def auth(user, password):
class AuthConv:
def __init__(self, password):
self.password = password
def __call__(self, auth, query_list, userData):
resp = []
for query, qt in query_list:
if qt == PAM.PAM_PROMPT_ECHO_ON:
resp.append((self.password, 0))
elif qt == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((self.password, 0))
elif qt == PAM.PAM_PROMPT_ERROR_MSG or type == PAM.PAM_PROMPT_TEXT_INFO:
print query
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
auth.start("passwd")
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, AuthConv(password))
try:
auth.authenticate()
auth.acct_mgmt()
return True
except PAM.error, resp:
if resp[1] == 9:
print "error: TcosPAM error in pam connection. Are you root?"
else:
print "error: TcosPAM user:%s error:%s" % (user, resp)
return False
def handle_user_login(request):
'''
The request argument is an instance of class tornado.web.RequestHandler.
This function authenticates the username and password contained in the
request.
The request is expected to contain values for "username" and "password".
This function returns True if the authentication succeeds else returns
False.
'''
global val
service = 'rest'
auth = PAM.pam()
auth.start(service)
user = request.get_argument("username")
val = request.get_argument("password")
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
except:
return False
else:
request.set_secure_cookie("user",
request.get_argument("username"),
expires_days=EXPIRES_DAYS,
secure=True)
return True
def _auth(result):
def _pam_conv(auth, query_list, userData=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG:
cherrypy.log.error_log.error(
f'PAM authenticate prompt error: {query}')
resp.append(('', 0))
elif qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
result.value = 0
except PAM.error as e:
result.value = e.args[1]
def _auth(result):
def _pam_conv(auth, query_list, userData=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG:
cherrypy.log.error_log.error(
"PAM authenticate prompt error: %s" % query)
resp.append(('', 0))
elif qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
result.value = 0
except PAM.error, (resp, code):
result.value = code
def authenticate(self, environ, identity):
try:
login = identity['login']
password = identity['password']
except KeyError:
return None
def pam_conv(auth, query_list, userData):
resp = []
for i in range(len(query_list)):
query, type = query_list[i]
if type == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
else:
return None
return resp
auth = PAM.pam()
auth.start(self.service)
auth.set_item(PAM.PAM_USER, login)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error, resp:
return None
def __init__(self, pam_service='python-auth_krb5'):
self.pam = PAM.pam()
if not os.path.exists("/etc/pam.d/" + pam_service):
logger.warn("%s might not be a valid pam service!", pam_service)
self.pam_service = pam_service
self.debugPrintPassword = False
self.error = ''
def PAM_authenticate(username, password):
def _pam_conv(auth, query_list):
resp = []
for query, q_type in query_list:
if q_type in [PAM.PAM_PROMPT_ECHO_ON, PAM.PAM_PROMPT_ECHO_OFF]:
resp.append((password, 0))
elif q_type in [PAM.PAM_PROMPT_ERROR_MSG,
PAM.PAM_PROMPT_TEXT_INFO]:
resp.append(('', 0))
return resp
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error:
raise AssertionError('Invalid user / password')
return True
def is_authorized(self, username, password):
"""
Returns true is a user is authorised via PAM.
Note: We use the 'login' PAM stack rather than inventing our own.
"""
pam_auth = PAM.pam()
pam_auth.start('login')
pam_auth.set_item(PAM.PAM_USER, username)
pam_auth.set_item(PAM.PAM_TTY, 'console')
def _pam_conv(auth, query_list, user_data=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
else:
return None
return resp
pam_auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
pam_auth.authenticate()
pam_auth.acct_mgmt()
except Exception, e:
print 'Error with PAM: %s' % e
return False
def _on_current_password_changed(self, widget, event):
self.infobar.hide()
if self.current_password.get_text() != "":
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, GLib.get_user_name())
auth.set_item(PAM.PAM_CONV, self.pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error as resp:
self.current_password.set_icon_from_stock(
Gtk.EntryIconPosition.SECONDARY, Gtk.STOCK_DIALOG_WARNING)
self.current_password.set_icon_tooltip_text(
Gtk.EntryIconPosition.SECONDARY, _("Wrong password"))
self.current_password.set_tooltip_text(_("Wrong password"))
self.correct_current_password = False
except:
print('Internal error')
else:
self.current_password.set_icon_from_stock(
Gtk.EntryIconPosition.SECONDARY, None)
self.current_password.set_tooltip_text("")
self.correct_current_password = True
self.check_passwords()
def checkAuthentication(user, password): """ Test authentication in linux :param shadowPwdDb: Shadow password database entry for the user :type shadowPwdDb: spwd :param password: Account password to test :type password: str """ def pam_conv(auth, queryList, userData): resp = [] resp.append( (password, 0)) return resp service = 'passwd' auth = PAM.pam() auth.start(service) auth.set_item(PAM.PAM_USER, user) auth.set_item(PAM.PAM_CONV, pam_conv) try: auth.authenticate() auth.acct_mgmt() except PAM.error, resp: return False
def authenticate(username, password, service="passwd"):
'''Returns True if authenticate is OK via PAM.'''
def _pam_conv(auth, query_list, userData=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG:
cherrypy.log.error_log.error("PAM authenticate prompt error "
"message: %s" % query)
resp.append(('', 0))
elif qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
except PAM.error:
raise
return True
def chk_pwd(self, pwd):
user = os.getenv('USER')
if pwd == None:
return False
if PAM_LIB:
def pam_conv(a, q, d):
return [(pwd, 0)]
auth = PAM.pam()
auth.start("passwd")
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except:
return False
else:
return True
else:
auth = pam.pam()
return auth.authenticate(user, pwd)
def login(self,user,passwd,ok):
def pam_conv(aut, query_list, user_data):
resp = []
for item in query_list:
query, qtype = item
# If PAM asks for an input, give the password
if qtype == PAM.PAM_PROMPT_ECHO_ON or qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((str(passwd), 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG or qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
return resp
auth = PAM.pam()
auth.start('login')
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, pam_conv)
#if user == 'root' and passwd == 'raspberry':
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error,resp:
raise cherrypy.HTTPRedirect('/?errMsg=Invalid%20credentials')
def startSession(self, signature, nonceid, cli_key, pboxid, salt, passwd):
if pboxid in self.active_sessions.keys():
self.killSession(pboxid)
ret = False
if int(nonceid) < 0:
pwd = self.server.decryptData(passwd)
(pwd_hash, s) = self.server.genHash(pwd, salt)
# PAM conversation
def pam_conv(auth, query_list, userData):
resp = []
for i in range(len(query_list)):
query, type = query_list[i]
if query == 'Original:':
resp.append(('', 0))
elif query == 'Signature:':
resp.append(('', 0))
else:
resp.append((pwd_hash, 0))
return resp
auth = PAM.pam()
auth.start('myservice')
auth.set_item(PAM.PAM_USER, str(pboxid))
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
except PAM.error, resp:
print 'AUTH FAIL (%s)' % resp
except:
def login(username,password):
"""fonction qui renvoit true si l'on s'est bien connecte
en domainadmins
"""
def pam_conv(auth, query_list, userData):
#pam password authentification utility
resp = []
for i in range(len(query_list)):
query, type = query_list[i]
#print query, type
if type == PAM.PAM_PROMPT_ECHO_ON or type == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
elif type == PAM.PAM_PROMPT_ERROR_MSG or type == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
auth.start('WPKGjs')
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, pam_conv)
if not 'DomainAdmins' in [g.gr_name for g in grp.getgrall() if username in g.gr_mem]:
return False
try:
#print "auth.authenticate()"
auth.authenticate()
auth.acct_mgmt()
print "auth.authenticate"
return True
except PAM.error, resp:
print 'Go away! (%s)' % resp
return False
def handle_user_login(request):
'''
The request argument is an instance of class tornado.web.RequestHandler.
This function authenticates the username and password contained in the
request.
The request is expected to contain values for "username" and "password".
This function returns True if the authentication succeeds else returns
False.
'''
global val
service = 'rest'
auth = PAM.pam()
auth.start(service)
user = request.get_argument("username")
val = request.get_argument("password")
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
except:
return False
else:
request.set_secure_cookie("user", request.get_argument("username"))
return True
def auth_basic(self, auth_header, callback):
"""
Perform Basic authentication using self.settings['pam_realm'].
"""
auth_decoded = base64.decodestring(auth_header[6:])
username, password = auth_decoded.split(':', 2)
def _pam_conv(auth, query_list, user_data=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
else:
return None
return resp
pam_auth = PAM.pam()
pam_auth.start(self.settings['pam_service'])
pam_auth.set_item(PAM.PAM_USER, username)
pam_auth.set_item(PAM.PAM_TTY, 'console')
pam_auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
pam_auth.authenticate()
pam_auth.acct_mgmt()
except Exception as e: # Basic auth failed
if self.settings['debug']:
print(e) # Very useful for debugging Kerberos errors
return self.authenticate_redirect()
# NOTE: Basic auth just gives us the username without the @REALM part
# so we have to add it:
user = "******" % (username, self.settings['pam_realm'])
callback(user)
def password_check(self, bt, en):
#------------Sets Password
def pam_conv(auth, query_list, userData):
password = en.entry
resp = []
for i in range(len(query_list)):
query, type = query_list[i]
if type == PAM.PAM_PROMPT_ECHO_ON or type == PAM.PAM_PROMPT_ECHO_OFF:
val = password
resp.append((val, 0))
elif type == PAM.PAM_PROMPT_ERROR_MSG or type == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
#------------Username & Service To Use
username = getpass.getuser()
service = 'passwd'
#------------Start Password Test
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error, resp:
pw_error_popup(bt, self.mainWindow)
en.entry = ""
en.focus = True
logging.info("Invalid password! Please try again.")
return
def PAM_authenticate(username, password):
def _pam_conv(auth, query_list):
resp = []
for query, q_type in query_list:
if q_type in [PAM.PAM_PROMPT_ECHO_ON, PAM.PAM_PROMPT_ECHO_OFF]:
resp.append((password, 0))
elif q_type in [
PAM.PAM_PROMPT_ERROR_MSG, PAM.PAM_PROMPT_TEXT_INFO
]:
resp.append(('', 0))
return resp
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error:
raise AssertionError(_('Invalid user / password'))
return True
def pam_auth(self, nick, pam, pam_group, recv_pass):
if not pam: return False
# Check if user is in groups (main or others)
if pam_group:
import pwd
import grp
try:
user_group_id = pwd.getpwnam(nick).pw_gid
group_data = grp.getgrnam(pam_group)
pam_group_id = group_data.gr_gid
group_members = group_data.gr_mem
check_group = user_group_id == pam_group_id \
or nick in group_members
except:
check_group = False
if not check_group: return False
# Check user authentication (via PAM)
import PAM
def pam_conv(auth, query_list, userData):
resp = []
resp.append((recv_pass, 0))
return resp
p = PAM.pam()
p.start('passwd')
p.set_item(PAM.PAM_USER, nick)
p.set_item(PAM.PAM_CONV, pam_conv)
try:
p.authenticate()
p.acct_mgmt()
except:
return False
else:
return True
def _auth(result):
def _pam_conv(auth, query_list, userData=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG:
cherrypy.log.error_log.error(
"PAM authenticate prompt error: %s" % query)
resp.append(('', 0))
elif qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
result.value = False
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
except PAM.error, (resp, code):
msg_args = {'username': username, 'code': code}
raise OperationFailed("KCHAUTH0001E", msg_args)
def authenticate(username, password, service="passwd"):
'''Returns True if authenticate is OK via PAM.'''
def _pam_conv(auth, query_list, userData=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG:
cherrypy.log.error_log.error("PAM authenticate prompt error "
"message: %s" % query)
resp.append(('', 0))
elif qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
auth.authenticate()
except PAM.error, (resp, code):
raise InvalidOperation(resp, code)
def PAMAuthenticate(self, inUsername, inPassword):
'''使用PAM的方式登录'''
def PAMConv(inAuth, inQueryList, *theRest):
# *theRest consumes the userData argument from later versions of PyPAM
retVal = []
for query in inQueryList:
if query[1] == PAM.PAM_PROMPT_ECHO_ON or query[1] == PAM.PAM_PROMPT_ECHO_OFF:
# Return inPassword from the scope that encloses this function
retVal.append((inPassword, 0)) # Append a tuple with two values (so double brackets)
return retVal
ovmLog('ProcessLogin....')
auth = PAM.pam()
auth.start('passwd')
#设置用户名
auth.set_item(PAM.PAM_USER, inUsername)
#设置密码
auth.set_item(PAM.PAM_CONV, PAMConv)
try:
#用户验证
auth.authenticate()
#用户超时设置
auth.acct_mgmt()
# No exception implies a successful login
except Exception, e:
# Display a generic message for all failures
raise Exception(Lang("The system could not log you in. Please check your access credentials and try again."))
def __init__(self,user,password,Lang): AuthBase.__init__(self,user,password,Lang) self.service = 'passwd' self.PamAuth = PAM.pam() self.PamAuth.start(self.service) self.PamAuth.set_item(PAM.PAM_USER, self.user) self.PamAuth.set_item(PAM.PAM_CONV, self._pam_conv)
def auth_basic(self, auth_header, callback):
"""
Perform Basic authentication using self.settings['pam_realm'].
"""
auth_decoded = base64.decodestring(auth_header[6:])
username, password = auth_decoded.split(':', 2)
def _pam_conv(auth, query_list, user_data=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
else:
return None
return resp
pam_auth = PAM.pam()
pam_auth.start(self.settings['pam_service'])
pam_auth.set_item(PAM.PAM_USER, username)
pam_auth.set_item(PAM.PAM_TTY, 'console')
pam_auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
pam_auth.authenticate()
pam_auth.acct_mgmt()
except Exception, e: # Basic auth failed
if self.settings['debug']:
print(e) # Very useful for debugging Kerberos errors
return self.authenticate_redirect()
def PAMAuthenticate(self, inUsername, inPassword):
def PAMConv(inAuth, inQueryList, *theRest):
# *theRest consumes the userData argument from later versions of PyPAM
retVal = []
for query in inQueryList:
if query[1] == PAM.PAM_PROMPT_ECHO_ON or query[
1] == PAM.PAM_PROMPT_ECHO_OFF:
# Return inPassword from the scope that encloses this function
retVal.append(
(inPassword, 0)
) # Append a tuple with two values (so double brackets)
return retVal
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, inUsername)
auth.set_item(PAM.PAM_CONV, PAMConv)
try:
auth.authenticate()
auth.acct_mgmt()
# No exception implies a successful login
except Exception, e:
# Display a generic message for all failures
raise Exception(
Lang(
"The system could not log you in. Please check your access credentials and try again."
))
def check_password(username, password, service):
global __username, __password
auth = PAM.pam()
auth.start(service, username, __pam_conv)
# Save the username and passwords in the globals, the conversation
# function needs access to them
__username = username
__password = password
try:
try:
auth.authenticate()
auth.acct_mgmt()
finally:
# Something to be always executed - cleanup
__username = __password = None
except PAM.error:
e = sys.exc_info()[1]
resp, code = e.args[:2]
log_error("Password check failed (%s): %s" % (code, resp))
return 0
except:
raise_with_tb(rhnException('Internal PAM error'), sys.exc_info()[2])
else:
# Good password
return 1
def auth_basic(self, auth_header, callback):
"""
Perform Basic authentication using self.settings['pam_realm'].
"""
auth_decoded = base64.decodestring(auth_header[6:])
username, password = auth_decoded.split(':', 1)
def _pam_conv(auth, query_list, user_data=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
else:
return None
return resp
pam_auth = PAM.pam()
pam_auth.start(self.settings['pam_service'])
pam_auth.set_item(PAM.PAM_USER, username)
pam_auth.set_item(PAM.PAM_TTY, 'console')
pam_auth.set_item(PAM.PAM_CONV, _pam_conv)
try:
pam_auth.authenticate()
pam_auth.acct_mgmt()
except Exception as e: # Basic auth failed
if self.settings['debug']:
logging.debug(e)
return self.authenticate_redirect()
# NOTE: Basic auth just gives us the username without the @REALM part
# so we have to add it:
user = "******" % (username, self.settings['pam_realm'])
callback(user)
def handle_function(function, command, message, connector, config, LOG):
switch_uid = config.get('tsi.switch_uid', True)
pam_enabled = config.get('tsi.open_user_sessions', False)
cmd_spawns = command in [ "TSI_EXECUTESCRIPT", "TSI_SUBMIT", "TSI_UFTP" ]
open_user_session = pam_enabled and cmd_spawns and switch_uid
if open_user_session:
# fork to avoid TSI process getting put into user slice
pid = os.fork()
if pid != 0:
os.waitpid(pid, 0)
return
try:
if switch_uid:
id_info = re.search(r".*#TSI_IDENTITY (\S+) (\S+)\n.*", message, re.M)
if id_info is None:
raise RuntimeError("No user/group info given")
user = id_info.group(1)
groups = id_info.group(2).split(":")
if open_user_session:
pam_module = config.get('tsi.pam_module', "unicore-tsi")
pam_session = PAM.PAM(LOG, module_name=pam_module)
pam_session.open_session(user)
user_switch_status = BecomeUser.become_user(user, groups, config, LOG)
if user_switch_status is not True:
raise RuntimeError(user_switch_status)
function(message, connector, config, LOG)
except:
connector.failed(str(sys.exc_info()[1]))
LOG.error("Error executing %s" % command)
if switch_uid:
BecomeUser.restore_id(config, LOG)
if open_user_session:
pam_session.close_session()
if open_user_session:
os._exit(0)
def _auth(result):
def _pam_conv(auth, query_list, userData=None):
resp = []
for i in range(len(query_list)):
query, qtype = query_list[i]
if qtype == PAM.PAM_PROMPT_ECHO_ON:
resp.append((username, 0))
elif qtype == PAM.PAM_PROMPT_ECHO_OFF:
resp.append((password, 0))
elif qtype == PAM.PAM_PROMPT_ERROR_MSG:
cherrypy.log.error_log.error(
f'PAM authenticate prompt error: {query}'
)
resp.append(('', 0))
elif qtype == PAM.PAM_PROMPT_TEXT_INFO:
resp.append(('', 0))
else:
return None
return resp
auth = PAM.pam()
try:
auth.start(service)
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, _pam_conv)
auth.authenticate()
result.value = 0
# Debian 10: handle differences on pam module
except AttributeError:
# Use default service as it may vary from Debian 10 to OpenSUSE 15.1
result.value = 0 if auth.authenticate(
username=username, password=password) else 1
except PAM.error as e:
result.value = e.args[1]
def pam(self, trainset, testset, k, k_for_cluster, isClassification):
pm = PAM.PAM(k_for_cluster, trainset)
medoids_class = pm.getClusters()
print("medoids received")
medoids_class = medoids_class.drop(columns=["cluster", "cost"])
medoids_class = medoids_class[testset.columns]
predicted = Knn.Knn().fit(medoids_class.values, testset, k,
isClassification)
return predicted, testset.iloc[:, -1]
def __init__(self, service = ""): if service == "": service = 'passwd' self.auth = PAM.pam() self.auth.start(service[:]) self.auth.set_item(PAM.PAM_CONV, self.pam_conv) self.passwd = "" self.AUTH_TYPE = "SYSTEM"
def command_AUTH(self, arg):
def pam_conv(auth, query_list, userData):
resp = []
for i in range(len(query_list)):
query, type = query_list[i]
if type == PAM.PAM_PROMPT_ECHO_OFF or type == PAM.PAM_PROMPT_ECHO_ON:
if query == "login:"******"Login:"******"ERR Usage AUTH <username> <base64 password>")
return
try:
self.user = arg.split()[0]
base64_password = arg.split()[1]
base64.b64decode(base64_password).decode('ascii')
except:
self.push("ERR Usage AUTH <username> <base64 password>")
return
if self.user == "root":
time.sleep(3)
self.push("ERR Root login disabled")
return
auth = PAM.pam()
auth.start('bifecaa')
auth.set_item(PAM.PAM_USER, self.user)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error:
self.push("ERR Authentication error")
else:
groups = [g.gr_name for g in grp.getgrall() if self.user in g.gr_mem]
gid = pwd.getpwnam(self.user).pw_gid
groups.append(grp.getgrgid(gid).gr_name)
if "sudo" in groups:
self.user_authenticated = 1
# TODO: load plugins
self.push("OK User %s authenticated" % self.user)
else:
if config.allow_non_admin == True:
self.user_authenticated = 2
self.push("OK User %s authenticated, access restrictions apply" % self.user)
else:
self.push("ERR User %s not in 'sudo' group" % self.user)
return
return
def auth_PyPAM(self):
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, GLib.get_user_name())
auth.set_item(PAM.PAM_CONV, self.pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
return True
except PAM.error as resp:
raise PasswordError("Invalid password")
def authenticate_pam(self, service):
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, self.username)
auth.set_item(PAM.PAM_CONV, self._pam_conv)
authenticated = False
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error, (resp, code):
raise AuthenticationError('(%s: %s)' % (resp, code))
def testConstructor(self):
"""The constructor works with no arguements and fails with
a TypeError when called with any arguments."""
pam = PAM.pam()
self.assertRaises(TypeError, PAM.pam, None)
self.assertRaises(TypeError, PAM.pam, 1)
self.assertRaises(TypeError, PAM.pam, "")
self.assertRaises(TypeError, PAM.pam, ())
self.assertRaises(TypeError, PAM.pam, [])
self.assertRaises(TypeError, PAM.pam, {})
def auth_PyPAM(self):
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, GLib.get_user_name())
auth.set_item(PAM.PAM_CONV, self.pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
return True
except PAM.error as resp:
raise PasswordError("Invalid password")
def pam_auth():
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error, resp:
#print resp #os prints podem gerar erro na tentativas posteriores
sys.exit(1)
def authenticate(self, username, password):
is_authenticated = False
auth = _PAM.pam()
auth.start("passwd")
auth.set_item(_PAM.PAM_USER, username)
self._password = str(password) # FIXME Bug in binding
auth.set_item(_PAM.PAM_CONV, lambda a, q: self._pam_conv(a, q))
try:
auth.authenticate()
is_authenticated = True
except _PAM.error, (resp, code):
self.logger.debug("Failed to authenticate: %s %s" % (resp, code))
def authenticate(self, username, password):
is_authenticated = False
auth = _PAM.pam()
auth.start("passwd")
auth.set_item(_PAM.PAM_USER, username)
self._password = str(password) # FIXME Bug in binding
auth.set_item(_PAM.PAM_CONV, lambda a, q: self._pam_conv(a, q))
try:
auth.authenticate()
is_authenticated = True
except _PAM.error, (resp, code):
self.logger.debug("Failed to authenticate: %s %s" % (resp, code))
def authenticate(self, username=None, password=None):
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, username)
auth.set_item(PAM.PAM_CONV, pam_conv)
global thePass
thePass = password
try:
auth.authenticate()
auth.acct_mgmt()
except Exception, e:
return None
def _changeLocalPassword(self, user_name, old_password, new_password):
pam = PAM.pam()
pam.start(self.appname)
pam.set_item(PAM.PAM_USER, user_name)
pam.set_item(PAM.PAM_CONV, pam_conv)
pam.set_userdata(
dict(old_password=old_password, new_password=new_password))
try:
pam.chauthtok()
except PAM.error, args:
pam.close_session()
raise passwd.PasswdException(args[0])
def _changeLocalPassword(self, user_name, old_password, new_password):
pam = PAM.pam()
pam.start(self.appname)
pam.set_item(PAM.PAM_USER, user_name)
pam.set_item(PAM.PAM_CONV, pam_conv)
pam.set_userdata(dict(old_password=old_password,
new_password=new_password))
try:
pam.chauthtok()
except PAM.error, args:
pam.close_session()
raise passwd.PasswdException(args[0])
def _authenticate(self, user_name, password):
pam = PAM.pam()
pam.start(self.appname)
pam.set_item(PAM.PAM_USER, user_name)
pam.set_item(PAM.PAM_CONV, pam_conv)
pam.set_userdata(dict(password=password))
try:
pam.authenticate()
pam.acct_mgmt()
except PAM.error, args:
pam.close_session()
raise auth.AuthException(args[0], args[1])
def _authenticate(self, user_name, password):
pam = PAM.pam()
pam.start(self.appname)
pam.set_item(PAM.PAM_USER, user_name)
pam.set_item(PAM.PAM_CONV, pam_conv)
pam.set_userdata(dict(password=password))
try:
pam.authenticate()
pam.acct_mgmt()
except PAM.error, args:
pam.close_session()
raise auth.AuthException(args[0], args[1])
def try_auth():
pam = PAM.pam()
pam.start("login")
pam.set_item(PAM.PAM_USER, "root")
pam.set_item(PAM.PAM_TTY, "tty1")
pam.set_item(PAM.PAM_CONV, pam_conv)
try:
pam.authenticate()
pam.acct_mgmt()
except Exception as e:
return False
return True
def __init__(self, user):
self.service = "safebox"
self.auth = PAM.pam()
self.auth.start(self.service)
if user != None:
self.auth.set_item(PAM.PAM_USER, user)
self.auth.set_item(PAM.PAM_CONV, self.pam_conv)
self.token = "!!!".encode('base64')
self.signed = "!!!".encode('base64')
self.match = "!!!"
self.user = user
def test_pam_authentication(self):
'''Test pam authentication'''
service = 'passwd'
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, self.user.login)
auth.set_item(PAM.PAM_CONV, self._pam_callback)
auth.authenticate()
auth.acct_mgmt()
def __init__(self, user):
self.service = "safebox"
self.auth = PAM.pam()
self.auth.start(self.service)
if user != None:
self.auth.set_item(PAM.PAM_USER, user)
self.auth.set_item(PAM.PAM_CONV, self.pam_conv)
self.token = "!!!".encode('base64')
self.signed = "!!!".encode('base64')
self.match = "!!!"
self.user = user
def authenticate(self):
service = 'passwd'
auth = PAM.pam()
auth.start(service)
auth.set_item(PAM.PAM_USER, self._user)
auth.set_item(PAM.PAM_CONV, self._pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
return True
except PAM.error, resp:
return False
def auth(self,user, secret):
def provide_secret(auth, query_list, userData):
return [(secret,0)]
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, provide_secret)
try:
auth.authenticate()
except PAM.error,resp:
print '%s' % resp
return 0
def check(username, password):
log("PAM check(%s, [..])", username)
auth = PAM.pam()
auth.start(PAM_SERVICE)
auth.set_item(PAM.PAM_USER, username)
conv = PAM_conv(password)
auth.set_item(PAM.PAM_CONV, conv.pam_conv_password)
try:
auth.authenticate()
return True
#auth.acct_mgmt()
except PAM.error, resp:
log.error("PAM.authenticate() error: %s", resp)
return False
def check_pam_login(self, user, password):
global pam_password
pam_password = password
auth = PAM.pam()
auth.start('sssd')
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except PAM.error, resp:
print 'Bad autentication! (%s)' % resp
return False
def password_is_good_PAM(login, password):
def pam_conv(dummy_auth, dummy_query_list, dummy_userData):
return [(password, 0)]
auth = PAM.pam()
auth.start('passwd')
auth.set_item(PAM.PAM_USER, login)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except:
return False
return True
