def authenticate(name, password):
"""
Returns true or false depending on the success of the name-password combination using
the shadows or passwd file (The shadow file is preferred if it exists)
"""
try:
success = pam.pam().authenticate(name, password)
if success is True:
return success
except Exception as e:
logging.warning(e)
return False
if path.exists("/etc/shadow"):
try:
if six.PY3:
shadow = spwd.getspnam(name).sp_pwdp # https://docs.python.org/3.4/library/spwd.html#module-spwd
else:
shadow = spwd.getspnam(name).sp_pwd
except KeyError as e:
return False
else:
shadow = pwd.getpwnam(name).pw_passwd
salt_pattern = compile_regex(r"\$.*\$.*\$")
try:
salt = salt_pattern.match(shadow).group()
except AttributeError as a:
logging.warning(a)
return False
return crypt(password, salt) == shadow
def login():
logger.debug('Autenticando usuario')
try:
auth = request.authorization
if not auth or not auth.username or not auth.password:
logger.error(
'No se ha podido autenticar al usuario: faltan las credenciales!'
)
return json_response(status=400)
p = pam.pam()
# user = p.authenticate(username=auth.username, password=auth.password, service='dvls')
user = p.authenticate(username=auth.username, password=auth.password)
if user and (auth.username == app.config['CONN_USER']):
token = jwt.encode(
dict(username=auth.username,
exp=datetime.utcnow() + timedelta(minutes=60)),
app.config['SECRET_KEY'])
return json_response(data=dict(token=token.decode('UTF-8')))
logger.error(
'No se ha podido autenticar al usuario: las credenciales son incorrectas!'
)
return json_response(status=403)
except Exception as e:
logger.error('No se ha podido autenticar al usuario: %s', str(e))
return json_response(status=500)
def login(user, password):
users = config.get('DEFAULT', 'users', fallback=None)
if users and not user in users.split(','):
# User not is in the valid user list
return False
# Validate user with password
return pam().authenticate(user, password)
def page_reset_tor():
check_logged_in()
p = pam.pam()
pw = request.form.get('password_reset_tor')
if pw == None or p.authenticate("admin", pw) == False:
flash("Invalid Password", category="error")
return redirect(url_for(".page_settings"))
else:
check_and_mark_reboot_action("reset_tor")
# Successful Auth
reset_tor()
# Trigger reboot
t = Timer(1.0, reboot_device)
t.start()
# Wait until device is restarted
templateData = {
"title": "myNode Reboot",
"header_text": "Restarting",
"subheader_text": "This will take several minutes...",
"ui_settings": read_ui_settings()
}
return render_template('reboot.html', **templateData)
def __inner_authorize(self, user: str, passwd: str) -> bool:
if self.__allow_users and user not in self.__allow_users:
get_logger().error("User %r not in allow-list", user)
return False
if self.__deny_users and user in self.__deny_users:
get_logger().error("User %r in deny-list", user)
return False
if self.__allow_uids_at > 0:
try:
uid = pwd.getpwnam(user).pw_uid
except Exception:
get_logger().exception("Can't find UID of user %r", user)
return False
else:
if uid < self.__allow_uids_at:
get_logger().error(
"Unallowed UID of user %r: uid=%d < allow_uids_at=%d",
user, uid, self.__allow_uids_at)
return False
pam_obj = pam.pam()
if not pam_obj.authenticate(user, passwd, service=self.__service):
get_logger().error(
"Can't authorize user %r using PAM: code=%d; reason=%s", user,
pam_obj.code, pam_obj.reason)
return False
return True
def checkpass(self, username, password):
auth = pam.pam().authenticate(username, password)
if auth is True:
logging.debug("Authentication Success")
else:
logging.debug("Authentication Failure")
return auth
def get_authenticated_user(self, username, password):
"""
:param username:
:param password:
:return:
"""
import pam
from models import User
if self._current_user.is_authenticated:
return self._current_user
else:
auth_engine = pam.pam()
if auth_engine.authenticate(username, password):
try:
connection = ElementXMLRPC(url=settings.ELEMENT_URL)
self._element_session_id = connection.authenticate(username, password)
except ElementError as e:
raise AuthenticationError(str(e))
# Until we have a backend, we might have to pickle and de-pickle this
# When we do, store the object and return the username
user = User(username, self._element_session_id)
return user
else:
raise AuthenticationError("Login failed: [{0}] {1}".format(auth_engine.code, auth_engine.reason))
def auth_user(pam_config, username, password):
"""
Authenticate user with PAM.
"""
LOG.debug('Authenticating user with PAM.')
auth = pam.pam()
if auth.authenticate(username, password):
allowed_users = pam_config.get("users") \
or []
allowed_group = pam_config.get("groups")\
or []
if not allowed_users and not allowed_group:
# If no filters are set, only authentication is needed.
return True
else:
if username in allowed_users:
# The user is allowed by username.
return True
# Otherwise, check group memeberships. If any of the user's
# groups are an allowed groupl, the user is allowed.
groups = [g.gr_name for g in grp.getgrall()
if username in g.gr_mem]
gid = pwd.getpwnam(username).pw_gid
groups.append(grp.getgrgid(gid).gr_name)
return not set(groups).isdisjoint(
set(pam_config.get("groups")))
return False
def login():
if request.method == 'POST':
p = pam.pam()
if p.authenticate(request.form['username'], request.form['password']):
session['logged_in'] = True
return redirect(url_for('start_compaign'))
return render_template('index.html', error='invalid username/password')
def __try_auth_pam(self, auth_string):
if self.__is_method_enabled("pam"):
username, pw = auth_string.split(":")
auth = pam.pam()
if auth.authenticate(username, pw):
allowed_users = self.__auth_config["method_pam"].get("users") \
or []
allowed_group = self.__auth_config["method_pam"].get("groups")\
or []
if len(allowed_users) == 0 and len(allowed_group) == 0:
# If no filters are set, only authentication is needed.
return True
else:
if username in allowed_users:
# The user is allowed by username.
return True
# Otherwise, check group memeberships. If any of the user's
# groups are an allowed groupl, the user is allowed.
groups = [g.gr_name for g in grp.getgrall()
if username in g.gr_mem]
gid = pwd.getpwnam(username).pw_gid
groups.append(grp.getgrgid(gid).gr_name)
return not set(groups).isdisjoint(
set(self.__auth_config["method_pam"].get("groups")))
return False
async def check_password(self, user_id, password):
""" Attempt to authenticate a user against PAM
and register an account if none exists.
Returns:
True if authentication against PAM was successful,
False if not
"""
if not password:
return False
# user_id is of the form @foo:bar.com
localpart = user_id.split(":", 1)[0][1:]
# check if localpart is a valid mxid.
# If not, bail out without even checking PAM because
# we can't create a user with that id anyway.
if types.contains_invalid_mxid_characters(localpart):
return False
# Now check the password
if not pam.pam().authenticate(localpart, password, service='matrix-synapse'):
return False
# From here on, the user is authenticated
if (await self.account_handler.check_user_exists(user_id)):
return True
if self.create_users:
user_id = await self.account_handler.register_user(localpart=localpart)
return bool(user_id)
return False
def login():
import pam
# what handles this during normal boot?
subprocess.call(['rm', '/run/nologin', '/etc/nologin'])
try:
subprocess.call(['clear'])
print('Welcome to HadesOS!')
print()
session_type = input('Session type (graphical/text): ') or 'text'
if session_type not in ('graphical', 'text'):
print('Bad session type.')
return
if session_type == 'text':
# For text sessions, use login - it sets up controlling terminals etc correctly
os.execvp('login', ['login'])
return
user_name = input('Login: '******'graphical':
os.execvp('hades', ['hades', 'startx', '--', user_name])
else:
print('Authentication failed.')
except (KeyboardInterrupt, EOFError):
pass
def login():
if request.method == 'POST':
request_username = request.form['username']
request_passwd = request.form['password']
current_url = request.form['url']
if AUTH == 'ldap':
try:
l = ldap.initialize('ldap://%s:%d' % (LDAP_HOST, LDAP_PORT))
l.set_option(ldap.OPT_REFERRALS, 0)
l.protocol_version = 3
l.simple_bind(LDAP_BIND_DN, LDAP_PASS)
q = l.search_s(LDAP_BASE, ldap.SCOPE_SUBTREE, '(&(objectClass=' + OBJECT_CLASS + ')(' + ID_MAPPING + '=' + request_username + '))', [])[0]
l.bind_s(q[0], request_passwd, ldap.AUTH_SIMPLE)
#set the parameters for user by ldap objectClass
user = {
'username': q[1][ID_MAPPING][0].decode('utf8'),
'name': q[1][DISPLAY_MAPPING][0].decode('utf8'),
'su': 'Yes'
}
except Exception, e:
print(str(e))
user = None
elif AUTH == 'htpasswd':
from lwp.utils import check_htpasswd
user = None
if check_htpasswd(HTPASSWD_FILE, request_username, request_passwd):
user = {
'username': request_username,
'name': request_username,
'su': 'Yes'
}
elif AUTH == 'pam':
user = None
p = pam.pam()
if p.authenticate(request_username, request_passwd, service=PAM_SERVICE):
user = {
'username': request_username,
'name': request_username,
'su': 'Yes'
}
else:
request_passwd = hash_passwd(request_passwd)
user = query_db('select name, username, su from users where username=? and password=?', [request_username, request_passwd], one=True)
if user:
session['logged_in'] = True
session['token'] = get_token()
session['last_activity'] = int(time.time())
session['username'] = user['username']
session['name'] = user['name']
session['su'] = user['su']
flash(u'You are logged in!', 'success')
if current_url == url_for('auth.login'):
return redirect(url_for('main.home'))
return redirect(current_url)
flash(u'Invalid username or password!', 'error')
def validate(self):
if not self.is_valid():
return False
user = self.cleaned_data.get('username')
passwd = self.cleaned_data.get('password')
p = pam.pam()
return p.authenticate(user, passwd)
def auth_user(pam_config, username, password):
"""
Authenticate user with PAM.
"""
LOG.debug('Authenticating user with PAM.')
auth = pam.pam()
if auth.authenticate(username, password):
allowed_users = pam_config.get("users") \
or []
allowed_group = pam_config.get("groups")\
or []
if len(allowed_users) == 0 and len(allowed_group) == 0:
# If no filters are set, only authentication is needed.
return True
else:
if username in allowed_users:
# The user is allowed by username.
return True
# Otherwise, check group memeberships. If any of the user's
# groups are an allowed groupl, the user is allowed.
groups = [g.gr_name for g in grp.getgrall()
if username in g.gr_mem]
gid = pwd.getpwnam(username).pw_gid
groups.append(grp.getgrgid(gid).gr_name)
return not set(groups).isdisjoint(
set(pam_config.get("groups")))
return False
def chk_pwd(self, pwd):
user = os.getenv('USER')
if pwd == None:
return False
if PAM_LIB:
def pam_conv(a, q, d):
return [(pwd, 0)]
auth = PAM.pam()
auth.start("passwd")
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except:
return False
else:
return True
else:
auth = pam.pam()
return auth.authenticate(user, pwd)
class PamBackend(object):
"""
The user running the application (the apache user on CentOS)
must be a member of the /etc/shadow group.
"""
_pam = pam.pam()
def authenticate(self, username=None, password=None):
"""
All users that are recognized by the operating system will be returned
(or created, then returned).
"""
user = None
# If the user is authenticated by the operating system then...
if self._pam.authenticate(username, password):
try:
user = User.objects.get(username=username)
logging.info("User %s logged in." % username)
except User.DoesNotExist:
# we don't care what the password is, as it won't be used.
password = User.objects.make_random_password()
user = User(username=username, password=password)
user.save()
logging.info("User %s was created." % username)
else:
logging.warning('User %s failed to log in. Code: %s Reason: %s' %
(username, self._pam.code, self._pam.reason))
return user
def get_user(self, user_id):
try:
return User.objects.get(pk=user_id)
except User.DoesNotExist:
return None
def __try_auth_pam(self, auth_string):
if self.__is_method_enabled("pam"):
username, pw = auth_string.split(":")
auth = pam.pam()
if auth.authenticate(username, pw):
allowed_users = self.__auth_config["method_pam"].get("users") \
or []
allowed_group = self.__auth_config["method_pam"].get("groups")\
or []
if len(allowed_users) == 0 and len(allowed_group) == 0:
# If no filters are set, only authentication is needed.
return True
else:
if username in allowed_users:
# The user is allowed by username.
return True
# Otherwise, check group memeberships. If any of the user's
# groups are an allowed groupl, the user is allowed
groups = [g.gr_name for g in grp.getgrall()
if username in g.gr_mem]
gid = pwd.getpwnam(username).pw_gid
groups.append(grp.getgrgid(gid).gr_name)
return not set(groups).isdisjoint(
set(self.__auth_config["method_pam"].get("groups")))
return False
def is_authenticated(self):
auth = flask.request.authorization
if not auth or not 'username' in auth.keys() or not 'password' in auth.keys():
return False
p = pam.pam()
return p.authenticate(auth['username'], auth['password'])
def page_lnd_change_alias():
check_logged_in()
# Load page
p = pam.pam()
pw = request.form.get('password_change_alias')
if pw == None or p.authenticate("admin", pw) == False:
flash("Invalid Password", category="error")
return redirect(url_for(".page_lnd"))
# Change alias
alias = request.form.get('alias')
if alias == None or alias == "":
flash("Empty Alias", category="error")
return redirect(url_for(".page_lnd"))
if len(alias) > 34:
flash("Invalid Alias", category="error")
return redirect(url_for(".page_lnd"))
with open("/mnt/hdd/mynode/settings/.lndalias", "w") as f:
utf8_alias = alias.decode('utf-8', 'ignore')
f.write(utf8_alias)
f.close()
# Reboot
t = Timer(1.0, reboot_device)
t.start()
# Wait until device is restarted
templateData = {
"title": "myNode Reboot",
"header_text": "Restarting",
"subheader_text": "This will take several minutes...",
"ui_settings": read_ui_settings()
}
return render_template('reboot.html', **templateData)
def change_password_page():
if not request:
return redirect("/settings")
message = "<div class='success_message'>Successfully changed password!</div>"
# Verify current password
p = pam.pam()
current = request.form.get('current_password')
if current == None or p.authenticate("admin", current) == False:
message = "<div class='error_message'>Incorrect password</div>"
templateData = {
"title": "myNode Settings",
"password_message": Markup(message)
}
return render_template('settings.html', **templateData)
p1 = request.form.get('password1')
p2 = request.form.get('password2')
if p1 == None or p2 == None or p1 == "" or p2 == "" or p1 != p2:
message = "<div class='error_message'>Passwords did not match or were empty!</div>"
else:
# Change password
subprocess.call(['/usr/bin/mynode_chpasswd.sh', p1])
templateData = {
"title": "myNode Settings",
"password_message": Markup(message)
}
return render_template('settings.html', **templateData)
def login():
if request.method == 'POST':
p = pam.pam()
if p.authenticate(request.form['username'], request.form['password']):
session['logged_in'] = True
return redirect(url_for('start_compaign'))
return render_template('index.html', error='invalid username/password')
def change_password_page():
if not request:
return redirect("/settings")
message = "<div class='success_message'>Successfully changed password!</div>"
# Verify current password
p = pam.pam()
current = request.form.get('current_password')
if current == None or p.authenticate("admin", current) == False:
return redirect(
url_for(".page_settings", error_message="Invalid Password"))
p1 = request.form.get('password1')
p2 = request.form.get('password2')
if p1 == None or p2 == None or p1 == "" or p2 == "" or p1 != p2:
return redirect(
url_for(".page_settings",
error_message="Passwords did not match or were empty!"))
else:
# Change password
subprocess.call(['/usr/bin/mynode_chpasswd.sh', p1])
return redirect(
url_for(".page_settings", success_message="Password Updated!"))
def is_ssh_default_password_changed():
"""API called to check if the default password for SSH is changed.
This will populate the ssh enabled radio button in the UI.
Returns:
dict: Execution status if the API call was successful, flag to indicate
if default ssh password is changed and with error reason if
call fails.
"""
webserver_node = webserver_publisher_node.get_webserver_node()
webserver_node.get_logger().info("Providing ssh enabeld as response")
try:
# Authenticate against default password
if pam.pam().authenticate(DEFAULT_USER, DEFAULT_SSH_PASSWORD):
return jsonify(success=True,
isDefaultSshPasswordChanged=False,
reason="Default password not changed")
else:
return jsonify(success=True,
isDefaultSshPasswordChanged=True,
reason="Default password changed")
except Exception as ex:
webserver_node.get_logger().error(
f"Failed check if the ssh password is default: {ex}")
return jsonify(success=False,
isDefaultSshPasswordChanged=False,
reason="Error")
def login(password):
p = pam.pam()
if password == None or p.authenticate("admin", password) == False:
return False
else:
session["logged_in"] = True
session.permanent = True
return True
def __init__(self, users=None):
self.event = threading.Event()
self.users = users
self.users_keys = {}
if have_pam:
self.pam = pam.pam()
else:
self.pam = None
def __init__(self, users=None):
self.event = threading.Event()
self.users = users
self.users_keys = {}
if have_pam:
self.pam = pam.pam()
else:
self.pam = None
def __init__(self, configuration):
super().__init__(configuration)
self.configuration = configuration
if "pam_service" not in self.configuration.options("auth"):
self.service = 'login'
else:
self.service = self.configuration.get("auth", "pam_service")
self.pam = pam()
def page_lnd_lndconnect():
check_logged_in()
# Load page
if request.method == 'GET':
return redirect(url_for(".page_lnd"))
p = pam.pam()
pw = request.form.get('password_lndconnect')
from_homepage = request.form.get('lndconnect_from_homepage')
if pw == None or p.authenticate("admin", pw) == False:
if from_homepage != None:
flash("Invalid Password", category="error")
return redirect("/")
else:
flash("Invalid Password", category="error")
return redirect(url_for(".page_lnd"))
lndconnect_local_grpc_text = get_text_contents(
"/tmp/mynode_lndconnect/lndconnect_local_grpc.txt")
lndconnect_local_rest_text = get_text_contents(
"/tmp/mynode_lndconnect/lndconnect_local_rest.txt")
lndconnect_tor_grpc_text = get_text_contents(
"/tmp/mynode_lndconnect/lndconnect_tor_grpc.txt")
lndconnect_tor_rest_text = get_text_contents(
"/tmp/mynode_lndconnect/lndconnect_tor_rest.txt")
if is_community_edition():
lndconnect_tor_grpc_text = "Premium Feature"
lndconnect_tor_rest_text = "Premium Feature"
lndconnect_local_grpc_img = get_image_contents(
"/tmp/mynode_lndconnect/lndconnect_local_grpc.png")
lndconnect_local_rest_img = get_image_contents(
"/tmp/mynode_lndconnect/lndconnect_local_rest.png")
lndconnect_tor_grpc_img = get_image_contents(
"/tmp/mynode_lndconnect/lndconnect_tor_grpc.png")
lndconnect_tor_rest_img = get_image_contents(
"/tmp/mynode_lndconnect/lndconnect_tor_rest.png")
if is_community_edition():
lndconnect_tor_grpc_img = get_image_contents(
"/var/www/mynode/static/images/dots.png")
lndconnect_tor_rest_img = get_image_contents(
"/var/www/mynode/static/images/dots.png")
# Show lndconnect page
templateData = {
"title": "myNode Lightning Wallet",
"lndconnect_local_grpc_text": lndconnect_local_grpc_text,
"lndconnect_local_rest_text": lndconnect_local_rest_text,
"lndconnect_tor_grpc_text": lndconnect_tor_grpc_text,
"lndconnect_tor_rest_text": lndconnect_tor_rest_text,
"lndconnect_local_grpc_img": lndconnect_local_grpc_img,
"lndconnect_local_rest_img": lndconnect_local_rest_img,
"lndconnect_tor_grpc_img": lndconnect_tor_grpc_img,
"lndconnect_tor_rest_img": lndconnect_tor_rest_img,
"ui_settings": read_ui_settings()
}
return render_template('lndconnect.html', **templateData)
def authenticate(self,
user: str = None,
password: str = None,
**kwargs) -> str:
p = pam.pam()
r = p.authenticate(user, password, service=config.login.pam_service)
if not r:
raise self.LoginError("PAM authentication failed")
return user
def authenticate_user(username, password):
try:
from pam import pam
if pam().authenticate(username, password):
return True, None
else:
return False, "Incorrect password"
except ImportError:
return False, "Authentication modules is not available"
def __init__(self, db, session_manager):
self.db = db
self.session_manager = session_manager
if config['api'].getboolean('pam', False):
import pam
self.pam = pam.pam()
else:
self.pam = None
def login(request):
if request.REQUEST_METHOD == 'POST':
if pam().authenticate(request.POST['username'], request.POST['password']):
request.set_session('auth', request.POST['username'], path='/', http_only=True, secure=True, domain='panel.techraptor.us')
refresh_users()
return '', 303, {'Location': request.GET.get('next', '/')}
elif 'auth' in request.COOKIE:
return '', 303, {'Location': request.GET.get('next', '/')}
return serve('html/login.html')
def page_download_ovpn():
p = pam.pam()
pw = request.form.get('password_download_ovpn')
if pw == None or p.authenticate("admin", pw) == False:
flash("Invalid Password", category="error")
return redirect(url_for(".page_vpn_info"))
# Download ovpn
return send_from_directory(directory="/home/pivpn/ovpns/",
filename="mynode_vpn.ovpn")
def check_password(username, password, service):
try:
auth = pam.pam()
if not auth.authenticate(username, password, service=service):
log_error("Password check failed (%s): %s" % (auth.code, auth.reason))
return 0
else:
return 1
except:
raise_with_tb(rhnException('Internal PAM error'), sys.exc_info()[2])
def post(self, request):
user = request.data.get("user")
password = request.data.get("password")
if not user or not password:
return Response({"message": f"user name is NA"}, status=status.HTTP_401_UNAUTHORIZED)
pam_p = pam.pam()
if not pam_p.authenticate(user, password):
return Response({"message": f"user {user} is unauthorized"}, status=status.HTTP_401_UNAUTHORIZED)
user_obj, _ = User.objects.get_or_create({"name": user}, name=user)
return Response({"check_flg": True, "user_id": user_obj.pk})
def lnd_macaroon():
p = pam.pam()
pw = request.form.get('password_download_macaroon')
if pw == None or p.authenticate("admin", pw) == False:
return redirect(url_for(".page_lnd", error_message="Invalid Password"))
# Download macaroon
return send_from_directory(
directory="/mnt/hdd/mynode/lnd/data/chain/bitcoin/mainnet/",
filename="admin.macaroon")
def __init__(self, wsgidav_app, config):
super(PAMDomainController, self).__init__(wsgidav_app, config)
self.pam = pam.pam()
# auth_conf = config["http_authenticator"]
dc_conf = config.get("pam_dc", {})
self.pam_service = dc_conf.get("service", "login")
self.pam_encoding = dc_conf.get("encoding", "utf-8")
self.pam_resetcreds = dc_conf.get("resetcreds", True)
def pwgroupauth(username, password, group):
"""Authenticate user."""
try:
if username not in grp.getgrnam(group)[3]:
return False
except KeyError:
return False
if pam.pam().authenticate(username, password):
return True
return False
def __os_auth(self):
p = pam.pam()
sys_info = self.__sys_details()
pass_msg = ''' KeyChain password ({0}@{1} Auth): '''
keyring_user = getpass.getuser()
keyring_pass = getpass.getpass(
pass_msg.format(keyring_user, sys_info['hostname']))
if not p.authenticate(keyring_user, keyring_pass):
print "Authentication Error: {0} - {1}".format(p.code, p.reason)
return False
return True
def __init__(self, wsgidav_app, config):
super(PAMDomainController, self).__init__(wsgidav_app, config)
self.pam = pam.pam()
# auth_conf = config["http_authenticator"]
dc_conf = config.get("pam_dc", {})
self.pam_service = dc_conf.get("service", "login")
self.pam_encoding = dc_conf.get("encoding", "utf-8")
self.pam_resetcreds = dc_conf.get("resetcreds", True)
def child_routine(self):
"""
The main routine that is executed by the child after the object forks.
This loop does not exit unless a stop request is made.
"""
self.logger = logging.getLogger('KingPhisher.Server.Authenticator.Child')
while True:
request = self._raw_recv(timeout=None)
if 'action' not in request:
self.logger.warning('request received without a specified action')
continue
if not isinstance(request.get('sequence'), int):
self.logger.warning('request received without a valid sequence number')
continue
action = request.get('action', 'UNKNOWN')
self.logger.debug("received request with sequence number {0} and action '{1}'".format(request['sequence'], action))
if action == 'stop':
break
elif action != 'authenticate':
continue
username = str(request['username'])
password = str(request['password'])
start_time = time.time()
pam_handle = pam.pam()
result = pam_handle.authenticate(username, password, service=self.service, resetcreds=False)
end_time = time.time() - start_time
self.logger.debug("pam returned code: {0} reason: '{1}' for user {2} after {3:.2f} seconds".format(pam_handle.code, pam_handle.reason, username, end_time))
result = {
'result': result,
'sequence': request['sequence'],
'username': username
}
if result['result']:
if self.required_group:
result['result'] = False
try:
assert self.required_group in get_groups_for_user(username)
except AssertionError:
self.logger.warning("authentication failed for user: {0} reason: lack of group membership".format(username))
except KeyError:
self.logger.error("encountered a KeyError while looking up group membership for user: {0}".format(username))
else:
result['result'] = True
else:
self.logger.warning("authentication failed for user: {0} reason: bad username or password".format(username))
self._raw_send(result)
def check_password(realm, username, password, timeout=datetime.timedelta(seconds=5)):
try:
import pam
groups = []
pServer = pam.pam()
returnCode = pServer.authenticate(username, password)
if returnCode == True:
return True, groups
else:
cherrypy.log.error("PAM password check failed to authenticate %s" % username )
return False, groups
except Exception as e:
cherrypy.log.error("%s" % e)
return False, groups
def preload(self, root=False):
if not root:
p = pam.pam()
if not p.authenticate(self.login, self.password):
raise Exception('Not Authenticated - %s (%s) ("%s":"%s"):' % (p.code, p.reason, self.login, self.password))
self.set_customer_uid()
signal.signal(signal.SIGTERM, self._on_sigterm)
# Изменяем имя процесса для мониторинга
process_title = ' - ' + self.name + ' ' + setproctitle.getproctitle()
setproctitle.setproctitle(process_title)
self.logger.info("%s process started PID = %s , Title = %s" % (str(self.__class__.__name__),
str(self.pid), str(process_title)))
self.on_running(self.status_id, pid=self.pid, pname=self.name)
def authenticate(self, username, password):
if self.cfg is None or not self.cfg.has_section(username):
return False
source = 'internal'
if self.cfg.has_option(username, 'source'):
source = self.cfg[username]['source']
if source == 'internal':
return self.cfg[username]['password'] == password
elif source == 'pam':
p = pam.pam()
return p.authenticate(username, password)
raise PermissionDenied()
def user_authorization(self):
if not self.__is_autorization:
p = pam.pam()
ret = p.authenticate(self.user, self.password)
if ret is True:
self.__is_autorization = True
# получаю идентификаторы пользователя
if self.__get_uid_guid() is False:
return False
# Изменяем права процесса
os.setgid(self.__UID)
os.setegid(self.__UID)
os.setuid(self.__GID)
os.seteuid(self.__GID)
else:
self.__is_autorization = False
return ret
def unixUserLogin(userName, password):
"""
returns if unix user can login, using unix login
If successful, returns MGIUser object from database
"""
logger.debug('%s - attempting to authenticate' % userName)
user = None
# authenticate using Python-PAM
authenticated = pam().authenticate(userName, password)
if authenticated:
logger.debug('%s - authentication successful' % userName)
# now look up user in database
user = MGIUser.query.filter_by(login=userName).first()
if not user:
logger.debug('%s - does not exist in MGI_User table' % userName)
return user
def authenticate(self, username=None, password=None):
try:
rc_user = RcLdapUser.objects.get(username=username)
except RcLdapUser.DoesNotExist:
return None
p = pam.pam()
authed = p.authenticate(username, password, service=settings.PAM_SERVICES['default'])
if authed:
user_dict = {
'first_name': rc_user.first_name,
'last_name': rc_user.last_name,
'email': rc_user.email,
'is_staff': False,
}
user, created = User.objects.update_or_create(
username=rc_user.username,
defaults=user_dict
)
return user
return None
def chk_pwd(self, pwd):
user = os.getenv('USER')
if pwd == None:
return False
if PAM_LIB:
def pam_conv(a, q, d):
return [(pwd, 0)]
auth = PAM.pam()
auth.start("passwd")
auth.set_item(PAM.PAM_USER, user)
auth.set_item(PAM.PAM_CONV, pam_conv)
try:
auth.authenticate()
auth.acct_mgmt()
except:
return False
else:
return True
else:
auth = pam.pam()
return auth.authenticate(user, pwd)
def auth_pam(self):
if not pam.pam().authenticate(GLib.get_user_name(), self.current_password.get_text(), 'passwd'):
raise PasswordError("Invalid password")
#!/usr/bin/python
# pam_authenticate.py: a script to check a user's password against PAM.
# part of the pywiki project, see https://github.com/pepaslabs/pywiki
# written by jason pepas, released under the terms of the MIT license.
# usage: pipe a password into this script, giving the username as the first argument.
# a zero exit status indicates successful authentication.
import sys
import pam # pip install python-pam
p = pam.pam()
logged_in = False
try:
user = sys.argv[1]
passwd = sys.stdin.read()
logged_in = p.authenticate(user, passwd)
except Exception as e:
sys.exit(2)
else:
if logged_in == True:
sys.exit(0)
else:
sys.exit(1)
import pam
except ImportError:
log.debug('PAM auth helper: Could not import pam module')
sys.exit(1)
def handle_timeout(signum, stack):
raise IOError("Timed out reading input")
# set timeout so we don't block on reading stdin
signal.alarm(TIMEOUT)
pam_service = sys.stdin.readline().strip()
pam_username = sys.stdin.readline().strip()
pam_password = sys.stdin.readline().strip()
# cancel the alarm
signal.alarm(0)
p_auth = pam.pam()
authenticated = p_auth.authenticate(pam_username, pam_password, service=pam_service)
if authenticated:
log.debug('PAM auth helper: authentication successful for {}'.format(pam_username))
sys.stdout.write('True\n')
sys.exit(0)
else:
log.debug('PAM auth helper: authentication failed for {}'.format(pam_username))
sys.stdout.write('False\n')
sys.exit(1)
def authenticate(self, email, username, password, options):
pam_username = None
auto_register_username = None
auto_register_email = None
force_fail = False
if not options['redact_username_in_logs']:
log.debug("use username: {} use email {} email {} username {}".format(options.get('login-use-username'), options.get('login-use-email', False), email, username))
# check email based login first because if email exists in Galaxy DB
# we will be given the "public name" as username
if string_as_bool(options.get('login-use-email', False)) and email is not None:
if '@' in email:
(email_user, email_domain) = email.split('@')
pam_username = email_user
if email_domain == options.get('maildomain', None):
auto_register_email = email
if username is not None:
auto_register_username = username
else:
auto_register_username = email_user
else:
log.debug('PAM authenticate: warning: email does not match configured PAM maildomain')
# no need to fail: if auto-register is not enabled, this
# might still be a valid user
else:
log.debug('PAM authenticate: email must be used to login, but no valid email found')
force_fail = True
elif string_as_bool(options.get('login-use-username', False)):
# if we get here via authenticate_user then
# user will be "public name" and
# email address will be as per registered user
if username is not None:
pam_username = username
if email is not None:
auto_register_email = email
elif options.get('maildomain', None) is not None:
# we can register a user with this username and mail domain
# if auto registration is enabled
auto_register_email = '{}@{}'.format(username, options['maildomain'])
auto_register_username = username
else:
log.debug('PAM authenticate: username login selected but no username provided')
force_fail = True
else:
log.debug('PAM authenticate: could not find username for PAM')
force_fail = True
if force_fail:
return None, '', ''
pam_service = options.get('pam-service', 'galaxy')
use_helper = string_as_bool(options.get('use-external-helper', False))
log.debug("PAM auth: will use external helper: {}".format(use_helper))
authenticated = False
if use_helper:
authentication_helper = options.get('authentication-helper-script', '/bin/false').strip()
log.debug("PAM auth: external helper script: {}".format(authentication_helper))
if not authentication_helper.startswith('/'):
# don't accept relative path
authenticated = False
else:
auth_cmd = shlex.split('/usr/bin/sudo -n {}'.format(authentication_helper))
log.debug("PAM auth: external helper cmd: {}".format(auth_cmd))
proc = Popen(auth_cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
message = '{}\n{}\n{}\n'.format(pam_service, pam_username, password)
(output, error) = proc.communicate(message)
status = proc.wait()
if status != 0 and error != '':
log.debug("PAM auth: external authentication script had errors: status {} error {}".format(status, error))
if output.strip() == 'True':
authenticated = True
else:
authenticated = False
else:
try:
import pam
except ImportError:
log.debug('PAM authenticate: could not load pam module, PAM authentication disabled')
return None, '', ''
p_auth = pam.pam()
authenticated = p_auth.authenticate(pam_username, password, service=pam_service)
if authenticated:
log.debug('PAM authentication successful for {}'.format('redacted' if options['redact_username_in_logs'] else pam_username))
return True, auto_register_email, auto_register_username
else:
log.debug('PAM authentication failed for {}'.format('redacted' if options['redact_username_in_logs'] else pam_username))
return False, '', ''
def pam_authenticate(*args, **kwargs):
return pam.pam().authenticate(*args, **kwargs)
#!/usr/bin/env python2
import pam
import fileinput
import sys
import json
lines = list(fileinput.input())
if len(lines) < 2:
print("Expected only two lines: user, password")
sys.exit(1)
auth = pam.authenticate if hasattr(pam, "authenticate") else pam.pam().authenticate
if auth(lines[0].replace("\n", "").strip(), lines[1].replace("\n", "").strip()):
print("Success")
sys.exit(0)
print("Error")
sys.exit(1)
__version__ = "0.0.8"
__author__ = "Anton Hvornum"
pidfile = "/var/run/slim_smtp.pid"
DOMAIN = "example.com"
core = {
"_socket": {"listen": "", "ports": [25, 587]},
"SSL": {
"enabled": True,
"key": "/etc/ssl/hvornum.se.key_nopass",
"cert": "/etc/ssl/hvornum.se.crt",
"VERSION": ssl.PROTOCOL_TLSv1,
}, # |ssl.PROTOCOL_SSLv3},
"domain": DOMAIN,
"supports": [DOMAIN, "SIZE 10240000", "STARTTLS", "AUTH PLAIN", "ENHANCEDSTATUSCODES", "8BITMIME", "DSN"],
"users": {b"testuser": {"password": "******"}, "@POSTGRESQL": False, "@PAM": pam.pam()},
"relay": {"active": False, "host": "smtp.t3.se", "port": 25, "TLS": False},
"external": {"enforce_tls": True},
"storages": {
"testuser@" + DOMAIN: "/home/anton/Maildir/",
"default": "/home/anton/Maildir/",
"@POSTGRESQL": True,
"@PAM": False,
},
"postgresql": {"db": "example", "dbuser": "******", "dbpass": "******"},
}
def decompress(b):
import gzip
from io import BytesIO
import hashlib
import pam
from base64 import b64encode
import env
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.header import Header
from datetime import datetime
import json
from log import logger
from lvmtool import *
email_from_address = env.getenv('EMAIL_FROM_ADDRESS')
admin_email_address = env.getenv('ADMIN_EMAIL_ADDRESS')
PAM = pam.pam()
fspath = env.getenv('FS_PREFIX')
data_quota = env.getenv('DATA_QUOTA')
data_quota_cmd = env.getenv('DATA_QUOTA_CMD')
if (env.getenv('EXTERNAL_LOGIN').lower() == 'true'):
from plugin import external_receive
def administration_required(func):
@wraps(func)
def wrapper(*args, **kwargs):
if ( ('cur_user' in kwargs) == False):
return {"success":'false', "reason":"Cannot get cur_user"}
cur_user = kwargs['cur_user']
if ((cur_user.user_group == 'admin') or (cur_user.user_group == 'root')):
import argparse
import logging
import os
import pam
import socket
import sys
import traceback
import paramiko
from paramiko.common import DEBUG, INFO
from collections import deque
from threading import Thread
HOST, PORT = '0.0.0.0', 2222
BACKLOG = 10
PAM_AUTH = pam.pam()
_CONFIG = {}
log_name = 'ssh_coupler.main'
root_logger = paramiko.util.get_logger(log_name)
class Server(paramiko.ServerInterface):
def check_auth_password(self, username, password):
if PAM_AUTH.authenticate(username, password):
return paramiko.AUTH_SUCCESSFUL
return paramiko.AUTH_FAILED
def check_auth_publickey(self, username, key):
# Testing: all are allowed
return paramiko.AUTH_SUCCESSFUL
def setUp(self):
self.p = pam.pam()
