|
|
|
@ -3,6 +3,7 @@
|
|
|
|
|
'''
|
|
|
|
|
pam-custom
|
|
|
|
|
Copyright (C) 2013 Loris Tisisno <loris.tissino@gmail.com>
|
|
|
|
|
Copyright (C) 2017 Netsyms Technologies <admin@netsyms.com>
|
|
|
|
|
|
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
@ -19,9 +20,41 @@
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
import os
|
|
|
|
|
import requests
|
|
|
|
|
import json
|
|
|
|
|
|
|
|
|
|
api_url = "http://localhost/portal/api.php"
|
|
|
|
|
api_key = "123"
|
|
|
|
|
|
|
|
|
|
def totp_verify(user, totp):
|
|
|
|
|
req = {"key": api_key, "action": "verifytotp", "username": user, "code": totp}
|
|
|
|
|
resp = requests.post(api_url, data=req)
|
|
|
|
|
if resp.json()['status'] == "OK":
|
|
|
|
|
if resp.json()['valid'] == True:
|
|
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def totp_check(user, pamh):
|
|
|
|
|
req = {"key": api_key, "action": "hastotp", "username": user}
|
|
|
|
|
resp = requests.post(api_url, data=req)
|
|
|
|
|
if resp.json()['status'] == "OK":
|
|
|
|
|
if resp.json()['otp'] == True:
|
|
|
|
|
otpmsg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "[Portal] enter 2-factor auth code for " + user + ": ")
|
|
|
|
|
rsp = pamh.conversation(otpmsg)
|
|
|
|
|
otpcode = rsp.resp
|
|
|
|
|
return totp_verify(user, otpcode)
|
|
|
|
|
else:
|
|
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def portal_auth(user, password, pamh):
|
|
|
|
|
req = {"key": api_key, "action": "auth", "username": user, "password": password}
|
|
|
|
|
resp = requests.post(api_url, data=req)
|
|
|
|
|
if resp.json()['status'] == "OK":
|
|
|
|
|
return totp_check(user, pamh)
|
|
|
|
|
else:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def custom_auth(user, password, command):
|
|
|
|
|
return os.system(command + ' ' + user + ' ' + password) == 0
|
|
|
|
|
|
|
|
|
|
def pam_sm_authenticate(pamh, flags, argv):
|
|
|
|
|
|
|
|
|
@ -36,18 +69,18 @@ def pam_sm_authenticate(pamh, flags, argv):
|
|
|
|
|
password = pamh.authtok
|
|
|
|
|
if password == None:
|
|
|
|
|
## got no password in authtok - trying through conversation...
|
|
|
|
|
passmsg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Custom auth: ")
|
|
|
|
|
passmsg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "[Portal] enter password for " + user + ": ")
|
|
|
|
|
rsp = pamh.conversation(passmsg)
|
|
|
|
|
password = rsp.resp
|
|
|
|
|
# so we should at this point have the password either through the
|
|
|
|
|
# prompt or from previous module
|
|
|
|
|
|
|
|
|
|
if custom_auth(user, password, argv[1]):
|
|
|
|
|
if portal_auth(user, password, pamh):
|
|
|
|
|
return pamh.PAM_SUCCESS
|
|
|
|
|
else:
|
|
|
|
|
return pamh.PAM_AUTH_ERR
|
|
|
|
|
|
|
|
|
|
except pamh.exception, e:
|
|
|
|
|
except pamh.exception as e:
|
|
|
|
|
return e.pam_result
|
|
|
|
|
|
|
|
|
|
def pam_sm_setcred(pamh, flags, argv):
|
|
|
|
|