teach
/
adlin
Archived
0
0
Fork 0
Code Issues 1 Pull Requests 4 Releases Activity

Support krb5 authentication

This commit is contained in:
nemunaire 2021-02-04 18:37:22 +01:00
parent 7a72afc81d
commit 54555dcca4
4 changed files with 129 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
pkg/login-validator/cmd/auth_krb5.go Normal file
View File

@ -0,0 +1,61 @@
package main
import (
"errors"
"strings"
"github.com/jcmturner/gokrb5/v8/client"
"github.com/jcmturner/gokrb5/v8/config"
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
"github.com/jcmturner/gokrb5/v8/krberror"
)
type Krb5Auth struct {
Realm string
}
func parseETypes(s []string, w bool) []int32 {
var eti []int32
for _, et := range s {
if !w {
var weak bool
for _, wet := range strings.Fields(config.WeakETypeList) {
if et == wet {
weak = true
break
}
}
if weak {
continue
}
}
i := etypeID.EtypeSupported(et)
if i != 0 {
eti = append(eti, i)
}
}
return eti
}
func (f *Krb5Auth) checkAuth(username, password string) (res bool, err error) {
cnf := config.New()
cnf.LibDefaults.DNSLookupKDC = true
cnf.LibDefaults.DNSLookupRealm = true
cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)
c := client.NewWithPassword(username, f.Realm, password, cnf)
if err := c.Login(); err != nil {
if errk, ok := err.(krberror.Krberror); ok {
if errk.RootCause == krberror.NetworkingError {
return false, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
} else if errk.RootCause == krberror.KDCError {
return false, errors.New(`{"status": "Invalid username or password"}`)
}
}
return false, err
} else {
return true, nil
}
}

9
pkg/login-validator/cmd/main.go
View File

@ -24,10 +24,12 @@ func main() {
flag.StringVar(&tftpDir, "tftpdir", "/var/tftp/", "Path to TFTPd directory")
flag.StringVar(&loginSalt, "loginsalt", "adelina", "secret used in login HMAC")
var auth = flag.String("auth", "none", "Auth method: none, ldap, fwd")
var auth = flag.String("auth", "none", "Auth method: none, fwd, ldap, krb5")
var fwdURI = flag.String("fwduri", "https://srs.epita.fr:443/", "URI to forward auth requests")
var krb5Realm = flag.String("krb5realm", "CRI.EPITA.FR", "Kerberos Realm")
var ldapAddr = flag.String("ldaphost", "auth.cri.epita.fr", "LDAP host")
var ldapPort = flag.Int("ldapport", 636, "LDAP port")
var ldaptls = flag.Bool("ldaptls", false, "Is LDAP connection LDAPS?")
@ -56,6 +58,11 @@ func main() {
BindUsername: *ldapbindusername,
BindPassword: *ldapbindpassword,
}
} else if auth != nil && *auth == "krb5" && krb5Realm != nil {
log.Printf("Auth method: KRB5(%s)", *krb5Realm)
lc.authMethod = &Krb5Auth{
Realm: *krb5Realm,
}
} else if auth != nil && *auth == "fwd" && fwdURI != nil {
if uri, err := url.Parse(*fwdURI); err != nil {
log.Fatal("Unable to parse FWD URL:", err)

3
server.yml
View File

@ -145,8 +145,9 @@ services:
- /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg
- name: login-validator
image: nemunaire/adlin-login-validator:87f1cf05e8037b934d293a48704bd3f8ee678d41
image: nemunaire/adlin-login-validator:00a36b31bcf77a953d62e8c0027c659bc420f393
# command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
# command: ["/bin/login-validator", "-bind=:8081", "-auth=krb5", "-krb5realm=CRI.EPITA.FR"]
command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"]
# command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
net: /run/netns/login

60
token-validator/auth.go
View File

@ -5,14 +5,19 @@ import (
"encoding/json"
"errors"
"net/http"
"strings"
"time"
"github.com/jcmturner/gokrb5/v8/client"
"github.com/jcmturner/gokrb5/v8/config"
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
"github.com/jcmturner/gokrb5/v8/krberror"
"github.com/julienschmidt/httprouter"
"git.nemunai.re/lectures/adlin/libadlin"
)
var AuthFunc = checkAuth
var AuthFunc = checkAuthKrb5
func init() {
router.GET("/api/auth", apiAuthHandler(validateAuthToken))
@ -87,7 +92,7 @@ func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa
return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
}
func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
func checkAuthHttp(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
var lf loginForm
if err := json.Unmarshal(body, &lf); err != nil {
return nil, err
@ -111,3 +116,54 @@ func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa
}
}
}
func parseETypes(s []string, w bool) []int32 {
var eti []int32
for _, et := range s {
if !w {
var weak bool
for _, wet := range strings.Fields(config.WeakETypeList) {
if et == wet {
weak = true
break
}
}
if weak {
continue
}
}
i := etypeID.EtypeSupported(et)
if i != 0 {
eti = append(eti, i)
}
}
return eti
}
func checkAuthKrb5(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
var lf loginForm
if err := json.Unmarshal(body, &lf); err != nil {
return nil, err
}
cnf := config.New()
cnf.LibDefaults.DNSLookupKDC = true
cnf.LibDefaults.DNSLookupRealm = true
cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)
c := client.NewWithPassword(lf.Username, "CRI.EPITA.FR", lf.Password, cnf)
if err := c.Login(); err != nil {
if errk, ok := err.(krberror.Krberror); ok {
if errk.RootCause == krberror.NetworkingError {
return nil, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
} else if errk.RootCause == krberror.KDCError {
return nil, errors.New(`{"status": "Invalid username or password"}`)
}
}
return nil, err
} else {
return dummyAuth(w, nil, body)
}
}