def check_auth_publickey(self, username, key): """Public key auth against usermap""" offered = None if hit_rate_limit(configuration, "sftp-key", self.client_addr[0], username, max_fails=10): logger.warning("Rate limiting login from %s" % self.client_addr[0]) elif self.allow_publickey and self.users.has_key(username): # list of User login objects for username entries = self.users[username] offered = key.get_base64() for entry in entries: if entry.public_key is not None: # TODO: Add ssh tunneling on resource frontends # before enforcing ip check # and \ # (entry.ip_addr is None or # entry.ip_addr == self.client_addr[0]): allowed = entry.public_key.get_base64() self.logger.debug("Public key check for %s" % username) if allowed == offered: self.logger.info("Public key match for %s" % username) self.authenticated_user = username update_rate_limit(configuration, "sftp-key", self.client_addr[0], username, True) return paramiko.AUTH_SUCCESSFUL err_msg = 'Public key authentication failed for %s:\n%s' % \ (username, offered) self.logger.error(err_msg) print err_msg update_rate_limit(configuration, "sftp-key", self.client_addr[0], username, False) return paramiko.AUTH_FAILED
def doLogin(self): """Login handler""" if 'submit' in self.query: if 'user' in self.query: self.user = self.query['user'] else: self.clearUser() if 'password' in self.query: self.password = self.query['password'] else: self.password = None if not hit_rate_limit(configuration, "openid", self.client_address[0], self.user) and \ self.checkLogin(self.user, self.password): if not self.query['success_to']: self.query['success_to'] = '%s/id/' % self.server.base_url print "doLogin succeded: redirect to %s" % self.query['success_to'] self.redirect(self.query['success_to']) update_rate_limit(configuration, "openid", self.client_address[0], self.user, True) else: # TODO: Login failed - is this correct behaviour? print "doLogin failed for %s!" % self.user # print "doLogin full query: %s" % self.query self.clearUser() self.redirect(self.query['success_to']) update_rate_limit(configuration, "openid", self.client_address[0], self.user, False) elif 'cancel' in self.query: self.redirect(self.query['fail_to']) else: assert 0, 'strange login %r' % (self.query,)
def _check_auth_publickey(self, username, key): """Verify supplied username and public key against user DB""" offered = None if hit_rate_limit(configuration, "davs", self.client_address[0], username): logger.warning("Rate limiting login from %s" % \ self.client_address[0]) elif self.users.has_key(username): # list of User login objects for username entries = self.users[username] offered = key.get_base64() for entry in entries: if entry.public_key is not None: allowed = entry.public_key.get_base64() logger.debug("Public key check for %s" % username) if allowed == offered: logger.info("Public key match for %s" % username) self.authenticated_user = username update_rate_limit(configuration, "davs", self.client_address[0], username, True) return True update_rate_limit(configuration, "davs", self.client_address[0], username, False) return False
def getRealmUserPassword(self, realmname, username, environ): """Return the password for the given username for the realm. Used for digest authentication. """ #print "DEBUG: env in getRealmUserPassword: %s" % environ addr = _get_addr(environ) self._expire_rate_limit() #logger.info("refresh user %s" % username) update_users(configuration, self.userMap, username) #logger.info("in getRealmUserPassword from %s" % addr) if hit_rate_limit(configuration, "davs", addr, username): logger.warning("Rate limiting login from %s" % addr) password = None else: digest = super(MiGWsgiDAVDomainController, self).getRealmUserPassword(realmname, username, environ) #logger.info("found digest %s" % digest) try: _, _, _, payload = digest.split("$") #logger.info("found payload %s" % payload) unscrambled = unscramble_digest(configuration.site_digest_salt, payload) _, _, password = unscrambled.split(":") #logger.info("found password") except Exception, exc: logger.error("failed to extract digest password: %s" % exc) password = None
def validate_authentication(self, username, password, handler): """Password auth against usermap. Please note that we take serious steps to secure against password cracking, but that it _may_ still be possible to achieve with a big effort. Paranoid users / grid owners should not enable password access in the first place! """ logger.debug("Authenticating %s" % username) self.update_logins(username) offered = None if hit_rate_limit(configuration, "ftps", handler.remote_ip, username): logger.warning("Rate limiting login from %s" % handler.remote_ip) elif 'password' in configuration.user_ftps_auth and \ self.has_user(username): # list of User login objects for username entries = [self.user_table[username]] offered = password for entry in entries: if entry['pwd'] is not None: allowed = entry['pwd'] logger.debug("Password check for %s" % username) if check_password_hash(offered, allowed): logger.info("Authenticated %s" % username) self.authenticated_user = username update_rate_limit(configuration, "ftps", handler.remote_ip, username, True) return True err_msg = "Password authentication failed for %s" % username logger.error(err_msg) print err_msg self.authenticated_user = None update_rate_limit(configuration, "ftps", handler.remote_ip, username, False) # Must raise AuthenticationFailed exception since version 1.0.0 instead # of returning bool raise AuthenticationFailed(err_msg)
def check_auth_password(self, username, password): """Password auth against usermap. Please note that we take serious steps to secure against password cracking, but that it _may_ still be possible to achieve with a big effort. Paranoid users / grid owners should not enable password access in the first place! """ offered = None if hit_rate_limit(configuration, "sftp-pw", self.client_addr[0], username): logger.warning("Rate limiting login from %s" % self.client_addr[0]) elif self.allow_password and self.users.has_key(username): # list of User login objects for username entries = self.users[username] offered = password for entry in entries: if entry.password is not None: # TODO: Add ssh tunneling on resource frontends # before enforcing ip check # and \ #(entry.ip_addr is None or # entry.ip_addr == self.client_addr[0]): allowed = entry.password self.logger.debug("Password check for %s" % username) if check_password_hash(offered, allowed): self.logger.info("Authenticated %s" % username) self.authenticated_user = username update_rate_limit(configuration, "sftp-pw", self.client_addr[0], username, True) return paramiko.AUTH_SUCCESSFUL err_msg = "Password authentication failed for %s" % username self.logger.error(err_msg) print err_msg update_rate_limit(configuration, "sftp-pw", self.client_addr[0], username, False) return paramiko.AUTH_FAILED
def authDomainUser(self, realmname, username, password, environ): """Returns True if this username/password pair is valid for the realm, False otherwise. Used for basic authentication. We explicitly compare against saved hash rather than password value. """ #print "DEBUG: env in authDomainUser: %s" % environ addr = _get_addr(environ) self._expire_rate_limit() #logger.info("refresh user %s" % username) update_users(configuration, self.userMap, username) #logger.info("in authDomainUser from %s" % addr) success = False if hit_rate_limit(configuration, "davs", addr, username): logger.warning("Rate limiting login from %s" % addr) elif self._check_auth_password(addr, realmname, username, password): logger.info("Accepted login for %s from %s" % (username, addr)) success = True else: logger.warning("Invalid login for %s from %s" % (username, addr)) update_rate_limit(configuration, "davs", addr, username, success) logger.info("valid digest user %s" % username) return success
def _check_auth_password(self, username, password): """Verify supplied username and password against user DB""" offered = None if hit_rate_limit(configuration, "davs", self.client_address[0], username): logger.warning("Rate limiting login from %s" % \ self.client_address[0]) elif self.users.has_key(username): # list of User login objects for username entries = self.users[username] offered = password for entry in entries: if entry.password is not None: allowed = entry.password logger.debug("Password check for %s" % username) if check_password_hash(offered, allowed): self.authenticated_user = username update_rate_limit(configuration, "davs", self.client_address[0], username, True) return True update_rate_limit(configuration, "davs", self.client_address[0], username, False) return False
def handleAllow(self, query): """Handle requests to allow authentication: Must verify user is already logged in or validate username/password pair against user DB. """ request = self.server.lastCheckIDRequest.get(self.user) print "handleAllow with last request %s from user %s" % \ (request, self.user) # print "DEBUG: full query %s" % query # Old IE 8 does not send contents of submit buttons thus only the # fields login_as and password are set with the allow requests. We # manually add a yes here if so to avoid the else case. if not 'yes' in query and not 'no' in query: query['yes'] = 'yes' if 'yes' in query: if 'login_as' in query: self.user = self.query['login_as'] #print "handleAllow set user %s" % self.user elif 'identifier' in query: self.user = self.query['identifier'] if request.idSelect(): # Do any ID expansion to a specified format if configuration.daemon_conf['expandusername']: user_id = lookup_full_identity(query.get('identifier', '')) else: user_id = query.get('identifier', '') identity = self.server.base_url + 'id/' + user_id else: identity = request.identity print "handleAllow with identity %s" % identity if 'password' in self.query: print "setting password" self.password = self.query['password'] else: print "no password in query" self.password = None if not hit_rate_limit(configuration, "openid", self.client_address[0], self.user) and \ self.checkLogin(self.user, self.password): print "handleAllow validated login %s" % identity trust_root = request.trust_root if self.query.get('remember', 'no') == 'yes': self.server.approved[(identity, trust_root)] = 'always' print "handleAllow approving login %s" % identity response = self.approved(request, identity) update_rate_limit(configuration, "openid", self.client_address[0], self.user, True) else: print "handleAllow rejected login %s" % identity self.clearUser() response = self.rejected(request, identity) update_rate_limit(configuration, "openid", self.client_address[0], self.user, False) elif 'no' in query: response = request.answer(False) else: assert False, 'strange allow post. %r' % (query,) self.displayResponse(response)