Commit f548b894 authored by Marcus Pedersén

Made config to build deb package

parent e6b05560
......@@ -3,6 +3,9 @@ name = "add-totp"
version = "0.9.0"
authors = ["Marcus Pedersén <marcus.pedersen@slu.se>"]
edition = "2018"
license = "GPL-3.0-or-later"
description = "Add an additional TOTP prompt at login"
readme = "README.md"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
......@@ -16,3 +19,35 @@ log = "0.4.11"
boringauth = "0.9.0"
rpassword = "5.0.0"
signal-hook = "0.1.16"
[package.metadata.deb]
# To crete deb package
# cargo install cargo-deb
# cargo deb
maintainer = "Marcus Pedersén <marcus.pedersen@slu.se>"
copyright = "2020, Marcus Pedersén <marcus.pedersen@slu.se>"
license-file = ["LICENSE", "0"]
extended-description = """\
The aim is to present an extra prompt for TOTP.
The main problem that it solves is that when you use ssh with public key
it does not use pam that is configured with oath tool and you will not
be prompted with the TOTP password.
That is what add-totp is solving, if user is logging in with public key
then user is prompted for TOTP password. If not valid, user is logged out.
add-totp can be used in other cases as well, just change the config file
and you will be prompted when that way of logging in is used."""
depends = "$auto"
section = "utility"
priority = "optional"
revision = "1"
changelog = "changelog"
conf-files = ["/etc/add-totp.conf"]
assets = [
["target/release/add-totp", "usr/sbin/add-totp", "4111"],
["add-totp.man.1.gz", "usr/share/man/man1/add-totp.1.gz", "644"],
["add-totp.conf.man.5.gz", "usr/share/man/man5/add-totp.conf.5.gz", "644"],
["add-totp.log", "var/log/add-totp.log", "640"],
["add-totp.logrotate", "etc/logrotate.d/add-totp", "644"],
["add-totp.conf.template", "etc/add-totp.conf", "644"],
]
\ No newline at end of file
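Review bot: the "4111" mode on the usr/sbin/add-totp asset installs the binary setuid root, presumably so that it can read /var/log/auth.log and /etc/security/users.oath when run from an unprivileged login shell; that is the single most review-sensitive line in this manifest and deserves an explicit comment next to it and a sentence in the README, since a setuid binary that parses a log file and a secrets file is where any bug in the program becomes a local privilege escalation. Also, var/log/add-totp.log is listed as a plain asset rather than in conf-files, so a package upgrade will overwrite the live log; creating the file from a postinst (or letting the program create it) is the usual approach. Minor: "To crete deb package" should read "To create deb package".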
......@@ -96,3 +96,14 @@ https://projects.interbull.org/marcus/add-totp.git
* Config logrotate, see man add-totp(1)
* Add /usr/sbin/add-totp to /etc/profile
**WARNING!** Make sure that you have tested thoroughly before you add it to profile, otherwise you can lock yourself out of the system.
### Debian package installation amd64
Find the latest release at:
```
https://projects.interbull.org/marcus/add-totp.git
```
* Download the debian package: add-totp_x.x.x-x_amd64.deb
* Install with: apt install /path/to/deb/package/add-totp_x.x.x-x_amd64.deb
* Add /usr/sbin/add-totp to /etc/profile
**WARNING!** Make sure that you have tested thoroughly before you add it to profile, otherwise you can lock yourself out of the system.
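Review bot: "Find the latest release at:" followed by a bare git URL in a code fence tells users to look in the repository for a .deb without saying where the binary is actually published (tag/release page or package registry); state the exact location. The amd64 section also drops the "Config logrotate" step that the source-install section lists; since this manifest ships etc/logrotate.d/add-totp in its assets, say that the package installs the logrotate config for you so readers do not wonder whether the step was forgotten.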
.TH ADD-TOTP.CONF 5 "November 2020" "add-totp-0.9.0" "User manuals"
.SH NAME
\fBadd-totp.conf \fP- Config file for program add-totp.
\fB
.SH SYNOPSIS
.nf
.fam C
\fB/etc/add-totp.conf\fP
.fam T
.fi
.fam T
.fi
.SH DESCRIPTION
Config file for program add-totp. Options in this file controls how add-totp will behave and when user will be presented with an oauth TOTP prompt.
.br
This config file is using the toml format.
.br
More information on toml can be found at: <https://toml.io>
.br
For the options in this file the syntax is as follows:
.br
option = "value"
.br
where "something" represent a string. All options are string values.
.br
If wrong or no value is set for an option, the default value will be used.
.br
If config file or option is missing, the default values specified at each option will be used.
.SH OPTIONS
.TP
.B
auth_path
Default value: "/var/log/auth.log" (auth_path = "/var/log/auth.log")
.br
Static file path to the login log that logs all login on the system.
.br
Usually:
.br
/var/log/auth.log or /var/log/secure
.br
\fBWARNING!\fP Make sure that this path is correct otherwise all users will be logged out trying to login and you can lock yourself out.
.TP
.B
oauth_user_path
Default value: "/etc/security/users.oath" (oauth_user_path = "/etc/security/users.oath")
.br
Static file path to the oath file that contains all users and oath codes.
.br
If file is missing or user is missing in the file, the user will still be prompted for a TOTP password but will not be able to login.
.TP
.B
access_path
Default value: "/etc/security/access-local.conf" (access_path = "/etc/security/access-local.conf")
.br
Static file path to the access file. File that contains IP numbers to allowed networks, networks that do not need the oath login prompt.
.br
This file is the same file used with pam_oauth.so to control when to show prompt for password.
.br
If file is missing, all users will be prompted for TOTP password.
.TP
.B
login_type
Default value: "PublicKey" (login_type = "PublicKey")
.br
Login type where this extra login should be used.
.br
Valid values are: Password, PublicKey, KeyboardInteractive, Local, Unknown
.TP
.B
log_path
Default value: "/var/log/add-totp.log" (log_path = "/var/log/add-totp.log")
.br
Static file path to log file. This is where all logging is written, all errors, all logins aso.
.TP
.B
hash
.br
Default value: "Sha1" (hash = "Sha1")
.br
Hash function that add-totp should use to calculate TOTP code.
.br
Valid values are: Sha1, Sha256, Sha512
.SH AUTHOR
Written by Marcus Pedersén.
.SH REPORTING BUGS
Report bugs by creating an issue at: <https://projects.interbull.org/marcus/add-totp>
.SH COPYRIGHT
Copyright © 2020 Marcus Pedersén. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
.br
This is free software: you are free to change and redistribute it. There is no WARRANTY, to the extent permitted by law.
.SH SEE ALSO
.B
add-totp(1)
.br
For source code and binaries see: <https://projects.interbull.org/marcus/add-totp>
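Review bot: the bare `\fB` line after the NAME entry opens bold with no matching `\fP`, and the second `.fam T`/`.fi` pair in SYNOPSIS is a duplicate; drop both. The DESCRIPTION and access_path text mix "oauth" with "oath": TOTP here is the OATH (HOTP/TOTP) scheme, and the PAM module is pam_oath.so, not pam_oauth.so, so the prose should say "oath TOTP prompt" and "pam_oath.so"; the option key oauth_user_path carries the same confusion, but renaming it is an interface change and can be a separate decision. Under auth_path it would also help to state whether an unreadable file is treated the same as a missing one, given that the WARNING says a wrong path logs every user out.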
/var/log/add-totp.log {
weekly
rotate 10
compress
delaycompress
missingok
notifempty
create 640 root root
}
.TH ADD-TOTP 1 "November 2020" "add-totp-0.9.0" "User manuals"
.SH NAME
\fBadd-totp \fP- Add an additional TOTP prompt at login
\fB
.SH SYNOPSIS
.nf
.fam C
\fBadd-totp\fP [\fIOPTION\fP]
.fam T
.fi
.fam T
.fi
.SH DESCRIPTION
The aim is to present an extra prompt for TOTP.
The main problem that it solves is that when you use ssh with public key
it does not use pam that is configured with oath tool and you will not
be prompted with the TOTP password.
That is what add-totp is solving, if user is logging in with public key
then user is prompted for TOTP password. If not valid, user is logged out.
add-totp can be used in other cases as well, just change the config file
and you will be prompted when that way of logging in is used.
.PP
add-totp checks in login file if your type of login is the same as specified in config file.
.br
If login type is the same, the access file is checked if your IP address is in one of the
allowed networks.
.br
If not in an allowed network you will be prompted for the oauth TOTP password.
.SH OPTIONS
.TP
.B
no args
Prompt for TOTP password if config is configured
.br
to prompt with used login.
.br
If password pass fail, user is logged out
.TP
.B
\fB-h\fP, \fB--help\fP
Print this help text and exit
.TP
.B
\fB--version\fP
output version information and exit
.RE
.PP
.SH CONFIG
If you want to change any configuration and not want to use default values,
.br
add-totp expect to find the config file here:
.br
/etc/add.totp.conf
.SH LOG
Default location of log is:
.br
/var/log/add-totp.log
.br
It can be worth to setup logrotation for the log file as it can become quite lengthy over time.
.br
All logins and failures are written to log.
.TP
Logrotation example:
.PP
.br
Create the following file:
.br
/etc/logrotate.d/add-totp
.br
and fill it with the following text:
.TP
/var/log/add-totp.log {
.br
weekly
.br
rotate 10
.br
compress
.br
delaycompress
.br
missingok
.br
notifempty
.br
create 640 root root
.br
}
.PP
.SH SETUP
To setup add-totp to run for all users at login add a line to /etc/profile containing:
.br
/usr/sbin/add-totp
.br
or
.TP
Create a script in a file /etc/profile.d/add-totp.sh, containing:
.br
#!/bin/bash
.br
/usr/sbin/add-totp
.PP
add-totp will then run for all users at login.
.TP
\fBWARNING!\fP Make sure that you have tested thoroughly before you add it to profile, otherwise you can lock yourself out of the system.
.PP
.SH FILES
Default files used by add-totp:
.br
/etc/add-totp.conf - if file is missing default values will be used. See add-totp.conf(5)
.br
/etc/security/users.oath - if oath user file is missing, user will be presented with a prompt, but will not be able to login
.br
/etc/security/access-local.conf - if access file is missing all users will be prompted for TOTP password
.br
/var/log/add-totp.log
.br
/var/log/auth.log or /var/log/secure - if file is missing all users will be logged out.
.SH AUTHOR
Written by Marcus Pedersén.
.SH REPORTING BUGS
Report bugs by creating an issue at: <https://projects.interbull.org/marcus/add-totp>
.SH COPYRIGHT
Copyright © 2020 Marcus Pedersén. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
.br
This is free software: you are free to change and redistribute it. There is no WARRANTY, to the extent permitted by law.
.SH SEE ALSO
.B
add-totp.conf(5)
.br
For source code and binaries see: <https://projects.interbull.org/marcus/add-totp>
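Review bot: the CONFIG section says the config file is expected at /etc/add.totp.conf, but the conf-files entry in Cargo.toml, add-totp.conf(5) and the FILES section all use /etc/add-totp.conf; fix the path, since an admin following this page would create a file the program never reads. The same stray `\fB` after NAME and duplicated `.fam T`/`.fi` as in the 5 page should go, `.TP` is used without a tag line before the logrotate example and the profile.d script (use `.PP`, or `.RS`/`.RE` around an `.nf`/`.fi` literal block instead), and "If password pass fail, user is logged out" should read "If the TOTP password check fails, the user is logged out".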
add-totp (0.9.0-1) unstable; urgency=low
* Initial release. (Closes: #nnnn) <nnnn is the bug number of your ITP>
-- Marcus Pedersén <marcus.pedersen@slu.se> Fri, 6 Nov 20200 10:52:31 +0100
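Review bot: the trailer date "Fri, 6 Nov 20200 10:52:31 +0100" is not a valid date (year 20200), and "(Closes: #nnnn) <nnnn is the bug number of your ITP>" is the dh_make template placeholder; since cargo-deb installs this file as changelog.Debian.gz, lintian and dpkg-parsechangelog will flag both. Fix the year and either fill in a real bug number or drop the Closes clause, and check that the entry keeps the blank lines and two-space indented bullet the Debian changelog format requires, which the rendering here does not show.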