This repository was archived by the owner on May 9, 2018. It is now read-only.
Add a customizable grace period to prevent TFA prompts after a recent successful login attempt #32
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…n is not required if a successful login was completed recently
…t, so we can reuse this method
… /etc/motd or pam.d sshd motd on successful login
…as not sent" and the *success*sent* success check was matching a failure
|
Since this initial pull request, I've also added a feature to print out the default sshd MOTD, by checking whether it is either enforced in pam.d or set in /etc/motd. Also, fixed a bug where SMS request would fail but be matched as a success. |
…uest. IFS was incorrectly set which breaks seq.
Conflicts: README.md authy-ssh authy-ssh.sha1sum tests/test_protect.rb
erichunter2016
approved these changes
Mar 13, 2017
|
If this is to be merged, I think the URLs in 6e5ff18 needs to be changed as this now points to me repository. Sorry about that. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch enables a grace period feature in authy-ssh. One can set a grace period (in seconds) per user, that will prevent prompting for two-factor authentication if a successful login using two-factor authentication was completed recently. It also ensures to not grant the grace period unless the user is connecting from the same IP address.
This would also allow easier SFTP (GUI clients) use with authy-ssh. A user may first login to a normal ssh prompt using two-factor authentication. Once completed, if a grace period is set, SFTP will not require two-factor authentication.
One could further extend this patch to use $SSH_ORIGINAL_COMMAND, to limit the processes grace period should apply to. For example, grace time should apply to sftp-server but not an rsync command.
I've tried to keep things as clean as possible without knowing the ins and outs of Bash. So feel free to clean it up, if necessary.