我正在为一个大学的项目工作,这是我必须验证凭据的最后一步。我应该验证这些凭据是否有效,并且不必连接任何服务或获得任何权利。我是这种初学者,所以如果我提供的信息不足,请耐心等待。如果您询问,我会尽力用所需的信息更新此帖子。
我正在使用Ubuntu Server 18.04。使用Python 3.6。我已经在设备上成功安装了kerberos 5客户端软件,并在Realm上设置了现有的kdc和krb5服务器。我也通过点子成功安装了gssapi。 (我没有验证,但这表明成功Successfully installed gssapi-1.6.5
)
我能够执行kinit
。如何使用gssapi执行kinit
并评估其是否成功?我只需要一个True / False值,然后再输入kdestroy
。
我正在使用this教程,但是我真的不知道该放在哪里以及我真正需要什么。如果我做对了,我只需要为凭据构建一个SecurityContext,然后在我的终端中像kinit username
和kdestroy
一样销毁它,对吗?在教程中说:
>>> server_hostbased_name = gssapi.Name('HTTP@' + FQDN, name_type=gssapi.NameType.hostbased_service)
>>> server_hostbased_name
Name(b'HTTP@sross', <OID 1.2.840.113554.1.2.1.4>)
>>> server_name = gssapi.Name('HTTP/sross@')
>>> server_name
Name(b'HTTP/sross@', None)
[当我执行kinit username
时输入正确的密码,然后我得到klist
:
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
05/08/20 14:35:31 05/09/20 14:35:23 krbtgt/[email protected]
我是否正确,对于我的情况,本教程中的前两行不适合我的情况,我只能设置server_name = gssapi.Name('krbtgt/DOMAIN.COM@')
吗?这只是为了基本了解。
在本教程中,我找不到任何方法来验证带有相应username
的凭据password
,有人可以告诉我该怎么做,还是可以向我展示有关根据我的kerberos服务器验证这些凭据的教程?
提前感谢!
更新:我发现here是以下代码(我缩短了_acquire_creds
方法,因为它包含的功能超出了我的需要)。也许这可以帮助您向我解释一下?:
def __init__(self, username, password, server):
log.info("Setting up GSSAPI Security Context for Kerberos auth")
self.creds = self._acquire_creds(username, password)
server_spn = "cifs@%s" % server
log.debug("GSSAPI Server SPN Target: %s" % server_spn)
server_name = gssapi.Name(base=server_spn,
name_type=gssapi.NameType.hostbased_service)
self.context = gssapi.SecurityContext(name=server_name,
creds=self.creds,
usage='initiate')
def _acquire_creds(self, username, password):
# 3 use cases with Kerberos Auth
# 1. Both the user and pass is supplied so we want to create a new
# ticket with the pass
# 2. Only the user is supplied so we will attempt to get the cred
# from the existing store
# 3. The user is not supplied so we will attempt to get the default
# cred from the existing store
log.info("GSSAPI: Acquiring credentials handle")
if username and password:
log.debug("GSSAPI: Acquiring credentials handle for user %s with "
"password" % username)
user = gssapi.Name(base=username,
name_type=gssapi.NameType.user)
bpass = password.encode('utf-8')
try:
creds = gssapi.raw.acquire_cred_with_password(user, bpass,
usage='initiate')
except AttributeError:
raise SMBAuthenticationError("Cannot get GSSAPI credential "
"with password as the necessary "
"GSSAPI extensions are not "
"available")
except gssapi.exceptions.GSSError as er:
raise SMBAuthenticationError("Failed to acquire GSSAPI "
"credential with password: %s"
% str(er))
# acquire_cred_with_password returns a wrapper, we want the creds
# object inside this wrapper
creds = creds.creds
log.info("GSSAPI: Acquired credentials for user %s" % str(user))
return creds
似乎以所有详细信息提出问题就足以得到答案。此代码对我有用,并让我验证给定的username
和password
。我不确定的是是否必须执行某种kdestroy
来最终“关闭”上下文。一旦弄清楚,我将尝试更新此答案。
import gssapi, socket
FQDN = socket.getfqdn()
server_name = gssapi.Name('krbtgt/DOMAIN.COM@')
username = "USERNAME"
password = "PASSWORD"
user = gssapi.Name(base=username, name_type=gssapi.NameType.user)
bpass = password.encode('utf-8')
result = False
try:
creds = gssapi.raw.acquire_cred_with_password(user, bpass, usage='initiate')
creds = creds.creds
context = gssapi.SecurityContext(name=server_name, creds=creds, usage='initiate')
result = True
except AttributeError:
print("AttributeError")
except gssapi.exceptions.GSSError as er:
print(er)
# acquire_cred_with_password returns a wrapper, we want the creds
# object inside this wrapper
print(result)