Mercurial > prosody-modules
annotate mod_auth_internal_yubikey/mod_auth_internal_yubikey.lua @ 737:e4ea03b060ed
mod_archive: switch from/to
The XEP-0136 is not very explicit about the meening of <from> and <to>
elements, but the examples are clear: <from> means it comes from the user in
the 'with' attribute of the collection.
That is the opposite of what is currently implemented in that module.
So for better compatibility with complient clients, this switch the 'from' and
'to' fields
| author | Olivier Goffart <ogoffart@woboq.com> |
|---|---|
| date | Wed, 04 Jul 2012 14:08:43 +0200 |
| parents | f801ce6826d5 |
| children | 881ec9919144 |
| rev | line source |
|---|---|
|
341
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 -- Prosody IM |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 -- |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 -- COPYING file in the source package for more information. |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 -- |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local datamanager = require "util.datamanager"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local storagemanager = require "core.storagemanager"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local log = require "util.logger".init("auth_internal_yubikey"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 local type = type; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 local error = error; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local ipairs = ipairs; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 local hashes = require "util.hashes"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 local jid = require "util.jid"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 local jid_bare = require "util.jid".bare; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 local config = require "core.configmanager"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 local usermanager = require "core.usermanager"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 local new_sasl = require "util.sasl".new; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 local nodeprep = require "util.encodings".stringprep.nodeprep; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 local hosts = hosts; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 local prosody = _G.prosody; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 local yubikey = require "yubikey".new_authenticator({ |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 prefix_length = module:get_option_number("yubikey_prefix_length", 0); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 check_credentials = function (ret, state, data) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 local account = data.account; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 local yubikey_hash = hashes.sha1(ret.public_id..ret.private_id..(ret.password or ""), true); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 if yubikey_hash == account.yubikey_hash then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 return true; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 return false, "invalid-otp"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 end; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 store_device_info = function (state, data) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 local new_account = {}; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 for k, v in pairs(data.account) do |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 new_account[k] = v; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 new_account.yubikey_state = state; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 datamanager.store(data.username, data.host, "accounts", new_account); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 end; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 }); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 local global_yubikey_key = module:get_option_string("yubikey_key"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 function new_default_provider(host) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 local provider = { name = "internal_yubikey" }; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 log("debug", "initializing default authentication provider for host '%s'", host); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 function provider.test_password(username, password) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 log("debug", "test password '%s' for user %s at host %s", password, username, module.host); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 local account_info = datamanager.load(username, host, "accounts") or {}; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 local yubikey_key = account_info.yubikey_key or global_yubikey_key; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 if account_info.yubikey_key then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 log("debug", "Authenticating Yubikey OTP for %s", username); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 local authed, err = yubikey:authenticate(password, account_info.yubikey_key, account_info.yubikey_state or {}, { account = account_info, username = username, host = host }); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 if not authed then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 log("debug", "Failed to authenticate %s via OTP: %s", username, err); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 return authed, err; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 return authed; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 elseif account_info.password and password == account_info.password then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 -- No yubikey configured for this user, treat as normal password |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 log("debug", "No yubikey configured for %s, successful login using password auth", username); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 return true; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 else |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 return nil, "Auth failed. Invalid username or password."; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 function provider.get_password(username) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
75 log("debug", "get_password for username '%s' at host '%s'", username, module.host); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 return (datamanager.load(username, host, "accounts") or {}).password; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 function provider.set_password(username, password) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 local account = datamanager.load(username, host, "accounts"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
81 if account then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
82 account.password = password; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
83 return datamanager.store(username, host, "accounts", account); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
84 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
85 return nil, "Account not available."; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
86 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
87 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
88 function provider.user_exists(username) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
89 local account = datamanager.load(username, host, "accounts"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
90 if not account then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
91 log("debug", "account not found for username '%s' at host '%s'", username, module.host); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
92 return nil, "Auth failed. Invalid username"; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
93 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
94 return true; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
95 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
96 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
97 function provider.create_user(username, password) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
98 return datamanager.store(username, host, "accounts", {password = password}); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
99 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
100 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 function provider.delete_user(username) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 return datamanager.store(username, host, "accounts", nil); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
103 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
104 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
105 function provider.get_sasl_handler() |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
106 local realm = module:get_option("sasl_realm") or module.host; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
107 local getpass_authentication_profile = { |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
108 plain_test = function(sasl, username, password, realm) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 local prepped_username = nodeprep(username); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
110 if not prepped_username then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
111 log("debug", "NODEprep failed on username: %s", username); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
112 return false, nil; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
113 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
114 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
115 return usermanager.test_password(username, realm, password), true; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
116 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
117 }; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
118 return new_sasl(realm, getpass_authentication_profile); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
119 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
120 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
121 return provider; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
122 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
123 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
124 module:add_item("auth-provider", new_default_provider(module.host)); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
125 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
126 function module.command(arg) |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
127 local command = arg[1]; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
128 table.remove(arg, 1); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
129 if command == "associate" then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
130 local user_jid = arg[1]; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
131 if not user_jid or user_jid == "help" then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 prosodyctl.show_usage([[mod_auth_internal_yubikey associate JID]], [[Set the Yubikey details for a user]]); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 return 1; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
134 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
135 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
136 local username, host = jid.prepped_split(user_jid); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
137 if not username or not host then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
138 print("Invalid JID: "..user_jid); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
139 return 1; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
140 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
141 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
142 local password, public_id, private_id, key; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
143 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
144 for i=2,#arg do |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
145 local k, v = arg[i]:match("^%-%-(%w+)=(.*)$"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
146 if not k then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
147 k, v = arg[i]:match("^%-(%w)(.*)$"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
148 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
149 if k == "password" then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
150 password = v; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
151 elseif k == "fixed" then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
152 public_id = v; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
153 elseif k == "uid" then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
154 private_id = v; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
155 elseif k == "key" or k == "a" then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
156 key = v; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
157 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
158 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
159 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
160 if not password then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
161 print(":: Password ::"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
162 print("This is an optional password that should be always"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
163 print("entered during login *before* the yubikey password."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
164 print("If the yubikey is lost/stolen, unless the attacker"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 print("knows this prefix, they cannot access the account."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
166 print(""); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
167 password = prosodyctl.read_password(); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
168 if not password then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
169 print("Cancelled."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
170 return 1; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
171 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
172 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
173 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
174 if not public_id then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
175 print(":: Public Yubikey ID ::"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
176 print("This is a fixed string of characters between 0 and 16"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
177 print("bytes long that the Yubikey prefixes to every token."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
178 print("The ID should be entered in modhex encoding, meaning "); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
179 print("a string up to 32 characters. This *must* match"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
180 print("exactly the fixed string programmed into the yubikey."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
181 print(""); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
182 io.write("Enter fixed id (modhex): "); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
183 while true do |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
184 public_id = io.read("*l"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
185 if #public_id > 32 then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
186 print("The fixed id must be 32 characters or less. Please try again."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
187 elseif public_id:match("[^cbdefghijklnrtuv]") then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
188 print("The fixed id contains invalid characters. It must be entered in modhex encoding. Please try again."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
189 else |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
190 break; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
191 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
192 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
193 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
194 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
195 if not private_id then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
196 print(":: Private Yubikey ID ::"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
197 print("This is a fixed secret UID programmed into the yubikey"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
198 print("during configuration. It must be entered in hex (not modhex)"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
199 print("encoding. It is always 6 bytes long, which is 12 characters"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
200 print("in hex encoding."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
201 print(""); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
202 while true do |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
203 io.write("Enter private UID (hex): "); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
204 private_id = io.read("*l"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
205 if #private_id ~= 12 then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
206 print("The id length must be 12 characters in hex encoding. Please try again."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
207 elseif private_id:match("%X") then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
208 print("The key contains invalid characters - it must be in hex encoding (not modhex). Please try again."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
209 else |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
210 break; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
211 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
212 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
213 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
214 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
215 if not key then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
216 print(":: AES Encryption Key ::"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
217 print("This is the secret key that the Yubikey uses to encrypt the"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
218 print("generated tokens. It is 32 characters in hex encoding."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
219 print(""); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
220 while true do |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
221 io.write("Enter AES key (hex): "); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
222 key = io.read("*l"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
223 if #key ~= 32 then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
224 print("The key length must be 32 characters in hex encoding. Please try again."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
225 elseif key:match("%X") then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
226 print("The key contains invalid characters - it must be in hex encoding (not modhex). Please try again."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
227 else |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
228 break; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
229 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
230 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
231 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
232 |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
233 local hash = hashes.sha1(public_id..private_id..password, true); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
234 local account = { |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
235 yubikey_hash = hash; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
236 yubikey_key = key; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
237 }; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
238 storagemanager.initialize_host(host); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
239 local ok, err = datamanager.store(username, host, "accounts", account); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
240 if not ok then |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
241 print("Error saving configuration:"); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
242 print("", err); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
243 return 1; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
244 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
245 print("Saved."); |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
246 return 0; |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
247 end |
|
f801ce6826d5
mod_auth_internal_yubikey: New authentication provider for two-factor authentication with Yubikeys
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
248 end |