thycotic-ps / thycotic.secretserver

PowerShell module for automating with Thycotic Secret Server REST API
https://thycotic-ps.github.io/thycotic.secretserver
MIT License

Add support for OTP to New-TssSession #130

Closed hawleyOSU closed 3 years ago

hawleyOSU commented 3 years ago

Describe the bug Users with MFA enabled, specifically Duo, cannot authenticate with new-session, and receive an invalid Duo Pin code error.

To Reproduce Steps to reproduce the behavior:

  1. PowerShell script:
 $ses = new-tsssession -SecretServer $url -Credential $cred
  2. Error/issue observed:
Exception: C:\Program Files\WindowsPowerShell\Modules\Thycotic.SecretServer\functions\New-Session.ps1:138:25
Line |
 138 |                          throw $err
     |                          ~~~~~~~~~~
     | {"error":"Invalid Duo pin code."}

Expected behavior User should be able to provide an OTP pin or the string "push" as a parameter to new-tsssession. This value should be passed to Invoke-RestApi as $invokeParams.Header. Including $Headers = @{"OTP" = $OTP} in the header of the oauth2 request will cause Secret Server to issue the request for a push or validate the string as a user OTP.

Environment (please complete the following information):

Secret Server Build/Version: 10.9.0000035

PowerShell version

Name                           Value
----                           -----
PSVersion                      7.1.3
PSEdition                      Core
GitCommitId                    7.1.3
OS                             Microsoft Windows 10.0.18363
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
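
The token request the report describes, written here as an added stand-alone example (it is not the module's code and not part of the issue). It assumes the OAuth2 endpoint is `<SecretServer>/oauth2/token` with a password grant returning the usual `access_token`, `token_type` and `expires_in` fields, and sends the OTP value in an `OTP` header exactly as described above; the function and parameter names are illustrative.

```powershell
# Added example: obtain an OAuth2 token from Secret Server, optionally sending
# an OTP header for MFA users (a Duo pin or the literal string "push", as the
# issue describes). Not the module's own code; names below are illustrative.
function Get-SsAccessToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SecretServer,   # e.g. https://vault.example.com/SecretServer
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Otp                                     # "123456" or "push"; omit for non-MFA users
    )

    $uri  = "$($SecretServer.TrimEnd('/'))/oauth2/token"
    $body = @{
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
        grant_type = 'password'
    }

    # Only add the header when a value was supplied, so non-MFA users send no OTP header at all.
    $headers = @{}
    if ($Otp) { $headers['OTP'] = $Otp }

    try {
        $resp = Invoke-RestMethod -Method Post -Uri $uri -Body $body -Headers $headers -ErrorAction Stop
    } catch {
        # Surface the server's JSON error body (e.g. {"error":"Invalid Duo pin code."})
        # rather than a bare exception, so the MFA failure is visible to the caller.
        $detail = $_.ErrorDetails.Message
        throw "Token request to $uri failed: $detail"
    }

    if (-not $resp.access_token) { throw "No access_token in response from $uri" }

    # The caller presents this as: Authorization: Bearer <AccessToken>
    [pscustomobject]@{
        AccessToken = $resp.access_token
        TokenType   = $resp.token_type
        ExpiresAt   = (Get-Date).AddSeconds([int]$resp.expires_in)
    }
}

# Usage (all values are placeholders):
# $cred = Get-Credential
# $tok  = Get-SsAccessToken -SecretServer 'https://vault.example.com/SecretServer' -Credential $cred -Otp 'push'
# Invoke-RestMethod -Uri 'https://vault.example.com/SecretServer/api/v1/secrets/123' `
#     -Headers @{ Authorization = "Bearer $($tok.AccessToken)" }
```

With `-Otp 'push'` the call blocks until the Duo push is approved or rejected; with no `-Otp` an MFA-enrolled user gets the same "Invalid Duo pin code." error shown in the report.
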
wsmelton commented 3 years ago

OTP support has not been added to the module as of yet.

hawleyOSU commented 3 years ago

It’s not TOTP, it’s Duo HOTP or Push, that’s missing. Any user with Duo cannot use the module. If you want to contact me feel free. I looked at the code and it just needs to include the OTP in the token request’s header. I looked at the code and can even show you working code for this. Unfortunately at this time my employer does not allow me to share IP.

Feel free to reclassify this as a feature request if necessary, but until it supports MFA, users with Duo cannot use the module.

Andy Hawley


wsmelton commented 3 years ago

If users want to add a 👍🏻 to your request and a sufficient amount show interest in the need to support it then it can be moved up in priority.

I'm not aware of many using the module for interactive sessions at this time.