def requestAvatarId(self, creds):
    """Authenticate a client that presents the single hard-coded RSA key.

    The offered key blob must equal the blob of
    ``keydata.publicRSA_openssh``.  When it matches but the client has
    not supplied a signature yet, ``ValidPublicKey`` is raised; when a
    signature is present it is verified over ``creds.sigData``.

    @param creds: credentials exposing ``blob``, ``signature``,
        ``sigData`` and ``username``.
    @return: ``creds.username`` when the signature verifies.
    @raise ValidPublicKey: the key matches and no signature was supplied.
    @raise UnauthorizedLogin: the key does not match, or the signature
        does not verify.
    """
    # NOTE(review): the username is never checked, so whoever holds the
    # matching private key is accepted under any name they claim.  That
    # looks like test-fixture behaviour; confirm before reusing elsewhere.
    if creds.blob != keys.Key.fromString(keydata.publicRSA_openssh).blob():
        raise UnauthorizedLogin()

    if creds.signature is None:
        # Key is acceptable, but possession has not been proven yet.
        raise ValidPublicKey()

    offered = keys.Key.fromString(creds.blob)
    if offered.verify(creds.signature, creds.sigData):
        return creds.username

    raise UnauthorizedLogin()
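def verify(self, username, credentials, key):
    """Check the client's signature against an already-selected public key.

    Adapted from
    twisted.conch.checkers.SSHPublicKeyDatabase._cbRequestAvatarId.

    Every path that does not end in a successful verification returns a
    ``Failure``, so a signature that merely fails to verify can never
    fall through and yield ``None`` as an avatar id.

    @param username: not used in this method.
    @param credentials: credentials exposing ``signature``, ``sigData``
        and ``username``.
    @param key: key object whose ``verify(signature, data)`` is called.
        NOTE(review): nothing here ties ``key`` to ``credentials.blob``
        or to ``username``; presumably the caller has already selected
        an authorized key for this user -- confirm at the call site.
    @return: ``credentials.username`` on success, otherwise a ``Failure``
        wrapping ``ValidPublicKey`` (no signature supplied yet) or
        ``UnauthorizedLogin`` (verification failed or raised).
    """
    if not credentials.signature:
        # No signature ready: report that the key itself is acceptable.
        return Failure(ValidPublicKey())

    # Ready, verify it.
    try:
        if key.verify(credentials.signature, credentials.sigData):
            return credentials.username
    except Exception:
        # Any error while verifying counts as a failed login.  Only
        # Exception is caught so KeyboardInterrupt / SystemExit are not
        # swallowed by the authentication path.
        log.err()

    # Fail closed: reached both when verify() returned a false value and
    # when it raised.
    return Failure(UnauthorizedLogin("key could not verified"))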
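def requestAvatarId(self, credentials):
    """Authenticate an SSH public-key login against the sftp_user table.

    The client's signature is first verified with the key the client
    itself offered; the offered key blob is then compared with the
    ``ssh_public_key`` stored for ``credentials.username``.  Both checks
    must pass.  The username reaches the database only as a bound query
    parameter, never through string formatting.

    This is a generator (``yield`` / ``defer.returnValue``), so it is
    presumably wrapped by ``defer.inlineCallbacks``; the decorator is
    not visible here.

    @param credentials: credentials exposing ``blob``, ``signature``,
        ``sigData`` and ``username``.
    @return: ``credentials.username`` (via ``defer.returnValue``).
    @raise ValidPublicKey: no signature was supplied.
    @raise error.UnauthorizedLogin: unknown user, signature or key
        mismatch, or an unusable stored key.
    """
    if not credentials.signature:
        raise ValidPublicKey()

    offered = keys.Key.fromString(credentials.blob)
    if offered.verify(credentials.signature, credentials.sigData):
        result = yield self.db.runQuery(
            'SELECT * FROM sftp_user WHERE username = %s',
            [credentials.username])
        if not result:
            raise error.UnauthorizedLogin('Invalid login.')

        try:
            # Stored value is expected as "<type> <base64-blob> [comment]".
            # A row with a missing field (IndexError) or a NULL column
            # (AttributeError) is handled like undecodable base64: logged,
            # then rejected as an ordinary failed login rather than
            # surfacing as an unrelated exception.
            stored_blob = base64.decodestring(
                result[0]['ssh_public_key'].split()[1])
        except (binascii.Error, IndexError, AttributeError) as e:
            log.err("Couldn't decode ssh_public_key on file for %s: %s" % (credentials.username, e))
        else:
            if stored_blob == credentials.blob:
                defer.returnValue(credentials.username)

    # Fail closed on every path that did not return a username.
    raise error.UnauthorizedLogin("invalid key")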
def requestAvatarId(self, credentials):
    """Authenticate an SSH public-key login against the configured accounts.

    Only the first account whose ``NAME`` equals ``credentials.username``
    is considered.  Each of its keys with a non-empty ``PUBLIC/FILE`` is
    loaded from disk; the login succeeds when one of them has the same
    blob as the offered key and verifies the signature.

    NOTE: when ``ACCOUNTS`` is empty, every client is accepted with
    avatar id ``-1`` and the offered key is never examined.  A deployment
    that needs authentication must configure at least one account.

    @param credentials: credentials exposing ``blob``, ``signature``,
        ``sigData`` and ``username``.
    @return: a Deferred that fires with the index of the matching
        account (``-1`` when no accounts are configured), or fails with
        ``ValidPublicKey`` (no signature supplied) or
        ``UnauthorizedLogin``.
    """
    twunnel.logger.log(
        3, "trace: SSHPrivateKeyCredentialsChecker.requestAvatarId")

    accounts = self.configuration["REMOTE_PROXY_SERVER"]["ACCOUNTS"]
    if len(accounts) == 0:
        # No accounts configured: authentication is effectively disabled.
        return defer.succeed(-1)

    if not credentials.signature:
        return defer.fail(ValidPublicKey())

    for index, account in enumerate(accounts):
        if account["NAME"] != credentials.username:
            continue

        for key_entry in account["KEYS"]:
            public = key_entry["PUBLIC"]
            if public["FILE"] == "":
                continue
            key = keys.Key.fromFile(
                public["FILE"], passphrase=str(public["PASSPHRASE"]))
            # Both the key identity and the signature must match; a key
            # that matches but fails verification does not end the search.
            if key.blob() == credentials.blob and key.verify(
                    credentials.signature, credentials.sigData):
                return defer.succeed(index)

        # The account exists but none of its keys authenticated the client.
        twunnel.logger.log(1, "ERROR_ACCOUNT_KEYS_PUBLIC")
        return defer.fail(
            UnauthorizedLogin("ERROR_ACCOUNT_KEYS_PUBLIC"))

    twunnel.logger.log(1, "ERROR_ACCOUNT_NAME")
    return defer.fail(UnauthorizedLogin("ERROR_ACCOUNT_NAME"))
def requestAvatarId(self, credentials):
    """Authenticate an SSH public-key login against the AUTHENTICATION list.

    Only the first entry whose ``USERNAME`` equals
    ``credentials.username`` is considered, and within it only the first
    key (with a non-empty ``PUBLIC/FILE``) whose blob equals the offered
    key blob.  That single key decides the outcome.

    NOTE: when ``AUTHENTICATION`` is empty, every client is accepted
    under the username it claims and the offered key is never examined.
    A deployment that needs authentication must configure at least one
    entry.

    @param credentials: credentials exposing ``blob``, ``signature``,
        ``sigData`` and ``username``.
    @return: a Deferred that fires with ``credentials.username``, or
        fails with ``ValidPublicKey`` (matching key, no signature yet)
        or ``UnauthorizedLogin`` (unknown username, no matching key, or
        a signature that does not verify).
    """
    logger.debug("SSHPrivateKeyCredentialsChecker.requestAvatarId")

    entries = self.configuration["REMOTE_PROXY_SERVER"]["AUTHENTICATION"]
    if len(entries) == 0:
        # Nothing configured: authentication is effectively disabled.
        return defer.succeed(credentials.username)

    for entry in entries:
        if entry["USERNAME"] != credentials.username:
            continue

        for key_entry in entry["KEYS"]:
            public = key_entry["PUBLIC"]
            if public["FILE"] == "":
                continue
            key = keys.Key.fromFile(
                public["FILE"], passphrase=str(public["PASSPHRASE"]))
            if key.blob() != credentials.blob:
                continue

            # The offered key is a configured one; the signature decides.
            if credentials.signature is None:
                return defer.fail(
                    ValidPublicKey("ERROR_CREDENTIALS_SIGNATURE"))
            if key.verify(credentials.signature, credentials.sigData):
                return defer.succeed(credentials.username)
            return defer.fail(
                UnauthorizedLogin("ERROR_CREDENTIALS_SIGNATURE"))

        # The username is known but the offered key is not one of its keys.
        return defer.fail(UnauthorizedLogin("ERROR_CREDENTIALS_BLOB"))

    return defer.fail(UnauthorizedLogin("ERROR_CREDENTIALS_USERNAME"))
def _sanityCheckKey(self, credentials):
    """
    Parse the key offered in the credentials, provided a signature
    accompanies it.

    The signature is only checked for presence here; it is B{not}
    verified.  A key returned by this method therefore proves nothing
    about possession of the private key until the caller verifies the
    signature itself.

    @param credentials: The L{ISSHPrivateKey} provider credentials
        offered by the user.

    @raise ValidPublicKey: the credentials do not include a signature.
        See L{error.ValidPublicKey} for more information.

    @raise BadKeyError: the key included with the credentials is not
        recognized as a key

    @return: L{twisted.conch.ssh.keys.Key} of the key in the credentials
    """
    if credentials.signature:
        return Key.fromString(credentials.blob)
    raise ValidPublicKey()