#!/usr/bin/env python
#
# -*- coding: utf-8 -*-
#
# 2016-03-03 Brandon Smith <[email protected]>
# Initial Creation
#
# (c) Brandon Smith
# Info: http://www.privacyidea.org
#
# This code is free software; you can redistribute it and/or
# modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
# License as published by the Free Software Foundation; either
# version 3 of the License, or any later version.
#
# This code is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU AFFERO GENERAL PUBLIC LICENSE for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import getpass,os,re,signal,subprocess,sys
import pexpect
__doc__ = """This is an ssh (and ssh-like) wrapper that uses pexpect to
interact with privacyIDEA's pam_python module for u2f challenge/response.
Usage:
Make executable
Symlink ssh-u2f, scp-u2f, sftp-u2f, mosh-u2f, etc. into your PATH
Call just like ssh, eg. "ssh-u2f [email protected]"
"""
# The spawned child (a pexpect.spawn object). It stays None until the child is
# started further down, so the signal handlers registered before then can tell
# whether there is a child to forward signals to.
ssh = None
def handler(signum, frame):
    """Relay a terminating signal to the ssh child, then exit with that number.

    Registered for SIGQUIT/SIGTERM/SIGINT; `frame` is unused. When no child has
    been spawned yet the process simply exits.
    """
    child = ssh
    if child:
        child.kill(signum)
    sys.exit(signum)
# Terminating signals are forwarded to the child rather than killing only this
# wrapper and leaving the ssh process behind.
for _sig in (signal.SIGQUIT, signal.SIGTERM, signal.SIGINT):
    signal.signal(_sig, handler)
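def winch_handler(signum, frame):
    """Propagate the terminal's current size to the child's pty.

    Registered for SIGWINCH and also called once right after the child is
    spawned (with signum/frame of None). Does nothing when no child exists or
    when `stty size` yields no usable size (e.g. there is no controlling tty),
    instead of failing inside a signal handler.
    """
    global ssh
    if not ssh:
        return
    # Close the pipe explicitly; the original left the popen object to the GC.
    with os.popen('stty size', 'r') as size_pipe:
        fields = size_pipe.read().split()
    if len(fields) != 2:
        # Without a tty stty prints nothing to stdout; keep the child's size as is.
        return
    rows, cols = fields
    ssh.setwinsize(int(rows), int(cols))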
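signal.signal(signal.SIGWINCH, winch_handler)
# The program to run is taken from the name this script was invoked as:
# "scp-u2f" -> "scp", "mosh-u2f" -> "mosh". Fall back to ssh when __file__ is
# unavailable (e.g. the code is exec'd rather than run as a script).
try:
    command = os.path.splitext(os.path.basename(__file__))[0].split("-")[0]
except Exception:
    # Narrowed from a bare except so SystemExit/KeyboardInterrupt still propagate.
    command = None
# Arguments are passed through as a list, so no shell is involved in spawning.
ssh = pexpect.spawn(command or "ssh", sys.argv[1:])
# Size the child's pty to the current terminal before the first prompt arrives.
winch_handler(None, None)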
def passthrough():
    """Hand the terminal over to the child and exit when the session ends.

    The text that triggered the hand-over was already consumed by expect(), so
    it is echoed first so the user sees it.
    """
    child = ssh
    matched_text = child.match.group()
    print()
    sys.stdout.write(matched_text)
    try:
        child.interact()
    except UnboundLocalError:
        pass  # Work around bug in pexpect 3.1
    sys.exit(0)
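# Drive the child: answer password/OTP prompts from the terminal, run the U2F
# challenge/response through u2f-host, and hand the terminal over to the child
# as soon as any other output (i.e. the remote shell) shows up.
while True:
    index = ssh.expect(["Authenticated with partial success.",
                        "([Pp]assword[^:\r\n]*|OTP): ?",
                        "----- BEGIN U2F CHALLENGE -----\r\n",
                        "[^ \r\n]+",
                        pexpect.EOF])
    if index == 0:
        # First factor accepted; the server will prompt for the second one.
        print(ssh.match.group())
    elif index == 1:
        # Password or OTP prompt: read it without echo and send it on. EOF on
        # the terminal (e.g. stdin closed) is answered with an empty line.
        try:
            pin = getpass.getpass(ssh.match.group())
        except EOFError:
            pin = ""
        ssh.sendline(pin.strip())
    elif index == 2:
        # Challenge block: origin line, challenge line, optional message, END
        # marker. The origin is forwarded to u2f-host exactly as the server
        # sent it; the token's signature is bound to it and the server is the
        # party that verifies the result.
        u2f_origin = ssh.readline().strip()
        u2f_challenge = ssh.readline().strip()
        ssh.expect("(.*)----- END U2F CHALLENGE -----")
        message = ssh.match.group(1).strip()
        print(message or "Interact with your U2F token.")
        p = subprocess.Popen(["u2f-host", "-aauthenticate", "-o", u2f_origin],
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE)
        # communicate() writes the challenge, closes stdin and waits for the
        # process to exit, so the former separate wait() was redundant.
        out, _ = p.communicate(u2f_challenge)
        if p.returncode != 0:
            # u2f-host's stderr is not captured, so its own error is already
            # on the terminal; say why the (likely empty) answer is still sent
            # so the server can finish the exchange instead of hanging.
            print("u2f-host exited with status %d" % p.returncode,
                  file=sys.stderr)
        ssh.sendline(out.strip())
    elif index == 3:
        passthrough()
    elif index == 4:
        sys.exit(0)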