Merge pull request #2 from pyama86/pam

add pam wrapper
pyama86 · Feb 11, 2020 · 3f618c6 · 3f618c6
2 parents 7a33c2b + 9563a23
commit 3f618c6
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -6,15 +6,41 @@ this provides you with multi-factor authentication.
 
 ![demo](https://github.com/pyama86/google-web-oauth/blob/master/media/demo.gif)
 ## Usage
+### USE PAM
+for ubuntu
 
 1. Get the oAuth client ID on google.
 2. Please place the secret file to `/etc/google-web-oauth/client_secret.json`
-3. Write the following in sshd_config and restart sshd process.
+3. set binary.
+   - /lib/x86_64-linux-gnu/security/google-web-oauth.so
+   - /usr/bin/google-web-oauth
+4. Write the following in /etc/pam.d/sshd
+```
+auth    required google-web-oauth.so
+#@include common-auth # must comment out.
+```
+
+5. Write the following in sshd_config and restart sshd process.
 
 ```
-ForceCommand sudo SSH_CONNECTION="$SSH_CONNECTION" /usr/bin/google-web-oauth && eval ${SSH_ORIGINAL_COMMAND:-/bin/bash}
+KbdInteractiveAuthentication yes
+UsePAM yes
+AuthenticationMethods publickey,keyboard-interactive
 ```
 
+### USE SSH
+
+> In this case, they skip ForceCommand when use ProxyCommand, it is vulnerable...
+
+1. Get the oAuth client ID on google.
+2. Please place the secret file to `/etc/google-web-oauth/client_secret.json`
+3. set binary.
+   - /usr/bin/google-web-oauth
+4. Write the following in sshd_config and restart sshd process.
+
+```
+ForceCommand sudo SSH_CONNECTION="$SSH_CONNECTION" /usr/bin/google-web-oauth && eval ${SSH_ORIGINAL_COMMAND:-/bin/bash}
+```
 
 ## blog
 - [SSHログイン時に公開鍵認証とGoogle OAuthで多要素認証する](https://ten-snapon.com/archives/2306)

diff --git a/pam/pam.c b/pam/pam.c
@@ -51,21 +51,36 @@ static char *request_pass(pam_handle_t *pamh, int echocode, PAM_CONST char *prom
   return ret;
 }
 
-int exec_cmd(const char *user, char *cmd, char *arg, char *res)
+int exec_cmd(pam_handle_t *pamh, char *cmd, char *arg, char *res)
 {
+  const char *user;
+  const void *void_from = NULL;
+  const char *from;
   FILE *fp;
   char *c;
+  char user_env[MAXBUF], host_env[MAXBUF];
   char buf[MAXBUF];
+  if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL || *user == '\0') {
+    return PAM_USER_UNKNOWN;
+  }
+  sprintf(user_env, "USER=%s", user);
+  putenv(user_env);
+
+  if (pam_get_item(pamh, PAM_RHOST, &void_from) != PAM_SUCCESS) {
+    return PAM_ABORT;
+  }
+
+  from = void_from;
+  sprintf(host_env, "SSH_CONNECTION=%s", from);
+  putenv(host_env);
+
   if (arg != NULL) {
     c = malloc(strlen(cmd) + strlen(arg) + 2);
     sprintf(c, "%s %s", cmd, arg);
   } else {
     c = cmd;
   }
 
-  sprintf(buf, "USER=%s", user);
-  putenv(buf);
-
   if ((fp = popen(c, "r")) == NULL) {
     goto err;
   }
@@ -91,16 +106,9 @@ int exec_cmd(const char *user, char *cmd, char *arg, char *res)
 
 int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-  const char *user;
-  int retval;
   char buf[MAXBUF], res[MAXBUF];
-  retval = pam_get_item(pamh, PAM_USER, (void *)&user);
-
-  if (retval != PAM_SUCCESS) {
-    return retval;
-  }
+  int ret = exec_cmd(pamh, "/usr/bin/google-web-oauth", "-only-url", res);
 
-  int ret = exec_cmd(user, "/usr/bin/google-web-oauth", "-only-url", res);
   if (ret != 0) {
     return PAM_AUTHINFO_UNAVAIL;
   }
@@ -112,7 +120,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar
   }
 
   sprintf(buf, "-code %s", code);
-  ret = exec_cmd(user, "/usr/bin/google-web-oauth", buf, res);
+  ret = exec_cmd(pamh, "/usr/bin/google-web-oauth", buf, res);
   if (ret != 0) {
     goto err;
   }