[pve-devel] [PATCH v3 apiclient] fix #2227: enable totp codes to be passed in cli

Oguz Bektas o.bektas at proxmox.com
Thu Jul 18 16:44:51 CEST 2019


this patch enables to pass totp codes during cluster join if tfa has been
enabled for root at pam (or any other user actually, but root seems to cause the
most problems).

u2f support is still not implemented.

Co-developed-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
Co-developed-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---

v2 -> v3:
implement thomas' suggestions, namely:
* factor out code and handle it outside of the login func
* pass $type and $challenge after detecting a two-factor-auth ticket
(the detection regex can be improved i think, but i'll leave it like
this for now)
* also if $type isn't detected, abort after doing a raise

 PVE/APIClient/LWP.pm | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/PVE/APIClient/LWP.pm b/PVE/APIClient/LWP.pm
index c0e30ff..2cf7ac7 100755
--- a/PVE/APIClient/LWP.pm
+++ b/PVE/APIClient/LWP.pm
@@ -92,6 +92,23 @@ sub update_ticket {
     $agent->default_header('Cookie', $cookie);
 }
 
+sub two_factor_auth_login {
+    my ($self, $type, $challenge) = @_;
+
+    if ($type eq 'PVE:tfa') {
+	raise("TFA-enabled join currently works only with a TTY.") if !-t STDIN;
+	print "\nEnter OTP code for user $self->{username}: ";
+	my $tfa_response = <STDIN>;
+	chomp $tfa_response;
+	return $self->post('/api2/json/access/tfa', {response => $tfa_response});
+    } elsif ($type eq 'PVE:u2f') {
+	# TODO: implement u2f-enabled join
+	raise("U2F-enabled join is currently not implemented.");
+    } else {
+	raise("Authentication type not recognized, aborting!");
+    }
+}
+
 sub login {
     my ($self) = @_;
 
@@ -129,15 +146,16 @@ sub login {
     my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
 
     my $data = $extract_data->($res);
-
-    # TODO: make it possible to use tfa
-    if ($data->{ticket} =~ m/^PVE:tfa!/) {
-	raise("Two Factor Auth is not yet implemented! Try disabling TFA for the user '$username'.\n");
-    }
-
     $self->update_ticket($data->{ticket});
     $self->update_csrftoken($data->{CSRFPreventionToken});
 
+    # handle two-factor login
+    if ($data->{ticket} =~ m{^([^\s!]+)![^!]*(!([0-9a-zA-Z/.=_\-+]+))?$}) {
+	my ($type, $challenge) = ($1, $2);
+	$data = $self->two_factor_auth_login($type, $challenge);
+	$self->update_ticket($data->{ticket});
+    }
+
     return $data;
 }
 
-- 
2.20.1




More information about the pve-devel mailing list