mod_auth_internal_yubikey/mod_auth_internal_yubikey.lua
changeset 1343 7dbde05b48a9
parent 902 490cb9161c81
1342:0ae065453dc9 1343:7dbde05b48a9
   108 			return usermanager.test_password(username, realm, password), true;
   108 			return usermanager.test_password(username, realm, password), true;
   109 		end
   109 		end
   110 	};
   110 	};
   111 	return new_sasl(realm, getpass_authentication_profile);
   111 	return new_sasl(realm, getpass_authentication_profile);
   112 end
   112 end
   113 	
   113 
   114 module:provides("auth", provider);
   114 module:provides("auth", provider);
   115 
   115 
   116 function module.command(arg)
   116 function module.command(arg)
   117 	local command = arg[1];
   117 	local command = arg[1];
   118 	table.remove(arg, 1);
   118 	table.remove(arg, 1);
   120 		local user_jid = arg[1];
   120 		local user_jid = arg[1];
   121 		if not user_jid or user_jid == "help" then
   121 		if not user_jid or user_jid == "help" then
   122 			prosodyctl.show_usage([[mod_auth_internal_yubikey associate JID]], [[Set the Yubikey details for a user]]);
   122 			prosodyctl.show_usage([[mod_auth_internal_yubikey associate JID]], [[Set the Yubikey details for a user]]);
   123 			return 1;
   123 			return 1;
   124 		end
   124 		end
   125 		
   125 
   126 		local username, host = jid.prepped_split(user_jid);
   126 		local username, host = jid.prepped_split(user_jid);
   127 		if not username or not host then
   127 		if not username or not host then
   128 			print("Invalid JID: "..user_jid);
   128 			print("Invalid JID: "..user_jid);
   129 			return 1;
   129 			return 1;
   130 		end
   130 		end
   131 		
   131 
   132 		local password, public_id, private_id, key;
   132 		local password, public_id, private_id, key;
   133 		
   133 
   134 		for i=2,#arg do
   134 		for i=2,#arg do
   135 			local k, v = arg[i]:match("^%-%-(%w+)=(.*)$");
   135 			local k, v = arg[i]:match("^%-%-(%w+)=(.*)$");
   136 			if not k then
   136 			if not k then
   137 				k, v = arg[i]:match("^%-(%w)(.*)$");
   137 				k, v = arg[i]:match("^%-(%w)(.*)$");
   138 			end
   138 			end
   144 				private_id = v;
   144 				private_id = v;
   145 			elseif k == "key" or k == "a" then
   145 			elseif k == "key" or k == "a" then
   146 				key = v;
   146 				key = v;
   147 			end
   147 			end
   148 		end
   148 		end
   149 		
   149 
   150 		if not password then
   150 		if not password then
   151 			print(":: Password ::");
   151 			print(":: Password ::");
   152 			print("This is an optional password that should be always");
   152 			print("This is an optional password that should be always");
   153 			print("entered during login *before* the yubikey password.");
   153 			print("entered during login *before* the yubikey password.");
   154 			print("If the yubikey is lost/stolen, unless the attacker");
   154 			print("If the yubikey is lost/stolen, unless the attacker");
   158 			if not password then
   158 			if not password then
   159 				print("Cancelled.");
   159 				print("Cancelled.");
   160 				return 1;
   160 				return 1;
   161 			end
   161 			end
   162 		end
   162 		end
   163 		
   163 
   164 		if not public_id then	
   164 		if not public_id then
   165 			print(":: Public Yubikey ID ::");
   165 			print(":: Public Yubikey ID ::");
   166 			print("This is a fixed string of characters between 0 and 16");
   166 			print("This is a fixed string of characters between 0 and 16");
   167 			print("bytes long that the Yubikey prefixes to every token.");
   167 			print("bytes long that the Yubikey prefixes to every token.");
   168 			print("The ID should be entered in modhex encoding, meaning ");
   168 			print("The ID should be entered in modhex encoding, meaning ");
   169 			print("a string up to 32 characters. This *must* match");
   169 			print("a string up to 32 characters. This *must* match");
   179 				else
   179 				else
   180 					break;
   180 					break;
   181 				end
   181 				end
   182 			end
   182 			end
   183 		end
   183 		end
   184 		
   184 
   185 		if not private_id then
   185 		if not private_id then
   186 			print(":: Private Yubikey ID ::");
   186 			print(":: Private Yubikey ID ::");
   187 			print("This is a fixed secret UID programmed into the yubikey");
   187 			print("This is a fixed secret UID programmed into the yubikey");
   188 			print("during configuration. It must be entered in hex (not modhex)");
   188 			print("during configuration. It must be entered in hex (not modhex)");
   189 			print("encoding. It is always 6 bytes long, which is 12 characters");
   189 			print("encoding. It is always 6 bytes long, which is 12 characters");
   198 					print("The key contains invalid characters - it must be in hex encoding (not modhex). Please try again.");
   198 					print("The key contains invalid characters - it must be in hex encoding (not modhex). Please try again.");
   199 				else
   199 				else
   200 					break;
   200 					break;
   201 				end
   201 				end
   202 			end
   202 			end
   203 		end			
   203 		end
   204 		
   204 
   205 		if not key then
   205 		if not key then
   206 			print(":: AES Encryption Key ::");
   206 			print(":: AES Encryption Key ::");
   207 			print("This is the secret key that the Yubikey uses to encrypt the");
   207 			print("This is the secret key that the Yubikey uses to encrypt the");
   208 			print("generated tokens. It is 32 characters in hex encoding.");
   208 			print("generated tokens. It is 32 characters in hex encoding.");
   209 			print("");
   209 			print("");
   217 				else
   217 				else
   218 					break;
   218 					break;
   219 				end
   219 				end
   220 			end
   220 			end
   221 		end
   221 		end
   222 		
   222 
   223 		local hash = hashes.sha1(public_id..private_id..password, true);
   223 		local hash = hashes.sha1(public_id..private_id..password, true);
   224 		local account = {
   224 		local account = {
   225 			yubikey_hash = hash;
   225 			yubikey_hash = hash;
   226 			yubikey_key = key;
   226 			yubikey_key = key;
   227 		};
   227 		};