On 2015/11/25 00:14, Stuart Henderson wrote:
> On 2015/11/24 11:24, Richard Johnson wrote:
> > We use 2-factor authn for sudo & doas, as well as for most logins.
> > Presently, we transport Yubikey and other HOTP strings across RADIUS to an
> > otpd authserver
>
> Interesting...is that a fork of the TRI-D otpd? I found the googlecode
> one and a github export but nothing that seems currently active and
> nothing that supports Yubikey. (I'm on the lookout for things which
> handle central Yubikey auth; none of the programs that I've found so
> far are very appealing).
>
> > This is on systems with 1200+ user accounts, about 30 active daily. Users
> > expect that if they can log in as username:radius or username:skey, they
> > should be able to sudo -a radius or sudo -a skey.
> >
> > Moving away from Kerberos means possible increasing use of sudo or doas by
> > regular users to run transfer commands to data archives. For this, it would
> > be useful if doas supported "-a skey". Then I could just use doas; the
> > command is otherwise plain enough.
> >
> > But that's not a lot of users across the entire OpenBSD installed base.
> >
> > Installing sudo from ports is still an option. I need to debug the -a
> > failure there now. ;)
> >
> >
> > Richard
> >
>
> Personally my take on this is that as long as it's just done as -a
> then it's small and simple to implement (pass a string from args to
> auth_userokay), and there's no other way to provide access to this which
> is an important, though lesser-known, part of bsd_auth. We already trust
> auth_userokay with network-supplied strings for this (e.g. as part of
> the username from ssh) so this doesn't seem to add any real exposure
> risk.
>
Here's an updated version of Renaud's diff against -current after the change
to auth_userchallenge.
Index: doas.c
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.46
diff -u -p -r1.46 doas.c
--- doas.c 3 Dec 2015 08:12:15 -0000 1.46
+++ doas.c 8 Dec 2015 01:26:19 -0000
@@ -37,7 +37,8 @@
static void __dead
usage(void)
{
- fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command
[args]\n");
+ fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]"
+ " command [args]\n");
exit(1);
}
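Review bot: the removed usage line is split over two lines as posted (`- fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command` followed by `[args]\n");`), so patch(1) will not find a matching line in doas.c 1.46 and the hunk is rejected; this looks like mail wrapping rather than a defect in the change itself, so resend the diff unwrapped or as an attachment and dry-run it before commit. The replacement two-line fprintf is fine as written.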
@@ -323,6 +324,7 @@ main(int argc, char **argv, char **envp)
int nflag = 0;
char cwdpath[PATH_MAX];
const char *cwd;
+ char *login_style = NULL;
if (pledge("stdio rpath getpw tty proc exec id", NULL) == -1)
err(1, "pledge");
@@ -331,8 +333,11 @@ main(int argc, char **argv, char **envp)
uid = getuid();
- while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
+ while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
switch (ch) {
+ case 'a':
+ login_style = optarg;
+ break;
case 'C':
confpath = optarg;
break;
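Review bot: the `-a` value is handed to auth_userchallenge() unchanged, with no validation in doas itself; that is consistent with the argument earlier in the thread that bsd_auth already receives untrusted style strings, and the doas.1 hunk's wording ("as allowed by /etc/login.conf") is what actually bounds which styles a user can select, so the commit message should say explicitly that the style is checked by bsd_auth against the class's auth-doas (or auth) capability, not by doas.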
@@ -412,7 +417,7 @@ main(int argc, char **argv, char **envp)
if (nflag)
errx(1, "Authorization required");
- if (!(as = auth_userchallenge(myname, NULL, "auth-doas",
+ if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
&challenge)))
err(1, "auth challenge failed");
if (!challenge) {
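Review bot: `err(1, "auth challenge failed")` appends strerror(errno), but auth_userchallenge() returning NULL because login.conf does not permit the requested style need not set errno, so a user who typos `-a skay` gets an unrelated system error message; now that `-a` exposes this path to ordinary users, `errx(1, "auth challenge failed")` or a message naming the rejected style would be clearer. Separately, `-a` is accepted together with `-n`, yet the `if (nflag) errx(1, "Authorization required")` check just above aborts before login_style is ever used; either reject the combination during option parsing or document that `-a` has no effect with `-n`.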
Index: doas.1
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.1,v
retrieving revision 1.14
diff -u -p -r1.14 doas.1
--- doas.1 27 Jul 2015 17:57:06 -0000 1.14
+++ doas.1 8 Dec 2015 01:26:19 -0000
@@ -22,6 +22,7 @@
.Sh SYNOPSIS
.Nm doas
.Op Fl ns
+.Op Fl a Ar style
.Op Fl C Ar config
.Op Fl u Ar user
.Ar command
@@ -40,6 +41,19 @@ is specified.
.Pp
The options are as follows:
.Bl -tag -width tenletters
++.It Fl a Ar style
++The
++.Fl a
++(authentication style) option causes
++.Nm
++to use the specified authentication style when validating the user,
++as allowed by
++.Pa /etc/login.conf .
++The system administrator may specify a list of doas-specific
++authentication methods by adding an
++.Sq auth-doas
++entry in
++.Pa /etc/login.conf .
.It Fl C Ar config
Parse and check the configuration file
.Ar config ,
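Review bot: the 13 added lines in this hunk carry a doubled `+` prefix (`++.It Fl a Ar style` through `++.Pa /etc/login.conf .`), so as posted they either fail to apply or insert lines beginning with a literal `+` into doas.1; strip one `+` from each, which also matches the hunk header's count of 13 additions. The text itself reads fine, though it would help to state what doas does when `-a` is omitted, since the NULL default in the doas.c hunk is otherwise undocumented.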
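As an added illustration of the `auth-doas` capability the doas.1 hunk describes, here is a constructed /etc/login.conf excerpt; it is not part of Stuart's or Renaud's diff, and the `staff` class name and the particular style lists are assumptions chosen for the example.

```conf
# /etc/login.conf excerpt (constructed example, not from the posted diff).
#
# Interactive logins for the "staff" class may use either a plain password
# or S/Key.  doas(1) looks up the "auth-doas" capability first, so members
# of this class are restricted to S/Key when elevating: "doas -a skey cmd"
# is accepted, while "doas -a passwd cmd" is refused by bsd_auth because
# "passwd" is not in the auth-doas list, even though it is in "auth".
staff:\
	:auth=passwd,skey:\
	:auth-doas=skey:\
	:tc=default:
```

The point for an administrator is that the `-a` option only lets a user choose among the styles already listed for that class; a style absent from `auth-doas` (or from `auth`, when no `auth-doas` entry exists) cannot be selected from the command line, which is what keeps the option from widening the exposure discussed above.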