From 64a61654368eef4c9a82cea7ab7b74b1010ddcb0 Mon Sep 17 00:00:00 2001
From: Dave Acklam
Date: Mon, 21 Jun 2021 12:32:45 -0700
Subject: [PATCH 1/2] Update pam_linotp.py

If server-messages were sent back to the client, the 'Otp:' prompt would be overwritten, resulting in no actual request for user action. This results in: bash$ sudo -i [sudo] password for a_unixuser: e-mail sent successfully The system would then hang at the end of 'successfully' waiting for unprompted input. If the user does not know to type their OTP, or presses 'enter' to see if the system is hung, auth fails. This change re-appends said prompt to the end of the challenge message, before it is sent back to PAM. [sudo] password for a_unixuser: e-mail sent successfully - OTP:
---
 src/pam_linotp.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/pam_linotp.py b/src/pam_linotp.py
index c6a9716..b64523f 100644
--- a/src/pam_linotp.py
+++ b/src/pam_linotp.py
@@ -213,7 +213,9 @@ def check_response( pamh, ret, user, config ):
 elif len( ret ) > len( LINOTP_REJECT ) and ret.startswith( LINOTP_REJECT ):
 syslog.syslog( "in challenge mode" )
 parts = ret.split( ' ' )
- challenge = "Otp: "
+ ## What you want users to be prompted for
+ challenge_prompt = "OTP:"
+ challenge = challenge_prompt
 state = ""
 if len( parts ) > 1:
@@ -223,7 +225,8 @@ def check_response( pamh, ret, user, config ):
 del parts[0]
 del parts[0]
 challenge = " ".join( parts )
-
+ ## The original OTP prompt was overwritten by the message from the server. Add it back.
+ challenge=challenge+" - "+challenge_prompt
 msg = pamh.Message( pamh.PAM_PROMPT_ECHO_OFF, challenge )
 rsp = pamh.conversation( msg )
 pamh.authtok = rsp.resp
From 25fe64d243059743c489c4edcf1127c2170f20b5 Mon Sep 17 00:00:00 2001
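Review bot: The new `challenge_prompt = "OTP:"` drops the trailing space that the removed `"Otp: "` carried, so in the branch where the server sends no message (`len( parts ) <= 1`) the user's typing now runs straight into the colon; `challenge_prompt = "OTP: "` keeps the old spacing for both the bare prompt and the appended suffix. The `##` comment marker also differs from the single `#` used elsewhere in this file (`# split the config parameters`). The enclosing check_response starts before this hunk and continues after it.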
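Review bot: `challenge = " ".join( parts )` is text copied verbatim from the LinOTP server's reply, and with the prompt now appended to it the whole string goes to the user's terminal through pamh.conversation, so a reply containing newlines or terminal escape sequences (from a misbehaving server, or from anyone able to tamper with the connection) can push the ` - OTP:` suffix off screen or forge a different prompt, defeating the purpose of this change. Consider filtering the server text before appending, e.g. `challenge = "".join( c for c in challenge if 0x20 <= ord( c ) < 0x7f )`, or at least stripping `\r`, `\n` and `\x1b` if non-ASCII messages are expected. The added `challenge=challenge+" - "+challenge_prompt` also omits the spaces around `=` and `+` that the surrounding lines use. check_response's body continues on both sides of this hunk.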
From: Dave Acklam
Date: Mon, 21 Jun 2021 13:10:50 -0700
Subject: [PATCH 2/2] Make 'nosslcertverify' option work properly,

Adds the ability to use self-signed certs via a 'nosslcertverify' parameter. Default behavior remains 'verify all ssl certificates'.
---
 src/pam_linotp.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/pam_linotp.py b/src/pam_linotp.py
index b64523f..ed2d594 100644
--- a/src/pam_linotp.py
+++ b/src/pam_linotp.py
@@ -75,6 +75,7 @@ import urllib
 import urllib2
 import pwd
+import ssl
 LINOTP_FAIL = ":-/"
 LINOTP_OK = ":-)"
@@ -96,7 +97,16 @@ def get_config( argv ):
 # split the config parameters
 if "debug" in argv:
 config["debug"] = True
-
+ # Make nosslcertverify option work, allow people to use self-signed certs
+ if "nosslcertverify" in argv:
+ try:
+ _create_unverified_https_context = ssl._create_unverified_context
+ except AttributeError:
+ # Legacy Python that doesn't verify HTTPS certificates by default
+ pass
+ else:
+ # Handle target environment that doesn't support HTTPS verification
+ ssl._create_default_https_context = _create_unverified_https_context
 # parse parameter
 for arg in argv:
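Review bot: `ssl._create_default_https_context = _create_unverified_https_context` turns off certificate verification for every HTTPS connection the interpreter makes, not only the LinOTP request, and it does so silently from get_config inside whatever process is authenticating (sudo, sshd, login). Because this module decides on the text of the server's reply (`LINOTP_OK = ":-)"` in the hunk above), an on-path attacker against an unverified connection can answer with that string and pass authentication for any user, so at minimum the option should be recorded and logged like `debug` is: `syslog.syslog( syslog.LOG_WARNING, "nosslcertverify set: LinOTP server certificate will not be verified" )` followed by `config["nosslcertverify"] = True`. The stated use case, self-signed certificates, is better served by a `cacert=/path/to/ca.pem` parameter handed to the request as `context=ssl.create_default_context( cafile=... )`, which keeps verification on; that urlopen call is outside this hunk. Both `ssl._create_unverified_context` and `ssl._create_default_https_context` are private names with no compatibility guarantee. get_config continues past the end of this hunk.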