def do_GET(self): authz = self.headers.get('Authorization', '') if authz.startswith('Negotiate '): authz = authz[len('Negotiate '):] print authz data = authz.decode('base64') sa = sspi.ServerAuth('Negotiate') sa.reset() err, sec_buffer = sa.authorize(data) if err == 0: username = sa.ctxt.QueryContextAttributes( sspicon.SECPKG_ATTR_NAMES) self.send_response(200) self.send_header('Content-type', 'text/html') self.end_headers() self.wfile.write( '<HTML><body>Authenticated! Username: %s</body></HTML>' % username) return else: print "Error: ", err self.send_response(401) self.send_header('Content-type', 'text/html') self.send_header('WWW-Authenticate', 'Negotiate') self.end_headers() self.wfile.write('<HTML><body>Must authenticate</body></HTML>')
def authenticateCredentials(self, credentials): """ See IAuthenticationPlugin. o We expect the credentials to be those returned by ILoginPasswordExtractionPlugin. """ # We only authenticate when our challenge mechanism extracted # the ticket if credentials.get('plugin') != self.getId(): return None request = self.REQUEST response = request.RESPONSE remote_host = request.getClientAddr() # We are actually already authenticated... maybe we are in a subrequest if request.get('AUTHENTICATED_USER', None) is not None: username = request.AUTHENTICATED_USER.getName() return username, username ticket = credentials['ticket'] if WINDOWS: sa = sspi.ServerAuth('Negotiate') sa.reset() data = ticket.decode('base64') err, sec_buffer = sa.authorize(data) if err == 0: username = sa.ctxt.QueryContextAttributes( sspicon.SECPKG_ATTR_NAMES) else: raise Forbidden else: service = self.service if not service: service = "HTTP/" + urlparse.urlsplit( request.SERVER_URL).netloc result, context = kerberos.authGSSServerInit(service) if result != 1: raise ValueError, "Kerberos authetication error" gssstring = '' try: r = kerberos.authGSSServerStep(context, ticket) if r == 1: gssstring = kerberos.authGSSServerResponse(context) else: raise Forbidden except GSSError, e: LOG('SPNEGO plugin', ERROR, "%s: GSSError %s" % (remote_host, e)) raise Forbidden username = kerberos.authGSSServerUserName(context) kerberos.authGSSServerClean(context)
def _doAuth(self, pkg_name): sspiclient = sspi.ClientAuth(pkg_name, targetspn=win32api.GetUserName()) sspiserver = sspi.ServerAuth(pkg_name) sec_buffer = None err = 1 while err != 0: err, sec_buffer = sspiclient.authorize(sec_buffer) err, sec_buffer = sspiserver.authorize(sec_buffer) return sspiclient, sspiserver
def __init__(self, broker, pkgName): PI.IServerAuthenticationPlugin.__init__(self, broker) flags = sspicon.ASC_REQ_INTEGRITY | \ sspicon.ASC_REQ_SEQUENCE_DETECT | \ sspicon.ASC_REQ_REPLAY_DETECT | \ sspicon.ASC_REQ_CONFIDENTIALITY | \ sspicon.ASC_REQ_DELEGATE self.mServer = sspi.ServerAuth(pkgName, scflags=flags) self.mLogger = logging.getLogger('maestrod.auth.%s' % pkgName)
def _init_session(): global _sessions, _sessions_lock logger.debug("Init session") if 'uuid' not in session: session['uuid'] = uuid = uuid4().bytes # init uuid on client else: uuid = session['uuid'] with _sessions_lock: if uuid not in _sessions: # make sure _sessions[uuid] = { 'sa': sspi.ServerAuth(_PKG_NAME), 'lock': threading.Lock(), 'last_access': datetime.datetime.now(), } cleanup_sessions()
def ssh_accept_sec_context(self, hostname, username, recv_token): """ Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned """ self._gss_host = hostname self._username = username targ_name = "host/" + self._gss_host self._gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=targ_name) error, token = self._gss_srv_ctxt.authorize(recv_token) token = token[0].Buffer if error == 0: self._gss_srv_ctxt_status = True token = None return token
""" pkg_name='Kerberos' sspiclient=SSPIClient(pkg_name, win32api.GetUserName(), ## target spn is ourself None, None, ## use none for client name and authentication information for current context ## u'username', (u'username',u'domain.com',u'passwd'), sspicon.ISC_REQ_INTEGRITY|sspicon.ISC_REQ_SEQUENCE_DETECT|sspicon.ISC_REQ_REPLAY_DETECT| sspicon.ISC_REQ_DELEGATE|sspicon.ISC_REQ_CONFIDENTIALITY|sspicon.ISC_REQ_USE_SESSION_KEY) sspiserver=SSPIServer(pkg_name, None, sspicon.ASC_REQ_INTEGRITY|sspicon.ASC_REQ_SEQUENCE_DETECT|sspicon.ASC_REQ_REPLAY_DETECT| sspicon.ASC_REQ_DELEGATE|sspicon.ASC_REQ_CONFIDENTIALITY|sspicon.ASC_REQ_STREAM|sspicon.ASC_REQ_USE_SESSION_KEY) """ pkg_name = 'NTLM' # Setup the 2 contexts. sspiclient = sspi.ClientAuth(pkg_name) sspiserver = sspi.ServerAuth(pkg_name) # Perform the authentication dance, each loop exchanging more information # on the way to completing authentication. sec_buffer = None while 1: err, sec_buffer = sspiclient.authorize(sec_buffer) err, sec_buffer = sspiserver.authorize(sec_buffer) if err == 0: break # The server can now impersonate the client. In this demo the 2 users will # always be the same. sspiserver.ctxt.ImpersonateSecurityContext() print('Impersonated user: ', win32api.GetUserNameEx(win32api.NameSamCompatible))
def _gssapi_sspi_test(self): """ Test the used methods of python-gssapi or sspi, sspicon from pywin32. """ try: import gssapi if ( hasattr(gssapi, "__title__") and gssapi.__title__ == "python-gssapi" ): _API = "PYTHON-GSSAPI-OLD" else: _API = "PYTHON-GSSAPI-NEW" except ImportError: import sspicon import sspi _API = "SSPI" c_token = None gss_ctxt_status = False mic_msg = b"G'day Mate!" if _API == "PYTHON-GSSAPI-OLD": if self.server_mode: gss_flags = ( gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG, gssapi.C_MUTUAL_FLAG, gssapi.C_DELEG_FLAG, ) else: gss_flags = ( gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG, gssapi.C_DELEG_FLAG, ) # Initialize a GSS-API context. ctx = gssapi.Context() ctx.flags = gss_flags krb5_oid = gssapi.OID.mech_from_string(self.krb5_mech) target_name = gssapi.Name( "host@" + self.targ_name, gssapi.C_NT_HOSTBASED_SERVICE ) gss_ctxt = gssapi.InitContext( peer_name=target_name, mech_type=krb5_oid, req_flags=ctx.flags ) if self.server_mode: c_token = gss_ctxt.step(c_token) gss_ctxt_status = gss_ctxt.established self.assertEquals(False, gss_ctxt_status) # Accept a GSS-API context. gss_srv_ctxt = gssapi.AcceptContext() s_token = gss_srv_ctxt.step(c_token) gss_ctxt_status = gss_srv_ctxt.established self.assertNotEquals(None, s_token) self.assertEquals(True, gss_ctxt_status) # Establish the client context c_token = gss_ctxt.step(s_token) self.assertEquals(None, c_token) else: while not gss_ctxt.established: c_token = gss_ctxt.step(c_token) self.assertNotEquals(None, c_token) # Build MIC mic_token = gss_ctxt.get_mic(mic_msg) if self.server_mode: # Check MIC status = gss_srv_ctxt.verify_mic(mic_msg, mic_token) self.assertEquals(0, status) elif _API == "PYTHON-GSSAPI-NEW": if self.server_mode: gss_flags = ( gssapi.RequirementFlag.protection_ready, gssapi.RequirementFlag.integrity, gssapi.RequirementFlag.mutual_authentication, gssapi.RequirementFlag.delegate_to_peer, ) else: gss_flags = ( gssapi.RequirementFlag.protection_ready, gssapi.RequirementFlag.integrity, gssapi.RequirementFlag.delegate_to_peer, ) # Initialize a GSS-API context. krb5_oid = gssapi.MechType.kerberos target_name = gssapi.Name( "host@" + self.targ_name, name_type=gssapi.NameType.hostbased_service, ) gss_ctxt = gssapi.SecurityContext( name=target_name, flags=gss_flags, mech=krb5_oid, usage="initiate", ) if self.server_mode: c_token = gss_ctxt.step(c_token) gss_ctxt_status = gss_ctxt.complete self.assertEquals(False, gss_ctxt_status) # Accept a GSS-API context. gss_srv_ctxt = gssapi.SecurityContext(usage="accept") s_token = gss_srv_ctxt.step(c_token) gss_ctxt_status = gss_srv_ctxt.complete self.assertNotEquals(None, s_token) self.assertEquals(True, gss_ctxt_status) # Establish the client context c_token = gss_ctxt.step(s_token) self.assertEquals(None, c_token) else: while not gss_ctxt.complete: c_token = gss_ctxt.step(c_token) self.assertNotEquals(None, c_token) # Build MIC mic_token = gss_ctxt.get_signature(mic_msg) if self.server_mode: # Check MIC status = gss_srv_ctxt.verify_signature(mic_msg, mic_token) self.assertEquals(0, status) else: gss_flags = ( sspicon.ISC_REQ_INTEGRITY | sspicon.ISC_REQ_MUTUAL_AUTH | sspicon.ISC_REQ_DELEGATE ) # Initialize a GSS-API context. target_name = "host/" + socket.getfqdn(self.targ_name) gss_ctxt = sspi.ClientAuth( "Kerberos", scflags=gss_flags, targetspn=target_name ) if self.server_mode: error, token = gss_ctxt.authorize(c_token) c_token = token[0].Buffer self.assertEquals(0, error) # Accept a GSS-API context. gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=target_name) error, token = gss_srv_ctxt.authorize(c_token) s_token = token[0].Buffer # Establish the context. error, token = gss_ctxt.authorize(s_token) c_token = token[0].Buffer self.assertEquals(None, c_token) self.assertEquals(0, error) # Build MIC mic_token = gss_ctxt.sign(mic_msg) # Check MIC gss_srv_ctxt.verify(mic_msg, mic_token) else: error, token = gss_ctxt.authorize(c_token) c_token = token[0].Buffer self.assertNotEquals(0, error)
def _init_session(): logger.debug("Init session") session['uuid'] = uuid.uuid4().bytes _sessions[session['uuid']] = {} _sessions[session['uuid']]['sa'] = sspi.ServerAuth( _PKG_NAME) # one per session
def test_2_gssapi_sspi(self): """ Test the used methods of python-gssapi or sspi, sspicon from pywin32. """ _API = "MIT" try: import gssapi except ImportError: import sspicon import sspi _API = "SSPI" c_token = None gss_ctxt_status = False mic_msg = b"G'day Mate!" if _API == "MIT": if server_mode: gss_flags = (gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG, gssapi.C_MUTUAL_FLAG, gssapi.C_DELEG_FLAG) else: gss_flags = (gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG, gssapi.C_DELEG_FLAG) # Initialize a GSS-API context. ctx = gssapi.Context() ctx.flags = gss_flags krb5_oid = gssapi.OID.mech_from_string(krb5_mech) target_name = gssapi.Name("host@" + targ_name, gssapi.C_NT_HOSTBASED_SERVICE) gss_ctxt = gssapi.InitContext(peer_name=target_name, mech_type=krb5_oid, req_flags=ctx.flags) if server_mode: c_token = gss_ctxt.step(c_token) gss_ctxt_status = gss_ctxt.established self.assertEquals(False, gss_ctxt_status) # Accept a GSS-API context. gss_srv_ctxt = gssapi.AcceptContext() s_token = gss_srv_ctxt.step(c_token) gss_ctxt_status = gss_srv_ctxt.established self.assertNotEquals(None, s_token) self.assertEquals(True, gss_ctxt_status) # Establish the client context c_token = gss_ctxt.step(s_token) self.assertEquals(None, c_token) else: while not gss_ctxt.established: c_token = gss_ctxt.step(c_token) self.assertNotEquals(None, c_token) # Build MIC mic_token = gss_ctxt.get_mic(mic_msg) if server_mode: # Check MIC status = gss_srv_ctxt.verify_mic(mic_msg, mic_token) self.assertEquals(0, status) else: gss_flags = (sspicon.ISC_REQ_INTEGRITY | sspicon.ISC_REQ_MUTUAL_AUTH | sspicon.ISC_REQ_DELEGATE) # Initialize a GSS-API context. target_name = "host/" + socket.getfqdn(targ_name) gss_ctxt = sspi.ClientAuth("Kerberos", scflags=gss_flags, targetspn=target_name) if server_mode: error, token = gss_ctxt.authorize(c_token) c_token = token[0].Buffer self.assertEquals(0, error) # Accept a GSS-API context. gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=target_name) error, token = gss_srv_ctxt.authorize(c_token) s_token = token[0].Buffer # Establish the context. error, token = gss_ctxt.authorize(s_token) c_token = token[0].Buffer self.assertEquals(None, c_token) self.assertEquals(0, error) # Build MIC mic_token = gss_ctxt.sign(mic_msg) # Check MIC gss_srv_ctxt.verify(mic_msg, mic_token) else: error, token = gss_ctxt.authorize(c_token) c_token = token[0].Buffer self.assertNotEquals(0, error)
def __init__(self, *args, **kw): socketserver.TCPServer.__init__(self, *args, **kw) self.sa = sspi.ServerAuth(options.package)
def _gssapi_sspi_test(self): try: import gssapi _API = "MIT-NEW" except ImportError: import sspicon import sspi _API = "SSPI" c_token = None gss_ctxt_status = False mic_msg = b"G'day Mate!" if _API == "MIT-NEW": if self.server_mode: gss_flags = (gssapi.RequirementFlag.protection_ready, gssapi.RequirementFlag.integrity, gssapi.RequirementFlag.mutual_authentication, gssapi.RequirementFlag.delegate_to_peer) else: gss_flags = (gssapi.RequirementFlag.protection_ready, gssapi.RequirementFlag.integrity, gssapi.RequirementFlag.delegate_to_peer) # Initialize a GSS-API context. krb5_oid = gssapi.MechType.kerberos target_name = gssapi.Name( "host@" + self.targ_name, name_type=gssapi.NameType.hostbased_service) gss_ctxt = gssapi.SecurityContext(name=target_name, flags=gss_flags, mech=krb5_oid, usage='initiate') if self.server_mode: c_token = gss_ctxt.step(c_token) gss_ctxt_status = gss_ctxt.complete self.assertEqual(False, gss_ctxt_status) # Accept a GSS-API context. gss_srv_ctxt = gssapi.SecurityContext(usage='accept') s_token = gss_srv_ctxt.step(c_token) gss_ctxt_status = gss_srv_ctxt.complete self.assertNotEqual(None, s_token) self.assertEqual(True, gss_ctxt_status) # Establish the client context c_token = gss_ctxt.step(s_token) self.assertEqual(None, c_token) else: while not gss_ctxt.complete: c_token = gss_ctxt.step(c_token) self.assertNotEqual(None, c_token) # Build MIC mic_token = gss_ctxt.get_signature(mic_msg) if self.server_mode: # Check MIC status = gss_srv_ctxt.verify_signature(mic_msg, mic_token) self.assertEqual(0, status) else: gss_flags = (sspicon.ISC_REQ_INTEGRITY | sspicon.ISC_REQ_MUTUAL_AUTH | sspicon.ISC_REQ_DELEGATE) # Initialize a GSS-API context. target_name = "host/" + socket.getfqdn(self.targ_name) gss_ctxt = sspi.ClientAuth("Kerberos", scflags=gss_flags, targetspn=target_name) if self.server_mode: error, token = gss_ctxt.authorize(c_token) c_token = token[0].Buffer self.assertEqual(0, error) # Accept a GSS-API context. gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=target_name) error, token = gss_srv_ctxt.authorize(c_token) s_token = token[0].Buffer # Establish the context. error, token = gss_ctxt.authorize(s_token) c_token = token[0].Buffer self.assertEqual(None, c_token) self.assertEqual(0, error) # Build MIC mic_token = gss_ctxt.sign(mic_msg) # Check MIC gss_srv_ctxt.verify(mic_msg, mic_token) else: error, token = gss_ctxt.authorize(c_token) c_token = token[0].Buffer self.assertNotEqual(0, error)