def authenticate(username, password, elist=_elist):
""" elist will be used to store an immutable dict (from the
function's point of view, it won't be reset each time the function is
called).
"""
global log
# service: PAM service to authenticate against, defaults to 'login'
service = 'login'
# login service seems to return faster,
if username == 'root':
service = 'passwd'
log.debug("authenticate, authenticating: %s " % username)
if not str(password).strip(): # password IS blank
log.debug("password is blank!")
if username in elist:
return False
else:
elist.append(username)
if pam.authenticate(username, password):
return True
else:
return False # didn't have this, and it authenticated a second time
# below, causing the first instance of a blank password to take
# twice as long to authenticate, duh!
else:
if pam.authenticate(username, password):
return True
else:
return False
def handle_client(sock):
data = json.loads(sock.recv(4096))
if data["request"] == "status":
f = open("/etc/hostname")
if os.path.exists("/var/run/genesis.pid"):
status = "active"
else:
status = "inactive"
sock.sendall(json.dumps({"response": "ok", "name": f.readline().strip("\n"), "status": status}))
f.close()
elif data["request"] == "reload":
if pam.authenticate(data["user"], data["pass"], service="account"):
sock.sendall(json.dumps({"response": "ok"}))
reload()
else:
sock.sendall(json.dumps({"response": "fail"}))
elif data["request"] == "shutdown":
if pam.authenticate(data["user"], data["pass"], service="account"):
sock.sendall(json.dumps({"response": "ok"}))
shutdown()
else:
sock.sendall(json.dumps({"response": "fail"}))
elif data["request"] == "reboot":
if pam.authenticate(data["user"], data["pass"], service="account"):
sock.sendall(json.dumps({"response": "ok"}))
reboot()
else:
sock.sendall(json.dumps({"response": "fail"}))
elif data["request"] == "ping":
sock.sendall(json.dumps({"response": "ok"}))
def pam_auth(username, password):
''' Accepts username and password and tried to use PAM for authentication.
Works only with root privileges
'''
return pam.authenticate(username, password, service="system-auth")
try:
return pam.authenticate(username, password, service="system-auth")
except:
return False
def handle_auth(pam_user, pam_rhost):
# Read parameters tunneled through password field
authtok = sys.stdin.readline().rstrip()[:-1]
auth_params = None
try:
auth_params = json.loads(authtok)
session_id = auth_params['SessionId']
password = auth_params['SshPassword']
except (ValueError, KeyError) as e:
# Backwards compatibility case
# Client sends a session ID prepended to the SSH password.
# Extract the sesssion ID, and then perform standard PAM
# authentication with the username and remaining password.
# Older backwards compatibility case: if the password length is
# not correct, skip the session ID logic.
# Two hex characters per byte
expected_authtok_length = (2 * (psi_config.SESSION_ID_BYTE_LENGTH +
psi_config.SSH_PASSWORD_BYTE_LENGTH))
if len(authtok) == expected_authtok_length:
session_id = authtok[0:psi_config.SESSION_ID_BYTE_LENGTH * 2]
password = authtok[psi_config.SESSION_ID_BYTE_LENGTH * 2:]
if 0 != len(
filter(lambda x: x not in psi_config.SESSION_ID_CHARACTERS,
session_id)):
return False
else:
# Older backwards compatibility case
session_id = None
password = authtok
# Authenticate user
try:
pam.authenticate(pam_user, password)
except pam.PamException as e:
return False
# Call 'auth' plugins
for plugin in plugins:
if hasattr(plugin, 'auth') and not plugin.auth(auth_params):
return False
# Store session_id/region mapping for stats
if session_id:
set_session_region(pam_rhost, session_id)
return True
def handle_auth(pam_user, pam_rhost):
# Read parameters tunneled through password field
authtok = sys.stdin.readline().rstrip()[:-1]
auth_params = None
try:
auth_params = json.loads(authtok)
session_id = auth_params['SessionId']
password = auth_params['SshPassword']
except (ValueError, KeyError) as e:
# Backwards compatibility case
# Client sends a session ID prepended to the SSH password.
# Extract the sesssion ID, and then perform standard PAM
# authentication with the username and remaining password.
# Older backwards compatibility case: if the password length is
# not correct, skip the session ID logic.
# Two hex characters per byte
expected_authtok_length = (
2*(psi_config.SESSION_ID_BYTE_LENGTH +
psi_config.SSH_PASSWORD_BYTE_LENGTH))
if len(authtok) == expected_authtok_length:
session_id = authtok[0:psi_config.SESSION_ID_BYTE_LENGTH*2]
password = authtok[psi_config.SESSION_ID_BYTE_LENGTH*2:]
if 0 != len(filter(lambda x : x not in psi_config.SESSION_ID_CHARACTERS, session_id)):
return False
else:
# Older backwards compatibility case
session_id = None
password = authtok
# Authenticate user
try:
pam.authenticate(pam_user, password)
except pam.PamException as e:
return False
# Call 'auth' plugins
for plugin in plugins:
if hasattr(plugin, 'auth') and not plugin.auth(auth_params):
return False
# Store session_id/region mapping for stats
if session_id:
set_session_region(pam_rhost, session_id)
return True
def check_auth(self, username, password):
if pam.authenticate(username, password,
desktop.conf.AUTH.PAM_SERVICE.get()):
is_super = False
if User.objects.count() == 0:
is_super = True
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = find_or_create_user(username, None)
if user is not None and user.is_active:
profile = get_profile(user)
profile.creation_method = UserProfile.CreationMethod.EXTERNAL
profile.save()
user.is_superuser = is_super
default_group = get_default_user_group()
if default_group is not None:
user.groups.add(default_group)
user.save()
user = rewrite_user(user)
return user
return None
def authenticate(self, username=None, password=None):
if pam.authenticate(username, password, settings.PAM_SERVICE):
try:
user = User.objects.get(username=username)
user.set_password(password)
user.save()
except User.DoesNotExist:
user = User(username=username, password=password)
user.save()
if settings.USE_LDAP:
import ldap
l = ldap.initialize(settings.LDAP_HOST)
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.simple_bind_s(settings.LDAP_BIND_DN, settings.LDAP_BIND_PASS)
r = l.search(settings.LDAP_SEARCH_PATH, ldap.SCOPE_ONELEVEL, "(uid=%s)" % username,
[settings.LDAP_FIRST_NAME, settings.LDAP_LAST_NAME, settings.LDAP_EMAIL,
settings.LDAP_DATE_JOINED])
r = l.result(r)
user.first_name = r[1][0][1][settings.LDAP_FIRST_NAME][0]
user.last_name = r[1][0][1][settings.LDAP_LAST_NAME][0]
user.email = r[1][0][1][settings.LDAP_EMAIL][0]
date_joined = r[1][0][1][settings.LDAP_DATE_JOINED][0]
user.date_joined = datetime.strptime(date_joined[:-1], '%Y%m%d%H%M%S')
user.save()
return user
return None
def authenticate(self, request=None, username=None, password=None):
username = force_username_case(username)
if AUTH.PAM_USE_PWD_MODULE.get():
LOG.debug('Setting username to %s using PAM pwd module for user %s' % (getpwnam(username).pw_name, username))
username = getpwnam(username).pw_name
if pam.authenticate(username, password, AUTH.PAM_SERVICE.get()):
is_super = False
if User.objects.exclude(id=install_sample_user().id).count() == 0:
is_super = True
try:
if AUTH.IGNORE_USERNAME_CASE.get():
user = User.objects.get(username__iexact=username)
else:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = find_or_create_user(username, None)
if user is not None and user.is_active:
profile = get_profile(user)
profile.creation_method = UserProfile.CreationMethod.EXTERNAL.name
profile.save()
user.is_superuser = is_super
ensure_has_a_group(user)
user.save()
user = rewrite_user(user)
return user
return None
def handle_request(self, parameters):
# fill in any missing userdn, etc.
self.validate(parameters)
is_root = (self.calleruid == 0) and parameters['asroot']
mods = []
# check if the the user passed the rootpwmoddn
if parameters['asroot']:
binddn = cfg.rootpwmoddn
# check if rootpwmodpw should be used
if not parameters['password'] and is_root and cfg.rootpwmodpw:
password = cfg.rootpwmodpw
else:
password = parameters['password']
else:
binddn = parameters['userdn']
password = parameters['password']
# write response header
self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
# check home directory modification
homedir = parameters['mods'].get(constants.NSLCD_USERMOD_HOMEDIR)
if homedir:
if is_root:
mods.append((ldap.MOD_REPLACE, passwd.attmap['homeDirectory'], [homedir]))
elif not os.path.isabs(homedir):
self.write_result(constants.NSLCD_USERMOD_HOMEDIR,
'should be an absolute path')
elif not os.path.isdir(homedir):
self.write_result(constants.NSLCD_USERMOD_HOMEDIR,
'not a directory')
else:
mods.append((ldap.MOD_REPLACE, passwd.attmap['homeDirectory'], [homedir]))
# check login shell modification
shell = parameters['mods'].get(constants.NSLCD_USERMOD_SHELL)
if shell:
if is_root:
mods.append((ldap.MOD_REPLACE, passwd.attmap['loginShell'], [shell]))
elif shell not in list_shells():
self.write_result(constants.NSLCD_USERMOD_SHELL,
'unlisted shell')
elif not os.path.isfile(shell) or not os.access(shell, os.X_OK):
self.write_result(constants.NSLCD_USERMOD_SHELL,
'not an executable')
else:
mods.append((ldap.MOD_REPLACE, passwd.attmap['loginShell'], [shell]))
# get a connection and perform the modification
if mods:
try:
conn, authz, msg = pam.authenticate(binddn, password)
conn.modify_s(parameters['userdn'], mods)
logging.info('changed information for %s', parameters['userdn'])
except (ldap.INVALID_CREDENTIALS, ldap.INSUFFICIENT_ACCESS) as e:
try:
msg = e[0]['desc']
except Exception:
msg = str(e)
logging.debug('modification failed: %s', msg)
self.write_result(constants.NSLCD_USERMOD_RESULT, msg)
# write closing statement
self.fp.write_int32(constants.NSLCD_USERMOD_END)
self.fp.write_int32(constants.NSLCD_RESULT_END)
def authenticate(self, request=None, username=None, password=None):
username = force_username_case(username)
if pam.authenticate(username, password, AUTH.PAM_SERVICE.get()):
is_super = False
if User.objects.count() == 0:
is_super = True
try:
if AUTH.IGNORE_USERNAME_CASE.get():
user = User.objects.get(username__iexact=username)
else:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = find_or_create_user(username, None)
if user is not None and user.is_active:
profile = get_profile(user)
profile.creation_method = UserProfile.CreationMethod.EXTERNAL.name
profile.save()
user.is_superuser = is_super
ensure_has_a_group(user)
user.save()
user = rewrite_user(user)
return user
return None
def post(self):
import pam
import pwd
username = self.get_argument("username")
password = self.get_argument("password")
if pam.authenticate(username, password):
db = self.settings['db_async']
info = pwd.getpwnam(username)
fms_token = str(uuid.uuid4())
user = {
u'_id': fms_token,
u'username': username,
u'uid': info.pw_uid,
u'gid': info.pw_gid,
u'home': info.pw_dir,
u'created': datetime.datetime.now()
}
result = yield motor.Op(db.tokens.insert, user)
self.set_secure_cookie("fms_auth", fms_token, expires_days=None)
self.write("OK")
else:
self.clear_cookie("username")
self.set_status(401) #Unauthorized
def authenticate(self, username, password):
username = force_username_case(username)
if pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get()):
is_super = False
if User.objects.count() == 0:
is_super = True
try:
if desktop.conf.AUTH.IGNORE_USERNAME_CASE.get():
user = User.objects.get(username__iexact=username)
else:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = find_or_create_user(username, None)
if user is not None and user.is_active:
profile = get_profile(user)
profile.creation_method = UserProfile.CreationMethod.EXTERNAL
profile.save()
user.is_superuser = is_super
ensure_has_a_group(user)
user.save()
user = rewrite_user(user)
return user
return None
def handle(self):
logger.debug("Received connection.")
while True:
try:
r = self.request.recv(1024)
if len(r) == 0:
logger.debug("Client quit")
break
data = json.loads(str(r, 'utf-8'))
except ValueError:
self.reply({}, status=400, message='JSON Parse error')
if 'username' in data:
if 'password' in data:
username = data['username']
password = data['password']
service = data.get('service', 'login')
if pam.authenticate(username, password, service=service):
self.reply({}, status=200, message='Authentication successful.')
else:
self.reply({}, status=401, message='Authentication failed.')
else:
self.reply({}, status=400, message='Password is missing.')
else:
self.reply({}, status=400, message='Username is missing.')
def chgPass(request):
"""修改登录系统的密码"""
error = ""
msg = ""
if request.method == "POST":
username = request.session.get("username")
oldpass = request.POST.get("oldpass")
password = request.POST.get("password")
password_confirm = request.POST.get("password_confirm")
if "" in [oldpass, password, password_confirm]:
error = "带*内容不能为空"
elif not pam.authenticate(username, oldpass):
error = "密码不正确"
elif password != password_confirm:
error = "两次密码不匹配"
if not error:
ret = subprocess.call("%s %s %s" % (chgpass_shell, username, password), shell=True)
if ret:
error = "密码修改失败"
else:
msg = "修改密码成功"
return render_to_response(
"chgPass.html", {"msg": msg, "error": error, "pass_menu": "active"}, context_instance=RequestContext(request)
)
def authenticate(self, username=None, password=None):
# print("PAMBackend.authenticate was just called, like.. right now !!!!!")
if (pam.authenticate(username, password)):
print("pam.authenticate() returned True")
try:
user = User.objects.get(username=username)
print("User found")
except User.DoesNotExist:
print("User *not* found")
user = User(username=username)
user.is_staff = False
user.is_active = True
try:
user.save()
print("user created")
except:
print("user *not* created")
try:
a = Staff.objects.get( Q( user=user ) | Q( nethz_login=user.username ))
if not a.user == user:
a.user = user
a.save()
print( "advisor found: %s" % ( a ) )
except Staff.DoesNotExist:
a = Staff(user=user)
try:
a.save()
except Exception as e:
print( e )
print( "created advisor: %s" % ( a ) )
print(a)
return user
else:
return
def post(self):
import pam
import pwd
username = self.get_argument("username")
password = self.get_argument("password")
if pam.authenticate(username, password):
db = self.settings['db_async']
info = pwd.getpwnam(username)
fms_token = str(uuid.uuid4())
user = {
u'_id' : fms_token,
u'username' : username,
u'uid' : info.pw_uid,
u'gid' : info.pw_gid,
u'home': info.pw_dir,
u'created' : datetime.datetime.now()
}
result = yield motor.Op(db.tokens.insert, user)
self.set_secure_cookie("fms_auth", fms_token, expires_days=None)
self.write("OK")
else:
self.clear_cookie("username")
self.set_status(401) #Unauthorized
def GET(self):
getInput = web.input(username="", password="")
if pam.authenticate(getInput.username, getInput.password):
session.loggedin = True
return 'success'
else:
return 'fail'
def chgPass(request):
error = ''
msg = ''
if request.method == 'POST':
username = request.session.get('username')
oldpass = request.POST.get('oldpass')
password = request.POST.get('password')
password_confirm = request.POST.get('password_confirm')
if '' in [oldpass, password, password_confirm]:
error = '带*内容不能为空'
elif not pam.authenticate(username, oldpass):
error = '密码不正确'
elif password != password_confirm:
error = '两次密码不匹配'
if not error:
ret = subprocess.call('%s %s %s' %
(chgpass_shell, username, password),
shell=True)
if ret:
error = '密码修改失败'
else:
msg = '修改密码成功'
return render_to_response('chgPass.html', {
'msg': msg,
'error': error,
'pass_menu': 'active'
},
context_instance=RequestContext(request))
def check_auth(self, username, password):
if pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get()):
is_super = False
if User.objects.count() == 0:
is_super = True
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = find_or_create_user(username, None)
if user is not None and user.is_active:
profile = get_profile(user)
profile.creation_method = UserProfile.CreationMethod.EXTERNAL
profile.save()
user.is_superuser = is_super
default_group = get_default_user_group()
if default_group is not None:
user.groups.add(default_group)
user.save()
user = rewrite_user(user)
return user
return None
def pam_authenticate(username=None, password=None):
if pam.authenticate(username, password, service="login"):
try:
user = User.objects.get(username=username)
# Change user password in DB because PAM authenticated the new one.
if user.check_password(password):
return True
user.set_password(password)
user.save()
return True
except User.DoesNotExist:
# New user that is not in the database.
user = User.objects.create_user(username=username, password=password)
# Checks if the user has sudo right for the server
if username in grp.getgrnam("sudo")[3]:
if not "sudo" in Group.objects.all():
group = Group.objects.create(name="sudo")
else:
group = Group.objects.get(name="sudo")
user.groups.add(group)
user.save()
return True
return False
def check_password(self, password):
if 'palco.backends.PAMBackend' in settings.AUTHENTICATION_BACKENDS:
import pam
return pam.authenticate(self.user.username, password, settings.PAM_SERVICE)
else:
return self.user.check_password(password)
def get_html(self, http_context):
no_auth = ['.jpg', '.png', '.css', '.ico', '.htm']
if http_context.module == 'static' and (http_context.url[-4:]
in no_auth):
return None
sessionid = http_context.sessionid
if 'num_logout' in http_context.http_get.keys():
http_context.session.del_var(sessionid, 'CONNECTED')
error = ''
connected = False
sessionvars = http_context.session.get_vars(sessionid)
if 'CONNECTED' in sessionvars.keys():
if not 'alphanum_json' in http_context.http_get.keys():
return None
else:
connected = True
error = 'No Error'
http_post = http_context.http_post
http_post_varlist = http_post.keys()
allowedlogin = self._webconf['login_allowusers'].split(',')
loginmodule = self._webconf['login_pammodule']
if 'alphanum_login' in http_post_varlist and 'str_password' in http_post_varlist:
if http_post['alphanum_login'] in allowedlogin and pam.authenticate(
http_post['alphanum_login'], http_post['str_password'],
loginmodule):
http_context.session.add_var(sessionid, 'CONNECTED', True)
http_context.session.add_var(sessionid, 'user',
http_post['alphanum_login'])
if not 'alphanum_json' in http_context.http_get.keys():
return None
connected = True
error = 'No Error'
else:
error = 'Wrong credentials'
token = sessionvars['posttoken']
content = {
'page': http_context.url,
'error': error,
'token': token,
'connected': connected
}
if 'alphanum_json' in http_context.http_get.keys():
template = None
content = json.dumps(content)
http_context.session.add_var(sessionid, 'API', True)
else:
template = 'login.tpl'
return WebStructure.HttpContext(statuscode=200,
content=content,
template=template,
mimetype='text/html')
def doLogin(self, username=None, password=None):
result = pam.authenticate(username=username, password=password, service='login')
if result:
global logined
logined=1
raise cherrypy.HTTPRedirect("Serverconfig")
else:
raise cherrypy.HTTPRedirect("index")
def valid_auth(environ):
auth = environ.get('HTTP_AUTHORIZATION', None)
if auth:
auth = b64decode(auth[6:])
username, password = auth.split(':')
return authenticate(username, password)
else:
return False
def _checkPAM(self, username, password):
if '\\' in username:
domain, user = username.split('\\')
username = '******' % (user, domain.upper())
elif '@' in username:
user, domain = username.split('@')
username = '******' % (user, domain.upper())
return pam.authenticate(username, password, self.pamService)
def check(self, username, password, realm):
"""
Checks if there is a user with the specified username and password for the specified realm
@param string username
@param string password in clear text
@return boolean
"""
return pam.authenticate(username, password)
def authenticate(self):
if pam.authenticate(self.username, self.password):
logging.debug("Auth success for user: %s" % self.username)
self.password = None # such security! :D
self.authenticated = True
else:
logging.debug("Auth FAIL for user: %s" % self.username)
self.authenticated = False
def delete_user(self, *args):
import pam
password_input = Gtk.Entry()
password_input.set_visibility(False)
password_input.set_alignment(0.5)
confirm = KanoDialog(
title_text = _('Are you sure you want to delete this account?'),
description_text = _('Enter {}\'s password - A reboot will be required'.format(self.user)),
widget=password_input,
has_entry=True,
button_dict = [
{
'label': _('Cancel').upper(),
'color': 'red',
'return_value': False
},
{
'label': _('Ok').upper(),
'color': 'green',
'return_value': True
}
])
confirm.dialog.set_position(Gtk.WindowPosition.CENTER_ALWAYS)
# Kano Dialog will return False if cancel button is clicked, or text from the entry field if Ok
response=confirm.run()
if response == False:
return
elif type(response) == str and not len(response):
error = KanoDialog(title_text = _('Please enter the password for user {}'.format(self.user)))
error.dialog.set_position(Gtk.WindowPosition.CENTER_ALWAYS)
error.run()
return
else:
password=response
# Authenticate user and schedule removal. Protect against unknown troubles.
try:
if pam.authenticate(self.user, password):
info = KanoDialog(title_text = _('User {} scheduled for removal'.format(self.user)), \
description_text = _('Press OK to reboot'))
info.dialog.set_position(Gtk.WindowPosition.CENTER_ALWAYS)
info.run()
os.system('sudo kano-init schedule delete-user "{}"'.format(self.user))
LightDM.restart()
else:
error = KanoDialog(title_text = _('Incorrect password for user {}'.format(self.user)))
error.dialog.set_position(Gtk.WindowPosition.CENTER_ALWAYS)
error.run()
except Exception as e:
logger.error('Error deleting account {} - {}'.format(self.user, str(e)))
error = KanoDialog(title_text = _('Could not delete account {}'.format(self.user)))
error.dialog.set_position(Gtk.WindowPosition.CENTER_ALWAYS)
error.run()
def auth(self, userobj, username, password, settings, **kwargs):
if username not in _auth_cache:
# Need lock here, as PAM authentication is not thread safe
_pam_lock.acquire()
try:
auth_result = pam.authenticate(username, password,
settings["service"])
# cache result only if we properly authenticated
if auth_result:
_auth_cache[username] = time.time()
finally:
_pam_lock.release()
if not auth_result:
log.error("PAM was unable to authenticate user: %s" %
(username, ))
return None
else:
log.debug("Using cached auth for user: %s" % (username, ))
# old attrs fetched from Kallithea database
admin = getattr(userobj, 'admin', False)
active = getattr(userobj, 'active', True)
email = getattr(userobj, 'email',
'') or "%s@%s" % (username, socket.gethostname())
firstname = getattr(userobj, 'firstname', '')
lastname = getattr(userobj, 'lastname', '')
extern_type = getattr(userobj, 'extern_type', '')
user_attrs = {
'username': username,
'firstname': firstname,
'lastname': lastname,
'groups':
[g.gr_name for g in grp.getgrall() if username in g.gr_mem],
'email': email,
'admin': admin,
'active': active,
"active_from_extern": None,
'extern_name': username,
'extern_type': extern_type,
}
try:
user_data = pwd.getpwnam(username)
regex = settings["gecos"]
match = re.search(regex, user_data.pw_gecos)
if match:
user_attrs["firstname"] = match.group('first_name')
user_attrs["lastname"] = match.group('last_name')
except Exception:
log.warning("Cannot extract additional info for PAM user %s",
username)
pass
log.debug("pamuser: \n%s" % formatted_json(user_attrs))
log.info('user %s authenticated correctly' % user_attrs['username'])
return user_attrs
def is_authorized(self, username, password):
"""Returns true is a user is authorised via PAM.
Note: We use the 'login' PAM stack rather than inventing
our own.
@rtype: boolean
"""
return pam.authenticate(username, password, 'sshd')
def authenticate(username, password):
import pam
# This will fetch tickets twice but...
if not pam.authenticate(USER, password, "sshd"):
raise AuthenticationRequired("Invalid credentials.")
if not getTickets(username, password):
raise AuthenticationRequired("Unable to get tickets.")
return makeToken()
def authenticate(self, username, password, **kwargs):
if pam.authenticate(username, password):
metadata = {}
if username == 'root':
metadata['is_admin'] == True
tenant = {'id': username, 'name': username}
user = {'id': username, 'name': username}
return (tenant, user, metadata)
def authenticate(self, username, password, **kwargs):
if pam.authenticate(username, password):
extras = {}
if username == "root":
extras["is_admin"] == True
tenant = {"id": username, "name": username}
user = {"id": username, "name": username}
return (tenant, user, extras)
def auth(self, userobj, username, password, settings, **kwargs):
if username not in _auth_cache:
# Need lock here, as PAM authentication is not thread safe
_pam_lock.acquire()
try:
auth_result = pam.authenticate(username, password,
settings["service"])
# cache result only if we properly authenticated
if auth_result:
_auth_cache[username] = time.time()
finally:
_pam_lock.release()
if not auth_result:
log.error("PAM was unable to authenticate user: %s" % (username,))
return None
else:
log.debug("Using cached auth for user: %s" % (username,))
# old attrs fetched from Kallithea database
admin = getattr(userobj, 'admin', False)
active = getattr(userobj, 'active', True)
email = getattr(userobj, 'email', '') or "%s@%s" % (username, socket.gethostname())
firstname = getattr(userobj, 'firstname', '')
lastname = getattr(userobj, 'lastname', '')
extern_type = getattr(userobj, 'extern_type', '')
user_attrs = {
'username': username,
'firstname': firstname,
'lastname': lastname,
'groups': [g.gr_name for g in grp.getgrall() if username in g.gr_mem],
'email': email,
'admin': admin,
'active': active,
"active_from_extern": None,
'extern_name': username,
'extern_type': extern_type,
}
try:
user_data = pwd.getpwnam(username)
regex = settings["gecos"]
match = re.search(regex, user_data.pw_gecos)
if match:
user_attrs["firstname"] = match.group('first_name')
user_attrs["lastname"] = match.group('last_name')
except Exception:
log.warning("Cannot extract additional info for PAM user %s", username)
pass
log.debug("pamuser: \n%s" % formatted_json(user_attrs))
log.info('user %s authenticated correctly' % user_attrs['username'])
return user_attrs
def authenticate(self, username, password, **kwargs):
if pam.authenticate(username, password):
metadata = {}
if username == 'root':
metadata['is_admin'] == True
tenant = {'id': username,
'name': username}
user = {'id': username,
'name': username}
return (tenant, user, metadata)
def get_sudo_password(heading, parent=None):
entry = Gtk.Entry()
entry.set_visibility(False)
kdialog = KanoDialog(
title_text=heading,
description_text="Enter your system password - default is kano:",
widget=entry,
has_entry=True,
global_style=True,
parent_window=parent
)
pw = kdialog.run()
del kdialog
del entry
while not pam.authenticate(getpass.getuser(), pw):
fail = KanoDialog(
title_text=heading,
description_text="The password was incorrect. Try again?",
button_dict={
"YES": {
"return_value": 0
},
"CANCEL": {
"return_value": -1,
"color": "red"
}
},
parent_window=parent
)
rv = fail.run()
del fail
if rv < 0:
return
entry = Gtk.Entry()
entry.set_visibility(False)
kdialog = KanoDialog(
title_text=heading,
description_text="Re-enter your system password - default is kano:",
widget=entry,
has_entry=True,
global_style=True,
parent_window=parent
)
pw = kdialog.run()
del kdialog
del entry
return pw
def validate_password(self, field):
"""use Linux PAM for authenticate"""
username = self.username.data
if platform.system().lower() == 'linux':
g.logger.debug('use pam for authenticate.')
from pam import authenticate
if authenticate(username, field.data):
g.logger.info('session opened for user %s.' % username)
return username
else:
raise ValueError('Authentication failure.')
return username
def authenticate_user(state, control_code):
state.user_name = getpass.getuser()
if control_code == 'new':
state.control.send(str(state.user_name).encode('ascii'))
user_name = state.control.recv(1024).decode('ascii')
user_pass = state.control.recv(1024).decode('ascii')
result = 'pass'
if pam.authenticate(user_name, user_pass):
state.control.send(str(result).encode('ascii'))
else:
result = 'fail'
state.control.send(str(result).encode('ascii'))
def handle_request(self, parameters):
# fill in any missing userdn, etc.
self.validate(parameters)
is_root = (self.calleruid == 0) and parameters["asroot"]
mods = []
# check if the the user passed the rootpwmoddn
if parameters["asroot"]:
binddn = cfg.rootpwmoddn
# check if rootpwmodpw should be used
if not parameters["password"] and is_root and cfg.rootpwmodpw:
password = cfg.rootpwmodpw
else:
password = parameters["password"]
else:
binddn = parameters["userdn"]
password = parameters["password"]
# write response header
self.fp.write_int32(constants.NSLCD_RESULT_BEGIN)
# check home directory modification
homedir = parameters["mods"].get(constants.NSLCD_USERMOD_HOMEDIR)
if homedir:
if is_root:
mods.append((ldap.MOD_REPLACE, passwd.attmap["homeDirectory"], [homedir]))
elif not os.path.isabs(homedir):
self.write_result(constants.NSLCD_USERMOD_HOMEDIR, "should be an absolute path")
elif not os.path.isdir(homedir):
self.write_result(constants.NSLCD_USERMOD_HOMEDIR, "not a directory")
else:
mods.append((ldap.MOD_REPLACE, passwd.attmap["homeDirectory"], [homedir]))
# check login shell modification
shell = parameters["mods"].get(constants.NSLCD_USERMOD_SHELL)
if shell:
if is_root:
mods.append((ldap.MOD_REPLACE, passwd.attmap["loginShell"], [shell]))
elif shell not in list_shells():
self.write_result(constants.NSLCD_USERMOD_SHELL, "unlisted shell")
elif not os.path.isfile(shell) or not os.access(shell, os.X_OK):
self.write_result(constants.NSLCD_USERMOD_SHELL, "not an executable")
else:
mods.append((ldap.MOD_REPLACE, passwd.attmap["loginShell"], [shell]))
# get a connection and perform the modification
if mods:
try:
conn, authz, msg = pam.authenticate(binddn, password)
conn.modify_s(parameters["userdn"], mods)
logging.info("changed information for %s", parameters["userdn"])
except (ldap.INVALID_CREDENTIALS, ldap.INSUFFICIENT_ACCESS), e:
try:
msg = e[0]["desc"]
except:
msg = str(e)
logging.debug("modification failed: %s", msg)
self.write_result(constants.NSLCD_USERMOD_RESULT, msg)
def authenticate(self, username=None, password=None):
if pam.authenticate(username, password, service='login'):
try:
return User.objects.get(username=username)
except User.DoesNotExist:
# Create new django user
user = User(username=username)
user.set_password(password)
user.save()
user.groups.add(Group.objects.get(name='Users'))
return user
return None
def verify_current_password(password):
# Verify the current password in the first text box
# Get current username
username, e, num = run_cmd("echo $SUDO_USER")
# Remove trailing newline character
username = username.rstrip()
if not pam.authenticate(username, password):
# Could not verify password
return False
return True
def requestAvatarId(self, credentials):
if pam.authenticate(credentials.username, credentials.password):
log.info('Successful login with PAM for %s' % credentials.username)
auth = getUtility(IAuthentication)
oms_user = User(credentials.username)
oms_user.groups.extend(get_linux_groups_for_user(credentials.username))
log.info(' Adding user groups: %s' % ', '.join(oms_user.groups))
for g in get_linux_groups_for_user(credentials.username):
auth.registerPrincipal(Group(g))
auth.registerPrincipal(oms_user)
return defer.succeed(credentials.username)
log.warning(' Authentication failed with PAM for %s' % credentials.username)
return defer.fail(UnauthorizedLogin('Invalid credentials'))
def verify_current_password(password):
# Verify the current password in the first text box
# Get current username
username, e, num = run_cmd("echo $SUDO_USER")
# Remove trailing newline character
username = username.rstrip()
if not pam.authenticate(username, password):
# Could not verify password
return False
return True
def verify(self):
self.verifyTime += 1
import pam
password = self.ui.editPassword.text()
status = pam.authenticate(self.getUsername(), password)
if not status:
self.ui.labStatus.setText("Validate failed %d"%self.verifyTime)
self.ui.editPassword.clear()
else:
self.ui.labStatus.setText("Validate passed")
self.setWallpaper()
notify.Notify(title='gwaller',content="set wallpaper successful").inotify()
self.close()
def is_authenticated(user, password):
"""Check if ``user``/``password`` couple is valid."""
if user is None or password is None:
return False
# Check whether the user exists in the PAM system
try:
pwd.getpwnam(user).pw_uid
except KeyError:
log.LOGGER.debug("User %s not found" % user)
return False
else:
log.LOGGER.debug("User %s found" % user)
# Check whether the group exists
try:
# Obtain supplementary groups
members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem
except KeyError:
log.LOGGER.debug(
"The PAM membership required group (%s) doesn't exist" %
GROUP_MEMBERSHIP)
return False
# Check whether the user exists
try:
# Get user primary group
primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
except KeyError:
log.LOGGER.debug(
"The PAM user (%s) doesn't exist" %
user)
return False
# Check whether the user belongs to the required group (primary or supplementary)
if primary_group == GROUP_MEMBERSHIP or user in members:
log.LOGGER.debug(
"The PAM user belongs to the required group (%s)" %
GROUP_MEMBERSHIP)
# Check the password
if pam.authenticate(user, password):
return True
else:
log.LOGGER.debug("Wrong PAM password")
else:
log.LOGGER.debug(
"The PAM user doesn't belong to the required group (%s)" %
GROUP_MEMBERSHIP)
return False
def auth(self, userobj, username, password, settings, **kwargs):
if not username or not password:
log.debug('Empty username or password skipping...')
return None
auth_result = pam.authenticate(username, password, settings["service"])
if not auth_result:
log.error("PAM was unable to authenticate user: %s" % (username, ))
return None
log.debug('Got PAM response %s' % (auth_result, ))
# old attrs fetched from RhodeCode database
default_email = "%s@%s" % (username, socket.gethostname())
admin = getattr(userobj, 'admin', False)
active = getattr(userobj, 'active', True)
email = getattr(userobj, 'email', '') or default_email
username = getattr(userobj, 'username', username)
firstname = getattr(userobj, 'firstname', '')
lastname = getattr(userobj, 'lastname', '')
extern_type = getattr(userobj, 'extern_type', '')
user_attrs = {
'username': username,
'firstname': firstname,
'lastname': lastname,
'groups': [g.gr_name for g in grp.getgrall()
if username in g.gr_mem],
'email': email,
'admin': admin,
'active': active,
'active_from_extern': None,
'extern_name': username,
'extern_type': extern_type,
}
try:
user_data = pwd.getpwnam(username)
regex = settings["gecos"]
match = re.search(regex, user_data.pw_gecos)
if match:
user_attrs["firstname"] = match.group('first_name')
user_attrs["lastname"] = match.group('last_name')
except Exception:
log.warning("Cannot extract additional info for PAM user")
pass
log.debug("pamuser: %s", user_attrs)
log.info('user %s authenticated correctly' % user_attrs['username'])
return user_attrs
def get_sudo_password(heading, parent=None):
entry = Gtk.Entry()
entry.set_visibility(False)
kdialog = KanoDialog(
title_text=heading,
description_text=_("Enter your system password - default is kano:"),
widget=entry,
has_entry=True,
global_style=True,
parent_window=parent)
pw = kdialog.run()
del kdialog
del entry
while not pam.authenticate(getpass.getuser(), pw):
fail = KanoDialog(
title_text=heading,
description_text=_("The password was incorrect. Try again?"),
button_dict={
_("YES"): {
"return_value": 0
},
_("CANCEL"): {
"return_value": -1,
"color": "red"
}
},
parent_window=parent)
rv = fail.run()
del fail
if rv < 0:
return
entry = Gtk.Entry()
entry.set_visibility(False)
kdialog = KanoDialog(
title_text=heading,
description_text=_(
"Re-enter your system password - default is kano:"),
widget=entry,
has_entry=True,
global_style=True,
parent_window=parent)
pw = kdialog.run()
del kdialog
del entry
return pw
def get_user(username, provider, password=None):
if provider == "Local":
u = User.query.filter_by(name=username, provider=provider).first()
if u is not None and u.check_password(password):
return u
elif provider == "PAM":
if pam.authenticate(username, password):
u = User.query.filter_by(name=username, provider=provider).first()
if u is None:
u = User(name=username, provider=provider)
db.session.add(u)
db.session.commit()
return u
return None
def get_user(username, provider, password=None):
if provider == "Local":
u = User.query.filter_by(name=username, provider=provider).first()
if u is not None and u.check_password(password):
return u
elif provider == "PAM":
if pam.authenticate(username, password):
u = User.query.filter_by(name=username, provider=provider).first()
if u is None:
u = User(name=username, provider=provider)
db.session.add(u)
db.session.commit()
return u
return None
def login():
username = request.form["username"]
password = request.form["password"]
is_auth = pam.authenticate(username,password)
if is_auth:
session["logged_in"] = True
session["username"] = username
session["auth_message"] = None
user_repo = '/mapr/' + MAPR_CLUSTER + NOTEBOOKS_FOLDER + '/' + username
subprocess.call(['mkdir','-p',user_repo])
subprocess.call(['chown',username,user_repo])
subprocess.call(['chmod','777',user_repo])
else:
session["auth_message"]="authentication failed for {}".format(username)
return home()
def login_2():
form = LoginForm()
if form.validate_on_submit():
try:
ret = pam.authenticate(form['username'].data, form['password'].data)
if not ret:
flash('Invalid credentials', 'error')
else:
connect_to_masters()
session['username'] = form['username'].data
return redirect(request.args.get("next") or url_for("index_2"))
except Unauthorized:
flash('Invalid credentials', 'error')
return render_template("login_2.html", form=form)
def requestAvatarId(self, credentials):
if pam.authenticate(credentials.username, credentials.password):
log.info('Successful login with PAM for %s' % credentials.username)
auth = getUtility(IAuthentication)
oms_user = User(credentials.username)
oms_user.groups.extend(
get_linux_groups_for_user(credentials.username))
log.info(' Adding user groups: %s' % ', '.join(oms_user.groups))
for g in get_linux_groups_for_user(credentials.username):
auth.registerPrincipal(Group(g))
auth.registerPrincipal(oms_user)
return defer.succeed(credentials.username)
log.warning(' Authentication failed with PAM for %s' %
credentials.username)
return defer.fail(UnauthorizedLogin('Invalid credentials'))
def is_authenticated(user, password):
"""Check if ``user``/``password`` couple is valid."""
if user is None or password is None:
return False
# Check whether the user exists in the PAM system
try:
pwd.getpwnam(user).pw_uid
except KeyError:
log.LOGGER.debug("User %s not found" % user)
return False
else:
log.LOGGER.debug("User %s found" % user)
# Check whether the group exists
try:
# Obtain supplementary groups
members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem
except KeyError:
log.LOGGER.debug(
"The PAM membership required group (%s) doesn't exist" %
GROUP_MEMBERSHIP)
return False
# Check whether the user exists
try:
# Get user primary group
primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
except KeyError:
log.LOGGER.debug("The PAM user (%s) doesn't exist" % user)
return False
# Check whether the user belongs to the required group
# (primary or supplementary)
if primary_group == GROUP_MEMBERSHIP or user in members:
log.LOGGER.debug("The PAM user belongs to the required group (%s)" %
GROUP_MEMBERSHIP)
# Check the password
if pam.authenticate(user, password):
return True
else:
log.LOGGER.debug("Wrong PAM password")
else:
log.LOGGER.debug(
"The PAM user doesn't belong to the required group (%s)" %
GROUP_MEMBERSHIP)
return False
def check(self, uid=None, passwd=None):
""":func:`burpui.misc.auth.local.LocalLoader.check` verifies if the
given password matches the given user settings.
:param uid: User to authenticate
:type uid: str
:param passwd: Password
:type passwd: str
:returns: True if there is a match, otherwise False
"""
if self.users is None or uid in self.users:
return pam.authenticate(uid, passwd, 'other')
return False
def post(self, request):
print("POST REQ")
username = request.data.get('username')
password = request.data.get('password')
print("post request: " + username + "\npassword: "******"PAM: " + str(pa))
if pa:
print("User " + username + " authenticated succesfully.")
return Response(status=status.HTTP_200_OK)
else:
print("User " + username + " authentication failed")
return Response(status=status.HTTP_403_FORBIDDEN)
def authenticate(self, username=None, password=None):
if pam.authenticate(username, password):
try:
user = User.objects.get(username=username)
except:
user = User(username=username, password='******')
if getattr(settings, 'PAM_IS_SUPERUSER', False):
user.is_superuser = True
if getattr(settings, 'PAM_IS_STAFF', user.is_superuser):
user.is_staff = True
user.save()
return user
return None
def handle_read(self):
data = self._buf + self.recv(1024)
if not data:
self.close()
return
reqs, data = data.rsplit('\r\n', 1)
self._buf = data
for req in reqs.split('\r\n'):
try:
user, passwd = req.split()
except:
self.send('bad\r\n')
else:
if pam.authenticate(user, passwd):
self.send('ok\r\n')
else:
self.send('fail\r\n')
def on_cancel(self, evt):
from pam import authenticate
'''Cancel button has been pressed. Clean up and exit without continuing.'''
page = evt.GetPage()
print "on_cancel: %s\n" % page.__class__, page.title
dialog = wx.TextEntryDialog(None,
"Enter Password to Log In",
defaultValue='',
style=wx.OK | wx.CANCEL | wx.TE_PASSWORD)
if dialog.ShowModal() == wx.ID_OK:
if authenticate('update', dialog.GetValue()) is False:
wx.MessageBox("The update system will shut down now",
"Shutting Down")
subprocess.Popen('sudo /sbin/shutdown -h now', shell=True)
else:
evt.Veto()
dialog.Destroy()
def authenticate(self, request, username=None, password=None):
if pam.authenticate(username, password):
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = User(username=username)
user.is_staff = False
user.is_superuser = False
gcos = pwd.getpwnam(username).pw_gecos.split(',')
user.email = gcos[4]
if len(gcos[0].split(' ')) == 2:
user.firstname = gcos[0].split(' ')[0]
user.lastname = gcos[0].split(' ')[1]
user.save()
return user
else:
return None
def basic_auth_user(self, realm, user_name, password, environ):
pam = self.pam
is_ok = pam.authenticate(
user_name,
password,
service=self.pam_service,
resetcreds=self.pam_resetcreds,
encoding=self.pam_encoding,
)
if is_ok:
_logger.debug("User '{}' logged on.".format(user_name))
return True
_logger.warning(
"pam.authenticate('{}', '***', '{}') failed with code {}: {}".
format(user_name, self.pam_service, pam.code, pam.reason))
return False
