Merge remote-tracking branch 'upstream/master'

DigitalDJ · DigitalDJ · commit 6e5ff18964b1 · 2015-03-01T18:57:31.000+10:30
Conflicts:
	README.md
	authy-ssh
	authy-ssh.sha1sum
	tests/test_protect.rb
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2014 Authy, Inc.
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@
 
 Type the following command in the terminal:
 
-    $ curl -O 'https://raw.githubusercontent.com/authy/authy-ssh/master/authy-ssh'
+    $ curl -O 'https://raw.githubusercontent.com/DigitalDJ/authy-ssh/master/authy-ssh'
     $ sudo bash authy-ssh install /usr/local/bin
 
 Then enable two-factor for your user:
@@ -31,7 +31,7 @@ Restart your SSH server (look below if you are not on Ubuntu).
 
 **Debian**
 
-    sudo /etc/init.d/sshd restart
+    sudo service sshd restart
 
 **RedHat and Fedora Core Linux**
 
@@ -45,7 +45,7 @@ Restart your SSH server (look below if you are not on Ubuntu).
 
 Type the following command in the terminal:
 
-    $ curl 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh
+    $ curl 'https://raw.githubusercontent.com/DigitalDJ/authy-ssh/master/authy-ssh' -o authy-ssh
     $ bash authy-ssh install ~/.authy-ssh/
 
 
@@ -54,6 +54,19 @@ Now protect your user:
     $ bash ~/.authy-ssh/authy-ssh protect
 
 
+## Enable two-factor auth on a user.
+
+After the installation is finished, you have to proactively enable the two-factor for the users you want to protect.
+
+To enable users type the following command and fill the form:
+
+    $ sudo authy-ssh enable
+
+If you want to do it in one line just type:
+
+    $ sudo authy-ssh enable <local-username> <user-email> <user-cellphone-country-code> <user-cellphone> [grace-period]
+
+
 ## How it works
 
 Authy-ssh uses the `sshd_config` directive `ForceCommand` to run itself before every login. Here's how your sshd_config will look after installing:
@@ -71,11 +84,10 @@ Here's an example:
     user=root:1:-1
     user=daniel:1:300
 
-In this case it means user root and daniel have two-factor enabled and that 1 is their `authy_id`. If a user is not in this list, `authy-ssh` will automatically let him in. 
+In this case it means user root and daniel have two-factor enabled and that 1 is their `authy_id`. If a user is not in this list, `authy-ssh` will automatically let him in.
 The user daniel has an optional `grace-period` of 300 seconds, allowing them to open a new session within 5 minutes of the last successful login without requiring two-factor authentication.
 On the other hand, the root user uses the default `grace-period` of -1, requiring all sessions to use two-factor authentication, regardless of recent successful logins.
 
-
 The `load_default_banner` option will show the operating system's default SSH banner when a successful login occurs. This checks to see if a MOTD is set in /etc/pam.d/sshd or /etc/motd. 
 Setting this to disable will suppress the default sshd MOTD.
 
@@ -103,20 +115,9 @@ Now that my root user is in the two-factor group, I edit my /etc/ssh/sshd_config
 Now force command will only operate on users that belong to the two-factor group.
 
 
-## Enable two-factor auth on a user.
-
-To enable users type the following command and fill the form:
-
-    $ sudo authy-ssh enable
-
-If you want to do it in one line just type:
-
-	$ sudo authy-ssh enable <local-username> <user-email> <user-cellphone-country-code> <user-cellphone> [grace-period]
+## `scp`, `sftp`, `mosh` and `git push` with two-factor authentication.
 
-
-## `scp`, `mosh` and `git push` with two-factor authentication.
-
-To enable non-interactive commands like `scp`, `mosh` and `git clone|fetch|push` you have to allow to pass the environment variable `AUTHY_TOKEN` from the client. To do so edit your `sshd_config` (normally located at `/etc` or `/etc/ssh/`) and add `AUTHY_TOKEN` to the AcceptEnv directive:
+To enable non-interactive commands like `scp`, `sftp`, `mosh` and `git clone|fetch|push` you have to allow to pass the environment variable `AUTHY_TOKEN` from the client. To do so edit your `sshd_config` (normally located at `/etc` or `/etc/ssh/`) and add `AUTHY_TOKEN` to the AcceptEnv directive:
 
 	AcceptEnv AUTHY_TOKEN
 
@@ -131,6 +132,9 @@ And finally pass the token before the command:
     AUTHY_TOKEN="valid-token" scp server:path/to/file local-file
     AUTHY_TOKEN="valid-token" mosh server
 
+### Note
+
+For cases like `sftp` if you enter an invalid token, you may receive a response like *"Received message too long 458961713"*. This is because the interactive command is not able to render the proper output text message returned by the program.
 
 ## Multiple users sharing the same unix account.
 
@@ -158,4 +162,10 @@ To uninstall type:
     $ sudo authy-ssh uninstall
     $ restart your SSH server
 
-	
+
+## Running Unit Tests
+
+Fork and clone the git repository https://github.com/DigitalDJ/authy-ssh.git
+
+    $ cd tests
+    $ rake test
diff --git a/authy-ssh b/authy-ssh
@@ -1,23 +1,26 @@
 #!/usr/bin/env bash
 
-VERSION="1.6.1"
+VERSION="1.7.1"
 AUTHY_URL="https://api.authy.com"
 APP_ROOT=`dirname $0`
 CONFIG_FILE="$APP_ROOT/authy-ssh.conf"
 LAST_LOGIN_FOLDER="$HOME/.authy-ssh/"
 LAST_LOGIN_FILE="$LAST_LOGIN_FOLDER/last-login"
-UPSTREAM_URL="https://raw.github.com/authy/authy-ssh/master/authy-ssh"
+UPSTREAM_URL="https://raw.githubusercontent.com/DigitalDJ/authy-ssh/master/authy-ssh"
 READ_TIMEOUT=60
+MIN_API_KEY_SIZE=12
 
 OK=0
 FAIL=1
+SEQ="seq"
 
 export TERM="xterm-256color"
 NORMAL=$(tput sgr0)
 GREEN=$(tput setaf 2; tput bold)
 YELLOW=$(tput setaf 3)
 RED=$(tput setaf 1)
 
+
 function red() {
     echo -e "$RED$*$NORMAL"
 }
@@ -37,6 +40,19 @@ function debug() {
     fi
 }
 
+function check_dependencies() {
+  if ! type "seq" > /dev/null 2>&1;
+  then
+    if ! type "jot" > /dev/null 2>&1;
+    then
+      red "You need installed on your system either 'seq' or 'jot' command"
+      exit $FAIL
+    else
+      SEQ="jot"
+    fi
+  fi
+}
+
 function escape_input() {
   sed "s/[;\`\"\$\' ]//g" <<<$*
 }
@@ -45,6 +61,10 @@ function escape_number() {
   sed 's/^-?[0-9]*//g' <<< $*
 }
 
+function os_version() {
+  echo `uname -srm`
+}
+
 function read_input() {
   read -t "$READ_TIMEOUT" input
   echo "$(escape_input $input)"
@@ -93,14 +113,19 @@ function require_curl() {
     return $FAIL
 }
 
+function user_agent() {
+  os="$(os_version)"
+  echo "User-Agent: AuthySSH/${VERSION} (${os})"
+}
+
 function find_sshd_config() {
     debug "Trying to find sshd_config file"
     if [[ -f /etc/sshd_config ]]
     then
         SSHD_CONFIG="/etc/sshd_config"
     elif [[ -f /etc/ssh/sshd_config ]]
     then
-        SSHD_CONFIG="/etc/ssh/sshd_config"       
+        SSHD_CONFIG="/etc/ssh/sshd_config"
     fi
 }
 
@@ -167,7 +192,7 @@ function install_authy() {
       echo -n "Enter the Authy API key: "
       read  authy_api_key
 
-      if [ ${#authy_api_key} != 32 ]
+      if [ ${#authy_api_key} -lt ${MIN_API_KEY_SIZE} ]
       then
         red "you have entered a wrong API key"
         return $FAIL
@@ -306,7 +331,7 @@ function check_config_file() {
 #   - anything else: exits the command
 function check_api_key() {
     debug "Checking api key"
-    if [[ "${#AUTHY_API_KEY}" != 32 ]]
+    if [ ${#AUTHY_API_KEY} -lt ${MIN_API_KEY_SIZE} ]
     then
         red "Cannot find a valid api key"
         run_shell
@@ -513,7 +538,8 @@ function register_user_on_authy() {
         return $FAIL
     fi
 
-    response=`curl --connect-timeout 10 "${url}" -d user[email]="${email}" -d user[country_code]="${country_code}" -d user[cellphone]="${cellphone}" -s 2>/dev/null`
+    useragent="$(user_agent)"
+    response=`curl --connect-timeout 10 "${url}" -A "${useragent}" -d user[email]="${email}" -d user[country_code]="${country_code}" -d user[cellphone]="${cellphone}" -s 2>/dev/null`
     ok=true
 
     debug "[register-user] url: $url | response: $response | curl exit stats: $?"
@@ -621,8 +647,17 @@ function login() {
       return $FAIL
     fi
 
+    size=${#authy_token} 
+    if [[ $size -lt 6 || $size -gt 10 ]]
+    then
+      red "You have to enter a valid token."
+      return $FAIL
+    fi
+
+    useragent="$(user_agent)"
     url="$AUTHY_URL/protected/json/verify/${authy_token}/${authy_id}?api_key=${AUTHY_API_KEY}&force=true"
-    response=`curl --connect-timeout 30 -sL -w "|%{http_code}" "${url}"`
+
+    response=`curl --connect-timeout 30 -sL -w "|%{http_code}" -A "${useragent}" "${url}"`
     curl_exit_code=$?
     IFS='|' response_body=($response) # convert to array
 
@@ -637,7 +672,7 @@ function login() {
     if [[ $default_verify_action == "disable" ]]
     then
         debug "Checking if authy service is up."
-        check_response=`curl --connect-timeout 10 -s "${AUTHY_URL}" -o /dev/null`
+        check_response=`curl --connect-timeout 10 -s "${AUTHY_URL}" -A "${useragent}" -o /dev/null`
         check_exit_code=$?
 
         if [[ $check_exit_code == 7 || $check_exit_code == 28 ]]
@@ -647,10 +682,10 @@ function login() {
         fi
     fi
 
-    if [[ "${response_body[1]}" == "200" ]] && [[ "${response_body[0]}" == *\"success\":\"true\"* ]]
+    if [[ "${response_body[1]}" == "200" ]] && [[ "${response_body[0]}" == *\"token\":\"is*valid\"* ]]
     then
         debug "Two-factor token was accepted."
-        if [[ "$AUTHY_TOKEN" == "" ]]
+        if [[ ! $AUTHY_TOKEN ]]
         then
             banner_text=$(read_config banner)
             if [[ $? == $OK ]];
@@ -679,7 +714,8 @@ function request_sms() {
     authy_id="$(escape_number $1)"
     url="$AUTHY_URL/protected/json/sms/${authy_id}?api_key=${AUTHY_API_KEY}&force=true"
 
-    response=`curl --connect-timeout 10 "${url}" 2>/dev/null`
+    useragent="$(user_agent)"
+    response=`curl --connect-timeout 10 -A "${useragent}" "${url}" 2>/dev/null`
     debug "[request sms] url: $url | response: $response | curl exit stats: $?"
 
     if [[ $response == *success*"was sent"* ]]
@@ -724,15 +760,15 @@ function ask_token_and_log_user_in() {
       update_last_login
       run_shell
     fi
-    
+
     times=3
     if [[ $AUTHY_TOKEN ]] # env var
     then
       times=1
     fi
-    
+
     unset IFS
-    for i in `seq 1 $times`
+    for i in `$SEQ 1 $times`
     do
         authy_token="$(escape_number $AUTHY_TOKEN)"
         if [[ ! $AUTHY_TOKEN ]]
@@ -760,7 +796,7 @@ function ask_token_and_log_user_in() {
 }
 
 function update_authy() {
-  temp_file="$(mktemp)"
+  temp_file="$(mktemp -t tmpXXXXXXXXX)"
   curl "${UPSTREAM_URL}" -o "$temp_file"
   chmod 755 "$temp_file"
 
@@ -785,9 +821,11 @@ cd - >/dev/null
 
 case $1 in
     install)
+        check_dependencies
         install_authy "$0" "$2"
         ;;
     update)
+        check_dependencies
         require_root
         update_authy
         ;;
@@ -797,11 +835,13 @@ case $1 in
         ;;
     test|check)
         check_config_file
+        check_dependencies
         AUTHY_API_KEY="$(read_config api_key)"
         check_api_key || exit
         ask_token_and_log_user_in "test"
         ;;
     enable|register)
+        check_dependencies
         require_root
         check_config_file "writable"
         AUTHY_API_KEY="$(read_config api_key)"
@@ -810,12 +850,14 @@ case $1 in
         ;;
     login)
         check_config_file
+        check_dependencies
         AUTHY_API_KEY="$(read_config api_key)"
         check_api_key
         ask_token_and_log_user_in "login" "$2" "$3"
         ;;
     protect)
         check_config_file
+        check_dependencies
         AUTHY_API_KEY="$(read_config api_key)"
         protect_user "$2"
         ;;
diff --git a/authy-ssh.sha1sum b/authy-ssh.sha1sum
@@ -1 +1 @@
-9aac50642fe69aeb65a5c03b5088d1a82edc3885  authy-ssh
+2323b34ac668deadb3aaf86ab14542303d351580  authy-ssh
diff --git a/tests/test_enable.rb b/tests/test_enable.rb
@@ -45,10 +45,10 @@
     stdin.puts "y"
   end
 
-  if read_until(stdout, /0 is not a valid country code/i)
-    print "Sending an invalid country code: 0"
+  if read_until(stdout, /country_code":"is invalid/i)
     green " [OK]"
   else
+
     red " [FAILED]"
   end
 end
diff --git a/tests/test_login.rb b/tests/test_login.rb
diff --git a/tests/test_protect.rb b/tests/test_protect.rb

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-9aac50642fe69aeb65a5c03b5088d1a82edc3885 authy-ssh`
	`1`	`+2323b34ac668deadb3aaf86ab14542303d351580 authy-ssh`