new pseudo password hasher verifying passwords using Kerberos

2014-08-09 19:20:02 +02:00 · 2014-08-09 19:20:02 +02:00 · 823cdcb9ad
parent 76998bd570
commit 823cdcb9ad
3 changed files with 55 additions and 2 deletions
--- a/20
+++ b/20
@ -44,6 +44,14 @@ Whether to create user if no existing model can be found, default is `False`.
 A regular expression that the principal must match to get superuser privileges,
 default is `None`. A classic example could be `r'^.*/admin$'`.

+`KERBEROS_HASHER_SERVICE_PRINCIPAL`
+-----------------------------------
+
+The service principal to user when checking a password against the
+KDC, you don't need the secret key for this principal, it should
+just exist inside the Kerberos database as the check is done by
+trying to get ticket for this service.
+
 Custom backend
 ==============

@ -81,3 +89,15 @@ Now you should be able to login on http://test.example.com:8000/
 The sample project is configured so that all principal ending with `/admin` get
 the staff and superuser flags. You can change that by editing the key
 `KERBEROS_BACKEND_ADMIN_REGEXP` in `sample/sample/settings.py`.
+
+Pseudo hasher
+=============
+
+A pseudo hasher whose import path is `django_kerberos.hashers.KerberosHasher`
+provide a mean to associate a Django user model to a Kerberos identity.
+
+The content of the password field must be `kerberos$<principal name>`.
+
+To create an user for a principal you can do::
+
+   User.objects.create(username=new_username, password='kerberos$' + principal)
--- a/src/django_kerberos/app_settings.py
+++ b/src/django_kerberos/app_settings.py
@ -3,10 +3,11 @@ import sys
 class AppSettings(object):
    __PREFIX = 'KERBEROS_'
    __DEFAULTS = {
-            'HOSTNAME': None,
-            'KEYTAB': None,
            'BACKEND_CREATE': False,
            'BACKEND_ADMIN_REGEXP': None,
+            'SERVICE_PRINCIPAL': None,
+            'HOSTNAME': None,
+            'KEYTAB': None,
    }

    def __getattr__(self, name):
--- a/src/django_kerberos/hashers.py
+++ b/src/django_kerberos/hashers.py
@ -0,0 +1,32 @@
+import logging
+import kerberos
+
+from django.core.exceptions import ImproperlyConfigured
+from django.contrib.auth.hashers import BasePasswordHasher
+from django.utils.encoding import force_bytes
+
+from . import app_settings
+
+class KerberosHasher(BasePasswordHasher):
+    '''A pseudo hasher which just validate that the given password
+       match a given Kerberos identity'''
+    algorithm = 'kerberos'
+
+    def verify(self, password, encoded):
+        algorithm, principal = encoded.split('$', 2)
+        assert algorithm == self.algorithm
+        principal = force_bytes(principal)
+        password = force_bytes(principal)
+        if not app_settings.SERVICE_PRINCIPAL:
+            raise ImproperlyConfigured('Kerberos pseudo password hasher needs '
+                    'the setting KERBEROS_SERVICE_PRINCIPAL to be '
+                    'set')
+        try:
+            return kerberos.checkPassword(principal, password,
+                    app_settings.SERVICE_PRINCIPAL)
+        except kerberos.KrbError, e:
+            logging.getLogger(__name__).error('password validation'
+                    'for principal %r failed %s', principal, e)
+            return False
+
+