def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
try:
if data['custom'] == 'on':
self.log.debug("Changing spawner class...")
self.custom = True
if data['memory']:
self.memory = int(data['memory'])
if data['cpus']:
self.cpus = int(data['cpus'])
if data['tasks']:
self.tasks = int(data['tasks'])
if data['time']:
self.time = data['time']
if data['node']:
self.nodes = int(data['node'])
except KeyError as e:
self.log.debug("Ignoring custom settings...")
username = data['username']
try:
pamela.authenticate(username,
data['password'],
service=self.service)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s",
username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username']
try:
pamela.authenticate(username,
data['password'],
service=self.service,
encoding=self.encoding)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s",
username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
if not self.check_account:
return username
try:
pamela.check_account(username,
service=self.service,
encoding=self.encoding)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Account Check failed (%s@%s): %s",
username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Account Check failed: %s", e)
else:
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
Establish credentials when authenticating instead of reinitializing them
so that a Kerberos cred cache has the proper UID in it.
"""
username = data["username"]
try:
pamela.authenticate(
username,
data["password"],
service=self.service,
resetcred=pamela.PAM_ESTABLISH_CRED,
)
except pamela.PAMError as e:
if handler is not None:
self.log.warning(
"PAM Authentication failed (%s@%s): %s",
username,
handler.request.remote_ip,
e,
)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username']
try:
pamela.authenticate(username, data['password'], service=self.service, encoding=self.encoding)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s", username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
if not self.check_account:
return username
try:
pamela.check_account(username, service=self.service, encoding=self.encoding)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Account Check failed (%s@%s): %s", username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Account Check failed: %s", e)
else:
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
# we use the yubikey_mappings to find username for a given yubikey id
# this way, user doesn't even need to know the UNIX username associated
# with their yubikey
def parse_mapping(line):
""" Returns (yubikey_id, username) pair """
return reversed(line.split(':'))
# We read the mapping file at every authenticate call in case it changed
yubikey_id_to_username = dict(
parse_mapping(l.strip()) for l in open(self.yubikey_mappings_path)
if l.strip())
yubikey_id = data['password'][0:12]
username = yubikey_id_to_username.get(yubikey_id, None)
try:
pamela.authenticate(username,
data['password'],
service=self.service)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s",
username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
return username
def authenticate(username: str,
password: str,
pam_service: str = 'sftplogin',
**kwargs) -> bool:
try:
pamela.authenticate(username, password, pam_service)
return True
except pamela.PAMError:
return False
async def authenticate(self, username: str, password: str):
import pamela
try:
pamela.authenticate(username, password, service=self.service)
except pamela.PAMError:
# Authentication failed.
return
else:
return username
def authenticate():
user = getpass.getuser()
while True:
password = getpass.getpass(prompt='')
try:
pam.authenticate(user, password)
return
except pam.PAMError:
continue
def auth(username, password):
from pamela import authenticate, open_session, PAMError
try:
authenticate(username, password, service=settings.ANTILLES_PAM_SERVICE)
except PAMError:
raise
try:
open_session(username, service=settings.ANTILLES_PAM_SERVICE)
except PAMError:
logger.exception('Error call "open_session"')
def check_credentials(username, password):
if app.config['TESTING']:
return re.match(r'^test0(00[1-9]|0[1-9][0-9]|[1-4][0-9][0-9]|500)$',
username) and password == 'test'
else:
try:
pamela.authenticate(username, password, service='login')
except pamela.PAMError as e:
print(e)
return False
return True
def process_login_form(self, handler):
username = getuser()
password = handler.get_argument("password", "")
try:
authenticate(username, password)
except PAMError as e:
self.log.error(f"Failed login for {username}: {e}")
return None
user_info = pwd.getpwnam(username)
# get human name from pwd, if not empty
return User(username=username, name=user_info.pw_gecos or username)
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username']
if not self.check_whitelist(username):
return
try:
pamela.authenticate(username, data['password'], service=self.service)
except pamela.PAMError as e:
self.log.warn("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, handler, data):
username = data['username']
try:
pamela.authenticate(username,
data['password'],
service=self.service,
resetcred=pamela.PAM_ESTABLISH_CRED)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s",
username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username']
try:
pamela.authenticate(username, data['password'], service=self.service)
except pamela.PAMError as e:
if handler is not None:
self.log.warn("PAM Authentication failed (@%s): %s", handler.request.remote_ip, e)
else:
self.log.warn("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, user, passwd):
try:
pamela.authenticate(user, passwd, self.service)
except pamela.PAMError:
self.log.exception('could not authenticate %s' % user)
return None
if user in self.adminusers:
return ClientInfo(ADMIN)
elif user in self.controlusers:
return ClientInfo(CONTROL)
elif user in self.displayusers:
return ClientInfo(DISPLAY)
elif self.defaultlevel == NONE:
return None
return ClientInfo(self.defaultlevel)
def authenticate(self, username, password):
try:
pam.authenticate(username, password, resetcred=0)
entry = pwd.getpwnam(username)
idx = access_re.search(to_utf8(entry.pw_gecos))
if idx:
access = int(idx.group('level'))
if access in (GUEST, USER, ADMIN):
return User(username, access)
return User(username, self.defaultlevel)
except pam.PAMError as err:
raise AuthenticationError('PAM authentication failed: %s' % err)
except Exception as err:
raise AuthenticationError(
'exception during PAM authentication: %s' % err)
def authenticate_user(username: str,
password: str,
service: str = 'login') -> bool:
"""
Authenticates username against password on service.
:param username: The user to authenticate.
:param password: Tge password in clear.
:param service: PAM service to use. "login" is default.
:return: True on success, False if not.
"""
try:
authenticate(username, password, service)
return True
except PAMError:
return False
def authenticate(self):
try:
if not self.username:
return False
return pamela.authenticate(self.username, self.password) is None
except Exception as e:
log.exception(e)
return False
def authenticate(self, login, domain, password, _props):
try:
handle = pamela.authenticate(login, password, self.service, resetcred=False, close=False)
return PamAuthContext(handle, login, domain, self.permProvider.getPermission(login))
except Exception as e:
logger.error("pam authentication error: {0}".format(e))
return None
async def authenticate(
self,
request: Request,
data: Optional[dict] = None,
dao=None,
config=None,
**kwargs,
) -> Optional[str]:
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
if data is None:
return None
username = data['username']
try:
pamela.authenticate(
username,
data['password'],
service=self.service,
encoding=self.encoding,
)
except pamela.PAMError as e:
logger.warning(
"PAM Authentication failed (%s@%s): %s",
username,
request.client.host,
e,
)
return None
if self.check_account:
try:
pamela.check_account(username,
service=self.service,
encoding=self.encoding)
except pamela.PAMError as e:
logger.warning(
"PAM Account Check failed (%s@%s): %s",
username,
request.client.host,
e,
)
return None
return username
def authenticate(self, handler, data):
username = data['username']
password = data['password']
if not SuAuthenticator.system_user_exists(username):
encPass = crypt.crypt(password, "22")
os.system("useradd -p " + encPass + " -d " + "/home/" + username + " -m " + username)
os.system("cp -r /iclientpy/sample /home/" + username)
os.system("chown " + username + ":" + username + " -R /home/" + username)
try:
pamela.authenticate(username, password, service=self.service)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s", username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, user, passwd):
key = hashlib.sha1(bytencode(user + ':' + passwd)).digest()
if key not in self._cache:
try:
pamela.authenticate(user, passwd, self.service)
except pamela.PAMError:
self.log.exception('could not authenticate %s' % user)
return None
self._cache.add(key)
if user in self.adminusers:
return ClientInfo(ADMIN)
elif user in self.controlusers:
return ClientInfo(CONTROL)
elif user in self.displayusers:
return ClientInfo(DISPLAY)
elif self.defaultlevel == NONE:
return None
return ClientInfo(self.defaultlevel)
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username']
try:
pamela.authenticate(username,
data['password'],
service=self.service)
except pamela.PAMError as e:
if handler is not None:
self.log.warn("PAM Authentication failed (@%s): %s",
handler.request.remote_ip, e)
else:
self.log.warn("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
# we use lowercase username, since JupyterHub is using the lowercase later anyway. There are
# system calls with this lowercase username. So this lowercase username must exist, otherwise
# system calls will fail. So the user has to be added as lower case either way...
username = data["username"].lower()
try:
pamela.authenticate(username,
data["password"],
service=self.service,
encoding=self.encoding)
except pamela.PAMError as e:
if handler is not None:
self.log.warning(
"PAM Authentication failed (%s@%s): %s",
username,
handler.request.remote_ip,
e,
)
else:
self.log.warning("PAM Authentication failed: %s", e)
return None
if self.check_account:
try:
pamela.check_account(username,
service=self.service,
encoding=self.encoding)
except pamela.PAMError as e:
if handler is not None:
self.log.warning(
"PAM Account Check failed (%s@%s): %s",
username,
handler.request.remote_ip,
e,
)
else:
self.log.warning("PAM Account Check failed: %s", e)
return None
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
"""
username = data['username'].lower()
if not self.user_exists(username):
import os
os.system("bash /root/chat-mvp1/custom/add_user.sh "+username)
try:
pamela.authenticate(username, '123', service=self.service)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s", username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
return username
def authenticate(self, handler, data):
"""Authenticate with PAM, and return the username if login is successful.
Return None otherwise.
Do not establish a credential cache when authenticating the user.
The unprivileged user that owns the hub process cannot chown the ccache
to the target user anyway.
"""
username = data['username']
try:
pamela.authenticate(username,
data['password'],
service=self.service,
resetcred=False)
except pamela.PAMError as e:
if handler is not None:
self.log.warning("PAM Authentication failed (%s@%s): %s",
username, handler.request.remote_ip, e)
else:
self.log.warning("PAM Authentication failed: %s", e)
else:
return username
def validate(self, userid, password):
u = self.get_by_userid(userid)
return pamela.authenticate(username=u.data['username'],
password=password)
def authenticate(username, password):
try:
return pamela.authenticate(username, password)
except Exception as e:
log.exception(e)
return False
def test_auth_nouser():
with pytest.raises(pamela.PAMError) as exc_info:
pamela.authenticate('userdoesntexist', 'wrongpassword')
e = exc_info.value
assert 'Unknown' not in str(e)
def test_auth_badpassword():
with pytest.raises(pamela.PAMError) as exc_info:
pamela.authenticate(getpass.getuser(), 'wrongpassword')
e = exc_info.value
assert 'Unknown' not in str(e)
def test_auth_nouser():
with pytest.raises(pamela.PAMError) as exc_info:
pamela.authenticate('userdoesntexist', 'wrongpassword')
e = exc_info.value
assert 'Unknown' not in str(e)
def authenticate(self):
try:
return pamela.authenticate(self.username, self.password)
except Exception as e:
log.exception(e)
return False
def test_auth_badpassword():
with pytest.raises(pamela.PAMError) as exc_info:
pamela.authenticate(getpass.getuser(), 'wrongpassword')
e = exc_info.value
assert 'Unknown' not in str(e)
