Weird OTP problem #156

Open
addelovein opened this issue Jan 24, 2024 · 12 comments
addelovein commented Jan 24, 2024

Most likely I'm doing something wrong...

```python
import proxmoxer
username = "user@pve"
passwd = "pass123"
totp=639359
print( username, passwd, totp )
proxmox = proxmoxer.ProxmoxAPI(
                    host="MYHOST",
                    user=username,
                    password=passwd,
                    otp=totp,
                    verify_ssl=True,
                    port=443
                )
print(proxmox.get("cluster/options"))
```

Returns

```
proxmoxer.core.AuthenticationError: Couldn't authenticate user: user@pve to https://MYHOST:443/api2/json/access/ticket
```

If I remove OTP and try a user without TFA... It logs in.
The user that fails can log in directly to proxmox using OTP
The failing user works if I remove TFA from proxmox and OTP here...

Am I missing something? Going a bit crazy here....

@addelovein
Author

```
    proxmox = proxmoxer.ProxmoxAPI(
              ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\core.py", line 210, in __init__
    self._backend = importlib.import_module(f".backends.{backend}", "proxmoxer").Backend(
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\backends\https.py", line 302, in __init__
    self.auth = ProxmoxHTTPAuth(
                ^^^^^^^^^^^^^^^^
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\backends\https.py", line 59, in __init__
    self._get_new_tokens(password=password, otp=otp)
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\backends\https.py", line 77, in _get_new_tokens
    raise AuthenticationError(
proxmoxer.core.AuthenticationError: Couldn't authenticate use
```

@jhollowe
Contributor

jhollowe commented Jan 24, 2024

Please try having the OTP be a **string** rather than an integer. I don't know if that is the issue, but I think it might be

@addelovein
Author

Same issue if I declare totp with totp="292695"

@jhollowe
Contributor

Can you look at the network traffic in your browser and see what data the api2/json/access/ticket request has?

@jhollowe jhollowe added type:bug 🐞 The software does not function as intended backend:https labels Jan 27, 2024
@jhollowe jhollowe self-assigned this Jan 27, 2024
@addelovein
Author

addelovein commented Jan 27, 2024

You mean when I log in to proxmox via browser?

First ticket:

Request

```
username: adde
password: test123
realm: pve
new-format: 1
```

Response

```json
{
    "success": 1,
    "data": {
        "ticket": "PVE:!tfa!{\"totp\"%3Atrue}:***********::JElr2K5oW2*************************BbxjQsa/HvhIfYrfoe*********************ULU57YW1S9pvD417VesGsKWLMLnXllg9CKSO9k*****************lSLEu7OUikT78mZ56JIIMw1IMyUXBV35+TpkR0wyZ0Lb28VpAnsFOABOqd5vZGT1e7N1ZJEx7QEXDBSqH7vhnSu0Qk1CSUQQfgyOy0V/x1GLQqLbj0jF3elamU69KiR*************************g==",
        "username": "adde@pve",
        "NeedTFA": 1,
        "CSRFPreventionToken": "65B4DD50:URrwhOOq+7tWqbOsBW6Xg2EJ3yn24R05XRqV9PpsOTc"
    }
}
```

Second Ticket (The Real Authentication)

Request

```
username: adde@pve
tfa-challenge: PVE:!tfa!{"totp"%3Atrue}:***********::JElr2K5oW2*************************BbxjQsa/HvhIfYrfoe*********************ULU57YW1S9pvD417VesGsKWLMLnXllg9CKSO9k*****************lSLEu7OUikT78mZ56JIIMw1IMyUXBV35+TpkR0wyZ0Lb28VpAnsFOABOqd5vZGT1e7N1ZJEx7QEXDBSqH7vhnSu0Qk1CSUQQfgyOy0V/x1GLQqLbj0jF3elamU69KiR*************************g=="
password: totp:473543
```

Response
Authenticated.....

That should be enough data ;-)

@jhollowe
Contributor

I'm not sure. You might try asking in the proxmox forums how to pass OTP values to the api2/json/access/ticket API endpoint. proxmoxer does not do the two-step OTP process and instead just passes the username, password, and OTP all in one request. This may be no longer supported by the Proxmox auth layer and we may need to adjust the login flow if an OTP value is provided.

@addelovein
Author

It sure is supported, this code works... Just wrote it based off how proxmox itself authenticates its webui...

```python
import sys

import requests

pvehost = "pve.yourdomain.se"
pveport = "8006"
username = "adde"
password = "test123"
realm = "pve"

url = f"https://{pvehost}:{pveport}/api2/json/access/ticket"
headers = {"Content-Type": "application/x-www-form-urlencoded"}

# Step 1: username and password only, with "new-format": 1 as the web UI sends it.
data = {"realm": realm, "username": username, "password": password, "new-format": 1}
print("\nSending Payload: ", data)  # debug output, includes the password
r = requests.post(url, headers=headers, data=data, verify=True)
if r.status_code != 200:
    print("Auth Failed at Step One, cant proceed with OTP")
    sys.exit(1)

# Parse the body as JSON directly; rewriting quote characters could corrupt the ticket.
jsondata = r.json()
print("RESPONSE: ", jsondata["data"])

# With TFA enabled this ticket is only a challenge (it starts with "PVE:!tfa!").
ticket = jsondata["data"]["ticket"]
code = input("\n\tEnter your value: ")

# Step 2: send the challenge back, with the code as "totp:<code>" in the password field.
totp = {"tfa-challenge": ticket, "username": username, "password": f"totp:{code}", "realm": realm}

print("\nSending Payload: ", totp)
r2 = requests.post(url, headers=headers, data=totp, verify=True)

if r2.status_code == 200:
    print("Auth Success: ", r2.json())
else:
    # An error body is not guaranteed to be JSON, so print it raw.
    print("Auth Failed: ", r2.text)
```
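The two-step exchange from the browser capture and the script above, wrapped in one function that serves accounts with and without TFA (an added example, not part of the thread and not proxmoxer's code). The `post` transport and the `make_fake_pve` stand-in are hypothetical, and the fake server's tickets and credentials are constructed so the block runs offline.

```python
TFA_PREFIX = "PVE:!tfa!"  # challenge-ticket prefix seen in the capture above


class TfaRequired(Exception):
    """Password accepted, but the account needs a second factor."""


def login(post, username, realm, password, otp=None):
    """Two-step ticket login. `post` is a hypothetical transport:
    post(form_dict) -> (http_status, json_dict)."""
    status, body = post({"username": username, "realm": realm,
                         "password": password, "new-format": 1})
    if status != 200:
        raise PermissionError("password step rejected")
    data = body["data"]
    # Accounts without TFA get a usable ticket in the first response.
    if not data.get("NeedTFA") and not data["ticket"].startswith(TFA_PREFIX):
        return data
    if otp is None:
        raise TfaRequired(data["username"])
    # Keep the OTP a string: an int would lose leading zeros.
    status, body = post({"username": data["username"],
                         "tfa-challenge": data["ticket"],
                         "password": f"totp:{otp}"})
    if status != 200:
        raise PermissionError("second factor rejected")
    return body["data"]


def make_fake_pve(code):
    """Constructed stand-in for the ticket endpoint (offline demo only)."""
    def post(form):
        if "tfa-challenge" in form:
            ok = (form["tfa-challenge"].startswith(TFA_PREFIX)
                  and form["password"] == f"totp:{code}")
            full = {"ticket": "PVE:adde@pve:FULL", "username": form["username"]}
            return (200, {"data": full}) if ok else (401, {})
        if form["password"] != "test123":
            return 401, {}
        challenge = {"ticket": TFA_PREFIX + '{"totp"%3Atrue}:CHALLENGE',
                     "username": f"{form['username']}@{form['realm']}",
                     "NeedTFA": 1}
        return 200, {"data": challenge}
    return post


if __name__ == "__main__":
    print(login(make_fake_pve("012345"), "adde", "pve", "test123", otp="012345"))
```

Raising `TfaRequired` separately from `PermissionError` lets a caller prompt for the code only after the password step has succeeded, instead of treating every failure as bad credentials.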

@addelovein
Author

No response on this at all?

@jpattWPC

I added #158 to address this on the HTTPS backend. Please let me know if this can be merged into a release.

@jhollowe
Contributor

@addelovein sorry for the slow response, this fell off my radar.

Thanks @jpattWPC for the PR!

I've started a thread in the PVE forums to see if the single request flow is still supported or if this needs to move to the two-step flow:
https://forum.proxmox.com/threads/single-post-auth-with-otp-no-longer-supported.141830/

@addelovein
Author

I posted a working example...

@jpattWPC

jpattWPC commented Mar 24, 2024 via email
