import kerberos
import logging
import os
+import socket
import time
import tornado.locale
import tornado.web
@property
def kerberos_service(self):
- return self.settings.get("kerberos_service", "HTTP")
+ return self.settings.get("krb5-service", "HTTP")
+
+ @property
+ def kerberos_principal(self):
+ return self.settings.get("krb5-principal", "pakfire/%s" % socket.getfqdn())
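Review bot: The default in `kerberos_principal` calls `socket.getfqdn()` on every access, so the service principal passed to `kerberos.checkPassword` depends on how the host resolves its own name at request time, and that lookup can block the Tornado I/O loop. The principal presumably has to match a key in the `krb5-keytab` file; if the binding verifies the KDC reply against it, a wrong name would show up as login failures that are hard to trace. Consider resolving the value once at startup and logging it, and add a comment such as `# Must match a principal in krb5-keytab; the default depends on local name resolution`. Separately, the rename from `kerberos_service` to `krb5-service` makes existing configurations fall back to `"HTTP"` without any warning.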
def authenticate_redirect(self):
"""
raise tornado.web.HTTPError(400, "Unexpected Authentication attempt: %s" % auth_header)
def _auth_negotiate(self, auth_header):
- os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
-
auth_value = auth_header.removeprefix("Negotiate ")
+ # Set keytab to use
+ os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
+
try:
# Initialise the server session
result, context = kerberos.authGSSServerInit(self.kerberos_service)
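Review bot: `os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")` raises `TypeError` when the setting is absent, because `os.environ` only accepts strings. In `_auth_negotiate` it runs before the `try:`, so the request would likely fail with a 500 rather than a rejected login (inferred, since the surrounding handler is not visible). The same assignment is added in `_auth_with_credentials`. It also rewrites process-wide state on every request; setting it once at startup after checking that the path is configured would be safer, or at least guard it here with `keytab = self.backend.settings.get("krb5-keytab")` followed by `if not keytab: raise tornado.web.HTTPError(500, "krb5-keytab is not configured")`. The body of `_auth_negotiate` continues outside the hunk.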
return user
def _auth_basic(self, auth_header):
- os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
-
# Remove "Basic "
auth_header = auth_header.removeprefix("Basic ")
return self._auth_with_credentials(username, password)
def _auth_with_credentials(self, username, password):
+
+ # Set keytab to use
+ os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
+
# Check the credentials against the Kerberos database
try:
kerberos.checkPassword(username, password,
- "%s/pakfire.ipfire.org" % self.kerberos_service, self.kerberos_realm)
+ self.kerberos_principal, self.kerberos_realm)
# Catch any authentication errors
except kerberos.BasicAuthError as e: