From 755d7f5f94b720b028d085cf971c5935c130dec1 Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Mon, 4 Jul 2022 12:24:59 -0400
Subject: Implemented TLS encrypted connections
Implemented TLS encrypted connections. Added command line argument and configuration file option to accept invalid (self-signed) certificates. Fixed a couple of unrelated issues.
---
 pam/pam_mfa.py | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)
(limited to 'pam')
diff --git a/pam/pam_mfa.py b/pam/pam_mfa.py
index 85d0a82..5a5a112 100755
--- a/pam/pam_mfa.py
+++ b/pam/pam_mfa.py
@@ -1,5 +1,6 @@
 #!/usr/bin/python3
 import socket
+import ssl
 import argparse
 import time
 import sys
@@ -33,9 +34,11 @@ def parse_arguments():
 default="/etc/mfa/mfa.conf") parser.add_argument("--server",type=str,help="MFA server address") parser.add_argument("--port",type=str,help="MFA server PAM connection port") + parser.add_argument("--insecure",action="store_true", + help="Accept invalid TLS certificates") return parser.parse_args()
-def init_connection(mfa_server, pam_port):
+def init_connection(mfa_server, pam_port, insecure): # Attempts to connect to MFA server with provided address and port # Repeats connection attempts once per second until timeout is reached # Returns the socket if connection was successful or None otherwise
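Review bot: The comment block under the new `init_connection(mfa_server, pam_port, insecure)` signature still documents only the address and port, so the new parameter and what it switches off are undocumented; add a line such as `# insecure: when true, skip certificate and hostname verification of the MFA server (testing only)`. The `--insecure` help string says only "Accept invalid TLS certificates", while the implementation in the next hunk also sets `check_hostname = False`, so make the help text match what the flag does, e.g. `help="Skip TLS certificate and hostname verification (testing only)"`. The body of init_connection continues in the following hunk.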
@@ -43,13 +46,22 @@ def init_connection(mfa_server, pam_port):
 timeout = 0 timeout_length = 5 sleep_length = 1 + context = ssl.create_default_context() + if insecure: + context.check_hostname = False + context.verify_mode = 0 while connection == None and timeout < timeout_length: try: - connection = socket.create_connection((mfa_server,pam_port)) + #connection = socket.create_connection((mfa_server,client_port)) + connection = context.wrap_socket(socket.socket(socket.AF_INET), + server_hostname=mfa_server) + connection.connect((mfa_server,int(pam_port))) return connection except (ConnectionError,ConnectionRefusedError): time.sleep(sleep_length) timeout += sleep_length + except ssl.SSLCertVerificationError: + die("error: server presented invalid certificate") return None
@@ -82,24 +94,28 @@ def get_vars(args,confparser):
 server = None port = None + insecure = None # Set values from config file first if confparser.has_section("pam"): server = confparser.get("pam","server",fallback=None) port = confparser.get("pam","port",fallback=None) + insecure = bool(confparser.get("pam","insecure",fallback=False)) # Let command line args overwrite any values - if args.server: + if args.server != None: server = args.server - if args.port: + if args.port != None: port = args.port + if args.insecure: + insecure = args.insecure # Exit if any value is null if None in [server,port]: print("error: one or more items unspecified") sys.exit(1) - return server,port + return server,port,insecure
 def main():
@@ -109,7 +125,7 @@ def main():
 # Get arguments args = parse_arguments() confparser = read_config(args.config) - mfa_server,pam_port = get_vars(args,confparser) + mfa_server,pam_port,insecure = get_vars(args,confparser) user = args.user service = args.service
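Review bot: `context.verify_mode = 0` in the `if insecure:` branch uses a bare integer where the `ssl` module has a named constant; write `context.verify_mode = ssl.CERT_NONE` so the effect (no certificate verification at all) is visible to the reader, and consider printing a warning on this path so a deployment that runs with verification disabled is noticeable. The new `except ssl.SSLCertVerificationError` only covers a failed certificate check: any other handshake failure raises `ssl.SSLError`, which derives from OSError rather than ConnectionError and so escapes the retry loop as a traceback, so add `except ssl.SSLError as e: die(f"error: TLS handshake failed: {e}")` after the existing branch. Replacing `socket.create_connection` with `socket.socket(socket.AF_INET)` also drops the IPv6 resolution the old call provided, and the commented-out old line above `wrap_socket` should be deleted rather than kept. `die` is not defined in this hunk — presumably a helper elsewhere in the file.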
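Review bot: `insecure = bool(confparser.get("pam","insecure",fallback=False))` in get_vars is wrong for a config file: `ConfigParser.get` returns the raw string, so any non-empty value — including `insecure = false`, `no` or `0` — is truthy and silently disables certificate verification. Use the parser's boolean conversion instead, `insecure = confparser.getboolean("pam","insecure",fallback=False)`, which accepts yes/no, on/off, true/false and 1/0 and raises on anything else. The new `args.server != None` and `args.port != None` comparisons should be `is not None` per PEP 8; the intent of accepting an empty string from the command line is preserved either way.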
@@ -130,7 +146,7 @@ def main():
 # Initalize connection to MFA server. Quit if unable to connect. - connection = init_connection(mfa_server,pam_port) + connection = init_connection(mfa_server,pam_port,insecure) if connection == None: print(failed) sys.exit(1)
--
cgit v1.2.3