Date: Fri, 31 Oct 2014 20:41:58 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 194723] New: update for variable time windows when using google_authenticator for totp authn
Message-ID: <bug-194723-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194723

Bug ID: 194723
Summary: update for variable time windows when using google_authenticator for totp authn
Product: Ports Tree
Version: Latest
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Only Me
Priority: Normal
Component: Individual Port(s)
Assignee: freebsd-ports-bugs@FreeBSD.org
Reporter: paul@dokas.name

I need to use pam_google_authenticator.so to authenticate users who have been issued TOTP hardware tokens. Unfortunately, the hardware tokens use a 60-second period and pam_google_authenticator is hardcoded for 30-second periods. Searching for a solution, I ran across this set of patches:

https://code.google.com/p/google-authenticator/issues/detail?id=192

I adapted it for security/pam_google_authenticator. The patches are below.

How-To-Repeat: Attempt to use pam_google_authenticator with devices that use anything other than 30-second periods.

Fix: Patch #1 for security/pam_google_authenticator/Makefile:

*** Makefile.orig Fri Oct 31 20:35:18 2014 --- ./Makefile Fri Oct 31 19:51:11 2014 *************** *** 3,8 **** --- 3,9 ---- PORTNAME= pam_google_authenticator PORTVERSION= 20140826 + PORTREVISION= 1 CATEGORIES= security MASTER_SITES= LOCAL/riggs/google-authenticator DISTNAME= google-authenticator-${PORTVERSION} *************** *** 12,21 **** --- 13,31 ---- LICENSE= APACHE20 + OPTIONS_DEFINE= STEPSIZE + STEPSIZE_DESC= Allow time steps other than the default of 30 seconds + USES= gmake PLIST_FILES= bin/google-authenticator lib/pam_google_authenticator.so + .include <bsd.port.options.mk> + + .if ${PORT_OPTIONS:MSTEPSIZE} + CFLAGS+= -DSTEPSIZE + .endif + do-install: ${INSTALL_PROGRAM} ${WRKSRC}/google-authenticator \ ${STAGEDIR}${PREFIX}/bin/google-authenticator

I also created a patch for pam_google_authenticator.c based on the URL in this PR's description. The following diff needs to be dropped into the port as security/pam_google_authenticator/files/patch-pam_google_authenticator.c.
------------------------------------CUT-HERE------------------------------------ *** pam_google_authenticator.c.orig Thu Jan 30 15:17:38 2014 --- pam_google_authenticator.c Fri Oct 31 19:42:43 2014 *************** *** 503,512 **** } #endif - static int get_timestamp(void) { - return get_time()/30; - } - static int comparator(const void *a, const void *b) { return *(unsigned int *)a - *(unsigned int *)b; } --- 503,508 ---- *************** *** 538,543 **** --- 534,574 ---- return NULL; } + #if !defined(STEPSIZE) + static int get_timestamp(void) { + return get_time()/30; + } + #else + static int get_timestamp(pam_handle_t *pamh, const char *secret_filename, + const char *buf) { + const char *value = get_cfg_value(pamh, "STEP_SIZE", buf); + if (!value) { + // Default step size is 30. + free((void *)value); + return 30; + } else if (value == &oom) { + // Out of memory. This is a fatal error. + return 0; + } + + char *endptr; + errno = 0; + int step = (int)strtoul(value, &endptr, 10); + if (errno || !*value || value == endptr || + (*endptr && *endptr != ' ' && *endptr != '\t' && + *endptr != '\n' && *endptr != '\r') || + step < 1 || step > 60) { + free((void *)value); + log_message(LOG_ERR, pamh, "Invalid STEP_SIZE option in \"%s\"", + secret_filename); + return 0; + } + free((void *)value); + + return get_time()/step; + } + #endif + static int set_cfg_value(pam_handle_t *pamh, const char *key, const char *val, char **buf) { size_t key_len = strlen(key); *************** *** 1162,1168 **** } // Compute verification codes and compare them with user input ! const int tm = get_timestamp(); const char *skew_str = get_cfg_value(pamh, "TIME_SKEW", *buf); if (skew_str == &oom) { // Out of memory. This is a fatal error --- 1193,1199 ---- } // Compute verification codes and compare them with user input ! const int tm = get_timestamp(pamh, secret_filename, *buf); const char *skew_str = get_cfg_value(pamh, "TIME_SKEW", *buf); if (skew_str == &oom) { // Out of memory. 
This is a fatal error ------------------------------------CUT-HERE------------------------------------

I tested these diffs with Feitian c200 TOTP tokens (http://www.ftsafe.com/product/otp/totp) and they work.
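Review bot: in the Makefile patch, the explicit `.include <bsd.port.options.mk>` / `.if ${PORT_OPTIONS:MSTEPSIZE}` / `CFLAGS+= -DSTEPSIZE` / `.endif` block can be collapsed to the options helper `STEPSIZE_CFLAGS= -DSTEPSIZE`, which the ports framework expands to the same thing and which keeps the option declaration in one place. Separately, nothing in the submission documents the new STEP_SIZE key that the module reads from the user's secret file, and the google-authenticator setup binary listed in PLIST_FILES is not changed to write it, so users of 60-second tokens will have to edit the secret file by hand; a pkg-message, or a sentence in STEPSIZE_DESC, describing how to set STEP_SIZE would help.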
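Review bot: the hunk at 503,512 deletes get_timestamp() only so that the hunk at 538,543 can re-add it below get_cfg_value(), which the new STEPSIZE variant calls. The non-STEPSIZE variant is byte-for-byte the old function, so the move doubles the diff for code that does not change; a one-line forward declaration of get_cfg_value() above the original get_timestamp() would keep the function in place and the patch minimal.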
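Review bot: in the STEPSIZE variant of get_timestamp() added in the hunk at 538,543, both the out-of-memory path (`value == &oom`) and the "Invalid STEP_SIZE option" path `return 0`, and the call site in the hunk at 1162,1168 assigns that straight into `const int tm` with no check, so a malformed STEP_SIZE is logged but authentication continues with tm == 0, i.e. the verification codes are computed for step counter 0 (plus the TIME_SKEW window) instead of for the current time. The original get_timestamp() could never fail, so the caller has no error check to inherit; suggest returning a distinct sentinel such as -1 and having the caller treat it as a fatal error the same way it treats `skew_str == &oom` two lines later. Minor points in the same hunk: `free((void *)value)` in the `!value` branch frees NULL and can be dropped, and the `step > 60` ceiling rejects any token period longer than one minute, which is fine if deliberate but should be stated next to the check.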
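Review bot: the call site in the hunk at 1162,1168 is changed unconditionally to `get_timestamp(pamh, secret_filename, *buf)`, but when STEPSIZE is not defined the function is still declared `static int get_timestamp(void)`, so the default build of the port (STEPSIZE is not in OPTIONS_DEFAULT) passes three arguments to a `(void)` prototype and will fail to compile. Either wrap the call site in the same `#if !defined(STEPSIZE)` / `#else` as the definitions, or give both variants the three-argument signature and let the non-STEPSIZE one ignore its parameters.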
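An added worked example, not taken from the bug report or from pam_google_authenticator: a small RFC 6238 TOTP implementation in Python with the time step as a parameter. Using the published RFC 4226/RFC 6238 test secret, it shows that a token counting 60-second steps produces a different code from a verifier that divides the same clock by 30, that a TIME_SKEW-style window of adjacent steps only hides the mismatch right at a step boundary, and a parse_step_size() helper that applies the same 1..60 range check as the patch's STEP_SIZE parsing but raises on bad input rather than returning 0. The function names, the window parameter and the test values are this example's own assumptions, not the module's API.

```python
import hashlib
import hmac
import struct

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# This is a published test vector, not a real token seed.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the step counter floor(T / step).
    pam_google_authenticator hardcodes step=30; a 60-second token uses
    step=60, so the two sides derive different counters from one clock."""
    return hotp(secret, unix_time // step, digits)


def parse_step_size(value):
    """Validate a STEP_SIZE setting with the same rules as the patch
    (decimal integer, 1..60, trailing whitespace tolerated), but raise on
    anything else so a misconfiguration fails closed instead of being
    handed back as a value the caller could mistake for a timestamp.
    A missing setting means the default of 30 seconds."""
    if value is None:
        return 30
    text = value.rstrip(" \t\r\n")
    if not text.isdecimal():
        raise ValueError("STEP_SIZE is not a positive decimal integer: %r" % value)
    step = int(text)
    if not 1 <= step <= 60:
        raise ValueError("STEP_SIZE out of range 1..60: %d" % step)
    return step


def verify(secret: bytes, code: str, unix_time: int, step: int = 30,
           window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step counter and `window` counters
    on either side (the TIME_SKEW idea), comparing in constant time.
    The window is measured in steps, so its width in seconds scales with
    `step`; negative counters (before the epoch) are skipped."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 test times
    print("step 30:", totp(RFC_TEST_SECRET, t),
          " step 60:", totp(RFC_TEST_SECRET, t, step=60))
    for raw in ("60", "60\n", None, "0", "90", "30x"):
        try:
            print(repr(raw), "->", parse_step_size(raw))
        except ValueError as err:
            print(repr(raw), "-> rejected:", err)
```

At T = 59 the 30-second verifier is on counter 1 while a 60-second token is still on counter 0, so the token's code only passes because the default window of one step happens to reach counter 0; one step later the two drift apart for good, which is the failure the reporter sees with unpatched pam_google_authenticator.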