I would like this. It has my OK for what it is worth here.
On 8 Dec 2015 11:41 am, "Stuart Henderson" <st...@openbsd.org> wrote:
> On 2015/11/25 00:14, Stuart Henderson wrote:
> > On 2015/11/24 11:24, Richard Johnson wrote:
> > > We use 2-factor authn for sudo & doas, as well as for most logins.
> > > Presently, we transport Yubikey and other HOTP strings across RADIUS
> to an
> > > otpd authserver
> >
> > Interesting...is that a fork of the TRI-D otpd? I found the googlecode
> > one and a github export but nothing that seems currently active and
> > nothing that supports Yubikey. (I'm on the lookout for things which
> > handles central Yubikey auth, none of the programs that I've found so
> > far are very appealing).
> >
> > > This is on systems with 1200+ user accounts, about 30 active daily.
> Users
> > > expect that if they can log in as username:radius or username:skey,
> they
> > > should be able to sudo -a radius or sudo -a skey.
> > >
> > > Moving away from Kerberos means possible increasing use of sudo or
> doas by
> > > regular users to run transfer commands to data archives. For this, it
> would
> > > be useful if doas supported "-a skey". Then I could just use doas; the
> > > command is otherwise plain enough.
> > >
> > > But that's not a lot of users across the entire OpenBSD installed base.
> > >
> > > Installing sudo from ports is still an option. I need to debug the -a
> > > failure there now. ;)
> > >
> > >
> > > Richard
> > >
> >
> > Personally my take on this is that as long as it's just done as -a
> > then it's small and simple to implement (pass a string from args to
> > auth_userokay), and there's no other way to provide access to this which
> > is an important, though lesser-known, part of bsd_auth. We already trust
> > auth_userokay with network-supplied strings for this (e.g. as part of
> > the username from ssh) so this doesn't seem to add any real exposure
> > risk.
> >
>
> Here's an updated version of Renaud's diff against -current after the
> change
> to auth_userchallenge.
>
> Index: doas.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/doas/doas.c,v
> retrieving revision 1.46
> diff -u -p -r1.46 doas.c
> --- doas.c 3 Dec 2015 08:12:15 -0000 1.46
> +++ doas.c 8 Dec 2015 01:26:19 -0000
> @@ -37,7 +37,8 @@
> static void __dead
> usage(void)
> {
> - fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command
> [args]\n");
> + fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u
> user]"
> + " command [args]\n");
> exit(1);
> }
>
> @@ -323,6 +324,7 @@ main(int argc, char **argv, char **envp)
> int nflag = 0;
> char cwdpath[PATH_MAX];
> const char *cwd;
> + char *login_style = NULL;
>
> if (pledge("stdio rpath getpw tty proc exec id", NULL) == -1)
> err(1, "pledge");
> @@ -331,8 +333,11 @@ main(int argc, char **argv, char **envp)
>
> uid = getuid();
>
> - while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
> + while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
> switch (ch) {
> + case 'a':
> + login_style = optarg;
> + break;
> case 'C':
> confpath = optarg;
> break;
> @@ -412,7 +417,7 @@ main(int argc, char **argv, char **envp)
> if (nflag)
> errx(1, "Authorization required");
>
> - if (!(as = auth_userchallenge(myname, NULL, "auth-doas",
> + if (!(as = auth_userchallenge(myname, login_style,
> "auth-doas",
> &challenge)))
> err(1, "auth challenge failed");
> if (!challenge) {
> Index: doas.1
> ===================================================================
> RCS file: /cvs/src/usr.bin/doas/doas.1,v
> retrieving revision 1.14
> diff -u -p -r1.14 doas.1
> --- doas.1 27 Jul 2015 17:57:06 -0000 1.14
> +++ doas.1 8 Dec 2015 01:26:19 -0000
> @@ -22,6 +22,7 @@
> .Sh SYNOPSIS
> .Nm doas
> .Op Fl ns
> +.Op Fl a Ar style
> .Op Fl C Ar config
> .Op Fl u Ar user
> .Ar command
> @@ -40,6 +41,19 @@ is specified.
> .Pp
> The options are as follows:
> .Bl -tag -width tenletters
> ++.It Fl a Ar style
> ++The
> ++.Fl a
> ++(authentication style) option causes
> ++.Nm
> ++to use the specified authentication style when validating the user,
> ++as allowed by
> ++.Pa /etc/login.conf .
> ++The system administrator may specify a list of doas-specific
> ++authentication methods by adding an
> ++.Sq auth-doas
> ++entry in
> ++.Pa /etc/login.conf .
> .It Fl C Ar config
> Parse and check the configuration file
> .Ar config ,
>
>
