Import ports/sysytils/login_duo. "reads good to me" landry@

login_duo provides two-factor authentication for Unix systems. When integrated with sshd(8) a challenge is sent to the users cell phone before access is granted.
2014-09-08 22:42:03 +00:00 · 2014-09-08 22:42:03 +00:00 · 62022fb943
commit 62022fb943
parent 86997b2be7
6 changed files with 156 additions and 0 deletions
--- a/sysutils/login_duo/Makefile
+++ b/sysutils/login_duo/Makefile
@ -0,0 +1,40 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2014/09/08 22:42:03 jturner Exp $
+
+COMMENT =		two-factor authentication for unix systems
+
+V =			1.9.11
+PKGNAME =		login_duo-${V}
+DISTNAME =		duo_unix-${V}
+CATEGORIES =		sysutils
+
+SHARED_LIBS =		duo 0.0 # 3.0
+
+MAINTAINER =		James Turner <james@calminferno.net>
+
+HOMEPAGE =		https://www.duosecurity.com/docs/duounix
+MASTER_SITES =		https://dl.duosecurity.com/
+
+# GPLv2
+PERMIT_PACKAGE_CDROM =	Yes
+
+MODULES =		lang/python
+
+WANTLIB =		c crypto ssl
+
+CONFIGURE_STYLE =	gnu
+CONFIGURE_ARGS =	--without-pam
+
+FAKE_FLAGS =		docdir="${PREFIX}/share/doc/login_duo" \
+			sbindir="${PREFIX}/libexec/auth" \
+			sysconfdir="${PREFIX}/share/examples/login_duo"
+
+# login_duo needs to be set up and running for tests to pass
+TEST_IS_INTERACTIVE =	Yes
+
+TEST_DEPENDS =		${MODPY_RUN_DEPENDS}
+
+pre-configure:
+	${SUBST_CMD} ${WRKSRC}/login_duo/login_duo.8
+	perl -pi -e 's,/usr/bin/env python,${MODPY_BIN},' ${WRKSRC}/tests/*.py
+
+.include <bsd.port.mk>
--- a/sysutils/login_duo/distinfo
+++ b/sysutils/login_duo/distinfo
@ -0,0 +1,2 @@
+SHA256 (duo_unix-1.9.11.tar.gz) = 9cmkTBeXJ+koSDfWwAmwefXu+6XyQaWjeuH/X/9Whxw=
+SIZE (duo_unix-1.9.11.tar.gz) = 463086
--- a/sysutils/login_duo/patches/patch-login_duo_login_duo_8
+++ b/sysutils/login_duo/patches/patch-login_duo_login_duo_8
@ -0,0 +1,42 @@
+$OpenBSD: patch-login_duo_login_duo_8,v 1.1.1.1 2014/09/08 22:42:03 jturner Exp $
+--- login_duo/login_duo.8.orig	Thu Aug 28 10:02:36 2014
+++ login_duo/login_duo.8	Thu Aug 28 10:04:47 2014
+@@ -20,7 +20,7 @@ The following options are available:
+ .Bl -tag -width ".Cm failmode"
+ .It Fl c
+ Specify an alternate configuration file to load. Default is
+-.Pa /etc/duo/login_duo.conf
+.Pa ${SYSCONFDIR}/login_duo.conf
+ .It Fl d
+ Debug mode; send logs to stderr instead of syslog.
+ .It Fl h
+@@ -142,7 +142,7 @@ in 
+ to capture any SSH remote login (including subsystems, remote
+ commands, and interactive login):
+ .Bd -literal -offset 8n
+-ForceCommand /usr/local/sbin/login_duo
+ForceCommand ${LOCALBASE}/libexec/auth/login_duo
+ .Ed
+ .Pp
+ Similarly, a group of administrators could require two-factor
+@@ -152,9 +152,9 @@ as the forced command for each public key in
+ .Pa ~root/.ssh/authorized_keys :
+ .Pp
+ .Bd -literal -offset 8n
+-command="/usr/local/sbin/login_duo \-f alice"
+command="${LOCALBASE}/libexec/auth/login_duo \-f alice"
+ ssh-rsa AAAAB2...19Q== alice@example.net
+-command="/usr/local/sbin/login_duo \-f bob"
+command="${LOCALBASE}/libexec/auth/login_duo \-f bob"
+ ssh-dss AAAAC3...51R== bob@example.net
+ .Ed
+ .Pp
+@@ -165,7 +165,7 @@ forced command mechanism and a user-installed (non-set
+ .Nm .
+ .Sh FILES
+ .Bl -tag -width ".Cm failmode"
+-.It Pa /etc/duo/login_duo.conf
+.It Pa ${SYSCONFDIR}/login_duo.conf
+ Default configuration file path
+ .El
+ .Sh AUTHORS
--- a/sysutils/login_duo/pkg/DESCR
+++ b/sysutils/login_duo/pkg/DESCR
@ -0,0 +1,3 @@
+login_duo provides two-factor authentication for Unix systems. When
+integrated with sshd(8) a challenge is sent to the users cell phone
+before access is granted.
--- a/sysutils/login_duo/pkg/PLIST
+++ b/sysutils/login_duo/pkg/PLIST
@ -0,0 +1,32 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2014/09/08 22:42:03 jturner Exp $
+include/duo.h
+include/util.h
+lib/libduo.a
+lib/libduo.la
+@lib lib/libduo.so.${LIBduo_VERSION}
+lib/pkgconfig/libduo.pc
+@group auth
+libexec/auth/
+@mode 4755
+@owner root
+@bin libexec/auth/login_duo
+@mode
+@owner
+@group
+@man man/man3/duo.3
+@man man/man8/login_duo.8
+share/doc/login_duo/
+share/doc/login_duo/AUTHORS
+share/doc/login_duo/CHANGES
+share/doc/login_duo/LICENSE
+share/doc/login_duo/README
+share/doc/pkg-readmes/${FULLPKGNAME}
+share/examples/login_duo/
+@mode 0444
+@owner root
+@group bin
+share/examples/login_duo/login_duo.conf
+@mode 0600
+@owner sshd
+@group wheel
+@sample ${SYSCONFDIR}/login_duo.conf
--- a/sysutils/login_duo/pkg/README
+++ b/sysutils/login_duo/pkg/README
@ -0,0 +1,37 @@
+$OpenBSD: README,v 1.1.1.1 2014/09/08 22:42:03 jturner Exp $
+
+-----------------------------------------------------------------------
+| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------
+
+First steps
+===========
+In order to use Duo Unix for two-factor authentication you have to first
+sign up for an account if you don't already have one.
+https://signup.duosecurity.com/
+
+Then create a new UNIX Integration to get an integration key, secret
+key, and API hostname. (See:
+https://www.duosecurity.com/docs/getting_started)
+
+Once you have this information, edit ${SYSCONFDIR}/login_duo.conf to
+match your keys.
+
+Test login_duo
+==============
+As a regular user, run ${LOCALBASE}/libexec/auth/login_duo. You should
+be provided with an enrollment link. Enroll your phone then run
+${LOCALBASE}/libexec/auth/login_duo again. Once you provide a valid pass
+code you should get a SUCCESS message.
+
+Enable SSH two-factor authentication
+====================================
+To enable two-factor authentication add
+
+ForceCommand ${LOCALBASE}/libexec/auth/login_duo
+
+to your ${SYSCONFDIR}/ssh/sshd_config. Duo Security recommends disabling
+PermitTunnel and AllowTcpForwarding when using two-factor
+authentication.
+
+When finished, restart sshd.