def password(report, user, password):
print(authenticate(user, password, service='sshd'))
if authenticate(user, password, service='sshd') == False:
report.write("\n<li>Insecure password changed for %s\n" % user)
print("Insecure password changed for %s" % user)
global found
found += 1
return
def pam_authenticate(resource, req, resp, *args, **kwargs):
"""
Authenticate against PAM with WWW Basic Auth credentials
"""
if optional and not req.get_param_as_bool("authenticate"):
return func(resource, req, resp, *args, **kwargs)
if not req.auth:
raise falcon.HTTPUnauthorized("Forbidden",
"Please authenticate",
("Basic", ))
if not req.auth.startswith("Basic "):
raise falcon.HTTPBadRequest("Bad request",
"Bad header: %s" % req.auth)
basic, token = req.auth.split(" ", 1)
user, passwd = b64decode(token).decode("ascii").split(":", 1)
import simplepam
if not simplepam.authenticate(user, passwd, "sshd"):
logger.critical(
"Basic authentication failed for user %s from %s, "
"are you sure server process has read access to /etc/shadow?",
repr(user), req.context.get("remote_addr"))
raise falcon.HTTPUnauthorized("Forbidden", "Invalid password",
("Basic", ))
req.context["user"] = User.objects.get(user)
return func(resource, req, resp, *args, **kwargs)
def pam_authenticate(resource, req, resp, *args, **kwargs):
"""
Authenticate against PAM with WWW Basic Auth credentials
"""
if optional and not req.get_param_as_bool("authenticate"):
return func(resource, req, resp, *args, **kwargs)
if not req.auth:
raise falcon.HTTPUnauthorized("Forbidden", "Please authenticate", ("Basic",))
if not req.auth.startswith("Basic "):
raise falcon.HTTPForbidden("Forbidden", "Bad header: %s" % req.auth)
from base64 import b64decode
basic, token = req.auth.split(" ", 1)
user, passwd = b64decode(token).split(":", 1)
import simplepam
if not simplepam.authenticate(user, passwd, "sshd"):
logger.critical(u"Basic authentication failed for user %s from %s",
repr(user), req.context.get("remote_addr"))
raise falcon.HTTPForbidden("Forbidden", "Invalid password")
req.context["user"] = User.objects.get(user)
return func(resource, req, resp, *args, **kwargs)
def accept_the_request():
file_list = file_to_list()
show_list(file_list)
try:
selected_command = input("please select which one do you want to approve or deny or 0 for cancelation: ")
if selected_command != 0:
if file_list[selected_command-1][3] != "Yes": #if it is not already done
admin_name = raw_input("username: "******"password: "******"Press a to Accept, d to Deny and c to cancel confirming this request: ")
if select_accept_deny.upper() != "C" and len(select_accept_deny)!= 0:
if select_accept_deny.upper() == "A":
if admin_name != file_list[selected_command-1][1]: #if the person does not want to accept his own request
file_list[selected_command-1][2] = admin_name
else:
print colors.BOLD+" You cannot accept your own request!"+colors.END
if select_accept_deny.upper() == "D":
file_list[selected_command-1][3] = "Denied"
file_list[selected_command-1][2] = admin_name
else:
print colors.BOLD+"Authentication failed"+ colors.END
else:
print colors.BOLD+" This request has been implemented successfully!"+colors.END
joining_list(file_list)
list_to_file(file_list)
print ""
except:
print""
print colors.BOLD+" You must insert a number"+ colors.END
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if authenticate(str(username), str(password)):
session['username'] = request.form['username']
return redirect(url_for('annotering'))
else:
return """
<head>
<style type="text/css">
body {
text-align: center;
background-size: 100%;
}
h1, h2 {
color: black;
font-family: "Courier New";
}
</style>
</head>
<h2>Forkert kode indtastet - <br> Hændelsen er logført<h2>
<form action="/login">
<input type="submit" value="Prøv igen" />
</form>
"""
'Invalid username/password'
return render_template("login.html")
def login():
params = request.json
auth_users = app.config.get('AUTH_USER', [])
try:
username = str(params.get('username', '').strip())
password = str(params.get('password', '').strip())
if auth_users and username not in auth_users:
abort(401, msg='user {0} has no privilege login'.format(username))
if username and password:
auth = authenticate(username,
password,
service='login',
encoding='utf-8',
resetcred=True)
if auth:
app.logger.info('user {0} login from {1}'.format(
username, session['remote_address']))
session['login'] = '******'.format(username, time.time())
return make_response(
jsonify(code=200, data={
'user': username,
'code': 200
}), 200)
else:
abort(401, msg='username and password is required')
except Exception as e:
abort(401, msg=str(e))
abort(401, msg='auth failed')
def run_accepted_request():
file_list = file_to_list()
show_list(file_list)
try:
selected_command = input("please select one one of your request for running or select or 0 for cancelation: ")
if selected_command != 0:
admin_name = raw_input("username: "******"password: "******"Denied" and file_list[selected_command-1][2] != "":
if file_list[selected_command-1][3] != "Yes": #if it is not already done
accepted_request = file_list[selected_command-1][0].split(" ")
running_accepted_request = call(accepted_request)
if running_accepted_request == 0:
file_list[selected_command-1][3] = "Yes"
else:
file_list[selected_command-1][3] = "Problem"
else:
print colors.BOLD+" This request is already successfully done!"+colors.END
else:
print colors.BOLD+"Your request is not accepted!"+ colors.END
else:
print colors.BOLD+"This is not your reuest!"+ colors.END
else:
print colors.BOLD+"Authentication failed"+ colors.END
joining_list(file_list)
list_to_file(file_list)
print ""
except:
print""
print colors.BOLD+" You must insert a number"+ colors.END
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if authenticate(str(username), str(password)):
session['username'] = request.form['username']
return (redirect(url_for('index')))
else:
return ('Invalid username/password')
def checkUser(user, password):
"""Authenticate user using PAM."""
auth = authenticate(user, password)
if auth:
logging.info("%s authenticated." % user)
return True
else:
logging.info("%s failed to authenticate: %s" % (user, auth))
return False
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if authenticate(str(username), str(password)):
session['username'] = request.form['username']
return redirect(url_for('index'))
else:
return 'Invalid username/password'
else:
return render_template("login.html")
def authenticate(name):
print("Authenticating",name, end=" ")
data = request.json
if not data:
print("FAIL (no password)")
abort(401, "Unable to authenticate: no password given.")
elif simplepam.authenticate(name, request.json['password']):
print("OK")
return None
print("FAIL (wrong password)")
abort(401, "Unable to authenticate.")
def login():
if request.method == "POST":
username = request.form.get('username', None)
password = request.form.get('password', None)
if authenticate(str(username), str(password)):
session['username'] = username
flash("Successful login")
return redirect(url_for("index"))
else:
abort(403)
else:
return render_template("login.html")
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username']
# simplepam wants bytes, not unicode
# see
busername = username.encode(self.encoding)
bpassword = data['password'].encode(self.encoding)
if simplepam.authenticate(busername, bpassword, service=self.service):
raise gen.Return(username)
def login():
if request.method == "POST":
username = request.form.get('username', None)
password = request.form.get('password', None)
print("Before authenticate {} {}".format(username, password))
if authenticate(str(username), str(password)):
session['username'] = username
return redirect(url_for("index"))
else:
abort(403)
else:
return render_template("login.html")
def home():
if request.method == 'POST':
userid = request.form.get('userid', None)
password = request.form.get('pwd', None)
print userid
print password
if authenticate(str(userid), str(password)):
session['userid'] = userid
return redirect(url_for('.summary'))
else:
return 'Invalid user id or password'
return render_template('home.html')
async def post(self):
username = self.get_argument("username", "")
password = self.get_argument("password", "")
if authenticate(username, password):
# `key` is the cookie name of code-server.
# We use the same cookie name so that user can exit
# code-server-hub when he click "logout" on the web page
# of code-server.
# The cookie would be overrided
# when we proxy the request to code-server.
self.set_secure_cookie("key", username)
return self.redirect("/")
return self.render_template("login.html", login_fail=True)
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
error = None
if authenticate(str(username), str(password)):
session.clear()
session['logged_in'] = True
return redirect(url_for('index'))
else:
flash('Invalid credentials.')
return render_template('auth/login.html')
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username']
if self.whitelist and username not in self.whitelist:
return
# simplepam wants bytes, not unicode
# see simplepam#3
busername = username.encode(self.encoding)
bpassword = data['password'].encode(self.encoding)
if simplepam.authenticate(busername, bpassword, service=self.service):
return username
def login():
form = LoginForm()
if form.validate_on_submit():
username = form.username.data
password = form.password.data
# User simple pam authentication.
if authenticate(str(username), str(password)):
session['username'] = username
return redirect(url_for('index'))
else:
flash('Invalid username or password')
return redirect(url_for('login'))
return render_template('login.html', title='Sign in', form=form)
def post(self):
un = self.get_argument('username')
pw = str(self.get_argument('password'))
if simplepam.authenticate(un, str(pw), service='login'):
self.set_secure_cookie('user', un)
self.redirect(settings.URL_PREFIX + "/")
else:
failed_attempts = self.get_secure_cookie("failedattempts")
if failed_attempts == False or failed_attempts == None:
failed_attempts = 0
self.set_secure_cookie("failedattempts",
str(int(failed_attempts) + 1))
self.set_status(403)
self.render('lib/templates/login.html',
error='Username or Password incorrect!')
def index():
# if 'username' in session:
# return 'Logged in as %s' % escape(session['username'])
# return 'You are not logged in'
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if authenticate(str(username), str(password)):
session['username'] = request.form['username']
return render_template('sassy.html',
item=escape(session['username']))
return 'NOOO'
else:
if 'username' in session:
return render_template('sassy.html',
item=escape(session['username']))
return render_template('index.html')
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if authenticate(str(username), str(password)):
username = request.form['username']
session['username'] = username
print(session['username'])
if username == 'root':
return render_template("home.html", username=username)
else:
return render_template("user_home.html", username=username)
else:
return redirect('/')
return redirect('index')
def request_for_running():
command = raw_input("Please insert the full command or press c for cancelation: ")
if command.upper() != "C" and len(command)!= 0 and command != " ":
admin_name = raw_input("username: "******"password: "******""
admin_permission = ""
running_checker = "Not Yet"
real_user = authenticate(admin_name, password)
if real_user == True:
requst_command = command + ";" + admin_name + ";" + admin_permission + ";"+ running_checker + "\n"
check_file = open("check_file.txt", "a")
check_file.write(requst_command)
check_file.close()
print colors.BOLD + "your request was successfully recorded, ask other administrators to accept it" + colors.END
else:
print colors.BOLD+"Authentication failed"+ colors.END
def index():
# if 'username' in session:
# return 'Logged in as %s' % escape(session['username'])
# return 'You are not logged in'
if request.method == 'POST':
username = request.args.get('uname')
password = request.args.get('pwd')
if authenticate(str(username), str(password)):
session['username'] = request.args.get('uname')
# deprecated render_template('sassy.html', item = escape(session['username']))
return 'loginSuccess'
return 'loginFailure'
else:
if 'username' in session:
return render_template('loggedHeader.html',
item=escape(session['username']))
return render_template('index.html')
def post(self):
creds = tornado.escape.json_decode(self.request.body)
un = creds['username']
pw = creds['password']
token = None
if un and pw:
if authenticate(un, str(pw), service='login'):
token = jwt.encode(
{'username':un},
global_settings.JWT_SECRET,
algorithm='HS256'
)
if token:
self.write({'token': token})
else:
raise tornado.web.HTTPError(403)
def verify_password():
try:
resp = errcode.get_error_result()
data = request.get_json()
user = data.get("user", None)
password = data.get("password", "")
if user:
if not authenticate(user, password, 'system-auth'):
resp = errcode.get_error_result(error="VerifyPasswordError")
else:
resp = errcode.get_error_result(error="MessageError")
return resp
except Exception as err:
current_app.logger.error(err)
current_app.logger.error(''.join(traceback.format_exc()))
resp = errcode.get_error_result(error="SystemError")
return resp
def login():
print(request.method)
if request.method == 'POST':
password = request.form['password']
username = request.form['username']
if authenticate(str(username), str(password)):
session['username'] = request.form['username']
return redirect('/')
else:
flash('Invalid username or password. This is NOT a test (or is it)')
return render_template('login.html')
elif request.method == 'GET':
if session.get('username'):
return redirect('/')
return render_template('login.html')
else:
return redirect('/')
def login():
print(request.method)
if request.method == 'POST':
password = request.form['password']
username = request.form['username']
if authenticate(str(username), str(password)):
session['username'] = request.form['username']
return redirect('/')
else:
flash(
'Invalid username or password. This is NOT a test (or is it)')
return render_template('login.html')
elif request.method == 'GET':
if session.get('username'):
return redirect('/')
return render_template('login.html')
else:
return redirect('/')
def authenticate(self, username, password, **token_context):
"""Performs authentication using simplepam
This function calls simplepam's authenticate function and returns
status of authentication using PAM and token object (of type
self.token_type)
:param username: username in Linux
:param password: password for username
:param **token_context: additional args with keys for token generator
"""
log.info("Trying to authenticate user: '******'", username)
if simplepam.authenticate(username, password):
expire = datetime.now() + timedelta(seconds=self.token_lifetime)
log.info("Token will be valid to %s", expire.strftime('%c'))
refresh_expire = -1
if self.refresh_token_lifetime != -1:
refresh_expire = datetime.now() + timedelta(
seconds=self.refresh_token_lifetime)
log.info("Refresh token will be valid to %s",
refresh_expire.strftime('%c'))
token = self.token_type(self.app.secret_key, username, expire,
**token_context)
token.context['salt'] = urandom(120).encode('base-64')
refresh_context = token_context.copy()
refresh_context['refresh_salt'] = urandom(120).encode('base-64')
refresh_token = self.token_type(self.app.secret_key, username,
refresh_expire, **refresh_context)
self.token_storage.set(token)
self.refresh_token_storage.set(refresh_token)
return (True, token, refresh_token)
log.warning("Couldn't authenticate user: %s", username)
return (False, None, None)
def validate(self):
"""Validate the form."""
initial_validation = super(LoginForm, self).validate()
if not initial_validation:
return False
self.user = User.query.filter_by(username=self.username.data).first()
if not self.user:
# Here, check against simplepam to see if the user name does in fact exist and can log in
if simplepam.authenticate(self.username.data, self.password.data):
return True
self.username.errors.append("Unknown username")
return False
if not self.user.check_password(self.password.data):
self.password.errors.append("Invalid password")
return False
if not self.user.active:
self.username.errors.append("User not activated")
return False
return True
def login():
"""
Uses simplepam to authenticate against Linux users
"""
username = request.form["username"]
password = request.form["password"]
from simplepam import authenticate
from grp import getgrall
groups = [g.gr_name for g in getgrall() if username in g.gr_mem]
if AUTH_GROUP in groups:
if authenticate(str(username), str(password)):
session["username"] = request.form["username"]
return redirect(url_for("index"))
flash(
_(
"You must log in with credentials for a user in the '%(group)s' group",
group=AUTH_GROUP,
),
"error",
)
return redirect(url_for("index"))
def wrapped(resource, req, resp, *args, **kwargs):
kerberized = False
if "kerberos" in config.AUTHENTICATION_BACKENDS:
for subnet in config.KERBEROS_SUBNETS:
if req.context.get("remote_addr") in subnet:
kerberized = True
if not req.auth: # no credentials provided
if optional: # optional allowed
req.context["user"] = None
return func(resource, req, resp, *args, **kwargs)
if kerberized:
logger.debug(
"No Kerberos ticket offered while attempting to access %s from %s",
req.env["PATH_INFO"], req.context.get("remote_addr"))
raise falcon.HTTPUnauthorized(
"Unauthorized",
"No Kerberos ticket offered, are you sure you've logged in with domain user account?",
["Negotiate"])
else:
logger.debug(
"No credentials offered while attempting to access %s from %s",
req.env["PATH_INFO"], req.context.get("remote_addr"))
raise falcon.HTTPUnauthorized("Unauthorized",
"Please authenticate",
("Basic", ))
if kerberized:
if not req.auth.startswith("Negotiate "):
raise falcon.HTTPBadRequest(
"Bad request",
"Bad header, expected Negotiate: %s" % req.auth)
os.environ["KRB5_KTNAME"] = config.KERBEROS_KEYTAB
try:
server_creds = gssapi.creds.Credentials(
usage='accept',
name=gssapi.names.Name('HTTP/%s' % const.FQDN))
except gssapi.raw.exceptions.BadNameError:
logger.error(
"Failed initialize HTTP service principal, possibly bad permissions for %s or /etc/krb5.conf"
% config.KERBEROS_KEYTAB)
raise
context = gssapi.sec_contexts.SecurityContext(
creds=server_creds)
token = ''.join(req.auth.split()[1:])
try:
context.step(b64decode(token))
except binascii.Error: # base64 errors
raise falcon.HTTPBadRequest("Bad request",
"Malformed token")
except gssapi.raw.exceptions.BadMechanismError:
raise falcon.HTTPBadRequest(
"Bad request",
"Unsupported authentication mechanism (NTLM?) was offered. Please make sure you've logged into the computer with domain user account. The web interface should not prompt for username or password."
)
try:
username, realm = str(context.initiator_name).split("@")
except AttributeError: # TODO: Better exception
raise falcon.HTTPForbidden(
"Failed to determine username, are you trying to log in with correct domain account?"
)
if realm != config.KERBEROS_REALM:
raise falcon.HTTPForbidden(
"Forbidden", "Cross-realm trust not supported")
if username.endswith("$") and optional:
# Extract machine hostname
# TODO: Assert LDAP group membership
req.context["machine"] = username[:-1].lower()
req.context["user"] = None
else:
# Attempt to look up real user
req.context["user"] = User.objects.get(username)
logger.debug(
"Succesfully authenticated user %s for %s from %s",
req.context["user"], req.env["PATH_INFO"],
req.context["remote_addr"])
return func(resource, req, resp, *args, **kwargs)
else:
if not req.auth.startswith("Basic "):
raise falcon.HTTPBadRequest(
"Bad request",
"Bad header, expected Basic: %s" % req.auth)
basic, token = req.auth.split(" ", 1)
user, passwd = b64decode(token).decode("ascii").split(":", 1)
if config.AUTHENTICATION_BACKENDS == {"pam"}:
if not simplepam.authenticate(user, passwd, "sshd"):
logger.critical(
"Basic authentication failed for user %s from %s, "
"are you sure server process has read access to /etc/shadow?",
repr(user), req.context.get("remote_addr"))
raise falcon.HTTPUnauthorized("Forbidden",
"Invalid password",
("Basic", ))
conn = None
elif "ldap" in config.AUTHENTICATION_BACKENDS:
upn = "%s@%s" % (user, config.KERBEROS_REALM)
click.echo("Connecting to %s as %s" %
(config.LDAP_AUTHENTICATION_URI, upn))
conn = ldap.initialize(config.LDAP_AUTHENTICATION_URI,
bytes_mode=False)
conn.set_option(ldap.OPT_REFERRALS, 0)
try:
conn.simple_bind_s(upn, passwd)
except ldap.STRONG_AUTH_REQUIRED:
logger.critical(
"LDAP server demands encryption, use ldaps:// instead of ldaps://"
)
raise
except ldap.SERVER_DOWN:
logger.critical(
"Failed to connect LDAP server at %s, are you sure LDAP server's CA certificate has been copied to this machine?",
config.LDAP_AUTHENTICATION_URI)
raise
except ldap.INVALID_CREDENTIALS:
logger.critical(
"LDAP bind authentication failed for user %s from %s",
repr(user), req.context.get("remote_addr"))
raise falcon.HTTPUnauthorized(
"Forbidden",
"Please authenticate with %s domain account username" %
const.DOMAIN, ("Basic", ))
req.context["ldap_conn"] = conn
else:
raise NotImplementedError(
"No suitable authentication method configured")
try:
req.context["user"] = User.objects.get(user)
except User.DoesNotExist:
raise falcon.HTTPUnauthorized("Unauthorized",
"Invalid credentials",
("Basic", ))
retval = func(resource, req, resp, *args, **kwargs)
if conn:
conn.unbind_s()
return retval
def verify_pw(username, password):
return authenticate(str(username), str(password))
import sys
from simplepam import authenticate
user = sys.argv[1]
passwd = sys.argv[2]
if authenticate(user, passwd):
#0 => means success in exit code
sys.exit(0)
else:
#=>anything else is an error of somekind
sys.exit(1)
from simplepam import authenticate import sys print 'OK' if authenticate(sys.argv[1], sys.argv[2]) else 'ERR'
def check_password(self, password):
return simplepam.authenticate(self.username, password)
def check_auth(self, user, password): return authenticate(user,password, self.service_name)
def check_auth(username, password, required_scopes=None):
if authenticate(username, password):
return {'sub': username}
return None
def check_password(self, value):
"""Check password."""
return simplepam.authenticate(self.username, self.password)
def check_auth(cls, username, password):
r = authenticate(str(username), str(password), service='sshd')
if not r:
current_app.logger.error(
'[Account System]: %s pam auth failed return: %s', username, r)
return r
def check_auth(username, password):
"""This function is called to check if a username /
password combination is valid.
"""
return simplepam.authenticate(username, password)
import sys from simplepam import authenticate user = sys.argv[1] passwd = sys.argv[2] if authenticate(user,passwd): #0 => means success in exit code sys.exit(0) else: #=>anything else is an error of somekind sys.exit(1)
def check_auth(cls, username, password):
r = authenticate(str(username), str(password), service='sshd')
if not r:
current_app.logger.error('[Account System]: %s pam auth failed return: %s',
username, r)
return r
def authenticate(self, username, password):
# XXX: Should we be picky and check for validity of the UID?
import simplepam
return simplepam.authenticate(username, password, self._service)
def __call__(self, login, password):
if simplepam.authenticate(login, password):
account = pwd.getpwnam(login)
return {"name": account.pw_gecos}
return None
