Ask interactively for user name and password if Kerberos credentials missing #7287

Draft
wants to merge 8 commits into master

Commits on Apr 16, 2024

  1. makeapi.in: update to follow Python 3.11+ changes and reformat

    ./makeapi:443: SyntaxWarning: invalid escape sequence '\('
      m = re.match('^[a-zA-Z0-9]+\(\'([a-z][_a-z0-9?\*\+]*)\'.*', line)
    
    Changing just one line will cause surrounding lines to be affected by
    the Pylint checks. Changing those lines will expose more code to the
    checks. In the end, I had to reformat the whole script.
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (a6f106c)
  2. ipapython/session_storage.py: pylint suggestions

    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (f31bd37)
  3. cli: add acquire_cred callback support to the Kerberos transport

    This allows applications to specify their own acquire_cred callback.
    The callback should be put into the environment under 'acquire_cred'
    name.
    
    The callback would need to adhere to the following signature:
    
    def acquire_cred_cb(
        *,
        api: plugable.API,
        transport: MultiProtocolTransport,
        context: threading.local,
        principal: typing.Optional[str] = None,
        ccache: typing.Optional[str] = None,
        service: typing.Optional[str] = None,
        interactive: bool,
        exc: Exception,
        **kwargs
    ) -> None:
        """Acquire credential callback
    
        :param api: ipalib API object
        :param transport: RPC transport instance
        :param context: threading local context with additional data
        :param principal: Kerberos principal name (str, None)
        :param ccache: credential cache with ccache type (str, None)
        :param service: GSSAPI service name (e.g. 'HTTP@host.name' or None)
        :param interactive: true if API is used interactively over TTY
        :param exc: exception to raise in case callback couldn't acquire creds
        """
        pass
    
    and ideally should acquire a Kerberos credential into the ccache. Both
    principal and the ccache name might be None, signifying that a default
    name and a default credentials cache would need to be used.
    
    Example usage:
    -----------------------------------------------
    import os
    from ipalib import api
    from ipalib.install.kinit import kinit_password
    
    username = 'admin'
    password = '<some-value>'
    
    def acquire_cred(*, api, principal, ccache, exc, **kw):
        ccache = ccache if ccache else os.environ.get('KRB5CCNAME', 'KCM:')
        principal = principal if principal else username
        try:
            kinit_password(principal, password, ccache,
                           canonicalize=True, enterprise=True)
        except Exception:
            raise exc()
    
    api.bootstrap(acquire_cred=acquire_cred)
    api.finalize()
    api.Backend.rpcclient.connect()
    print(api.Command.ping())
    ----------------------------------------------
    
    Fixes: https://pagure.io/freeipa/issue/9561
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (69c543a)
  4. cli: Ask for user name and password if Kerberos credentials missing

    Ask interactively for credentials in case they are missing in the
    default credentials cache in the environment:
    
        $ kdestroy -A
        $ ipa ping
        Username[testuser]: admin
        Password: <some-password>
        --------------------------------------------
        IPA server version 4.11.1. API version 2.253
        --------------------------------------------
    
    Only ask for the credentials if we are using a TTY device. This means a
    pipe-provided standard input would not trigger asking for credentials:
    
        $ kdestroy -A
        $ echo -n | ipa ping
        ipa: ERROR: did not receive Kerberos credentials
    
    Initial implementation only supports password-based credentials.
    
    Fixes: https://pagure.io/freeipa/issue/9561
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (3749b60)
  5. rpc: reuse GSSAPI service name through an exception handler

    When we encounter a GSSAPI exception, it means we are either in the process
    of negotiating authentication with a remote service or we just started
    acquiring a ticket. In either case, we should know the GSSAPI service name:
    either it was passed to us by get_auth_info() directly or we can infer it
    from the opened connection.
    
    Fixes: https://pagure.io/freeipa/issue/9561
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (243a945)
  6. ipapython/kerberos: move low level Kerberos code to ipapython.kerberos

    In order to add bindings to more MIT Kerberos functions, move existing
    ones to a separate file. Session code uses a few of the Kerberos functions
    to operate on the credential caches.
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (9a62980)
  7. ipapython/kerberos: add initial bindings to allow kinit implementation

    Initializing credentials with passwordless pre-authentication methods
    requires two major elements:
    
     - use of FAST channel for exposing passwordless methods
     - use of pre-authentication method prompts
    
    Communicating with kinit command line utility to provide prompts is
    awkward. Instead, expose MIT Kerberos API for prompting.
    
    This commit adds an initial kinit_with_cb() implementation that allows
    invoking an externally provided callback as a prompter. A default callback
    implementation will be provided later.
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (e52bada)
  8. ipalib/kinit: initial implementation of interactive prompter

    Add initial implementation of the interactive prompter to be used with
    ipapython.kerberos.kinit_with_cb(). The prompter can work with all
    preauthentication methods FreeIPA supports that require prompts:
    
     - password-based ones (timestamp and SPAKE)
     - OTP/RADIUS
     - passkey
     - external IdP
    
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    abbra committed Apr 16, 2024 (9815c9c)
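As an added example (not code from this pull request or from FreeIPA), one way to implement the acquire_cred contract described in commit 3 together with the TTY gating from commit 4. The `kinit` argument, `CredentialsMissing`, and the injected `stdin`/`environ`/prompt functions are assumptions standing in for ipalib.install.kinit.kinit_password and the real environment, so the callback logic runs without a KDC.

```python
import os
import sys
from getpass import getpass
from typing import Callable, Mapping, Optional


class CredentialsMissing(Exception):
    """Stand-in for the exception class ipalib passes to the callback as `exc`."""


def make_acquire_cred(kinit: Callable[[str, str, str], None],
                      stdin=sys.stdin,
                      environ: Mapping[str, str] = os.environ,
                      ask_user: Callable[[str], str] = input,
                      ask_password: Callable[[str], str] = getpass):
    """Return an acquire_cred callback with the keyword-only signature from
    commit 3. `kinit(principal, password, ccache)` is an injected stand-in for
    ipalib.install.kinit.kinit_password so the surrounding logic runs offline."""

    def acquire_cred(*, api=None, transport=None, context=None,
                     principal: Optional[str] = None,
                     ccache: Optional[str] = None,
                     service: Optional[str] = None,
                     interactive: bool, exc: type, **kwargs) -> None:
        # Commit 4 behaviour: prompt only on a TTY. A pipe-provided stdin
        # fails fast with the caller's exception instead of blocking on input.
        if not interactive or not stdin.isatty():
            raise exc()
        # None means "use the defaults": $KRB5CCNAME (KCM: if unset) and $USER.
        ccache = ccache or environ.get("KRB5CCNAME", "KCM:")
        default_user = environ.get("USER", "")
        principal = principal or ask_user(f"Username[{default_user}]: ") or default_user
        if not principal:
            raise exc()
        password = ask_password("Password: ")
        try:
            kinit(principal, password, ccache)
        except Exception:
            # Do not let the library error (which may carry the password or
            # KDC details) propagate or chain; raise only the transport's exc.
            raise exc() from None

    return acquire_cred
```

With FreeIPA the callback would be registered as in commit 3, via `api.bootstrap(acquire_cred=make_acquire_cred(kinit_password_adapter))`, where the adapter maps the three positional arguments onto kinit_password's signature.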