Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authy push authentication feature #164

Open
wants to merge 17 commits into
base: master
Choose a base branch
from
Open

Authy push authentication feature #164

wants to merge 17 commits into from

Conversation

krzole
Copy link

@krzole krzole commented May 10, 2020

This pull request adds push authentication using Authy (https://authy.com/). If Authy authentication fails, continue with the classic Google OTP. See README.authy.md how to install and use.

@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@krzole
Copy link
Author

krzole commented May 10, 2020

@googlebot I signed it!

@googlebot
Copy link

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and then comment @googlebot I fixed it.. If the bot doesn't comment, it means it doesn't think anything has changed.

ℹ️ Googlers: Go here for more info.

@ThomasHabets
Copy link
Collaborator

Oooh, very cool. Things this needs before being mergable:

  1. This new functionality, because it depends on two new libraries, needs to be optional.
  2. The README needs to reflect that it's not a fork. Probably the main README can point to the authy README since there's a fair difference.
  3. The email address I think needs to match, like googlebot said.

I won't have time look at the code today. but looks very promising.

@krzole
Copy link
Author

krzole commented May 10, 2020

@googlebot I fixed it.

@googlebot
Copy link

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

@krzole
Copy link
Author

krzole commented May 11, 2020

@ThomasHabets: pull request is updated with the suggested changes

configure.ac Outdated
@@ -71,6 +71,38 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[

AC_LANG_POP(C)

AC_ARG_ENABLE([authy],
[AC_HELP_STRING([--enable-authy],
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not enable it by default if the library is found?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, I'm going to rewrite configure.ac

configure.ac Outdated
[xenable_authy=no])
AM_CONDITIONAL([ENABLE_AUTHY], [false])

AC_CHECK_LIB([curl], [curl_global_init],
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not an autoconf expert, but why not just AC_CHECK_LIB([curl], [curl_global_init]) ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, I'm going to rewrite configure.ac

src/pam_authy.c Outdated

curl = curl_easy_init();
if (!curl) {
log_message(LOG_ERR, pamh, "authy_err: curl init failed\n");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no need for newline.
Applies to all calls to log_message

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree

src/pam_authy.c Outdated

asprintf(&url, "https://api.authy.com/onetouch/json/approval_requests/%s",
uuid);
asprintf(&xheader, "X-Authy-API-Key: %s", api_key);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

asprintf is a GNU extension, so I think this might reduce the portability.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, asprintfs will be removed

src/pam_authy.c Outdated

res = curl_easy_perform(curl);
if (res != CURLE_OK) {
log_message(LOG_ERR, pamh, "authy_err: curl call failed: %d (%s)\n",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove newline

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree

src/pam_authy.c Outdated

static authy_rc_t authy_check_aproval(pam_handle_t *pamh, char *api_key, char *uuid)
{
CURL *curl = NULL;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Define variables later. E.g. instead of what's here now, do:

CURL *curl = curl_easy_init();

That way the scope of variables is reduced making it clearer where they are set.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, scope will be reduced

src/pam_authy.c Outdated
free(jt);

if (str)
free(str);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

src/pam_authy.c Outdated
}

log_message(LOG_INFO, pamh, "authy_dbg: Waiting for Authy authentication approval\n");
start_time = time(NULL);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use clock_gettime() instead, so that this doesn't break if login happens when clock is set.

https://blog.habets.se/2010/09/gettimeofday-should-never-be-used-to-measure-time.html

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed

asprintf(&data, "message=Login authentication");
asprintf(&data, "%s&details=%s at %s", data, username, hostname);
asprintf(&data, "%s&seconds_to_expire=%d", data, timeout);
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, strlen(data));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a client-side timeout in case the server hangs?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, CURLOPT_TIMEOUT will be added to the curl call

authy_timeout = 30;
}
char *api_key = (char *)get_cfg_value_char(pamh, buf, "AUTHY_API_KEY");
arc = authy_login(pamh, authy_id, api_key, authy_timeout);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have as much code as possible be not-ifdefed.

How about this: create a second file called pam_no_authy.c with an authy_login() implementation that always fails, logging that module was not built with authy support. That way no added ifdef in code, only in the Makefile.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to minimize the changes introduced to the original code.

I see your point, I'll create a dummy authy_login() function.

@krzole
Copy link
Author

krzole commented May 20, 2020

@ThomasHabets Hello Thomas, how shall we continue with this pull request?

@ThomasHabets
Copy link
Collaborator

@krzole I've not had time to look at this more yet.

Although now I'm wondering if it actually belongs in the same module. How is this better than having a separate PAM module that does authy? The fallback logic is normally done in the PAM config.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants