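def kadmin(self):
    """
    Obtain a kadmin/admin service ticket and prepare the kadmin command line.

    Runs kinit for C{<self.user>@<realm>} with C{-S kadmin/admin} into the
    admin credential cache (C{self.krb5admincc}), reads the cache back with
    klist and, on success, stores the kadmin argument vector in C{self.kadm}.
    Relies on C{self.user} and C{self.pw} having been set beforehand.

    Failures are logged and swallowed on purpose: the program keeps running
    without admin privileges.

    @return: self on success, False otherwise.
    """
    try:
        kinit = subprocess.Popen(
            [self.config.kinitpath, '-c', self.krb5admincc,
             '-S', 'kadmin/admin',
             '%s@%s' % (self.user, self.config.krb5realm)],
            stdin=subprocess.PIPE,
            stderr=subprocess.PIPE,
            stdout=subprocess.PIPE)
        # The password is written to kinit's stdin; it is never part of the
        # argument vector built above.
        (kinit_out, kinit_err) = kinit.communicate(self.pw + '\n')
        # Check kinit's exit status before trusting the cache: otherwise a
        # failed kinit goes unnoticed and any ticket already present in the
        # admin cache would be read back and accepted below.
        if kinit.returncode != 0:
            raise RuntimeError('kinit exited with status %s: %s'
                               % (kinit.returncode, kinit_err))

        klist = subprocess.Popen(
            [self.config.klistpath, '-c', self.krb5admincc],
            stdout=subprocess.PIPE)
        # Only stdout is piped, so serr is always None here.
        sout, serr = klist.communicate()
        logging.debug('krb5_keytab:krb5: %s', sout)
        logging.debug('krb5_keytab:krb5: %s', serr)

        # Parse into locals first so a failed parse does not overwrite the
        # configured admin cache path with an empty value.
        (admincc, user) = krb5.parse_name(sout)
        if not (admincc and user):
            # Raise a real exception (a bare string cannot be raised) and
            # test the admin cache that was just parsed, not self.krb5cc.
            raise RuntimeError('no usable ticket in admin cache %s'
                               % self.krb5admincc)
        self.krb5admincc = admincc

        logging.debug('Successfully got kadmin ticket for %s\n', user)
        self.kadm = [self.config.kadminpath, '-c', self.krb5admincc]
        return self
    except Exception as err:
        logging.warning(
            'Error while trying get admin credentials. Programm execution will continue, but we wont have any admin privileges in the authen backend\n'
            + str(err))
        # The documented contract is "False otherwise"; falling off the end
        # would return None.
        return False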
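def authenticate(self, **args):
    """
    Adopt an identity from an existing Kerberos ticket cache.

    The user has already been authenticated by a third party. This method
    only runs klist on the ticket cache and takes over the cache path and
    principal that C{krb5.parse_name} extracts from its output. Without
    arguments klist is run without C{-c}, i.e. on the ticket provided by the
    environment.

    Side effects on success: C{self.krb5cc} and C{self.user} are set,
    C{KRB5CCNAME} is exported into this process' environment and
    C{self.is_authenticated} becomes True.

    @param ccpath: path to the kerberos ticket cache. may be prefixed with
        'FILE:' for compatibility reason. If not specified, we use the
        KRB5CCNAME environment variable.
    @type ccpath: string
    @return: self on success, False if no cache path or principal could be
        extracted. C{self.user} holds the principal B{without} its realm.
    """
    try:
        ccpath = args.pop('ccpath')
    except KeyError:
        klist_argv = [self.config.klistpath]
    else:
        if ccpath.find(':') > 0:
            # Split on the first colon only, so a cache path that itself
            # contains ':' is not truncated when the prefix is removed.
            ccpath = ccpath.split(':', 1)[1]
        self.krb5cc = ccpath
        # ccpath is passed as a single argv element; no shell is involved.
        klist_argv = [self.config.klistpath, '-c', self.krb5cc]

    sub = subprocess.Popen(klist_argv, stdout=subprocess.PIPE)
    # Only stdout is piped, so serr is always None here.
    sout, serr = sub.communicate()
    logging.debug('krb5_apache:krb5: %s', sout)
    logging.debug('krb5_apache:krb5: %s', serr)

    # NOTE(review): the klist listing is the only evidence of identity used
    # here. Neither klist's exit status nor ticket expiry is checked in this
    # method -- confirm that krb5.parse_name rejects expired caches, or test
    # the cache with `klist -s` first.
    (self.krb5cc, self.user) = krb5.parse_name(sout)
    if not (self.krb5cc and self.user):
        return False

    # NOTE(review): the realm is dropped without being compared to the
    # configured realm, so a principal from another realm would map to the
    # same local name -- verify that callers can only hand in caches from
    # the expected realm.
    self.user = self.user.split('@')[0]
    logging.info('krb5_apache:Got krb5path from ticket: %s', self.krb5cc)
    logging.info('krb5_apache:Got principal from ticket: %s', self.user)
    # Process-wide: every later Kerberos call in this process uses this cache.
    os.environ['KRB5CCNAME'] = self.krb5cc
    self.is_authenticated = True
    return self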
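def authenticate(self, **args):
    """
    Adopt an identity from an existing Kerberos ticket cache.

    The user has already been authenticated by a third party. This method
    only runs klist on the ticket cache and takes over the cache path and
    principal that C{krb5.parse_name} extracts from its output. Without
    arguments klist is run without C{-c}, i.e. on the ticket provided by the
    environment.

    Side effects on success: C{self.krb5cc} and C{self.user} are set,
    C{KRB5CCNAME} is exported into this process' environment and
    C{self.is_authenticated} becomes True.

    @param ccpath: path to the kerberos ticket cache. may be prefixed with
        'FILE:' for compatibility reason. If not specified, we use the
        KRB5CCNAME environment variable.
    @type ccpath: string
    @return: self on success, False if no cache path or principal could be
        extracted. C{self.user} holds the principal B{without} its realm.
    """
    try:
        ccpath = args.pop('ccpath')
    except KeyError:
        klist_argv = [self.config.klistpath]
    else:
        if ccpath.find(':') > 0:
            # Split on the first colon only, so a cache path that itself
            # contains ':' is not truncated when the prefix is removed.
            ccpath = ccpath.split(':', 1)[1]
        self.krb5cc = ccpath
        # ccpath is passed as a single argv element; no shell is involved.
        klist_argv = [self.config.klistpath, '-c', self.krb5cc]

    sub = subprocess.Popen(klist_argv, stdout=subprocess.PIPE)
    # Only stdout is piped, so serr is always None here.
    sout, serr = sub.communicate()
    logging.debug('krb5_apache:krb5: %s', sout)
    logging.debug('krb5_apache:krb5: %s', serr)

    # NOTE(review): the klist listing is the only evidence of identity used
    # here. Neither klist's exit status nor ticket expiry is checked in this
    # method -- confirm that krb5.parse_name rejects expired caches, or test
    # the cache with `klist -s` first.
    (self.krb5cc, self.user) = krb5.parse_name(sout)
    if not (self.krb5cc and self.user):
        return False

    # NOTE(review): the realm is dropped without being compared to the
    # configured realm, so a principal from another realm would map to the
    # same local name -- verify that callers can only hand in caches from
    # the expected realm.
    self.user = self.user.split('@')[0]
    logging.info('krb5_apache:Got krb5path from ticket: %s', self.krb5cc)
    logging.info('krb5_apache:Got principal from ticket: %s', self.user)
    # Process-wide: every later Kerberos call in this process uses this cache.
    os.environ['KRB5CCNAME'] = self.krb5cc
    self.is_authenticated = True
    return self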
def authenticate(self, **args):
    """
    Authenticate a principal non-interactively from a keytab file.

    Runs kinit with C{-k -t <keytab> -p <user>} into C{self.krb5cc} and, if
    kinit exits with status 0, reads the cache back with klist to learn the
    principal that was actually obtained.

    @param keytab: the keytab location. If not set, we use the keytab
        specified in the config object.
    @type keytab: string
    @param user: principal to request. Defaults to C{host/<hostname>}.
    @type user: string
    @return: returns self or False
    """
    self.keytab = args.get('keytab', self.config.krb5keytab)
    self.user = args.get('user', 'host/%s' % hostname())

    # Guard: an unreadable keytab ends the attempt before kinit is started.
    if not os.access(self.keytab, os.R_OK):
        logging.error(
            "Can not read from keytab file '%s'. Authentication failed.",
            self.keytab)
        return False

    # The principal follows '-p' as that option's argument and every value
    # is its own argv element; no shell is involved.
    kinit_argv = [
        self.config.kinitpath,
        '-c', self.krb5cc,
        '-k',
        '-t', self.keytab,
        '-p', self.user,
    ]
    if subprocess.call(kinit_argv) != 0:
        logging.warning('Something went wrong while trying to kinit.')
        return False

    klist = subprocess.Popen(
        [self.config.klistpath, '-c', self.krb5cc],
        stdout=subprocess.PIPE)
    # Only stdout is piped, so serr is always None here.
    sout, serr = klist.communicate()
    logging.debug('krb5_keytab:krb5: %s', sout)
    logging.debug('krb5_keytab:krb5: %s', serr)

    # self.user is replaced by whatever principal klist reports; it is not
    # compared against the principal that was requested above.
    (krb5cc, self.user) = krb5.parse_name(sout)
    if not (krb5cc and self.user):
        logging.warning('krb5_keytab:Invalid keycache at %s', krb5cc)
        return False

    # NOTE(review): a cache path that differs from the requested one is only
    # logged; authentication still succeeds -- confirm this is intended.
    if not krb5cc == self.krb5cc:
        logging.warning('krb5_keytab: Using wrong keytab %s %s',
                        krb5cc, self.krb5cc)

    # Keep only the part of the principal in front of the realm.
    self.user = self.user.split('@')[0]
    logging.debug('krb5_apache:Got krb5path from ticket: %s', self.krb5cc)
    logging.info('krb5_apache:Got principal from ticket: %s', self.user)
    self.is_authenticated = True
    return self
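def authenticate(self, **args):
    """
    Authenticate a user against Kerberos with a password.

    Will ask for the password B{interactively}. If no user name is passed in,
    we will ask for that too. kinit is run for C{<user>@<realm>} into
    C{self.krb5cc}; the cache is then read back with klist.

    The password stays on the instance as C{self.pw} after this call.

    @param user: if set, the login name to authenticate. if not set, this
        function asks interactively for a username
    @type user: string
    @param pw: if set, the password for this user (meant for testing only).
        if not set, this function asks interactively for a password
    @type pw: string
    @return: returns self on success, False otherwise
    """
    self.user = args.get('user', False)
    if not self.user:
        print("\nWelcome to the UnixDomain")
        print("=============================")
        try:
            while not self.user:
                self.user = raw_input('account name : ')
        except KeyboardInterrupt:
            return False

    # The account name becomes a positional kinit argument below. A value
    # starting with '-' would be read by kinit as an option, so refuse it.
    if str(self.user).startswith('-'):
        logging.warning('Rejecting account name that starts with "-".')
        return False

    self.pw = args.get('pw', '')  # ONLY use this for testing!!!
    while not self.pw:
        self.pw = getpass('password : ')

    # NOTE(review): the published listing is masked between the getpass
    # prompt string and the '-c' argument. The start of this kinit call was
    # rebuilt from the way kinit is invoked elsewhere in this listing --
    # verify against the upstream file.
    sub = subprocess.Popen(
        [self.config.kinitpath, '-c', self.krb5cc,
         '%s@%s' % (self.user, self.config.krb5realm)],
        stdin=subprocess.PIPE,
        stderr=subprocess.PIPE,
        stdout=subprocess.PIPE)
    # The password is written to kinit's stdin; it is never part of the
    # argument vector built above.
    (sout, serr) = sub.communicate(self.pw + '\n')
    # Check kinit's exit status before trusting the cache: otherwise a wrong
    # password goes unnoticed and any ticket already present in self.krb5cc
    # would be read back and accepted as this user's.
    if sub.returncode != 0:
        logging.debug('krb5_keytab:krb5: %s', serr)
        logging.warning('kinit failed with status %s', sub.returncode)
        return False

    sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5cc],
                           stdout=subprocess.PIPE)
    # Only stdout is piped, so serr is always None here.
    (sout, serr) = sub.communicate()
    logging.debug('krb5_keytab:krb5: %s', sout)
    logging.debug('krb5_keytab:krb5: %s', serr)

    (self.krb5cc, self.user) = krb5.parse_name(sout)
    if not (self.krb5cc and self.user):
        logging.warning('krb5_keytab:Invalid keycache at %s', self.krb5cc)
        return False

    # Keep only the part of the principal in front of the realm.
    self.user = self.user.split('@')[0]
    self.is_authenticated = True
    return self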
def authenticate(self, **args):
    """
    Authenticate a principal non-interactively from a keytab file.

    Runs kinit with C{-k -t <keytab> -p <user>} into C{self.krb5cc} and, if
    kinit exits with status 0, reads the cache back with klist to learn the
    principal that was actually obtained.

    @param keytab: the keytab location. If not set, we use the keytab
        specified in the config object.
    @type keytab: string
    @param user: principal to request. Defaults to C{host/<hostname>}.
    @type user: string
    @return: returns self or False
    """
    self.keytab = args.get('keytab', self.config.krb5keytab)
    self.user = args.get('user', 'host/%s' % hostname())

    # Guard: an unreadable keytab ends the attempt before kinit is started.
    if not os.access(self.keytab, os.R_OK):
        logging.error(
            "Can not read from keytab file '%s'. Authentication failed.",
            self.keytab)
        return False

    # The principal follows '-p' as that option's argument and every value
    # is its own argv element; no shell is involved.
    kinit_argv = [
        self.config.kinitpath,
        '-c', self.krb5cc,
        '-k',
        '-t', self.keytab,
        '-p', self.user,
    ]
    if subprocess.call(kinit_argv) != 0:
        logging.warning('Something went wrong while trying to kinit.')
        return False

    klist = subprocess.Popen(
        [self.config.klistpath, '-c', self.krb5cc],
        stdout=subprocess.PIPE)
    # Only stdout is piped, so serr is always None here.
    sout, serr = klist.communicate()
    logging.debug('krb5_keytab:krb5: %s', sout)
    logging.debug('krb5_keytab:krb5: %s', serr)

    # self.user is replaced by whatever principal klist reports; it is not
    # compared against the principal that was requested above.
    (krb5cc, self.user) = krb5.parse_name(sout)
    if not (krb5cc and self.user):
        logging.warning('krb5_keytab:Invalid keycache at %s', krb5cc)
        return False

    # NOTE(review): a cache path that differs from the requested one is only
    # logged; authentication still succeeds -- confirm this is intended.
    if not krb5cc == self.krb5cc:
        logging.warning('krb5_keytab: Using wrong keytab %s %s',
                        krb5cc, self.krb5cc)

    # Keep only the part of the principal in front of the realm.
    self.user = self.user.split('@')[0]
    logging.debug('krb5_apache:Got krb5path from ticket: %s', self.krb5cc)
    logging.info('krb5_apache:Got principal from ticket: %s', self.user)
    self.is_authenticated = True
    return self
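def kadmin(self):
    """
    Obtain a kadmin/admin service ticket and prepare the kadmin command line.

    Runs kinit for C{<self.user>@<realm>} with C{-S kadmin/admin} into the
    admin credential cache (C{self.krb5admincc}), reads the cache back with
    klist and, on success, stores the kadmin argument vector in C{self.kadm}.
    Relies on C{self.user} and C{self.pw} having been set beforehand.

    Failures are logged and swallowed on purpose: the program keeps running
    without admin privileges.

    @return: self on success, False otherwise.
    """
    try:
        kinit = subprocess.Popen(
            [self.config.kinitpath, '-c', self.krb5admincc,
             '-S', 'kadmin/admin',
             '%s@%s' % (self.user, self.config.krb5realm)],
            stdin=subprocess.PIPE,
            stderr=subprocess.PIPE,
            stdout=subprocess.PIPE)
        # The password is written to kinit's stdin; it is never part of the
        # argument vector built above.
        (kinit_out, kinit_err) = kinit.communicate(self.pw + '\n')
        # Check kinit's exit status before trusting the cache: otherwise a
        # failed kinit goes unnoticed and any ticket already present in the
        # admin cache would be read back and accepted below.
        if kinit.returncode != 0:
            raise RuntimeError('kinit exited with status %s: %s'
                               % (kinit.returncode, kinit_err))

        klist = subprocess.Popen(
            [self.config.klistpath, '-c', self.krb5admincc],
            stdout=subprocess.PIPE)
        # Only stdout is piped, so serr is always None here.
        sout, serr = klist.communicate()
        logging.debug('krb5_keytab:krb5: %s', sout)
        logging.debug('krb5_keytab:krb5: %s', serr)

        # Parse into locals first so a failed parse does not overwrite the
        # configured admin cache path with an empty value.
        (admincc, user) = krb5.parse_name(sout)
        if not (admincc and user):
            # Raise a real exception (a bare string cannot be raised) and
            # test the admin cache that was just parsed, not self.krb5cc.
            raise RuntimeError('no usable ticket in admin cache %s'
                               % self.krb5admincc)
        self.krb5admincc = admincc

        logging.debug('Successfully got kadmin ticket for %s\n', user)
        self.kadm = [self.config.kadminpath, '-c', self.krb5admincc]
        return self
    except Exception as err:
        logging.warning(
            'Error while trying get admin credentials. Programm execution will continue, but we wont have any admin privileges in the authen backend\n'
            + str(err))
        # The documented contract is "False otherwise"; falling off the end
        # would return None.
        return False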
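def authenticate(self, **args):
    """
    Authenticate a user against Kerberos with a password.

    Will ask for the password B{interactively}. If no user name is passed in,
    we will ask for that too. kinit is run for C{<user>@<realm>} into
    C{self.krb5cc}; the cache is then read back with klist.

    The password stays on the instance as C{self.pw} after this call.

    @param user: if set, the login name to authenticate. if not set, this
        function asks interactively for a username
    @type user: string
    @param pw: if set, the password for this user (meant for testing only).
        if not set, this function asks interactively for a password
    @type pw: string
    @return: returns self on success, False otherwise
    """
    self.user = args.get('user', False)
    if not self.user:
        print("\nWelcome to the UnixDomain")
        print("=============================")
        try:
            while not self.user:
                self.user = raw_input('account name : ')
        except KeyboardInterrupt:
            return False

    # The account name becomes a positional kinit argument below. A value
    # starting with '-' would be read by kinit as an option, so refuse it.
    if str(self.user).startswith('-'):
        logging.warning('Rejecting account name that starts with "-".')
        return False

    self.pw = args.get('pw', '')  # ONLY use this for testing!!!
    while not self.pw:
        self.pw = getpass('password : ')

    # NOTE(review): the published listing is masked between the getpass
    # prompt string and the '-c' argument. The start of this kinit call was
    # rebuilt from the way kinit is invoked elsewhere in this listing --
    # verify against the upstream file.
    sub = subprocess.Popen(
        [self.config.kinitpath, '-c', self.krb5cc,
         '%s@%s' % (self.user, self.config.krb5realm)],
        stdin=subprocess.PIPE,
        stderr=subprocess.PIPE,
        stdout=subprocess.PIPE)
    # The password is written to kinit's stdin; it is never part of the
    # argument vector built above.
    (sout, serr) = sub.communicate(self.pw + '\n')
    # Check kinit's exit status before trusting the cache: otherwise a wrong
    # password goes unnoticed and any ticket already present in self.krb5cc
    # would be read back and accepted as this user's.
    if sub.returncode != 0:
        logging.debug('krb5_keytab:krb5: %s', serr)
        logging.warning('kinit failed with status %s', sub.returncode)
        return False

    sub = subprocess.Popen([self.config.klistpath, '-c', self.krb5cc],
                           stdout=subprocess.PIPE)
    # Only stdout is piped, so serr is always None here.
    (sout, serr) = sub.communicate()
    logging.debug('krb5_keytab:krb5: %s', sout)
    logging.debug('krb5_keytab:krb5: %s', serr)

    (self.krb5cc, self.user) = krb5.parse_name(sout)
    if not (self.krb5cc and self.user):
        logging.warning('krb5_keytab:Invalid keycache at %s', self.krb5cc)
        return False

    # Keep only the part of the principal in front of the realm.
    self.user = self.user.split('@')[0]
    self.is_authenticated = True
    return self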