def check_password(self, username, password): print('check_password', username) """The actual password checking logic. Separated from the authenticate code from Django for easier updating""" try: if SUPPORTS_VERIFY: print('verify') kerberos.checkPassword( username.lower(), password, getattr(settings, "KRB5_SERVICE", ""), getattr(settings, "KRB5_REALM", ""), getattr(settings, "KRB5_VERIFY_KDC", True)) else: print('do not verify') kerberos.checkPassword(username.lower(), password, getattr(settings, "KRB5_SERVICE", ""), getattr(settings, "KRB5_REALM", "")) return True except kerberos.BasicAuthError as e: print('BasicAuthError', e) if getattr(settings, "KRB5_DEBUG", False): logger.exception("Failure during authentication") return False except Exception as e: print('Error', e) if getattr(settings, "KRB5_DEBUG", False): logger.exception("Failure during authentication") # for all other execptions also deny access return False
def auth_basic(self, auth_header): """ Manages the basic authorization process with kerberos. Returns a username or raises a BasicAuthError. """ # The authorization header is base64 encoded, we need it decoded auth_decoded = base64.decodebytes(auth_header.encode('utf8')).decode() # Decoded format is <username>:<password> so we need to split it userstring, password = auth_decoded.split(':', maxsplit=1) try: # If the user specifies a realm in the username verify # it matches the configured SPNEGO realm so we # don't open ourselves up to KDC spoofing username, realm = userstring.split('@', maxsplit=1) if realm != settings.SPNEGO_REALM: raise NotAuthorized except ValueError: username = userstring kerberos.checkPassword( username, password, kerberos.getServerPrincipalDetails('HTTP', settings.SPNEGO_HOSTNAME), settings.SPNEGO_REALM) return username
def testCheckpassword(user, pswd, service, realm): try: kerberos.checkPassword(user, pswd, service, realm) except kerberos.BasicAuthError as e: print("Kerberos authentication for %s failed: %s" % (user, e[0])) else: print("Kerberos authentication for %s succeeded" % user)
def test_admin_login_fails_when_we_dont_know_the_password(): krb5_password = '******' with pytest.raises(kerberos.BasicAuthError) as e: kerberos.checkPassword('admin/admin', krb5_password, '', 'EXAMPLE.COM') error_message = e.value.args[0] assert 'Preauthentication failed' in error_message
def kerberos_authentication(username, password): try: import kerberos kerberos.checkPassword(username, password, settings.sso_service, settings.sso_realm) return dict(id='', username=username) except ImportError: return False except kerberos.BasicAuthError: return False
def _doBasicAuth(self): # Future improvement - we could also support LDAP authentication if we wanted to # If we're trying basic, that means that negotiate auth has already failed, so don't offer it again self.page.offerNegotiate = False self._getKerberosDetails() (user, password) = base64.b64decode(self.authToken).split(":", 1) try: kerberos.checkPassword(user, password, self._kerberosService, self._kerberosRealm) self.user = user print "Authenticated user %s" % user except: print "Failed to authenticate user %s" % user raise
def __call__(self, environ, start_response): def error(): start_response('500 Error', [ ('content-type', 'text/plain'), ]) return ['Internal error'] def noauth(msg=None): start_response('401 Unauthorized', [ ('content-type', 'text/plain'), ('WWW-Authenticate', 'Negotiate'), ('WWW-Authenticate', 'Basic realm="Web Service for CloudLab"') ]) if msg: return ['No auth. Error: %s' % msg] return ['No auth'] if 'HTTP_AUTHORIZATION' not in environ: return noauth() type, authstr = environ['HTTP_AUTHORIZATION'].split(' ', 1) if type == 'Negotiate': result, context = kerberos.authGSSServerInit(self.service) if result != 1: return error() gssstring = '' r = kerberos.authGSSServerStep(context, authstr) if r == 1: gssstring = kerberos.authGSSServerResponse(context) else: return noauth() def new_start_response(status, headers): start_response( status, [('WWW-Authenticate', 'Negotiate %s' % gssstring)] + headers) environ['REMOTE_USER'] = kerberos.authGSSServerUserName(context) kerberos.authGSSServerClean(context) elif type == 'Basic': username, password = b64decode(authstr).split(':', 1) try: kerberos.checkPassword(username, password, self.service, self.realm) except Exception, e: return noauth(e.message) new_start_response = start_response environ['REMOTE_USER'] = username
def check_password(self, username, password): """The actual password checking logic. Separated from the authenticate code from Django for easier updating""" try: kerberos.checkPassword(username.lower(), password, getattr(settings, "KRB5_SERVICE", ""), settings.KRB5_REALM) return True except kerberos.BasicAuthError: if getattr(settings, "KRB5_DEBUG", False): logger.exception("Failure during authentication") return False except: if getattr(settings, "KRB5_DEBUG", False): logger.exception("Failure during authentication") # for all other execptions also deny access return False
def __call__(self, environ, start_response): def error(): start_response('500 Error', [ ('content-type', 'text/plain'), ]) return ['Internal error'] def noauth(): start_response('401 Unauthorized', [ ('content-type', 'text/plain'), ('WWW-Authenticate','Negotiate'), ('WWW-Authenticate','Basic realm="Secured area"') ]) return ['No auth'] if 'HTTP_AUTHORIZATION' not in environ: return noauth() type, authstr = environ['HTTP_AUTHORIZATION'].split(' ', 1) if type == 'Negotiate': result, context = kerberos.authGSSServerInit(self.service) if result != 1: return error() gssstring='' r=kerberos.authGSSServerStep(context,authstr) if r == 1: gssstring=kerberos.authGSSServerResponse(context) else: return noauth() def new_start_response(status, headers): start_response( status, [ ('WWW-Authenticate','Negotiate %s' % gssstring) ]+headers ) environ['REMOTE_USER']=kerberos.authGSSServerUserName(context) kerberos.authGSSServerClean(context) elif type == 'Basic': username, password = b64decode(authstr).split(':',1) try: kerberos.checkPassword(username, password, self.service, self.realm) except: return noauth() new_start_response=start_response environ['REMOTE_USER']=username return self.wrapped(environ, new_start_response)
def requestAvatarId(self, credentials): # If there is no calendar principal URI then the calendar user is disabled. pcreds = IPrincipalCredentials(credentials) creds = pcreds.credentials if isinstance(creds, BasicKerberosCredentials): try: kerberos.checkPassword(creds.username, creds.password, creds.service, creds.default_realm) except kerberos.BasicAuthError, ex: self.log.error("%s" % (ex[0],)) raise error.UnauthorizedLogin("Bad credentials for: %s (%s: %s)" % (pcreds.authnURI, ex[0], ex[1])) else: return succeed((pcreds.authnPrincipal, pcreds.authzPrincipal))
def authenticate(self, username=None, password=None): try: kerberos.checkPassword(username, password, '', settings.KRB5_REALM) except kerberos.BasicAuthError: return None try: user = User.objects.get(username=username) except User.DoesNotExist: user = User.objects.create_user( username=username, email='%s@%s' % (username, settings.KRB5_REALM.lower())) user.set_unusable_password() user.save() return user
def __call__(self, environ, start_response): def error(): start_response("500 Error", [("content-type", "text/plain")]) return ["Internal error"] def noauth(msg=None): start_response( "401 Unauthorized", [ ("content-type", "text/plain"), ("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", 'Basic realm="Web Service for CloudLab"'), ], ) if msg: return ["No auth. Error: %s" % msg] return ["No auth"] if "HTTP_AUTHORIZATION" not in environ: return noauth() type, authstr = environ["HTTP_AUTHORIZATION"].split(" ", 1) if type == "Negotiate": result, context = kerberos.authGSSServerInit(self.service) if result != 1: return error() gssstring = "" r = kerberos.authGSSServerStep(context, authstr) if r == 1: gssstring = kerberos.authGSSServerResponse(context) else: return noauth() def new_start_response(status, headers): start_response(status, [("WWW-Authenticate", "Negotiate %s" % gssstring)] + headers) environ["REMOTE_USER"] = kerberos.authGSSServerUserName(context) kerberos.authGSSServerClean(context) elif type == "Basic": username, password = b64decode(authstr).split(":", 1) try: kerberos.checkPassword(username, password, self.service, self.realm) except Exception, e: return noauth(e.message) new_start_response = start_response environ["REMOTE_USER"] = username
def authenticate(username, password): service_principal = "%s/%s" % ( configuration.conf.get('kerberos', 'principal'), utils.get_fqdn() ) realm = configuration.conf.get("kerberos", "default_realm") try: user_realm = configuration.conf.get("security", "default_realm") except AirflowConfigException: user_realm = realm user_principal = utils.principal_from_username(username, user_realm) try: # this is pykerberos specific, verify = True is needed to prevent KDC spoofing if not kerberos.checkPassword(user_principal, password, service_principal, realm, True): raise AuthenticationError() except kerberos.KrbError as e: logging.error( 'Password validation for user ' '%s in realm %s failed %s', user_principal, realm, e) raise AuthenticationError(e) return
def auth_krb(jenni, input): """ This will authenticate a user off of AD Credentials If checkPassword returns True, add user to auth_list You must have sso_service and sso_realm in ~/.phenny/default.py """ global auth_list import kerberos split_it = [] nick = input.nick line = input.group(0) string_line = str(line) for item in string_line.split(): split_it.append(item) username = split_it[2] password = split_it[3] # Can only be done in prvmsg by an admin if input.sender.startswith('#'): return if input.admin: if nick in auth_list: return else: jenni.say(nick + " is being authenticated.") if kerberos.checkPassword(username,password,input.sso_service,input.sso_realm): jenni.say(nick + " authenticated.") auth_list.append(nick) else: jenni.say(nick + " NOT authorized!") auth_list.remove(nick)
def can_log_in(self, username, password): try: return kerberos.checkPassword(username.lower(), password, settings.AUTH_KERBEROS_SERVICE, settings.AUTH_KERBEROS_REALM, False) except: logger.exception("Failure during Kerberos authentication") return False
def can_log_in(self, username, password): try: return kerberos.checkPassword( username.lower(), password, settings.AUTH_KERBEROS_SERVICE, settings.AUTH_KERBEROS_REALM, False ) except: logger.exception("Failure during Kerberos authentication") return False
def authenticate(self, username=None, password=None): try: auth = kerberos.checkPassword( username, password, '', settings.KRB5_REALM ) except kerberos.BasicAuthError, e: return None
def auth_basic(self, auth_header, callback): """ Perform Basic authentication using Kerberos against self.settings['sso_realm']. """ auth_decoded = base64.decodestring(auth_header[6:]) username, password = auth_decoded.split(":", 2) try: kerberos.checkPassword(username, password, self.settings["sso_service"], self.settings["sso_realm"]) except Exception as e: # Basic auth failed if self.settings["debug"]: print(e) # Very useful for debugging Kerberos errors return self.authenticate_redirect() # NOTE: Basic auth just gives us the username without the @REALM part # so we have to add it: user = "******" % (username, self.settings["sso_realm"]) callback(user)
def authenticate_user(user, password): try: if kerberos.checkPassword(user, password, "krbtgt/SLAC.STANFORD.EDU", "SLAC.STANFORD.EDU"): return True except: pass return False
def requestAvatarId(self, credentials): # If there is no calendar principal URI then the calendar user is disabled. pcreds = IPrincipalCredentials(credentials) creds = pcreds.credentials if isinstance(creds, BasicKerberosCredentials): try: kerberos.checkPassword(creds.username, creds.password, creds.service, creds.default_realm) except kerberos.BasicAuthError, ex: self.log.error("{ex}", ex=ex[0]) raise error.UnauthorizedLogin("Bad credentials for: %s (%s: %s)" % (pcreds.authnURI, ex[0], ex[1],)) else: return succeed(( pcreds.authnPrincipal, pcreds.authzPrincipal, ))
def check_password(self, username, password): try: return kerberos.checkPassword( username, password, getattr(settings, 'AUTH_SERVICE_NAME', 'http/[email protected]'), getattr(settings, 'AUTH_SERVICE_REALM', 'example.com'), True) except kerberos.BasicAuthError: # logging.exception("username/password mismatch") return False
def check_password(username, password): try: # verify is an extra field implemented in https://github.com/02strich/pykerberos # it is needed to prevent KDC spoofing attacks, but require service authentication # with a keytab file specified in `KRB5_KTNAME`. return kerberos.checkPassword(username, password, settings.service, settings.realm, True) except kerberos.BasicAuthError: logging.exception("username/password mismatch") return False
def authenticate(self, username=None, password=None): try: kerberos.checkPassword( username, password, '', settings.KRB5_REALM ) except kerberos.BasicAuthError: return None try: user = User.objects.get(username=username) except User.DoesNotExist: user = User.objects.create_user( username=username, email='%s@%s' % (username, settings.KRB5_REALM.lower()) ) user.set_unusable_password() user.save() return user
def auth_basic(self, auth_header, callback): """ Perform Basic authentication using Kerberos against `self.settings['sso_realm']`. """ auth_decoded = base64.decodestring(auth_header[6:]) username, password = auth_decoded.split(':', 1) try: kerberos.checkPassword(username, password, self.settings['sso_service'], self.settings['sso_realm']) except Exception as e: # Basic auth failed if self.settings['debug']: print(e) # Very useful for debugging Kerberos errors return self.authenticate_redirect() # NOTE: Basic auth just gives us the username without the @REALM part # so we have to add it: user = "******" % (username, self.settings['sso_realm']) callback(user)
def auth(self, username, password): subauth.log('trying user: %s|%s|%s' % (username, self.domain, self.realm)) try: if kerberos.checkPassword(username, password, self.domain, self.realm): subauth.log("Success!") return True except Exception, e: subauth.log('Exception: %s' % e) pass
def authenticate(username, password): service_principal = "%s/%s" % (conf.get('kerberos', 'principal'), utils.get_fqdn()) realm = conf.get("kerberos", "default_realm") user_principal = utils.principal_from_username(username) try: # this is pykerberos specific, verify = True is needed to prevent KDC spoofing if not kerberos.checkPassword(user_principal, password, service_principal, realm, True): raise AuthenticationError() except kerberos.KrbError, e: logging.error('Password validation for principal %s failed %s', user_principal, e) raise AuthenticationError(e)
def authenticate(self, username, password): if '@' not in username: username = username + '@' + self.get_default_realm() try: if kerberos.checkPassword(username, password, '', '', 0): logger.info('Authenticated user ' + username + '.') if username.split('@', 1)[0] not in [u.username for u in self.users]: self.add_user(username.split('@', 1)[0], 'Firstname', 'Lastname', PRIV_LAYMAN) self.select_user(username) return True except kerberos.BasicAuthError: return False
def authenticate(self, request, username=None, password=None, **kwargs): import kerberos try: kerberos.checkPassword( username, password, '', settings.KRB5_REALM ) except kerberos.BasicAuthError: return None try: user = User.objects.get(username=username) except User.DoesNotExist: user = User.objects.create_user( username=username, email='{}@{}'.format(username, settings.KRB5_REALM.lower()) ) user.set_unusable_password() user.save() return user
def authenticate(self, username=None, password=None, **kwargs): if not kerberos: return None UserModel = get_user_model() if username is None: username = kwargs.get(UserModel.USERNAME_FIELD) try: kerberos.checkPassword(username, password, '', settings.KRB5_REALM) except kerberos.BasicAuthError: return None try: user = UserModel.objects.get(username=username) except UserModel.DoesNotExist: user = UserModel.objects.create_user( username=username, email='%s@%s' % (username, settings.KRB5_REALM.lower())) user.set_unusable_password() user.save() return user
def authenticate(cls, mail_user, password): mail_user = mail_user.internal_username.split("+")[-1] # Allow to have more than 1 krb-authenticated account for user mail_user = mail_user.split("@") if len(mail_user) != 2: # Failed to split to [username, domain] return False username, domain = mail_user[0], mail_user[1].upper() # Kerberos uses uppercase domains mail_user = "******".join((username, domain)) try: result = kerberos.checkPassword(mail_user, password.encode('utf-8'), "", domain) except kerberos.KrbError: return False return result
def authenticate(self, username=None, password=None, **kwargs): if not kerberos: return None UserModel = get_user_model() if username is None: username = kwargs.get(UserModel.USERNAME_FIELD) try: kerberos.checkPassword(username, password, "", settings.KRB5_REALM) except kerberos.BasicAuthError: return None try: user = UserModel.objects.get(username=username) except UserModel.DoesNotExist: user = UserModel.objects.create_user( username=username, email="%s@%s" % (username, settings.KRB5_REALM.lower()) ) user.set_unusable_password() user.save() return user
def login(email, password): allowed_domains = ALLOWED_DOMAINS + [REALM] validate_email = EmailValidator(whitelist=allowed_domains) # user is allowed to type just the username. In this case, the REALM # will be appended as the domain to form a complete e-mail address if '@' in email: try: validate_email(email) except ValidationError as err: raise KERBEROSLoginError({"error_message": str(err)}) username, domain = email.split('@') else: username, domain = email, DEFAULT_DOMAIN email = username + '@' + domain if domain not in allowed_domains: errmsg = "Invalid e-mail: domain not allowed" raise KERBEROSLoginError({"error_message": errmsg}) try: kerberos.checkPassword(username, password, '', REALM) except kerberos.BasicAuthError as err: errmsg, _ = err.args if errmsg == "Cannot contact any KDC for requested realm": errmsg = "Error connecting to KERBEROS server" raise KERBEROSLoginError({"error_message": errmsg}) elif errmsg == "Decrypt integrity check failed": errmsg = "KERBEROS account or password incorrect" raise KERBEROSLoginError({"error_message": errmsg}) else: raise KERBEROSLoginError({"error_message": errmsg}) except Exception: errmsg = "KERBEROS authentication failed" raise KERBEROSLoginError({"error_message": errmsg}) return (email, username)
def _parse_krb_basic_auth(self, username, password): krb_auth = self.metrique_config.krb_auth # kerberos module must be available, krb auth enabled, realm defined # and username/password provided realm = self.metrique_config.realm ok = (kerberos and krb_auth and realm and username and password) if ok: try: ok = kerberos.checkPassword(username, password, '', realm) except kerberos.BasicAuthError as e: logger.debug('KRB ERROR [%s]: %s' % (username, e)) ok = False logger.debug('KRB AUTH [%s]: %s' % (username, ok)) return ok
def login(): error = None if request.method == 'GET': return render_template('login.html', error=error) username = request.form['username'] allusers = softwareService.getAllUsers() if username not in allusers: error = "'" + username + "' is not entitled for this application" return render_template('login.html', error=error) password = request.form['password'] kerberosname = username + '@UTORONTO.CA' app.logger.info('%s try login', kerberosname) try: kerberos.checkPassword(kerberosname, password, '', '') session['username'] = request.form['username'] app.logger.info('[%s] login', session['username']) except: e = sys.exc_info()[0] app.logger.info('authenticate error %s', e) error = "invalid credential" return render_template('login.html', error=error) fullname = "" if "name" in allusers[username]: fullname = allusers[username]["name"] email="" if "email" in allusers[username]: email = allusers[username]["email"] if fullname and email: return redirect(url_for('index')) else: return render_template('register.html', id=username, name=fullname, email=email)
def checkPassword(user, password): # First try their local password if user.password and user.password == User.crypt(user.username, password): return True # Then try Kerberos if possible if settings.kerberosRealm: try: import kerberos try: if kerberos.checkPassword(user.username, password, '', settings.kerberosRealm): return True except (kerberos.KrbError, kerberos.BasicAuthError): pass except ImportError: pass return False
def login(self, session, username, password, generic_password): krb_realm = self.server.config('KRB_REALM', default='CHALMERS.SE') if generic_password and password == generic_password: session.set("authuser", username) session.set("authrealm", krb_realm) return if AuthenticationManager.has_krb5(): import kerberos service = "krbtgt/" + self.function.server.instance_address # Get in control of which realm we're using" if "@" in username: (username,) = username.split('@') if kerberos.checkPassword(username, password, service, krb_realm): session.set("authuser", username) session.set("authrealm", krb_realm) else: raise exterror.ExtAuthenticationFailedError() else: raise exterror.ExtAuthenticationFailedError()
def checkPassword(self, credentials): try: res = kerberos.checkPassword( credentials.username, credentials.password, self.service, self.default_realm ) except kerberos.KrbError as e: msg = repr(e) log.msg(msg) raise UnauthorizedLogin(msg) if not res: raise UnauthorizedLogin() username, sep, realm = credentials.username.rpartition('@') if sep != '@': return '%s@%s' % (credentials.username, self.default_realm) return credentials.username
def authenticateKerberos(self, event): try: self.authenticated = kerberos.checkPassword(self.username.get(), self.password.get(), \ 'krbtgt/CC.COLUMBIA.EDU', 'CC.COLUMBIA.EDU') except kerberos.KrbError as ae: print ae self.authTriesRemaining -= 1 self.message.set('Password incorrect, try again.') self.text['fg'] = 'red' if self.authenticated: self.text['fg'] = 'darkgreen' self.message.set('Password accepted') print 'User %s authenticated successfully' % ( self.username.get(), ) self.after(600, self.event_generate, '<<CloseDialog>>') else: print 'Authentication unsuccessful' print 'authTriesRemaining: %d' % self.authTriesRemaining if self.authTriesRemaining < 1: self.event_generate('<<CloseDialog>>')
def login(self, session, username, password, generic_password): krb_realm = self.server.config('KRB_REALM', default='CHALMERS.SE') if generic_password and password == generic_password: session.set("authuser", username) session.set("authrealm", krb_realm) return if AuthenticationManager.has_krb5(): import kerberos service = "krbtgt/" + self.function.server.instance_address # Get in control of which realm we're using" if "@" in username: (username, ) = username.split('@') if kerberos.checkPassword(username, password, service, krb_realm): session.set("authuser", username) session.set("authrealm", krb_realm) else: raise exterror.ExtAuthenticationFailedError() else: raise exterror.ExtAuthenticationFailedError()
# Make sure resolver setting to access DC. import kerberos # Domain information user = "******" dc_address = "192.168.2.170" domain = "EXAMPLE.COM" # Password list password_list = ['123456','password','12345678','1234','pussy','12345','dragon','qwerty','696969','mustang','letmein','baseball','master','michael','football','shadow','monkey','abc123','pass','f****e','6969','jordan','harley','ranger','iwantu','jennifer','hunter','f**k','2000','test','batman','trustno1','thomas','tigger','robert','access','love','buster','1234567','soccer','hockey','killer','george','sexy','andrew','charlie','superman','asshole','fuckyou','dallas','jessica','panties','pepper','1111','austin','william','daniel','golfer','summer','heather','hammer','yankees','joshua','maggie','biteme','enter','ashley','thunder','cowboy','silver','richard','f****r','orange','merlin','michelle','corvette','bigdog','cheese','matthew','121212','patrick','martin','freedom','ginger','b*****b','nicole','sparky','yellow','camaro','secret','dick','falcon','taylor','111111','131313','123123','bitch','hello','scooter','please','porsche','guitar','chelsea','black','diamond','nascar','jackson','cameron','654321','computer','amanda','wizard','xxxxxxxx','money','phoenix','mickey','bailey','knight','iceman','tigers','purple','andrea','horny','dakota','aaaaaa','player','sunshine','morgan','starwars','boomer','cowboys','edward','charles','girls','booboo','coffee','xxxxxx','bulldog','ncc1701','rabbit','peanut','john','johnny','gandalf','spanky','winter','brandy','compaq','carlos','tennis','james','mike','brandon','fender','anthony','blowme','ferrari','cookie','chicken','maverick','chicago','joseph','diablo','sexsex','hardcore','666666','willie','welcome','chris','panther','yamaha','justin','banana','driver','marine','angels','fishing','david','maddog','hooters','wilson','butthead','dennis','f*****g','captain','bigdick','chester','smokey','xavier','steven','viking','snoopy','blue','eagles','winner','samantha','house','miller','flower','jack','firebird','butter','united','turtle','steelers','tiffany','zxcvbn','tomcat','golf','bond007','bear','tiger','doctor','gateway','gators','angel','junior','thx1138','porno','badboy','debbie','spider','melissa','booger','1212','flyers','fish','p**n','matrix','teens','scooby','jason','walter','cumshot','boston','braves','yankee','lover','barney','victor','tucker','princess','mercedes','5150','doggie','zzzzzz','gunner','horney','bubba','2112','fred','johnson','xxxxx','t**s','member','boobs','donald','bigdaddy','bronco','penis','voyager','rangers','birdie','trouble','white','topgun','bigtits','bitches','green','super','qazwsx','magic','lakers','rachel','slayer','scott','2222','asdf','video','london','7777','marlboro','srinivas','internet','action','carter','jasper','monster','teresa','jeremy','11111111','bill','crystal','peter','pussies','c**k','beer','rocket','theman','oliver','prince','beach','amateur','7777777','muffin','redsox','star','testing','shannon','murphy','frank','hannah','dave','eagle1','11111','mother','nathan','raiders','steve','forever','angela','viper','ou812','jake','lovers','suckit','gregory','buddy','whatever','young','nicholas','lucky','helpme','jackie','monica','midnight','college','baby','c**t','brian','mark','startrek','sierra','leather','232323','4444','beavis','bigcock','happy','sophie','ladies','naughty','giants','booty','blonde','f****d','golden','0','fire','sandra','pookie','packers','einstein','dolphins','0','chevy','winston','warrior','sammy','s**t','8675309','zxcvbnm','nipples','power','victoria','asdfgh','v****a','toyota','travis','hotdog','paris','rock','xxxx','extreme','redskins','erotic','dirty','ford','freddy','arsenal','access14','wolf','nipple','iloveyou','alex','florida','eric','legend','movie','success','rosebud','jaguar','great','cool','cooper','1313','scorpio','mountain','madison','987654','brazil','lauren','japan','naked','squirt','stars','apple','alexis','aaaa','bonnie','peaches','jasmine','kevin','matt','qwertyui','danielle','beaver','4321','4128','runner','swimming','dolphin','gordon','casper','stupid','shit','saturn','gemini','apples','august','3333','canada','blazer','cumming','hunting','kitty','rainbow','112233','arthur','cream','calvin','shaved','surfer','samson','kelly','paul','mine','king','racing','5555','eagle','hentai','newyork','little','redwings','smith','sticky','cocacola','animal','broncos','private','skippy','marvin','blondes','enjoy','girl','apollo','parker','qwert','time','sydney','women','voodoo','magnum','juice','abgrtyu','777777','dreams','maxwell','music','rush2112','russia','scorpion','rebecca','tester','mistress','phantom','billy','6666','albert'] n = 0 for password in password_list: try: kerberos.checkPassword(user, password, dc_address, domain) print("Password is " + password) break except kerberos.BasicAuthError as error: # Get 'Preauthentication failed' phrase from exception message if str(error).split("'")[1] == 'Preauthentication failed': n += 1 if (n % 10) == 0: print('Trial count is ' + str(n)) if n == len(password_list): print('Not matched') else: print(error)
def authenticate(self, username=None, password=None): try: auth = kerberos.checkPassword(username, password, '', settings.KRB5_REALM) except kerberos.BasicAuthError, e: return None
def login(): if request.method == 'GET': return redirect(url_for('default')) else: try: ## Check password with kerberos kerberos.checkPassword(request.form['username'], request.form['password'], app.config['KRB5_SERVICE'], app.config['KRB5_DOMAIN']) except kerberos.BasicAuthError as e: flash('Incorrect username and/or password', 'alert-danger') return redirect(url_for('default')) except kerberos.KrbError as e: flash('Kerberos Error: ' + e.__str__(), 'alert-danger') return redirect(url_for('default')) except kerberos.GSSError as e: flash('GSS Error: ' + e.__str__(), 'alert-danger') return redirect(url_for('default')) except Exception as e: mysqladm.errors.fatal(e) ## Set logged in session['logged_in'] = True session['username'] = request.form['username'] ## is user in mysqladm management group group = grp.getgrnam(app.config['ACCESS_GROUP']) if request.form['username'] in group.gr_mem: session['admin'] = True else: ## Make sure the user is in the permissions table ## if they are not...then they should not be able to logon ## Load the dictionary based cursor cur = g.db.cursor() ## Execute a SQL select cur.execute("SELECT COUNT(*) FROM `permissions` WHERE `name` = %s", (session['username'])) ## Get results num = cur.fetchone() if not int(num[0]) > 0: session.pop('logged_in', None) session.pop('username', None) flash('You do not have permission to use this system', 'alert-danger') return redirect(url_for('default')) ## Set admin flag off session['admin'] = False ## Check if the user selected "Log me out when I close the browser" permanent = request.form.get('sec', default="") ## Set session as permanent or not if permanent == 'sec': session.permanent = True else: session.permanent = False ## Set defaults for hidden files session['hidden_files'] = 'hide' ## Log a successful login app.logger.info('User "' + session['username'] + '" logged in from "' + request.remote_addr + '" using ' + request.user_agent.string) ## determine if "next" variable is set (the URL to be sent to) next = request.form.get('next', default=None) if next == None: return redirect(url_for('database_list')) else: return redirect(next)
def test_admin_login_succeeds_when_default_password_is_provided(): krb5_password = os.getenv('KRB5_PASS') kerberos.checkPassword('admin/admin', krb5_password, '', 'EXAMPLE.COM')
def test_basic_check_password(): service = "HTTP/%s" % hostname actual = kerberos.checkPassword(username, password, service, realm.upper()) assert actual, "Checking of the password failed"
def _login(user, pwd, remember): """Try to login user with kerberos""" try: kerberos.checkPassword(user, pwd, _SERVICE_NAME, _REALM) except kerberos.BasicAuthError: return False
def auth(username, password): app.logger.debug("bargate.lib.user.auth " + username) if len(username) == 0: app.logger.debug("bargate.lib.user.auth empty username") return False if len(password) == 0: app.logger.debug("bargate.lib.user.auth empty password") return False if app.config['AUTH_TYPE'] == 'kerberos' or app.config['AUTH_TYPE'] == 'krb5': app.logger.debug("bargate.lib.user.auth auth type kerberos") ## Kerberos authentication. ## As of May 2015, DO NOT USE THIS. checkPassword does not verify the KDC is the right one. ## Of course, this can only be verified if the local machine is actually joined to the domain? and thus has a local host/ principal? try: kerberos.checkPassword(request.form['username'], request.form['password'], app.config['KRB5_SERVICE'], app.config['KRB5_DOMAIN']) except kerberos.BasicAuthError as e: return False except kerberos.KrbError as e: flash('Unexpected kerberos authentication error: ' + e.__str__(),'alert-danger') return False except kerberos.GSSError as e: flash('Unexpected kerberos gss authentication error: ' + e.__str__(),'alert-danger') return False app.logger.debug("bargate.lib.user.auth auth kerberos success") return True elif app.config['AUTH_TYPE'] == 'smb': app.logger.debug("bargate.lib.user.auth auth type smb") ## "SMB" auth. This is a bit odd. It just tries to connect to an SMB share and list the contents. If this succeeds, assume SUCCESS! try: g.smb_username = username g.smb_password = password ctx = smbc.Context(auth_fn=bargate.lib.user.get_smbc_auth_logon) ctx.opendir(app.config['SMB_AUTH_URI']).getdents() except smbc.PermissionError: app.logger.debug("bargate.lib.user.auth smb permission denied") return False except Exception as ex: app.logger.debug("bargate.lib.user.auth smb exception: " + str(ex)) flash('Unexpected SMB authentication error: ' + str(ex),'alert-danger') return False app.logger.debug("bargate.lib.user.auth auth smb success") return True elif app.config['AUTH_TYPE'] == 'ldap': app.logger.debug("bargate.lib.user.auth auth type ldap") ## LDAP auth. This is preferred as of May 2015 due to issues with python-kerberos. ## connect to LDAP and turn off referals l = ldap.initialize(app.config['LDAP_URI']) l.set_option(ldap.OPT_REFERRALS, 0) ## and bind to the server with a username/password if needed in order to search for the full DN for the user who is logging in. try: if app.config['LDAP_ANON_BIND']: l.simple_bind_s() else: l.simple_bind_s( (app.config['LDAP_BIND_USER']), (app.config['LDAP_BIND_PW']) ) except ldap.LDAPError as e: flash('Internal Error - Could not connect to LDAP directory: ' + str(e),'alert-danger') app.logger.error("Could not bind to LDAP: " + str(e)) abort(500) app.logger.debug("bargate.lib.user.auth ldap searching for username in base " + app.config['LDAP_SEARCH_BASE'] + " looking for attribute " + app.config['LDAP_USER_ATTRIBUTE']) ## Now search for the user object to bind as try: results = l.search_s(app.config['LDAP_SEARCH_BASE'], ldap.SCOPE_SUBTREE,(app.config['LDAP_USER_ATTRIBUTE']) + "=" + username) except ldap.LDAPError as e: app.logger.debug("bargate.lib.user.auth no object found in ldap") return False app.logger.debug("bargate.lib.user.auth ldap found results from dn search") ## handle the search results for result in results: dn = result[0] attrs = result[1] if dn == None: ## No dn returned. Return false. return False else: app.logger.debug("bargate.lib.user.auth ldap found dn " + str(dn)) ## Found the DN. Yay! Now bind with that DN and the password the user supplied try: app.logger.debug("bargate.lib.user.auth ldap attempting ldap simple bind as " + str(dn)) lauth = ldap.initialize(app.config['LDAP_URI']) lauth.set_option(ldap.OPT_REFERRALS, 0) lauth.simple_bind_s( (dn), (password) ) except ldap.LDAPError as e: ## password was wrong app.logger.debug("bargate.lib.user.auth ldap bind failed as " + str(dn)) return False app.logger.debug("bargate.lib.user.auth ldap bind succeeded as " + str(dn)) ## Should we use the ldap home dir attribute? if app.config['LDAP_HOMEDIR']: ## Now look up the LDAP HOME ATTRIBUTE as well if (app.config['LDAP_HOME_ATTRIBUTE']) in attrs: if type(attrs[app.config['LDAP_HOME_ATTRIBUTE']]) is list: homedir_attribute = attrs[app.config['LDAP_HOME_ATTRIBUTE']][0] else: homedir_attribute = str(attrs[app.config['LDAP_HOME_ATTRIBUTE'] ]) if homedir_attribute == None: app.logger.error('ldap_get_homedir returned None for user ' + username) flash("Profile Error: I could not find your home directory location","alert-danger") abort(500) else: session['ldap_homedir'] = homedir_attribute app.logger.debug('User "' + username + '" LDAP home attribute ' + session['ldap_homedir']) if app.config['LDAP_HOMEDIR_IS_UNC']: if session['ldap_homedir'].startswith('\\\\'): session['ldap_homedir'] = session['ldap_homedir'].replace('\\\\','smb://',1) session['ldap_homedir'] = session['ldap_homedir'].replace('\\','/') ## Overkill but log it again anyway just to make sure we really have the value we think we should app.logger.debug('User "' + username + '" home SMB path ' + session['ldap_homedir']) ## Return that LDAP auth succeeded app.logger.debug("bargate.lib.user.auth ldap success") return True ## Catch all return false for LDAP auth return False
def _login(user, pwd, remember): '''Try to login user with kerberos''' try: kerberos.checkPassword(user, pwd, _SERVICE_NAME, _REALM) except kerberos.BasicAuthError: return False
def authUser(self,user,password): return kerberos.checkPassword(user,password,"",self.daemon)
def auth(username, server, password): username = username.lower() try: kerberos.checkPassword(username, password, "login", "EXAMPLE.COM") except kerberos.BasicAuthError, e: return False
def authenticate(self, username=None, password=None, **kwargs): UserModel = get_user_model() if username is None: username = kwargs.get(UserModel.USERNAME_FIELD) # print "trying to authenticate ", username, password try: kerberos.checkPassword(username, password, "", settings.KRB5_REALM) except kerberos.BasicAuthError: # print "Kerberos auth failed" return None # print "kerberos succeeded" # TODO: think how to better integrate this with the # django permission system. depending on group # membership, assign different permissions. # this requires a better understanding of the # way django permissions are expressed :-( if False and settings.RUN_ON_WEBAPP: webappgroup = dict(getent.group('mhb-app')) if username not in webappgroup['members']: return None user, created = User.objects.get_or_create( username=username ) # print "user, created: ", user, type(user), created if created: # no local password for such users user.set_unusable_password() # allow everybody access to admin: user.is_staff = True # we do not make anybody superuser here; # that should happen manually try: # have to set a reasonable default group g = Group.objects.get(name="lehrender") user.groups.add(g) except: # print "adding user to group did not work" pass # try to get the real-world user name : try: d = dict(getent.passwd(username)) gecos = d['gecos'] f, l = gecos.split(' ', 1) user.first_name = f user.last_name = l except: pass user.save() return user
import kerberos # import random while True: try: # unknown users (principles) cause more CPU! """ print kerberos.checkPassword("user", \ "badpassword@123", \ "krbtgt/client.example.com", \ "EXAMPLE.COM") """ # known users (principles) cause more CPU! print kerberos.checkPassword("user1", \ "badpassword@123", \ "krbtgt/client.example.com", \ "EXAMPLE.COM") except Exception, exc: # print exc pass