Merge pull request #242 from himmelblau-idm/stable-0.6.x_hello_pin_hardening

Hello PIN length and offline fixes

Author: dmulder

Cargo.toml

@@ -16,7 +16,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.6.9"
+version = "0.6.10"
 authors = [
     "David Mulder <[email protected]>"
 ]
@@ -37,7 +37,7 @@ tracing-subscriber = "^0.3.17"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
 kanidm_unix_common = { path = "src/glue" }
-libhimmelblau = { version = "0.3.4" }
+libhimmelblau = { version = "0.3.5" }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.4.1"
 reqwest = { version = "^0.12.2", features = ["json"] }
@@ -76,7 +76,7 @@ tracing-forest = "^0.1.6"
 rusqlite = "^0.32.0"
 hashbrown = { version = "0.14.0", features = ["serde", "inline-more", "ahash"] }
 lru = "^0.12.3"
-kanidm_lib_crypto = { path = "./src/crypto", version = "0.6.9" }
+kanidm_lib_crypto = { path = "./src/crypto", version = "0.6.10" }
 kanidm_utils_users = { path = "./src/users" }
 walkdir = "2"
 csv = "1.2.2"

src/cli/src/main.rs

@@ -31,7 +31,7 @@ use std::time::Duration;
 include!("./opt/tool.rs");
 
 macro_rules! match_sm_auth_client_response {
-    ($expr:expr, $req:ident, $($pat:pat => $result:expr),*) => {
+    ($expr:expr, $req:ident, $hello_pin_min_length:ident, $($pat:pat => $result:expr),*) => {
         match $expr {
             Ok(r) => match r {
                 $($pat => $result),*
@@ -56,7 +56,13 @@ macro_rules! match_sm_auth_client_response {
                     let mut confirm;
                     loop {
                         pin = match prompt_password("New PIN: ") {
-                            Ok(password) => password,
+                            Ok(password) => {
+                                if password.len() < $hello_pin_min_length {
+                                    println!("Chosen pin is too short! {} chars required.", $hello_pin_min_length);
+                                    continue;
+                                }
+                                password
+                            },
                             Err(err) => {
                                 println!("unable to get pin: {:?}", err);
                                 return ExitCode::FAILURE;
@@ -154,10 +160,11 @@ async fn main() -> ExitCode {
                     return ExitCode::FAILURE;
                 }
             };
+            let pin_min_len = cfg.get_hello_pin_min_length();
 
             let mut req = ClientRequest::PamAuthenticateInit(account_id.clone());
             loop {
-                match_sm_auth_client_response!(daemon_client.call_and_wait(&req, timeout), req,
+                match_sm_auth_client_response!(daemon_client.call_and_wait(&req, timeout), req, pin_min_len,
                     ClientResponse::PamAuthenticateStepResponse(PamAuthResponse::Password) => {
                         // Prompt for and get the password
                         let cred = match prompt_password("Password: ") {
@@ -210,7 +217,7 @@ async fn main() -> ExitCode {
                             // will shutdown. This allows the resolver to dynamically extend the
                             // timeout if needed, and removes logic from the front end.
                             match_sm_auth_client_response!(
-                                daemon_client.call_and_wait(&req, timeout), req,
+                                daemon_client.call_and_wait(&req, timeout), req, pin_min_len,
                                 ClientResponse::PamAuthenticateStepResponse(
                                         PamAuthResponse::MFAPollWait,
                                 ) => {

src/common/src/config.rs

@@ -5,11 +5,12 @@ use std::path::PathBuf;
 use tracing::{debug, error};
 
 use crate::constants::{
-    BROKER_APP_ID, CN_NAME_MAPPING, DEFAULT_CACHE_TIMEOUT, DEFAULT_CONFIG_PATH,
-    DEFAULT_CONN_TIMEOUT, DEFAULT_DB_PATH, DEFAULT_HELLO_ENABLED, DEFAULT_HOME_ALIAS,
-    DEFAULT_HOME_ATTR, DEFAULT_HOME_PREFIX, DEFAULT_HSM_PIN_PATH, DEFAULT_ID_ATTR_MAP,
-    DEFAULT_ODC_PROVIDER, DEFAULT_SELINUX, DEFAULT_SFA_FALLBACK_ENABLED, DEFAULT_SHELL,
-    DEFAULT_SOCK_PATH, DEFAULT_TASK_SOCK_PATH, DEFAULT_USE_ETC_SKEL, SERVER_CONFIG_PATH,
+    BROKER_APP_ID, CN_NAME_MAPPING, DEFAULT_AUTHORITY_HOST, DEFAULT_CACHE_TIMEOUT,
+    DEFAULT_CONFIG_PATH, DEFAULT_CONN_TIMEOUT, DEFAULT_DB_PATH, DEFAULT_HELLO_ENABLED,
+    DEFAULT_HELLO_PIN_MIN_LEN, DEFAULT_HOME_ALIAS, DEFAULT_HOME_ATTR, DEFAULT_HOME_PREFIX,
+    DEFAULT_HSM_PIN_PATH, DEFAULT_ID_ATTR_MAP, DEFAULT_ODC_PROVIDER, DEFAULT_SELINUX,
+    DEFAULT_SFA_FALLBACK_ENABLED, DEFAULT_SHELL, DEFAULT_SOCK_PATH, DEFAULT_TASK_SOCK_PATH,
+    DEFAULT_USE_ETC_SKEL, SERVER_CONFIG_PATH,
 };
 use crate::unix_config::{HomeAttr, HsmType};
 use idmap::DEFAULT_IDMAP_RANGE;
@@ -401,6 +402,33 @@ impl HimmelblauConfig {
             CN_NAME_MAPPING,
         )
     }
+
+    pub fn get_hello_pin_min_length(&self) -> usize {
+        match self.config.get("global", "hello_pin_min_length") {
+            Some(val) => match val.parse::<usize>() {
+                Ok(n) => n,
+                Err(_) => {
+                    error!("Failed parsing hello_pin_min_length from config: {}", val);
+                    DEFAULT_HELLO_PIN_MIN_LEN
+                }
+            },
+            None => DEFAULT_HELLO_PIN_MIN_LEN,
+        }
+    }
+
+    pub fn get_authority_host(&self, domain: &str) -> String {
+        match self.config.get(domain, "authority_host") {
+            Some(val) => val,
+            None => {
+                debug!("authority_host unset, using defaults");
+                String::from(DEFAULT_AUTHORITY_HOST)
+            }
+        }
+    }
+
+    pub fn get_tenant_id(&self, domain: &str) -> Option<String> {
+        self.config.get(domain, "tenant_id")
+    }
 }
 
 impl fmt::Debug for HimmelblauConfig {

src/common/src/constants.rs

@@ -26,3 +26,4 @@ pub const DEFAULT_ID_ATTR_MAP: IdAttr = IdAttr::Name;
 pub const BROKER_APP_ID: &str = "29d9ed98-a469-4536-ade2-f981bc1d605e";
 pub const BROKER_CLIENT_IDENT: &str = "38aa3b87-a06d-4817-b275-7a316988d93b";
 pub const CN_NAME_MAPPING: bool = true;
+pub const DEFAULT_HELLO_PIN_MIN_LEN: usize = 6;

src/common/src/idprovider/himmelblau.rs

@@ -5,6 +5,7 @@ use super::interface::{
 use crate::config::split_username;
 use crate::config::HimmelblauConfig;
 use crate::config::IdAttr;
+use crate::constants::DEFAULT_GRAPH;
 use crate::db::KeyStoreTxn;
 use crate::idprovider::interface::tpm;
 use crate::unix_proto::PamAuthRequest;
@@ -92,9 +93,23 @@ impl HimmelblauMultiProvider {
             debug!("Adding provider for domain {}", domain);
             let range = cfg.get_idmap_range(&domain);
             let mut idmap_lk = idmap.write().await;
-            let graph = Graph::new(&cfg.get_odc_provider(&domain), &domain)
-                .await
-                .map_err(|e| anyhow!("{:?}", e))?;
+            let authority_host = cfg.get_authority_host(&domain);
+            let tenant_id = cfg.get_tenant_id(&domain);
+            let graph = match Graph::new(
+                &cfg.get_odc_provider(&domain),
+                &domain,
+                Some(&authority_host),
+                tenant_id.as_deref(),
+                Some(DEFAULT_GRAPH),
+            )
+            .await
+            {
+                Ok(graph) => graph,
+                Err(e) => {
+                    error!("Failed initializing provider: {:?}", e);
+                    continue;
+                }
+            };
             let authority_host = graph.authority_host();
             let tenant_id = graph.tenant_id();
             idmap_lk

src/config/himmelblau.conf.example

@@ -32,6 +32,11 @@
 # when the host is public facing (such as via SSH).
 # enable_hello = true
 #
+# The minimum length of the Hello authentication PIN. This PIN length cannot
+# be less than 6, and cannot exceed 32 characters. These are hard requirements
+# for the encryption algorithm.
+# hello_pin_min_length = 6
+#
 # Whether to permit attempting a SFA (password only) authentication when MFA
 # methods are unavailable. Sometimes this is possible when MFA has yet to be
 # configured. This is disabled by default.

src/glue/src/unix_config.rs

@@ -1,5 +1,7 @@
 use himmelblau_unix_common::config::HimmelblauConfig;
-use himmelblau_unix_common::constants::{DEFAULT_CONN_TIMEOUT, DEFAULT_SOCK_PATH};
+use himmelblau_unix_common::constants::{
+    DEFAULT_CONN_TIMEOUT, DEFAULT_HELLO_PIN_MIN_LEN, DEFAULT_SOCK_PATH,
+};
 use himmelblau_unix_common::unix_passwd::parse_etc_passwd;
 use std::fs::File;
 use std::io::Read;
@@ -9,6 +11,7 @@ pub struct KanidmUnixdConfig {
     pub unix_sock_timeout: u64,
     pub sock_path: String,
     pub cn_name_mapping: bool,
+    pub hello_pin_min_length: usize,
 }
 
 impl KanidmUnixdConfig {
@@ -18,6 +21,7 @@ impl KanidmUnixdConfig {
             sock_path: DEFAULT_SOCK_PATH.to_string(),
             unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
             cn_name_mapping: false,
+            hello_pin_min_length: DEFAULT_HELLO_PIN_MIN_LEN,
         }
     }
 
@@ -28,6 +32,7 @@ impl KanidmUnixdConfig {
             sock_path: config.get_socket_path(),
             unix_sock_timeout: config.get_connection_timeout() * 2,
             cn_name_mapping: config.get_cn_name_mapping(),
+            hello_pin_min_length: config.get_hello_pin_min_length(),
         })
     }
 

src/pam/src/pam/mod.rs

@@ -112,7 +112,7 @@ pub struct PamKanidm;
 pam_hooks!(PamKanidm);
 
 macro_rules! match_sm_auth_client_response {
-    ($expr:expr, $opts:ident, $conv:ident, $req:ident, $authtok:ident, $($pat:pat => $result:expr),*) => {
+    ($expr:expr, $opts:ident, $conv:ident, $req:ident, $authtok:ident, $cfg:ident, $($pat:pat => $result:expr),*) => {
         match $expr {
             Ok(r) => match r {
                 $($pat => $result),*
@@ -147,7 +147,21 @@ macro_rules! match_sm_auth_client_response {
                     loop {
                         pin = match $conv.send(PAM_PROMPT_ECHO_OFF, "New PIN: ") {
                             Ok(password) => match password {
-                                Some(cred) => cred,
+                                Some(cred) => {
+                                    if cred.len() < $cfg.hello_pin_min_length {
+                                        match $conv.send(PAM_TEXT_INFO, &format!("Chosen pin is too short! {} chars required.", $cfg.hello_pin_min_length)) {
+                                            Ok(_) => {}
+                                            Err(err) => {
+                                                if $opts.debug {
+                                                    println!("Message prompt failed");
+                                                }
+                                                return err;
+                                            }
+                                        }
+                                        continue;
+                                    }
+                                    cred
+                                },
                                 None => {
                                     debug!("no pin");
                                     return PamResultCode::PAM_CRED_INSUFFICIENT;
@@ -373,7 +387,7 @@ impl PamHooks for PamKanidm {
         let mut req = ClientRequest::PamAuthenticateInit(account_id);
 
         loop {
-            match_sm_auth_client_response!(daemon_client.call_and_wait(&req, timeout), opts, conv, req, authtok,
+            match_sm_auth_client_response!(daemon_client.call_and_wait(&req, timeout), opts, conv, req, authtok, cfg,
                 ClientResponse::PamAuthenticateStepResponse(PamAuthResponse::Password) => {
                     let mut consume_authtok = None;
                     // Swap the authtok out with a None, so it can only be consumed once.
@@ -468,7 +482,7 @@ impl PamHooks for PamKanidm {
                         // will shutdown. This allows the resolver to dynamically extend the
                         // timeout if needed, and removes logic from the front end.
                         match_sm_auth_client_response!(
-                            daemon_client.call_and_wait(&req, timeout), opts, conv, req, authtok,
+                            daemon_client.call_and_wait(&req, timeout), opts, conv, req, authtok, cfg,
                             ClientResponse::PamAuthenticateStepResponse(
                                     PamAuthResponse::MFAPollWait,
                             ) => {