google-authenticator-pam's Issues

Utility reports errors when config file contains non-utility options

It appears that the google-authenticator utility reports errors if it detects module-specific options in the config file.

aabdian@trusty:~$  cat /etc/google-authenticator.conf | egrep -v '^#|^$'
secret=/etc/google-authenticator/${USER}.secret
use_helper=/usr/sbin/gauth_chktoken
helper_owner=googleauth
time-based
disallow-reuse
label=trusty
qr-mode=ANSI
user=googleauth
aabdian@trusty:~$ google-authenticator
Unrecognized option "user=googleauth"
aabdian@trusty:~$

Failed to create secret file as non-root user when using helper

Getting this error when running google-authenticator utility as non-root user:

Failed to create "/etc/google-authenticator/aabdian.secret" (Permission denied)

Filesystem permissions & other settings are as follows:

root@trusty:~# ls -las /etc/google-authenticator
total 16
 4 drwxr-x---   2 googleauth googleauth  4096 Apr 23 14:26 .
12 drwxr-xr-x 135 root       root       12288 Apr 23 14:35 ..
root@trusty:~# ls -las /usr/sbin/gauth_chktoken /usr/local/bin/google-authenticator
60 -rwxr-xr-x 1 root       root       60423 Apr 23 13:10 /usr/local/bin/google-authenticator
52 -rwsr-sr-x 1 googleauth googleauth 50192 Apr 23 14:17 /usr/sbin/gauth_chktoken
root@trusty:~# egrep -v '^$|^#' /etc/google-authenticator.conf
secret=/etc/google-authenticator/${USER}.secret
use_helper=/usr/sbin/gauth_chktoken
helper_owner=googleauth
time-based
disallow-reuse
label=trusty
qr-mode=ANSI
root@trusty:~#

It makes sense that the user should get a permission denied error, because the use case here is that users cannot be trusted to maintain their own secret file. But to allow the user to run the utility and get right to the end isn't desirable either. I can see two options:

Option 1. If the utility cannot write to the correct location, prompt the user with something along the lines of:

Failed to create "/etc/google-authenticator/aabdian.secret" (Permission denied)
You can save this file to your home directory instead. Note: Even if you say yes here, you still may need to ask your system administrator to copy this file to "/etc/google-authenticator/aabdian.secret" before your token becomes active.
Would you like this file to be written to "~/.google_authenticator" instead? (y/n)

Option 2. Abort straight away if the utility cannot write to the secret file (i.e., don't wait until the end).
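The fail-fast behaviour of Option 2, as an added example in C that is not code from google-authenticator-pam: it expands the secret= template from the report and checks up front whether the current user could create the file. The single ${USER} placeholder syntax and the access()-based pre-flight check are my own assumptions about how such a check would look, not the utility's actual logic.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not part of google-authenticator-pam. It implements the
 * fail-fast behaviour of Option 2: expand the secret= template and test up
 * front whether this user could create the file, before any secret is
 * generated or any prompt is shown. Assumes a single ${USER} placeholder. */

/* Expand ${USER} in tmpl into out. Returns 0 on success, -1 if truncated. */
static int expand_secret_path(const char *tmpl, const char *user,
                              char *out, size_t n) {
    const char *tag = "${USER}";
    const char *p = strstr(tmpl, tag);
    int len = p ? snprintf(out, n, "%.*s%s%s", (int)(p - tmpl), tmpl,
                           user, p + strlen(tag))
                : snprintf(out, n, "%s", tmpl);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Return 1 if a new file at path could be created by this process: its
 * directory must exist and be writable and searchable for the real uid.
 * This is a pre-flight hint only (access() is racy by nature); the real
 * open() must still be checked when the file is finally written. */
static int can_create_file(const char *path) {
    char dir[4096];
    const char *slash = strrchr(path, '/');
    size_t dl = slash ? (size_t)(slash - path) : 0;
    if (!slash) strcpy(dir, ".");                 /* relative name: cwd */
    else if (dl == 0) strcpy(dir, "/");           /* file directly under / */
    else if (dl >= sizeof dir) return 0;          /* directory name too long */
    else { memcpy(dir, path, dl); dir[dl] = '\0'; }
    return access(dir, W_OK | X_OK) == 0;
}

int main(void) {
    char path[4096];
    /* constructed input: the template and user name from the issue report */
    if (expand_secret_path("/etc/google-authenticator/${USER}.secret",
                           "aabdian", path, sizeof path) != 0)
        return 1;
    if (!can_create_file(path)) {
        fprintf(stderr, "Cannot create \"%s\": aborting before generating a secret\n", path);
        return 1;
    }
    printf("secret would be written to %s\n", path);
    return 0;
}
```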

Executing a program via sudo fails: stdin is not a tty

When using the google authenticator PAM module for sudo, I get the following error:

aabdian@trusty:~$ sudo su -
[sudo] password for aabdian:
Verification code:
stdin: is not a tty
aabdian@trusty:~$

I can see that I have authenticated successfully because when I re-run the command it works without prompting me to authenticate:

aabdian@trusty:~$ sudo su -
root@trusty:~#

Here is a copy of my pam config file for sudo:

root@trusty:/etc/pam.d# cat /etc/pam.d/sudo
#%PAM-1.0

auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

auth    [success=ok default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_google_authenticator.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

@include common-account
@include common-session-noninteractive
root@trusty:/etc/pam.d#

Failed to change ownership of secret file to helper_owner when running utility as non-root user

When running the utility (as a non-root user) with the -s option and helper_owner is defined in /etc/google-authenticator.conf, I get the following error:

aabdian@trusty:~$ google-authenticator -s ~/.google_authenticator -l aabdian@trusty
<truncated>
Do you want me to update your "/home/aabdian/.google_authenticator" file (y/n) y
<truncated>
Failed to chown /home/aabdian/.google_authenticator as googleauth: Operation not permitted

Settings in /etc/google-authenticator.conf are:

aabdian@trusty:~$ egrep -v '^$|^#' /etc/google-authenticator.conf
secret=/etc/google-authenticator/${USER}.secret
use_helper=/usr/sbin/gauth_chktoken
helper_owner=googleauth
time-based
disallow-reuse
label=trusty
qr-mode=ANSI
aabdian@trusty:~$

I think the solution here is to simply not attempt to change the ownership of the secret file if the utility is being run as a non-root user.

Compiler warnings

Compiled on Ubuntu Trusty (14.04)

aabdian@trusty:~/src/google-authenticator-PAM/libpam$ uname -a
Linux trusty 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


aabdian@trusty:~/src/google-authenticator-PAM/libpam$ make
# cc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator.o pam_google_authenticator.c
pam_google_authenticator.c: In function ‘log_message’:
pam_google_authenticator.c:90:3: warning: format not a string literal and no format arguments [-Wformat-security]
   syslog(priority, current_msg);
   ^
pam_google_authenticator.c: In function ‘auth_helper’:
pam_google_authenticator.c:720:22: warning: suggest parentheses around comparison in operand of ‘&’ [-Wparentheses]
     for(int i = 0; i < 2 & !pw; i++){
                      ^
# cc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o support.o support.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c  -fvisibility=hidden  -o support.o support.c
cc -shared -g   -o pam_google_authenticator.so pam_google_authenticator.o support.o base32.o hmac.o sha1.o -lpam
# cc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c  -fvisibility=hidden  -o demo.o demo.c
demo.c: In function ‘pam_get_item’:
demo.c:88:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &service, sizeof(&service));
                                    ^
demo.c:93:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &user, sizeof(&user));
                                 ^
# cc -DDEMO --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
cc -DDEMO --std=gnu99 -Wall -O0 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_demo.o pam_google_authenticator.c
pam_google_authenticator.c: In function ‘log_message’:
pam_google_authenticator.c:90:3: warning: format not a string literal and no format arguments [-Wformat-security]
   syslog(priority, current_msg);
   ^
pam_google_authenticator.c: In function ‘auth_helper’:
pam_google_authenticator.c:720:22: warning: suggest parentheses around comparison in operand of ‘&’ [-Wparentheses]
     for(int i = 0; i < 2 & !pw; i++){
                      ^
cc -g   -rdynamic -o demo demo.o pam_google_authenticator_demo.o support.o base32.o hmac.o sha1.o  -ldl
# cc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o gauth_chktoken.o gauth_chktoken.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c  -fvisibility=hidden  -o gauth_chktoken.o gauth_chktoken.c
cc -g   -o gauth_chktoken gauth_chktoken.o support.o base32.o hmac.o sha1.o  -ldl
cc -DTESTING --std=gnu99 -Wall -O0 -g -fPIC -c  -fvisibility=hidden  -o gauth_chktoken_testing.o gauth_chktoken.c
cc -DTESTING --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o support_testing.o support.c
cc -g   -o gauth_chktoken_testing gauth_chktoken_testing.o support_testing.o base32.o hmac.o sha1.o  -ldl
cc -DTESTING --std=gnu99 -Wall -O0 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_testing.o pam_google_authenticator.c
pam_google_authenticator.c: In function ‘log_message’:
pam_google_authenticator.c:90:3: warning: format not a string literal and no format arguments [-Wformat-security]
   syslog(priority, current_msg);
   ^
pam_google_authenticator.c: In function ‘auth_helper’:
pam_google_authenticator.c:720:22: warning: suggest parentheses around comparison in operand of ‘&’ [-Wparentheses]
     for(int i = 0; i < 2 & !pw; i++){
                      ^
pam_google_authenticator.c: At top level:
pam_google_authenticator.c:522:12: warning: ‘parse_config_file’ defined but not used [-Wunused-function]
 static int parse_config_file(pam_handle_t *pamh, Params *params) {
            ^
cc -shared -g   -o pam_google_authenticator_testing.so pam_google_authenticator_testing.o support_testing.o base32.o hmac.o sha1.o -lpam
# cc --std=gnu99 -Wall -O2 -g -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
cc --std=gnu99 -Wall -g -O0 -fno-inline -fPIC -c  -fvisibility=hidden  -o pam_google_authenticator_unittest.o pam_google_authenticator_unittest.c
pam_google_authenticator_unittest.c: In function ‘pam_get_item’:
pam_google_authenticator_unittest.c:84:36: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &service, sizeof(&service));
                                    ^
pam_google_authenticator_unittest.c:89:33: warning: argument to ‘sizeof’ in ‘memcpy’ call is the same expression as the source; did you mean to remove the addressof? [-Wsizeof-pointer-memaccess]
       memcpy(item, &user, sizeof(&user));
                                 ^
In file included from pam_google_authenticator_unittest.c:19:0:
pam_google_authenticator_unittest.c: In function ‘main’:
pam_google_authenticator_unittest.c:498:63: warning: argument to ‘sizeof’ in ‘memcmp’ call is the same expression as the second source; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess]
         assert(!memcmp(rate_limit + 13, rate_limit_exp, sizeof(rate_limit_exp)));
                                                               ^
cc -g   -rdynamic -o pam_google_authenticator_unittest pam_google_authenticator_unittest.o base32.o hmac.o sha1.o -lc  -ldl
aabdian@trusty:~/src/google-authenticator-PAM/libpam$
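What the -Wformat-security warning on `syslog(priority, current_msg)` above is about, as an added example that is not code from the project: snprintf() stands in for syslog() so the result can be inspected, and the message is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from google-authenticator-pam. It shows what gcc's
 * -Wformat-security warning on `syslog(priority, current_msg)` means: a message
 * passed as the *format* is parsed for conversion specifiers, so any '%' that
 * reached it from data the module did not construct (a path, a user name)
 * changes what is logged. snprintf() stands in for syslog() so the result
 * can be inspected; both take a printf-style format. */

/* The flagged pattern: the message is the format string. The warning is
 * suppressed here only so the demonstration compiles; a message containing
 * anything but "%%" would be undefined behaviour in this function. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_unsafe(char *out, size_t n, const char *current_msg) {
    return snprintf(out, n, current_msg);
}
#pragma GCC diagnostic pop

/* Hardened form: literal format, the message is only ever an argument. */
static int log_safe(char *out, size_t n, const char *current_msg) {
    return snprintf(out, n, "%s", current_msg);
}

/* Pre-flight check a logging wrapper can apply to untrusted text: returns 1
 * if msg contains any '%' that is not the literal escape "%%". */
static int has_format_directive(const char *msg) {
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent */
        return 1;                            /* a directive or a dangling '%' */
    }
    return 0;
}

int main(void) {
    /* constructed sample: a log line built from a file name containing "%%" */
    const char *msg = "Failed to create \"/home/aabdian/100%%.secret\"";
    char buf[128];
    log_unsafe(buf, sizeof buf, msg);
    printf("unsafe: %s\n", buf);   /* the "%%" has been consumed as an escape */
    log_safe(buf, sizeof buf, msg);
    printf("safe:   %s\n", buf);   /* the message is reproduced verbatim */
    printf("directive check: %d\n", has_format_directive(msg));
    return 0;
}
```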
