Ask interactively for user name and password if Kerberos credentials missing #7287
base: master
Commits on Apr 16, 2024
makeapi.in: update to follow Python 3.11+ changes and reformat
./makeapi:443: SyntaxWarning: invalid escape sequence '\('
  m = re.match('^[a-zA-Z0-9]+\(\'([a-z][_a-z0-9?\*\+]*)\'.*', line)

Changing just one line will cause surrounding lines to be affected by the Pylint checks. Changing those lines will expose more code to the checks. In the end, I had to reformat the whole script.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit a6f106c
ipapython/session_storage.py: pylint suggestions
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit f31bd37
cli: add acquire_cred callback support to the Kerberos transport
This allows applications to specify their own acquire_cred callback. The callback should be put into the environment under the 'acquire_cred' name. The callback would need to adhere to the following signature:

    def acquire_cred_cb(
        *,
        api: plugable.API,
        transport: MultiProtocolTransport,
        context: threading.local,
        principal: typing.Optional[str] = None,
        ccache: typing.Optional[str] = None,
        service: typing.Optional[str] = None,
        interactive: bool,
        exc: Exception,
        **kwargs
    ) -> None:
        """Acquire credential callback

        :param api: ipalib API object
        :param transport: RPC transport instance
        :param context: threading local context with additional data
        :param principal: Kerberos principal name (str, None)
        :param ccache: credential cache with ccache type (str, None)
        :param service: GSSAPI service name (e.g. 'HTTP@host.name' or None)
        :param interactive: true if API is used interactively over TTY
        :param exc: exception to raise in case callback couldn't acquire creds
        """
        pass

and ideally should acquire a Kerberos credential into the ccache. Both principal and the ccache name might be None, signifying that a default name and a default credentials cache would need to be used.

Example usage:
-----------------------------------------------
import os
from ipalib import api
from ipalib.install.kinit import kinit_password

username = 'admin'
password = '<some-value>'

def acquire_cred(*, api, principal, ccache, exc, **kw):
    # None means "use the defaults": KRB5CCNAME (or KCM:) and the
    # configured user name
    ccache = ccache if ccache else os.environ.get('KRB5CCNAME', 'KCM:')
    principal = principal if principal else username
    try:
        kinit_password(principal, password, ccache,
                       canonicalize=True, enterprise=True)
    except Exception:
        # report any failure to obtain a ticket through the exception
        # type the transport handed to us
        raise exc()

api.bootstrap(acquire_cred=acquire_cred)
api.finalize()
api.Backend.rpcclient.connect()
print(api.Command.ping())
----------------------------------------------
Fixes: https://pagure.io/freeipa/issue/9561
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit 69c543a
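An added example, not part of this PR or of FreeIPA: a factory that builds an acquire_cred callback following the contract described in the commit above, combined with the TTY rule from the next commit (never prompt unless the transport reports an interactive session). The real kinit routine (ipalib.install.kinit.kinit_password), the prompt functions and the environment are injected so the logic runs offline; the kinit signature, the default_user name and the default for `exc` are assumptions of this example.

```python
import getpass
import os


def make_acquire_cred(kinit, ask_user=input, ask_password=getpass.getpass,
                      env=os.environ, default_user="admin"):
    """Build an acquire_cred callback.

    kinit(principal, password, ccache) is injected (hypothetical signature,
    standing in for ipalib.install.kinit.kinit_password) so the decision
    logic can be tested without a KDC.
    """

    def acquire_cred(*, api=None, transport=None, context=None,
                     principal=None, ccache=None, service=None,
                     interactive=False, exc=RuntimeError, **kwargs):
        # A pipe-fed stdin is not interactive: never prompt for a secret
        # there, just fail the way the CLI does ("did not receive
        # Kerberos credentials") by raising the transport's exception.
        if not interactive:
            raise exc()
        # None means "use the defaults": KRB5CCNAME (or KCM:) for the
        # cache and a user name the operator may override at the prompt.
        ccache = ccache or env.get("KRB5CCNAME", "KCM:")
        if principal is None:
            answer = ask_user(f"Username[{default_user}]: ").strip()
            principal = answer or default_user
        # getpass keeps the password off the terminal echo.
        password = ask_password("Password: ")
        try:
            kinit(principal, password, ccache)
        except Exception:
            # Any failure to obtain a ticket is reported through exc,
            # as the callback contract requires; the callback returns None.
            raise exc()

    return acquire_cred
```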
cli: Ask for user name and password if Kerberos credentials missing
Ask interactively for credentials in case they are missing in the default credentials cache in the environment:

    $ kdestroy -A
    $ ipa ping
    Username[testuser]: admin
    Password: <some-password>
    --------------------------------------------
    IPA server version 4.11.1. API version 2.253
    --------------------------------------------

Only ask for the credentials if we are using a TTY device. This means a pipe-provided standard input would not trigger asking for credentials:

    $ kdestroy -A
    $ echo -n | ipa ping
    ipa: ERROR: did not receive Kerberos credentials

Initial implementation only supports password-based credentials.

Fixes: https://pagure.io/freeipa/issue/9561
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit 3749b60
rpc: reuse GSSAPI service name through an exception handler
When we encounter a GSSAPI exception, it means we are either in the process of negotiating authentication with a remote service or we have just started acquiring a ticket. In either case, we should know the GSSAPI service name: either it was passed to us by get_auth_info() directly or we can infer it from the opened connection.

Fixes: https://pagure.io/freeipa/issue/9561
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit 243a945
ipapython/kerberos: move low level Kerberos code to ipapython.kerberos
In order to add bindings to more MIT Kerberos functions, move the existing ones to a separate file. Session code uses a few of the Kerberos functions to operate on the credential caches.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit 9a62980
ipapython/kerberos: add initial bindings to allow kinit implementation
Initializing credentials with passwordless pre-authentication methods requires two major elements:

- use of a FAST channel for exposing passwordless methods
- use of pre-authentication method prompts

Communicating with the kinit command line utility to provide prompts is awkward. Instead, expose the MIT Kerberos API for prompting.

This commit adds an initial kinit_with_cb() implementation that allows invoking an externally provided callback as a prompter. A default callback implementation will be provided later.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit e52bada
ipalib/kinit: initial implementation of interactive prompter
Add an initial implementation of the interactive prompter to be used with ipapython.kerberos.kinit_with_cb(). The prompter can work with all preauthentication methods FreeIPA supports that require prompts:

- password-based ones (timestamp and SPAKE)
- OTP/RADIUS
- passkey
- external IdP

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Commit 9815c9c