-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authy push authentication feature #164
base: master
Are you sure you want to change the base?
Conversation
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
@googlebot I signed it! |
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info. |
Oooh, very cool. Things this needs before being mergable:
I won't have time look at the code today. but looks very promising. |
@googlebot I fixed it. |
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
@ThomasHabets: pull request is updated with the suggested changes |
configure.ac
Outdated
@@ -71,6 +71,38 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | |||
|
|||
AC_LANG_POP(C) | |||
|
|||
AC_ARG_ENABLE([authy], | |||
[AC_HELP_STRING([--enable-authy], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not enable it by default if the library is found?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I'm going to rewrite configure.ac
configure.ac
Outdated
[xenable_authy=no]) | ||
AM_CONDITIONAL([ENABLE_AUTHY], [false]) | ||
|
||
AC_CHECK_LIB([curl], [curl_global_init], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not an autoconf expert, but why not just AC_CHECK_LIB([curl], [curl_global_init])
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I'm going to rewrite configure.ac
src/pam_authy.c
Outdated
|
||
curl = curl_easy_init(); | ||
if (!curl) { | ||
log_message(LOG_ERR, pamh, "authy_err: curl init failed\n"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need for newline.
Applies to all calls to log_message
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree
src/pam_authy.c
Outdated
|
||
asprintf(&url, "https://api.authy.com/onetouch/json/approval_requests/%s", | ||
uuid); | ||
asprintf(&xheader, "X-Authy-API-Key: %s", api_key); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
asprintf
is a GNU extension, so I think this might reduce the portability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, asprintfs will be removed
src/pam_authy.c
Outdated
|
||
res = curl_easy_perform(curl); | ||
if (res != CURLE_OK) { | ||
log_message(LOG_ERR, pamh, "authy_err: curl call failed: %d (%s)\n", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove newline
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree
src/pam_authy.c
Outdated
|
||
static authy_rc_t authy_check_aproval(pam_handle_t *pamh, char *api_key, char *uuid) | ||
{ | ||
CURL *curl = NULL; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Define variables later. E.g. instead of what's here now, do:
CURL *curl = curl_easy_init();
That way the scope of variables is reduced making it clearer where they are set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, scope will be reduced
src/pam_authy.c
Outdated
free(jt); | ||
|
||
if (str) | ||
free(str); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
src/pam_authy.c
Outdated
} | ||
|
||
log_message(LOG_INFO, pamh, "authy_dbg: Waiting for Authy authentication approval\n"); | ||
start_time = time(NULL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use clock_gettime()
instead, so that this doesn't break if login happens when clock is set.
https://blog.habets.se/2010/09/gettimeofday-should-never-be-used-to-measure-time.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
asprintf(&data, "message=Login authentication"); | ||
asprintf(&data, "%s&details=%s at %s", data, username, hostname); | ||
asprintf(&data, "%s&seconds_to_expire=%d", data, timeout); | ||
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, strlen(data)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a client-side timeout in case the server hangs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, CURLOPT_TIMEOUT will be added to the curl call
authy_timeout = 30; | ||
} | ||
char *api_key = (char *)get_cfg_value_char(pamh, buf, "AUTHY_API_KEY"); | ||
arc = authy_login(pamh, authy_id, api_key, authy_timeout); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have as much code as possible be not-ifdefed.
How about this: create a second file called pam_no_authy.c
with an authy_login()
implementation that always fails, logging that module was not built with authy support. That way no added ifdef
in code, only in the Makefile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to minimize the changes introduced to the original code.
I see your point, I'll create a dummy authy_login()
function.
pam_no_authy.c contains a dummy authy_login() implementation that always fails. It is linked, when Authy support is disabled, limiting the number of 'ifdefs' in the pam_google_authenticator.c code.
@ThomasHabets Hello Thomas, how shall we continue with this pull request? |
@krzole I've not had time to look at this more yet. Although now I'm wondering if it actually belongs in the same module. How is this better than having a separate PAM module that does authy? The fallback logic is normally done in the PAM config. |
This pull request adds push authentication using Authy (https://authy.com/). If Authy authentication fails, continue with the classic Google OTP. See README.authy.md how to install and use.