def authenticate(name, password): """ Returns true or false depending on the success of the name-password combination using the shadows or passwd file (The shadow file is preferred if it exists) """ try: success = pam.pam().authenticate(name, password) if success is True: return success except Exception as e: logging.warning(e) return False if path.exists("/etc/shadow"): try: if six.PY3: shadow = spwd.getspnam(name).sp_pwdp # https://docs.python.org/3.4/library/spwd.html#module-spwd else: shadow = spwd.getspnam(name).sp_pwd except KeyError as e: return False else: shadow = pwd.getpwnam(name).pw_passwd salt_pattern = compile_regex(r"\$.*\$.*\$") try: salt = salt_pattern.match(shadow).group() except AttributeError as a: logging.warning(a) return False return crypt(password, salt) == shadow
def login(): logger.debug('Autenticando usuario') try: auth = request.authorization if not auth or not auth.username or not auth.password: logger.error( 'No se ha podido autenticar al usuario: faltan las credenciales!' ) return json_response(status=400) p = pam.pam() # user = p.authenticate(username=auth.username, password=auth.password, service='dvls') user = p.authenticate(username=auth.username, password=auth.password) if user and (auth.username == app.config['CONN_USER']): token = jwt.encode( dict(username=auth.username, exp=datetime.utcnow() + timedelta(minutes=60)), app.config['SECRET_KEY']) return json_response(data=dict(token=token.decode('UTF-8'))) logger.error( 'No se ha podido autenticar al usuario: las credenciales son incorrectas!' ) return json_response(status=403) except Exception as e: logger.error('No se ha podido autenticar al usuario: %s', str(e)) return json_response(status=500)
def login(user, password): users = config.get('DEFAULT', 'users', fallback=None) if users and not user in users.split(','): # User not is in the valid user list return False # Validate user with password return pam().authenticate(user, password)
def page_reset_tor(): check_logged_in() p = pam.pam() pw = request.form.get('password_reset_tor') if pw == None or p.authenticate("admin", pw) == False: flash("Invalid Password", category="error") return redirect(url_for(".page_settings")) else: check_and_mark_reboot_action("reset_tor") # Successful Auth reset_tor() # Trigger reboot t = Timer(1.0, reboot_device) t.start() # Wait until device is restarted templateData = { "title": "myNode Reboot", "header_text": "Restarting", "subheader_text": "This will take several minutes...", "ui_settings": read_ui_settings() } return render_template('reboot.html', **templateData)
def __inner_authorize(self, user: str, passwd: str) -> bool: if self.__allow_users and user not in self.__allow_users: get_logger().error("User %r not in allow-list", user) return False if self.__deny_users and user in self.__deny_users: get_logger().error("User %r in deny-list", user) return False if self.__allow_uids_at > 0: try: uid = pwd.getpwnam(user).pw_uid except Exception: get_logger().exception("Can't find UID of user %r", user) return False else: if uid < self.__allow_uids_at: get_logger().error( "Unallowed UID of user %r: uid=%d < allow_uids_at=%d", user, uid, self.__allow_uids_at) return False pam_obj = pam.pam() if not pam_obj.authenticate(user, passwd, service=self.__service): get_logger().error( "Can't authorize user %r using PAM: code=%d; reason=%s", user, pam_obj.code, pam_obj.reason) return False return True
def checkpass(self, username, password): auth = pam.pam().authenticate(username, password) if auth is True: logging.debug("Authentication Success") else: logging.debug("Authentication Failure") return auth
def get_authenticated_user(self, username, password): """ :param username: :param password: :return: """ import pam from models import User if self._current_user.is_authenticated: return self._current_user else: auth_engine = pam.pam() if auth_engine.authenticate(username, password): try: connection = ElementXMLRPC(url=settings.ELEMENT_URL) self._element_session_id = connection.authenticate(username, password) except ElementError as e: raise AuthenticationError(str(e)) # Until we have a backend, we might have to pickle and de-pickle this # When we do, store the object and return the username user = User(username, self._element_session_id) return user else: raise AuthenticationError("Login failed: [{0}] {1}".format(auth_engine.code, auth_engine.reason))
def auth_user(pam_config, username, password): """ Authenticate user with PAM. """ LOG.debug('Authenticating user with PAM.') auth = pam.pam() if auth.authenticate(username, password): allowed_users = pam_config.get("users") \ or [] allowed_group = pam_config.get("groups")\ or [] if not allowed_users and not allowed_group: # If no filters are set, only authentication is needed. return True else: if username in allowed_users: # The user is allowed by username. return True # Otherwise, check group memeberships. If any of the user's # groups are an allowed groupl, the user is allowed. groups = [g.gr_name for g in grp.getgrall() if username in g.gr_mem] gid = pwd.getpwnam(username).pw_gid groups.append(grp.getgrgid(gid).gr_name) return not set(groups).isdisjoint( set(pam_config.get("groups"))) return False
def login(): if request.method == 'POST': p = pam.pam() if p.authenticate(request.form['username'], request.form['password']): session['logged_in'] = True return redirect(url_for('start_compaign')) return render_template('index.html', error='invalid username/password')
def __try_auth_pam(self, auth_string): if self.__is_method_enabled("pam"): username, pw = auth_string.split(":") auth = pam.pam() if auth.authenticate(username, pw): allowed_users = self.__auth_config["method_pam"].get("users") \ or [] allowed_group = self.__auth_config["method_pam"].get("groups")\ or [] if len(allowed_users) == 0 and len(allowed_group) == 0: # If no filters are set, only authentication is needed. return True else: if username in allowed_users: # The user is allowed by username. return True # Otherwise, check group memeberships. If any of the user's # groups are an allowed groupl, the user is allowed. groups = [g.gr_name for g in grp.getgrall() if username in g.gr_mem] gid = pwd.getpwnam(username).pw_gid groups.append(grp.getgrgid(gid).gr_name) return not set(groups).isdisjoint( set(self.__auth_config["method_pam"].get("groups"))) return False
async def check_password(self, user_id, password): """ Attempt to authenticate a user against PAM and register an account if none exists. Returns: True if authentication against PAM was successful, False if not """ if not password: return False # user_id is of the form @foo:bar.com localpart = user_id.split(":", 1)[0][1:] # check if localpart is a valid mxid. # If not, bail out without even checking PAM because # we can't create a user with that id anyway. if types.contains_invalid_mxid_characters(localpart): return False # Now check the password if not pam.pam().authenticate(localpart, password, service='matrix-synapse'): return False # From here on, the user is authenticated if (await self.account_handler.check_user_exists(user_id)): return True if self.create_users: user_id = await self.account_handler.register_user(localpart=localpart) return bool(user_id) return False
def login(): import pam # what handles this during normal boot? subprocess.call(['rm', '/run/nologin', '/etc/nologin']) try: subprocess.call(['clear']) print('Welcome to HadesOS!') print() session_type = input('Session type (graphical/text): ') or 'text' if session_type not in ('graphical', 'text'): print('Bad session type.') return if session_type == 'text': # For text sessions, use login - it sets up controlling terminals etc correctly os.execvp('login', ['login']) return user_name = input('Login: '******'graphical': os.execvp('hades', ['hades', 'startx', '--', user_name]) else: print('Authentication failed.') except (KeyboardInterrupt, EOFError): pass
def login(): if request.method == 'POST': request_username = request.form['username'] request_passwd = request.form['password'] current_url = request.form['url'] if AUTH == 'ldap': try: l = ldap.initialize('ldap://%s:%d' % (LDAP_HOST, LDAP_PORT)) l.set_option(ldap.OPT_REFERRALS, 0) l.protocol_version = 3 l.simple_bind(LDAP_BIND_DN, LDAP_PASS) q = l.search_s(LDAP_BASE, ldap.SCOPE_SUBTREE, '(&(objectClass=' + OBJECT_CLASS + ')(' + ID_MAPPING + '=' + request_username + '))', [])[0] l.bind_s(q[0], request_passwd, ldap.AUTH_SIMPLE) #set the parameters for user by ldap objectClass user = { 'username': q[1][ID_MAPPING][0].decode('utf8'), 'name': q[1][DISPLAY_MAPPING][0].decode('utf8'), 'su': 'Yes' } except Exception, e: print(str(e)) user = None elif AUTH == 'htpasswd': from lwp.utils import check_htpasswd user = None if check_htpasswd(HTPASSWD_FILE, request_username, request_passwd): user = { 'username': request_username, 'name': request_username, 'su': 'Yes' } elif AUTH == 'pam': user = None p = pam.pam() if p.authenticate(request_username, request_passwd, service=PAM_SERVICE): user = { 'username': request_username, 'name': request_username, 'su': 'Yes' } else: request_passwd = hash_passwd(request_passwd) user = query_db('select name, username, su from users where username=? and password=?', [request_username, request_passwd], one=True) if user: session['logged_in'] = True session['token'] = get_token() session['last_activity'] = int(time.time()) session['username'] = user['username'] session['name'] = user['name'] session['su'] = user['su'] flash(u'You are logged in!', 'success') if current_url == url_for('auth.login'): return redirect(url_for('main.home')) return redirect(current_url) flash(u'Invalid username or password!', 'error')
def validate(self): if not self.is_valid(): return False user = self.cleaned_data.get('username') passwd = self.cleaned_data.get('password') p = pam.pam() return p.authenticate(user, passwd)
def auth_user(pam_config, username, password): """ Authenticate user with PAM. """ LOG.debug('Authenticating user with PAM.') auth = pam.pam() if auth.authenticate(username, password): allowed_users = pam_config.get("users") \ or [] allowed_group = pam_config.get("groups")\ or [] if len(allowed_users) == 0 and len(allowed_group) == 0: # If no filters are set, only authentication is needed. return True else: if username in allowed_users: # The user is allowed by username. return True # Otherwise, check group memeberships. If any of the user's # groups are an allowed groupl, the user is allowed. groups = [g.gr_name for g in grp.getgrall() if username in g.gr_mem] gid = pwd.getpwnam(username).pw_gid groups.append(grp.getgrgid(gid).gr_name) return not set(groups).isdisjoint( set(pam_config.get("groups"))) return False
def chk_pwd(self, pwd): user = os.getenv('USER') if pwd == None: return False if PAM_LIB: def pam_conv(a, q, d): return [(pwd, 0)] auth = PAM.pam() auth.start("passwd") auth.set_item(PAM.PAM_USER, user) auth.set_item(PAM.PAM_CONV, pam_conv) try: auth.authenticate() auth.acct_mgmt() except: return False else: return True else: auth = pam.pam() return auth.authenticate(user, pwd)
class PamBackend(object): """ The user running the application (the apache user on CentOS) must be a member of the /etc/shadow group. """ _pam = pam.pam() def authenticate(self, username=None, password=None): """ All users that are recognized by the operating system will be returned (or created, then returned). """ user = None # If the user is authenticated by the operating system then... if self._pam.authenticate(username, password): try: user = User.objects.get(username=username) logging.info("User %s logged in." % username) except User.DoesNotExist: # we don't care what the password is, as it won't be used. password = User.objects.make_random_password() user = User(username=username, password=password) user.save() logging.info("User %s was created." % username) else: logging.warning('User %s failed to log in. Code: %s Reason: %s' % (username, self._pam.code, self._pam.reason)) return user def get_user(self, user_id): try: return User.objects.get(pk=user_id) except User.DoesNotExist: return None
def __try_auth_pam(self, auth_string): if self.__is_method_enabled("pam"): username, pw = auth_string.split(":") auth = pam.pam() if auth.authenticate(username, pw): allowed_users = self.__auth_config["method_pam"].get("users") \ or [] allowed_group = self.__auth_config["method_pam"].get("groups")\ or [] if len(allowed_users) == 0 and len(allowed_group) == 0: # If no filters are set, only authentication is needed. return True else: if username in allowed_users: # The user is allowed by username. return True # Otherwise, check group memeberships. If any of the user's # groups are an allowed groupl, the user is allowed groups = [g.gr_name for g in grp.getgrall() if username in g.gr_mem] gid = pwd.getpwnam(username).pw_gid groups.append(grp.getgrgid(gid).gr_name) return not set(groups).isdisjoint( set(self.__auth_config["method_pam"].get("groups"))) return False
def is_authenticated(self): auth = flask.request.authorization if not auth or not 'username' in auth.keys() or not 'password' in auth.keys(): return False p = pam.pam() return p.authenticate(auth['username'], auth['password'])
def page_lnd_change_alias(): check_logged_in() # Load page p = pam.pam() pw = request.form.get('password_change_alias') if pw == None or p.authenticate("admin", pw) == False: flash("Invalid Password", category="error") return redirect(url_for(".page_lnd")) # Change alias alias = request.form.get('alias') if alias == None or alias == "": flash("Empty Alias", category="error") return redirect(url_for(".page_lnd")) if len(alias) > 34: flash("Invalid Alias", category="error") return redirect(url_for(".page_lnd")) with open("/mnt/hdd/mynode/settings/.lndalias", "w") as f: utf8_alias = alias.decode('utf-8', 'ignore') f.write(utf8_alias) f.close() # Reboot t = Timer(1.0, reboot_device) t.start() # Wait until device is restarted templateData = { "title": "myNode Reboot", "header_text": "Restarting", "subheader_text": "This will take several minutes...", "ui_settings": read_ui_settings() } return render_template('reboot.html', **templateData)
def change_password_page(): if not request: return redirect("/settings") message = "<div class='success_message'>Successfully changed password!</div>" # Verify current password p = pam.pam() current = request.form.get('current_password') if current == None or p.authenticate("admin", current) == False: message = "<div class='error_message'>Incorrect password</div>" templateData = { "title": "myNode Settings", "password_message": Markup(message) } return render_template('settings.html', **templateData) p1 = request.form.get('password1') p2 = request.form.get('password2') if p1 == None or p2 == None or p1 == "" or p2 == "" or p1 != p2: message = "<div class='error_message'>Passwords did not match or were empty!</div>" else: # Change password subprocess.call(['/usr/bin/mynode_chpasswd.sh', p1]) templateData = { "title": "myNode Settings", "password_message": Markup(message) } return render_template('settings.html', **templateData)
def change_password_page(): if not request: return redirect("/settings") message = "<div class='success_message'>Successfully changed password!</div>" # Verify current password p = pam.pam() current = request.form.get('current_password') if current == None or p.authenticate("admin", current) == False: return redirect( url_for(".page_settings", error_message="Invalid Password")) p1 = request.form.get('password1') p2 = request.form.get('password2') if p1 == None or p2 == None or p1 == "" or p2 == "" or p1 != p2: return redirect( url_for(".page_settings", error_message="Passwords did not match or were empty!")) else: # Change password subprocess.call(['/usr/bin/mynode_chpasswd.sh', p1]) return redirect( url_for(".page_settings", success_message="Password Updated!"))
def is_ssh_default_password_changed(): """API called to check if the default password for SSH is changed. This will populate the ssh enabled radio button in the UI. Returns: dict: Execution status if the API call was successful, flag to indicate if default ssh password is changed and with error reason if call fails. """ webserver_node = webserver_publisher_node.get_webserver_node() webserver_node.get_logger().info("Providing ssh enabeld as response") try: # Authenticate against default password if pam.pam().authenticate(DEFAULT_USER, DEFAULT_SSH_PASSWORD): return jsonify(success=True, isDefaultSshPasswordChanged=False, reason="Default password not changed") else: return jsonify(success=True, isDefaultSshPasswordChanged=True, reason="Default password changed") except Exception as ex: webserver_node.get_logger().error( f"Failed check if the ssh password is default: {ex}") return jsonify(success=False, isDefaultSshPasswordChanged=False, reason="Error")
def login(password): p = pam.pam() if password == None or p.authenticate("admin", password) == False: return False else: session["logged_in"] = True session.permanent = True return True
def __init__(self, users=None): self.event = threading.Event() self.users = users self.users_keys = {} if have_pam: self.pam = pam.pam() else: self.pam = None
def __init__(self, configuration): super().__init__(configuration) self.configuration = configuration if "pam_service" not in self.configuration.options("auth"): self.service = 'login' else: self.service = self.configuration.get("auth", "pam_service") self.pam = pam()
def page_lnd_lndconnect(): check_logged_in() # Load page if request.method == 'GET': return redirect(url_for(".page_lnd")) p = pam.pam() pw = request.form.get('password_lndconnect') from_homepage = request.form.get('lndconnect_from_homepage') if pw == None or p.authenticate("admin", pw) == False: if from_homepage != None: flash("Invalid Password", category="error") return redirect("/") else: flash("Invalid Password", category="error") return redirect(url_for(".page_lnd")) lndconnect_local_grpc_text = get_text_contents( "/tmp/mynode_lndconnect/lndconnect_local_grpc.txt") lndconnect_local_rest_text = get_text_contents( "/tmp/mynode_lndconnect/lndconnect_local_rest.txt") lndconnect_tor_grpc_text = get_text_contents( "/tmp/mynode_lndconnect/lndconnect_tor_grpc.txt") lndconnect_tor_rest_text = get_text_contents( "/tmp/mynode_lndconnect/lndconnect_tor_rest.txt") if is_community_edition(): lndconnect_tor_grpc_text = "Premium Feature" lndconnect_tor_rest_text = "Premium Feature" lndconnect_local_grpc_img = get_image_contents( "/tmp/mynode_lndconnect/lndconnect_local_grpc.png") lndconnect_local_rest_img = get_image_contents( "/tmp/mynode_lndconnect/lndconnect_local_rest.png") lndconnect_tor_grpc_img = get_image_contents( "/tmp/mynode_lndconnect/lndconnect_tor_grpc.png") lndconnect_tor_rest_img = get_image_contents( "/tmp/mynode_lndconnect/lndconnect_tor_rest.png") if is_community_edition(): lndconnect_tor_grpc_img = get_image_contents( "/var/www/mynode/static/images/dots.png") lndconnect_tor_rest_img = get_image_contents( "/var/www/mynode/static/images/dots.png") # Show lndconnect page templateData = { "title": "myNode Lightning Wallet", "lndconnect_local_grpc_text": lndconnect_local_grpc_text, "lndconnect_local_rest_text": lndconnect_local_rest_text, "lndconnect_tor_grpc_text": lndconnect_tor_grpc_text, "lndconnect_tor_rest_text": lndconnect_tor_rest_text, "lndconnect_local_grpc_img": lndconnect_local_grpc_img, "lndconnect_local_rest_img": lndconnect_local_rest_img, "lndconnect_tor_grpc_img": lndconnect_tor_grpc_img, "lndconnect_tor_rest_img": lndconnect_tor_rest_img, "ui_settings": read_ui_settings() } return render_template('lndconnect.html', **templateData)
def authenticate(self, user: str = None, password: str = None, **kwargs) -> str: p = pam.pam() r = p.authenticate(user, password, service=config.login.pam_service) if not r: raise self.LoginError("PAM authentication failed") return user
def authenticate_user(username, password): try: from pam import pam if pam().authenticate(username, password): return True, None else: return False, "Incorrect password" except ImportError: return False, "Authentication modules is not available"
def __init__(self, db, session_manager): self.db = db self.session_manager = session_manager if config['api'].getboolean('pam', False): import pam self.pam = pam.pam() else: self.pam = None
def login(request): if request.REQUEST_METHOD == 'POST': if pam().authenticate(request.POST['username'], request.POST['password']): request.set_session('auth', request.POST['username'], path='/', http_only=True, secure=True, domain='panel.techraptor.us') refresh_users() return '', 303, {'Location': request.GET.get('next', '/')} elif 'auth' in request.COOKIE: return '', 303, {'Location': request.GET.get('next', '/')} return serve('html/login.html')
def page_download_ovpn(): p = pam.pam() pw = request.form.get('password_download_ovpn') if pw == None or p.authenticate("admin", pw) == False: flash("Invalid Password", category="error") return redirect(url_for(".page_vpn_info")) # Download ovpn return send_from_directory(directory="/home/pivpn/ovpns/", filename="mynode_vpn.ovpn")
def check_password(username, password, service): try: auth = pam.pam() if not auth.authenticate(username, password, service=service): log_error("Password check failed (%s): %s" % (auth.code, auth.reason)) return 0 else: return 1 except: raise_with_tb(rhnException('Internal PAM error'), sys.exc_info()[2])
def post(self, request): user = request.data.get("user") password = request.data.get("password") if not user or not password: return Response({"message": f"user name is NA"}, status=status.HTTP_401_UNAUTHORIZED) pam_p = pam.pam() if not pam_p.authenticate(user, password): return Response({"message": f"user {user} is unauthorized"}, status=status.HTTP_401_UNAUTHORIZED) user_obj, _ = User.objects.get_or_create({"name": user}, name=user) return Response({"check_flg": True, "user_id": user_obj.pk})
def lnd_macaroon(): p = pam.pam() pw = request.form.get('password_download_macaroon') if pw == None or p.authenticate("admin", pw) == False: return redirect(url_for(".page_lnd", error_message="Invalid Password")) # Download macaroon return send_from_directory( directory="/mnt/hdd/mynode/lnd/data/chain/bitcoin/mainnet/", filename="admin.macaroon")
def __init__(self, wsgidav_app, config): super(PAMDomainController, self).__init__(wsgidav_app, config) self.pam = pam.pam() # auth_conf = config["http_authenticator"] dc_conf = config.get("pam_dc", {}) self.pam_service = dc_conf.get("service", "login") self.pam_encoding = dc_conf.get("encoding", "utf-8") self.pam_resetcreds = dc_conf.get("resetcreds", True)
def pwgroupauth(username, password, group): """Authenticate user.""" try: if username not in grp.getgrnam(group)[3]: return False except KeyError: return False if pam.pam().authenticate(username, password): return True return False
def __os_auth(self): p = pam.pam() sys_info = self.__sys_details() pass_msg = ''' KeyChain password ({0}@{1} Auth): ''' keyring_user = getpass.getuser() keyring_pass = getpass.getpass( pass_msg.format(keyring_user, sys_info['hostname'])) if not p.authenticate(keyring_user, keyring_pass): print "Authentication Error: {0} - {1}".format(p.code, p.reason) return False return True
def child_routine(self): """ The main routine that is executed by the child after the object forks. This loop does not exit unless a stop request is made. """ self.logger = logging.getLogger('KingPhisher.Server.Authenticator.Child') while True: request = self._raw_recv(timeout=None) if 'action' not in request: self.logger.warning('request received without a specified action') continue if not isinstance(request.get('sequence'), int): self.logger.warning('request received without a valid sequence number') continue action = request.get('action', 'UNKNOWN') self.logger.debug("received request with sequence number {0} and action '{1}'".format(request['sequence'], action)) if action == 'stop': break elif action != 'authenticate': continue username = str(request['username']) password = str(request['password']) start_time = time.time() pam_handle = pam.pam() result = pam_handle.authenticate(username, password, service=self.service, resetcreds=False) end_time = time.time() - start_time self.logger.debug("pam returned code: {0} reason: '{1}' for user {2} after {3:.2f} seconds".format(pam_handle.code, pam_handle.reason, username, end_time)) result = { 'result': result, 'sequence': request['sequence'], 'username': username } if result['result']: if self.required_group: result['result'] = False try: assert self.required_group in get_groups_for_user(username) except AssertionError: self.logger.warning("authentication failed for user: {0} reason: lack of group membership".format(username)) except KeyError: self.logger.error("encountered a KeyError while looking up group membership for user: {0}".format(username)) else: result['result'] = True else: self.logger.warning("authentication failed for user: {0} reason: bad username or password".format(username)) self._raw_send(result)
def check_password(realm, username, password, timeout=datetime.timedelta(seconds=5)): try: import pam groups = [] pServer = pam.pam() returnCode = pServer.authenticate(username, password) if returnCode == True: return True, groups else: cherrypy.log.error("PAM password check failed to authenticate %s" % username ) return False, groups except Exception as e: cherrypy.log.error("%s" % e) return False, groups
def preload(self, root=False): if not root: p = pam.pam() if not p.authenticate(self.login, self.password): raise Exception('Not Authenticated - %s (%s) ("%s":"%s"):' % (p.code, p.reason, self.login, self.password)) self.set_customer_uid() signal.signal(signal.SIGTERM, self._on_sigterm) # Изменяем имя процесса для мониторинга process_title = ' - ' + self.name + ' ' + setproctitle.getproctitle() setproctitle.setproctitle(process_title) self.logger.info("%s process started PID = %s , Title = %s" % (str(self.__class__.__name__), str(self.pid), str(process_title))) self.on_running(self.status_id, pid=self.pid, pname=self.name)
def authenticate(self, username, password): if self.cfg is None or not self.cfg.has_section(username): return False source = 'internal' if self.cfg.has_option(username, 'source'): source = self.cfg[username]['source'] if source == 'internal': return self.cfg[username]['password'] == password elif source == 'pam': p = pam.pam() return p.authenticate(username, password) raise PermissionDenied()
def user_authorization(self): if not self.__is_autorization: p = pam.pam() ret = p.authenticate(self.user, self.password) if ret is True: self.__is_autorization = True # получаю идентификаторы пользователя if self.__get_uid_guid() is False: return False # Изменяем права процесса os.setgid(self.__UID) os.setegid(self.__UID) os.setuid(self.__GID) os.seteuid(self.__GID) else: self.__is_autorization = False return ret
def unixUserLogin(userName, password): """ returns if unix user can login, using unix login If successful, returns MGIUser object from database """ logger.debug('%s - attempting to authenticate' % userName) user = None # authenticate using Python-PAM authenticated = pam().authenticate(userName, password) if authenticated: logger.debug('%s - authentication successful' % userName) # now look up user in database user = MGIUser.query.filter_by(login=userName).first() if not user: logger.debug('%s - does not exist in MGI_User table' % userName) return user
def authenticate(self, username=None, password=None): try: rc_user = RcLdapUser.objects.get(username=username) except RcLdapUser.DoesNotExist: return None p = pam.pam() authed = p.authenticate(username, password, service=settings.PAM_SERVICES['default']) if authed: user_dict = { 'first_name': rc_user.first_name, 'last_name': rc_user.last_name, 'email': rc_user.email, 'is_staff': False, } user, created = User.objects.update_or_create( username=rc_user.username, defaults=user_dict ) return user return None
def auth_pam(self): if not pam.pam().authenticate(GLib.get_user_name(), self.current_password.get_text(), 'passwd'): raise PasswordError("Invalid password")
#!/usr/bin/python # pam_authenticate.py: a script to check a user's password against PAM. # part of the pywiki project, see https://github.com/pepaslabs/pywiki # written by jason pepas, released under the terms of the MIT license. # usage: pipe a password into this script, giving the username as the first argument. # a zero exit status indicates successful authentication. import sys import pam # pip install python-pam p = pam.pam() logged_in = False try: user = sys.argv[1] passwd = sys.stdin.read() logged_in = p.authenticate(user, passwd) except Exception as e: sys.exit(2) else: if logged_in == True: sys.exit(0) else: sys.exit(1)
import pam except ImportError: log.debug('PAM auth helper: Could not import pam module') sys.exit(1) def handle_timeout(signum, stack): raise IOError("Timed out reading input") # set timeout so we don't block on reading stdin signal.alarm(TIMEOUT) pam_service = sys.stdin.readline().strip() pam_username = sys.stdin.readline().strip() pam_password = sys.stdin.readline().strip() # cancel the alarm signal.alarm(0) p_auth = pam.pam() authenticated = p_auth.authenticate(pam_username, pam_password, service=pam_service) if authenticated: log.debug('PAM auth helper: authentication successful for {}'.format(pam_username)) sys.stdout.write('True\n') sys.exit(0) else: log.debug('PAM auth helper: authentication failed for {}'.format(pam_username)) sys.stdout.write('False\n') sys.exit(1)
def authenticate(self, email, username, password, options): pam_username = None auto_register_username = None auto_register_email = None force_fail = False if not options['redact_username_in_logs']: log.debug("use username: {} use email {} email {} username {}".format(options.get('login-use-username'), options.get('login-use-email', False), email, username)) # check email based login first because if email exists in Galaxy DB # we will be given the "public name" as username if string_as_bool(options.get('login-use-email', False)) and email is not None: if '@' in email: (email_user, email_domain) = email.split('@') pam_username = email_user if email_domain == options.get('maildomain', None): auto_register_email = email if username is not None: auto_register_username = username else: auto_register_username = email_user else: log.debug('PAM authenticate: warning: email does not match configured PAM maildomain') # no need to fail: if auto-register is not enabled, this # might still be a valid user else: log.debug('PAM authenticate: email must be used to login, but no valid email found') force_fail = True elif string_as_bool(options.get('login-use-username', False)): # if we get here via authenticate_user then # user will be "public name" and # email address will be as per registered user if username is not None: pam_username = username if email is not None: auto_register_email = email elif options.get('maildomain', None) is not None: # we can register a user with this username and mail domain # if auto registration is enabled auto_register_email = '{}@{}'.format(username, options['maildomain']) auto_register_username = username else: log.debug('PAM authenticate: username login selected but no username provided') force_fail = True else: log.debug('PAM authenticate: could not find username for PAM') force_fail = True if force_fail: return None, '', '' pam_service = options.get('pam-service', 'galaxy') use_helper = string_as_bool(options.get('use-external-helper', False)) log.debug("PAM auth: will use external helper: {}".format(use_helper)) authenticated = False if use_helper: authentication_helper = options.get('authentication-helper-script', '/bin/false').strip() log.debug("PAM auth: external helper script: {}".format(authentication_helper)) if not authentication_helper.startswith('/'): # don't accept relative path authenticated = False else: auth_cmd = shlex.split('/usr/bin/sudo -n {}'.format(authentication_helper)) log.debug("PAM auth: external helper cmd: {}".format(auth_cmd)) proc = Popen(auth_cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE) message = '{}\n{}\n{}\n'.format(pam_service, pam_username, password) (output, error) = proc.communicate(message) status = proc.wait() if status != 0 and error != '': log.debug("PAM auth: external authentication script had errors: status {} error {}".format(status, error)) if output.strip() == 'True': authenticated = True else: authenticated = False else: try: import pam except ImportError: log.debug('PAM authenticate: could not load pam module, PAM authentication disabled') return None, '', '' p_auth = pam.pam() authenticated = p_auth.authenticate(pam_username, password, service=pam_service) if authenticated: log.debug('PAM authentication successful for {}'.format('redacted' if options['redact_username_in_logs'] else pam_username)) return True, auto_register_email, auto_register_username else: log.debug('PAM authentication failed for {}'.format('redacted' if options['redact_username_in_logs'] else pam_username)) return False, '', ''
def pam_authenticate(*args, **kwargs): return pam.pam().authenticate(*args, **kwargs)
#!/usr/bin/env python2 import pam import fileinput import sys import json lines = list(fileinput.input()) if len(lines) < 2: print("Expected only two lines: user, password") sys.exit(1) auth = pam.authenticate if hasattr(pam, "authenticate") else pam.pam().authenticate if auth(lines[0].replace("\n", "").strip(), lines[1].replace("\n", "").strip()): print("Success") sys.exit(0) print("Error") sys.exit(1)
__version__ = "0.0.8" __author__ = "Anton Hvornum" pidfile = "/var/run/slim_smtp.pid" DOMAIN = "example.com" core = { "_socket": {"listen": "", "ports": [25, 587]}, "SSL": { "enabled": True, "key": "/etc/ssl/hvornum.se.key_nopass", "cert": "/etc/ssl/hvornum.se.crt", "VERSION": ssl.PROTOCOL_TLSv1, }, # |ssl.PROTOCOL_SSLv3}, "domain": DOMAIN, "supports": [DOMAIN, "SIZE 10240000", "STARTTLS", "AUTH PLAIN", "ENHANCEDSTATUSCODES", "8BITMIME", "DSN"], "users": {b"testuser": {"password": "******"}, "@POSTGRESQL": False, "@PAM": pam.pam()}, "relay": {"active": False, "host": "smtp.t3.se", "port": 25, "TLS": False}, "external": {"enforce_tls": True}, "storages": { "testuser@" + DOMAIN: "/home/anton/Maildir/", "default": "/home/anton/Maildir/", "@POSTGRESQL": True, "@PAM": False, }, "postgresql": {"db": "example", "dbuser": "******", "dbpass": "******"}, } def decompress(b): import gzip from io import BytesIO
import hashlib import pam from base64 import b64encode import env import smtplib from email.mime.text import MIMEText from email.mime.multipart import MIMEMultipart from email.header import Header from datetime import datetime import json from log import logger from lvmtool import * email_from_address = env.getenv('EMAIL_FROM_ADDRESS') admin_email_address = env.getenv('ADMIN_EMAIL_ADDRESS') PAM = pam.pam() fspath = env.getenv('FS_PREFIX') data_quota = env.getenv('DATA_QUOTA') data_quota_cmd = env.getenv('DATA_QUOTA_CMD') if (env.getenv('EXTERNAL_LOGIN').lower() == 'true'): from plugin import external_receive def administration_required(func): @wraps(func) def wrapper(*args, **kwargs): if ( ('cur_user' in kwargs) == False): return {"success":'false', "reason":"Cannot get cur_user"} cur_user = kwargs['cur_user'] if ((cur_user.user_group == 'admin') or (cur_user.user_group == 'root')):
import argparse import logging import os import pam import socket import sys import traceback import paramiko from paramiko.common import DEBUG, INFO from collections import deque from threading import Thread HOST, PORT = '0.0.0.0', 2222 BACKLOG = 10 PAM_AUTH = pam.pam() _CONFIG = {} log_name = 'ssh_coupler.main' root_logger = paramiko.util.get_logger(log_name) class Server(paramiko.ServerInterface): def check_auth_password(self, username, password): if PAM_AUTH.authenticate(username, password): return paramiko.AUTH_SUCCESSFUL return paramiko.AUTH_FAILED def check_auth_publickey(self, username, key): # Testing: all are allowed return paramiko.AUTH_SUCCESSFUL
def setUp(self): self.p = pam.pam()