From: Michael Tremer
Date: Sun, 17 Sep 2023 12:25:10 +0000 (+0000)
Subject: Fix Kerberos authentication
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6e7d284393136869c6d3c1bbcd4c2ddad460b63;p=pbs.git
Fix Kerberos authentication
Signed-off-by: Michael Tremer
---
diff --git a/src/web/base.py b/src/web/base.py
index 15dd79a7..3bfff3c1 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -8,6 +8,7 @@ import json
 import kerberos
 import logging
 import os
+import socket
 import time
 import tornado.locale
 import tornado.web
@@ -33,7 +34,11 @@ class KerberosAuthMixin(object):
 
 @property
 def kerberos_service(self):
- return self.settings.get("kerberos_service", "HTTP")
+ return self.settings.get("krb5-service", "HTTP")
+
+ @property
+ def kerberos_principal(self):
+ return self.settings.get("krb5-principal", "pakfire/%s" % socket.getfqdn())
 
 def authenticate_redirect(self):
 """
@@ -73,10 +78,11 @@ class KerberosAuthMixin(object):
 raise tornado.web.HTTPError(400, "Unexpected Authentication attempt: %s" % auth_header)
 
 def _auth_negotiate(self, auth_header):
- os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
-
 auth_value = auth_header.removeprefix("Negotiate ")
 
+ # Set keytab to use
+ os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
+
 try:
 # Initialise the server session
 result, context = kerberos.authGSSServerInit(self.kerberos_service)
@@ -115,8 +121,6 @@ class KerberosAuthMixin(object):
 return user
 
 def _auth_basic(self, auth_header):
- os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
-
 # Remove "Basic "
 auth_header = auth_header.removeprefix("Basic ")
 
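Review bot: The fallback in the new `kerberos_principal` property calls `socket.getfqdn()` on every access, so the service principal used for password checks depends on whatever the resolver returns at request time, and the lookup can block inside a Tornado handler. A principal that does not match an entry in the keytab makes authentication fail in a way that is hard to diagnose, so I would either require `krb5-principal` in the configuration or compute the fallback once at start-up and log it, with a comment such as `# Must match a principal present in the krb5-keytab file`. The service lookup key also changes from `kerberos_service` to `krb5-service` with no fallback, so a deployment that still sets the old key silently gets `HTTP`. Both properties read `self.settings` while the keytab is read from `self.backend.settings` elsewhere in this commit; it is worth confirming that the `krb5-*` keys are present in both.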
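Review bot: `os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")` in `_auth_negotiate` raises `TypeError` when the setting is absent, because `get()` then returns `None` (assuming the settings object is dict-like) and environment values must be strings; the same line is added to `_auth_with_credentials` in the last hunk. The assignment also rewrites a process-wide variable on every request, so setting it once at application start-up, after checking that the keytab path is configured and readable, would fail early and keep the handlers free of global side effects. If it stays in the handler, guard it with `keytab = self.backend.settings.get("krb5-keytab")` and `if not keytab: raise tornado.web.HTTPError(500, "krb5-keytab is not configured")` before the assignment. `_auth_negotiate` continues past the end of this hunk.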
@@ -132,10 +136,14 @@ class KerberosAuthMixin(object):
 return self._auth_with_credentials(username, password)
 
 def _auth_with_credentials(self, username, password):
+
+ # Set keytab to use
+ os.environ["KRB5_KTNAME"] = self.backend.settings.get("krb5-keytab")
+
 # Check the credentials against the Kerberos database
 try:
 kerberos.checkPassword(username, password,
- "%s/pakfire.ipfire.org" % self.kerberos_service, self.kerberos_realm)
+ self.kerberos_principal, self.kerberos_realm)
 
 # Catch any authentication errors
 except kerberos.BasicAuthError as e:
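Review bot: `kerberos.checkPassword()` in `_auth_with_credentials` is described in the pykerberos documentation as open to KDC spoofing unless the KDC's reply is verified against a service key, and the call here relies on the binding's default behaviour. Setting `KRB5_KTNAME` just above suggests verification is intended; if the installed binding accepts it, I would pass `verify=True` explicitly and add a comment such as `# kerberos_principal must have a key in the keytab, otherwise the KDC reply cannot be verified`. It is also worth confirming, presumably in a test against a real keytab, that a principal missing from the keytab makes the check fail rather than succeed unverified. The `try` block continues outside the hunk, so the handling of `BasicAuthError` is not visible here.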