2stage.c

/* 2stage v0
 * ---
 * Zachary Hamm
 * zsh@imipolexg.org
 *
 * I often have to ssh into systems from untrusted public computers. The
 * possibility of keyloggers makes me nervous (I'm the paranoid sort). I could
 * use an ssh key on a usb drive or somesuch but that's often not an option,
 * (plus, it's a nuisance to carry a precious usb drive around when I've got
 * my passwords all stored up in my noggin). So I use password authentication.
 * But those keyloggers torment me... keep me up at night...
 *
 * Googles two-stage auth  gives me the confidence to read my email at a public
 * computer. I made this so I could have the same confidence when ssh'ing
 * into my servers.
 *
 * Installation (requires libcurl and libreadline):
 *   1. Edit the #defines below for yourself.
 *   2. Build with cc 2stage.c -o 2stage -lcurl -lreadline
 *   3. Move to /bin or some such.
 *   4. Add /bin/2stage to /etc/shells
 *   5. Edit /etc/passwd and set your shell to /bin/2stage
 * And that's it. Try ssh'ing in.
 *
 *
 * TODO: * Make it configurable by each user via a dotfile in the home dir.
 *       * Option to remember trusted hosts for 30 days so you don't
 *      have to do this over and over from your main boxen.
 *       * Add logging of failed passcode attempts.
 *   * Does this break X11 forwarding? Must test.
 *   * Once all that is done, give it a proper autoconf and git host
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>

#include <curl/curl.h>
#include <readline/readline.h>
#include <readline/history.h>

#define MSG "From: %s\r\nTo: %s\r\n\r\nYour two-stage passcode is %d\r\n"

/* Configuration happens here */

/* You */
#define FROM "<zsh@imipolexg.org>"

/* Your SMS gateway or an email address if you don't want to use a phone */
#define TO "<XXXXXXXX@messaging.sprintpcs.com>"

/* Set your preferred shell here */
#define CONCH "/bin/bash"

int executeur(int argc, char **argv);
unsigned int stupid_random(void);
size_t mailbody(void *ptr, size_t size, size_t nitems, void *strm);
int send_passcode(void);

static unsigned int passcode;

int executeur(int argcount, char **argvee)
{
    char **args = (char **)malloc(sizeof(char *) * (argcount + 1));
    int i;

    args[0] = CONCH;
    for(i = 1 ; i < argcount ; i++)
    {
        args[i] = argvee[i];
    }
    args[argcount] = NULL;

    return execv(args[0], args);
}

unsigned int stupid_random(void)
{
    int urandom_fd;
    unsigned int randy = 0;

    urandom_fd = open("/dev/urandom", O_RDONLY);

    /* We want a number between 10^6 and 10^7 so that we get a 6 digit
       number */
    while (!(randy > (1000000 - 1) && randy < (10000000 - 1)))
    {
        /* read 3 bytes intead of 4 to insure less hits over
           the threshold (so we get our random number faster) */
        read(urandom_fd, &randy, sizeof(unsigned int)-1);
    }

    close(urandom_fd);

    return (unsigned int)randy;
}


/* Callback for CURLOPT_READFUNCTION */
size_t mailbody(void *ptr, size_t size, size_t nitems, void *strm)
{
    static unsigned int dirty = 0;
    char *s;
    size_t len = 0;

    if(!dirty)
    {
        /* 6 is the digit length of the ints from stupid_random()
           XXX: we assume malloc succeeds. this is sloppy. */
        s = (char *) malloc(strlen(MSG)+strlen(FROM)+strlen(TO)+6+1);
        passcode = stupid_random();
        sprintf(s, MSG, FROM, TO, passcode);
        len = strlen(s);
        memcpy(ptr, s, len);
        dirty = 1;
        free(s);

        return len;
    }

    return 0;
}

int send_passcode(void)
{
    CURL *curl;
    CURLcode res;
    struct curl_slist *targets = NULL;

    curl = curl_easy_init();
    if (!curl) {
        printf("Something bad happened to curl_easy_init()!");
        return -1;
    }

/*  curl_easy_setopt(curl, CURLOPT_VERBOSE, 1); */

    curl_easy_setopt(curl, CURLOPT_URL, "smtp://localhost");
    targets = curl_slist_append(targets, TO);
    curl_easy_setopt(curl, CURLOPT_MAIL_RCPT, targets);
    curl_easy_setopt(curl, CURLOPT_MAIL_FROM, FROM);

    curl_easy_setopt(curl, CURLOPT_READFUNCTION, mailbody);

    res = curl_easy_perform(curl);
    if(res != 0)
    {
        printf("Something bad happened!\n");
        return -1;
    }

    curl_slist_free_all(targets);
    curl_easy_cleanup(curl);

    return 0;
}

int main(int argc, char *argv[])
{
    char *input;

    printf("2stage! Sending the passcode to your phone.\n");
    if(send_passcode() != 0)
    {
        printf("Oh no! Badness! Try again or contact the admin...");
        return -1;
    }

    input = readline("Passcode sent! Have patience, then enter it: ");
    if(strtol(input, NULL, 10) == passcode)
    {
        printf("%s == %d!\nGood job!\n", input, passcode);
        free(input);
    }
    else
    {
        free(input);
        input = readline("No! Bad job! You get one more try: ");
        if(strtol(input, NULL, 10) == passcode)
        {
            printf("Good job!\n");
        }
        else
        {
            printf("Not this time, bub.\n");
            /* XXX: send textmsg about passcode failure. log it
               as well */
            return -1;
        }

        free(input);
    }

    if(executeur(argc, argv) == -1)
    {
        perror("execv");
        return -1;
    }

    return 0;
}