matthiassb/auth-duo.py

## auth-duo.py
import duo_client
import ldap

auth_api = duo_client.Auth(
    ikey='<ikey>',
    skey='<skey>',
    host='<host>',
)

LDAP_SERVER = 'ldap://10.1.0.143'
DOMAIN = 'matthias.local'
ldap_client = None

def pam_sm_authenticate(pamh, flags, argv):
    #get username
    try:
        username = pamh.get_user()
    except pamh.exception:
        username = None

    if username == None:
        return pamh.PAM_USER_UNKNOWN

    #get password
    passwordPrompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF,
                          'Password: ')
    try:
        password = pamh.conversation(passwordPrompt)
    except pamh.exception:
        return pamh.PAM_SYSTEM_ERR

    #try bind
    try:
         ldap_client = ldap.initialize(LDAP_SERVER)
         ldap_client.set_option(ldap.OPT_REFERRALS,0)
         ldap_client.simple_bind_s(username + "@" + DOMAIN, password.resp)
    except ldap.INVALID_CREDENTIALS:
         return pamh.PAM_USER_UNKNOWN
    except ldap.SERVER_DOWN:
         return pamh.PAM_SYSTEM_ERR

    ldap_client.unbind()

    #get token
    tokenPrompt = pamh.Message(pamh.PAM_PROMPT_ECHO_ON,
                          'Enter DUO Token: ')
    try:
        token = pamh.conversation(tokenPrompt)
    except pamh.exception:
        return pamh.PAM_SYSTEM_ERR


    #check token
    response = auth_api.auth(
        username=username,
        passcode=token.resp,
        factor="passcode",
    )
    if response['status'] == "allow":
        return pamh.PAM_SUCCESS
    else:
        return pamh.PAM_USER_UNKNOWN

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_chauthtok(pamh, flags, argv):
    return pamh.PAM_SUCCESS
	import duo_client
	import ldap

	auth_api = duo_client.Auth(
	ikey='<ikey>',
	skey='<skey>',
	host='<host>',
	)

	LDAP_SERVER = 'ldap://10.1.0.143'
	DOMAIN = 'matthias.local'
	ldap_client = None

	def pam_sm_authenticate(pamh, flags, argv):
	#get username
	try:
	username = pamh.get_user()
	except pamh.exception:
	username = None

	if username == None:
	return pamh.PAM_USER_UNKNOWN

	#get password
	passwordPrompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF,
	'Password: ')
	try:
	password = pamh.conversation(passwordPrompt)
	except pamh.exception:
	return pamh.PAM_SYSTEM_ERR

	#try bind
	try:
	ldap_client = ldap.initialize(LDAP_SERVER)
	ldap_client.set_option(ldap.OPT_REFERRALS,0)
	ldap_client.simple_bind_s(username + "@" + DOMAIN, password.resp)
	except ldap.INVALID_CREDENTIALS:
	return pamh.PAM_USER_UNKNOWN
	except ldap.SERVER_DOWN:
	return pamh.PAM_SYSTEM_ERR

	ldap_client.unbind()

	#get token
	tokenPrompt = pamh.Message(pamh.PAM_PROMPT_ECHO_ON,
	'Enter DUO Token: ')
	try:
	token = pamh.conversation(tokenPrompt)
	except pamh.exception:
	return pamh.PAM_SYSTEM_ERR


	#check token
	response = auth_api.auth(
	username=username,
	passcode=token.resp,
	factor="passcode",
	)
	if response['status'] == "allow":
	return pamh.PAM_SUCCESS
	else:
	return pamh.PAM_USER_UNKNOWN

	def pam_sm_setcred(pamh, flags, argv):
	return pamh.PAM_SUCCESS

	def pam_sm_acct_mgmt(pamh, flags, argv):
	return pamh.PAM_SUCCESS

	def pam_sm_open_session(pamh, flags, argv):
	return pamh.PAM_SUCCESS

	def pam_sm_close_session(pamh, flags, argv):
	return pamh.PAM_SUCCESS

	def pam_sm_chauthtok(pamh, flags, argv):
	return pamh.PAM_SUCCESS