| 40 | | Note that if you're using two-factor authentication, or username-password |
| 41 | | authentication, this might require used to re-enter their 2FA token or |
| 42 | | usernamne and password. To avoid this, do not use --auth-nocache, and enable |
| 43 | | <insert-correct-name> on the server side to ask for 2FA once per session only. |
| | 40 | Note that if you're using two-factor authentication, or username-password authentication, this might require users to re-enter their 2FA token or usernamne and password. To avoid this, do not use {{{--auth-nocache}}}, and use the {{{auth-token}}} option (see below) in the client-connect and auth-user-pass-verify scripts on the server side to ask for 2FA once per session only. |
| 45 | | <some text on the single-2FA-per-session option> |
| | 42 | The (undocumented) {{{auth-token}}} option can be pushed by a client-connect script (running on the server) to instruct the connecting client to return this token as the password during the next authentication. The auth-user-pass-verify script (running on the server) should accept this token during the next authentication sessions, until the token expires. |
| | 43 | |
| | 44 | The following client-connect and auth-user-pass-verify scripts illustrate how these options can be used. Note that these scripts are examples for auth-token usage only, and should be adapted to your own needs before using them. These scripts should not be used as-is! |
| | 45 | |
| | 46 | client-connect: |
| | 47 | {{{ |
| | 48 | #!/usr/bin/env python |
| | 49 | |
| | 50 | import base64 |
| | 51 | import hmac |
| | 52 | import os |
| | 53 | import sys |
| | 54 | import time |
| | 55 | |
| | 56 | username = os.environ['username'] |
| | 57 | |
| | 58 | # Create an authentication 'cookie' that binds to the current user and time |
| | 59 | ts = time.time() |
| | 60 | to_auth = str(ts) + ":" + username |
| | 61 | |
| | 62 | h = hmac.new('mysecret') |
| | 63 | h.update(to_auth) |
| | 64 | digest = base64.b64encode(h.digest()) |
| | 65 | |
| | 66 | auth_token = "push \"auth-token " + str(ts) + ":" + digest + "\"" |
| | 67 | |
| | 68 | print "Sending auth-token:", auth_token |
| | 69 | |
| | 70 | open(sys.argv[1], 'w').write(auth_token) |
| | 71 | }}} |
| | 72 | |
| | 73 | auth-user-pass-verify: |
| | 74 | {{{ |
| | 75 | #!/usr/bin/env python |
| | 76 | |
| | 77 | import base64 |
| | 78 | import hmac |
| | 79 | import os |
| | 80 | import time |
| | 81 | |
| | 82 | username = os.environ['username'] |
| | 83 | password = os.environ['password'] |
| | 84 | |
| | 85 | # Try password auth first |
| | 86 | if (password == "mysecretpassword"): |
| | 87 | print "password OK" |
| | 88 | exit(0) |
| | 89 | |
| | 90 | # Otherwise verify auth-token |
| | 91 | token = password.split(":") |
| | 92 | |
| | 93 | to_auth = token[0] + ":" + os.environ['username'] |
| | 94 | |
| | 95 | h = hmac.new('mysecret') |
| | 96 | h.update(to_auth) |
| | 97 | digest = h.digest() |
| | 98 | |
| | 99 | # Exit with error if authentication fails |
| | 100 | if digest != base64.b64decode(token[1]): |
| | 101 | print "Auth-token incorrect" |
| | 102 | exit(1) |
| | 103 | |
| | 104 | # Exit with error if auth-token expired |
| | 105 | if time.time() - float(token[0]) > 60: |
| | 106 | print "Auth-token expired" |
| | 107 | exit(1) |
| | 108 | |
| | 109 | # All went well! |
| | 110 | exit(0) |
| | 111 | }}} |
