def app_auth(self, svc_ip, svc_port):
"""Authenticates to a requested application"""
saddr = (svc_ip, svc_port)
if not self.stkt or not self.ssession:
raise KrbException("Service session key or ticket are blank, run request_svc_tkt")
auth = Authenticator(user_id=self.name_realm)
auth.send(self.sock, self.ssession.session_key, saddr)
self.sock.sendto(self.stkt, saddr)
authblob = self.recv(saddr)
self.svcauth = Authenticator(blob=decrypt_data(authblob[1], self.ssession.session_key))
def datagramReceived(self, data, addr):
"""Handle a received datagram"""
print("Connection from {}".format(addr[0]))
sock = self.transport.socket
# get the data type and keep track of clients
dtype = unpack("!b", data[0])[0]
if not addr[0] in self.clients.keys():
self.clients[addr[0]] = dict()
# client authenticator received
if dtype == CLI_AUTH:
print("Got client auth")
self.clients[addr[0]]["CLI_AUTH_BLOB"] = data[1:]
# Encrypted service ticket received
elif dtype == SVC_TKT_RESP:
try:
stkt = ServiceTicket(
blob=decrypt_data(data[1:], self.secret_key))
except:
KrbError("Cannot decrypt service ticket").send(sock, addr)
return
try:
cliauth = Authenticator(blob=decrypt_data(
self.clients[addr[0]]["CLI_AUTH_BLOB"], stkt.session_key))
except:
KrbError("Cannot decrypt client authenticator").send(
sock, addr)
return
if cliauth.user_id != stkt.client_id:
KrbError(
"Client authenticator user id does not match service ticket id"
).send(sock, addr)
elif stkt.net_addr != '0.0.0.0' and stkt.net_addr != addr[0]:
KrbError(
"Network addresses of the client and the service ticket do not match"
).send(sock, addr)
else:
svcauth = Authenticator(user_id=self.name_realm)
print("Sending svcauth")
svcauth.send(sock, stkt.session_key, addr)
self.clients[addr[0]]["AUTHENTICATED"] = True
print("Client " + addr[0] + " authenticated successfully")
# unknown type
else:
KrbError("Unknown or incorrect protocol").send(sock, addr)
def request_svc_tkt(self, svc_name, svc_realm):
"""Communicates with the TGS to get the service ticket and the service session key"""
if not self.ksession or not self.tgt:
raise KrbException("TGS Session key or TGT are blank, run kinit")
self.sock.sendto(self.tgt, self.auth_addr)
auth = Authenticator(user_id=self.name_realm)
auth.send(self.sock, self.ksession.session_key, self.auth_addr)
req = ServiceTicketRequest(svc_id='@'.join([svc_name, svc_realm]))
req.send(self.sock, self.auth_addr)
data = []
data.append(self.recv(self.auth_addr))
data.append(self.recv(self.auth_addr))
for i in data:
if i[0] == SVC_SESS_KEY:
self.ssession = ServiceSessionKey(blob=decrypt_data(i[1], self.ksession.session_key))
if i[0] == SVC_TKT_RESP:
self.stkt = pack("!b", SVC_TKT_RESP) + i[1]
def datagramReceived(self, data, addr):
"""Handle a received datagram"""
print("Connection from {}".format(addr[0]))
sock = self.transport.socket
# get the data type and keep track of clients
dtype = unpack("!b", data[0])[0]
if not addr[0] in self.clients.keys():
self.clients[addr[0]] = dict()
# client authenticator received
if dtype == CLI_AUTH:
print("Got client auth")
self.clients[addr[0]]["CLI_AUTH_BLOB"] = data[1:]
# Encrypted service ticket received
elif dtype == SVC_TKT_RESP:
try:
stkt = ServiceTicket(blob=decrypt_data(data[1:], self.secret_key))
except:
KrbError("Cannot decrypt service ticket").send(sock, addr)
return
try:
cliauth = Authenticator(blob=decrypt_data(self.clients[addr[0]]["CLI_AUTH_BLOB"], stkt.session_key))
except:
KrbError("Cannot decrypt client authenticator").send(sock, addr)
return
if cliauth.user_id != stkt.client_id:
KrbError("Client authenticator user id does not match service ticket id").send(sock, addr)
elif stkt.net_addr != '0.0.0.0' and stkt.net_addr != addr[0]:
KrbError("Network addresses of the client and the service ticket do not match").send(sock, addr)
else:
svcauth = Authenticator(user_id=self.name_realm)
print("Sending svcauth")
svcauth.send(sock, stkt.session_key, addr)
self.clients[addr[0]]["AUTHENTICATED"] = True
print("Client "+addr[0]+" authenticated successfully")
# unknown type
else:
KrbError("Unknown or incorrect protocol").send(sock, addr)
