Add options to trigger or not the default authentication method when U2F is available #135

Merged: 2 commits, Oct 13, 2019

Conversation

@pdecat (Collaborator) commented Oct 10, 2019

This PR adds --u2f-trigger-default/--no-u2f-trigger-default options to determine whether to trigger the default authentication method when U2F is available (only works with Duo for now).

TODO:

  • maybe find a better name for the CLI options

@pdecat (Collaborator, Author) commented Oct 10, 2019

With no new option, defaults to previous behavior:

# rm ~/.aws/adfs_cookies
# username=****** aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi
2019-10-10 11:10:27,548 [authenticator authenticator.py:authenticate] [25707-MainProcess] [140318379849536-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Failed to read password from env
Password:
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw4)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw4)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'
            * SSPI:                             : 'False'
            * U2F and default method            : 'True'

With --u2f-trigger-default, like default behavior:

# rm ~/.aws/adfs_cookies
# username=****** aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi --u2f-trigger-default
2019-10-10 11:17:11,002 [authenticator authenticator.py:authenticate] [17359-MainProcess] [140493693032256-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Failed to read password from env
Password: 
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw4)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw4)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'
            * SSPI:                             : 'False'
            * U2F and default method            : 'True'

With --no-u2f-trigger-default:

# rm ~/.aws/adfs_cookies
# username=****** aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi --no-u2f-trigger-default
2019-10-10 11:01:10,775 [authenticator authenticator.py:authenticate] [26498-MainProcess] [140069065361216-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Failed to read password from env
Password:
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw4)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw4)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'
            * SSPI:                             : 'False'
            * U2F and default method            : 'False'

…ne whether to trigger the default authentication method when U2F is available (only works with Duo for now)
@pdecat (Collaborator, Author) commented Oct 10, 2019

Added a message to make it more obvious.

With no new option, defaults to previous behavior:

# sed -i 's/adfs_config.u2f_trigger_default = .*$//g' ~/.aws/config
# rm ~/.aws/adfs_cookies
# username=****** aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi
2019-10-10 11:57:14,804 [authenticator authenticator.py:authenticate] [23852-MainProcess] [139815736092480-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Failed to read password from env
Password: 
Sending request for authentication
Waiting for additional authentication
Triggering default authentication method: 'Duo Push'
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw4)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw4)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'
            * SSPI:                             : 'False'
            * U2F and default method            : 'True'

With --u2f-trigger-default, like default behavior:

# sed -i 's/adfs_config.u2f_trigger_default = .*$//g' ~/.aws/config
# rm ~/.aws/adfs_cookies
# username=****** aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi --u2f-trigger-default
2019-10-10 11:57:49,896 [authenticator authenticator.py:authenticate] [25865-MainProcess] [139991969261376-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Failed to read password from env
Password: 
Sending request for authentication
Waiting for additional authentication
Triggering default authentication method: 'Duo Push'
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw4)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw4)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'
            * SSPI:                             : 'False'
            * U2F and default method            : 'True'

With --no-u2f-trigger-default:

# sed -i 's/adfs_config.u2f_trigger_default = .*$//g' ~/.aws/config
# rm ~/.aws/adfs_cookies
# username=****** aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi --no-u2f-trigger-default
2019-10-10 11:58:34,183 [authenticator authenticator.py:authenticate] [28701-MainProcess] [140245834884928-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Failed to read password from env
Password: 
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw4)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw4)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'
            * SSPI:                             : 'False'
            * U2F and default method            : 'False'

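The logs above show the three outcomes but not how the setting is resolved or why it matters. The following is an added example written for this page (my code, not aws-adfs source); it uses argparse rather than the project's own CLI layer, assumes the precedence "command-line flag, then the `adfs_config.u2f_trigger_default` key that the `sed` command clears from `~/.aws/config`, then the previous behaviour (True)", and assumes that with no U2F device attached the default method is triggered regardless, since the PR scopes the option to "when U2F is available". The `run()` helper, the sample config and the profile name `example` are all constructed for the example. The practical point is visible in the planned steps: with the setting on, a Duo Push goes to the phone on every login even though the hardware key will answer; with `--no-u2f-trigger-default`, the login completes only through the FIDO device and the push approval path is never exercised.

```python
"""Model of the --u2f-trigger-default / --no-u2f-trigger-default setting.

Added example for this PR page, not aws-adfs source code. It uses argparse
instead of the project's own CLI layer and reproduces only what the PR's
log output shows. Precedence (an assumption, based on the sed command that
clears the config key before each test run):
  1. flag given on the command line
  2. `adfs_config.u2f_trigger_default` in the [profile NAME] section of
     ~/.aws/config
  3. the pre-PR behaviour: True (trigger Duo Push, then wait for U2F)
"""
import argparse
import configparser
from typing import List, Optional

CONFIG_KEY = "adfs_config.u2f_trigger_default"
PREVIOUS_BEHAVIOUR = True  # before the PR the default method was always triggered

# Constructed sample of ~/.aws/config, not a real file.
SAMPLE_CONFIG = """\
[profile example]
region = eu-west-1
adfs_config.u2f_trigger_default = False
"""


def parse_args(argv: List[str]) -> Optional[bool]:
    """Return True for --u2f-trigger-default, False for --no-u2f-trigger-default,
    None when neither flag is present. Other login options are ignored."""
    parser = argparse.ArgumentParser(prog="aws-adfs login", add_help=False,
                                     allow_abbrev=False)
    # Two store actions on one dest give the --flag/--no-flag pair;
    # the exclusive group rejects a command line that passes both.
    group = parser.add_mutually_exclusive_group()
    group.add_argument("--u2f-trigger-default", dest="u2f_trigger_default",
                       action="store_true", default=None)
    group.add_argument("--no-u2f-trigger-default", dest="u2f_trigger_default",
                       action="store_false", default=None)
    ns, _other_login_options = parser.parse_known_args(argv)
    return ns.u2f_trigger_default


def read_config_setting(config_text: str, profile: str) -> Optional[bool]:
    """Read the key from AWS CLI config text; None if absent or blank."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    raw = cfg.get(section, CONFIG_KEY, fallback="").strip().lower()
    if raw == "":
        return None  # key removed (e.g. by the PR's sed command) or left empty
    try:
        return configparser.ConfigParser.BOOLEAN_STATES[raw]
    except KeyError:
        raise ValueError(f"{CONFIG_KEY} must be a boolean, got {raw!r}") from None


def resolve_u2f_trigger_default(cli: Optional[bool], config: Optional[bool]) -> bool:
    """Explicit flag wins, then the config file, then the old default."""
    if cli is not None:
        return cli
    if config is not None:
        return config
    return PREVIOUS_BEHAVIOUR


def plan_second_factor(u2f_available: bool, trigger_default: bool,
                       default_method: str = "Duo Push") -> List[str]:
    """Ordered steps after the password step, mirroring the PR's log lines.

    Assumption: with no U2F device attached the default method is the only
    option and is triggered regardless of the setting; the PR scopes the
    option to 'when U2F is available'.
    """
    trigger = f"Triggering default authentication method: {default_method!r}"
    steps = ["Waiting for additional authentication"]
    if not u2f_available:
        steps.append(trigger)
        return steps
    if trigger_default:
        steps.append(trigger)  # a push reaches the phone even though the key will answer
    steps.append("Activate your FIDO U2F authenticator now")
    return steps


def run(argv: List[str], config_text: str = SAMPLE_CONFIG,
        profile: str = "example", u2f_available: bool = True) -> List[str]:
    """Glue: CLI + config -> setting -> planned second-factor steps."""
    setting = resolve_u2f_trigger_default(parse_args(argv),
                                          read_config_setting(config_text, profile))
    return plan_second_factor(u2f_available, setting)


if __name__ == "__main__":
    for argv in ([], ["--u2f-trigger-default"], ["--no-u2f-trigger-default"]):
        print(argv or "(no flag)", "->", run(argv))
```

Running the module prints the planned steps for each of the three invocations the PR tested. Note that `parse_args` uses `parse_known_args` so the other `aws-adfs login` options seen in the PR's command lines pass through untouched, and that a blank or removed config key falls back to the previous behaviour rather than raising.
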
@pdecat pdecat changed the title WIP: add options to trigger or not the default authentication method when U2F is available Add options to trigger or not the default authentication method when U2F is available Oct 10, 2019
@venth merged commit 27e017b into venth:master Oct 13, 2019
@pdecat pdecat deleted the u2f-trigger-default branch October 13, 2019 09:01
@venth (Owner) commented Oct 15, 2019

Released with version 1.19.0. Thank you 👍

@pdecat (Collaborator, Author) commented Oct 15, 2019

Thanks @venth!
