Ejemplo n.º 1
 def requestAvatarId(self, creds):
     """Authenticate an SSH public-key login against one fixed key.

     The offered key blob must equal the blob of
     ``keydata.publicRSA_openssh``. Raises ``ValidPublicKey`` when the key
     matches but no signature was sent yet, and ``UnauthorizedLogin`` for a
     different key or a signature that does not verify. Returns
     ``creds.username`` on success.
     """
     # NOTE(review): the username is returned exactly as the client sent it
     # and is never tied to the key here, so the holder of the matching
     # private key is accepted under any name -- confirm that is intended.
     expected_blob = keys.Key.fromString(keydata.publicRSA_openssh).blob()
     if creds.blob != expected_blob:
         raise UnauthorizedLogin()

     # A key offer without a signature is only a query about the key.
     if creds.signature is None:
         raise ValidPublicKey()

     offered_key = keys.Key.fromString(creds.blob)
     if offered_key.verify(creds.signature, creds.sigData):
         return creds.username
     raise UnauthorizedLogin()
Ejemplo n.º 2
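 def verify(self, username, credentials, key):
     """Check the signature in ``credentials`` with ``key``.

     Modelled on
     twisted.conch.checkers.SSHPublicKeyDatabase._cbRequestAvatarId.

     Returns ``credentials.username`` when the signature verifies, a
     ``Failure(ValidPublicKey())`` when no signature was supplied, and a
     ``Failure(UnauthorizedLogin(...))`` in every other case. The
     ``username`` argument is not used by this method.
     """
     if not credentials.signature:
         # No signature ready
         return Failure(ValidPublicKey())

     try:
         if key.verify(credentials.signature, credentials.sigData):
             return credentials.username
     except Exception:
         # Any error while verifying is treated as a failed login.
         log.err()
         return Failure(UnauthorizedLogin("key could not verified"))

     # Fail closed: a signature that does not verify must not fall off the
     # end of the function and return None, which a caller could take for a
     # successful result.
     return Failure(UnauthorizedLogin("unable to verify key"))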
Ejemplo n.º 3
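	def requestAvatarId(self, credentials):
		"""Authenticate an SSH public-key login against the sftp_user table.

		Generator-style method: it yields the database query and finishes
		with defer.returnValue, which suggests it runs under
		@defer.inlineCallbacks (decorator not visible here -- confirm).

		Raises ValidPublicKey when no signature was sent, and
		error.UnauthorizedLogin when the signature does not verify, the user
		is unknown, the stored key cannot be decoded, or the stored key
		differs from the offered one. Produces credentials.username on
		success.
		"""
		if not credentials.signature:
			raise ValidPublicKey()

		# Fail closed: without this raise a bad signature would fall off the
		# end of the generator and finish with None instead of an error.
		if not keys.Key.fromString(credentials.blob).verify(credentials.signature, credentials.sigData):
			raise error.UnauthorizedLogin('Invalid login.')

		# The username is passed as a query parameter, never interpolated.
		result = yield self.db.runQuery('SELECT * FROM sftp_user WHERE username = %s', [credentials.username])
		if not(result):
			raise error.UnauthorizedLogin('Invalid login.')

		try:
			# Stored value is split on whitespace; field 1 is base64-decoded.
			stored_blob = base64.decodestring(result[0]['ssh_public_key'].split()[1])
		except (binascii.Error, IndexError) as e:
			# IndexError covers a stored key with fewer than two fields.
			log.err("Couldn't decode ssh_public_key on file for %s: %s" % (credentials.username, e))
			raise error.UnauthorizedLogin("invalid key")

		# The offered key must be the one on file for this user; a mismatch
		# is an explicit failure rather than a silent None result.
		if stored_blob != credentials.blob:
			raise error.UnauthorizedLogin('Invalid login.')

		defer.returnValue(credentials.username)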
Ejemplo n.º 4
    def requestAvatarId(self, credentials):
        """Authenticate an SSH public-key login against configured accounts.

        Returns a Deferred that succeeds with the index of the matching
        entry in ``REMOTE_PROXY_SERVER.ACCOUNTS`` (or ``-1`` when no
        accounts are configured), or fails with ``ValidPublicKey`` when no
        signature was sent, or ``UnauthorizedLogin`` when the account name
        is unknown or none of its public keys verifies the signature.
        """
        twunnel.logger.log(
            3, "trace: SSHPrivateKeyCredentialsChecker.requestAvatarId")

        accounts = self.configuration["REMOTE_PROXY_SERVER"]["ACCOUNTS"]

        # NOTE(review): an empty account list accepts every client as
        # avatar -1 before any key or signature is examined.
        if len(accounts) == 0:
            return defer.succeed(-1)

        if not credentials.signature:
            return defer.fail(ValidPublicKey())

        for index, account in enumerate(accounts):
            if account["NAME"] != credentials.username:
                continue

            for entry in account["KEYS"]:
                public = entry["PUBLIC"]
                if public["FILE"] == "":
                    continue

                key = keys.Key.fromFile(
                    public["FILE"], passphrase=str(public["PASSPHRASE"]))

                # The offered blob must match this key AND the signature
                # must verify under it; otherwise try the next key.
                if key.blob() == credentials.blob and key.verify(
                        credentials.signature, credentials.sigData):
                    return defer.succeed(index)

            # Only the first account with a matching name is considered.
            twunnel.logger.log(1, "ERROR_ACCOUNT_KEYS_PUBLIC")
            return defer.fail(
                UnauthorizedLogin("ERROR_ACCOUNT_KEYS_PUBLIC"))

        twunnel.logger.log(1, "ERROR_ACCOUNT_NAME")
        return defer.fail(UnauthorizedLogin("ERROR_ACCOUNT_NAME"))
Ejemplo n.º 5
 def requestAvatarId(self, credentials):
     """Authenticate an SSH public-key login against configured users.

     Returns a Deferred that succeeds with ``credentials.username`` or
     fails with ``ValidPublicKey`` (matching key, no signature yet) or
     ``UnauthorizedLogin`` (unknown username, no matching key, or a
     signature that does not verify).
     """
     logger.debug("SSHPrivateKeyCredentialsChecker.requestAvatarId")

     entries = self.configuration["REMOTE_PROXY_SERVER"]["AUTHENTICATION"]

     # NOTE(review): an empty AUTHENTICATION list accepts every client
     # under whatever username it sent, with no key check at all.
     if len(entries) == 0:
         return defer.succeed(credentials.username)

     for entry in entries:
         if entry["USERNAME"] != credentials.username:
             continue

         for key_entry in entry["KEYS"]:
             public = key_entry["PUBLIC"]
             if public["FILE"] == "":
                 continue

             key = keys.Key.fromFile(public["FILE"], passphrase=str(public["PASSPHRASE"]))
             if key.blob() != credentials.blob:
                 continue

             # First key whose blob matches decides the outcome.
             if credentials.signature is None:
                 return defer.fail(ValidPublicKey("ERROR_CREDENTIALS_SIGNATURE"))

             if key.verify(credentials.signature, credentials.sigData):
                 return defer.succeed(credentials.username)

             return defer.fail(UnauthorizedLogin("ERROR_CREDENTIALS_SIGNATURE"))

         # Only the first entry with a matching username is considered.
         return defer.fail(UnauthorizedLogin("ERROR_CREDENTIALS_BLOB"))

     return defer.fail(UnauthorizedLogin("ERROR_CREDENTIALS_USERNAME"))
Ejemplo n.º 6
    def _sanityCheckKey(self, credentials):
        """
        Parse the key carried by the credentials, provided a signature
        accompanies it. The signature itself is NOT verified here; callers
        must still verify it before treating the login as authenticated.

        @param credentials: The L{ISSHPrivateKey} provider credentials
            offered by the user.

        @raise ValidPublicKey: the credentials carry no signature. See
            L{error.ValidPublicKey} for more information.

        @raise BadKeyError: the blob in the credentials is not recognized
            as a key

        @return: L{twisted.conch.ssh.keys.Key} built from the blob in the
            credentials
        """
        if credentials.signature:
            return Key.fromString(credentials.blob)

        # No signature: the client is only asking whether the key is usable.
        raise ValidPublicKey()