def do_GET(self):
authz = self.headers.get('Authorization', '')
if authz.startswith('Negotiate '):
authz = authz[len('Negotiate '):]
print authz
data = authz.decode('base64')
sa = sspi.ServerAuth('Negotiate')
sa.reset()
err, sec_buffer = sa.authorize(data)
if err == 0:
username = sa.ctxt.QueryContextAttributes(
sspicon.SECPKG_ATTR_NAMES)
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(
'<HTML><body>Authenticated! Username: %s</body></HTML>' %
username)
return
else:
print "Error: ", err
self.send_response(401)
self.send_header('Content-type', 'text/html')
self.send_header('WWW-Authenticate', 'Negotiate')
self.end_headers()
self.wfile.write('<HTML><body>Must authenticate</body></HTML>')
def authenticateCredentials(self, credentials):
""" See IAuthenticationPlugin.
o We expect the credentials to be those returned by
ILoginPasswordExtractionPlugin.
"""
# We only authenticate when our challenge mechanism extracted
# the ticket
if credentials.get('plugin') != self.getId():
return None
request = self.REQUEST
response = request.RESPONSE
remote_host = request.getClientAddr()
# We are actually already authenticated... maybe we are in a subrequest
if request.get('AUTHENTICATED_USER', None) is not None:
username = request.AUTHENTICATED_USER.getName()
return username, username
ticket = credentials['ticket']
if WINDOWS:
sa = sspi.ServerAuth('Negotiate')
sa.reset()
data = ticket.decode('base64')
err, sec_buffer = sa.authorize(data)
if err == 0:
username = sa.ctxt.QueryContextAttributes(
sspicon.SECPKG_ATTR_NAMES)
else:
raise Forbidden
else:
service = self.service
if not service:
service = "HTTP/" + urlparse.urlsplit(
request.SERVER_URL).netloc
result, context = kerberos.authGSSServerInit(service)
if result != 1:
raise ValueError, "Kerberos authetication error"
gssstring = ''
try:
r = kerberos.authGSSServerStep(context, ticket)
if r == 1:
gssstring = kerberos.authGSSServerResponse(context)
else:
raise Forbidden
except GSSError, e:
LOG('SPNEGO plugin', ERROR,
"%s: GSSError %s" % (remote_host, e))
raise Forbidden
username = kerberos.authGSSServerUserName(context)
kerberos.authGSSServerClean(context)
def _doAuth(self, pkg_name):
sspiclient = sspi.ClientAuth(pkg_name, targetspn=win32api.GetUserName())
sspiserver = sspi.ServerAuth(pkg_name)
sec_buffer = None
err = 1
while err != 0:
err, sec_buffer = sspiclient.authorize(sec_buffer)
err, sec_buffer = sspiserver.authorize(sec_buffer)
return sspiclient, sspiserver
def __init__(self, broker, pkgName):
PI.IServerAuthenticationPlugin.__init__(self, broker)
flags = sspicon.ASC_REQ_INTEGRITY | \
sspicon.ASC_REQ_SEQUENCE_DETECT | \
sspicon.ASC_REQ_REPLAY_DETECT | \
sspicon.ASC_REQ_CONFIDENTIALITY | \
sspicon.ASC_REQ_DELEGATE
self.mServer = sspi.ServerAuth(pkgName, scflags=flags)
self.mLogger = logging.getLogger('maestrod.auth.%s' % pkgName)
def _init_session():
global _sessions, _sessions_lock
logger.debug("Init session")
if 'uuid' not in session:
session['uuid'] = uuid = uuid4().bytes # init uuid on client
else:
uuid = session['uuid']
with _sessions_lock:
if uuid not in _sessions: # make sure
_sessions[uuid] = {
'sa': sspi.ServerAuth(_PKG_NAME),
'lock': threading.Lock(),
'last_access': datetime.datetime.now(),
}
cleanup_sessions()
def ssh_accept_sec_context(self, hostname, username, recv_token):
"""
Accept a SSPI context (server mode).
:param str hostname: The servers FQDN
:param str username: The name of the user who attempts to login
:param str recv_token: The SSPI Token received from the server,
if it's not the initial call.
:return: A ``String`` if the SSPI has returned a token or ``None`` if
no token was returned
"""
self._gss_host = hostname
self._username = username
targ_name = "host/" + self._gss_host
self._gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=targ_name)
error, token = self._gss_srv_ctxt.authorize(recv_token)
token = token[0].Buffer
if error == 0:
self._gss_srv_ctxt_status = True
token = None
return token
"""
pkg_name='Kerberos'
sspiclient=SSPIClient(pkg_name, win32api.GetUserName(), ## target spn is ourself
None, None, ## use none for client name and authentication information for current context
## u'username', (u'username',u'domain.com',u'passwd'),
sspicon.ISC_REQ_INTEGRITY|sspicon.ISC_REQ_SEQUENCE_DETECT|sspicon.ISC_REQ_REPLAY_DETECT| sspicon.ISC_REQ_DELEGATE|sspicon.ISC_REQ_CONFIDENTIALITY|sspicon.ISC_REQ_USE_SESSION_KEY)
sspiserver=SSPIServer(pkg_name, None,
sspicon.ASC_REQ_INTEGRITY|sspicon.ASC_REQ_SEQUENCE_DETECT|sspicon.ASC_REQ_REPLAY_DETECT| sspicon.ASC_REQ_DELEGATE|sspicon.ASC_REQ_CONFIDENTIALITY|sspicon.ASC_REQ_STREAM|sspicon.ASC_REQ_USE_SESSION_KEY)
"""
pkg_name = 'NTLM'
# Setup the 2 contexts.
sspiclient = sspi.ClientAuth(pkg_name)
sspiserver = sspi.ServerAuth(pkg_name)
# Perform the authentication dance, each loop exchanging more information
# on the way to completing authentication.
sec_buffer = None
while 1:
err, sec_buffer = sspiclient.authorize(sec_buffer)
err, sec_buffer = sspiserver.authorize(sec_buffer)
if err == 0:
break
# The server can now impersonate the client. In this demo the 2 users will
# always be the same.
sspiserver.ctxt.ImpersonateSecurityContext()
print('Impersonated user: ',
win32api.GetUserNameEx(win32api.NameSamCompatible))
def _gssapi_sspi_test(self):
"""
Test the used methods of python-gssapi or sspi, sspicon from pywin32.
"""
try:
import gssapi
if (
hasattr(gssapi, "__title__")
and gssapi.__title__ == "python-gssapi"
):
_API = "PYTHON-GSSAPI-OLD"
else:
_API = "PYTHON-GSSAPI-NEW"
except ImportError:
import sspicon
import sspi
_API = "SSPI"
c_token = None
gss_ctxt_status = False
mic_msg = b"G'day Mate!"
if _API == "PYTHON-GSSAPI-OLD":
if self.server_mode:
gss_flags = (
gssapi.C_PROT_READY_FLAG,
gssapi.C_INTEG_FLAG,
gssapi.C_MUTUAL_FLAG,
gssapi.C_DELEG_FLAG,
)
else:
gss_flags = (
gssapi.C_PROT_READY_FLAG,
gssapi.C_INTEG_FLAG,
gssapi.C_DELEG_FLAG,
)
# Initialize a GSS-API context.
ctx = gssapi.Context()
ctx.flags = gss_flags
krb5_oid = gssapi.OID.mech_from_string(self.krb5_mech)
target_name = gssapi.Name(
"host@" + self.targ_name, gssapi.C_NT_HOSTBASED_SERVICE
)
gss_ctxt = gssapi.InitContext(
peer_name=target_name, mech_type=krb5_oid, req_flags=ctx.flags
)
if self.server_mode:
c_token = gss_ctxt.step(c_token)
gss_ctxt_status = gss_ctxt.established
self.assertEquals(False, gss_ctxt_status)
# Accept a GSS-API context.
gss_srv_ctxt = gssapi.AcceptContext()
s_token = gss_srv_ctxt.step(c_token)
gss_ctxt_status = gss_srv_ctxt.established
self.assertNotEquals(None, s_token)
self.assertEquals(True, gss_ctxt_status)
# Establish the client context
c_token = gss_ctxt.step(s_token)
self.assertEquals(None, c_token)
else:
while not gss_ctxt.established:
c_token = gss_ctxt.step(c_token)
self.assertNotEquals(None, c_token)
# Build MIC
mic_token = gss_ctxt.get_mic(mic_msg)
if self.server_mode:
# Check MIC
status = gss_srv_ctxt.verify_mic(mic_msg, mic_token)
self.assertEquals(0, status)
elif _API == "PYTHON-GSSAPI-NEW":
if self.server_mode:
gss_flags = (
gssapi.RequirementFlag.protection_ready,
gssapi.RequirementFlag.integrity,
gssapi.RequirementFlag.mutual_authentication,
gssapi.RequirementFlag.delegate_to_peer,
)
else:
gss_flags = (
gssapi.RequirementFlag.protection_ready,
gssapi.RequirementFlag.integrity,
gssapi.RequirementFlag.delegate_to_peer,
)
# Initialize a GSS-API context.
krb5_oid = gssapi.MechType.kerberos
target_name = gssapi.Name(
"host@" + self.targ_name,
name_type=gssapi.NameType.hostbased_service,
)
gss_ctxt = gssapi.SecurityContext(
name=target_name,
flags=gss_flags,
mech=krb5_oid,
usage="initiate",
)
if self.server_mode:
c_token = gss_ctxt.step(c_token)
gss_ctxt_status = gss_ctxt.complete
self.assertEquals(False, gss_ctxt_status)
# Accept a GSS-API context.
gss_srv_ctxt = gssapi.SecurityContext(usage="accept")
s_token = gss_srv_ctxt.step(c_token)
gss_ctxt_status = gss_srv_ctxt.complete
self.assertNotEquals(None, s_token)
self.assertEquals(True, gss_ctxt_status)
# Establish the client context
c_token = gss_ctxt.step(s_token)
self.assertEquals(None, c_token)
else:
while not gss_ctxt.complete:
c_token = gss_ctxt.step(c_token)
self.assertNotEquals(None, c_token)
# Build MIC
mic_token = gss_ctxt.get_signature(mic_msg)
if self.server_mode:
# Check MIC
status = gss_srv_ctxt.verify_signature(mic_msg, mic_token)
self.assertEquals(0, status)
else:
gss_flags = (
sspicon.ISC_REQ_INTEGRITY
| sspicon.ISC_REQ_MUTUAL_AUTH
| sspicon.ISC_REQ_DELEGATE
)
# Initialize a GSS-API context.
target_name = "host/" + socket.getfqdn(self.targ_name)
gss_ctxt = sspi.ClientAuth(
"Kerberos", scflags=gss_flags, targetspn=target_name
)
if self.server_mode:
error, token = gss_ctxt.authorize(c_token)
c_token = token[0].Buffer
self.assertEquals(0, error)
# Accept a GSS-API context.
gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=target_name)
error, token = gss_srv_ctxt.authorize(c_token)
s_token = token[0].Buffer
# Establish the context.
error, token = gss_ctxt.authorize(s_token)
c_token = token[0].Buffer
self.assertEquals(None, c_token)
self.assertEquals(0, error)
# Build MIC
mic_token = gss_ctxt.sign(mic_msg)
# Check MIC
gss_srv_ctxt.verify(mic_msg, mic_token)
else:
error, token = gss_ctxt.authorize(c_token)
c_token = token[0].Buffer
self.assertNotEquals(0, error)
def _init_session():
logger.debug("Init session")
session['uuid'] = uuid.uuid4().bytes
_sessions[session['uuid']] = {}
_sessions[session['uuid']]['sa'] = sspi.ServerAuth(
_PKG_NAME) # one per session
def test_2_gssapi_sspi(self):
"""
Test the used methods of python-gssapi or sspi, sspicon from pywin32.
"""
_API = "MIT"
try:
import gssapi
except ImportError:
import sspicon
import sspi
_API = "SSPI"
c_token = None
gss_ctxt_status = False
mic_msg = b"G'day Mate!"
if _API == "MIT":
if server_mode:
gss_flags = (gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG,
gssapi.C_MUTUAL_FLAG, gssapi.C_DELEG_FLAG)
else:
gss_flags = (gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG,
gssapi.C_DELEG_FLAG)
# Initialize a GSS-API context.
ctx = gssapi.Context()
ctx.flags = gss_flags
krb5_oid = gssapi.OID.mech_from_string(krb5_mech)
target_name = gssapi.Name("host@" + targ_name,
gssapi.C_NT_HOSTBASED_SERVICE)
gss_ctxt = gssapi.InitContext(peer_name=target_name,
mech_type=krb5_oid,
req_flags=ctx.flags)
if server_mode:
c_token = gss_ctxt.step(c_token)
gss_ctxt_status = gss_ctxt.established
self.assertEquals(False, gss_ctxt_status)
# Accept a GSS-API context.
gss_srv_ctxt = gssapi.AcceptContext()
s_token = gss_srv_ctxt.step(c_token)
gss_ctxt_status = gss_srv_ctxt.established
self.assertNotEquals(None, s_token)
self.assertEquals(True, gss_ctxt_status)
# Establish the client context
c_token = gss_ctxt.step(s_token)
self.assertEquals(None, c_token)
else:
while not gss_ctxt.established:
c_token = gss_ctxt.step(c_token)
self.assertNotEquals(None, c_token)
# Build MIC
mic_token = gss_ctxt.get_mic(mic_msg)
if server_mode:
# Check MIC
status = gss_srv_ctxt.verify_mic(mic_msg, mic_token)
self.assertEquals(0, status)
else:
gss_flags = (sspicon.ISC_REQ_INTEGRITY
| sspicon.ISC_REQ_MUTUAL_AUTH
| sspicon.ISC_REQ_DELEGATE)
# Initialize a GSS-API context.
target_name = "host/" + socket.getfqdn(targ_name)
gss_ctxt = sspi.ClientAuth("Kerberos",
scflags=gss_flags,
targetspn=target_name)
if server_mode:
error, token = gss_ctxt.authorize(c_token)
c_token = token[0].Buffer
self.assertEquals(0, error)
# Accept a GSS-API context.
gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=target_name)
error, token = gss_srv_ctxt.authorize(c_token)
s_token = token[0].Buffer
# Establish the context.
error, token = gss_ctxt.authorize(s_token)
c_token = token[0].Buffer
self.assertEquals(None, c_token)
self.assertEquals(0, error)
# Build MIC
mic_token = gss_ctxt.sign(mic_msg)
# Check MIC
gss_srv_ctxt.verify(mic_msg, mic_token)
else:
error, token = gss_ctxt.authorize(c_token)
c_token = token[0].Buffer
self.assertNotEquals(0, error)
def __init__(self, *args, **kw):
socketserver.TCPServer.__init__(self, *args, **kw)
self.sa = sspi.ServerAuth(options.package)
def _gssapi_sspi_test(self):
try:
import gssapi
_API = "MIT-NEW"
except ImportError:
import sspicon
import sspi
_API = "SSPI"
c_token = None
gss_ctxt_status = False
mic_msg = b"G'day Mate!"
if _API == "MIT-NEW":
if self.server_mode:
gss_flags = (gssapi.RequirementFlag.protection_ready,
gssapi.RequirementFlag.integrity,
gssapi.RequirementFlag.mutual_authentication,
gssapi.RequirementFlag.delegate_to_peer)
else:
gss_flags = (gssapi.RequirementFlag.protection_ready,
gssapi.RequirementFlag.integrity,
gssapi.RequirementFlag.delegate_to_peer)
# Initialize a GSS-API context.
krb5_oid = gssapi.MechType.kerberos
target_name = gssapi.Name(
"host@" + self.targ_name,
name_type=gssapi.NameType.hostbased_service)
gss_ctxt = gssapi.SecurityContext(name=target_name,
flags=gss_flags,
mech=krb5_oid,
usage='initiate')
if self.server_mode:
c_token = gss_ctxt.step(c_token)
gss_ctxt_status = gss_ctxt.complete
self.assertEqual(False, gss_ctxt_status)
# Accept a GSS-API context.
gss_srv_ctxt = gssapi.SecurityContext(usage='accept')
s_token = gss_srv_ctxt.step(c_token)
gss_ctxt_status = gss_srv_ctxt.complete
self.assertNotEqual(None, s_token)
self.assertEqual(True, gss_ctxt_status)
# Establish the client context
c_token = gss_ctxt.step(s_token)
self.assertEqual(None, c_token)
else:
while not gss_ctxt.complete:
c_token = gss_ctxt.step(c_token)
self.assertNotEqual(None, c_token)
# Build MIC
mic_token = gss_ctxt.get_signature(mic_msg)
if self.server_mode:
# Check MIC
status = gss_srv_ctxt.verify_signature(mic_msg, mic_token)
self.assertEqual(0, status)
else:
gss_flags = (sspicon.ISC_REQ_INTEGRITY
| sspicon.ISC_REQ_MUTUAL_AUTH
| sspicon.ISC_REQ_DELEGATE)
# Initialize a GSS-API context.
target_name = "host/" + socket.getfqdn(self.targ_name)
gss_ctxt = sspi.ClientAuth("Kerberos",
scflags=gss_flags,
targetspn=target_name)
if self.server_mode:
error, token = gss_ctxt.authorize(c_token)
c_token = token[0].Buffer
self.assertEqual(0, error)
# Accept a GSS-API context.
gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=target_name)
error, token = gss_srv_ctxt.authorize(c_token)
s_token = token[0].Buffer
# Establish the context.
error, token = gss_ctxt.authorize(s_token)
c_token = token[0].Buffer
self.assertEqual(None, c_token)
self.assertEqual(0, error)
# Build MIC
mic_token = gss_ctxt.sign(mic_msg)
# Check MIC
gss_srv_ctxt.verify(mic_msg, mic_token)
else:
error, token = gss_ctxt.authorize(c_token)
c_token = token[0].Buffer
self.assertNotEqual(0, error)
