Ejemplo n.º 1
0
def parse_auth_line(line):
    ldata = line.split(b"|")
    log("found %s fields", len(ldata))
    assert len(ldata) >= 4, "not enough fields"
    #parse fields:
    username = ldata[0]
    password = ldata[1]

    def getsysid(s, get_default_value):
        if s:
            try:
                return int(s)
            except:
                pass
        return get_default_value()

    uid = getsysid(ldata[2], os.getuid)
    gid = getsysid(ldata[3], os.getgid)
    displays = ldata[4].split(b",")
    env_options = {}
    session_options = {}
    if len(ldata) >= 6:
        env_options = parse_simple_dict(ldata[5], ";")
    if len(ldata) >= 7:
        session_options = parse_simple_dict(ldata[6], ";")
    return username, password, uid, gid, displays, env_options, session_options
Ejemplo n.º 2
0
 def authenticate(self, challenge_response, client_salt):
     if not self.salt:
         log.error("Error: illegal challenge response received - salt cleared or unset")
         return None
     #ensure this salt does not get re-used:
     if client_salt is None:
         salt = self.salt
     else:
         salt = xor(self.salt, client_salt)
     self.salt = None
     password = self.get_password()
     if not password:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
         return False
     verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
     log("authenticate(%s) password='******', hex(salt)=%s, hash=%s", challenge_response, nonl(password), binascii.hexlify(strtobytes(salt)), verify)
     if hasattr(hmac, "compare_digest"):
         eq = hmac.compare_digest(verify, challenge_response)
     else:
         eq = verify==challenge_response
     if not eq:
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match", self.username)
         return False
     return True
Ejemplo n.º 3
0
def getgid(v):
    try:
        return int(v)
    except:
        log("gid '%s' is not an int", v)
    if os.name=="posix":
        try:
            import grp          #@UnresolvedImport
            return grp.getgrnam(v or "nobody").gr_gid
        except Exception as e:
            log.error("Error: cannot find gid of '%s': %s", v, e)
        return os.getgid()
    return -1
Ejemplo n.º 4
0
def getuid(v):
    try:
        return int(v)
    except:
        log("uid '%s' is not an int", v)
    if os.name=="posix":
        try:
            import pwd
            return pwd.getpwnam(v or "nobody").pw_uid
        except Exception as e:
            log.error("Error: cannot find uid of '%s': %s", v, e)
        return os.getuid()
    return -1
Ejemplo n.º 5
0
def getgid(v):
    try:
        return int(v)
    except:
        log("gid '%s' is not an int", v)
    if os.name == "posix":
        try:
            import grp  #@UnresolvedImport
            return grp.getgrnam(v or "nobody").gr_gid
        except Exception as e:
            log.error("Error: cannot find gid of '%s': %s", v, e)
        return os.getgid()
    return -1
Ejemplo n.º 6
0
def getuid(v):
    try:
        return int(v)
    except:
        log("uid '%s' is not an int", v)
    if os.name == "posix":
        try:
            import pwd
            return pwd.getpwnam(v or "nobody").pw_uid
        except Exception as e:
            log.error("Error: cannot find uid of '%s': %s", v, e)
        return os.getuid()
    return -1
Ejemplo n.º 7
0
 def authenticate_hmac(self, challenge_response, client_salt):
     log("authenticate_hmac(%s, %s)", challenge_response, client_salt)
     self.sessions = None
     if not self.salt:
         log.error(
             "Error: illegal challenge response received - salt cleared or unset"
         )
         return None
     #ensure this salt does not get re-used:
     salt = self.get_response_salt(client_salt)
     entry = self.get_auth_info()
     if entry is None:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username,
                   self.password_filename)
         return None
     log("authenticate: auth-info(%s)=%s", self.username, entry)
     fpassword, uid, gid, displays, env_options, session_options = entry
     digestmod = get_digest_module(self.digest)
     verify = hmac.HMAC(strtobytes(fpassword),
                        strtobytes(salt),
                        digestmod=digestmod).hexdigest()
     log(
         "multifile authenticate_hmac(%s) password='******', hex(salt)=%s, hash=%s",
         challenge_response, fpassword, binascii.hexlify(strtobytes(salt)),
         verify)
     if not hmac.compare_digest(verify, challenge_response):
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match",
                   self.username)
         return False
     self.sessions = uid, gid, displays, env_options, session_options
     return True
Ejemplo n.º 8
0
 def authenticate_hmac(self, challenge_response, client_salt=None):
     if not self.salt:
         log.error("Error: illegal challenge response received - salt cleared or unset")
         return None
     salt = self.get_response_salt(client_salt)
     password = self.get_password()
     log("authenticate_hmac() get_password()=%s", obsc(password))
     if not password:
         log.warn("Warning: authentication failed")
         log.warn(" no password for '%s' in '%s'", self.username, self.password_filename)
         return False
     if not verify_digest(self.digest, password, salt, challenge_response):
         log.warn("Warning: %s challenge for '%s' does not match", self.digest, self.username)
         return False
     return True
Ejemplo n.º 9
0
def parse_auth_line(line):
    ldata = line.split(b"|")
    log("found %s fields", len(ldata))
    assert len(ldata) >= 4, "not enough fields"
    #parse fields:
    username = ldata[0]
    password = ldata[1]
    uid = getuid(ldata[2])
    gid = getgid(ldata[3])
    displays = ldata[4].split(b",")
    env_options = {}
    session_options = {}
    if len(ldata) >= 6:
        env_options = parse_simple_dict(ldata[5], ";")
    if len(ldata) >= 7:
        session_options = parse_simple_dict(ldata[6], ";")
    return username, password, uid, gid, displays, env_options, session_options
Ejemplo n.º 10
0
def parse_auth_line(line):
    ldata = line.split(b"|")
    log("found %s fields", len(ldata))
    assert len(ldata)>=4, "not enough fields"
    #parse fields:
    username = ldata[0]
    password = ldata[1]
    uid = getuid(ldata[2])
    gid = getgid(ldata[3])
    displays = ldata[4].split(b",")
    env_options = {}
    session_options = {}
    if len(ldata)>=6:
        env_options = parse_simple_dict(ldata[5], ";")
    if len(ldata)>=7:
        session_options = parse_simple_dict(ldata[6], ";")
    return username, password, uid, gid, displays, env_options, session_options
Ejemplo n.º 11
0
 def authenticate(self, challenge_response, client_salt):
     if not self.salt:
         log.error(
             "Error: illegal challenge response received - salt cleared or unset"
         )
         return None
     salt = self.get_response_salt(client_salt)
     password = self.get_password()
     if not password:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username,
                   self.password_filename)
         return False
     if not self.verify_hmac_md5(password, salt):
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match",
                   self.username)
         return False
     return True
Ejemplo n.º 12
0
 def authenticate_hmac(self, challenge_response, client_salt=None):
     log("authenticate_hmac(%r, %r)", challenge_response, client_salt)
     self.sessions = None
     if not self.salt:
         log.error(
             "Error: illegal challenge response received - salt cleared or unset"
         )
         return None
     #ensure this salt does not get re-used:
     salt = self.get_response_salt(client_salt)
     entry = self.get_auth_info()
     if entry is None:
         log.warn("Warning: authentication failed")
         log.warn(" no password for '%s' in '%s'", self.username,
                  self.password_filename)
         return None
     log("authenticate: auth-info(%s)=%s", self.username, entry)
     fpassword, uid, gid, displays, env_options, session_options = entry
     log("multifile authenticate_hmac password='******', hex(salt)=%s",
         fpassword, hexstr(salt))
     if not verify_digest(self.digest, fpassword, salt, challenge_response):
         log.warn("Warning: %s challenge for '%s' does not match",
                  self.digest, self.username)
         return False
     self.sessions = uid, gid, displays, env_options, session_options
     return True
Ejemplo n.º 13
0
 def parse_filedata(self, data):
     if not data:
         return {}
     auth_data = {}
     i = 0
     for line in data.splitlines():
         i += 1
         line = line.strip()
         log("line %s: %s", i, line)
         if not line or line.startswith(b"#"):
             continue
         try:
             v = parse_auth_line(line)
             if v:
                 username, password, uid, gid, displays, env_options, session_options = v
                 if username in auth_data:
                     log.error("Error: duplicate entry for username '%s' in '%s'", username, self.password_filename)
                 else:
                     auth_data[username] = password, uid, gid, displays, env_options, session_options
         except Exception as e:
             log("parsing error", exc_info=True)
             log.error("Error parsing password file '%s' at line %i:", self.password_filename, i)
             log.error(" '%s'", bytestostr(line))
             log.error(" %s", e)
             continue
     log("parsed auth data from file %s: %s", self.password_filename, auth_data)
     return auth_data
Ejemplo n.º 14
0
 def authenticate_hmac(self, challenge_response, client_salt):
     self.sessions = None
     if not self.salt:
         log.error("Error: illegal challenge response received - salt cleared or unset")
         return None
     #ensure this salt does not get re-used:
     if client_salt is None:
         salt = self.salt
     else:
         salt = xor(self.salt, client_salt)
     self.salt = None
     entry = self.get_auth_info()
     log("authenticate(%s) auth-info=%s", self.username, entry)
     if entry is None:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
         return None
     fpassword, uid, gid, displays, env_options, session_options = entry
     verify = hmac.HMAC(strtobytes(fpassword), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
     log("authenticate(%s) password='******', hex(salt)=%s, hash=%s", challenge_response, fpassword, binascii.hexlify(strtobytes(salt)), verify)
     if not hmac.compare_digest(verify, challenge_response):
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match", self.username)
         return False
     self.sessions = uid, gid, displays, env_options, session_options
     return True
Ejemplo n.º 15
0
 def parse_filedata(self, data):
     global socket_dir, socket_dirs
     if not data:
         return {}
     auth_data = {}
     i = 0
     for line in data.splitlines():
         i += 1
         line = line.strip()
         log("line %s: %s", i, line)
         if len(line)==0 or line.startswith(b"#"):
             continue
         try:
             v = parse_auth_line(line)
             if v:
                 username, password, uid, gid, displays, env_options, session_options = v
                 if username in auth_data:
                     log.error("Error: duplicate entry for username '%s' in '%s'", username, self.password_filename)
                 else:
                     auth_data[username] = password, uid, gid, displays, env_options, session_options
         except Exception as e:
             log("parsing error", exc_info=True)
             log.error("Error parsing password file '%s' at line %i:", self.password_filename, i)
             log.error(" '%s'", line)
             log.error(" %s", e)
             continue
     log("parsed auth data from file %s: %s", self.password_filename, auth_data)
     return auth_data
Ejemplo n.º 16
0
 def authenticate(self, challenge_response, client_salt):
     if not self.salt:
         log.error("Error: illegal challenge response received - salt cleared or unset")
         return None
     #ensure this salt does not get re-used:
     if client_salt is None:
         salt = self.salt
     else:
         salt = xor(self.salt, client_salt)
     self.salt = None
     password = self.get_password()
     if not password:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
         return False
     verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=hashlib.md5).hexdigest()
     log("authenticate(%s) password='******', hex(salt)=%s, hash=%s", challenge_response, nonl(password), binascii.hexlify(strtobytes(salt)), verify)
     if not hmac.compare_digest(verify, challenge_response):
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match", self.username)
         return False
     return True
Ejemplo n.º 17
0
 def authenticate_hmac(self, challenge_response, client_salt):
     if not self.salt:
         log.error("Error: illegal challenge response received - salt cleared or unset")
         return None
     salt = self.get_response_salt(client_salt)
     password = self.get_password()
     if not password:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username, self.password_filename)
         return False
     digestmod = get_digest_module(self.digest)
     if not digestmod:
         log.error("Error: %s authentication failed", self)
         log.error(" digest module '%s' is invalid", self.digest)
         return False
     verify = hmac.HMAC(strtobytes(password), strtobytes(salt), digestmod=digestmod).hexdigest()
     log("file authenticate(%s) password='******', salt=%s, hash=%s", nonl(challenge_response), nonl(password), binascii.hexlify(strtobytes(salt)), verify)
     if not hmac.compare_digest(verify, challenge_response):
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match", self.username)
         return False
     return True
Ejemplo n.º 18
0
def parse_auth_line(line):
    ldata = line.split(b"|")
    assert len(ldata)>=2, "not enough fields: %i" % (len(ldata))
    log("found %s fields", len(ldata))
    #parse fields:
    username = ldata[0]
    password = ldata[1]
    if len(ldata)>=5:
        uid = parse_uid(bytestostr(ldata[2]))
        gid = parse_gid(bytestostr(ldata[3]))
        displays = bytestostr(ldata[4]).split(",")
    else:
        #this will use the default value, usually "nobody":
        uid = parse_uid(None)
        gid = parse_gid(None)
        displays = []
    env_options = {}
    session_options = {}
    if len(ldata)>=6:
        env_options = parse_simple_dict(ldata[5], b";")
    if len(ldata)>=7:
        session_options = parse_simple_dict(ldata[6], b";")
    return username, password, uid, gid, displays, env_options, session_options
Ejemplo n.º 19
0
 def authenticate_hmac(self, challenge_response, client_salt):
     self.sessions = None
     if not self.salt:
         log.error(
             "Error: illegal challenge response received - salt cleared or unset"
         )
         return None
     #ensure this salt does not get re-used:
     salt = self.get_response_salt(client_salt)
     entry = self.get_auth_info()
     log("authenticate(%s) auth-info=%s", self.username, entry)
     if entry is None:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username,
                   self.password_filename)
         return None
     fpassword, uid, gid, displays, env_options, session_options = entry
     if not self.verify_hmac_md5(password, salt):
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match",
                   self.username)
         return False
     self.sessions = uid, gid, displays, env_options, session_options
     return True
Ejemplo n.º 20
0
 def authenticate_hmac(self, challenge_response, client_salt):
     self.sessions = None
     if not self.salt:
         log.error(
             "Error: illegal challenge response received - salt cleared or unset"
         )
         return None
     #ensure this salt does not get re-used:
     if client_salt is None:
         salt = self.salt
     else:
         salt = xor(self.salt, client_salt)
     self.salt = None
     entry = self.get_auth_info()
     log("authenticate(%s) auth-info=%s", self.username, entry)
     if entry is None:
         log.error("Error: authentication failed")
         log.error(" no password for '%s' in '%s'", self.username,
                   self.password_filename)
         return None
     fpassword, uid, gid, displays, env_options, session_options = entry
     verify = hmac.HMAC(strtobytes(fpassword),
                        strtobytes(salt),
                        digestmod=hashlib.md5).hexdigest()
     log("authenticate(%s) password='******', hex(salt)=%s, hash=%s",
         challenge_response, fpassword, binascii.hexlify(strtobytes(salt)),
         verify)
     if hasattr(hmac, "compare_digest"):
         eq = hmac.compare_digest(verify, challenge_response)
     else:
         eq = verify == challenge_response
     if not eq:
         log("expected '%s' but got '%s'", verify, challenge_response)
         log.error("Error: hmac password challenge for '%s' does not match",
                   self.username)
         return False
     self.sessions = uid, gid, displays, env_options, session_options
     return True
Ejemplo n.º 21
0
 def get_password(self):
     entry = self.get_auth_info()
     log("get_password() found entry=%s", entry)
     if entry is None:
         return None
     return entry[0]