diff --git a/pkg/login-validator/cmd/auth_krb5.go b/pkg/login-validator/cmd/auth_krb5.go new file mode 100644 index 0000000..4068d9e --- /dev/null +++ b/pkg/login-validator/cmd/auth_krb5.go @@ -0,0 +1,61 @@ +package main + +import ( + "errors" + "strings" + + "github.com/jcmturner/gokrb5/v8/client" + "github.com/jcmturner/gokrb5/v8/config" + "github.com/jcmturner/gokrb5/v8/iana/etypeID" + "github.com/jcmturner/gokrb5/v8/krberror" +) + +type Krb5Auth struct { + Realm string +} + +func parseETypes(s []string, w bool) []int32 { + var eti []int32 + for _, et := range s { + if !w { + var weak bool + for _, wet := range strings.Fields(config.WeakETypeList) { + if et == wet { + weak = true + break + } + } + if weak { + continue + } + } + i := etypeID.EtypeSupported(et) + if i != 0 { + eti = append(eti, i) + } + } + return eti +} + +func (f *Krb5Auth) checkAuth(username, password string) (res bool, err error) { + cnf := config.New() + cnf.LibDefaults.DNSLookupKDC = true + cnf.LibDefaults.DNSLookupRealm = true + cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto) + cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto) + cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto) + + c := client.NewWithPassword(username, f.Realm, password, cnf) + if err := c.Login(); err != nil { + if errk, ok := err.(krberror.Krberror); ok { + if errk.RootCause == krberror.NetworkingError { + return false, errors.New(`{"status": "Authentication system unavailable, please retry."}`) + } else if errk.RootCause == krberror.KDCError { + return false, errors.New(`{"status": "Invalid username or password"}`) + } + } + return false, err + } else { + return true, nil + } +} diff --git a/pkg/login-validator/cmd/main.go b/pkg/login-validator/cmd/main.go index d3cdfb1..d311c56 100644 --- a/pkg/login-validator/cmd/main.go +++ b/pkg/login-validator/cmd/main.go @@ -24,10 +24,12 @@ func main() { flag.StringVar(&tftpDir, "tftpdir", "/var/tftp/", "Path to TFTPd directory") flag.StringVar(&loginSalt, "loginsalt", "adelina", "secret used in login HMAC") - var auth = flag.String("auth", "none", "Auth method: none, ldap, fwd") + var auth = flag.String("auth", "none", "Auth method: none, fwd, ldap, krb5") var fwdURI = flag.String("fwduri", "https://srs.epita.fr:443/", "URI to forward auth requests") + var krb5Realm = flag.String("krb5realm", "CRI.EPITA.FR", "Kerberos Realm") + var ldapAddr = flag.String("ldaphost", "auth.cri.epita.fr", "LDAP host") var ldapPort = flag.Int("ldapport", 636, "LDAP port") var ldaptls = flag.Bool("ldaptls", false, "Is LDAP connection LDAPS?") @@ -56,6 +58,11 @@ func main() { BindUsername: *ldapbindusername, BindPassword: *ldapbindpassword, } + } else if auth != nil && *auth == "krb5" && krb5Realm != nil { + log.Printf("Auth method: KRB5(%s)", *krb5Realm) + lc.authMethod = &Krb5Auth{ + Realm: *krb5Realm, + } } else if auth != nil && *auth == "fwd" && fwdURI != nil { if uri, err := url.Parse(*fwdURI); err != nil { log.Fatal("Unable to parse FWD URL:", err) diff --git a/server.yml b/server.yml index cab8d53..94739d3 100644 --- a/server.yml +++ b/server.yml @@ -145,8 +145,9 @@ services: - /var/lib/adlin/pxelinux.cfg:/srv/tftp/pxelinux.cfg - name: login-validator - image: nemunaire/adlin-login-validator:87f1cf05e8037b934d293a48704bd3f8ee678d41 + image: nemunaire/adlin-login-validator:00a36b31bcf77a953d62e8c0027c659bc420f393 # command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"] +# command: ["/bin/login-validator", "-bind=:8081", "-auth=krb5", "-krb5realm=CRI.EPITA.FR"] command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"] # command: ["/bin/login-validator", "-bind=:8081", "-auth=none"] net: /run/netns/login diff --git a/token-validator/auth.go b/token-validator/auth.go index 2da0767..f90fec9 100644 --- a/token-validator/auth.go +++ b/token-validator/auth.go @@ -5,14 +5,19 @@ import ( "encoding/json" "errors" "net/http" + "strings" "time" + "github.com/jcmturner/gokrb5/v8/client" + "github.com/jcmturner/gokrb5/v8/config" + "github.com/jcmturner/gokrb5/v8/iana/etypeID" + "github.com/jcmturner/gokrb5/v8/krberror" "github.com/julienschmidt/httprouter" "git.nemunai.re/lectures/adlin/libadlin" ) -var AuthFunc = checkAuth +var AuthFunc = checkAuthKrb5 func init() { router.GET("/api/auth", apiAuthHandler(validateAuthToken)) @@ -87,7 +92,7 @@ func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil) } -func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) { +func checkAuthHttp(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) { var lf loginForm if err := json.Unmarshal(body, &lf); err != nil { return nil, err @@ -111,3 +116,54 @@ func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interfa } } } + +func parseETypes(s []string, w bool) []int32 { + var eti []int32 + for _, et := range s { + if !w { + var weak bool + for _, wet := range strings.Fields(config.WeakETypeList) { + if et == wet { + weak = true + break + } + } + if weak { + continue + } + } + i := etypeID.EtypeSupported(et) + if i != 0 { + eti = append(eti, i) + } + } + return eti +} + +func checkAuthKrb5(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) { + var lf loginForm + if err := json.Unmarshal(body, &lf); err != nil { + return nil, err + } + + cnf := config.New() + cnf.LibDefaults.DNSLookupKDC = true + cnf.LibDefaults.DNSLookupRealm = true + cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto) + cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto) + cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto) + + c := client.NewWithPassword(lf.Username, "CRI.EPITA.FR", lf.Password, cnf) + if err := c.Login(); err != nil { + if errk, ok := err.(krberror.Krberror); ok { + if errk.RootCause == krberror.NetworkingError { + return nil, errors.New(`{"status": "Authentication system unavailable, please retry."}`) + } else if errk.RootCause == krberror.KDCError { + return nil, errors.New(`{"status": "Invalid username or password"}`) + } + } + return nil, err + } else { + return dummyAuth(w, nil, body) + } +}