def app_auth(self, svc_ip, svc_port):
    """Authenticates to a requested application.

    Sends the client's authenticator (encrypted under the service session
    key) followed by the service ticket to ``(svc_ip, svc_port)``, then
    reads the service's reply and decrypts it into ``self.svcauth``.

    Args:
        svc_ip: address of the application service.
        svc_port: UDP port of the application service.

    Raises:
        KrbException: when no service ticket / service session key has been
            obtained yet (``request_svc_tkt`` must run first).
    """
    service_addr = (svc_ip, svc_port)
    # Both artefacts are produced by request_svc_tkt; refuse to continue without them.
    if not (self.stkt and self.ssession):
        raise KrbException("Service session key or ticket are blank, run request_svc_tkt")
    session_key = self.ssession.session_key
    # Authenticator first, ticket second: the service stores the authenticator
    # and only verifies it once the ticket arrives.
    Authenticator(user_id=self.name_realm).send(self.sock, session_key, service_addr)
    self.sock.sendto(self.stkt, service_addr)
    # The reply is a (type, payload) pair; the payload is the service's authenticator.
    reply = self.recv(service_addr)
    self.svcauth = Authenticator(blob=decrypt_data(reply[1], session_key))
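def datagramReceived(self, data, addr):
    """Handle a received datagram.

    Service side of the exchange. A client first sends a CLI_AUTH datagram
    carrying its authenticator (encrypted under the service session key),
    then a SVC_TKT_RESP datagram carrying the service ticket (encrypted
    under this service's secret key). The ticket is decrypted, the stored
    client authenticator is decrypted with the session key found in the
    ticket, and the two are cross-checked before the service replies with
    its own authenticator. Failures are reported back as KrbError datagrams.
    Per-client state lives in ``self.clients`` keyed by the sender's IP.

    Args:
        data: raw datagram payload; byte 0 is the message type.
        addr: ``(host, port)`` of the sender.
    """
    print("Connection from {}".format(addr[0]))
    sock = self.transport.socket
    client_ip = addr[0]
    # An empty datagram has no type byte; drop it instead of crashing in unpack().
    if not data:
        return
    # Slice rather than index: data[0] is an int on Python 3 and unpack() needs bytes.
    dtype = unpack("!b", data[:1])[0]
    # NOTE(review): keyed by IP only - several clients behind one NAT would
    # share (and overwrite) this entry; confirm that is acceptable.
    state = self.clients.setdefault(client_ip, {})
    if dtype == CLI_AUTH:
        # Client authenticator received; kept until the ticket arrives.
        print("Got client auth")
        state["CLI_AUTH_BLOB"] = data[1:]
    elif dtype == SVC_TKT_RESP:
        # Encrypted service ticket received; it must decrypt under our own key.
        try:
            stkt = ServiceTicket(blob=decrypt_data(data[1:], self.secret_key))
        except Exception:
            KrbError("Cannot decrypt service ticket").send(sock, addr)
            return
        # A ticket with no preceding authenticator used to surface as a
        # misleading "cannot decrypt" (KeyError swallowed by a bare except).
        cli_blob = state.get("CLI_AUTH_BLOB")
        if cli_blob is None:
            KrbError("Client authenticator not received").send(sock, addr)
            return
        try:
            cliauth = Authenticator(blob=decrypt_data(cli_blob, stkt.session_key))
        except Exception:
            KrbError("Cannot decrypt client authenticator").send(sock, addr)
            return
        if cliauth.user_id != stkt.client_id:
            # Authenticator and ticket must name the same principal.
            KrbError("Client authenticator user id does not match service ticket id").send(sock, addr)
        elif stkt.net_addr != '0.0.0.0' and stkt.net_addr != addr[0]:
            # '0.0.0.0' in the ticket means any address; otherwise the sender must match.
            KrbError("Network addresses of the client and the service ticket do not match").send(sock, addr)
        else:
            # NOTE(review): no freshness/replay check on the client authenticator is
            # visible here, and the stored blob stays reusable after success - confirm
            # whether Authenticator carries a timestamp to validate and whether the
            # blob should be discarded once consumed.
            svcauth = Authenticator(user_id=self.name_realm)
            print("Sending svcauth")
            svcauth.send(sock, stkt.session_key, addr)
            state["AUTHENTICATED"] = True
            print("Client " + addr[0] + " authenticated successfully")
    else:
        # Unknown type byte.
        KrbError("Unknown or incorrect protocol").send(sock, addr)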
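def request_svc_tkt(self, svc_name, svc_realm):
    """Communicates with the TGS to get the service ticket and the service session key.

    Sends the TGT, a fresh authenticator encrypted under the TGS session
    key, and a ServiceTicketRequest for ``svc_name@svc_realm`` to
    ``self.auth_addr``, then reads two replies. On success ``self.ssession``
    holds the decrypted service session key and ``self.stkt`` holds the
    still-encrypted service ticket prefixed with its SVC_TKT_RESP type byte,
    ready to be forwarded to the service by ``app_auth``.

    Args:
        svc_name: name of the service principal.
        svc_realm: realm of the service principal.

    Raises:
        KrbException: when kinit has not been run (no TGS session key or TGT),
            or when the two replies do not contain both the service session
            key and the service ticket (e.g. the TGS answered with an error).
    """
    if not self.ksession or not self.tgt:
        raise KrbException("TGS Session key or TGT are blank, run kinit")
    tgs_key = self.ksession.session_key
    self.sock.sendto(self.tgt, self.auth_addr)
    Authenticator(user_id=self.name_realm).send(self.sock, tgs_key, self.auth_addr)
    ServiceTicketRequest(svc_id='@'.join([svc_name, svc_realm])).send(self.sock, self.auth_addr)
    # Two datagrams are expected back, in either order, as (type, payload) pairs.
    replies = [self.recv(self.auth_addr), self.recv(self.auth_addr)]
    ssession = None
    stkt = None
    for reply in replies:
        if reply[0] == SVC_SESS_KEY:
            ssession = ServiceSessionKey(blob=decrypt_data(reply[1], tgs_key))
        elif reply[0] == SVC_TKT_RESP:
            # Keep the type byte on the ticket so it can be relayed to the service as-is.
            stkt = pack("!b", SVC_TKT_RESP) + reply[1]
    # Update state only when both pieces arrived; otherwise a stale ticket or
    # key from an earlier call would silently be used by app_auth.
    if ssession is None or stkt is None:
        raise KrbException("TGS did not return both the service session key and the service ticket")
    self.ssession = ssession
    self.stkt = stkt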
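def datagramReceived(self, data, addr):
    """Handle a received datagram.

    Service side of the exchange. A client first sends a CLI_AUTH datagram
    carrying its authenticator (encrypted under the service session key),
    then a SVC_TKT_RESP datagram carrying the service ticket (encrypted
    under this service's secret key). The ticket is decrypted, the stored
    client authenticator is decrypted with the session key found in the
    ticket, and the two are cross-checked before the service replies with
    its own authenticator. Failures are reported back as KrbError datagrams.
    Per-client state lives in ``self.clients`` keyed by the sender's IP.

    Args:
        data: raw datagram payload; byte 0 is the message type.
        addr: ``(host, port)`` of the sender.
    """
    print("Connection from {}".format(addr[0]))
    sock = self.transport.socket
    client_ip = addr[0]
    # An empty datagram has no type byte; drop it instead of crashing in unpack().
    if not data:
        return
    # Slice rather than index: data[0] is an int on Python 3 and unpack() needs bytes.
    dtype = unpack("!b", data[:1])[0]
    # NOTE(review): keyed by IP only - several clients behind one NAT would
    # share (and overwrite) this entry; confirm that is acceptable.
    state = self.clients.setdefault(client_ip, {})
    if dtype == CLI_AUTH:
        # Client authenticator received; kept until the ticket arrives.
        print("Got client auth")
        state["CLI_AUTH_BLOB"] = data[1:]
    elif dtype == SVC_TKT_RESP:
        # Encrypted service ticket received; it must decrypt under our own key.
        try:
            stkt = ServiceTicket(blob=decrypt_data(data[1:], self.secret_key))
        except Exception:
            KrbError("Cannot decrypt service ticket").send(sock, addr)
            return
        # A ticket with no preceding authenticator used to surface as a
        # misleading "cannot decrypt" (KeyError swallowed by a bare except).
        cli_blob = state.get("CLI_AUTH_BLOB")
        if cli_blob is None:
            KrbError("Client authenticator not received").send(sock, addr)
            return
        try:
            cliauth = Authenticator(blob=decrypt_data(cli_blob, stkt.session_key))
        except Exception:
            KrbError("Cannot decrypt client authenticator").send(sock, addr)
            return
        if cliauth.user_id != stkt.client_id:
            # Authenticator and ticket must name the same principal.
            KrbError("Client authenticator user id does not match service ticket id").send(sock, addr)
        elif stkt.net_addr != '0.0.0.0' and stkt.net_addr != addr[0]:
            # '0.0.0.0' in the ticket means any address; otherwise the sender must match.
            KrbError("Network addresses of the client and the service ticket do not match").send(sock, addr)
        else:
            # NOTE(review): no freshness/replay check on the client authenticator is
            # visible here, and the stored blob stays reusable after success - confirm
            # whether Authenticator carries a timestamp to validate and whether the
            # blob should be discarded once consumed.
            svcauth = Authenticator(user_id=self.name_realm)
            print("Sending svcauth")
            svcauth.send(sock, stkt.session_key, addr)
            state["AUTHENTICATED"] = True
            print("Client " + addr[0] + " authenticated successfully")
    else:
        # Unknown type byte.
        KrbError("Unknown or incorrect protocol").send(sock, addr)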