Beispiel #1
0
 def _check_auth_password(self, address, realm, username, password):
     """Verify supplied username and password against user DB"""
     user = self.userMap[realm].get(username, None)
     if user is not None:
         # list of User login objects for username
         offered = password
         allowed = user.get('password_hash', None)
         if allowed is not None:
             #logger.debug("Password check for %s" % username)
             if check_password_hash(offered, allowed, self.hash_cache):
                 return True
     return False
Beispiel #2
0
    def validate_authentication(self, username, password, handler):
        """Password auth against usermap.

        Please note that we take serious steps to secure against password
        cracking, but that it _may_ still be possible to achieve with a big
        effort.

        Paranoid users / grid owners should not enable password access in the
        first place!
        """
        logger.debug("Authenticating %s" % username)
        self.update_logins(username)
        
        offered = None
        if hit_rate_limit(configuration, "ftps", handler.remote_ip, username):
            logger.warning("Rate limiting login from %s" % handler.remote_ip)
        elif 'password' in configuration.user_ftps_auth and \
               self.has_user(username):
            # list of User login objects for username
            entries = [self.user_table[username]]
            offered = password
            for entry in entries:
                if entry['pwd'] is not None:
                    allowed = entry['pwd']
                    logger.debug("Password check for %s" % username)
                    if check_password_hash(offered, allowed):
                        logger.info("Authenticated %s" % username)
                        self.authenticated_user = username
                        update_rate_limit(configuration, "ftps",
                                          handler.remote_ip, username, True)
                        return True
        err_msg = "Password authentication failed for %s" % username
        logger.error(err_msg)
        print err_msg
        self.authenticated_user = None
        update_rate_limit(configuration, "ftps", handler.remote_ip, username,
                          False)
        # Must raise AuthenticationFailed exception since version 1.0.0 instead
        # of returning bool
        raise AuthenticationFailed(err_msg)
Beispiel #3
0
    def check_auth_password(self, username, password):
        """Password auth against usermap.

        Please note that we take serious steps to secure against password
        cracking, but that it _may_ still be possible to achieve with a big
        effort.

        Paranoid users / grid owners should not enable password access in the
        first place!
        """
        offered = None
        if hit_rate_limit(configuration, "sftp-pw", self.client_addr[0],
                          username):
            logger.warning("Rate limiting login from %s" % self.client_addr[0])
        elif self.allow_password and self.users.has_key(username):
            # list of User login objects for username
            entries = self.users[username]
            offered = password
            for entry in entries:
                if entry.password is not None:
                    # TODO: Add ssh tunneling on resource frontends
                    #       before enforcing ip check
                    # and \
                    #(entry.ip_addr is None or
                    # entry.ip_addr == self.client_addr[0]):

                    allowed = entry.password
                    self.logger.debug("Password check for %s" % username)
                    if check_password_hash(offered, allowed):
                        self.logger.info("Authenticated %s" % username)
                        self.authenticated_user = username
                        update_rate_limit(configuration, "sftp-pw",
                                          self.client_addr[0], username, True)
                        return paramiko.AUTH_SUCCESSFUL
        err_msg = "Password authentication failed for %s" % username
        self.logger.error(err_msg)
        print err_msg
        update_rate_limit(configuration, "sftp-pw", self.client_addr[0],
                          username, False)
        return paramiko.AUTH_FAILED
Beispiel #4
0
 def _check_auth_password(self, username, password):
     """Verify supplied username and password against user DB"""
     offered = None
     if hit_rate_limit(configuration, "davs", self.client_address[0],
                       username):
         logger.warning("Rate limiting login from %s" % \
                        self.client_address[0])
     elif self.users.has_key(username):
         # list of User login objects for username
         entries = self.users[username]
         offered = password
         for entry in entries:
             if entry.password is not None:
                 allowed = entry.password
                 logger.debug("Password check for %s" % username)
                 if check_password_hash(offered, allowed):
                     self.authenticated_user = username
                     update_rate_limit(configuration, "davs",
                                       self.client_address[0], username,
                                       True)
                     return True
     update_rate_limit(configuration, "davs", self.client_address[0],
                       username, False)
     return False
Beispiel #5
0
    def validate_authentication(self, username, password, handler):
        """Password auth against internal DB built from login_map.

        Please note that we take serious steps to secure against password
        cracking, but that it _may_ still be possible to achieve with a big
        effort.

        The following is checked before granting auth:
        1) Valid username
        2) Valid user (Does user exist and enabled ftps)
        3) Valid 2FA session (if 2FA is enabled)
        4) Hit rate limit (Too many auth attempts)
        5) Valid password (if password enabled)
        """
        secret = None
        disconnect = False
        strict_password_policy = True
        password_offered = None
        password_enabled = False
        invalid_username = False
        invalid_user = False
        valid_password = False
        valid_twofa = False
        exceeded_rate_limit = False
        client_ip = handler.remote_ip
        client_port = handler.remote_port
        username = force_utf8(username)
        daemon_conf = configuration.daemon_conf
        max_user_hits = daemon_conf['auth_limits']['max_user_hits']
        user_abuse_hits = daemon_conf['auth_limits']['user_abuse_hits']
        proto_abuse_hits = daemon_conf['auth_limits']['proto_abuse_hits']
        max_secret_hits = daemon_conf['auth_limits']['max_secret_hits']
        logger.debug("Run authentication of %s from %s" %
                     (username, client_ip))
        logger.info("refresh user %s" % username)
        logger.debug("daemon_conf['allow_password']: %s" %
                     daemon_conf['allow_password'])

        # For e.g. GDP we require all logins to match active 2FA session IP,
        # but otherwise user may freely switch net during 2FA lifetime.
        if configuration.site_twofactor_strict_address:
            enforce_address = client_ip
        else:
            enforce_address = None

        # We don't have a handle_request for server so expire here instead

        if self.last_expire + self.min_expire_delay < time.time():
            self.last_expire = time.time()
            expire_rate_limit(configuration,
                              "ftps",
                              expire_delay=self.min_expire_delay)
        if hit_rate_limit(configuration,
                          'ftps',
                          client_ip,
                          username,
                          max_user_hits=max_user_hits):
            exceeded_rate_limit = True
        elif not default_username_validator(configuration, username):
            invalid_username = True
        elif daemon_conf['allow_password']:
            hash_cache = daemon_conf['hash_cache']
            password_offered = password
            secret = make_scramble(password_offered, None)
            # Only sharelinks should be excluded from strict password policy
            if configuration.site_enable_sharelinks and \
                    possible_sharelink_id(configuration, username):
                strict_password_policy = False
            logger.debug("refresh user %s" % username)
            self._update_logins(configuration, username)
            if not self.has_user(username):
                if not os.path.islink(
                        os.path.join(daemon_conf['root_dir'], username)):
                    invalid_user = True
                entries = []
            else:
                # list of User login objects for username
                entries = [self.user_table[username]]
            for entry in entries:
                if entry['pwd'] is not None:
                    password_enabled = True
                    password_allowed = entry['pwd']
                    logger.debug("Password check for %s" % username)
                    if check_password_hash(configuration, 'ftps', username,
                                           password_offered, password_allowed,
                                           hash_cache, strict_password_policy):
                        valid_password = True
                        break
            if valid_password and check_twofactor_session(
                    configuration, username, enforce_address, 'ftps'):
                valid_twofa = True

        # Update rate limits and write to auth log

        (authorized, disconnect) = validate_auth_attempt(
            configuration,
            'ftps',
            'password',
            username,
            client_ip,
            client_port,
            secret=secret,
            invalid_username=invalid_username,
            invalid_user=invalid_user,
            valid_twofa=valid_twofa,
            authtype_enabled=password_enabled,
            valid_auth=valid_password,
            exceeded_rate_limit=exceeded_rate_limit,
            user_abuse_hits=user_abuse_hits,
            proto_abuse_hits=proto_abuse_hits,
            max_secret_hits=max_secret_hits,
        )

        if disconnect:
            handler._shutdown_connecting_dtp()
        if authorized:
            self.authenticated_user = username
            return True
        else:
            # Must raise AuthenticationFailed exception since version 1.0.0 instead
            # of returning bool
            self.authenticated_user = None
            raise AuthenticationFailed()