40 | | Note that if you're using two-factor authentication, or username-password |
41 | | authentication, this might require used to re-enter their 2FA token or |
42 | | usernamne and password. To avoid this, do not use --auth-nocache, and enable |
43 | | <insert-correct-name> on the server side to ask for 2FA once per session only. |
| 40 | Note that if you're using two-factor authentication, or username-password authentication, this might require users to re-enter their 2FA token or usernamne and password. To avoid this, do not use {{{--auth-nocache}}}, and use the {{{auth-token}}} option (see below) in the client-connect and auth-user-pass-verify scripts on the server side to ask for 2FA once per session only. |
45 | | <some text on the single-2FA-per-session option> |
| 42 | The (undocumented) {{{auth-token}}} option can be pushed by a client-connect script (running on the server) to instruct the connecting client to return this token as the password during the next authentication. The auth-user-pass-verify script (running on the server) should accept this token during the next authentication sessions, until the token expires. |
| 43 | |
| 44 | The following client-connect and auth-user-pass-verify scripts illustrate how these options can be used. Note that these scripts are examples for auth-token usage only, and should be adapted to your own needs before using them. These scripts should not be used as-is! |
| 45 | |
| 46 | client-connect: |
| 47 | {{{ |
| 48 | #!/usr/bin/env python |
| 49 | |
| 50 | import base64 |
| 51 | import hmac |
| 52 | import os |
| 53 | import sys |
| 54 | import time |
| 55 | |
| 56 | username = os.environ['username'] |
| 57 | |
| 58 | # Create an authentication 'cookie' that binds to the current user and time |
| 59 | ts = time.time() |
| 60 | to_auth = str(ts) + ":" + username |
| 61 | |
| 62 | h = hmac.new('mysecret') |
| 63 | h.update(to_auth) |
| 64 | digest = base64.b64encode(h.digest()) |
| 65 | |
| 66 | auth_token = "push \"auth-token " + str(ts) + ":" + digest + "\"" |
| 67 | |
| 68 | print "Sending auth-token:", auth_token |
| 69 | |
| 70 | open(sys.argv[1], 'w').write(auth_token) |
| 71 | }}} |
| 72 | |
| 73 | auth-user-pass-verify: |
| 74 | {{{ |
| 75 | #!/usr/bin/env python |
| 76 | |
| 77 | import base64 |
| 78 | import hmac |
| 79 | import os |
| 80 | import time |
| 81 | |
| 82 | username = os.environ['username'] |
| 83 | password = os.environ['password'] |
| 84 | |
| 85 | # Try password auth first |
| 86 | if (password == "mysecretpassword"): |
| 87 | print "password OK" |
| 88 | exit(0) |
| 89 | |
| 90 | # Otherwise verify auth-token |
| 91 | token = password.split(":") |
| 92 | |
| 93 | to_auth = token[0] + ":" + os.environ['username'] |
| 94 | |
| 95 | h = hmac.new('mysecret') |
| 96 | h.update(to_auth) |
| 97 | digest = h.digest() |
| 98 | |
| 99 | # Exit with error if authentication fails |
| 100 | if digest != base64.b64decode(token[1]): |
| 101 | print "Auth-token incorrect" |
| 102 | exit(1) |
| 103 | |
| 104 | # Exit with error if auth-token expired |
| 105 | if time.time() - float(token[0]) > 60: |
| 106 | print "Auth-token expired" |
| 107 | exit(1) |
| 108 | |
| 109 | # All went well! |
| 110 | exit(0) |
| 111 | }}} |