Exemple #1
 def app_auth(self, svc_ip, svc_port):
     """Run the client side of the application-service authentication exchange.

     Sends a fresh authenticator (encrypted under the service session key)
     followed by the stored service ticket to ``(svc_ip, svc_port)``, then
     decrypts the service's reply with the same session key and keeps it in
     ``self.svcauth``.

     Raises:
         KrbException: if no service ticket or service session key has been
             obtained yet (``request_svc_tkt`` must run first).
     """
     if not (self.stkt and self.ssession):
         raise KrbException("Service session key or ticket are blank, run request_svc_tkt")

     service_addr = (svc_ip, svc_port)

     # Authenticator first, ticket second: the service stores the
     # authenticator and only processes it once the ticket arrives.
     client_auth = Authenticator(user_id=self.name_realm)
     client_auth.send(self.sock, self.ssession.session_key, service_addr)
     self.sock.sendto(self.stkt, service_addr)

     reply = self.recv(service_addr)
     # NOTE(review): the decrypted reply is stored but nothing here compares
     # its contents with the expected service identity, so mutual
     # authentication rests on decrypt_data/Authenticator rejecting a blob
     # made with the wrong key -- confirm that they do.
     self.svcauth = Authenticator(
         blob=decrypt_data(reply[1], self.ssession.session_key))
Exemple #2
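    def datagramReceived(self, data, addr):
        """Handle one datagram of the service side of the authentication exchange.

        The first byte selects the message type:

        * ``CLI_AUTH``: the rest of the datagram is stored as the sender's
          still-encrypted authenticator.
        * ``SVC_TKT_RESP``: the rest is a service ticket encrypted under
          ``self.secret_key``. The ticket is decrypted, its session key is
          used to decrypt the stored authenticator, and both are checked
          against each other and against the sender address before the
          service's own authenticator is sent back.

        Anything else, including an empty datagram, is answered with a
        ``KrbError``.

        Args:
            data: raw datagram payload.
            addr: sender address; ``addr[0]`` is used as the client key.
        """
        print("Connection from {}".format(addr[0]))
        sock = self.transport.socket

        # An empty datagram has no type byte; answer it like any other
        # malformed message instead of raising out of the handler.
        if not data:
            KrbError("Unknown or incorrect protocol").send(sock, addr)
            return

        # Slice rather than index: indexing bytes yields an int on Python 3,
        # which unpack() does not accept.
        dtype = unpack("!b", data[:1])[0]

        # NOTE(review): per-client state (including AUTHENTICATED) is keyed by
        # the source IP of a UDP datagram alone, and an entry is created for
        # every sender before anything is verified. Treat the flag as "a valid
        # exchange was seen from this address" only, and bound the table's
        # size and age where it is owned.
        client = self.clients.setdefault(addr[0], dict())

        # client authenticator received
        if dtype == CLI_AUTH:
            print("Got client auth")
            client["CLI_AUTH_BLOB"] = data[1:]

        # Encrypted service ticket received
        elif dtype == SVC_TKT_RESP:
            try:
                stkt = ServiceTicket(
                    blob=decrypt_data(data[1:], self.secret_key))
            except Exception:
                KrbError("Cannot decrypt service ticket").send(sock, addr)
                return
            try:
                # pop() makes the stored authenticator single-use, so a later
                # ticket datagram cannot be paired with a stale blob. A
                # missing blob raises KeyError and is reported below.
                cliauth = Authenticator(blob=decrypt_data(
                    client.pop("CLI_AUTH_BLOB"), stkt.session_key))
            except Exception:
                KrbError("Cannot decrypt client authenticator").send(
                    sock, addr)
                return
            # NOTE(review): no timestamp or replay-cache check is visible in
            # this handler; if Authenticator/ServiceTicket do not enforce
            # freshness and ticket lifetime, a captured authenticator+ticket
            # pair would be accepted again -- confirm.
            if cliauth.user_id != stkt.client_id:
                KrbError(
                    "Client authenticator user id does not match service ticket id"
                ).send(sock, addr)
            elif stkt.net_addr != '0.0.0.0' and stkt.net_addr != addr[0]:
                # '0.0.0.0' in the ticket disables the address binding.
                KrbError(
                    "Network addresses of the client and the service ticket do not match"
                ).send(sock, addr)
            else:
                svcauth = Authenticator(user_id=self.name_realm)
                print("Sending svcauth")
                svcauth.send(sock, stkt.session_key, addr)
                client["AUTHENTICATED"] = True
                print("Client " + addr[0] + " authenticated successfully")

        # unknown type
        else:
            KrbError("Unknown or incorrect protocol").send(sock, addr)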
Exemple #3
 def request_svc_tkt(self, svc_name, svc_realm):
     """Ask the TGS for a service ticket and service session key.

     Sends the TGT, a fresh authenticator encrypted under the TGS session
     key, and a request naming ``svc_name@svc_realm``. Two replies are then
     read: a ``SVC_SESS_KEY`` reply is decrypted into ``self.ssession`` and a
     ``SVC_TKT_RESP`` reply is stored, type byte prepended, in ``self.stkt``.

     Raises:
         KrbException: if the TGS session key or TGT is missing (``kinit``
             must run first).
     """
     if not (self.ksession and self.tgt):
         raise KrbException("TGS Session key or TGT are blank, run kinit")

     self.sock.sendto(self.tgt, self.auth_addr)

     tgs_auth = Authenticator(user_id=self.name_realm)
     tgs_auth.send(self.sock, self.ksession.session_key, self.auth_addr)

     ticket_req = ServiceTicketRequest(svc_id='@'.join((svc_name, svc_realm)))
     ticket_req.send(self.sock, self.auth_addr)

     # Both replies are read before either is processed; the checks below do
     # not depend on which of the two arrives first.
     replies = [self.recv(self.auth_addr) for _ in range(2)]

     # NOTE(review): if a reply has neither expected type (an error reply,
     # for example), self.ssession / self.stkt keep whatever an earlier call
     # left there and no exception is raised -- callers may want to clear
     # both before the request and verify both afterwards.
     for reply in replies:
         if reply[0] == SVC_SESS_KEY:
             self.ssession = ServiceSessionKey(
                 blob=decrypt_data(reply[1], self.ksession.session_key))
         if reply[0] == SVC_TKT_RESP:
             # Stored opaque (still encrypted for the service), with the type
             # byte prepended so it can be sent as-is.
             self.stkt = pack("!b", SVC_TKT_RESP) + reply[1]
Exemple #4
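    def datagramReceived(self, data, addr):
        """Process a datagram sent to the service by a client.

        Message types, taken from the first byte of ``data``:

        * ``CLI_AUTH``: remember the remaining bytes as the sender's encrypted
          authenticator.
        * ``SVC_TKT_RESP``: decrypt the remaining bytes as a service ticket
          with ``self.secret_key``, decrypt the remembered authenticator with
          the ticket's session key, check that user id and network address
          agree, then reply with the service's authenticator and mark the
          sender as authenticated.

        Every other input, an empty datagram included, gets a ``KrbError``
        reply.

        Args:
            data: raw datagram payload.
            addr: sender address; ``addr[0]`` keys the per-client state.
        """
        print("Connection from {}".format(addr[0]))
        sock = self.transport.socket

        # No type byte at all: reply with the generic protocol error rather
        # than letting an IndexError escape the handler.
        if not data:
            KrbError("Unknown or incorrect protocol").send(sock, addr)
            return

        # get the data type and keep track of clients
        # data[:1] (not data[0]) keeps this a one-byte string on Python 3,
        # where indexing bytes returns an int that unpack() rejects.
        dtype = unpack("!b", data[:1])[0]

        # NOTE(review): state is created for any sender before verification
        # and is keyed by UDP source IP only; the AUTHENTICATED flag therefore
        # says nothing stronger than "this address completed an exchange",
        # and the dict needs an external size/age limit.
        state = self.clients.setdefault(addr[0], dict())

        # client authenticator received
        if dtype == CLI_AUTH:
            print("Got client auth")
            state["CLI_AUTH_BLOB"] = data[1:]

        # Encrypted service ticket received
        elif dtype == SVC_TKT_RESP:
            try:
                stkt = ServiceTicket(blob=decrypt_data(data[1:], self.secret_key))
            except Exception:
                KrbError("Cannot decrypt service ticket").send(sock, addr)
                return
            try:
                # The authenticator is removed as it is read, so each stored
                # blob is checked against one ticket only; a missing blob
                # raises KeyError and produces the error reply below.
                cliauth = Authenticator(blob=decrypt_data(state.pop("CLI_AUTH_BLOB"), stkt.session_key))
            except Exception:
                KrbError("Cannot decrypt client authenticator").send(sock, addr)
                return
            # NOTE(review): freshness (timestamps, ticket lifetime, replay
            # cache) is not checked in this method; confirm it is enforced
            # inside Authenticator/ServiceTicket.
            if cliauth.user_id != stkt.client_id:
                KrbError("Client authenticator user id does not match service ticket id").send(sock, addr)
            elif stkt.net_addr != '0.0.0.0' and stkt.net_addr != addr[0]:
                # A ticket address of '0.0.0.0' skips the address binding.
                KrbError("Network addresses of the client and the service ticket do not match").send(sock, addr)
            else:
                svcauth = Authenticator(user_id=self.name_realm)
                print("Sending svcauth")
                svcauth.send(sock, stkt.session_key, addr)
                state["AUTHENTICATED"] = True
                print("Client "+addr[0]+" authenticated successfully")

        # unknown type
        else:
            KrbError("Unknown or incorrect protocol").send(sock, addr)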