From 6b46103dbca986566421d7789318534ee4785b95 Mon Sep 17 00:00:00 2001
From: mikemn
Date: Wed, 11 Nov 2015 14:59:38 -0600
Subject: [PATCH 1/2] Add proxy support via Curl

---
 pam_yubico.8.txt | 3 +++
 pam_yubico.c | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/pam_yubico.8.txt b/pam_yubico.8.txt
index 468399a..1466045 100644
--- a/pam_yubico.8.txt
+++ b/pam_yubico.8.txt
@@ -50,6 +50,9 @@ This option should not be used, please use the urllist option instead. Set the *capath*=_path_:: Specify the path where X509 certificates are stored. This is required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri' respectively. +*proxy*=_proxy_:: +Specify a proxy to connect to the validation server. Valid schemes are socks4://, socks4a://, socks5:// or socks5h://. Socks5h asks the proxy to do the dns resolving. If no scheme or port is specified HTTP proxy port 1080 will be used. E.g. socks5h://user:pass@10.10.0.1:1080 + *verbose_otp*:: This argument is used to show the OTP (One Time Password) when it is entered, i.e. to enable terminal echo of entered characters. You are advised to not use this, if you are using two factor authentication because that will display your password on the screen. This requires the service using the PAM module to display custom fields. For example, OpenSSH requires you to configure "ChallengeResponseAuthentication no".
diff --git a/pam_yubico.c b/pam_yubico.c
index 801c4f5..bc12566 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -111,6 +111,7 @@ struct cfg
 const char *auth_file;
 const char *capath;
 const char *cainfo;
+ const char *proxy;
 const char *url;
 const char *urllist;
 const char *ldapserver;
@@ -710,6 +711,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 cfg->capath = argv[i] + 7;
 if (strncmp (argv[i], "cainfo=", 7) == 0)
 cfg->cainfo = argv[i] + 7;
+ if (strncmp (argv[i], "proxy=", 6) == 0)
+ cfg->proxy = argv[i] + 6;
 if (strncmp (argv[i], "url=", 4) == 0)
 cfg->url = argv[i] + 4;
 if (strncmp (argv[i], "urllist=", 8) == 0)
@@ -772,6 +775,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 D (("urllist=%s", cfg->urllist ? cfg->urllist : "(null)"));
 D (("capath=%s", cfg->capath ? cfg->capath : "(null)"));
 D (("cainfo=%s", cfg->cainfo ? cfg->cainfo : "(null)"));
+ D (("proxy=%s", cfg->proxy ? cfg->proxy : "(null)"));
 D (("token_id_length=%d", cfg->token_id_length));
 D (("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" ));
 D (("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)"));
@@ -883,6 +887,9 @@ pam_sm_authenticate (pam_handle_t * pamh,
 if (cfg->cainfo)
 ykclient_set_ca_info (ykc, cfg->cainfo);
+ if (cfg->proxy)
+ ykclient_set_proxy (ykc, cfg->proxy);
+
 if (cfg->url)
 {
 rc = ykclient_set_url_template (ykc, cfg->url);
From e231b8217cdfc25bffc7181a1270dfd840a3aebf Mon Sep 17 00:00:00 2001
From: mikemn
Date: Thu, 12 Nov 2015 15:02:49 -0600
Subject: [PATCH 2/2] Update Readme with proxy parameter description

---
 README | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README b/README
index c7ecc75..7461f64 100644
--- a/README
+++ b/README
@@ -188,6 +188,12 @@ specify the path where X509 certificates are stored. This is required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri' respectively. +proxy:: +specify a proxy to connect to the validation server. Valid schemes are +socks4://, socks4a://, socks5:// or socks5h://. Socks5h asks the proxy +to do the dns resolving. If no scheme or port is specified HTTP proxy +port 1080 will be used. + verbose_otp:: This argument is used to show the OTP (One-Time Password) when it is entered, i.e. to enable terminal echo of entered characters.
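Review bot: The new `D (("proxy=%s", cfg->proxy ? cfg->proxy : "(null)"));` line in the second pam_yubico.c hunk prints the proxy value verbatim, and the man page entry added in the same series gives `socks5h://user:pass@10.10.0.1:1080` as the expected form, so enabling debug now writes any proxy password into the debug output alongside harmless values like capath and cainfo. The neighbouring lines it mirrors only carry file paths, so this is the one value that needs redacting; either strip the userinfo before `@` or log presence only: `D (("proxy=%s", cfg->proxy ? "(set)" : "(null)"));`. For the same reason the man page/README text could mention that a password embedded in `proxy=` lives in the PAM configuration file and that file's permissions therefore matter. parse_cfg begins and ends outside the hunk.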
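Review bot: In the pam_sm_authenticate hunk, `if (cfg->proxy)` treats an empty value as a configured proxy, because the parser in the first hunk turns a bare `proxy=` into a pointer to an empty string rather than rejecting it; whether libykclient/libcurl then proxy, fail, or silently connect directly is not visible in this series, and a silent direct connection would defeat a proxy that policy requires. Either reject the empty value in parse_cfg or guard here with `if (cfg->proxy && *cfg->proxy)`. If `ykclient_set_proxy` is only available in newer libykclient releases, the build's minimum-version check presumably needs raising too, which this series does not touch. pam_sm_authenticate begins and ends outside the hunk.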