def _gssapi_authenticate(token): ''' Performs GSSAPI Negotiate Authentication On success also stashes the server response token for mutual authentication at the top of request context with the name kerberos_token, along with the authenticated user principal with the name kerberos_user. @param token: GSSAPI Authentication Token @type token: str @returns gssapi return code or None on failure @rtype: int or None ''' state = None ctx = stack.top try: rc, state = kerberos.authGSSServerInit(_SERVICE_NAME) if rc != kerberos.AUTH_GSS_COMPLETE: return None rc = kerberos.authGSSServerStep(state, token) if rc == kerberos.AUTH_GSS_COMPLETE: ctx.kerberos_token = kerberos.authGSSServerResponse(state) ctx.kerberos_user = kerberos.authGSSServerUserName(state) return rc elif rc == kerberos.AUTH_GSS_CONTINUE: return kerberos.AUTH_GSS_CONTINUE else: return None except kerberos.GSSError: return None finally: if state: kerberos.authGSSServerClean(state)
def auth_negotiate(self, auth_header, callback): """ Perform Negotiate (GSSAPI/SSO) authentication via Kerberos. """ auth_str = auth_header.split()[1] # Initialize Kerberos Context context = None try: result, context = kerberos.authGSSServerInit( self.settings['sso_service']) if result is not kerberos.AUTH_GSS_COMPLETE: raise tornado.web.HTTPError(500, "Kerberos Init failed") result = kerberos.authGSSServerStep(context, auth_str) if result is kerberos.AUTH_GSS_COMPLETE: gss_string = kerberos.authGSSServerResponse(context) self.set_header('WWW-Authenticate', f"Negotiate {gss_string}") else: # Fall back to Basic auth self.auth_basic(auth_header, callback) # NOTE: The user we get from Negotiate is a full UPN (user@REALM) user = kerberos.authGSSServerUserName(context) except (kerberos.GSSError, pywintypes_error) as e: logging.error(f"Kerberos Error: {e}") raise tornado.web.HTTPError(500, "Kerberos Init failed") finally: if context: kerberos.authGSSServerClean(context) callback(user)
def _gssapi_authenticate(token, service_name=None): """ Performs GSSAPI Negotiate Authentication On success also stashes the server response token for mutual authentication at the top of request context with the name kerberos_token, along with the authenticated user principal with the name kerberos_user. :param token: GSSAPI Authentication Token :type token: str :param service_name: Service name for example - "*****@*****.**" :type service_name: str :returns gssapi return code or None on failure :rtype: int or None """ state = None service_name = service_name or _service_name try: logger.debug(f'Kerberos: service name is {service_name}') result, state = kerberos.authGSSServerInit(service_name) if result != kerberos.AUTH_GSS_COMPLETE: return None logger.debug(f'Kerberos: state is {state}') result = kerberos.authGSSServerStep(state, token) if result == kerberos.AUTH_GSS_COMPLETE: _kerberos_token.set(kerberos.authGSSServerResponse(state)) _kerberos_user.set(kerberos.authGSSServerUserName(state)) return result elif result == kerberos.AUTH_GSS_CONTINUE: return kerberos.AUTH_GSS_CONTINUE else: return None except (kerberos.GSSError, pywintypes_error) as error: logger.debug(f'Kerberos: {error}') return None finally: if state: kerberos.authGSSServerClean(state)
response = k.authGSSClientResponse(client) if sres == k.AUTH_GSS_CONTINUE: sres = k.authGSSServerStep(server, response) if sres == -1: print( "serverstep error") break response = k.authGSSServerResponse(server) print( "round:", round) print( "server status :", sres) print( "client status :", cres) round += 1 if sres == k.AUTH_GSS_COMPLETE and cres == k.AUTH_GSS_COMPLETE: print( "client: my username:"******"server: who authenticated to me:", k.authGSSServerUserName(server)) print( "server: my spn:", k.authGSSServerTargetName(server)) print( "********* encryption test ***********") err=k.authGSSClientWrap(client, encodestring(b("Hello"))) if err == 1: encstring=k.authGSSClientResponse(client) print( "encstring:", encstring, encodestring(b("Hello"))) decerr=k.authGSSClientUnwrap(server, encstring) if decerr == 1: encstring=k.authGSSServerResponse(server) print( decodestring(encstring)) # user case on wrap import struct import logging logging.basicConfig(level=logging.INFO)
response = "" counter = 0 while server_response == kerberos.AUTH_GSS_CONTINUE or client_response == kerberos.AUTH_GSS_CONTINUE: if client_response == kerberos.AUTH_GSS_CONTINUE: client_response = kerberos.authGSSClientStep(client, response) if client_response == -1: print("Client step error") break response = kerberos.authGSSClientResponse(client) if server_response == kerberos.AUTH_GSS_CONTINUE: server_response = kerberos.authGSSServerStep(server, response) if server_response == -1: print("Server step error") break response = kerberos.authGSSServerResponse(server) print("Counter: ", counter) print("Server status: ", server_response) print("Client status: ", client_response) counter += 1 if server_response == kerberos.AUTH_GSS_COMPLETE and client_response == kerberos.AUTH_GSS_COMPLETE: print("client: my username:"******"server: who authenticated to me:", kerberos.authGSSServerUserName(server)) print("server: my spn:", kerberos.authGSSServerTargetName(server)) else: print("failed!")
response = k.authGSSClientResponse(client) if sres == k.AUTH_GSS_CONTINUE: sres = k.authGSSServerStep(server, response) if sres == -1: print("serverstep error") break response = k.authGSSServerResponse(server) print("round:", round) print("server status :", sres) print("client status :", cres) round += 1 if sres == k.AUTH_GSS_COMPLETE and cres == k.AUTH_GSS_COMPLETE: print("client: my username:"******"server: who authenticated to me:", k.authGSSServerUserName(server)) print("server: my spn:", k.authGSSServerTargetName(server)) print("********* encryption test ***********") err = k.authGSSClientWrap(client, encodestring(b("Hello"))) if err == 1: encstring = k.authGSSClientResponse(client) print("encstring:", encstring, encodestring(b("Hello"))) decerr = k.authGSSClientUnwrap(server, encstring) if decerr == 1: encstring = k.authGSSServerResponse(server) print(decodestring(encstring)) # user case on wrap import struct import logging logging.basicConfig(level=logging.INFO)