diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 78e737fb8..9b3881ad6 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -560,6 +560,7 @@ class Config(dict):
 
         'OTP_VALID_WINDOW': 2,
         'OTP_ISSUER_NAME': 'JumpServer',
+        'OTP_DIGEST': 'sha1',
         'EMAIL_SUFFIX': 'example.com',
 
         # Terminal配置
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index 987a98291..d71965563 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -10,6 +10,7 @@ from . import exist_or_default
 # OTP settings
 OTP_ISSUER_NAME = CONFIG.OTP_ISSUER_NAME
 OTP_VALID_WINDOW = CONFIG.OTP_VALID_WINDOW
+OTP_DIGEST = CONFIG.OTP_DIGEST
 
 # Auth LDAP settings
 AUTH_LDAP = CONFIG.AUTH_LDAP
diff --git a/apps/users/utils.py b/apps/users/utils.py
index 292dcc81b..e56c75796 100644
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@@ -7,6 +7,7 @@ import re
 import time
 from contextlib import contextmanager
 from urllib.parse import unquote
+import hashlib
 
 import pyotp
 from django.conf import settings
@@ -18,6 +19,7 @@ from common.utils import reverse, get_object_or_none, ip, safe_next_url
 from .models import User
 
 logger = logging.getLogger('jumpserver.users')
+otp_digest = hashlib.sha256 if settings.OTP_DIGEST == 'sha256' else hashlib.sha1
 
 
 def send_user_created_mail(user):
@@ -69,7 +71,8 @@ def redirect_user_first_login_or_index(request, redirect_field_name):
 def generate_otp_uri(username, otp_secret_key=None, issuer="JumpServer"):
     if otp_secret_key is None:
         otp_secret_key = base64.b32encode(os.urandom(10)).decode('utf-8')
-    totp = pyotp.TOTP(otp_secret_key)
+
+    totp = pyotp.TOTP(otp_secret_key, digest=otp_digest)
     otp_issuer_name = settings.OTP_ISSUER_NAME or issuer
     uri = totp.provisioning_uri(name=username, issuer_name=otp_issuer_name)
     return uri, otp_secret_key
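Review bot: The new `'OTP_DIGEST': 'sha1'` default gives no hint of which values are accepted, and the consumer added in apps/users/utils.py by this same commit treats anything other than the exact string `'sha256'` as SHA-1, so a misspelled or differently-cased value is silently downgraded. A comment beside the default would make the contract visible where operators look for it: `# HMAC digest for TOTP: 'sha1' or 'sha256'; pick before any user enrols, since enrolled authenticators are bound to the algorithm they were provisioned with`. The enclosing Config class continues outside the hunk.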
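Review bot: `otp_digest = hashlib.sha256 if settings.OTP_DIGEST == 'sha256' else hashlib.sha1` fails open: any unrecognised value (`'SHA256'`, `'sha512'`, a typo) quietly selects SHA-1 rather than what the operator configured, and the case-sensitive comparison means an environment value of `SHA256` is not honoured either. An explicit table with a hard failure on unknown names keeps the configuration honest and makes adding another digest a one-entry change; pyotp takes any hashlib constructor here, so `sha512` could be listed if wanted. Django's `ImproperlyConfigured` would be the conventional exception, at the cost of one more import.
```python
_OTP_DIGESTS = {'sha1': hashlib.sha1, 'sha256': hashlib.sha256}
_otp_digest_name = str(settings.OTP_DIGEST or 'sha1').lower()
if _otp_digest_name not in _OTP_DIGESTS:
    raise ValueError('OTP_DIGEST must be one of %s, got %r' % (sorted(_OTP_DIGESTS), settings.OTP_DIGEST))
otp_digest = _OTP_DIGESTS[_otp_digest_name]
```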
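Review bot: The secret is still `os.urandom(10)` (80 bits) while the HMAC digest has just become configurable; RFC 4226 asks for at least 128 bits and RFC 6238 recommends a key as long as the HMAC output (20 bytes for SHA-1, 32 for SHA-256), so the key length should follow the chosen digest: `otp_secret_key = base64.b32encode(os.urandom(otp_digest().digest_size)).decode('utf-8')`. This only affects newly generated secrets; existing ones keep working. Separately, with a non-SHA-1 digest pyotp's provisioning URI carries an `algorithm=` parameter, and authenticator apps that ignore that parameter will produce SHA-1 codes that `check_otp_code` then rejects — worth a sentence in the function's docstring or in the OTP_DIGEST documentation.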
@@ -78,7 +81,8 @@ def generate_otp_uri(username, otp_secret_key=None, issuer="JumpServer"):
 def check_otp_code(otp_secret_key, otp_code):
     if not otp_secret_key or not otp_code:
         return False
-    totp = pyotp.TOTP(otp_secret_key)
+
+    totp = pyotp.TOTP(otp_secret_key, digest=otp_digest)
     otp_valid_window = settings.OTP_VALID_WINDOW or 0
     return totp.verify(otp=otp_code, valid_window=otp_valid_window)
 
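Review bot: `totp = pyotp.TOTP(otp_secret_key, digest=otp_digest)` verifies every stored secret with the process-wide digest, but nothing in this hunk ties a secret to the algorithm it was provisioned with, so flipping OTP_DIGEST after users have enrolled presumably makes all their existing codes fail with nothing more than a `False`. Either persist the digest alongside the secret at enrolment and pass that value here, or at least record the constraint on the new line: `# digest must match the one used when the secret was provisioned (generate_otp_uri); changing OTP_DIGEST invalidates existing enrolments`.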