Adding our Rep Taylor so she can see.

I have both the Admin and the Auth API keys.

Just need some help on making the HMAC SH1 string and then basic authentication.

i.e. It would be nice to this broken into more steps

https://duo.com/docs/authapi#api-details

Maybe try not concatenating the request with that newline character?

Like instead of:

REQ="$NOW\nGET\n$API\n$URL\n"

Try:

REQ="$NOW
GET
$API
$URL
"

When I try what you have posted here I get actual \n in the request (I am on a Mac though right now).

ETA: I saw a StackOverflow post tagged with Linux and bash where someone noted that \n was inserting whitespace, which would also throw off the signature.

It did not work for me.ANyone had any shell script that worked for the Duo Admin API

I haven’t got it working with Bash either. But I did have someone get it working in Python, but I can’t use that.

The support shown for this kind of stuff here is…

They provide some simple PoC code based on unit tests and from there on, you’re on your own. No functional-ready-to-copy-paste code that you can use.

I managed to build a wrapper shell script against the nodejs module they provide, so I have, so far (I’m just adding commands as we need them):

Anyway it should be easy (I think) too for python wrapping a shell script against this basic command structure:

python -m duo_client.client --ikey nnn --skey nnn --host nnn --path /admin/blah/blah limit=200 --method GET/POST/DELETE

(I don’t know how you specify the parameters there sorry, maybe just in the way the “limit” is specified above).

Regards.

I know this is a fairly old thread, but it was the hint I needed to figure out how to use bash to successfully make requests via curl so here goes.

Personal note: I didn’t have much luck with the var=$(command) notation for executing and capturing output to variables. So I used var=`command` notation instead. May be my system or that I am just dense and missing something so take that with a grain of sand.

So here is what I had to change to get this working from a bash script
1> You are not including a blank line in your request where parameters would go if you had any.
2> I used the ${var} notation to make sure that bash didn’t have any ambiguity issues when building strings from variables
3> Lastly you didn’t need to base64 encode the auth string, using --basic with -u ikey:hmac curl will take care of the encoding

So here is my example bash code to talk to the admin api

#!/usr/bin/bash
type='Content-Type: application/x-www-form-urlencoded'
now=`/usr/bin/date -R`
method="GET"
ikey='####################'
skey='########################################'
host='■■■■■■■■■■■■■■■■■■■■■■■■■■■■'
path='/admin/v1/users'
params=''
req="${now}
${method}
${host}
${path}
${params}"
hmac=`/usr/bin/echo -n "${req}" | /usr/bin/openssl sha1 -hmac ${skey} | /usr/bin/cut -d" " -f 2`

/usr/bin/curl -s -H "Date: ${now}" -H "${type}" -u "${ikey}:${hmac}" --basic https://${host}${path}

Just in case anyone is looking for examples of using the api to post updates. Here is the snippet I added to the system setup script I use for building new VMs. It does assume that there is a pam_duo.conf.skel file in the same location as the setup script.

## ------------------- DUO MFA ------------------- ##
## use duo api to generate host specific 'app' for use in setting up pam_duo
## gather timestamp and host for header and request body
myhost=`hostname -s`
duonow=`/usr/bin/date -R`
## set content type header and http method
duoctype="Content-Type: application/x-www-form-urlencoded"
duomethod="POST"

## set vars for message signing, authentication, host, and path  obtained from duo
## should really be pulled from a secure repository of some sort
duoikey="####################"
duoskey="########################################"
duohost="■■■■■■■■■■■■■■■■■■■■■■■■■■■■"
duopath="/admin/v1/integrations"

## build params string
duoparams="groups_allowed=####################&name=${myhost}&type=unix&username_normalization_policy=Simple"

## build request for generating hmac sig
duoreq="${duonow}
${duomethod}
${duohost}
${duopath}
${duoparams}"

## generate sig for auth
duohmac=`/usr/bin/echo -n "${duoreq}" | /usr/bin/openssl sha1 -hmac ${duoskey} | /usr/bin/cut -d" " -f 2`

## make call and capture json response
duoresponse=`/usr/bin/curl -s -H "Date: ${duonow}" -H "${duoctype}" -u "${duoikey}:${duohmac}" -X POST --basic https://${duohost}${duopath}?${duoparams}`

## capture new ikey and skey
ikey=`/usr/bin/echo ${duoresponse} | /usr/bin/jq -j '.response.integration_key'`
skey=`/usr/bin/echo ${duoresponse} | /usr/bin/jq -j '.response.secret_key'`

## set up /etc/duo/pam_duo.conf
/usr/bin/cp ./pam_duo.conf.skel /etc/duo/pam_duo.conf
/usr/bin/sed -i "s/.*ikey.*/ikey = ${ikey}/" /etc/duo/pam_duo.conf
/usr/bin/sed -i "s/.*skey.*/skey = ${skey}/" /etc/duo/pam_duo.conf
/usr/bin/sed -i "s/.*host.*/host = ${duohost}/" /etc/duo/pam_duo.conf
/usr/bin/echo -e '/etc/duo/pam_duo.conf configured'