author | Kim <kim.sidney@gmail.com> | 2021-10-31 14:05:28 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-31 14:05:28 +0100 |
commit | 629c169a43ffcff4a820cdafaeca430141815829 (patch) | |
tree | 3fb7e28ad4da617c29977d95dac6c41690b291c8 /src/op_mode/show_openvpn_mfa.py | |
parent | 062422db04f5ec6fd0a769f0d71faf4efa2d377f (diff) | |
parent | 28db7b15426fffc0f656e8d26db397d7bfb72aee (diff) | |
download | vyos-1x-629c169a43ffcff4a820cdafaeca430141815829.tar.gz vyos-1x-629c169a43ffcff4a820cdafaeca430141815829.zip |
openvpn: T3834: Support for Two Factor Authentication totp
Diffstat (limited to 'src/op_mode/show_openvpn_mfa.py')
-rwxr-xr-x | src/op_mode/show_openvpn_mfa.py | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/src/op_mode/show_openvpn_mfa.py b/src/op_mode/show_openvpn_mfa.py
new file mode 100755
index 000000000..1ab54600c
--- /dev/null
+++ b/src/op_mode/show_openvpn_mfa.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+
+# Copyright 2017, 2021 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+import re
+import socket
+import urllib.parse
+import argparse
+
+from vyos.util import popen
+
+otp_file = '/config/auth/openvpn/{interface}-otp-secrets'
+
+def get_mfa_secret(interface, client):
+    try:
+        with open(otp_file.format(interface=interface), "r") as f:
+            users = f.readlines()
+        for user in users:
+            if re.search('^' + client + ' ', user):
+                return user.split(':')[3]
+    except:
+        pass
+
+def get_mfa_uri(client, secret):
+    hostname = socket.gethostname()
+    fqdn = socket.getfqdn()
+    uri = 'otpauth://totp/{hostname}:{client}@{fqdn}?secret={secret}'
+
+    return urllib.parse.quote(uri.format(hostname=hostname, client=client, fqdn=fqdn, secret=secret), safe='/:@?=')
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(add_help=False, description='Show two-factor authentication information')
+    parser.add_argument('--intf', action="store", type=str, default='', help='only show the specified interface')
+    parser.add_argument('--user', action="store", type=str, default='', help='only show the specified users')
+    parser.add_argument('--action', action="store", type=str, default='show', help='action to perform')
+
+    args = parser.parse_args()
+    secret = get_mfa_secret(args.intf, args.user)
+
+    if args.action == "secret" and secret:
+        print(secret)
+
+    if args.action == "uri" and secret:
+        uri = get_mfa_uri(args.user, secret)
+        print(uri)
+
+    if args.action == "qrcode" and secret:
+        uri = get_mfa_uri(args.user, secret)
+        qrcode,err = popen('qrencode -t ansiutf8', input=uri)
+        print(qrcode)
+
|
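Review bot: In get_mfa_secret the `--user` value is spliced into a regex unescaped, `re.search('^' + client + ' ', user)`, so a name containing `.`, `*` or `(` can match a different user's line or raise re.error, and the bare `except: pass` beneath it turns that — as well as a missing or unreadable secrets file, or a line with fewer than four `:`-separated fields — into a silent `None` with no message. Use `re.search('^' + re.escape(client) + ' ', user)` (or simply `user.startswith(client + ' ')`) and narrow the handler to `except (OSError, IndexError): return None`, logging or printing the cause so an operator can tell "no such user" from "file not readable". In the `__main__` block `--action` accepts any string and defaults to `'show'`, which none of the three branches handles, so a typo prints nothing; `choices=['secret', 'uri', 'qrcode']` would let argparse reject it with a usage message. The `err` returned by popen for `qrencode` is discarded, so a missing qrencode binary prints an empty line instead of an error.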