def check_password(self, username, password):
print('check_password', username)
"""The actual password checking logic. Separated from the authenticate code from Django for easier updating"""
try:
if SUPPORTS_VERIFY:
print('verify')
kerberos.checkPassword(
username.lower(), password,
getattr(settings, "KRB5_SERVICE", ""),
getattr(settings, "KRB5_REALM", ""),
getattr(settings, "KRB5_VERIFY_KDC", True))
else:
print('do not verify')
kerberos.checkPassword(username.lower(), password,
getattr(settings, "KRB5_SERVICE", ""),
getattr(settings, "KRB5_REALM", ""))
return True
except kerberos.BasicAuthError as e:
print('BasicAuthError', e)
if getattr(settings, "KRB5_DEBUG", False):
logger.exception("Failure during authentication")
return False
except Exception as e:
print('Error', e)
if getattr(settings, "KRB5_DEBUG", False):
logger.exception("Failure during authentication")
# for all other execptions also deny access
return False
def auth_basic(self, auth_header):
"""
Manages the basic authorization process with kerberos.
Returns a username or raises a BasicAuthError.
"""
# The authorization header is base64 encoded, we need it decoded
auth_decoded = base64.decodebytes(auth_header.encode('utf8')).decode()
# Decoded format is <username>:<password> so we need to split it
userstring, password = auth_decoded.split(':', maxsplit=1)
try:
# If the user specifies a realm in the username verify
# it matches the configured SPNEGO realm so we
# don't open ourselves up to KDC spoofing
username, realm = userstring.split('@', maxsplit=1)
if realm != settings.SPNEGO_REALM:
raise NotAuthorized
except ValueError:
username = userstring
kerberos.checkPassword(
username, password,
kerberos.getServerPrincipalDetails('HTTP',
settings.SPNEGO_HOSTNAME),
settings.SPNEGO_REALM)
return username
def testCheckpassword(user, pswd, service, realm):
try:
kerberos.checkPassword(user, pswd, service, realm)
except kerberos.BasicAuthError as e:
print("Kerberos authentication for %s failed: %s" % (user, e[0]))
else:
print("Kerberos authentication for %s succeeded" % user)
def testCheckpassword(user, pswd, service, realm):
try:
kerberos.checkPassword(user, pswd, service, realm)
except kerberos.BasicAuthError as e:
print("Kerberos authentication for %s failed: %s" % (user, e[0]))
else:
print("Kerberos authentication for %s succeeded" % user)
def test_admin_login_fails_when_we_dont_know_the_password():
krb5_password = '******'
with pytest.raises(kerberos.BasicAuthError) as e:
kerberos.checkPassword('admin/admin', krb5_password, '', 'EXAMPLE.COM')
error_message = e.value.args[0]
assert 'Preauthentication failed' in error_message
def kerberos_authentication(username, password):
try:
import kerberos
kerberos.checkPassword(username, password, settings.sso_service,
settings.sso_realm)
return dict(id='', username=username)
except ImportError:
return False
except kerberos.BasicAuthError:
return False
def _doBasicAuth(self):
# Future improvement - we could also support LDAP authentication if we wanted to
# If we're trying basic, that means that negotiate auth has already failed, so don't offer it again
self.page.offerNegotiate = False
self._getKerberosDetails()
(user, password) = base64.b64decode(self.authToken).split(":", 1)
try:
kerberos.checkPassword(user, password, self._kerberosService, self._kerberosRealm)
self.user = user
print "Authenticated user %s" % user
except:
print "Failed to authenticate user %s" % user
raise
def __call__(self, environ, start_response):
def error():
start_response('500 Error', [
('content-type', 'text/plain'),
])
return ['Internal error']
def noauth(msg=None):
start_response('401 Unauthorized', [
('content-type', 'text/plain'),
('WWW-Authenticate', 'Negotiate'),
('WWW-Authenticate', 'Basic realm="Web Service for CloudLab"')
])
if msg:
return ['No auth. Error: %s' % msg]
return ['No auth']
if 'HTTP_AUTHORIZATION' not in environ:
return noauth()
type, authstr = environ['HTTP_AUTHORIZATION'].split(' ', 1)
if type == 'Negotiate':
result, context = kerberos.authGSSServerInit(self.service)
if result != 1:
return error()
gssstring = ''
r = kerberos.authGSSServerStep(context, authstr)
if r == 1:
gssstring = kerberos.authGSSServerResponse(context)
else:
return noauth()
def new_start_response(status, headers):
start_response(
status,
[('WWW-Authenticate', 'Negotiate %s' % gssstring)] +
headers)
environ['REMOTE_USER'] = kerberos.authGSSServerUserName(context)
kerberos.authGSSServerClean(context)
elif type == 'Basic':
username, password = b64decode(authstr).split(':', 1)
try:
kerberos.checkPassword(username, password, self.service,
self.realm)
except Exception, e:
return noauth(e.message)
new_start_response = start_response
environ['REMOTE_USER'] = username
def check_password(self, username, password):
"""The actual password checking logic. Separated from the authenticate code from Django for easier updating"""
try:
kerberos.checkPassword(username.lower(), password, getattr(settings, "KRB5_SERVICE", ""), settings.KRB5_REALM)
return True
except kerberos.BasicAuthError:
if getattr(settings, "KRB5_DEBUG", False):
logger.exception("Failure during authentication")
return False
except:
if getattr(settings, "KRB5_DEBUG", False):
logger.exception("Failure during authentication")
# for all other execptions also deny access
return False
def __call__(self, environ, start_response):
def error():
start_response('500 Error', [
('content-type', 'text/plain'),
])
return ['Internal error']
def noauth():
start_response('401 Unauthorized', [
('content-type', 'text/plain'),
('WWW-Authenticate','Negotiate'),
('WWW-Authenticate','Basic realm="Secured area"')
])
return ['No auth']
if 'HTTP_AUTHORIZATION' not in environ:
return noauth()
type, authstr = environ['HTTP_AUTHORIZATION'].split(' ', 1)
if type == 'Negotiate':
result, context = kerberos.authGSSServerInit(self.service)
if result != 1:
return error()
gssstring=''
r=kerberos.authGSSServerStep(context,authstr)
if r == 1:
gssstring=kerberos.authGSSServerResponse(context)
else:
return noauth()
def new_start_response(status, headers):
start_response(
status,
[
('WWW-Authenticate','Negotiate %s' % gssstring)
]+headers
)
environ['REMOTE_USER']=kerberos.authGSSServerUserName(context)
kerberos.authGSSServerClean(context)
elif type == 'Basic':
username, password = b64decode(authstr).split(':',1)
try:
kerberos.checkPassword(username, password, self.service, self.realm)
except:
return noauth()
new_start_response=start_response
environ['REMOTE_USER']=username
return self.wrapped(environ, new_start_response)
def _doBasicAuth(self):
# Future improvement - we could also support LDAP authentication if we wanted to
# If we're trying basic, that means that negotiate auth has already failed, so don't offer it again
self.page.offerNegotiate = False
self._getKerberosDetails()
(user, password) = base64.b64decode(self.authToken).split(":", 1)
try:
kerberos.checkPassword(user, password, self._kerberosService,
self._kerberosRealm)
self.user = user
print "Authenticated user %s" % user
except:
print "Failed to authenticate user %s" % user
raise
def requestAvatarId(self, credentials):
# If there is no calendar principal URI then the calendar user is disabled.
pcreds = IPrincipalCredentials(credentials)
creds = pcreds.credentials
if isinstance(creds, BasicKerberosCredentials):
try:
kerberos.checkPassword(creds.username, creds.password, creds.service, creds.default_realm)
except kerberos.BasicAuthError, ex:
self.log.error("%s" % (ex[0],))
raise error.UnauthorizedLogin("Bad credentials for: %s (%s: %s)" % (pcreds.authnURI, ex[0], ex[1]))
else:
return succeed((pcreds.authnPrincipal, pcreds.authzPrincipal))
def authenticate(self, username=None, password=None):
try:
kerberos.checkPassword(username, password, '', settings.KRB5_REALM)
except kerberos.BasicAuthError:
return None
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = User.objects.create_user(
username=username,
email='%s@%s' % (username, settings.KRB5_REALM.lower()))
user.set_unusable_password()
user.save()
return user
def __call__(self, environ, start_response):
def error():
start_response("500 Error", [("content-type", "text/plain")])
return ["Internal error"]
def noauth(msg=None):
start_response(
"401 Unauthorized",
[
("content-type", "text/plain"),
("WWW-Authenticate", "Negotiate"),
("WWW-Authenticate", 'Basic realm="Web Service for CloudLab"'),
],
)
if msg:
return ["No auth. Error: %s" % msg]
return ["No auth"]
if "HTTP_AUTHORIZATION" not in environ:
return noauth()
type, authstr = environ["HTTP_AUTHORIZATION"].split(" ", 1)
if type == "Negotiate":
result, context = kerberos.authGSSServerInit(self.service)
if result != 1:
return error()
gssstring = ""
r = kerberos.authGSSServerStep(context, authstr)
if r == 1:
gssstring = kerberos.authGSSServerResponse(context)
else:
return noauth()
def new_start_response(status, headers):
start_response(status, [("WWW-Authenticate", "Negotiate %s" % gssstring)] + headers)
environ["REMOTE_USER"] = kerberos.authGSSServerUserName(context)
kerberos.authGSSServerClean(context)
elif type == "Basic":
username, password = b64decode(authstr).split(":", 1)
try:
kerberos.checkPassword(username, password, self.service, self.realm)
except Exception, e:
return noauth(e.message)
new_start_response = start_response
environ["REMOTE_USER"] = username
def check_password(self, username, password):
"""The actual password checking logic. Separated from the authenticate code from Django for easier updating"""
try:
kerberos.checkPassword(username.lower(), password,
getattr(settings, "KRB5_SERVICE", ""),
settings.KRB5_REALM)
return True
except kerberos.BasicAuthError:
if getattr(settings, "KRB5_DEBUG", False):
logger.exception("Failure during authentication")
return False
except:
if getattr(settings, "KRB5_DEBUG", False):
logger.exception("Failure during authentication")
# for all other execptions also deny access
return False
def authenticate(username, password):
service_principal = "%s/%s" % (
configuration.conf.get('kerberos', 'principal'),
utils.get_fqdn()
)
realm = configuration.conf.get("kerberos", "default_realm")
try:
user_realm = configuration.conf.get("security", "default_realm")
except AirflowConfigException:
user_realm = realm
user_principal = utils.principal_from_username(username, user_realm)
try:
# this is pykerberos specific, verify = True is needed to prevent KDC spoofing
if not kerberos.checkPassword(user_principal,
password,
service_principal, realm, True):
raise AuthenticationError()
except kerberos.KrbError as e:
logging.error(
'Password validation for user '
'%s in realm %s failed %s', user_principal, realm, e)
raise AuthenticationError(e)
return
def authenticate(username, password):
service_principal = "%s/%s" % (
configuration.conf.get('kerberos', 'principal'),
utils.get_fqdn()
)
realm = configuration.conf.get("kerberos", "default_realm")
try:
user_realm = configuration.conf.get("security", "default_realm")
except AirflowConfigException:
user_realm = realm
user_principal = utils.principal_from_username(username, user_realm)
try:
# this is pykerberos specific, verify = True is needed to prevent KDC spoofing
if not kerberos.checkPassword(user_principal,
password,
service_principal, realm, True):
raise AuthenticationError()
except kerberos.KrbError as e:
logging.error(
'Password validation for user '
'%s in realm %s failed %s', user_principal, realm, e)
raise AuthenticationError(e)
return
def auth_krb(jenni, input):
"""
This will authenticate a user off of AD Credentials
If checkPassword returns True, add user to auth_list
You must have sso_service and sso_realm in ~/.phenny/default.py
"""
global auth_list
import kerberos
split_it = []
nick = input.nick
line = input.group(0)
string_line = str(line)
for item in string_line.split():
split_it.append(item)
username = split_it[2]
password = split_it[3]
# Can only be done in prvmsg by an admin
if input.sender.startswith('#'):
return
if input.admin:
if nick in auth_list:
return
else:
jenni.say(nick + " is being authenticated.")
if kerberos.checkPassword(username,password,input.sso_service,input.sso_realm):
jenni.say(nick + " authenticated.")
auth_list.append(nick)
else:
jenni.say(nick + " NOT authorized!")
auth_list.remove(nick)
def can_log_in(self, username, password):
try:
return kerberos.checkPassword(username.lower(), password,
settings.AUTH_KERBEROS_SERVICE,
settings.AUTH_KERBEROS_REALM, False)
except:
logger.exception("Failure during Kerberos authentication")
return False
def can_log_in(self, username, password):
try:
return kerberos.checkPassword(
username.lower(), password, settings.AUTH_KERBEROS_SERVICE, settings.AUTH_KERBEROS_REALM, False
)
except:
logger.exception("Failure during Kerberos authentication")
return False
def authenticate(self, username=None, password=None):
try:
auth = kerberos.checkPassword(
username, password, '',
settings.KRB5_REALM
)
except kerberos.BasicAuthError, e:
return None
def auth_basic(self, auth_header, callback):
"""
Perform Basic authentication using Kerberos against
self.settings['sso_realm'].
"""
auth_decoded = base64.decodestring(auth_header[6:])
username, password = auth_decoded.split(":", 2)
try:
kerberos.checkPassword(username, password, self.settings["sso_service"], self.settings["sso_realm"])
except Exception as e: # Basic auth failed
if self.settings["debug"]:
print(e) # Very useful for debugging Kerberos errors
return self.authenticate_redirect()
# NOTE: Basic auth just gives us the username without the @REALM part
# so we have to add it:
user = "******" % (username, self.settings["sso_realm"])
callback(user)
def authenticate_user(user, password):
try:
if kerberos.checkPassword(user, password, "krbtgt/SLAC.STANFORD.EDU",
"SLAC.STANFORD.EDU"):
return True
except:
pass
return False
def requestAvatarId(self, credentials):
# If there is no calendar principal URI then the calendar user is disabled.
pcreds = IPrincipalCredentials(credentials)
creds = pcreds.credentials
if isinstance(creds, BasicKerberosCredentials):
try:
kerberos.checkPassword(creds.username, creds.password, creds.service, creds.default_realm)
except kerberos.BasicAuthError, ex:
self.log.error("{ex}", ex=ex[0])
raise error.UnauthorizedLogin("Bad credentials for: %s (%s: %s)" % (pcreds.authnURI, ex[0], ex[1],))
else:
return succeed((
pcreds.authnPrincipal,
pcreds.authzPrincipal,
))
def check_password(self, username, password):
try:
return kerberos.checkPassword(
username, password,
getattr(settings, 'AUTH_SERVICE_NAME', 'http/[email protected]'),
getattr(settings, 'AUTH_SERVICE_REALM', 'example.com'), True)
except kerberos.BasicAuthError:
# logging.exception("username/password mismatch")
return False
def check_password(username, password):
try:
# verify is an extra field implemented in https://github.com/02strich/pykerberos
# it is needed to prevent KDC spoofing attacks, but require service authentication
# with a keytab file specified in `KRB5_KTNAME`.
return kerberos.checkPassword(username, password, settings.service,
settings.realm, True)
except kerberos.BasicAuthError:
logging.exception("username/password mismatch")
return False
def authenticate(self, username=None, password=None):
try:
kerberos.checkPassword(
username, password, '',
settings.KRB5_REALM
)
except kerberos.BasicAuthError:
return None
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = User.objects.create_user(
username=username,
email='%s@%s' % (username, settings.KRB5_REALM.lower())
)
user.set_unusable_password()
user.save()
return user
def auth_basic(self, auth_header, callback):
"""
Perform Basic authentication using Kerberos against
`self.settings['sso_realm']`.
"""
auth_decoded = base64.decodestring(auth_header[6:])
username, password = auth_decoded.split(':', 1)
try:
kerberos.checkPassword(username, password,
self.settings['sso_service'],
self.settings['sso_realm'])
except Exception as e: # Basic auth failed
if self.settings['debug']:
print(e) # Very useful for debugging Kerberos errors
return self.authenticate_redirect()
# NOTE: Basic auth just gives us the username without the @REALM part
# so we have to add it:
user = "******" % (username, self.settings['sso_realm'])
callback(user)
def auth(self, username, password):
subauth.log('trying user: %s|%s|%s' %
(username, self.domain, self.realm))
try:
if kerberos.checkPassword(username, password, self.domain,
self.realm):
subauth.log("Success!")
return True
except Exception, e:
subauth.log('Exception: %s' % e)
pass
def authenticate(username, password):
service_principal = "%s/%s" % (conf.get('kerberos', 'principal'), utils.get_fqdn())
realm = conf.get("kerberos", "default_realm")
user_principal = utils.principal_from_username(username)
try:
# this is pykerberos specific, verify = True is needed to prevent KDC spoofing
if not kerberos.checkPassword(user_principal, password, service_principal, realm, True):
raise AuthenticationError()
except kerberos.KrbError, e:
logging.error('Password validation for principal %s failed %s', user_principal, e)
raise AuthenticationError(e)
def authenticate(self, username, password):
if '@' not in username:
username = username + '@' + self.get_default_realm()
try:
if kerberos.checkPassword(username, password, '', '', 0):
logger.info('Authenticated user ' + username + '.')
if username.split('@', 1)[0] not in [u.username for u in self.users]:
self.add_user(username.split('@', 1)[0], 'Firstname', 'Lastname', PRIV_LAYMAN)
self.select_user(username)
return True
except kerberos.BasicAuthError:
return False
def authenticate(self, request, username=None, password=None, **kwargs):
import kerberos
try:
kerberos.checkPassword(
username, password, '',
settings.KRB5_REALM
)
except kerberos.BasicAuthError:
return None
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = User.objects.create_user(
username=username,
email='{}@{}'.format(username, settings.KRB5_REALM.lower())
)
user.set_unusable_password()
user.save()
return user
def authenticate(self, username=None, password=None, **kwargs):
if not kerberos:
return None
UserModel = get_user_model()
if username is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
try:
kerberos.checkPassword(username, password, '', settings.KRB5_REALM)
except kerberos.BasicAuthError:
return None
try:
user = UserModel.objects.get(username=username)
except UserModel.DoesNotExist:
user = UserModel.objects.create_user(
username=username,
email='%s@%s' % (username, settings.KRB5_REALM.lower()))
user.set_unusable_password()
user.save()
return user
def authenticate(cls, mail_user, password):
mail_user = mail_user.internal_username.split("+")[-1] # Allow to have more than 1 krb-authenticated account for user
mail_user = mail_user.split("@")
if len(mail_user) != 2: # Failed to split to [username, domain]
return False
username, domain = mail_user[0], mail_user[1].upper() # Kerberos uses uppercase domains
mail_user = "******".join((username, domain))
try:
result = kerberos.checkPassword(mail_user, password.encode('utf-8'), "", domain)
except kerberos.KrbError:
return False
return result
def authenticate(self, username=None, password=None, **kwargs):
if not kerberos:
return None
UserModel = get_user_model()
if username is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
try:
kerberos.checkPassword(username, password, "", settings.KRB5_REALM)
except kerberos.BasicAuthError:
return None
try:
user = UserModel.objects.get(username=username)
except UserModel.DoesNotExist:
user = UserModel.objects.create_user(
username=username, email="%s@%s" % (username, settings.KRB5_REALM.lower())
)
user.set_unusable_password()
user.save()
return user
def login(email, password):
allowed_domains = ALLOWED_DOMAINS + [REALM]
validate_email = EmailValidator(whitelist=allowed_domains)
# user is allowed to type just the username. In this case, the REALM
# will be appended as the domain to form a complete e-mail address
if '@' in email:
try:
validate_email(email)
except ValidationError as err:
raise KERBEROSLoginError({"error_message": str(err)})
username, domain = email.split('@')
else:
username, domain = email, DEFAULT_DOMAIN
email = username + '@' + domain
if domain not in allowed_domains:
errmsg = "Invalid e-mail: domain not allowed"
raise KERBEROSLoginError({"error_message": errmsg})
try:
kerberos.checkPassword(username, password, '', REALM)
except kerberos.BasicAuthError as err:
errmsg, _ = err.args
if errmsg == "Cannot contact any KDC for requested realm":
errmsg = "Error connecting to KERBEROS server"
raise KERBEROSLoginError({"error_message": errmsg})
elif errmsg == "Decrypt integrity check failed":
errmsg = "KERBEROS account or password incorrect"
raise KERBEROSLoginError({"error_message": errmsg})
else:
raise KERBEROSLoginError({"error_message": errmsg})
except Exception:
errmsg = "KERBEROS authentication failed"
raise KERBEROSLoginError({"error_message": errmsg})
return (email, username)
def _parse_krb_basic_auth(self, username, password):
krb_auth = self.metrique_config.krb_auth
# kerberos module must be available, krb auth enabled, realm defined
# and username/password provided
realm = self.metrique_config.realm
ok = (kerberos and krb_auth and realm and username and password)
if ok:
try:
ok = kerberos.checkPassword(username, password, '', realm)
except kerberos.BasicAuthError as e:
logger.debug('KRB ERROR [%s]: %s' % (username, e))
ok = False
logger.debug('KRB AUTH [%s]: %s' % (username, ok))
return ok
def login():
error = None
if request.method == 'GET':
return render_template('login.html', error=error)
username = request.form['username']
allusers = softwareService.getAllUsers()
if username not in allusers:
error = "'" + username + "' is not entitled for this application"
return render_template('login.html', error=error)
password = request.form['password']
kerberosname = username + '@UTORONTO.CA'
app.logger.info('%s try login', kerberosname)
try:
kerberos.checkPassword(kerberosname, password, '', '')
session['username'] = request.form['username']
app.logger.info('[%s] login', session['username'])
except:
e = sys.exc_info()[0]
app.logger.info('authenticate error %s', e)
error = "invalid credential"
return render_template('login.html', error=error)
fullname = ""
if "name" in allusers[username]:
fullname = allusers[username]["name"]
email=""
if "email" in allusers[username]:
email = allusers[username]["email"]
if fullname and email:
return redirect(url_for('index'))
else:
return render_template('register.html', id=username, name=fullname, email=email)
def authenticate(username, password):
service_principal = "%s/%s" % (conf.get('kerberos',
'principal'), utils.get_fqdn())
realm = conf.get("kerberos", "default_realm")
user_principal = utils.principal_from_username(username)
try:
# this is pykerberos specific, verify = True is needed to prevent KDC spoofing
if not kerberos.checkPassword(user_principal, password,
service_principal, realm, True):
raise AuthenticationError()
except kerberos.KrbError, e:
logging.error('Password validation for principal %s failed %s',
user_principal, e)
raise AuthenticationError(e)
def checkPassword(user, password): # First try their local password if user.password and user.password == User.crypt(user.username, password): return True # Then try Kerberos if possible if settings.kerberosRealm: try: import kerberos try: if kerberos.checkPassword(user.username, password, '', settings.kerberosRealm): return True except (kerberos.KrbError, kerberos.BasicAuthError): pass except ImportError: pass return False
def login(self, session, username, password, generic_password):
krb_realm = self.server.config('KRB_REALM', default='CHALMERS.SE')
if generic_password and password == generic_password:
session.set("authuser", username)
session.set("authrealm", krb_realm)
return
if AuthenticationManager.has_krb5():
import kerberos
service = "krbtgt/" + self.function.server.instance_address
# Get in control of which realm we're using"
if "@" in username:
(username,) = username.split('@')
if kerberos.checkPassword(username, password, service, krb_realm):
session.set("authuser", username)
session.set("authrealm", krb_realm)
else:
raise exterror.ExtAuthenticationFailedError()
else:
raise exterror.ExtAuthenticationFailedError()
def checkPassword(self, credentials):
try:
res = kerberos.checkPassword(
credentials.username,
credentials.password,
self.service,
self.default_realm
)
except kerberos.KrbError as e:
msg = repr(e)
log.msg(msg)
raise UnauthorizedLogin(msg)
if not res:
raise UnauthorizedLogin()
username, sep, realm = credentials.username.rpartition('@')
if sep != '@':
return '%s@%s' % (credentials.username, self.default_realm)
return credentials.username
def authenticateKerberos(self, event):
try:
self.authenticated = kerberos.checkPassword(self.username.get(), self.password.get(), \
'krbtgt/CC.COLUMBIA.EDU', 'CC.COLUMBIA.EDU')
except kerberos.KrbError as ae:
print ae
self.authTriesRemaining -= 1
self.message.set('Password incorrect, try again.')
self.text['fg'] = 'red'
if self.authenticated:
self.text['fg'] = 'darkgreen'
self.message.set('Password accepted')
print 'User %s authenticated successfully' % ( self.username.get(), )
self.after(600, self.event_generate, '<<CloseDialog>>')
else:
print 'Authentication unsuccessful'
print 'authTriesRemaining: %d' % self.authTriesRemaining
if self.authTriesRemaining < 1:
self.event_generate('<<CloseDialog>>')
def login(self, session, username, password, generic_password):
krb_realm = self.server.config('KRB_REALM', default='CHALMERS.SE')
if generic_password and password == generic_password:
session.set("authuser", username)
session.set("authrealm", krb_realm)
return
if AuthenticationManager.has_krb5():
import kerberos
service = "krbtgt/" + self.function.server.instance_address
# Get in control of which realm we're using"
if "@" in username:
(username, ) = username.split('@')
if kerberos.checkPassword(username, password, service, krb_realm):
session.set("authuser", username)
session.set("authrealm", krb_realm)
else:
raise exterror.ExtAuthenticationFailedError()
else:
raise exterror.ExtAuthenticationFailedError()
# Make sure resolver setting to access DC.
import kerberos
# Domain information
user = "******"
dc_address = "192.168.2.170"
domain = "EXAMPLE.COM"
# Password list
password_list = ['123456','password','12345678','1234','pussy','12345','dragon','qwerty','696969','mustang','letmein','baseball','master','michael','football','shadow','monkey','abc123','pass','f****e','6969','jordan','harley','ranger','iwantu','jennifer','hunter','f**k','2000','test','batman','trustno1','thomas','tigger','robert','access','love','buster','1234567','soccer','hockey','killer','george','sexy','andrew','charlie','superman','asshole','fuckyou','dallas','jessica','panties','pepper','1111','austin','william','daniel','golfer','summer','heather','hammer','yankees','joshua','maggie','biteme','enter','ashley','thunder','cowboy','silver','richard','f****r','orange','merlin','michelle','corvette','bigdog','cheese','matthew','121212','patrick','martin','freedom','ginger','b*****b','nicole','sparky','yellow','camaro','secret','dick','falcon','taylor','111111','131313','123123','bitch','hello','scooter','please','porsche','guitar','chelsea','black','diamond','nascar','jackson','cameron','654321','computer','amanda','wizard','xxxxxxxx','money','phoenix','mickey','bailey','knight','iceman','tigers','purple','andrea','horny','dakota','aaaaaa','player','sunshine','morgan','starwars','boomer','cowboys','edward','charles','girls','booboo','coffee','xxxxxx','bulldog','ncc1701','rabbit','peanut','john','johnny','gandalf','spanky','winter','brandy','compaq','carlos','tennis','james','mike','brandon','fender','anthony','blowme','ferrari','cookie','chicken','maverick','chicago','joseph','diablo','sexsex','hardcore','666666','willie','welcome','chris','panther','yamaha','justin','banana','driver','marine','angels','fishing','david','maddog','hooters','wilson','butthead','dennis','f*****g','captain','bigdick','chester','smokey','xavier','steven','viking','snoopy','blue','eagles','winner','samantha','house','miller','flower','jack','firebird','butter','united','turtle','steelers','tiffany','zxcvbn','tomcat','golf','bond007','bear','tiger','doctor','gateway','gators','angel','junior','thx1138','porno','badboy','debbie','spider','melissa','booger','1212','flyers','fish','p**n','matrix','teens','scooby','jason','walter','cumshot','boston','braves','yankee','lover','barney','victor','tucker','princess','mercedes','5150','doggie','zzzzzz','gunner','horney','bubba','2112','fred','johnson','xxxxx','t**s','member','boobs','donald','bigdaddy','bronco','penis','voyager','rangers','birdie','trouble','white','topgun','bigtits','bitches','green','super','qazwsx','magic','lakers','rachel','slayer','scott','2222','asdf','video','london','7777','marlboro','srinivas','internet','action','carter','jasper','monster','teresa','jeremy','11111111','bill','crystal','peter','pussies','c**k','beer','rocket','theman','oliver','prince','beach','amateur','7777777','muffin','redsox','star','testing','shannon','murphy','frank','hannah','dave','eagle1','11111','mother','nathan','raiders','steve','forever','angela','viper','ou812','jake','lovers','suckit','gregory','buddy','whatever','young','nicholas','lucky','helpme','jackie','monica','midnight','college','baby','c**t','brian','mark','startrek','sierra','leather','232323','4444','beavis','bigcock','happy','sophie','ladies','naughty','giants','booty','blonde','f****d','golden','0','fire','sandra','pookie','packers','einstein','dolphins','0','chevy','winston','warrior','sammy','s**t','8675309','zxcvbnm','nipples','power','victoria','asdfgh','v****a','toyota','travis','hotdog','paris','rock','xxxx','extreme','redskins','erotic','dirty','ford','freddy','arsenal','access14','wolf','nipple','iloveyou','alex','florida','eric','legend','movie','success','rosebud','jaguar','great','cool','cooper','1313','scorpio','mountain','madison','987654','brazil','lauren','japan','naked','squirt','stars','apple','alexis','aaaa','bonnie','peaches','jasmine','kevin','matt','qwertyui','danielle','beaver','4321','4128','runner','swimming','dolphin','gordon','casper','stupid','shit','saturn','gemini','apples','august','3333','canada','blazer','cumming','hunting','kitty','rainbow','112233','arthur','cream','calvin','shaved','surfer','samson','kelly','paul','mine','king','racing','5555','eagle','hentai','newyork','little','redwings','smith','sticky','cocacola','animal','broncos','private','skippy','marvin','blondes','enjoy','girl','apollo','parker','qwert','time','sydney','women','voodoo','magnum','juice','abgrtyu','777777','dreams','maxwell','music','rush2112','russia','scorpion','rebecca','tester','mistress','phantom','billy','6666','albert']
n = 0
for password in password_list:
try:
kerberos.checkPassword(user, password, dc_address, domain)
print("Password is " + password)
break
except kerberos.BasicAuthError as error:
# Get 'Preauthentication failed' phrase from exception message
if str(error).split("'")[1] == 'Preauthentication failed':
n += 1
if (n % 10) == 0:
print('Trial count is ' + str(n))
if n == len(password_list):
print('Not matched')
else:
print(error)
def authenticate(self, username=None, password=None):
try:
auth = kerberos.checkPassword(username, password, '',
settings.KRB5_REALM)
except kerberos.BasicAuthError, e:
return None
def login():
if request.method == 'GET':
return redirect(url_for('default'))
else:
try:
## Check password with kerberos
kerberos.checkPassword(request.form['username'],
request.form['password'],
app.config['KRB5_SERVICE'],
app.config['KRB5_DOMAIN'])
except kerberos.BasicAuthError as e:
flash('Incorrect username and/or password', 'alert-danger')
return redirect(url_for('default'))
except kerberos.KrbError as e:
flash('Kerberos Error: ' + e.__str__(), 'alert-danger')
return redirect(url_for('default'))
except kerberos.GSSError as e:
flash('GSS Error: ' + e.__str__(), 'alert-danger')
return redirect(url_for('default'))
except Exception as e:
mysqladm.errors.fatal(e)
## Set logged in
session['logged_in'] = True
session['username'] = request.form['username']
## is user in mysqladm management group
group = grp.getgrnam(app.config['ACCESS_GROUP'])
if request.form['username'] in group.gr_mem:
session['admin'] = True
else:
## Make sure the user is in the permissions table
## if they are not...then they should not be able to logon
## Load the dictionary based cursor
cur = g.db.cursor()
## Execute a SQL select
cur.execute("SELECT COUNT(*) FROM `permissions` WHERE `name` = %s",
(session['username']))
## Get results
num = cur.fetchone()
if not int(num[0]) > 0:
session.pop('logged_in', None)
session.pop('username', None)
flash('You do not have permission to use this system',
'alert-danger')
return redirect(url_for('default'))
## Set admin flag off
session['admin'] = False
## Check if the user selected "Log me out when I close the browser"
permanent = request.form.get('sec', default="")
## Set session as permanent or not
if permanent == 'sec':
session.permanent = True
else:
session.permanent = False
## Set defaults for hidden files
session['hidden_files'] = 'hide'
## Log a successful login
app.logger.info('User "' + session['username'] + '" logged in from "' +
request.remote_addr + '" using ' +
request.user_agent.string)
## determine if "next" variable is set (the URL to be sent to)
next = request.form.get('next', default=None)
if next == None:
return redirect(url_for('database_list'))
else:
return redirect(next)
def test_admin_login_succeeds_when_default_password_is_provided():
krb5_password = os.getenv('KRB5_PASS')
kerberos.checkPassword('admin/admin', krb5_password, '', 'EXAMPLE.COM')
def test_basic_check_password():
service = "HTTP/%s" % hostname
actual = kerberos.checkPassword(username, password, service, realm.upper())
assert actual, "Checking of the password failed"
def _login(user, pwd, remember):
"""Try to login user with kerberos"""
try:
kerberos.checkPassword(user, pwd, _SERVICE_NAME, _REALM)
except kerberos.BasicAuthError:
return False
def auth(username, password):
app.logger.debug("bargate.lib.user.auth " + username)
if len(username) == 0:
app.logger.debug("bargate.lib.user.auth empty username")
return False
if len(password) == 0:
app.logger.debug("bargate.lib.user.auth empty password")
return False
if app.config['AUTH_TYPE'] == 'kerberos' or app.config['AUTH_TYPE'] == 'krb5':
app.logger.debug("bargate.lib.user.auth auth type kerberos")
## Kerberos authentication.
## As of May 2015, DO NOT USE THIS. checkPassword does not verify the KDC is the right one.
## Of course, this can only be verified if the local machine is actually joined to the domain? and thus has a local host/ principal?
try:
kerberos.checkPassword(request.form['username'], request.form['password'], app.config['KRB5_SERVICE'], app.config['KRB5_DOMAIN'])
except kerberos.BasicAuthError as e:
return False
except kerberos.KrbError as e:
flash('Unexpected kerberos authentication error: ' + e.__str__(),'alert-danger')
return False
except kerberos.GSSError as e:
flash('Unexpected kerberos gss authentication error: ' + e.__str__(),'alert-danger')
return False
app.logger.debug("bargate.lib.user.auth auth kerberos success")
return True
elif app.config['AUTH_TYPE'] == 'smb':
app.logger.debug("bargate.lib.user.auth auth type smb")
## "SMB" auth. This is a bit odd. It just tries to connect to an SMB share and list the contents. If this succeeds, assume SUCCESS!
try:
g.smb_username = username
g.smb_password = password
ctx = smbc.Context(auth_fn=bargate.lib.user.get_smbc_auth_logon)
ctx.opendir(app.config['SMB_AUTH_URI']).getdents()
except smbc.PermissionError:
app.logger.debug("bargate.lib.user.auth smb permission denied")
return False
except Exception as ex:
app.logger.debug("bargate.lib.user.auth smb exception: " + str(ex))
flash('Unexpected SMB authentication error: ' + str(ex),'alert-danger')
return False
app.logger.debug("bargate.lib.user.auth auth smb success")
return True
elif app.config['AUTH_TYPE'] == 'ldap':
app.logger.debug("bargate.lib.user.auth auth type ldap")
## LDAP auth. This is preferred as of May 2015 due to issues with python-kerberos.
## connect to LDAP and turn off referals
l = ldap.initialize(app.config['LDAP_URI'])
l.set_option(ldap.OPT_REFERRALS, 0)
## and bind to the server with a username/password if needed in order to search for the full DN for the user who is logging in.
try:
if app.config['LDAP_ANON_BIND']:
l.simple_bind_s()
else:
l.simple_bind_s( (app.config['LDAP_BIND_USER']), (app.config['LDAP_BIND_PW']) )
except ldap.LDAPError as e:
flash('Internal Error - Could not connect to LDAP directory: ' + str(e),'alert-danger')
app.logger.error("Could not bind to LDAP: " + str(e))
abort(500)
app.logger.debug("bargate.lib.user.auth ldap searching for username in base " + app.config['LDAP_SEARCH_BASE'] + " looking for attribute " + app.config['LDAP_USER_ATTRIBUTE'])
## Now search for the user object to bind as
try:
results = l.search_s(app.config['LDAP_SEARCH_BASE'], ldap.SCOPE_SUBTREE,(app.config['LDAP_USER_ATTRIBUTE']) + "=" + username)
except ldap.LDAPError as e:
app.logger.debug("bargate.lib.user.auth no object found in ldap")
return False
app.logger.debug("bargate.lib.user.auth ldap found results from dn search")
## handle the search results
for result in results:
dn = result[0]
attrs = result[1]
if dn == None:
## No dn returned. Return false.
return False
else:
app.logger.debug("bargate.lib.user.auth ldap found dn " + str(dn))
## Found the DN. Yay! Now bind with that DN and the password the user supplied
try:
app.logger.debug("bargate.lib.user.auth ldap attempting ldap simple bind as " + str(dn))
lauth = ldap.initialize(app.config['LDAP_URI'])
lauth.set_option(ldap.OPT_REFERRALS, 0)
lauth.simple_bind_s( (dn), (password) )
except ldap.LDAPError as e:
## password was wrong
app.logger.debug("bargate.lib.user.auth ldap bind failed as " + str(dn))
return False
app.logger.debug("bargate.lib.user.auth ldap bind succeeded as " + str(dn))
## Should we use the ldap home dir attribute?
if app.config['LDAP_HOMEDIR']:
## Now look up the LDAP HOME ATTRIBUTE as well
if (app.config['LDAP_HOME_ATTRIBUTE']) in attrs:
if type(attrs[app.config['LDAP_HOME_ATTRIBUTE']]) is list:
homedir_attribute = attrs[app.config['LDAP_HOME_ATTRIBUTE']][0]
else:
homedir_attribute = str(attrs[app.config['LDAP_HOME_ATTRIBUTE'] ])
if homedir_attribute == None:
app.logger.error('ldap_get_homedir returned None for user ' + username)
flash("Profile Error: I could not find your home directory location","alert-danger")
abort(500)
else:
session['ldap_homedir'] = homedir_attribute
app.logger.debug('User "' + username + '" LDAP home attribute ' + session['ldap_homedir'])
if app.config['LDAP_HOMEDIR_IS_UNC']:
if session['ldap_homedir'].startswith('\\\\'):
session['ldap_homedir'] = session['ldap_homedir'].replace('\\\\','smb://',1)
session['ldap_homedir'] = session['ldap_homedir'].replace('\\','/')
## Overkill but log it again anyway just to make sure we really have the value we think we should
app.logger.debug('User "' + username + '" home SMB path ' + session['ldap_homedir'])
## Return that LDAP auth succeeded
app.logger.debug("bargate.lib.user.auth ldap success")
return True
## Catch all return false for LDAP auth
return False
def _login(user, pwd, remember):
'''Try to login user with kerberos'''
try:
kerberos.checkPassword(user, pwd, _SERVICE_NAME, _REALM)
except kerberos.BasicAuthError:
return False
def authUser(self,user,password): return kerberos.checkPassword(user,password,"",self.daemon)
def auth(username, server, password):
username = username.lower()
try:
kerberos.checkPassword(username, password, "login", "EXAMPLE.COM")
except kerberos.BasicAuthError, e:
return False
def authenticate(self, username=None, password=None, **kwargs):
UserModel = get_user_model()
if username is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
# print "trying to authenticate ", username, password
try:
kerberos.checkPassword(username, password,
"", settings.KRB5_REALM)
except kerberos.BasicAuthError:
# print "Kerberos auth failed"
return None
# print "kerberos succeeded"
# TODO: think how to better integrate this with the
# django permission system. depending on group
# membership, assign different permissions.
# this requires a better understanding of the
# way django permissions are expressed :-(
if False and settings.RUN_ON_WEBAPP:
webappgroup = dict(getent.group('mhb-app'))
if username not in webappgroup['members']:
return None
user, created = User.objects.get_or_create(
username=username
)
# print "user, created: ", user, type(user), created
if created:
# no local password for such users
user.set_unusable_password()
# allow everybody access to admin:
user.is_staff = True
# we do not make anybody superuser here;
# that should happen manually
try:
# have to set a reasonable default group
g = Group.objects.get(name="lehrender")
user.groups.add(g)
except:
# print "adding user to group did not work"
pass
# try to get the real-world user name :
try:
d = dict(getent.passwd(username))
gecos = d['gecos']
f, l = gecos.split(' ', 1)
user.first_name = f
user.last_name = l
except:
pass
user.save()
return user
import kerberos
# import random
while True:
try:
# unknown users (principles) cause more CPU!
"""
print kerberos.checkPassword("user", \
"badpassword@123", \
"krbtgt/client.example.com", \
"EXAMPLE.COM")
"""
# known users (principles) cause more CPU!
print kerberos.checkPassword("user1", \
"badpassword@123", \
"krbtgt/client.example.com", \
"EXAMPLE.COM")
except Exception, exc:
# print exc
pass
