def _check_auth_password(self, address, realm, username, password): """Verify supplied username and password against user DB""" user = self.userMap[realm].get(username, None) if user is not None: # list of User login objects for username offered = password allowed = user.get('password_hash', None) if allowed is not None: #logger.debug("Password check for %s" % username) if check_password_hash(offered, allowed, self.hash_cache): return True return False
def validate_authentication(self, username, password, handler): """Password auth against usermap. Please note that we take serious steps to secure against password cracking, but that it _may_ still be possible to achieve with a big effort. Paranoid users / grid owners should not enable password access in the first place! """ logger.debug("Authenticating %s" % username) self.update_logins(username) offered = None if hit_rate_limit(configuration, "ftps", handler.remote_ip, username): logger.warning("Rate limiting login from %s" % handler.remote_ip) elif 'password' in configuration.user_ftps_auth and \ self.has_user(username): # list of User login objects for username entries = [self.user_table[username]] offered = password for entry in entries: if entry['pwd'] is not None: allowed = entry['pwd'] logger.debug("Password check for %s" % username) if check_password_hash(offered, allowed): logger.info("Authenticated %s" % username) self.authenticated_user = username update_rate_limit(configuration, "ftps", handler.remote_ip, username, True) return True err_msg = "Password authentication failed for %s" % username logger.error(err_msg) print err_msg self.authenticated_user = None update_rate_limit(configuration, "ftps", handler.remote_ip, username, False) # Must raise AuthenticationFailed exception since version 1.0.0 instead # of returning bool raise AuthenticationFailed(err_msg)
def check_auth_password(self, username, password): """Password auth against usermap. Please note that we take serious steps to secure against password cracking, but that it _may_ still be possible to achieve with a big effort. Paranoid users / grid owners should not enable password access in the first place! """ offered = None if hit_rate_limit(configuration, "sftp-pw", self.client_addr[0], username): logger.warning("Rate limiting login from %s" % self.client_addr[0]) elif self.allow_password and self.users.has_key(username): # list of User login objects for username entries = self.users[username] offered = password for entry in entries: if entry.password is not None: # TODO: Add ssh tunneling on resource frontends # before enforcing ip check # and \ #(entry.ip_addr is None or # entry.ip_addr == self.client_addr[0]): allowed = entry.password self.logger.debug("Password check for %s" % username) if check_password_hash(offered, allowed): self.logger.info("Authenticated %s" % username) self.authenticated_user = username update_rate_limit(configuration, "sftp-pw", self.client_addr[0], username, True) return paramiko.AUTH_SUCCESSFUL err_msg = "Password authentication failed for %s" % username self.logger.error(err_msg) print err_msg update_rate_limit(configuration, "sftp-pw", self.client_addr[0], username, False) return paramiko.AUTH_FAILED
def _check_auth_password(self, username, password): """Verify supplied username and password against user DB""" offered = None if hit_rate_limit(configuration, "davs", self.client_address[0], username): logger.warning("Rate limiting login from %s" % \ self.client_address[0]) elif self.users.has_key(username): # list of User login objects for username entries = self.users[username] offered = password for entry in entries: if entry.password is not None: allowed = entry.password logger.debug("Password check for %s" % username) if check_password_hash(offered, allowed): self.authenticated_user = username update_rate_limit(configuration, "davs", self.client_address[0], username, True) return True update_rate_limit(configuration, "davs", self.client_address[0], username, False) return False
def validate_authentication(self, username, password, handler): """Password auth against internal DB built from login_map. Please note that we take serious steps to secure against password cracking, but that it _may_ still be possible to achieve with a big effort. The following is checked before granting auth: 1) Valid username 2) Valid user (Does user exist and enabled ftps) 3) Valid 2FA session (if 2FA is enabled) 4) Hit rate limit (Too many auth attempts) 5) Valid password (if password enabled) """ secret = None disconnect = False strict_password_policy = True password_offered = None password_enabled = False invalid_username = False invalid_user = False valid_password = False valid_twofa = False exceeded_rate_limit = False client_ip = handler.remote_ip client_port = handler.remote_port username = force_utf8(username) daemon_conf = configuration.daemon_conf max_user_hits = daemon_conf['auth_limits']['max_user_hits'] user_abuse_hits = daemon_conf['auth_limits']['user_abuse_hits'] proto_abuse_hits = daemon_conf['auth_limits']['proto_abuse_hits'] max_secret_hits = daemon_conf['auth_limits']['max_secret_hits'] logger.debug("Run authentication of %s from %s" % (username, client_ip)) logger.info("refresh user %s" % username) logger.debug("daemon_conf['allow_password']: %s" % daemon_conf['allow_password']) # For e.g. GDP we require all logins to match active 2FA session IP, # but otherwise user may freely switch net during 2FA lifetime. if configuration.site_twofactor_strict_address: enforce_address = client_ip else: enforce_address = None # We don't have a handle_request for server so expire here instead if self.last_expire + self.min_expire_delay < time.time(): self.last_expire = time.time() expire_rate_limit(configuration, "ftps", expire_delay=self.min_expire_delay) if hit_rate_limit(configuration, 'ftps', client_ip, username, max_user_hits=max_user_hits): exceeded_rate_limit = True elif not default_username_validator(configuration, username): invalid_username = True elif daemon_conf['allow_password']: hash_cache = daemon_conf['hash_cache'] password_offered = password secret = make_scramble(password_offered, None) # Only sharelinks should be excluded from strict password policy if configuration.site_enable_sharelinks and \ possible_sharelink_id(configuration, username): strict_password_policy = False logger.debug("refresh user %s" % username) self._update_logins(configuration, username) if not self.has_user(username): if not os.path.islink( os.path.join(daemon_conf['root_dir'], username)): invalid_user = True entries = [] else: # list of User login objects for username entries = [self.user_table[username]] for entry in entries: if entry['pwd'] is not None: password_enabled = True password_allowed = entry['pwd'] logger.debug("Password check for %s" % username) if check_password_hash(configuration, 'ftps', username, password_offered, password_allowed, hash_cache, strict_password_policy): valid_password = True break if valid_password and check_twofactor_session( configuration, username, enforce_address, 'ftps'): valid_twofa = True # Update rate limits and write to auth log (authorized, disconnect) = validate_auth_attempt( configuration, 'ftps', 'password', username, client_ip, client_port, secret=secret, invalid_username=invalid_username, invalid_user=invalid_user, valid_twofa=valid_twofa, authtype_enabled=password_enabled, valid_auth=valid_password, exceeded_rate_limit=exceeded_rate_limit, user_abuse_hits=user_abuse_hits, proto_abuse_hits=proto_abuse_hits, max_secret_hits=max_secret_hits, ) if disconnect: handler._shutdown_connecting_dtp() if authorized: self.authenticated_user = username return True else: # Must raise AuthenticationFailed exception since version 1.0.0 instead # of returning bool self.authenticated_user = None raise AuthenticationFailed()