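def check_ticket(self, ticket):
    """Validate a client's GSSAPI/Kerberos ticket for this service and return who sent it.

    Parameters:
        ticket: the token presented by the client (e.g. the value of a
            ``Negotiate`` header). It is never written to the error log.

    Returns:
        ``(response, username, realm)`` on success, where ``response`` is the
        server's GSSAPI reply token and ``username``/``realm`` are the two halves
        of the authenticated principal; ``('', '', '')`` on any failure. Failures
        are reported through ``ERROR`` and never raise.

    Security notes (differences from the previous version):
      * The target-name check (ticket issued for *our* service principal) is now
        done on the success path. Previously it only lived inside the
        ``GSSError`` handler, so a valid ticket for a different service was
        accepted without the comparison ever running.
      * A step result other than 1 ("complete") is rejected; 0 means the
        exchange needs more legs and the client is not authenticated yet.
      * The GSSAPI context is always released, and the raw ticket is no longer
        echoed into the error message.
    """
    context = None
    try:
        principal = kerberos.getServerPrincipalDetails(self._service_type, self._hostname)
        orig_service, _ = self._split_principal(principal)

        init_context_res, context = kerberos.authGSSServerInit('')
        if init_context_res != 1:
            ERROR("Error init kerberos context")
            return '', '', ''

        # authGSSServerStep raises GSSError on a bad ticket; anything other
        # than 1 (complete) is an unfinished exchange and must not be trusted.
        step_res = kerberos.authGSSServerStep(context, ticket)
        if step_res != 1:
            ERROR("Ticket is not correct")
            return '', '', ''

        # The ticket must name this service, not merely be a valid ticket
        # for some principal in the keytab.
        target_name = kerberos.authGSSServerTargetName(context)
        try:
            service, _ = self._split_principal(target_name)
        except ValueError:
            ERROR('Bad credentials: bad target name ' + str(target_name))
            return '', '', ''
        if service.lower() != orig_service.lower():
            ERROR('Bad credentials: wrong target name ' + target_name)
            return '', '', ''

        response = kerberos.authGSSServerResponse(context)
        principal = kerberos.authGSSServerUserName(context)
    except kerberos.GSSError:
        if context is None:
            ERROR("Error init kerberos context")
        else:
            # Deliberately does not include the ticket: it is credential material.
            ERROR("Ticket is not correct")
        return '', '', ''
    except kerberos.KrbError:
        ERROR("Internal kerberos error")
        return '', '', ''
    finally:
        # Release the security context on every path, including the error ones.
        if context is not None:
            kerberos.authGSSServerClean(context)

    # Principals look like "user@REALM"; split on the first '@' only so a
    # user part containing '@' cannot break the unpacking.
    username, sep, realm = (principal or '').partition('@')
    if not sep:
        ERROR("Bad credentials: principal has no realm " + str(principal))
        return '', '', ''
    return response, username, realm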
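def _doNegotiateAuth(self):
    """Complete one leg of HTTP Negotiate (SPNEGO/Kerberos) authentication.

    Reads the client token from ``self.authToken``, runs the GSSAPI server step,
    checks that the ticket was issued for this server's principal
    (``self._kerberosPrincipal``) and realm (``self._kerberosRealm``), and on
    success sets ``self.user`` and appends a ``WWW-Authenticate: Negotiate <token>``
    header to ``self.page.responseHeaders``.

    Raises:
        Exception: on any failure (bad token, unfinished exchange, target or
        realm mismatch, malformed principal). ``self.page.offerNegotiate`` is
        cleared before the exception propagates so the caller stops advertising
        Negotiate.
    """
    init_result, context = kerberos.authGSSServerInit("")
    try:
        if init_result != 1:
            raise Exception("Could not initialise GSSAPI server context")
        self._getKerberosDetails()
        # 1 = complete. The previous version ignored this value, so a result of
        # 0 ("continue needed", client not yet authenticated) fell through to
        # the success path.
        step_result = kerberos.authGSSServerStep(context, self.authToken)
        if step_result != 1:
            raise Exception("GSSAPI server step did not complete - result %s" % (step_result,))
        # The ticket must be for *this* service principal, not just any
        # principal the keytab can decrypt.
        targetName = kerberos.authGSSServerTargetName(context)
        if targetName.lower() != self._kerberosPrincipal.lower():
            raise Exception(
                "Target name did not match local principal - %s vs %s"
                % (targetName, self._kerberosPrincipal))
        response = kerberos.authGSSServerResponse(context)
        principal = kerberos.authGSSServerUserName(context)
        # "user@REALM": split on the first '@' only.
        (user, realm) = principal.split("@", 1)
        if realm.lower() != self._kerberosRealm.lower():
            raise Exception("Mismatched realms - %s vs %s" % (realm, self._kerberosRealm))
        self.user = user
        self.page.responseHeaders.append(
            ("WWW-Authenticate", "Negotiate %s" % response))
        print("Did negotiate auth for %s" % self.user)
    except Exception:
        print("Failed negotiate auth")
        self.page.offerNegotiate = False
        raise
    finally:
        kerberos.authGSSServerClean(context)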
def testGSSAPI(service): def statusText(r): if r == 1: return "Complete" elif r == 0: return "Continue" else: return "Error" rc, vc = kerberos.authGSSClientInit(service); print "Status for authGSSClientInit = %s" % statusText(rc); if rc != 1: return rs, vs = kerberos.authGSSServerInit(service); print "Status for authGSSServerInit = %s" % statusText(rs); if rs != 1: return rc = kerberos.authGSSClientStep(vc, ""); print "Status for authGSSClientStep = %s" % statusText(rc); if rc != 0: return rs = kerberos.authGSSServerStep(vs, kerberos.authGSSClientResponse(vc)); print "Status for authGSSServerStep = %s" % statusText(rs); if rs == -1: return rc = kerberos.authGSSClientStep(vc, kerberos.authGSSServerResponse(vs)); print "Status for authGSSClientStep = %s" % statusText(rc); if rc == -1: return print "Server user name: %s" % kerberos.authGSSServerUserName(vs); print "Server target name: %s" % kerberos.authGSSServerTargetName(vs); print "Client user name: %s" % kerberos.authGSSClientUserName(vc); rc = kerberos.authGSSClientClean(vc); print "Status for authGSSClientClean = %s" % statusText(rc); rs = kerberos.authGSSServerClean(vs); print "Status for authGSSServerClean = %s" % statusText(rs);
def testGSSAPI(service): def statusText(r): if r == 1: return "Complete" elif r == 0: return "Continue" else: return "Error" rc, vc = kerberos.authGSSClientInit(service) print("Status for authGSSClientInit = %s" % statusText(rc)) if rc != 1: return rs, vs = kerberos.authGSSServerInit(service) print("Status for authGSSServerInit = %s" % statusText(rs)) if rs != 1: return rc = kerberos.authGSSClientStep(vc, "") print("Status for authGSSClientStep = %s" % statusText(rc)) if rc != 0: return rs = kerberos.authGSSServerStep(vs, kerberos.authGSSClientResponse(vc)) print("Status for authGSSServerStep = %s" % statusText(rs)) if rs == -1: return rc = kerberos.authGSSClientStep(vc, kerberos.authGSSServerResponse(vs)) print("Status for authGSSClientStep = %s" % statusText(rc)) if rc == -1: return print("Server user name: %s" % kerberos.authGSSServerUserName(vs)) print("Server target name: %s" % kerberos.authGSSServerTargetName(vs)) print("Client user name: %s" % kerberos.authGSSClientUserName(vc)) rc = kerberos.authGSSClientClean(vc) print("Status for authGSSClientClean = %s" % statusText(rc)) rs = kerberos.authGSSServerClean(vs) print("Status for authGSSServerClean = %s" % statusText(rs))
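def _doNegotiateAuth(self):
    """Perform the server side of an HTTP Negotiate (Kerberos) authentication leg.

    Uses ``self.authToken`` as the client's token. On success ``self.user`` is set
    to the user part of the authenticated principal and a
    ``WWW-Authenticate: Negotiate <response>`` header is appended to
    ``self.page.responseHeaders``.

    Checks performed (all fail closed):
      * the GSSAPI context initialised and the server step reported *complete*
        (the previous version never looked at the step result, so a
        "continue needed" exchange was treated as success);
      * the ticket's target name equals ``self._kerberosPrincipal``;
      * the principal's realm equals ``self._kerberosRealm``.

    Raises:
        Exception: on any failure, after clearing ``self.page.offerNegotiate``.
    """
    result, ctx = kerberos.authGSSServerInit("")
    try:
        if result != 1:
            raise Exception("Could not initialise GSSAPI server context")
        self._getKerberosDetails()
        stepResult = kerberos.authGSSServerStep(ctx, self.authToken)
        if stepResult != 1:
            # 0 = continue needed: the client is not authenticated yet.
            raise Exception("GSSAPI server step did not complete - result %s" % (stepResult,))
        targetName = kerberos.authGSSServerTargetName(ctx)
        if targetName.lower() != self._kerberosPrincipal.lower():
            raise Exception("Target name did not match local principal - %s vs %s" % (targetName, self._kerberosPrincipal))
        response = kerberos.authGSSServerResponse(ctx)
        principal = kerberos.authGSSServerUserName(ctx)
        # Principal is "user@REALM"; only the first '@' separates the two.
        (user, realm) = principal.split("@", 1)
        if realm.lower() != self._kerberosRealm.lower():
            raise Exception("Mismatched realms - %s vs %s" % (realm, self._kerberosRealm))
        self.user = user
        self.page.responseHeaders.append(("WWW-Authenticate", "Negotiate %s" % response))
        print("Did negotiate auth for %s" % self.user)
    except Exception:
        print("Failed negotiate auth")
        self.page.offerNegotiate = False
        raise
    finally:
        kerberos.authGSSServerClean(ctx)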
def test_gssapi(): """ Return Code Values 0 = Continue 1 = Complete Other = Error """ service = "HTTP@%s" % hostname rc, vc = kerberos.authGSSClientInit(service) assert rc == 1, "authGSSClientInit = %d, expecting 1" % rc rs, vs = kerberos.authGSSServerInit(service) assert rs == 1, "authGSSServerInit = %d, expecting 1" % rs rc = kerberos.authGSSClientStep(vc, "") assert rc == 0, "authGSSClientStep = %d, expecting 0" % rc rs = kerberos.authGSSServerStep(vs, kerberos.authGSSClientResponse(vc)) assert rs != -1, "authGSSServerStep = %d, not expecting it to be -1" % rs rc = kerberos.authGSSClientStep(vc, kerberos.authGSSServerResponse(vs)) assert rc != -1, "authGSSClientStep = %d, not expecting it to be -1" % rc expected_username = "******" % (username, realm.upper()) server_user_name = kerberos.authGSSServerUserName(vs) assert server_user_name == expected_username, "Invalid server username returned" client_user_name = kerberos.authGSSClientUserName(vc) assert client_user_name == expected_username, "Invalid client username returned" server_target_name = kerberos.authGSSServerTargetName(vs) assert server_target_name is None, "Server target name is not None" rc = kerberos.authGSSClientClean(vc) assert rc == 1, "authGSSClientClean = %d, expecting it to be 0" % rc rs = kerberos.authGSSServerClean(vs) assert rs == 1, "authGSSServerClean = %d, expecting it to be 0" % rs
def targetName(self):
    """Return the target name pykerberos reports for this object's GSSAPI context.

    Thin wrapper around ``kerberos.authGSSServerTargetName`` applied to
    ``self.context``; the value is passed through unchanged, so whatever the
    library returns before a successful server step (possibly ``None``) is
    returned as-is.
    """
    ctx = self.context
    return kerberos.authGSSServerTargetName(ctx)
except kerberos.GSSError, ex: self.log.error("authGSSServerStep: %s(%s)" % ( ex[0][0], ex[1][0], )) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin('Bad credentials: %s(%s)' % ( ex[0][0], ex[1][0], )) except kerberos.KrbError, ex: self.log.error("authGSSServerStep: %s" % (ex[0], )) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin('Bad credentials: %s' % (ex[0], )) targetname = kerberos.authGSSServerTargetName(context) try: service, _ignore_realm = self._splitPrincipal(targetname) except ValueError: self.log.error( "authGSSServerTargetName invalid target name: '%s'" % (targetname, )) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin( 'Bad credentials: bad target name %s' % (targetname, )) if service.lower() != self.service.lower(): self.log.error( "authGSSServerTargetName mismatch got: '%s' wanted: '%s'" % (service, self.service)) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin(
self.log_error("authGSSServerInit: %s(%s)" % (ex[0][0], ex[1][0],)) raise error.LoginFailed('Authentication System Failure: %s(%s)' % (ex[0][0], ex[1][0],)) # Do the GSSAPI step and get response and username try: kerberos.authGSSServerStep(context, base64data); except kerberos.GSSError, ex: self.log_error("authGSSServerStep: %s(%s)" % (ex[0][0], ex[1][0],)) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin('Bad credentials: %s(%s)' % (ex[0][0], ex[1][0],)) except kerberos.KrbError, ex: self.log_error("authGSSServerStep: %s" % (ex[0],)) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin('Bad credentials: %s' % (ex[0],)) targetname = kerberos.authGSSServerTargetName(context) try: service, _ignore_realm = self._splitPrincipal(targetname) except ValueError: self.log_error("authGSSServerTargetName invalid target name: '%s'" % (targetname,)) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin('Bad credentials: bad target name %s' % (targetname,)) if service.lower() != self.service.lower(): self.log_error("authGSSServerTargetName mismatch got: '%s' wanted: '%s'" % (service, self.service)) kerberos.authGSSServerClean(context) raise error.UnauthorizedLogin('Bad credentials: wrong target name %s' % (targetname,)) response = kerberos.authGSSServerResponse(context) principal = kerberos.authGSSServerUserName(context) username = principal realmname = ""