16.2.1.2. Application class¶
These are the applications that can be assigned to machines in privacyIDEA.
An application must be a subclass of privacyidea.lib.applications.base.MachineApplication, the base class documented below.
16.2.1.2.1. Base class¶
- class privacyidea.lib.applications.base.MachineApplication[source]¶
- allow_bulk_call = False¶
- application_name = 'base'¶
If allow_bulk_call is False, the administrator may only retrieve authentication items for the very host from which the request is made.
- privacyidea.lib.applications.base.get_application_types()[source]¶
This function returns a dictionary of application types with the corresponding available attributes.
Example:
{
    "luks": {"options": {"totp": {"slot": {"type": "int"},
                                  "partition": {"type": "str"}}}},
    "ssh": {"options": {"sshkey": {"user": {"type": "str"}}}}
}
- Returns:
dictionary describing the applications
- Return type:
dict
- privacyidea.lib.applications.base.get_auth_item(application, token_type, serial, challenge=None, options=None, filter_param=None, user_agent=None)[source]¶
- privacyidea.lib.applications.base.get_machine_application_class_dict()[source]¶
get a dictionary of the application classes with the type as the key.
Example:
{
    "base": <class 'privacyidea.lib.applications.base.MachineApplication'>,
    "luks": <class 'privacyidea.lib.applications.luks.MachineApplication'>
}
- Returns:
Dictionary of application classes
- Return type:
dict
16.2.1.2.2. LUKS module¶
- class privacyidea.lib.applications.luks.MachineApplication[source]¶
This is the application for LUKS.
- required options:
slot, partition
- application_name = 'luks'¶
If allow_bulk_call is False, the administrator may only retrieve authentication items for the very host from which the request is made.
- static get_authentication_item(token_type, serial, challenge=None, options=None, filter_param=None, user_agent=None)[source]¶
- Parameters:
token_type – the type of the token. At the moment only YubiKeys are supported, token type “TOTP”.
serial – the serial number of the token. The serial of the challenge-response token needs to start with “UBOM”.
challenge (hex string) – a challenge for which a response is calculated. If none is presented, we create one.
- Return auth_item:
For the YubiKey token type it returns a dictionary with a “challenge” and a “response”.
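The class interface from the base-class section and the LUKS challenge-response item documented here, as an added example that is not privacyIDEA's own code: a stand-in base class with the attributes and static method listed on this page, a LUKS application subclass that computes a YubiKey-style HMAC-SHA1 response over a hex challenge (creating a random one when none is presented), a class registry in the shape of get_machine_application_class_dict(), and a hypothetical fetch_auth_item caller that enforces the allow_bulk_call gate. The constructed token store, the secret b"key" (chosen so the response equals the published HMAC-SHA1 test vector), yubikey_respond, machine_unlock_check, bulk_call_allowed and fetch_auth_item are assumptions of this example, not project APIs.

```python
import hashlib
import hmac
import secrets


class MachineApplication:
    """Stand-in for privacyidea.lib.applications.base.MachineApplication.
    Assumption: same attributes and static method as documented on this page."""
    allow_bulk_call = False
    application_name = "base"

    @staticmethod
    def get_authentication_item(token_type, serial, challenge=None, options=None,
                                filter_param=None, user_agent=None):
        raise NotImplementedError("subclasses return the application-specific auth item")


# Constructed sample store (serial -> HMAC-SHA1 secret); not a privacyIDEA database.
# b"key" is used so the response matches the well-known HMAC-SHA1 test vector;
# a real YubiKey challenge-response slot holds a 20-byte key.
TOKEN_STORE = {
    "UBOM00001234": b"key",
}


def yubikey_respond(secret: bytes, challenge_hex: str) -> str:
    """Simulates the HMAC-SHA1 challenge-response slot of the hardware token."""
    return hmac.new(secret, bytes.fromhex(challenge_hex), hashlib.sha1).hexdigest()


class LuksApplication(MachineApplication):
    """LUKS unlock item. allow_bulk_call stays False: a response is a secret."""
    application_name = "luks"

    @staticmethod
    def get_authentication_item(token_type, serial, challenge=None, options=None,
                                filter_param=None, user_agent=None):
        if token_type != "yubikey" or not serial.startswith("UBOM"):
            raise ValueError("only YubiKey challenge-response tokens (serial UBOM...) are supported")
        if challenge is None:                      # none presented: create a random one
            challenge = secrets.token_hex(32)      # 32 bytes, 64 hex characters
        response = yubikey_respond(TOKEN_STORE[serial], challenge)
        return {"challenge": challenge, "response": response}


def machine_unlock_check(auth_item: dict, presented_response: str) -> bool:
    """What the machine does at unlock time: the token answers the stored challenge and
    the answer is compared in constant time against the stored response."""
    return hmac.compare_digest(auth_item["response"], presented_response)


# Registry keyed by application type, in the shape of get_machine_application_class_dict().
APPLICATIONS = {cls.application_name: cls for cls in (MachineApplication, LuksApplication)}


def get_machine_application_class_dict() -> dict:
    return dict(APPLICATIONS)


def bulk_call_allowed(application: str, requesting_host: str, target_host: str) -> bool:
    """The allow_bulk_call gate: a non-bulk application only serves the host asking for itself."""
    return APPLICATIONS[application].allow_bulk_call or requesting_host == target_host


def fetch_auth_item(application, token_type, serial, requesting_host, target_host, **kwargs):
    """Hypothetical caller (not the page's get_auth_item) that enforces the gate first."""
    if not bulk_call_allowed(application, requesting_host, target_host):
        raise PermissionError("%s items may only be fetched by the target host itself" % application)
    return APPLICATIONS[application].get_authentication_item(token_type, serial, **kwargs)


if __name__ == "__main__":
    item = fetch_auth_item("luks", "yubikey", "UBOM00001234", "host-a", "host-a")
    print(item)
    print(machine_unlock_check(item, yubikey_respond(b"key", item["challenge"])))
```

The response is what unlocks the disk, which is why the LUKS application keeps allow_bulk_call at False; the SSH application below can relax this only because a public key is not a secret.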
16.2.1.2.3. Offline module¶
- class privacyidea.lib.applications.offline.MachineApplication[source]¶
This is the application for Offline authentication with PAM or the privacyIDEA credential provider.
The machine application returns a list of salted OTP hashes to be used with offline authentication. The token is then disabled, so that it can no longer be used for online authentication, to avoid reuse of a phished OTP value.
The server stores the information, which OTP values were issued.
- options:
user: a username.
count: the number of OTP values returned
- application_name = 'offline'¶
If allow_bulk_call is False, the administrator may only retrieve authentication items for the very host from which the request is made.
- static generate_new_refilltoken(token, user_agent=None)[source]¶
Generate a new refill token and store it in the tokeninfo of the token.
- Parameters:
token – token in question
user_agent – name of the machine, taken from the user-agent header
- Returns:
a string
- static get_authentication_item(token_type, serial, challenge=None, options=None, filter_param=None, user_agent=None)[source]¶
- Parameters:
token_type – the type of the token. At the moment we support HOTP and WebAuthn/Passkey tokens.
serial – the serial number of the token.
challenge (basestring) – this can contain the password (otp pin + otp value) so that we can put the OTP PIN into the hashed response.
options – options
filter_param – parameters
user_agent – The user agent of the request
- Return auth_item:
A list of hashed OTP values, or pubKey, rpId and credentialId for a WebAuthn token
- static get_offline_otps(token, otppin, amount, rounds=6549)[source]¶
Retrieve the desired number of passwords (= PIN + OTP), hash them and return them in a dictionary. Increase the token counter.
- Parameters:
token – token in question
otppin – The OTP PIN to prepend in the passwords. The PIN is not validated!
amount – Number of OTP values (non-negative!)
rounds – Number of PBKDF2 rounds
- Returns:
dictionary
- static get_refill(token, password, options=None)[source]¶
Returns new authentication OTPs to refill the client
To do so we also verify the password, which may consist of PIN + OTP.
- Parameters:
token – Token object
password – PIN + OTP
options – dict that might contain “count” and “rounds”
- Returns:
a dictionary of auth items
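The offline flow described in this section (hashed PIN+OTP values issued, the token counter advanced so they cannot succeed online, values consumed on the client, and a refill that verifies the last consumed password and replaces exactly the used values), as an added example that is not privacyIDEA's own code. HOTP follows RFC 4226 and the usage runs it with the RFC's test secret; the HotpToken class, the "pbkdf2-sha512$rounds$salt$hash" string layout, the fixed 6-digit split of PIN and OTP in get_refill, and the client-side offline_verify are assumptions of this example. privacyIDEA's actual hash encoding and PIN splitting are not reproduced here.

```python
import hashlib
import hmac
import os
import struct

ROUNDS = 6549  # PBKDF2 rounds; same default as get_offline_otps on this page


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP for one counter: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """Constructed stand-in for a privacyIDEA HOTP token object (not the project's class)."""

    def __init__(self, serial: str, secret: bytes, counter: int = 0):
        self.serial = serial
        self.secret = secret
        self.counter = counter  # next counter value that has not yet been issued or used


def hash_password(password: str, salt: bytes, rounds: int) -> str:
    """PBKDF2-HMAC-SHA512 over PIN+OTP. The string layout is an assumption of this example."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "pbkdf2-sha512${}${}${}".format(rounds, salt.hex(), dk.hex())


def check_hash(password: str, stored: str) -> bool:
    _alg, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def get_offline_otps(token: HotpToken, otppin: str, amount: int, rounds: int = ROUNDS) -> dict:
    """Server side: hash the next `amount` passwords (PIN + OTP, PIN not validated) and
    advance the counter so the same OTP values can never again succeed online."""
    if amount < 0:
        raise ValueError("amount must be non-negative")
    otps = {}
    for counter in range(token.counter, token.counter + amount):
        password = otppin + hotp(token.secret, counter)
        otps[str(counter)] = hash_password(password, os.urandom(16), rounds)
    token.counter += amount
    return otps


def offline_verify(otps: dict, password: str) -> bool:
    """Client side (PAM / credential provider): accept the password if it matches a stored
    hash, then drop that counter and every lower one so a captured value cannot be replayed."""
    for key in sorted(otps, key=int):
        if check_hash(password, otps[key]):
            used = int(key)
            for k in [k for k in otps if int(k) <= used]:
                del otps[k]
            return True
    return False


def get_refill(token: HotpToken, password: str, options: dict = None) -> dict:
    """Server side: the client presents the last password it consumed. The OTP part is
    checked against the counters previously issued offline; as many fresh hashed values as
    were consumed are returned. Assumption: 6-digit OTP, the PIN is the prefix."""
    options = options or {}
    count = int(options.get("count", 100))
    rounds = int(options.get("rounds", ROUNDS))
    otppin, otpval = password[:-6], password[-6:]
    first_offline = max(token.counter - count, 0)   # lowest counter of the issued batch
    matching = -1
    for c in range(first_offline, token.counter):
        if hmac.compare_digest(hotp(token.secret, c), otpval):
            matching = c
            break
    if matching < 0:
        raise ValueError("wrong OTP value")
    consumed = matching - first_offline + 1          # values the client has used up
    return get_offline_otps(token, otppin, consumed, rounds)


if __name__ == "__main__":
    # RFC 4226 test secret; PIN "1234" is constructed for the example.
    tok = HotpToken("OATH0001", b"12345678901234567890")
    batch = get_offline_otps(tok, "1234", 3)
    print(offline_verify(batch, "1234287082"), sorted(batch))   # True ['2']
    print(sorted(get_refill(tok, "1234287082", {"count": 3})))  # ['3', '4']
```

Two points the code makes explicit: the client must discard lower counters on success, otherwise an attacker who captured an earlier PIN+OTP still has a valid offline login; and the refill window is anchored at the start of the previously issued batch, so the number of replacement values equals the number actually consumed.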
16.2.1.2.4. SSH module¶
This file is tested in tests/test_lib_machinetokens.py
- class privacyidea.lib.applications.ssh.MachineApplication[source]¶
This is the application for SSH.
- Possible options:
user
- allow_bulk_call = True¶
- application_name = 'ssh'¶
As the authentication item (an SSH public key) is not sensitive information, allow_bulk_call is set to True. Thus the admin can fetch all public keys at once to distribute them via salt. FIXME: This is only true for SSH public keys. If OTP over SSH were ever supported, the item might be sensitive information!
- static get_authentication_item(token_type, serial, challenge=None, options=None, filter_param=None, user_agent=None)[source]¶
- Parameters:
token_type – the type of the token. At the moment we support the token type “sshkey”
serial – the serial number of the token.
- Return auth_item:
Return the SSH pub keys.