Exemplo n.º 1
0
 def __init__(self, tgsname, realm, kdcfile):
     """Initializes the Authentication server protocol with a name, realm, and KDC db file"""
     self.clients = {}
     self.session = CreateAndGetSession(kdcfile)
     try:
         tgs = self.session.query(KDC).filter_by(id=1).one()
     except:
         tgs = register(kdcfile, tgsname, Random.new().read(32), realm)
         if tgs.name != tgsname or tgs.realm != realm or tgs.id != 1:
             raise Exception("TGS must be id 1 and match the name and realm the server was constructed with")
     self.tgs = tgs
Exemplo n.º 2
0
class KerberosAuthServerProtocol(DatagramProtocol):
    """Authentication server protocol class
       Inherits: twisted DatagramProtocol
    """
    def datagramReceived(self, data, addr):
        """Receives a datagram from the reactor and decides what to do with it"""
        print("Connection from {}".format(addr[0]))
        sock = self.transport.socket

        # Get data type and maintain clients dict
        dtype = unpack("!b", data[0])[0]
        if not addr[0] in self.clients.keys():
            self.clients[addr[0]] = dict()

        # Ticket Granting Ticket Request packet received
        if dtype == TGT_REQ:
            print("Got tgt req")
            try:
                tgtreq = TGTRequest(blob=data[1:])
            except:
                KrbError("Malformed TGT Request").send(sock, addr)
            self.clients[addr[0]]["TGT_REQ"] = tgtreq
            try:
                # lookup the client in the KDC database
                name, realm = tgtreq.user_id.split("@")
                client = self.session.query(KDC).filter_by(name=name, realm=realm).one()
            except:
                KrbError("Client is not in the KDC database or name is invalid").send(sock, addr)
                return
            # create and send the TGS session key and TGT to the client
            skey = TGSSessionKey(tgs_id=self.tgs.name, valid_until=tgtreq.req_validity)
            tgt = TGT(client_id=client.name_realm, tgs_id=self.tgs.name,
                      net_addr=tgtreq.net_addr, valid_until=tgtreq.req_validity,
                      session_key=skey.session_key)
            skey.send(sock, client.secret_key_raw, addr)
            tgt.send(sock, self.tgs.secret_key_raw, addr)

        # Client Authenticator packet received, store it for later
        elif dtype == CLI_AUTH:
            print("Got cli_auth")
            self.clients[addr[0]]["CLI_AUTH_BLOB"] = data[1:]

        # Service ticket request received
        elif dtype == SVC_TKT_REQ:
            print("Got svc tkt req")
            try:
                # Decrypt the authenticator that was received previously
                auth = Authenticator(blob=decrypt_data(self.clients[addr[0]]["CLI_AUTH_BLOB"], self.clients[addr[0]]["TGT"].session_key))
            except:
                KrbError("Cannot decrypt client authenticator").send(sock, addr)
                return
            # do some checks
            if self.clients[addr[0]]["TGT"].client_id != auth.user_id:
                KrbError("Authenticator user ID does not match user id in the TGT").send(sock, addr)
            elif (self.clients[addr[0]]["TGT_REQ"].net_addr != '0.0.0.0' and
                    self.clients[addr[0]]["TGT"].net_addr != addr[0]):
                KrbError("Network addresses of the client and the TGT do not match").send(sock, addr)
            else:
                # checks passed, parse service ticket request from client
                svctktreq = ServiceTicketRequest(blob=data[1:])
                svcname, svcrealm = svctktreq.svc_id.split("@")
                try:
                    # look up the service in the KDC database
                    svc = self.session.query(KDC).filter_by(name=svcname, realm=svcrealm).one()
                except:
                    KrbError("The requested service does not exist in the database").send(sock, addr)
                # create and send the service ticket and service session key to the client
                svctkt = ServiceTicket(client_id=self.clients[addr[0]]["TGT"].client_id,
                                    svc_id=svc.name_realm,
                                    net_addr=self.clients[addr[0]]["TGT"].net_addr,
                                    valid_until=self.clients[addr[0]]["TGT"].valid_until)
                svc_sess_key = ServiceSessionKey(svc_id=svc.name_realm,
                                                session_key=svctkt.session_key,
                                                valid_until=self.clients[addr[0]]["TGT"].valid_until)
                svctkt.send(sock, svc.secret_key_raw, addr)
                svc_sess_key.send(sock, self.clients[addr[0]]["TGT"].session_key, addr)

        # TGT received from client
        elif dtype == TGT_RESP:
            print("Got tgt resp")
            try:
                self.clients[addr[0]]["TGT"] = TGT(blob=decrypt_data(data[1:], self.tgs.secret_key_raw))
            except:
                KrbError("Cannot decrypt received TGT").send(sock, addr)

        # Unknown packet type received
        else:
            print("Unknown packet type: " + str(dtype))
            KrbError("Unknown packet type").send(sock, addr)

    def __init__(self, tgsname, realm, kdcfile):
        """Initializes the Authentication server protocol with a name, realm, and KDC db file"""
        self.clients = {}
        self.session = CreateAndGetSession(kdcfile)
        try:
            tgs = self.session.query(KDC).filter_by(id=1).one()
        except:
            tgs = register(kdcfile, tgsname, Random.new().read(32), realm)
            if tgs.name != tgsname or tgs.realm != realm or tgs.id != 1:
                raise Exception("TGS must be id 1 and match the name and realm the server was constructed with")
        self.tgs = tgs