def _check_auth_password(self, address, realm, username, password):
"""Verify supplied username and password against user DB"""
user = self.userMap[realm].get(username, None)
if user is not None:
# list of User login objects for username
offered = password
allowed = user.get('password_hash', None)
if allowed is not None:
#logger.debug("Password check for %s" % username)
if check_password_hash(offered, allowed, self.hash_cache):
return True
return False
def validate_authentication(self, username, password, handler):
"""Password auth against usermap.
Please note that we take serious steps to secure against password
cracking, but that it _may_ still be possible to achieve with a big
effort.
Paranoid users / grid owners should not enable password access in the
first place!
"""
logger.debug("Authenticating %s" % username)
self.update_logins(username)
offered = None
if hit_rate_limit(configuration, "ftps", handler.remote_ip, username):
logger.warning("Rate limiting login from %s" % handler.remote_ip)
elif 'password' in configuration.user_ftps_auth and \
self.has_user(username):
# list of User login objects for username
entries = [self.user_table[username]]
offered = password
for entry in entries:
if entry['pwd'] is not None:
allowed = entry['pwd']
logger.debug("Password check for %s" % username)
if check_password_hash(offered, allowed):
logger.info("Authenticated %s" % username)
self.authenticated_user = username
update_rate_limit(configuration, "ftps",
handler.remote_ip, username, True)
return True
err_msg = "Password authentication failed for %s" % username
logger.error(err_msg)
print err_msg
self.authenticated_user = None
update_rate_limit(configuration, "ftps", handler.remote_ip, username,
False)
# Must raise AuthenticationFailed exception since version 1.0.0 instead
# of returning bool
raise AuthenticationFailed(err_msg)
def check_auth_password(self, username, password):
"""Password auth against usermap.
Please note that we take serious steps to secure against password
cracking, but that it _may_ still be possible to achieve with a big
effort.
Paranoid users / grid owners should not enable password access in the
first place!
"""
offered = None
if hit_rate_limit(configuration, "sftp-pw", self.client_addr[0],
username):
logger.warning("Rate limiting login from %s" % self.client_addr[0])
elif self.allow_password and self.users.has_key(username):
# list of User login objects for username
entries = self.users[username]
offered = password
for entry in entries:
if entry.password is not None:
# TODO: Add ssh tunneling on resource frontends
# before enforcing ip check
# and \
#(entry.ip_addr is None or
# entry.ip_addr == self.client_addr[0]):
allowed = entry.password
self.logger.debug("Password check for %s" % username)
if check_password_hash(offered, allowed):
self.logger.info("Authenticated %s" % username)
self.authenticated_user = username
update_rate_limit(configuration, "sftp-pw",
self.client_addr[0], username, True)
return paramiko.AUTH_SUCCESSFUL
err_msg = "Password authentication failed for %s" % username
self.logger.error(err_msg)
print err_msg
update_rate_limit(configuration, "sftp-pw", self.client_addr[0],
username, False)
return paramiko.AUTH_FAILED
def _check_auth_password(self, username, password):
"""Verify supplied username and password against user DB"""
offered = None
if hit_rate_limit(configuration, "davs", self.client_address[0],
username):
logger.warning("Rate limiting login from %s" % \
self.client_address[0])
elif self.users.has_key(username):
# list of User login objects for username
entries = self.users[username]
offered = password
for entry in entries:
if entry.password is not None:
allowed = entry.password
logger.debug("Password check for %s" % username)
if check_password_hash(offered, allowed):
self.authenticated_user = username
update_rate_limit(configuration, "davs",
self.client_address[0], username,
True)
return True
update_rate_limit(configuration, "davs", self.client_address[0],
username, False)
return False
def validate_authentication(self, username, password, handler):
"""Password auth against internal DB built from login_map.
Please note that we take serious steps to secure against password
cracking, but that it _may_ still be possible to achieve with a big
effort.
The following is checked before granting auth:
1) Valid username
2) Valid user (Does user exist and enabled ftps)
3) Valid 2FA session (if 2FA is enabled)
4) Hit rate limit (Too many auth attempts)
5) Valid password (if password enabled)
"""
secret = None
disconnect = False
strict_password_policy = True
password_offered = None
password_enabled = False
invalid_username = False
invalid_user = False
valid_password = False
valid_twofa = False
exceeded_rate_limit = False
client_ip = handler.remote_ip
client_port = handler.remote_port
username = force_utf8(username)
daemon_conf = configuration.daemon_conf
max_user_hits = daemon_conf['auth_limits']['max_user_hits']
user_abuse_hits = daemon_conf['auth_limits']['user_abuse_hits']
proto_abuse_hits = daemon_conf['auth_limits']['proto_abuse_hits']
max_secret_hits = daemon_conf['auth_limits']['max_secret_hits']
logger.debug("Run authentication of %s from %s" %
(username, client_ip))
logger.info("refresh user %s" % username)
logger.debug("daemon_conf['allow_password']: %s" %
daemon_conf['allow_password'])
# For e.g. GDP we require all logins to match active 2FA session IP,
# but otherwise user may freely switch net during 2FA lifetime.
if configuration.site_twofactor_strict_address:
enforce_address = client_ip
else:
enforce_address = None
# We don't have a handle_request for server so expire here instead
if self.last_expire + self.min_expire_delay < time.time():
self.last_expire = time.time()
expire_rate_limit(configuration,
"ftps",
expire_delay=self.min_expire_delay)
if hit_rate_limit(configuration,
'ftps',
client_ip,
username,
max_user_hits=max_user_hits):
exceeded_rate_limit = True
elif not default_username_validator(configuration, username):
invalid_username = True
elif daemon_conf['allow_password']:
hash_cache = daemon_conf['hash_cache']
password_offered = password
secret = make_scramble(password_offered, None)
# Only sharelinks should be excluded from strict password policy
if configuration.site_enable_sharelinks and \
possible_sharelink_id(configuration, username):
strict_password_policy = False
logger.debug("refresh user %s" % username)
self._update_logins(configuration, username)
if not self.has_user(username):
if not os.path.islink(
os.path.join(daemon_conf['root_dir'], username)):
invalid_user = True
entries = []
else:
# list of User login objects for username
entries = [self.user_table[username]]
for entry in entries:
if entry['pwd'] is not None:
password_enabled = True
password_allowed = entry['pwd']
logger.debug("Password check for %s" % username)
if check_password_hash(configuration, 'ftps', username,
password_offered, password_allowed,
hash_cache, strict_password_policy):
valid_password = True
break
if valid_password and check_twofactor_session(
configuration, username, enforce_address, 'ftps'):
valid_twofa = True
# Update rate limits and write to auth log
(authorized, disconnect) = validate_auth_attempt(
configuration,
'ftps',
'password',
username,
client_ip,
client_port,
secret=secret,
invalid_username=invalid_username,
invalid_user=invalid_user,
valid_twofa=valid_twofa,
authtype_enabled=password_enabled,
valid_auth=valid_password,
exceeded_rate_limit=exceeded_rate_limit,
user_abuse_hits=user_abuse_hits,
proto_abuse_hits=proto_abuse_hits,
max_secret_hits=max_secret_hits,
)
if disconnect:
handler._shutdown_connecting_dtp()
if authorized:
self.authenticated_user = username
return True
else:
# Must raise AuthenticationFailed exception since version 1.0.0 instead
# of returning bool
self.authenticated_user = None
raise AuthenticationFailed()
