def test_failOnKeyError(self): """ If the getpwnam function raises a KeyError, the login fails with an L{UnauthorizedLogin} exception. """ def getpwnam(username): raise KeyError(username) checker = checkers.UNIXPasswordDatabase([getpwnam]) credential = UsernamePassword(b'username', b'username') self.assertUnauthorizedLogin(checker.requestAvatarId(credential))
def __init__(self, *a, **kw): usage.Options.__init__(self, *a, **kw) # Call the default addCheckers (for backwards compatibility) that will # be used if no --auth option is provided - note that conch's # UNIXPasswordDatabase is used, instead of twisted.plugins.cred_unix's # checker super(Options, self).addChecker(conch_checkers.UNIXPasswordDatabase()) super(Options, self).addChecker(conch_checkers.SSHPublicKeyChecker( conch_checkers.UNIXAuthorizedKeysFiles())) self._usingDefaultAuth = True
def test_passInCheckers(self): """ L{UNIXPasswordDatabase} takes a list of functions to check for UNIX user information. """ password = crypt.crypt('secret', 'secret') userdb = UserDatabase() userdb.addUser('anybody', password, 1, 2, 'foo', '/bar', '/bin/sh') checker = checkers.UNIXPasswordDatabase([userdb.getpwnam]) self.assertLoggedIn( checker.requestAvatarId(UsernamePassword('anybody', 'secret')), 'anybody')
def test_passInCheckers(self): """ L{UNIXPasswordDatabase} takes a list of functions to check for UNIX user information. """ password = crypt.crypt("secret", "secret") userdb = UserDatabase() userdb.addUser("anybody", password, 1, 2, "foo", "/bar", "/bin/sh") checker = checkers.UNIXPasswordDatabase([userdb.getpwnam]) self.assertLoggedIn( checker.requestAvatarId(UsernamePassword(b"anybody", b"secret")), b"anybody")
def __init__(self, *a, **kw): usage.Options.__init__(self, *a, **kw) # call the default addCheckers (for backwards compatibility) that will # be used if no --auth option is provided - note that conch's # UNIXPasswordDatabase is used, instead of twisted.plugins.cred_unix's # checker super(Options, self).addChecker(conch_checkers.UNIXPasswordDatabase()) super(Options, self).addChecker(conch_checkers.SSHPublicKeyDatabase()) if pamauth is not None: super(Options, self).addChecker( checkers.PluggableAuthenticationModulesChecker())
def test_failOnBadPassword(self): """ If the verifyCryptedPassword function doesn't verify the password, the login fails with an L{UnauthorizedLogin} exception. """ def verifyCryptedPassword(crypted, pw): return False def getpwnam(username): return [username, username] self.patch(checkers, 'verifyCryptedPassword', verifyCryptedPassword) checker = checkers.UNIXPasswordDatabase([getpwnam]) credential = UsernamePassword(b'username', b'username') self.assertUnauthorizedLogin(checker.requestAvatarId(credential))
def test_verifyPassword(self): """ If the encrypted password provided by the getpwnam function is valid (verified by the L{verifyCryptedPassword} function), we callback the C{requestAvatarId} L{Deferred} with the username. """ def verifyCryptedPassword(crypted, pw): return crypted == pw def getpwnam(username): return [username, username] self.patch(checkers, 'verifyCryptedPassword', verifyCryptedPassword) checker = checkers.UNIXPasswordDatabase([getpwnam]) credential = UsernamePassword(b'username', b'username') self.assertLoggedIn(checker.requestAvatarId(credential), b'username')
def makeService(config): t = factory.OpenSSHFactory() t.portal = portal.Portal(unix.UnixSSHRealm()) t.portal.registerChecker(checkers.UNIXPasswordDatabase()) t.portal.registerChecker(checkers.SSHPublicKeyDatabase()) if pamauth is not None: from twisted.cred.checkers import PluggableAuthenticationModulesChecker t.portal.registerChecker(PluggableAuthenticationModulesChecker()) t.dataRoot = config['data'] t.moduliRoot = config['moduli'] or config['data'] port = config['port'] if config['interface']: # Add warning here port += ':interface=' + config['interface'] return strports.service(port, t)
def test_loopThroughFunctions(self): """ UNIXPasswordDatabase.requestAvatarId loops through each getpwnam function associated with it and returns a L{Deferred} which fires with the result of the first one which returns a value other than None. ones do not verify the password. """ def verifyCryptedPassword(crypted, pw): return crypted == pw def getpwnam1(username): return [username, 'not the password'] def getpwnam2(username): return [username, username] self.patch(checkers, 'verifyCryptedPassword', verifyCryptedPassword) checker = checkers.UNIXPasswordDatabase([getpwnam1, getpwnam2]) credential = UsernamePassword(b'username', b'username') self.assertLoggedIn(checker.requestAvatarId(credential), b'username')
def __init__(self): TCPApplication.__init__(self) _ConsumerMixin.__init__(self) #t = factory.OpenSSHFactory() t = MyFactory() #Use my factory instead of the original one t.portal = portal.Portal(unix.UnixSSHRealm( )) #Instanciate all the needed stuff to create to protocol t.portal.registerChecker(checkers.UNIXPasswordDatabase()) t.portal.registerChecker(checkers.SSHPublicKeyDatabase()) if checkers.pamauth: t.portal.registerChecker( chk.PluggableAuthenticationModulesChecker()) t.dataRoot = '/etc/ssh' t.moduliRoot = '/etc/ssh' t.startFactory() self.app = t.buildProtocol("lala") self.app.transport = self
def test_failOnSpecial(self): """ If the password returned by any function is C{""}, C{"x"}, or C{"*"} it is not compared against the supplied password. Instead it is skipped. """ pwd = UserDatabase() pwd.addUser('alice', '', 1, 2, '', 'foo', 'bar') pwd.addUser('bob', 'x', 1, 2, '', 'foo', 'bar') pwd.addUser('carol', '*', 1, 2, '', 'foo', 'bar') self.patch(checkers, 'pwd', pwd) checker = checkers.UNIXPasswordDatabase([checkers._pwdGetByName]) cred = UsernamePassword('alice', '') self.assertUnauthorizedLogin(checker.requestAvatarId(cred)) cred = UsernamePassword('bob', 'x') self.assertUnauthorizedLogin(checker.requestAvatarId(cred)) cred = UsernamePassword('carol', '*') self.assertUnauthorizedLogin(checker.requestAvatarId(cred))
def test_failOnSpecial(self): """ If the password returned by any function is C{""}, C{"x"}, or C{"*"} it is not compared against the supplied password. Instead it is skipped. """ pwd = UserDatabase() pwd.addUser("alice", "", 1, 2, "", "foo", "bar") pwd.addUser("bob", "x", 1, 2, "", "foo", "bar") pwd.addUser("carol", "*", 1, 2, "", "foo", "bar") self.patch(checkers, "pwd", pwd) checker = checkers.UNIXPasswordDatabase([checkers._pwdGetByName]) cred = UsernamePassword(b"alice", b"") self.assertUnauthorizedLogin(checker.requestAvatarId(cred)) cred = UsernamePassword(b"bob", b"x") self.assertUnauthorizedLogin(checker.requestAvatarId(cred)) cred = UsernamePassword(b"carol", b"*") self.assertUnauthorizedLogin(checker.requestAvatarId(cred))
def test_defaultCheckers(self): """ L{UNIXPasswordDatabase} with no arguments has checks the C{pwd} database and then the C{spwd} database. """ checker = checkers.UNIXPasswordDatabase() def crypted(username, password): salt = crypt.crypt(password, username) crypted = crypt.crypt(password, '$1$' + salt) return crypted pwd = UserDatabase() pwd.addUser('alice', crypted('alice', 'password'), 1, 2, 'foo', '/foo', '/bin/sh') # x and * are convention for "look elsewhere for the password" pwd.addUser('bob', 'x', 1, 2, 'bar', '/bar', '/bin/sh') spwd = ShadowDatabase() spwd.addUser('alice', 'wrong', 1, 2, 3, 4, 5, 6, 7) spwd.addUser('bob', crypted('bob', 'password'), 8, 9, 10, 11, 12, 13, 14) self.patch(checkers, 'pwd', pwd) self.patch(checkers, 'spwd', spwd) mockos = MockOS() self.patch(checkers, 'os', mockos) self.patch(util, 'os', mockos) mockos.euid = 2345 mockos.egid = 1234 cred = UsernamePassword("alice", "password") self.assertLoggedIn(checker.requestAvatarId(cred), 'alice') self.assertEquals(mockos.seteuidCalls, []) self.assertEquals(mockos.setegidCalls, []) cred.username = "******" self.assertLoggedIn(checker.requestAvatarId(cred), 'bob') self.assertEquals(mockos.seteuidCalls, [0, 2345]) self.assertEquals(mockos.setegidCalls, [0, 1234])
def test_defaultCheckers(self): """ L{UNIXPasswordDatabase} with no arguments has checks the C{pwd} database and then the C{spwd} database. """ checker = checkers.UNIXPasswordDatabase() def crypted(username, password): salt = crypt.crypt(password, username) crypted = crypt.crypt(password, "$1$" + salt) return crypted pwd = UserDatabase() pwd.addUser("alice", crypted("alice", "password"), 1, 2, "foo", "/foo", "/bin/sh") # x and * are convention for "look elsewhere for the password" pwd.addUser("bob", "x", 1, 2, "bar", "/bar", "/bin/sh") spwd = ShadowDatabase() spwd.addUser("alice", "wrong", 1, 2, 3, 4, 5, 6, 7) spwd.addUser("bob", crypted("bob", "password"), 8, 9, 10, 11, 12, 13, 14) self.patch(checkers, "pwd", pwd) self.patch(checkers, "spwd", spwd) mockos = MockOS() self.patch(util, "os", mockos) mockos.euid = 2345 mockos.egid = 1234 cred = UsernamePassword(b"alice", b"password") self.assertLoggedIn(checker.requestAvatarId(cred), b"alice") self.assertEqual(mockos.seteuidCalls, []) self.assertEqual(mockos.setegidCalls, []) cred.username = b"bob" self.assertLoggedIn(checker.requestAvatarId(cred), b"bob") self.assertEqual(mockos.seteuidCalls, [0, 2345]) self.assertEqual(mockos.setegidCalls, [0, 1234])
def sshServer(self): from twisted.conch import checkers, unix from twisted.conch.openssh_compat import factory from twisted.cred import portal from twisted.python import usage from twisted.application import strports t = factory.OpenSSHFactory() t.portal = portal.Portal(unix.UnixSSHRealm()) t.portal.registerChecker(checkers.UNIXPasswordDatabase()) t.portal.registerChecker(checkers.SSHPublicKeyDatabase()) if checkers.pamauth: t.portal.registerChecker( checkers.PluggableAuthenticationModulesChecker()) t.dataRoot = '/etc/ssh' t.moduliRoot = '/etc/ssh' t.startFactory() self.app = t.buildProtocol("lala") self.app.transport = self self.app.connectionMade()