author | Adam Goodman <akgood@duosecurity.com> | 2014-02-28 11:52:09 -0500 |
---|---|---|
committer | Adam Goodman <akgood@duosecurity.com> | 2014-02-28 12:05:30 -0500 |
commit | b36342387ca8e629b469d2a7f5c22a0083f7a5fc (patch) | |
tree | 9f6b3a730acbc8cc72726aeef9e13bf38f6748a9 | |
parent | 463f56ecec12eb894d0d85bdeeeb9f777e6f9470 (diff) | |
If a password is not provided (or blank), use the user's default out-of-band factor. This makes it possible to use the 'auth-user-pass-optional' server directive.
-rwxr-xr-x | duo_openvpn.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/duo_openvpn.py b/duo_openvpn.py
index 4d91db4..1b5d8b2 100755
--- a/duo_openvpn.py
+++ b/duo_openvpn.py
@@ -311,7 +311,7 @@ def preauth(client, control, username):
 result = response.get('result')
 if result == API_RESULT_AUTH:
- return
+ return response['factors'].get('default')
 status = response.get('status')
 if not status:
@@ -364,7 +364,7 @@ def main(Client=Client, environ=os.environ):
 password = environ.get('password')
 ipaddr = environ.get('ipaddr', '0.0.0.0')
- if not control or not username or not password:
+ if not control or not username:
 log('required environment variables not found')
 sys.exit(1)
@@ -389,11 +389,18 @@ def main(Client=Client, environ=os.environ):
 )
 try:
- preauth(client, control, username)
+ default_factor = preauth(client, control, username)
 except Exception, e:
 log(str(e))
 failure(control)
+ if not (password or default_factor):
+ log('no password provided and no out-of-band factors '
+ 'available for username {0:s}'.format(username))
+ failure(control)
+ elif not password:
+ password = default_factor
+
 try:
 auth(client, control, username, password, ipaddr)
 except Exception, e: |
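Review bot: The added return in preauth() indexes `response['factors']` directly, while the neighbouring lines read the response with `.get()`, so a preauth reply that reports the auth result without a `factors` object raises KeyError. As the third hunk shows, main() catches that and logs only `str(e)`, which here would be the bare key name and give an operator little to go on. Consider `return (response.get('factors') or {}).get('default')`, so the missing case reaches the explicit "no out-of-band factors" branch in main() instead. Since preauth() now returns a value on this path, a docstring line such as `Return the user's default factor name, or None if none is available.` would document the new contract. The rest of the function, including its other return paths, is outside the hunk.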
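Review bot: With `not password` dropped from this guard in main(), a connection that supplies only a username now proceeds to preauth and, per the third hunk, to an out-of-band request on that user's default factor. The username then becomes the only client-supplied value needed to prompt a user's device, so this path is only sound when the client has already been authenticated and tied to that username (for example by a verified client certificate). Nothing in the visible lines enforces that. I would state the assumption at the guard, e.g. `# password may be empty (auth-user-pass-optional); the client must already be authenticated and bound to this username`, and repeat it in the setup documentation. main() starts before and continues after this hunk.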
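Review bot: The new `if not (password or default_factor):` check runs straight after the `except` branch, so it relies on `failure(control)` never returning. failure() is not shown here; if it can return, `default_factor` is unbound at this point and the NameError is raised outside any handler. The same assumption applies to the added `failure(control)` inside the `if`, after which execution would fall through to `auth(...)` with an empty password. Setting `default_factor = None` before the `try:` and turning the fall-through into an explicit exit, e.g. `sys.exit(1)` after each `failure(control)`, would make the deny path independent of that helper. Separately, `not password` treats only an empty value as blank, so a whitespace-only password is still sent to auth() as a passcode; `password = (password or '').strip()` would match the commit message's "or blank".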