From 0ccdd42ff4a4cf8f774689ce88439821da7d14f7 Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 11 Jun 2023 08:15:38 -0400
Subject: Removed some debug statements and better error handling

---
 pam/Makefile | 14 --------------
 server/mfad.py | 25 ++++++++++++-------------
 2 files changed, 12 insertions(+), 27 deletions(-)
 delete mode 100644 pam/Makefile

diff --git a/pam/Makefile b/pam/Makefile
deleted file mode 100644
index 46c2cab..0000000
--- a/pam/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-all: pam_mfa
-
-pam_mfa:
- gcc -fPIC -c pam_mfa.c
- gcc -shared -o pam_mfa.so pam_mfa.o -lpam
-
-install: all
- PAMDIR = /usr/lib/x86_64-linux-gnu/security/
- cp -f pam_mfa.so ${PAMDIR}
- chmod 755 ${PAMDIR}/pam_mfa.so
-
-clean:
- rm pam_mfa.so
- rm pam_mfa.o
diff --git a/server/mfad.py b/server/mfad.py
index cc5073b..169e186 100755
--- a/server/mfad.py
+++ b/server/mfad.py
@@ -72,9 +72,6 @@ def read_config(config):
 def eval_mfa(db, client_key, mfa_methods, client_response):
- print("response: " + client_response)
- print("length: " + str(len(client_response)))
- print("methods: " + str(mfa_methods))
 # Evaluates MFA and decides if authenticated or denied
 # Returns 0 for authenticated on 1 for denied
 if "push" in mfa_methods and client_response == "allow":
@@ -97,8 +94,6 @@ def validate_totp(db, client_key, client_response):
 client = c.fetchone()
 secret = client[CLIENT_SECRET_INDEX]
 totp = pyotp.TOTP(secret)
- print("Client Response: " + str(client_response))
- print("Valid TOTP: " + str(totp.now()))
 if totp.verify(client_response):
 return AUTHED
 else:
@@ -112,8 +107,6 @@ def validate_totp(db, client_key, client_response):
 # connection for identification
 # Client key is used to identify client throughout communication process
-# //TODO RSA public/private key pairs for proper authentication
-
 def get_client_key(db, username,hostname,service):
 # Correlates a PAM request to a registered client
 # This is done by checking the PAM request against a preconfigured 
@@ -127,9 +120,8 @@ def get_client_key(db, username,hostname,service):
 c.execute("""SELECT * FROM applications WHERE username=? AND hostname=? AND service=?""",(username,hostname,service))
 application = c.fetchone()
- # Return None if no results found
 if application == None:
- return application
+ return (None,None)
 alias = application[DB_ALIAS_INDEX]
 c.execute("SELECT * FROM clients WHERE alias=?",(alias,))
@@ -142,6 +134,7 @@ def get_client_key(db, username,hostname,service):
 def prompt_client(client_key, user, host, service, methods, timeout=10):
+ print(client_connections.keys())
 # Prompts client for MFA
 timer = 0
 while timer < timeout:
@@ -210,6 +203,10 @@ def handle_client(db, conn, addr):
 conn.send(ACK_MESSAGE.encode(FORMAT))
 client_connections[key] = (conn,addr)
 print("client connected with key " + key)
+ poll_time = 5
+ while True:
+ # Poll client
+ time.sleep(poll_time)
 def parse_pam_data(data):
@@ -229,15 +226,17 @@ def handle_pam(db, conn, addr):
 # Correlate request to client
 client_key,mfa_methods = get_client_key(db, user,host,service)
- mfa_methods = mfa_methods.split(' ')
 if client_key == None:
- print("No applications found for user="+user+" host="+host+" service="+service)
 conn.send(str(DENIED).encode(FORMAT))
- return
+ die("No applications found for user="+user+" host="+host+" service="+service)
+ mfa_methods = mfa_methods.split(' ')
 # Prompt client
 response = prompt_client(client_key,user,host,service,mfa_methods)
-
+ if response == 0:
+ conn.send(str(DENIED).encode(FORMAT))
+ die("Did not receive response from client")
+
 # Evaluate Response
 decision = eval_mfa(db, client_key, mfa_methods, response)
--
cgit v1.2.3
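Review bot: The new `return (None,None)` makes the not-found branch of get_client_key hand back a two-element tuple, but the comment describing that branch is removed in the same hunk, so the contract the caller relies on (`client_key,mfa_methods = get_client_key(...)`) is now undocumented. A replacement comment on the new line would be `# No registered application: return an empty (client_key, mfa_methods) pair so callers can always unpack`. The test on the line above reads better as `if application is None:` than `== None`. get_client_key starts and ends outside the hunk.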
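Review bot: The added `print(client_connections.keys())` at the top of prompt_client is a new debug statement in a commit whose subject is removing them, and it writes every connected client key to stdout on each PAM request. The surrounding comments describe the client key as the value that identifies a client for the whole exchange, so it appears to act as that client's credential and should not land in logs; I would drop the line, or at most print `len(client_connections)`. prompt_client continues outside the hunk.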
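Review bot: The added `while True: time.sleep(poll_time)` loop at the end of handle_client is commented `# Poll client` but polls nothing: the function never returns, the socket is never checked, and a client that disconnects stays in `client_connections` to be prompted later by handle_pam. If handle_client runs on the accepting thread rather than a per-connection one (the caller is not in the hunk), the loop also stops the daemon from serving further connections. A loop that actually probes the connection and drops the stale entry on failure is sketched below; it assumes `time` is imported at the top of the file, which is not visible here.
```python
    print("client connected with key " + key)
    poll_time = 5
    while True:
        # Poll client: a send on a closed/reset connection raises, which is the
        # signal to drop the stale entry so handle_pam never prompts a dead peer.
        time.sleep(poll_time)
        try:
            conn.send(KEEPALIVE_MESSAGE.encode(FORMAT))  # PLACEHOLDER: a message the client protocol ignores
        except OSError:
            client_connections.pop(key, None)
            conn.close()
            return
```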
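Review bot: Replacing `return` with `die(...)` on the no-application branch of handle_pam means one PAM request for an unregistered user/host/service pair no longer ends just that request; if die() exits the process, as its name suggests (its definition is outside the hunk), a single such request stops the MFA daemon for every registered client, an availability fault reachable from the authentication path. The failure should stay per-request, as the removed lines had it: `conn.send(str(DENIED).encode(FORMAT))`, `print("No applications found for user="+user+" host="+host+" service="+service)`, `return`, and the same shape for the new `if response == 0:` branch. That branch also assumes prompt_client returns 0 only when no reply arrived, which the hunk does not show, and the comparison above it is idiomatically `if client_key is None:`. handle_pam continues outside the hunk.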