Red Hat Bugzilla – Attachment 523467 Details for
Bug 738879
authconfig does not support google-authenticator
[patch]
patch to add google-authenticator support
authconfig-6.1.15-google-auth.patch (text/plain), 16.77 KB, created by
David Woodhouse
on 2011-09-16 00:42:03 UTC
Description:
patch to add google-authenticator support
Filename:
MIME Type:
Creator:
David Woodhouse
Created:
2011-09-16 00:42:03 UTC
Size:
16.77 KB
>diff -ur authconfig-6.1.15/authconfig.glade authconfig-6.1.15.ga/authconfig.glade
>--- authconfig-6.1.15/authconfig.glade 2011-07-22 11:36:59.000000000 +0100
>+++ authconfig-6.1.15.ga/authconfig.glade 2011-09-16 00:57:07.451873996 +0100
>@@ -642,6 +642,41 @@
> </packing>
> </child>
> <child>
>+ <widget class="GtkAlignment" id="alignment37">
>+ <property name="visible">True</property>
>+ <property name="xalign">0</property>
>+ <property name="left_padding">12</property>
>+ <child>
>+ <widget class="GtkHBox" id="hbox24">
>+ <property name="visible">True</property>
>+ <property name="spacing">12</property>
>+ <child>
>+ <widget class="GtkCheckButton" id="enablegoogleauth">
>+ <property name="label" translatable="yes">Enable _Google Authenticator support</property>
>+ <property name="visible">True</property>
>+ <property name="can_focus">True</property>
>+ <property name="receives_default">False</property>
>+ <property name="has_tooltip">True</property>
>+ <property name="tooltip" translatable="yes">Google Authenticator allows you to log in using one-time passwords generated on your mobile device.</property>
>+ <property name="use_underline">True</property>
>+ <property name="draw_indicator">True</property>
>+ </widget>
>+ <packing>
>+ <property name="expand">False</property>
>+ <property name="fill">False</property>
>+ <property name="position">0</property>
>+ </packing>
>+ </child>
>+ </widget>
>+ </child>
>+ </widget>
>+ <packing>
>+ <property name="expand">False</property>
>+ <property name="fill">False</property>
>+ <property name="position">2</property>
>+ </packing>
>+ </child>
>+ <child>
> <widget class="GtkAlignment" id="alignment33">
> <property name="visible">True</property>
> <property name="left_padding">12</property>
>@@ -661,7 +696,7 @@
> <packing>
> <property name="expand">False</property>
> <property name="fill">False</property>
>- <property name="position">2</property>
>+ <property name="position">3</property>
> </packing>
> </child>
> <child>
>@@ -681,7 +716,7 @@
> <packing>
> <property name="expand">False</property>
> <property name="fill">False</property>
>- <property name="position">3</property>
>+ <property name="position">4</property>
> </packing>
> </child>
> <child>
>@@ -730,7 +765,7 @@
> </child>
> </widget>
> <packing>
>- <property name="position">4</property>
>+ <property name="position">5</property>
> </packing>
> </child>
> <child>
>@@ -763,7 +798,7 @@
> </child>
> </widget>
> <packing>
>- <property name="position">6</property>
>+ <property name="position">7</property>
> </packing>
> </child>
> <child>
>@@ -774,7 +809,7 @@
> <property name="use_markup">True</property>
> </widget>
> <packing>
>- <property name="position">7</property>
>+ <property name="position">8</property>
> </packing>
> </child>
> <child>
>@@ -797,7 +832,7 @@
> <packing>
> <property name="expand">False</property>
> <property name="fill">False</property>
>- <property name="position">8</property>
>+ <property name="position">9</property>
> </packing>
> </child>
> <child>
>@@ -818,7 +853,7 @@
> <packing>
> <property name="expand">False</property>
> <property name="fill">False</property>
>- <property name="position">9</property>
>+ <property name="position">10</property>
> </packing>
> </child>
> <child>
>@@ -833,7 +868,7 @@
> </child>
> </widget>
> <packing>
>- <property name="position">10</property>
>+ <property name="position">11</property>
> </packing>
> </child>
> </widget>
>diff -ur authconfig-6.1.15/authconfig.glade.h authconfig-6.1.15.ga/authconfig.glade.h
>--- authconfig-6.1.15/authconfig.glade.h 2011-07-22 11:37:21.000000000 +0100
>+++ authconfig-6.1.15.ga/authconfig.glade.h 2011-09-16 00:57:20.605674106 +0100
>@@ -22,6 +22,7 @@
> char *s = N_("Domain:");
> char *s = N_("Download CA Certificate");
> char *s = N_("Enable _fingerprint reader support");
>+char *s = N_("Enable _Google Authenticator support");
> char *s = N_("Enable _local access control");
> char *s = N_("Enable _smart card support");
> char *s = N_("Fingerprint authentication allows you to log in by scanning your finger with the fingerprint reader.");
>diff -ur authconfig-6.1.15/authconfig-gtk.py authconfig-6.1.15.ga/authconfig-gtk.py
>--- authconfig-6.1.15/authconfig-gtk.py 2011-07-22 11:36:59.000000000 +0100
>+++ authconfig-6.1.15.ga/authconfig-gtk.py 2011-09-16 01:13:13.017168183 +0100
>@@ -81,6 +81,9 @@
> "enablefprintd":
> ("enableFprintd", authinfo.PATH_PAM_FPRINTD,
> "Fprintd", "pam_fprintd", None),
>+ "enablegoogleauth":
>+ ("enableGoogleAuth", authinfo.PATH_PAM_GOOGLE_AUTH,
>+ "GoogleAuth", "pam_google_authenticator", None),
> "enablepamaccess" :
> ("enablePAMAccess", "", "", "", None),
> "passwordalgo" :
>diff -ur authconfig-6.1.15/authconfig.py authconfig-6.1.15.ga/authconfig.py
>--- authconfig-6.1.15/authconfig.py 2011-07-22 11:36:59.000000000 +0100
>+++ authconfig-6.1.15.ga/authconfig.py 2011-09-16 00:36:12.102966994 +0100
>@@ -55,6 +55,7 @@
> self.sssd_avail = False
> self.cache_avail = False
> self.fprintd_avail = False
>+ self.google_auth_avail = False
> self.retval = 0
>
> def module(self):
>@@ -146,6 +147,11 @@
> parser.add_option("--disablefingerprint", action="store_true",
> help=_("disable authentication with fingerprint readers by default"))
>
>+ parser.add_option("--enablegoogleauth", action="store_true",
>+ help=_("enable authentication with google-authenticator one-time passcodes by default"))
>+ parser.add_option("--disablegoogleauth", action="store_true",
>+ help=_("disable authentication with google-authenticator one-time passcodes by default"))
>+
> parser.add_option("--enableecryptfs", action="store_true",
> help=_("enable automatic per-user ecryptfs"))
> parser.add_option("--disableecryptfs", action="store_true",
>@@ -345,6 +351,7 @@
> os.access(authinfo.PATH_LIBNSS_SSS, os.X_OK))
> self.cache_avail = os.access(authinfo.PATH_NSCD, os.X_OK)
> self.fprintd_avail = os.access(authinfo.PATH_PAM_FPRINTD, os.X_OK)
>+ self.google_auth_avail = os.access(authinfo.PATH_PAM_GOOGLE_AUTH, os.X_OK)
>
> def overrideSettings(self):
> bool_settings = {"shadow":"enableShadow",
>@@ -365,6 +372,7 @@
> "krb5realmdns":"kerberosRealmviaDNS",
> "smartcard":"enableSmartcard",
> "fingerprint":"enableFprintd",
>+ "googleauth":"enableGoogleAuth",
> "requiresmartcard":"forceSmartcard",
> "winbind":"enableWinbind",
> "winbindauth":"enableWinbindAuth",
>@@ -532,6 +540,7 @@
> def getMainChoices(self):
> warnCache = [authinfo.PATH_NSCD, _("caching"), "nscd", None]
> warnFprintd = [authinfo.PATH_PAM_FPRINTD, _("Fingerprint reader"), "pam_fprintd", None]
>+ warnGoogleAuth = [authinfo.PATH_PAM_GOOGLE_AUTH, _("Google Authenticator"), "pam_google_authenticator", None]
> warnKerberos = [(authinfo.PATH_PAM_KRB5, authinfo.PATH_PAM_SSS), _("Kerberos"), ("pam_krb5", "sssd-client"), None]
> warnLDAPAuth = [(authinfo.PATH_PAM_LDAP, authinfo.PATH_PAM_SSS), _("LDAP authentication"), ("pam_ldap", "sssd-client"), None]
> warnLDAP = [(authinfo.PATH_LIBNSS_LDAP, authinfo.PATH_LIBNSS_SSS), _("LDAP"), ("nss-pam-ldapd", "sssd-client"), None]
>@@ -580,6 +589,9 @@
> krb5 = cb = snack.Checkbox(_("Use Kerberos"), bool(self.info.enableKerberos))
> authGrid.setField(cb, 0, 4, anchorLeft=1, growx=1)
>
>+ googleauth = cb = snack.Checkbox(_("Use Google Authenticator"), bool(self.info.enableGoogleAuth))
>+ authGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)
>+
> fprintd = cb = snack.Checkbox(_("Use Fingerprint reader"), bool(self.info.enableFprintd))
> authGrid.setField(cb, 0, 5, anchorLeft=1, growx=1)
>
>@@ -630,12 +642,13 @@
> self.info.enableKerberos = krb5.selected()
> self.info.enableWinbindAuth = winbindauth.selected()
> self.info.enableLocAuthorize = locauthorize.selected()
>+ self.info.enableGoogleAuth = googleauth.selected()
> self.info.enableFprintd = fprintd.selected()
> allwarnings = [(self.info.enableCache, warnCache), (self.info.enableLDAP, warnLDAP),
> (self.info.enableNIS, warnNIS), (self.info.enableWinbind, warnWinbind),
> (self.info.enableLDAPAuth, warnLDAPAuth), (self.info.enableKerberos, warnKerberos),
>- (self.info.enableFprintd, warnFprintd), (self.info.enableShadow, warnShadow),
>- (self.info.enableWinbindAuth, warnWinbindAuth)]
>+ (self.info.enableFprintd, warnFprintd), (self.info.enableGoogleAuth, warnGoogleAuth),
>+ (self.info.enableShadow, warnShadow), (self.info.enableWinbindAuth, warnWinbindAuth)]
> for warning in allwarnings:
> self.warn(warning[0], warning[1])
>
>diff -ur authconfig-6.1.15/authinfo.py authconfig-6.1.15.ga/authinfo.py
>--- authconfig-6.1.15/authinfo.py 2011-07-22 11:36:59.000000000 +0100
>+++ authconfig-6.1.15.ga/authinfo.py 2011-09-16 01:33:01.544081416 +0100
>@@ -109,6 +109,7 @@
> PATH_PAM_WINBIND = AUTH_MODULE_DIR + "/pam_winbind.so"
> PATH_PAM_PKCS11 = AUTH_MODULE_DIR + "/pam_pkcs11.so"
> PATH_PAM_FPRINTD = AUTH_MODULE_DIR + "/pam_fprintd.so"
>+PATH_PAM_GOOGLE_AUTH = AUTH_MODULE_DIR + "/pam_google_authenticator.so"
> PATH_PAM_SSS = AUTH_MODULE_DIR + "/pam_sss.so"
>
> PATH_WINBIND_NET = "/usr/bin/net"
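Review bot: In the `-580` hunk the new "Use Google Authenticator" checkbox is placed with `authGrid.setField(cb, 0, 5, ...)`, which is the same grid cell the unchanged fingerprint-reader checkbox uses a few lines below, so two widgets are assigned to row 5. The fingerprint line should move down one row, `authGrid.setField(cb, 0, 6, anchorLeft=1, growx=1)`, and any later rows need the same shift. getMainChoices continues outside the hunk, so the grid's declared size and the rows after the fingerprint entry are not visible here and should be checked as well.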
>@@ -339,6 +340,12 @@
> "use_first_pass"
> ]
>
>+# The google-authenticator default is stupid and insecure
>+argv_google_auth = [
>+ "no-drop-privs",
>+ "secret=/etc/google-authenticator/${USER}"
>+]
>+
> argv_succeed_if_auth = [
> "uid >=",
> "500", # this must be the second arg - to be replaced
>@@ -424,6 +431,8 @@
> "permit", []],
> [False, AUTH, LOGIC_SUFFICIENT,
> "fprintd", []],
>+ [False, AUTH, LOGIC_SUFFICIENT,
>+ "google_authenticator",argv_google_auth],
> [True, AUTH, LOGIC_SUFFICIENT,
> "unix", argv_unix_auth],
> [False, AUTH, LOGIC_REQUISITE,
>@@ -539,6 +548,8 @@
> "env", []],
> [False, AUTH, LOGIC_REQUIRED,
> "deny", []],
>+ [False, AUTH, LOGIC_SUFFICIENT,
>+ "google_authenticator",argv_google_auth],
> [True, AUTH, LOGIC_SUFFICIENT,
> "unix", argv_unix_auth],
> [False, AUTH, LOGIC_REQUISITE,
>@@ -1302,6 +1313,7 @@
> self.forceBrokenShadow = None
> self.forceSmartcard = None
> self.enableFprintd = None
>+ self.enableGoogleAuth = None
> self.enableForceLegacy = None
> self.implicitSSSD = False
> self.implicitSSSDAuth = False
>@@ -1312,6 +1324,7 @@
> self.joinPassword = ""
> self.cracklibArgs = ""
> self.passwdqcArgs = ""
>+ self.googleAuthArgs = "no-drop-privs secret=/etc/google-authenticator/${USER}"
> self.localuserArgs = ""
> self.pamAccessArgs = ""
> self.mkhomedirArgs = ""
>@@ -1362,7 +1375,7 @@
> ("enableCompat", "b"), ("enableWINS", "b"), ("enableMDNS", "b"),
> ("enableNIS3", "b"), ("enableNIS", "b"),
> ("enableSSSD", "b"), ("preferDNSinHosts", "b"), ("implicitSSSD", "b")]),
>- SaveGroup(self.writePAM, [("cracklibArgs", "c"), ("passwdqcArgs", "c"),
>+ SaveGroup(self.writePAM, [("cracklibArgs", "c"), ("passwdqcArgs", "c"), ("googleAuthArgs", "c"),
> ("localuserArgs", "c"), ("pamAccessArgs", "c"), ("enablePAMAccess", "b"),
> ("mkhomedirArgs", "c"), ("enableMkHomeDir", "b"), ("algoRounds", "c"),
> ("passwordAlgorithm", "i"), ("enableShadow", "b"), ("enableNIS", "b"),
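Review bot: The comment above `argv_google_auth` in the `-339` hunk calls the module default insecure without saying why, and the replacement has preconditions that nothing here states or checks. With `secret=/etc/google-authenticator/${USER}` every user's shared secret sits in one directory that is read with root privileges, and anyone able to read a secret file can produce valid codes for that account, so the directory and its files must be root-owned and unreadable to others. I would replace the comment with something like `# Keep OTP secrets out of user-writable home directories; /etc/google-authenticator must be root-owned and not world-readable`. Please also confirm the first argument against the module's documentation, since as far as I know the option is spelled `no_drop_privs` with underscores, and the same literal is repeated in `self.googleAuthArgs` in the `-1312` hunk.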
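Review bot: In the `-424` hunk `google_authenticator` is added as `LOGIC_SUFFICIENT` ahead of `unix`, so, assuming that constant maps to PAM's `sufficient` control, a correct one-time code alone completes the auth stack and the password is never checked. That makes the code an alternative single factor rather than a second factor, and the `-539` hunk repeats the same entry in another stack table. If this is the intent, the option help and the tooltip should say so, because the deployment then relies on the module's own rate limiting to bound guessing of a short numeric code. If a second factor is wanted, the entry has to be a required step alongside the password module instead of a sufficient one placed before it. Both stack tables start and end outside the hunks.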
>@@ -1370,7 +1383,7 @@
> ("enableKerberos", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b"),
> ("enableWinbindAuth", "b"), ("enableMkHomeDir", "b"), ("enableAFS", "b"),
> ("enableAFSKerberos", "b"), ("enableCracklib", "b"), ("enableEPS", "b"),
>- ("enableEcryptfs", "b"), ("enableOTP", "b"), ("enablePasswdQC", "b"),
>+ ("enableEcryptfs", "b"), ("enableOTP", "b"), ("enableGoogleAuth", "b"), ("enablePasswdQC", "b"),
> ("enableLocAuthorize", "b"), ("enableSysNetAuth", "b"), ("winbindOffline", "b"),
> ("enableSSSDAuth", "b"), ("enableFprintd", "b"), ("pamLinked", "b"),
> ("implicitSSSDAuth", "b"), ("systemdArgs", "c"), ("uidMin", "i")]),
>@@ -1379,7 +1392,7 @@
> ("enableEcryptfs", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b"),
> ("enableWinbindAuth", "b"), ("enableWinbind", "b"), ("enableDB", "b"),
> ("enableHesiod", "b"), ("enableCracklib", "b"), ("enablePasswdQC", "b"),
>- ("enableLocAuthorize", "b"), ("enablePAMAccess", "b"),
>+ ("enableLocAuthorize", "b"), ("enablePAMAccess", "b"), ("enableGoogleAuth", "b"),
> ("enableMkHomeDir", "b"), ("enableSysNetAuth", "b"), ("enableFprintd", "b"),
> ("enableSSSD", "b"), ("enableSSSDAuth", "b"), ("enableForceLegacy", "b")]),
> SaveGroup(self.writeNetwork, [("nisDomain", "c")])]
>@@ -2000,6 +2013,10 @@
> if module.startswith("pam_fprintd"):
> self.setParam("enableFprintd", True, ref)
> continue
>+ if module.startswith("pam_google_authenticator"):
>+ self.setParam("enableGoogleAuth", True, ref)
>+ if args:
>+ self.setParam("googleAuthArgs", args, ref)
> if module.startswith("pam_passwdqc"):
> self.setParam("enablePasswdQC", True, ref)
> if args:
>@@ -2175,6 +2192,10 @@
> except ValueError:
> pass
> try:
>+ self.enableGoogleAuth = shv.getBoolValue("USEGOOGLEAUTH")
>+ except ValueError:
>+ pass
>+ try:
> self.enablePasswdQC = shv.getBoolValue("USEPASSWDQC")
> except ValueError:
> pass
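Review bot: The `pam_google_authenticator` branch added in the `-2000` hunk has no `continue`, unlike the `pam_fprintd` branch directly above it, so control falls through to the remaining `startswith` tests. Add `continue` after the `if args:` block, provided the argument-carrying branches outside this hunk end the same way. The branch also stores whatever argument string the existing PAM file holds into `googleAuthArgs`, and the `-3393` hunk writes that string back unchanged, so a hand-edited `secret=` path in a user-writable location is kept silently; a comment such as `# args from the existing PAM file are preserved as-is, including any custom secret= path` would make that visible. The enclosing loop starts and ends outside the hunk.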
>@@ -3393,6 +3414,8 @@
> args = " ".join(module[ARGV])
> if name == "winbind" and self.winbindOffline:
> output += " cached_login"
>+ if name == "google_authenticator":
>+ args = self.googleAuthArgs
> if name == "unix":
> if stack == "password":
> if self.passwordAlgorithm and self.passwordAlgorithm != "descrypt":
>@@ -3456,6 +3479,7 @@
> forceSmartcard = self.forceSmartcard
> enableSmartcard = self.enableSmartcard
> enableFprintd = self.enableFprintd
>+ enableGoogleAuth = self.enableGoogleAuth
> warn = False
> if service == STANDARD:
> warn = True
>@@ -3488,6 +3512,7 @@
> (enableSmartcard and forceSmartcard and module[NAME] == "deny") or
> (enableFprintd and module[NAME] == "fprintd") or
> (self.enableOTP and module[NAME] == "otp") or
>+ (self.enableGoogleAuth and module[NAME] == "google_authenticator") or
> (self.enablePasswdQC and module[NAME] == "passwdqc") or
> (self.enableWinbindAuth and module[NAME] == "winbind") or
> ((self.enableSSSDAuth or self.implicitSSSDAuth) and module[NAME] == "sss") or
>@@ -3544,6 +3569,7 @@
> shv.setBoolValue("USESMARTCARD", self.enableSmartcard)
> shv.setBoolValue("FORCESMARTCARD", self.forceSmartcard)
> shv.setBoolValue("USEFPRINTD", self.enableFprintd)
>+ shv.setBoolValue("USEGOOGLEAUTH", self.enableGoogleAuth)
> shv.setValue("PASSWDALGORITHM", self.passwordAlgorithm)
> shv.setValue("USEMD5", None)
> shv.setBoolValue("USESHADOW", self.enableShadow)
>@@ -3764,6 +3790,7 @@
> print " smartcard module = \"%s\"" % self.smartcardModule
> print " smartcard removal action = \"%s\"" % self.smartcardAction
> print "pam_fprintd is %s" % formatBool(self.enableFprintd)
>+ print "pam_google_authenticator is %s" % formatBool(self.enableGoogleAuth)
> print "pam_ecryptfs is %s" % (formatBool(self.enableEcryptfs))
> print "pam_winbind is %s" % formatBool(self.enableWinbindAuth)
> print " SMB workgroup = \"%s\"" % self.smbWorkgroup
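Review bot: In the `-3393` hunk `args = self.googleAuthArgs` unconditionally replaces the `" ".join(module[ARGV])` value computed just above, so the `argv_google_auth` list attached to the stack entries is never what gets written, and the effective default is the duplicate string literal from the `-1312` hunk. Keep one definition, for example by initialising the attribute with `self.googleAuthArgs = " ".join(argv_google_auth)`. I would also guard the override, `if name == "google_authenticator" and self.googleAuthArgs:`, so that an empty value cannot emit the module with no arguments and fall back to the default secret location the patch set out to avoid. The enclosing function starts and ends outside the hunk.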
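Review bot: The local `enableGoogleAuth` assigned in the `-3456` hunk is never used in the visible code, because the condition added in the `-3488` hunk tests `self.enableGoogleAuth` while the neighbouring fingerprint and smart-card conditions test their locals. If those locals exist so that a method can be switched off for particular services (the code between the two hunks is not visible), the OTP module would still be written into services where the others are suppressed. Either use the local, `(enableGoogleAuth and module[NAME] == "google_authenticator") or`, and give it the same per-service overrides, or drop the unused assignment.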