Support krb5 authentication
This commit is contained in:
parent
7a72afc81d
commit
54555dcca4
4 changed files with 129 additions and 4 deletions
61
pkg/login-validator/cmd/auth_krb5.go
Normal file
61
pkg/login-validator/cmd/auth_krb5.go
Normal file
|
|
@ -0,0 +1,61 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"strings"
|
||||
|
||||
"github.com/jcmturner/gokrb5/v8/client"
|
||||
"github.com/jcmturner/gokrb5/v8/config"
|
||||
"github.com/jcmturner/gokrb5/v8/iana/etypeID"
|
||||
"github.com/jcmturner/gokrb5/v8/krberror"
|
||||
)
|
||||
|
||||
type Krb5Auth struct {
|
||||
Realm string
|
||||
}
|
||||
|
||||
func parseETypes(s []string, w bool) []int32 {
|
||||
var eti []int32
|
||||
for _, et := range s {
|
||||
if !w {
|
||||
var weak bool
|
||||
for _, wet := range strings.Fields(config.WeakETypeList) {
|
||||
if et == wet {
|
||||
weak = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if weak {
|
||||
continue
|
||||
}
|
||||
}
|
||||
i := etypeID.EtypeSupported(et)
|
||||
if i != 0 {
|
||||
eti = append(eti, i)
|
||||
}
|
||||
}
|
||||
return eti
|
||||
}
|
||||
|
||||
func (f *Krb5Auth) checkAuth(username, password string) (res bool, err error) {
|
||||
cnf := config.New()
|
||||
cnf.LibDefaults.DNSLookupKDC = true
|
||||
cnf.LibDefaults.DNSLookupRealm = true
|
||||
cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
||||
cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
||||
cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)
|
||||
|
||||
c := client.NewWithPassword(username, f.Realm, password, cnf)
|
||||
if err := c.Login(); err != nil {
|
||||
if errk, ok := err.(krberror.Krberror); ok {
|
||||
if errk.RootCause == krberror.NetworkingError {
|
||||
return false, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
|
||||
} else if errk.RootCause == krberror.KDCError {
|
||||
return false, errors.New(`{"status": "Invalid username or password"}`)
|
||||
}
|
||||
}
|
||||
return false, err
|
||||
} else {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
|
|
@ -24,10 +24,12 @@ func main() {
|
|||
flag.StringVar(&tftpDir, "tftpdir", "/var/tftp/", "Path to TFTPd directory")
|
||||
flag.StringVar(&loginSalt, "loginsalt", "adelina", "secret used in login HMAC")
|
||||
|
||||
var auth = flag.String("auth", "none", "Auth method: none, ldap, fwd")
|
||||
var auth = flag.String("auth", "none", "Auth method: none, fwd, ldap, krb5")
|
||||
|
||||
var fwdURI = flag.String("fwduri", "https://srs.epita.fr:443/", "URI to forward auth requests")
|
||||
|
||||
var krb5Realm = flag.String("krb5realm", "CRI.EPITA.FR", "Kerberos Realm")
|
||||
|
||||
var ldapAddr = flag.String("ldaphost", "auth.cri.epita.fr", "LDAP host")
|
||||
var ldapPort = flag.Int("ldapport", 636, "LDAP port")
|
||||
var ldaptls = flag.Bool("ldaptls", false, "Is LDAP connection LDAPS?")
|
||||
|
|
@ -56,6 +58,11 @@ func main() {
|
|||
BindUsername: *ldapbindusername,
|
||||
BindPassword: *ldapbindpassword,
|
||||
}
|
||||
} else if auth != nil && *auth == "krb5" && krb5Realm != nil {
|
||||
log.Printf("Auth method: KRB5(%s)", *krb5Realm)
|
||||
lc.authMethod = &Krb5Auth{
|
||||
Realm: *krb5Realm,
|
||||
}
|
||||
} else if auth != nil && *auth == "fwd" && fwdURI != nil {
|
||||
if uri, err := url.Parse(*fwdURI); err != nil {
|
||||
log.Fatal("Unable to parse FWD URL:", err)
|
||||
|
|
|
|||
Reference in a new issue