Add FIDO/U2F support to Duo authentication

[pdecat]

This PR adds support for FIDO/U2F to Duo authentication.

If Duo reports U2F is supported for the user, it is used concurrently to the default authentication method.

It's a rough draft that works but needs cleanup, hence the WIP.
I opened the PR now to get early feedback if possible.

Right now, if Duo reports U2F is supported for the user, only that authentication method is used.

Example usage shown here: #127 (comment)

Tested in USB mode with:

• Yubikey Neo
• Yubikey 5 NFC
• Yubikey 5 Nano

It should support NFC mode too but that is not tested yet.

TODO:

• manage default authentication (call or push) concurrently to U2F
• manage multiple U2F better (right now, each device is tried sequentially)
• cleanup code
• add tests
• add documentation

[venth]

Is it ready to be merged or still it’s a work in progress there?

[pdecat]

Hi @venth, right now it works great for me, but I feel like it could have some more real world testing from others. I've asked some colleagues to give it a go, waiting for their feedback.

Also, there are some improvements I'd like to address like still having the default authentication (call or push) happen in parallel to U2F (that may be really useful if U2F key is e.g. forgotten at home).

Another thing that may be changed could be making fido2 an optional dependency, especially as it is only needed/supported for Duo right now, not for the other providers.

At last, please have a look a the code change and do not hesitate to report any comments or questions you may have. I'll be glad to address them.

Thanks!

PS: I'll be AFK for the next two weeks so I won't be able to work on that before the second half of August.

[pdecat]

Alright, got feedback from co-workers: it works fine on Linux and Windows (native, not WSL as it does not have access USB devices). And I've been using it myself exclusively for two months.

I'm resuming work on this to implement the first two items on the Todo list:

• manage default authentication (call or push) concurrently to U2F
• manage multiple U2F better (right now, each device is tried sequentially)

As those need the ability to perform asynchronous tasks, I'm considering the use of python 3.5 features like async/await.

As python 2.7 is soon EOL (2020-01-01) and python 3.4 is already EOL (2019-03-18); I guess dropping support for those could be acceptable, maybe releasing a new major version of aws-adfs.
If it isn't, I'll look into alternative options, maybe threading.

Update: the fido2 library already relies on threading so I'll go that way, no need to drop support for any python version.

[pdecat]

Support for prompting multiple U2F devices concurrently has been implemented with threading.

With a single USB device:

# rm ~/.aws/adfs_cookies
# aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi
2019-09-19 15:45:02,470 [authenticator authenticator.py:authenticate] [6905-MainProcess] [140102118655808-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw7)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw7)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'

With two USB devices:

# rm ~/.aws/adfs_cookies
# aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi
2019-09-19 15:47:07,604 [authenticator authenticator.py:authenticate] [13535-MainProcess] [139727676925760-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw7)'
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw3)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw3)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'

[pdecat]

Support for triggering default authentication (call or push) concurrently to U2F has been implemented.

With no USB device and answering the default authentication method (push here):

# rm ~/.aws/adfs_cookies
# aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi
2019-09-23 15:48:43,870 [authenticator authenticator.py:authenticate] [14957-MainProcess] [139755917858624-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Sending request for authentication
Waiting for additional authentication
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'

With a single USB device and answering the default authentication method (push here):

2019-09-23 15:50:59,251 [authenticator authenticator.py:authenticate] [23179-MainProcess] [140027943323456-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw3)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'

With a single USB device and touching it, ignoring the default authentication method that also happens:

# rm ~/.aws/adfs_cookies
# aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi
2019-09-23 15:47:41,232 [authenticator authenticator.py:authenticate] [11187-MainProcess] [140135042541376-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw3)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw3)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : '******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::******:role/******'
            * ADFS Server                       : '******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'

With a two USB devices and touching one of them, ignoring the default authentication method that also happens:

# rm ~/.aws/adfs_cookies
# aws-adfs login --env --profile=****** --region=eu-west-1 --adfs-host=****** --ssl-verification --session-duration=14400 --no-sspi
2019-09-23 15:53:29,980 [authenticator authenticator.py:authenticate] [31971-MainProcess] [140592882558784-MainThread] - ERROR: Cannot extract saml assertion. Re-authentication needed?
Sending request for authentication
Waiting for additional authentication
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw7)'
Activate your FIDO U2F authenticator now: 'CtapHidDevice(/dev/hidraw3)'
Got response from FIDO U2F authenticator: 'CtapHidDevice(/dev/hidraw7)'
Going for aws roles

        Prepared ADFS configuration as follows:
            * AWS CLI profile                   : ''******'
            * AWS region                        : 'eu-west-1'
            * Output format                     : 'json'
            * SSL verification of ADFS Server   : 'ENABLED'
            * Selected role_arn                 : 'arn:aws:iam::'******:role/'******'
            * ADFS Server                       : ''******'
            * ADFS Session Duration in seconds  : '28800'
            * Provider ID                       : 'urn:amazon:webservices'
            * S3 Signature Version              : 'None'
            * STS Session Duration in seconds   : '14400'

[pdecat]

Remove WIP from PR title, ready for review.

[pdecat]

This could probably be moved to another flag as this makes it very verbose.

[pdecat]

I can probably go one step further and make it an option to only trigger the default authentification to avoid needless pushes/calls on the phone when no U2F device is plugged.

[venth]

I can probably go one step further and make it an option to only trigger the default authentification to avoid needless pushes/calls on the phone when no U2F device is plugged.

Would be awesome. I think that it could be tackled in a separate PR.

[venth]

released in version 1.18.0

[pdecat]

Thanks @venth!