
Comments (5)

ben-duo commented on August 15, 2024

Thank you for this observation! We will try to add it to our duo_unix documentation page in the future.

from duo_unix.

doublerebel commented on August 15, 2024

Great script! Definitely should be in the docs.

This script also runs when scp connects; however, during scp there is no tty available and pkill throws an error. Best to add a check to prevent the error. Here is an example of a SmartOS version:

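# Drop the first four characters of SSH_TTY; empty when no tty is allocated (scp)
TTY=${SSH_TTY:4}
/opt/local/sbin/login_duo
if [ $? -ne 0 ]; then
  echo "You are not authorized! Bye Bye!"
  # Only hang up the terminal when one exists
  if [[ "$TTY" != "" ]]; then pkill -HUP -t "$TTY"; fi
fi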


shinji257 commented on August 15, 2024

Interesting observation; however, given that, it also means that it won't kill the session for scp at all. We would need to identify a different way to cut off the session in the event it is denied by login_duo; otherwise it will connect regardless of whether it is approved or denied.

Just for the heck of it I checked sftp and it has a TTY generated, but when I checked scp it didn't, so that is weird or maybe that is expected behavior. Either way, I don't think there is an effective way to terminate the session at this point, which makes Duo quite ineffective for scp transfers.

if [ ! -z "$SSH_TTY" ] ; then "$HOME/sbin/login_duo" -c "$HOME/etc/duo/login_duo.conf"; if [ $? -ne 0 ] ; then echo "You are not authorized! Bye Bye!"; pkill -SIGHUP -t "$SSH_TTY"; fi; fi

The above is a one-liner now... It is wrapped in an if statement to check for a non-zero SSH_TTY variable before executing, so it will skip it on any session that has no tty allocated and silence the error. If someone can figure out how to kill the session when a tty is not allocated, then feel free to provide input on that front, as I'd be interested as well.


doublerebel commented on August 15, 2024

@shinji257 On SmartOS (Joyent), my updated script does terminate the scp session if I deny the request through Duo. What platform/OS are you testing with?


shinji257 commented on August 15, 2024

@doublerebel Well, it would have been NetBSD, but I have not had it set up on that server for a long time. From what I remembered, login_duo just exited with a return value to be checked. Maybe scp is handling this directly and closing the session?
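
One way to fail closed for the tty-less scp case discussed in this thread, written as an added example that is not code from any commenter or from duo_unix. Assumed here: the function names `deny_action` and `duo_gate`, that the file is sourced from the login shell's startup file (so `exit` ends the shell before the remote command runs), and the `pkill -t` argument form.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: function names, and that this
# file is sourced from the login shell's startup file, so `exit` ends the session.

# Map the check's exit status and SSH_TTY to an action name (printed on stdout).
deny_action() {
  if [ "$1" -eq 0 ]; then
    echo allow
  elif [ -n "$2" ]; then
    echo hangup-tty   # interactive login: a terminal exists to hang up
  else
    echo exit-shell   # scp / remote command: no tty, so leave the shell
  fi
}

# Run the second-factor command given as arguments; never return on denial.
duo_gate() {
  gate_status=0
  "$@" || gate_status=$?
  gate_action=$(deny_action "$gate_status" "${SSH_TTY:-}")
  [ "$gate_action" = allow ] && return 0
  # stderr only: stdout text from a startup file corrupts the scp/sftp stream
  echo "You are not authorized! Bye Bye!" >&2
  if [ "$gate_action" = hangup-tty ]; then
    # Assumption: pkill -t wants the name without /dev/ (procps behaviour);
    # the thread uses other spellings on SmartOS and NetBSD.
    pkill -HUP -t "${SSH_TTY#/dev/}" || true
  fi
  exit 1   # reached with or without a tty, so a denied session cannot continue
}

# Usage, with the path and -c option from the one-liner above:
#   duo_gate "$HOME/sbin/login_duo" -c "$HOME/etc/duo/login_duo.conf"
```

Because the final `exit 1` does not depend on `pkill` finding a terminal, a denied check ends the shell in both the interactive and the scp case.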
