@ppmathis
Created October 14, 2012 13:19
Improved two factor authentication with DuoSecurity
#!/bin/sh
###########################################################
# Two factor authentication with DuoSecurity
#
# (c) 2012 P. Mathis <pmathis@snapserv.net>
###########################################################
# This script improves the normal UNIX integration of
# DuoSecurity. You can specify for each SSH subsystem
# whether the two factor authentication is required.
#
# I am not responsible for lost or breached servers,
# broken hearts, thermonuclear war, massive traffic costs
# or unfulfilled sexual partners. Please do some research
# if you have any concerns about features included in
# this script before using it!
#
# But don't worry, the worst thing that could happen
# is that your two factor authentication would always be
# bypassed, as long as you don't do other modifications.
###########################################################

###########################################################
# Configuration
###########################################################
# Specifies if the two factor authentication should be
# used for normal SSH sessions or not. Please use yes / no
# Recommended: yes
SSH_ENFORCE_DS=yes

# You can allow specific SSH keyfile users to bypass the
# two factor authentication. To use that feature, you must
# do a few things:
# 1) You must set "PermitUserEnvironment" to "yes" in your
#    SSH configuration. Otherwise the keyfile won't work
#    anymore (and you're locked out if password
#    authentication is disabled).
#
# 2) Add the following text in front of every SSH key which
#    can bypass the two factor authentication. For example,
#    you can add the following text in front of the key in
#    your ~/.ssh/authorized_keys file:
#
#    environment="DUOSEC=BYPASS"
#
#    After this option the normal "ssh-rsa ..." text should
#    follow. Don't forget a space after the environment
#    option, otherwise your key won't work again.
#
# 3) Set the following option to "yes"
SSH_ALLOW_KEY_BYPASS=yes

# Specifies if the two factor authentication should be
# used for RSYNC connections.
# Recommended: no
RSYNC_ENFORCE_DS=no

# Specifies if the two factor authentication should be
# used for SSHFS / SFTP connections.
# Recommended: no
SFTP_ENFORCE_DS=no

###########################################################
# End of configuration - Do not touch anything below
###########################################################

# Disconnect clients when they quit the script with Ctrl+C
# (the function must exist before the trap can call it)
jail() {
    echo "You must not quit this script."
    kill -9 "$PPID"
    exit 0
}
trap jail INT

# First word of the command the client asked for; empty for
# a plain interactive SSH session. Quoted so that spaces or
# shell metacharacters in the command cannot break the test.
SSH_CMD=$(printf '%s\n' "$SSH_ORIGINAL_COMMAND" | awk '{print $1}')

# SSH connections (normal SSH shell)
if [ -z "$SSH_ORIGINAL_COMMAND" ]; then
    if [ "$SSH_ENFORCE_DS" = "yes" ]; then
        if [ "$DUOSEC" = "BYPASS" ] && [ "$SSH_ALLOW_KEY_BYPASS" = "yes" ]; then
            # Give the user their shell
            "$SHELL" -l
            exit 0
        else
            # Enforce DuoSecurity authentication
            /usr/sbin/login_duo
            exit 0
        fi
    else
        # Give the user their shell
        "$SHELL" -l
        exit 0
    fi
fi

# RSYNC connections
if [ "$SSH_CMD" = "rsync" ]; then
    if [ "$RSYNC_ENFORCE_DS" = "yes" ]; then
        # Enforce DuoSecurity authentication
        /usr/sbin/login_duo
        exit 0
    else
        # Allow the RSYNC connection directly
        "$SHELL" -c "$SSH_ORIGINAL_COMMAND"
        exit 0
    fi
fi

# SFTP / SSHFS connections (sftp-server path as used on
# Debian/Ubuntu; adjust it for your distribution)
if [ "$SSH_CMD" = "/usr/lib/openssh/sftp-server" ]; then
    if [ "$SFTP_ENFORCE_DS" = "yes" ]; then
        # Enforce DuoSecurity authentication
        /usr/sbin/login_duo
        exit 0
    else
        # Allow the SSHFS / SFTP connection directly
        "$SHELL" -c "$SSH_ORIGINAL_COMMAND"
        exit 0
    fi
fi

# Invalid subsystem - deny it by default
kill -9 "$PPID"
exit 0
@ppmathis (Author)

Installation

  1. Install DuoSecurity according to their instructions, but do not do the part where the "ForceCommand" entry should be added.
  2. Copy & paste the above script into /etc/ssh/duo_auth.sh
  3. Add the following lines to your SSH configuration (/etc/ssh/sshd_config):
     ForceCommand /etc/ssh/duo_auth.sh
     PermitUserEnvironment yes
  4. You may configure and test it now. Please do not close your current SSH session as long as you're not sure if everything works!
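Since every key carrying environment="DUOSEC=BYPASS" skips login_duo entirely, it is worth knowing which keys those are and that sshd_config really has the two directives from the installation steps. The following audit helper is an added example, not part of the gist; the key material, user names and file contents are constructed samples, and the sftp/key-type patterns assume OpenSSH's authorized_keys format.

```sh
#!/bin/sh
# Added audit helper, not part of the gist. Lists the authorized_keys
# entries that carry environment="DUOSEC=BYPASS" (the keys that skip
# login_duo under the script above) and checks sshd_config for the two
# directives the installation step requires.

# Print "<keytype> <comment>" for each key whose options field (the
# tokens before the key type) sets DUOSEC=BYPASS. Options may contain
# quoted spaces, so the key type is located by scanning the fields.
list_bypass_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/) break
            if (i > NF) next
            opts = ""
            for (j = 1; j < i; j++) opts = opts " " $j
            if (opts !~ /environment="DUOSEC=BYPASS"/) next
            comment = ""
            for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
            print $i, (comment == "" ? "(no comment)" : comment)
        }' "$1"
}

# Return 0 when sshd_config has both directives the script depends on;
# otherwise report what is missing and return 1.
check_sshd_config() {
    cfg=$1; rc=0
    grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+/etc/ssh/duo_auth\.sh' "$cfg" \
        || { echo "missing: ForceCommand /etc/ssh/duo_auth.sh"; rc=1; }
    grep -Eiq '^[[:space:]]*PermitUserEnvironment[[:space:]]+yes' "$cfg" \
        || { echo "missing: PermitUserEnvironment yes (bypass keys stop working)"; rc=1; }
    return $rc
}

# Constructed sample input (fake keys, not from a real host) so this runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# comment lines are ignored
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY1 alice@laptop
from="10.0.0.5",environment="DUOSEC=BYPASS" ssh-rsa AAAAB3NzaC1yc2EAAAAFAKEKEY2 backup@nas
command="/usr/bin/rrsync /srv" ssh-rsa AAAAB3NzaC1yc2EAAAAFAKEKEY3 ci@runner
EOF
printf 'ForceCommand /etc/ssh/duo_auth.sh\n' > "$SAMPLE_DIR/sshd_config"

list_bypass_keys "$SAMPLE_DIR/authorized_keys"   # prints: ssh-rsa backup@nas
check_sshd_config "$SAMPLE_DIR/sshd_config" || echo "sshd_config is incomplete"
```

On a real host, run list_bypass_keys against each user's ~/.ssh/authorized_keys and check_sshd_config against /etc/ssh/sshd_config.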

@bjparent

How about adding a #!/bin/bash as the first line for non-bash shell accounts?

@cdowey-r7

Thanks for sharing, this has been a great help.
