From 5301a3c5bbdd55b12c87af080b08b8cd6889453b Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Sat, 14 Jun 2014 04:33:38 +0930 Subject: [PATCH 01/16] Add support for a grace time period, so that two-factor authentication is not required if a successful login was completed recently --- authy-ssh | 130 +++++++++++++++++++++++++++++++++++++++++----- authy-ssh.sha1sum | 2 +- 2 files changed, 117 insertions(+), 15 deletions(-) diff --git a/authy-ssh b/authy-ssh index 405c14a..123cb21 100755 --- a/authy-ssh +++ b/authy-ssh @@ -4,6 +4,8 @@ VERSION="1.4" AUTHY_URL="https://api.authy.com" APP_ROOT=`dirname $0` CONFIG_FILE="$APP_ROOT/authy-ssh.conf" +LAST_LOGIN_FOLDER="$HOME/.authy-ssh/" +LAST_LOGIN_FILE="$LAST_LOGIN_FOLDER/last-login" UPSTREAM_URL="https://raw.github.com/authy/authy-ssh/master/authy-ssh" READ_TIMEOUT=60 @@ -40,7 +42,7 @@ function escape_input() { } function escape_number() { - sed 's/[^0-9]*//g' <<< $* + sed 's/^-?[0-9]*//g' <<< $* } function read_input() { @@ -53,6 +55,19 @@ function read_number() { echo "$(escape_number $number)" } +function get_date() { + echo "$(date +%s)" +} + +function update_last_login() { + mkdir -p "$LAST_LOGIN_FOLDER" + echo "$USER|$(get_date)|$(get_ssh_client_ip)" > $LAST_LOGIN_FILE +} + +function get_ssh_client_ip() { + echo "$(echo $SSH_CLIENT | awk '{ print $1}')" +} + function require_root() { debug "Checking if user is root" find_sshd_config 
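Review bot: `LAST_LOGIN_FILE` lives under the user's own `$HOME`, so the record that later short-circuits two-factor is writable by the very account it protects and by anything running as that account; it can only ever be a hint, and the consumer has to validate it (owner, non-future timestamp, non-empty address) rather than trust it. The trailing slash on `LAST_LOGIN_FOLDER` plus the `/` in `LAST_LOGIN_FILE` also produces `$HOME/.authy-ssh//last-login`; `LAST_LOGIN_FOLDER="$HOME/.authy-ssh"` keeps the path clean. A comment on both lines saying the file is per-user state, not a trusted store, would spare the next reader the same investigation.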
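Review bot: The new `escape_number` no longer strips anything: in sed's basic regex a bare `?` is a literal character, so `s/^-?[0-9]*//g` only matches inputs that literally begin with `-?`, and even read as an extended-regex quantifier it would delete the digits and keep the rest, the inverse of the old `s/[^0-9]*//g`. `authy_id` and `authy_token` still go through this function (`authy_id="$(escape_number $2)"`, `authy_token="$(escape_number $AUTHY_TOKEN)"`) before, presumably, being interpolated into the `${url}` handed to curl, so the change removes the only sanitisation on those values. To admit a leading minus while still dropping everything else, `sed 's/[^0-9-]//g' <<< "$*"`, and leave exact validation to the `^(-1|[0-9]+)$` checks in register_user and protect_user.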
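Review bot: `update_last_login` redirects to `$LAST_LOGIN_FILE` unquoted and ignores a failed `mkdir -p`, so an unwritable or space-containing `$HOME` produces a bash error in the middle of the login path instead of a clean fallback; `mkdir -p "$LAST_LOGIN_FOLDER" || return $FAIL` and `> "$LAST_LOGIN_FILE"` make that explicit. When `SSH_CLIENT` is unset the third field is written empty, and because `IFS="|"` drops a trailing empty field the later `${last_login[2]} == $(get_ssh_client_ip)` comparison in check_grace_period matches another empty-address session; record `-` (or refuse to write) when `get_ssh_client_ip` yields nothing. `get_ssh_client_ip` is defined after its first use, which bash tolerates at call time, but a one-line comment stating the `user|epoch|ip` record format would help whoever next parses this file.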
@@ -183,16 +198,20 @@ function install_authy() { if [[ $SUDO_USER ]] then - green " sudo ${dest} enable $SUDO_USER " - green " Example: sudo $0 enable $SUDO_USER myuser@example.com 1 401-390-9987" + green " sudo ${dest} enable $SUDO_USER [grace-period]" + green " Example: sudo $0 enable $SUDO_USER myuser@example.com 1 401-390-9987 -1" else - green " sudo ${dest} enable $USER " - green " Example: sudo $0 enable $USER myuser@example.com 1 401-390-9987" + green " sudo ${dest} enable $USER [grace-period]" + green " Example: sudo $0 enable $USER myuser@example.com 1 401-390-9987 -1" fi echo "" echo "To enable two-factor authentication on user account type: " echo "" - green " sudo ${dest} enable " + green " sudo ${dest} enable [grace-period]" + echo "" + echo "Where grace-period, optionally, specify the number of seconds two-factor authentication will not be" + echo " required for creating a new session, after a successful login, from the same user and IP address." + echo " Using the value of -1 will always require two-factor authentication and is the default if not specified." echo "" echo "To uninstall Authy SSH type:" echo "" 
@@ -261,6 +280,46 @@ function check_api_key() { return $OK } +function check_grace_period() { + # check if we have a last login file + if [[ -f "$LAST_LOGIN_FILE" ]] + then + # read in the last_login file, don't use colons: ipv6! + IFS="|"; declare -a last_login=($(head -n 1 "$LAST_LOGIN_FILE")) + # if the user in the file is current user and the IP matches + if [[ ${last_login[0]} == $USER && ${last_login[2]} == $(get_ssh_client_ip) ]] + then + grace_period="$(escape_number "$1")" + + # if grace_period not sent in by key + if [ -z $grace_period ] + then + # read in the user config + for user in `read_config user` + do + IFS=":"; declare -a authy_user=($user) + # for this user, check if it has a grace period + if [[ ${authy_user[0]} == $USER && ${#authy_user[@]} -gt 2 && $(escape_number ${authy_user[2]}) -gt -1 ]] + then + grace_period="$(escape_number ${authy_user[2]})" + fi + done + fi + + # once we have grace period + if [ ! -z $grace_period ] + then + # if last login time plus grace period is less than current time + if [[ $(($(escape_number ${last_login[1]}) + $grace_period)) -ge $(escape_number $(get_date)) ]] + then + return $OK + fi + fi + fi + fi + return $FAIL +} + # Usage: $(read_config banner) function read_config() { key="$1" @@ -316,8 +375,20 @@ function protect_user() { then exit $FAIL fi + + echo -n "Enter your desired grace-period (in seconds) [-1]: " + read grace_period + + if [[ $grace_period == "" ]] + then + grace_period=-1 + elif ! [[ $grace_period =~ ^(-1|[0-9]+)$ ]] + then + yellow "grace-period is invalid" + exit $FAIL + fi - echo "command=\"$COMMAND login $authy_user_id\" $ssh_key" >> "${auth_keys}" + echo "command=\"$COMMAND login $authy_user_id $grace_period\" $ssh_key" >> "${auth_keys}" if [[ $(whoami) == "root" ]] then chown "$local_user" "$auth_keys" 
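Review bot: `check_grace_period` treats the documented "always require" value -1 as a one-second window rather than as disabled: with `grace_period=-1` the final test becomes `last_login_time - 1 -ge now`, which is false only as long as the stored timestamp is not ahead of the clock, and the timestamp comes from the user-writable `$HOME/.authy-ssh/last-login`. A negative period should return `$FAIL` before the file is consulted, and a timestamp later than `get_date` should be rejected outright. The `IFS="|"` and `IFS=":"` assignments are global and never restored, so after this call every unquoted expansion in the caller, including the `seq 1 $times` loop, is split on `:` instead of whitespace; scoping IFS to a `read` command avoids that, and `read -r -a` also does not glob-expand the file contents the way `declare -a x=($(...))` does. The rewrite below keeps the config fallback where it is and only changes the file handling.

```shell
function check_grace_period() {
  grace_period="$(escape_number "$1")"

  # … unchanged: fall back to the third field of the matching user= line from read_config
  #   (use `IFS=':' read -r -a authy_user <<< "$user"` there so IFS stays scoped to that read) …

  # A missing or negative period means "always require a token": never consult the file.
  if [[ -z $grace_period || $grace_period -lt 0 || ! -f "$LAST_LOGIN_FILE" ]]
  then
    return $FAIL
  fi

  # IFS applies to this read only; the file is user-owned, so every field is validated.
  IFS='|' read -r last_user last_time last_ip < "$LAST_LOGIN_FILE"
  now="$(get_date)"
  if [[ $last_time =~ ^[0-9]+$ && $last_time -le $now \
        && $last_user == "$USER" \
        && -n $last_ip && $last_ip == "$(get_ssh_client_ip)" \
        && $((last_time + grace_period)) -ge $now ]]
  then
    return $OK
  fi
  return $FAIL
}
```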
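Review bot: The grace-period prompt and its `^(-1|[0-9]+)$` check in protect_user duplicate the block added to register_user in the next hunk (`@@ -334,9 +405,19`); a shared `validate_grace_period` helper that returns `$FAIL` on mismatch would keep the accepted syntax and the two "grace-period is invalid" messages from drifting. `read grace_period` should be `read -r grace_period` so a backslash in the answer reaches the validation unchanged.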
@@ -325,7 +396,7 @@ function protect_user() { green "The user is now protected with authy" } -# usage: register_user "local_user" "" "" "" +# usage: register_user "local_user" "" "" "" "" function register_user() { register_user_on_authy $* @@ -334,9 +405,19 @@ function register_user() { exit $FAIL fi - if [[ $authy_user_id ]] + grace_period="$(escape_number $5)" + if [ -z $grace_period ] + then + grace_period=-1 + elif ! [[ $grace_period =~ ^(-1|[0-9]+)$ ]] + then + yellow "grace-period is invalid" + exit $FAIL + fi + + if [[ $authy_user_id && $grace_period ]] then - echo "user=$local_user:$authy_user_id" >> $CONFIG_FILE + echo "user=$local_user:$authy_user_id:$grace_period" >> $CONFIG_FILE green "User was registered" else red "Cannot register user: $response" @@ -518,6 +599,8 @@ function login() { fi fi + update_last_login + if [[ $mode != "test" ]] then run_shell @@ -554,6 +637,7 @@ function request_sms() { function ask_token_and_log_user_in() { mode="$(escape_input $1)" authy_id="$(escape_number $2)" + grace_period="$(escape_number $3)" if [[ $authy_id == "" ]] then @@ -578,6 +662,14 @@ function ask_token_and_log_user_in() { then times=1 fi + + check_grace_period $grace_period + if [[ $? == $OK ]] + then + debug "Grace period allowed" + update_last_login + run_shell + fi for i in `seq 1 $times` do @@ -653,13 +745,13 @@ case $1 in check_config_file "writable" AUTHY_API_KEY="$(read_config api_key)" check_api_key - register_user "$2" "$3" "$4" "$5" + register_user "$2" "$3" "$4" "$5" "$6" ;; login) check_config_file AUTHY_API_KEY="$(read_config api_key)" check_api_key - ask_token_and_log_user_in "login" "$2" + ask_token_and_log_user_in "login" "$2" "$3" ;; protect) check_config_file 
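Review bot: In register_user the grace-period argument is validated only after `register_user_on_authy $*` has already succeeded, so an invalid sixth argument exits with `$FAIL` leaving the user registered at Authy but absent from the config file, and a corrected rerun registers a second time; move the `grace_period=` / regex block ahead of the API call (the function's opening lines are in the previous hunk). `[ -z $grace_period ]` and `escape_number $5` expand unquoted; `[[ -z $grace_period ]]` and `"$5"` are the safe spellings. The `user=` line now carries three fields, which the `${#authy_user[@]} -gt 2` test in check_grace_period handles, but a comment on the echo recording the `local:authy_id:grace` layout would document the new format.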
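Review bot: `update_last_login` in `login` runs before the `$mode != "test"` check, so a `test` invocation also opens a grace window; if `login` is additionally the function reached on the `default_verify_action=disable` fallback when the API is unreachable (its beginning is outside the hunk, so this is inferred), a session that never verified a token would open one too. Record the login only on the branch where a token was actually verified, and state in a comment whether a `test` run is meant to count, e.g. `# a verified token, not a test run, starts the grace window`.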
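Review bot: Calling `update_last_login` on the grace path in ask_token_and_log_user_in makes the window slide: every login admitted without a token pushes the expiry forward by another `grace_period`, so a session re-established at least once per period from the same address never needs a second factor again. Anchoring the window to the last real verification means dropping the `update_last_login` line here and keeping the one in `login` (previous hunk), so the longest token-free stretch is bounded by the configured value. If `run_shell` returns instead of exec'ing (its `SSH_ORIGINAL_COMMAND` branch is outside this hunk), control falls through to the token loop, which is the safe direction, but an explicit `exit $OK` after it would make that intent visible.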
@@ -699,9 +791,19 @@ Available commands: enable receives a list of arguments needed to register a user. usage: - sudo $0 enable [local-user] [email] [numeric country code] [cellphone] + sudo $0 enable [local-user] [email] [numeric country code] [cellphone] + + Where grace-period, optionally, specifies the number of seconds two-factor authentication will not be + required for creating a new session, after a successful login, from the same user and IP address. + Using the value of -1 will always require two-factor authentication and is the default if not specified. + + Always require two-factor authentication: + + Example: sudo $0 enable myuser myuser@example.com 1 401-390-9987 -1 + + Allow 300 seconds after a successful login before requiring two-factor authentication again: - Example: sudo $0 enable myuser myuser@example.com 1 401-390-9987 + Example: sudo $0 enable myuser myuser@example.com 1 401-390-9987 300 protect installs authy-ssh for the given user diff --git a/authy-ssh.sha1sum b/authy-ssh.sha1sum index 21b6501..cb3f61b 100644 --- a/authy-ssh.sha1sum +++ b/authy-ssh.sha1sum @@ -1 +1 @@ -714c024641558f2c5bd9742cc7d2126153c30aa4 authy-ssh +64d454de21b768ab2c968204bf0b07c662ca80af authy-ssh From 37d3a13354030cf1b2acf1c7b9fbd8579666a52e Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Sat, 14 Jun 2014 04:34:36 +0930 Subject: [PATCH 02/16] Update README for grace-time argument --- README.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a61418f..1ce0d61 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Type the following command in the terminal: Then enable two-factor for your user: - $ sudo /usr/local/bin/authy-ssh enable `whoami` + $ sudo /usr/local/bin/authy-ssh enable `whoami` [grace-period] Test everything is working: 
@@ -67,10 +67,12 @@ Here's an example: [root@ip-10-2-113-233 ~]# cat /usr/local/bin/authy-ssh.conf banner=Good job! You've securely logged in with Authy. api_key=05c783f2db87b73b198f11fe45dd8bfb - user=root:1 - user=daniel:1 + user=root:1:-1 + user=daniel:1:300 -In this case it means user root and daniel have two-factor enabled and that 1 is their `authy_id`. If a user is not in this list, `authy-ssh` will automatically let him in. +In this case it means user root and daniel have two-factor enabled and that 1 is their `authy_id`. If a user is not in this list, `authy-ssh` will automatically let him in. +The user daniel has an optional `grace-period` of 300 seconds, allowing them to open a new session within 5 minutes of the last successful login without requiring two-factor authentication. +On the other hand, the root user uses the default `grace-period` of -1, requiring all sessions to use two-factor authentication, regardless of recent successful logins. ## Using two-factor auth with automated deployment tools. @@ -104,7 +106,7 @@ To enable users type the following command and fill the form: If you want to do it in one line just type: - $ sudo authy-ssh enable + $ sudo authy-ssh enable [grace-period] ## `scp`, `mosh` and `git push` with two-factor authentication. 
@@ -139,8 +141,8 @@ and then for each person add their ssh key using the following command: you should end up with an authorized_keys file that looks like: - command="/usr/local/bin/authy-ssh login 13386" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGRJbWu+WLVXYVADY3iQPE1kA7CIOSqHmskPM8qIAzKzq+1eRdmPwDZNmAvIQnN/0N7317Rt1bmTRLBwhl6vfSgL6677vUwsevPo27tIxdja67ELTh55xVLcJ3O8x2qkZsySgkLP/n+w3MUwLe1ht31AZOAsV7J7imhWipDijiysNgvHyeSWsHqExaL1blPOYJVHcqPbKY4SxFRq/MWeyPf/Sm24MFSKEaY6u0kNx8MLJ1X9X/YxmY9rdvzsZdQ7Z/PYhYt2Ja/0mzfYx2leeP2JQBsVfZZzAoFEPpw6mSP9kJREGe2tXvS9cRenhz/+V0+mvSJKG0f0Zzh428pTzN - command="/usr/local/bin/authy-ssh login 20" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyvj2d0rSDukDT04mK7njUxtXffUrOnDCm2Bqub0zN7LQS733nBHp89aMuBI5ENjw1SQ2qXhLxvK1Xhr0pQr+dOWNn3emQjQuiA+YL39yp2RLLpflerJ3KAVY09CHYLFxdKj/DJgXsH+LMAPe2uVmWCP2xAV5ZcLnz3CdS2SX/EVlbNrftesZx9uAbmwKPLY1pmW7q/75AhJRow8VTP7zM/VS7jEHkj03g51BZGB8tMI3G8RDVEDtu2jVwZiq+8BaNCyjYVlsLfu6uGhnXeeUS3swu/atlt+pxy+QTf/HGvrJR58tER+foqheWtV3LqXN4oLckzqTVkDDmnNJlmrpYQ== + command="/usr/local/bin/authy-ssh login 13386 -1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGRJbWu+WLVXYVADY3iQPE1kA7CIOSqHmskPM8qIAzKzq+1eRdmPwDZNmAvIQnN/0N7317Rt1bmTRLBwhl6vfSgL6677vUwsevPo27tIxdja67ELTh55xVLcJ3O8x2qkZsySgkLP/n+w3MUwLe1ht31AZOAsV7J7imhWipDijiysNgvHyeSWsHqExaL1blPOYJVHcqPbKY4SxFRq/MWeyPf/Sm24MFSKEaY6u0kNx8MLJ1X9X/YxmY9rdvzsZdQ7Z/PYhYt2Ja/0mzfYx2leeP2JQBsVfZZzAoFEPpw6mSP9kJREGe2tXvS9cRenhz/+V0+mvSJKG0f0Zzh428pTzN + command="/usr/local/bin/authy-ssh login 20 300" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyvj2d0rSDukDT04mK7njUxtXffUrOnDCm2Bqub0zN7LQS733nBHp89aMuBI5ENjw1SQ2qXhLxvK1Xhr0pQr+dOWNn3emQjQuiA+YL39yp2RLLpflerJ3KAVY09CHYLFxdKj/DJgXsH+LMAPe2uVmWCP2xAV5ZcLnz3CdS2SX/EVlbNrftesZx9uAbmwKPLY1pmW7q/75AhJRow8VTP7zM/VS7jEHkj03g51BZGB8tMI3G8RDVEDtu2jVwZiq+8BaNCyjYVlsLfu6uGhnXeeUS3swu/atlt+pxy+QTf/HGvrJR58tER+foqheWtV3LqXN4oLckzqTVkDDmnNJlmrpYQ== The previous command will ask you the user ssh public key, cellphone and email. 
From 65fa25ba11faf1e8b257fc54da055ceb61fda99f Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Sat, 14 Jun 2014 04:37:43 +0930 Subject: [PATCH 03/16] Update test cases to test invalid grace-time values for enable and protect commands --- tests/test_enable.rb | 28 ++++++++++++++++++++++++++++ tests/test_protect.rb | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/tests/test_enable.rb b/tests/test_enable.rb index dff7c0f..c846c59 100644 --- a/tests/test_enable.rb +++ b/tests/test_enable.rb @@ -80,3 +80,31 @@ red " [FAILED]" end end + +authy_ssh("enable #{ENV["USER"]} 'test;;;@authy.com' '1|}+)(&%' '111;|};111#-/:1111' aaa", {}, true) do |stdin, stdout| + + if read_until(stdout, /Do you want to enable this user/i) + stdin.puts "y" + end + + if read_until(stdout, /grace-time is invalid/i) + print "Setting an invalid grace-time: aaa" + green " [OK]" + else + red " [FAILED]" + end +end + +authy_ssh("enable #{ENV["USER"]} test@authy.com 0 111-111-1111 -2", {}, true) do |stdin, stdout| + + if read_until(stdout, /Do you want to enable this user/i) + stdin.puts "y" + end + + if read_until(stdout, /grace-time is invalid/i) + print "Setting an invalid grace-time: -2" + green " [OK]" + else + red " [FAILED]" + end +end diff --git a/tests/test_protect.rb b/tests/test_protect.rb index addd933..0499c89 100644 --- a/tests/test_protect.rb +++ b/tests/test_protect.rb 
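Review bot: Both new test_enable cases wait for `/grace-time is invalid/i`, but the message the script emits for this check is `yellow "grace-period is invalid"` (in register_user and protect_user), so these cases print `[FAILED]` even when the argument is correctly rejected; test_protect.rb in the same commit already uses `/grace-period is invalid/i`. Change the two regexes to `/grace-period is invalid/i` and the `print` labels to say grace-period as well.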
@@ -87,4 +87,37 @@ else red " [FAILED]" end +end + +authy_ssh("protect #{ENV["USER"]}") do |stdin, stdout| + if read_until(stdout, /Enter your public ssh key/i) + stdin.puts "#{SSH_KEY}" + end + + if read_until(stdout, /Your country code/i) + stdin.puts "1" + end + + if read_until(stdout, /Your cellphone/i) + stdin.puts "123456" + end + + if read_until(stdout, /Your email/i) + stdin.puts "test@authy.com" + end + + if read_until(stdout, /Do you want to enable this user/i) + stdin.puts "y" + end + + if read_until(stdout, /Enter your desired grace-period/i) + print "Setting an invalid grace-time" + stdin.puts "aaa" + end + + if read_until(stdout, /grace-period is invalid/i) + green " [OK]" + else + red " [FAILED]" + end end \ No newline at end of file From 59e7a30974d022d73f7fdb641dd9b957b0b78190 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Sat, 14 Jun 2014 04:39:11 +0930 Subject: [PATCH 04/16] Bump version to 1.5 --- authy-ssh | 2 +- authy-ssh.sha1sum | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/authy-ssh b/authy-ssh index 123cb21..e94b1c8 100755 --- a/authy-ssh +++ b/authy-ssh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -VERSION="1.4" +VERSION="1.5" AUTHY_URL="https://api.authy.com" APP_ROOT=`dirname $0` CONFIG_FILE="$APP_ROOT/authy-ssh.conf" diff --git a/authy-ssh.sha1sum b/authy-ssh.sha1sum index cb3f61b..f3eaa63 100644 --- a/authy-ssh.sha1sum +++ b/authy-ssh.sha1sum @@ -1 +1 @@ -64d454de21b768ab2c968204bf0b07c662ca80af authy-ssh +e13ddca3d324ead9ab1dac14c81c079b66b03690 authy-ssh From bbfb41d2afcf4baf662ae3cf0c19851e544c3a01 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Sat, 14 Jun 2014 15:43:41 +0930 Subject: [PATCH 05/16] The last login file should only be readwrite by that user --- authy-ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/authy-ssh b/authy-ssh index e94b1c8..4248077 100755 --- a/authy-ssh +++ b/authy-ssh 
@@ -62,6 +62,7 @@ function get_date() { function update_last_login() { mkdir -p "$LAST_LOGIN_FOLDER" echo "$USER|$(get_date)|$(get_ssh_client_ip)" > $LAST_LOGIN_FILE + chmod 600 $LAST_LOGIN_FILE } function get_ssh_client_ip() { From df143ba226172db48a85e121b6e8e72986492453 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Sat, 14 Jun 2014 16:03:23 +0930 Subject: [PATCH 06/16] Fix shell closing after requesting an SMS token --- authy-ssh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/authy-ssh b/authy-ssh index 4248077..467d0ae 100755 --- a/authy-ssh +++ b/authy-ssh @@ -658,12 +658,6 @@ function ask_token_and_log_user_in() { run_shell fi - times=3 - if [[ $AUTHY_TOKEN ]] # env var - then - times=1 - fi - check_grace_period $grace_period if [[ $? == $OK ]] then @@ -671,7 +665,13 @@ function ask_token_and_log_user_in() { update_last_login run_shell fi - + + times=3 + if [[ $AUTHY_TOKEN ]] # env var + then + times=1 + fi + for i in `seq 1 $times` do authy_token="$(escape_number $AUTHY_TOKEN)" From 75384268da4c84ad47922e945c54bcc3b64e0f82 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Tue, 17 Jun 2014 00:46:19 +0930 Subject: [PATCH 07/16] Add some extra folder security to the folder containing the last-login grace file --- authy-ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/authy-ssh b/authy-ssh index 467d0ae..9ffda84 100755 --- a/authy-ssh +++ b/authy-ssh @@ -61,6 +61,7 @@ function get_date() { function update_last_login() { mkdir -p "$LAST_LOGIN_FOLDER" + chmod 755 "$LAST_LOGIN_FOLDER" echo "$USER|$(get_date)|$(get_ssh_client_ip)" > $LAST_LOGIN_FILE chmod 600 $LAST_LOGIN_FILE } From b6f1036e1bb5fab7d3f3971e4fdb2ead92640fda Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Tue, 17 Jun 2014 00:47:41 +0930 Subject: [PATCH 08/16] Move error message about missing sshd file to some place more relevant, so we can reuse this method --- authy-ssh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
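Review bot: `chmod 600` runs after the write, so on first creation the record briefly exists with the umask default (typically 0644), and `$LAST_LOGIN_FILE` is unquoted in both the redirect and the chmod. Creating it under a restrictive umask closes the gap in one step: `( umask 077; mkdir -p "$LAST_LOGIN_FOLDER" && echo "$USER|$(get_date)|$(get_ssh_client_ip)" > "$LAST_LOGIN_FILE" )`. The `chmod 755 "$LAST_LOGIN_FOLDER"` added in the `@@ -61,6 +61,7` hunk of PATCH 07/16 grants other accounts traversal and listing of the directory although only the owner needs it; `700` is the tighter choice, and the `umask 077` above yields it without a separate chmod.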
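Review bot: Moving the `times=` block below `check_grace_period` does not change what `seq 1 $times` receives, so the reorder by itself cannot be what fixes the closing shell; the symptom is consistent with `check_grace_period` leaving `IFS` set to `:`, which makes the loop run once with all of seq's output in `$i`, and PATCH 15/16 of this series adds `unset IFS` for exactly that reason. If the ordering matters for another reason a comment should say why; otherwise the hunk is cosmetic and the real fix is to scope IFS inside check_grace_period.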
diff --git a/authy-ssh b/authy-ssh index 9ffda84..d79d16f 100755 --- a/authy-ssh +++ b/authy-ssh @@ -100,9 +100,9 @@ function find_sshd_config() { SSHD_CONFIG="/etc/sshd_config" elif [[ -f /etc/ssh/sshd_config ]] then - SSHD_CONFIG="/etc/ssh/sshd_config" - else - red "Cannot find sshd_config in your server. Authy SSH will be enabled when you add the ForceCommand to it" + SSHD_CONFIG="/etc/ssh/sshd_config" + fi +} fi } @@ -120,6 +120,8 @@ function add_force_command() { echo "" red " MAKE SURE YOU DO NOT MOVE/REMOVE ${authy_ssh_command} BEFORE UNINSTALLING AUTHY SSH" sleep 5 + else + red "Cannot find sshd_config in your server. Authy SSH will be enabled when you add the ForceCommand to it" fi } From 0ee677b1930221deeab718023ec08da83e8f6e55 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Tue, 17 Jun 2014 00:48:32 +0930 Subject: [PATCH 09/16] Add a load_default_banner option to config that will show the default /etc/motd or pam.d sshd motd on successful login --- authy-ssh | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/authy-ssh b/authy-ssh index d79d16f..2337893 100755 --- a/authy-ssh +++ b/authy-ssh @@ -103,6 +103,15 @@ function find_sshd_config() { SSHD_CONFIG="/etc/ssh/sshd_config" fi } + +function find_pamd_sshd() { + debug "Trying to find pam sshd file" + if [[ -f /etc/pam.d/sshd ]] + then + PAM_SSHD_CONFIG="/etc/pam.d/sshd" + elif [[ -f /etc/pam.conf ]] + then + PAM_SSHD_CONFIG="/etc/pam.conf" fi } 
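Review bot: The new side of the find_sshd_config hunk closes the `if` and the function with the added `fi` / `}` and then keeps the original context `fi` / `}` too, so at this commit the script contains an unmatched `fi` after the function and bash refuses to parse it. The two added lines were evidently meant to replace the context lines, not precede them. The next patch's `@@ -103,6 +103,15` hunk parses only because its `find_pamd_sshd` body has no closing `fi`/`}` of its own and absorbs the orphaned pair; that function should carry its own closing lines so it does not depend on the stray ones.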
@@ -184,9 +193,31 @@ function install_authy() { return $FAIL ;; esac + + echo "Show default MOTD / Banner on successful login: " + echo "" + echo " 1. Show the default sshd MOTD / Banner on login" + echo " 2. Suppress the default sshd MOTD / Banner on login" + echo "" + echo -n "type 1 or 2 to select the option: " + read load_default_banner + + case $load_default_banner in + 1) + load_default_banner="enable" + ;; + 2) + load_default_banner="disable" + ;; + *) + red "you have entered an invalid option" + return $FAIL + ;; + esac yellow "Generating initial config on ${config_file}..." echo "banner=Good job! You've securely logged in with Authy." > "${config_file}" + echo "load_default_banner=${load_default_banner}" echo "api_key=${authy_api_key}" >> "${config_file}" echo "default_verify_action=${default_verify_action}" >> "${config_file}" else @@ -526,6 +557,31 @@ function run_shell() { elif [ $SHELL ] # when user runs: ssh server then debug "running shell: $SHELL" + load_default_banner=$(read_config load_default_banner) + if [[ $? == $OK && "$load_default_banner" == "enable" ]]; + then + find_pamd_sshd + # if we found pam + if [[ -r $PAM_SSHD_CONFIG ]] + then + debug "Found $PAM_SSHD_CONFIG" + # pam says load motd from specific file for sshd + # find an uncommented line for session or sshd containing pam_motd and motd variable + BANNER="`sed -n 's/^\(session\|sshd\).*pam_motd.*motd=\(\S*\)\s*.*$/\2/p' /etc/pam.d/sshd`" + if [[ ! -z $BANNER && -r "/var/$BANNER" ]] + then + debug "Showing /var/$BANNER" + cat "/var/$BANNER" + fi + fi + + # if motd exists, print that out too + if [[ -r "/etc/motd" ]] + then + debug "Showing /etc/motd" + cat "/etc/motd" + fi + fi exec -l $SHELL fi From 356ca52a0a589e6ce6f8b107c0cf95404a7df839 Mon Sep 17 00:00:00 2001 
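Review bot: `echo "load_default_banner=${load_default_banner}"` has no `>> "${config_file}"`, so the answer chosen at install time is printed to the terminal and never stored, and `read_config load_default_banner` in run_shell finds nothing; PATCH 16/16 of this series adds the redirect. `read load_default_banner` should be `read -r` like the other prompts, and the config line deserves a short trailing comment such as `# enable|disable: print /etc/motd and the pam_motd file after a successful login` since this is the only place the two accepted values are defined.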
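Review bot: The `sed` that extracts the `motd=` path reads `/etc/pam.d/sshd` literally while `find_pamd_sshd` may have set `PAM_SSHD_CONFIG` to `/etc/pam.conf`; on such a system the `-r $PAM_SSHD_CONFIG` guard passes and sed then fails on a missing file, printing an error during login, so pass `"$PAM_SSHD_CONFIG"` to sed. The extracted value is prefixed with `/var/`, but pam_motd's `motd=` argument is an absolute path (e.g. `/run/motd.dynamic`), so `/var/$BANNER` resolves only where `/var/run` happens to point at `/run`; use the value as given and check `-r "$BANNER"`. Several matching lines would also make `$BANNER` multi-line and the `-r` test fail silently, so take only the first with `| head -n 1`. This code runs as the logging-in user, so `cat` of an unreadable motd is harmless, but the `debug` lines should say which file was skipped and why.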
From: Grant Pannell Date: Tue, 17 Jun 2014 00:50:14 +0930 Subject: [PATCH 10/16] SMS shell closure fix pt.2 Sometimes the response via API says "SMS was not sent" and the *success*sent* success check was matching a failure --- authy-ssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/authy-ssh b/authy-ssh index 2337893..b109329 100755 --- a/authy-ssh +++ b/authy-ssh @@ -682,7 +682,7 @@ function request_sms() { response=`curl --connect-timeout 10 "${url}" 2>/dev/null` debug "[request sms] url: $url | response: $response | curl exit stats: $?" - if [[ $response == *success*sent* ]] + if [[ $response == *success*"was sent"* ]] then green "SMS message was sent" elif [[ $response == *not*enabled* ]] From 8589efdcef480fed28b1891335bdb0c45255de12 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Tue, 17 Jun 2014 00:54:15 +0930 Subject: [PATCH 11/16] Add documentation for load_default_banner --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 1ce0d61..6f71786 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,7 @@ Here's an example: [root@ip-10-2-113-233 ~]# cat /usr/local/bin/authy-ssh.conf banner=Good job! You've securely logged in with Authy. + load_default_banner=enable api_key=05c783f2db87b73b198f11fe45dd8bfb user=root:1:-1 user=daniel:1:300 
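Review bot: The success check still classifies the reply by wording (`*success*"was sent"*`), so a message that is rephrased, or one where the word `success` appears next to a different value, is judged by phrasing rather than by the result; if the API reply is JSON with a `success` field, `[[ $response == *'"success":true'* ]]` keys on the field instead. The `${url}` handed to curl on the line above is built from `authy_id`, which now passes through the no-op `escape_number` from PATCH 01/16, so the digit-only guarantee on that URL component no longer holds here either.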
@@ -74,6 +75,10 @@ In this case it means user root and daniel have two-factor enabled and that 1 is The user daniel has an optional `grace-period` of 300 seconds, allowing them to open a new session within 5 minutes of the last successful login without requiring two-factor authentication. On the other hand, the root user uses the default `grace-period` of -1, requiring all sessions to use two-factor authentication, regardless of recent successful logins. + +The `load_default_banner` option will show the operating system's default SSH banner when a successful login occurs. This checks to see if a MOTD is set in /etc/pam.d/sshd or /etc/motd. +Setting this to disable will suppress the default sshd MOTD. + ## Using two-factor auth with automated deployment tools. From 64145e65fa559474b56a9b0fb553539d5a4ad008 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Tue, 17 Jun 2014 01:01:36 +0930 Subject: [PATCH 12/16] Update install unit test for load_default_banner --- tests/test_install.rb | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/tests/test_install.rb b/tests/test_install.rb index ca14838..d416dc9 100644 --- a/tests/test_install.rb +++ b/tests/test_install.rb @@ -56,11 +56,16 @@ print "Select the option 1: Disable two factor authentication until api.authy.com is back" stdin.puts "1" end + + if read_until(stdout, /type 1 or 2 to select the option/i) + print "Select the option 1: show default MOTD" + stdin.puts "1" + end if read_until(stdout, /Restart the SSH server to apply changes/i) config_path = File.expand_path("../authy-ssh.conf", __FILE__) config = File.read(config_path) - if config =~ /default_verify_action=disable/ + if config =~ /default_verify_action=disable/ and config =~ /load_default_banner=enable/ green " [OK]" else yellow " Option not configured" 
@@ -80,11 +85,16 @@ print "Select the option 2: Don't allow logins until api.authy.com is back" stdin.puts "2" end + + if read_until(stdout, /type 1 or 2 to select the option/i) + print "Select the option 2: suppress default MOTD" + stdin.puts "2" + end if read_until(stdout, /Restart the SSH server to apply changes/i) config_path = File.expand_path("../authy-ssh.conf", __FILE__) config = File.read(config_path) - if config =~ /default_verify_action=enforce/ + if config =~ /default_verify_action=enforce/ and config =~ /load_default_banner=disable/ green " [OK]" else yellow " Option not configured" @@ -112,3 +122,25 @@ end system("sudo rm authy-ssh") end + +authy_ssh("install .", {}, true) do |stdin, stdout| + if read_until(stdout, /Enter the Authy API key/i) + stdin.puts "0cd08abec2e9b9641e40e9470a7fc336" + end + + if read_until(stdout, /type 1 or 2 to select the option/i) + stdin.puts "2" + end + + if read_until(stdout, /type 1 or 2 to select the option/i) + print "Select an invalid option: 9" + stdin.puts "9" + end + + if read_until(stdout, /you have entered an invalid option/i) + green " [OK]" + else + red " [FAILED]" + end + system("sudo rm authy-ssh") +end From aa899c02d9515de1e6a0b7737993043bed61de1a Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Tue, 17 Jun 2014 01:02:39 +0930 Subject: [PATCH 13/16] Version bump 1.6 --- authy-ssh | 2 +- authy-ssh.sha1sum | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/authy-ssh b/authy-ssh index b109329..0154663 100755 --- a/authy-ssh +++ b/authy-ssh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -VERSION="1.5" +VERSION="1.6" AUTHY_URL="https://api.authy.com" APP_ROOT=`dirname $0` CONFIG_FILE="$APP_ROOT/authy-ssh.conf" diff --git a/authy-ssh.sha1sum b/authy-ssh.sha1sum index f3eaa63..19fdcf6 100644 --- a/authy-ssh.sha1sum +++ b/authy-ssh.sha1sum @@ -1 +1 @@ -e13ddca3d324ead9ab1dac14c81c079b66b03690 authy-ssh +c59d8e349f47e7bfcf68cff93e1cdfee5791030e authy-ssh 
From a7813629b01cb033cda593112f65346fb69585ba Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Fri, 4 Jul 2014 22:18:49 +0930 Subject: [PATCH 14/16] Fix URL in curl command to github's redirected URL --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6f71786..fa25e83 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ Type the following command in the terminal: - $ curl -O 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' + $ curl -O 'https://raw.githubusercontent.com/authy/authy-ssh/master/authy-ssh' $ sudo bash authy-ssh install /usr/local/bin Then enable two-factor for your user: From 9b29aa9dde9ad33927a0c06e8e6a2618291b046f Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Fri, 4 Jul 2014 22:20:02 +0930 Subject: [PATCH 15/16] Finally fix problem with disconnecting after invalid token or sms request. IFS was incorrectly set which breaks seq. --- authy-ssh | 3 ++- authy-ssh.sha1sum | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/authy-ssh b/authy-ssh index 0154663..5fe1d84 100755 --- a/authy-ssh +++ b/authy-ssh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -VERSION="1.6" +VERSION="1.6.1" AUTHY_URL="https://api.authy.com" APP_ROOT=`dirname $0` CONFIG_FILE="$APP_ROOT/authy-ssh.conf" @@ -731,6 +731,7 @@ function ask_token_and_log_user_in() { times=1 fi + unset IFS for i in `seq 1 $times` do authy_token="$(escape_number $AUTHY_TOKEN)" diff --git a/authy-ssh.sha1sum b/authy-ssh.sha1sum index 19fdcf6..153e618 100644 --- a/authy-ssh.sha1sum +++ b/authy-ssh.sha1sum @@ -1 +1 @@ -c59d8e349f47e7bfcf68cff93e1cdfee5791030e authy-ssh +9aac50642fe69aeb65a5c03b5088d1a82edc3885 authy-ssh From 28ecd1244a8e5795e6b0935bfa840ed79eee28f9 Mon Sep 17 00:00:00 2001 From: Grant Pannell Date: Sat, 4 Oct 2014 12:45:17 +0930 Subject: [PATCH 16/16] Save load_default_banner to config file --- authy-ssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
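Review bot: `unset IFS` restores default splitting for the `seq` loop but repairs only this one site: `check_grace_period` still sets `IFS` globally to `|` and then `:`, so every unquoted expansion between that call and this line is split on the wrong separators, and unsetting rather than saving and restoring discards any IFS the caller had set. Scoping the assignment to the read (`IFS='|' read -r -a last_login < "$LAST_LOGIN_FILE"` and `IFS=':' read -r -a authy_user <<< "$user"`) makes this line unnecessary. `for i in $(seq 1 "$times")` could also become `for ((i = 1; i <= times; i++))`, which does not depend on IFS at all.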
diff --git a/authy-ssh b/authy-ssh index 5fe1d84..03b3fd6 100755 --- a/authy-ssh +++ b/authy-ssh @@ -217,7 +217,7 @@ function install_authy() { yellow "Generating initial config on ${config_file}..." echo "banner=Good job! You've securely logged in with Authy." > "${config_file}" - echo "load_default_banner=${load_default_banner}" + echo "load_default_banner=${load_default_banner}" >> "${config_file}" echo "api_key=${authy_api_key}" >> "${config_file}" echo "default_verify_action=${default_verify_action}" >> "${config_file}" else