new pseudo password hasher verifying passwords using Kerberos
parent
76998bd570
commit
823cdcb9ad
20
README
20
README
|
@ -44,6 +44,14 @@ Whether to create user if no existing model can be found, default is `False`.
|
|||
A regular expression that the principal must match to get superuser privileges,
|
||||
default is `None`. A classic example could be `r'^.*/admin$'`.
|
||||
|
||||
`KERBEROS_HASHER_SERVICE_PRINCIPAL`
|
||||
-----------------------------------
|
||||
|
||||
The service principal to user when checking a password against the
|
||||
KDC, you don't need the secret key for this principal, it should
|
||||
just exist inside the Kerberos database as the check is done by
|
||||
trying to get ticket for this service.
|
||||
|
||||
Custom backend
|
||||
==============
|
||||
|
||||
|
@ -81,3 +89,15 @@ Now you should be able to login on http://test.example.com:8000/
|
|||
The sample project is configured so that all principal ending with `/admin` get
|
||||
the staff and superuser flags. You can change that by editing the key
|
||||
`KERBEROS_BACKEND_ADMIN_REGEXP` in `sample/sample/settings.py`.
|
||||
|
||||
Pseudo hasher
|
||||
=============
|
||||
|
||||
A pseudo hasher whose import path is `django_kerberos.hashers.KerberosHasher`
|
||||
provide a mean to associate a Django user model to a Kerberos identity.
|
||||
|
||||
The content of the password field must be `kerberos$<principal name>`.
|
||||
|
||||
To create an user for a principal you can do::
|
||||
|
||||
User.objects.create(username=new_username, password='kerberos$' + principal)
|
||||
|
|
|
@ -3,10 +3,11 @@ import sys
|
|||
class AppSettings(object):
|
||||
__PREFIX = 'KERBEROS_'
|
||||
__DEFAULTS = {
|
||||
'HOSTNAME': None,
|
||||
'KEYTAB': None,
|
||||
'BACKEND_CREATE': False,
|
||||
'BACKEND_ADMIN_REGEXP': None,
|
||||
'SERVICE_PRINCIPAL': None,
|
||||
'HOSTNAME': None,
|
||||
'KEYTAB': None,
|
||||
}
|
||||
|
||||
def __getattr__(self, name):
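Review bot: The key added to `__DEFAULTS` is `'SERVICE_PRINCIPAL'`, which under `__PREFIX = 'KERBEROS_'` presumably resolves to `KERBEROS_SERVICE_PRINCIPAL`, while the README hunk in this commit documents the setting as `KERBEROS_HASHER_SERVICE_PRINCIPAL`. A deployment that follows the README would leave the real setting unset, and every password check through the hasher would raise `ImproperlyConfigured`. Either rename the key to `'HASHER_SERVICE_PRINCIPAL'` (and read `app_settings.HASHER_SERVICE_PRINCIPAL` in the hasher) or correct the README heading. The body of `__getattr__` is outside the hunk, so the lookup rule is inferred from the prefix constant and from the hasher's error message.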
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
import logging
|
||||
import kerberos
|
||||
|
||||
from django.core.exceptions import ImproperlyConfigured
|
||||
from django.contrib.auth.hashers import BasePasswordHasher
|
||||
from django.utils.encoding import force_bytes
|
||||
|
||||
from . import app_settings
|
||||
|
||||
class KerberosHasher(BasePasswordHasher):
|
||||
'''A pseudo hasher which just validate that the given password
|
||||
match a given Kerberos identity'''
|
||||
algorithm = 'kerberos'
|
||||
|
||||
def verify(self, password, encoded):
|
||||
algorithm, principal = encoded.split('$', 2)
|
||||
assert algorithm == self.algorithm
|
||||
principal = force_bytes(principal)
|
||||
password = force_bytes(principal)
|
||||
if not app_settings.SERVICE_PRINCIPAL:
|
||||
raise ImproperlyConfigured('Kerberos pseudo password hasher needs '
|
||||
'the setting KERBEROS_SERVICE_PRINCIPAL to be '
|
||||
'set')
|
||||
try:
|
||||
return kerberos.checkPassword(principal, password,
|
||||
app_settings.SERVICE_PRINCIPAL)
|
||||
except kerberos.KrbError, e:
|
||||
logging.getLogger(__name__).error('password validation'
|
||||
'for principal %r failed %s', principal, e)
|
||||
return False
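Review bot: In `verify`, `password = force_bytes(principal)` overwrites the submitted password with the principal name, so `kerberos.checkPassword` never receives what the user typed; the line should read `password = force_bytes(password)`. `encoded.split('$', 2)` can return three parts and break the two-name unpacking when the stored principal contains `$`, so `encoded.split('$', 1)` is the safer form, and the `assert algorithm == self.algorithm` is stripped under `python -O` and should be an explicit `if ...: return False`. Because the README says the service principal's secret key is not needed, the KDC reply is presumably not validated against a keytab, which leaves this check dependent on the KDC being genuine; that limitation deserves a comment on the class so nobody treats it as equivalent to the ticket-based backend. The PyKerberos documentation lists `checkPassword` with a fourth `default_realm` argument, so confirm the three-argument call works with the binding in use.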
|
||||
|
||||
|