Mercurial > prosody-modules
annotate mod_auth_internal_yubikey/mod_auth_internal_yubikey.lua @ 809:1d51c5e38faa
Add LDAP plugin suite
author | rob@hoelz.ro |
---|---|
date | Sun, 02 Sep 2012 15:35:50 +0200 |
parents | f801ce6826d5 |
children | 881ec9919144 |
rev | line source |
---|---|
341
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 -- Prosody IM |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 -- |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 -- COPYING file in the source package for more information. |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 -- |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local datamanager = require "util.datamanager"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local storagemanager = require "core.storagemanager"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local log = require "util.logger".init("auth_internal_yubikey"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 local type = type; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 local error = error; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local ipairs = ipairs; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local hashes = require "util.hashes"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 local jid = require "util.jid"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 local jid_bare = require "util.jid".bare; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 local config = require "core.configmanager"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 local usermanager = require "core.usermanager"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 local new_sasl = require "util.sasl".new; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 local nodeprep = require "util.encodings".stringprep.nodeprep; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 local hosts = hosts; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 local prosody = _G.prosody; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 local yubikey = require "yubikey".new_authenticator({ |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 prefix_length = module:get_option_number("yubikey_prefix_length", 0); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 check_credentials = function (ret, state, data) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 local account = data.account; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 local yubikey_hash = hashes.sha1(ret.public_id..ret.private_id..(ret.password or ""), true); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 if yubikey_hash == account.yubikey_hash then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 return true; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 return false, "invalid-otp"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 end; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 store_device_info = function (state, data) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 local new_account = {}; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 for k, v in pairs(data.account) do |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 new_account[k] = v; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 new_account.yubikey_state = state; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 datamanager.store(data.username, data.host, "accounts", new_account); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 end; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 }); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 local global_yubikey_key = module:get_option_string("yubikey_key"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 function new_default_provider(host) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 local provider = { name = "internal_yubikey" }; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 log("debug", "initializing default authentication provider for host '%s'", host); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 function provider.test_password(username, password) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 log("debug", "test password '%s' for user %s at host %s", password, username, module.host); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 local account_info = datamanager.load(username, host, "accounts") or {}; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 local yubikey_key = account_info.yubikey_key or global_yubikey_key; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 if account_info.yubikey_key then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 log("debug", "Authenticating Yubikey OTP for %s", username); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 local authed, err = yubikey:authenticate(password, account_info.yubikey_key, account_info.yubikey_state or {}, { account = account_info, username = username, host = host }); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 if not authed then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 log("debug", "Failed to authenticate %s via OTP: %s", username, err); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 return authed, err; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 return authed; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 elseif account_info.password and password == account_info.password then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 -- No yubikey configured for this user, treat as normal password |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 log("debug", "No yubikey configured for %s, successful login using password auth", username); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 return true; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 else |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 return nil, "Auth failed. Invalid username or password."; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 function provider.get_password(username) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
75 log("debug", "get_password for username '%s' at host '%s'", username, module.host); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 return (datamanager.load(username, host, "accounts") or {}).password; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 function provider.set_password(username, password) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 local account = datamanager.load(username, host, "accounts"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
81 if account then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
82 account.password = password; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
83 return datamanager.store(username, host, "accounts", account); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
84 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
85 return nil, "Account not available."; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
86 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
87 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
88 function provider.user_exists(username) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
89 local account = datamanager.load(username, host, "accounts"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
90 if not account then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
91 log("debug", "account not found for username '%s' at host '%s'", username, module.host); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
92 return nil, "Auth failed. Invalid username"; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
93 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
94 return true; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
95 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
96 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
97 function provider.create_user(username, password) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
98 return datamanager.store(username, host, "accounts", {password = password}); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
99 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
100 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 function provider.delete_user(username) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 return datamanager.store(username, host, "accounts", nil); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
103 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
104 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
105 function provider.get_sasl_handler() |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
106 local realm = module:get_option("sasl_realm") or module.host; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
107 local getpass_authentication_profile = { |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
108 plain_test = function(sasl, username, password, realm) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 local prepped_username = nodeprep(username); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
110 if not prepped_username then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
111 log("debug", "NODEprep failed on username: %s", username); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
112 return false, nil; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
113 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
114 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
115 return usermanager.test_password(username, realm, password), true; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
116 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
117 }; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
118 return new_sasl(realm, getpass_authentication_profile); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
119 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
120 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
121 return provider; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
122 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
123 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
124 module:add_item("auth-provider", new_default_provider(module.host)); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
125 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
126 function module.command(arg) |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
127 local command = arg[1]; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
128 table.remove(arg, 1); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
129 if command == "associate" then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
130 local user_jid = arg[1]; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
131 if not user_jid or user_jid == "help" then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 prosodyctl.show_usage([[mod_auth_internal_yubikey associate JID]], [[Set the Yubikey details for a user]]); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 return 1; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
134 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
135 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
136 local username, host = jid.prepped_split(user_jid); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
137 if not username or not host then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
138 print("Invalid JID: "..user_jid); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
139 return 1; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
140 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
141 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
142 local password, public_id, private_id, key; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
143 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
144 for i=2,#arg do |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
145 local k, v = arg[i]:match("^%-%-(%w+)=(.*)$"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
146 if not k then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
147 k, v = arg[i]:match("^%-(%w)(.*)$"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
148 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
149 if k == "password" then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
150 password = v; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
151 elseif k == "fixed" then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
152 public_id = v; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
153 elseif k == "uid" then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
154 private_id = v; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
155 elseif k == "key" or k == "a" then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
156 key = v; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
157 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
158 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
159 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
160 if not password then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
161 print(":: Password ::"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
162 print("This is an optional password that should be always"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
163 print("entered during login *before* the yubikey password."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
164 print("If the yubikey is lost/stolen, unless the attacker"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 print("knows this prefix, they cannot access the account."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
166 print(""); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
167 password = prosodyctl.read_password(); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
168 if not password then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
169 print("Cancelled."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
170 return 1; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
171 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
172 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
173 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
174 if not public_id then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
175 print(":: Public Yubikey ID ::"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
176 print("This is a fixed string of characters between 0 and 16"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
177 print("bytes long that the Yubikey prefixes to every token."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
178 print("The ID should be entered in modhex encoding, meaning "); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
179 print("a string up to 32 characters. This *must* match"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
180 print("exactly the fixed string programmed into the yubikey."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
181 print(""); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
182 io.write("Enter fixed id (modhex): "); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
183 while true do |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
184 public_id = io.read("*l"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
185 if #public_id > 32 then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
186 print("The fixed id must be 32 characters or less. Please try again."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
187 elseif public_id:match("[^cbdefghijklnrtuv]") then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
188 print("The fixed id contains invalid characters. It must be entered in modhex encoding. Please try again."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
189 else |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
190 break; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
191 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
192 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
193 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
194 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
195 if not private_id then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
196 print(":: Private Yubikey ID ::"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
197 print("This is a fixed secret UID programmed into the yubikey"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
198 print("during configuration. It must be entered in hex (not modhex)"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
199 print("encoding. It is always 6 bytes long, which is 12 characters"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
200 print("in hex encoding."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
201 print(""); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
202 while true do |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
203 io.write("Enter private UID (hex): "); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
204 private_id = io.read("*l"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
205 if #private_id ~= 12 then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
206 print("The id length must be 12 characters in hex encoding. Please try again."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
207 elseif private_id:match("%X") then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
208 print("The key contains invalid characters - it must be in hex encoding (not modhex). Please try again."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
209 else |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
210 break; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
211 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
212 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
213 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
214 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
215 if not key then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
216 print(":: AES Encryption Key ::"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
217 print("This is the secret key that the Yubikey uses to encrypt the"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
218 print("generated tokens. It is 32 characters in hex encoding."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
219 print(""); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
220 while true do |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
221 io.write("Enter AES key (hex): "); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
222 key = io.read("*l"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
223 if #key ~= 32 then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
224 print("The key length must be 32 characters in hex encoding. Please try again."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
225 elseif key:match("%X") then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
226 print("The key contains invalid characters - it must be in hex encoding (not modhex). Please try again."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
227 else |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
228 break; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
229 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
230 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
231 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
232 |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
233 local hash = hashes.sha1(public_id..private_id..password, true); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
234 local account = { |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
235 yubikey_hash = hash; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
236 yubikey_key = key; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
237 }; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
238 storagemanager.initialize_host(host); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
239 local ok, err = datamanager.store(username, host, "accounts", account); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
240 if not ok then |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
241 print("Error saving configuration:"); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
242 print("", err); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
243 return 1; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
244 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
245 print("Saved."); |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
246 return 0; |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
247 end |
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
248 end |