/^PVE:tfa!/) {
>
> we still need this for /^PVE:u2f!/
according to wolfgang, handling u2f will require us to package
libu2f-client (like we did with libu2f-server).
so for the moment i think i'll just add another warning for the u2f
case.
>
> (missed even before...)
>
> > - raise("Two Factor Auth is not yet implemented! Try disabling TFA for the user '$username'.\n");
> > - }
> > -
> > $self->update_ticket($data->{ticket});
> > $self->update_csrftoken($data->{CSRFPreventionToken});
> >
> > + # handle totp
> > + if ($data->{ticket} =~ m/^PVE:tfa!/) {
>
> may add a:
> raise("Two Factor Auth currently only works with a TTY") if !-t STDIN;
>
> or not?
added in v2.
>
> > + print "\nEnter TFA code for user $username: ";
> > + my $tfa_code = <STDIN>;
> > + chomp $tfa_code;
> > + $data = $self->complete_tfa_challenge($tfa_code);
> > + $self->update_ticket($data->{ticket});
> > + }
> > return $data;
> > }
> >
> >
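Review bot: on EOF the read at `my $tfa_code = <STDIN>;` returns undef, so `chomp $tfa_code;` warns and an undefined `response` is posted to `/access/tfa`; guard the prompt with `raise("Two Factor Auth currently only works with a TTY") if !-t STDIN;` as suggested above and add `raise("no TFA code entered\n") if !defined($tfa_code) || $tfa_code eq '';` before calling `complete_tfa_challenge`. Two smaller points in the same hunk: `$data = $self->complete_tfa_challenge($tfa_code);` replaces the whole login response, so the hash returned to the caller in the TFA case is whatever `/access/tfa` returns, and keys the non-TFA path returns (such as `CSRFPreventionToken`, which this very hunk reads from the first response) are only present if that endpoint also returns them, so copying just the new ticket into `$data->{ticket}` would keep the return shape uniform; and with the old `raise` removed, a `PVE:u2f!` ticket now passes `update_ticket` and is returned as if the login had succeeded, so the U2F warning mentioned in the reply belongs in this block, before the `PVE:tfa!` match.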
>
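The two-step flow the thread discusses, written out as an added example (Python rather than the apiclient's Perl; this is not Proxmox code): the login response carries a `PVE:tfa!` ticket, the client installs it, refuses to prompt when stdin is not a TTY, reads the TOTP code, posts it to `/access/tfa`, and swaps the half ticket for the full one. `FakePveTransport`, its ticket strings, the `csrf-token` value and `login_or_error` are constructed for this example; the real server, its ticket format and its error responses differ.

```python
import sys
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Ticket prefixes named in the thread: the login endpoint hands them out while a
# second factor is still outstanding. The ticket bodies used below are constructed
# for this example and are not the real PVE ticket format.
TFA_PREFIX = "PVE:tfa!"
U2F_PREFIX = "PVE:u2f!"


class TfaError(Exception):
    """Raised when the second-factor step cannot be completed."""


class FakePveTransport:
    """Constructed stand-in for the HTTP layer (hypothetical; not the real API server).

    It answers the two endpoints the patch uses and enforces the ordering the
    patch relies on: POST /access/tfa only succeeds once the half-authenticated
    PVE:tfa! ticket from POST /access/ticket has been installed as the cookie.
    """

    def __init__(self, totp_users: Dict[str, str], u2f_users: Iterable[str] = ()) -> None:
        self.totp_users = totp_users             # user -> TOTP code the server accepts
        self.u2f_users = set(u2f_users)          # users whose second factor is U2F
        self.cookie: Optional[str] = None        # what ApiClient.update_ticket() installed
        self.calls: List[Tuple[str, dict]] = []  # (path, params) of every request

    def post(self, path: str, params: dict) -> dict:
        self.calls.append((path, dict(params)))
        if path == "/api2/json/access/ticket":
            user = params["username"]
            if user in self.u2f_users:
                ticket = f"{U2F_PREFIX}{user}:half"
            elif user in self.totp_users:
                ticket = f"{TFA_PREFIX}{user}:half"
            else:
                ticket = f"PVE:{user}:full"
            return {"username": user, "ticket": ticket, "CSRFPreventionToken": "csrf-token"}
        if path == "/api2/json/access/tfa":
            cookie = self.cookie or ""
            if not cookie.startswith(TFA_PREFIX):
                raise TfaError("/access/tfa called without a PVE:tfa! ticket cookie")
            user = cookie[len(TFA_PREFIX):].split(":", 1)[0]
            if params.get("response") != self.totp_users.get(user):
                raise TfaError("TOTP code rejected")
            return {"ticket": f"PVE:{user}:full"}
        raise TfaError(f"unexpected endpoint {path}")


def prompt_for_code(username: str) -> Optional[str]:
    """Interactive reader: returns None on EOF instead of an empty string."""
    sys.stdout.write(f"\nEnter TFA code for user {username}: ")
    sys.stdout.flush()
    line = sys.stdin.readline()
    return line.rstrip("\r\n") if line else None


class ApiClient:
    """Client side of the flow; transport and code reader are injected so the
    logic can be exercised without a network or a terminal."""

    def __init__(self, transport, read_code: Callable[[str], Optional[str]] = prompt_for_code,
                 stdin_is_tty: Optional[bool] = None) -> None:
        self.transport = transport
        self.read_code = read_code
        self.stdin_is_tty = sys.stdin.isatty() if stdin_is_tty is None else stdin_is_tty
        self.csrf_token: Optional[str] = None

    def update_ticket(self, ticket: str) -> None:
        self.transport.cookie = ticket

    def complete_tfa_challenge(self, tfa_response: str) -> dict:
        # Precondition: update_ticket() has already installed the PVE:tfa! ticket.
        return self.transport.post("/api2/json/access/tfa", {"response": tfa_response})

    def login(self, username: str, password: str) -> dict:
        data = self.transport.post("/api2/json/access/ticket",
                                   {"username": username, "password": password})
        ticket = data["ticket"]
        self.update_ticket(ticket)
        self.csrf_token = data["CSRFPreventionToken"]
        if ticket.startswith(U2F_PREFIX):
            raise TfaError(f"U2F second factor for '{username}' is not supported by this client")
        if ticket.startswith(TFA_PREFIX):
            if not self.stdin_is_tty:
                raise TfaError("Two Factor Auth currently only works with a TTY")
            code = self.read_code(username)
            if code is None or not code.strip():
                raise TfaError("no TFA code entered")
            full = self.complete_tfa_challenge(code.strip())
            self.update_ticket(full["ticket"])
            data["ticket"] = full["ticket"]  # keep the login response shape; only the ticket changes
        return data


def login_or_error(client: ApiClient, username: str, password: str) -> Tuple[Optional[dict], Optional[str]]:
    """Run login() and report either the response or the TfaError message."""
    try:
        return client.login(username, password), None
    except TfaError as exc:
        return None, str(exc)
```

Copying only the new ticket into the first response keeps what `login` returns identical in shape for the TFA and non-TFA paths; the U2F case is refused before any prompt because this client cannot complete a U2F challenge, and the EOF and non-TTY cases fail before anything is posted to `/access/tfa`.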