我正在为一所大学做一个项目,作为最后一步,我必须核实学历。我应该验证这些凭据是否有效,并且我不必连接到任何服务或获得任何权限。我是这个领域的新手,所以如果我没有提供足够的信息,请耐心等待。如果你问我,我会尽我所能用所要求的信息更新这篇文章
我正在Ubuntu服务器18.04上工作。使用Python 3.6。我已经成功地在我的设备上安装了kerberos 5客户端软件,并在现有kdc和krb5服务器上设置了一个域。我还通过pip成功安装了gssapi。(我没有验证,但这表明成功了Successfully installed gssapi-1.6.5
)
我能够执行kinit
。如何使用gssapi执行kinit
并评估它是否成功?我只需要一个真/假值和一个kdestroy
值
我正在使用this教程,但我真的不知道应该在那里放些什么,我真正需要的是什么。如果我做对了,我只需要为凭证构建一个SecurityContext,然后像我的终端中的kinit username
和kdestroy
一样销毁它,对吗?
教程中说:
>>> server_hostbased_name = gssapi.Name('HTTP@' + FQDN, name_type=gssapi.NameType.hostbased_service)
>>> server_hostbased_name
Name(b'HTTP@sross', <OID 1.2.840.113554.1.2.1.4>)
>>> server_name = gssapi.Name('HTTP/sross@')
>>> server_name
Name(b'HTTP/sross@', None)
当我执行kinit username
时,输入正确的密码,然后klist
我得到:
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@DOMAIN.COM
Valid starting Expires Service principal
05/08/20 14:35:31 05/09/20 14:35:23 krbtgt/DOMAIN.COM@DOMAIN.COM
对于我的案例,教程中的前两行不适合我的案例,我可以设置server_name = gssapi.Name('krbtgt/DOMAIN.COM@')
,这是对的吗?这只是为了基本的理解
在本教程中,我找不到任何方法来验证凭证username
与相应的password
,有人能告诉我如何做,或者给我看一个关于根据kerberos服务器验证这些凭证的教程吗
提前谢谢
更新:
我发现here是以下代码(我缩短了_acquire_creds
方法,因为它包含的功能比我需要的更多)。也许这能帮你向我解释一下
def __init__(self, username, password, server):
log.info("Setting up GSSAPI Security Context for Kerberos auth")
self.creds = self._acquire_creds(username, password)
server_spn = "cifs@%s" % server
log.debug("GSSAPI Server SPN Target: %s" % server_spn)
server_name = gssapi.Name(base=server_spn,
name_type=gssapi.NameType.hostbased_service)
self.context = gssapi.SecurityContext(name=server_name,
creds=self.creds,
usage='initiate')
def _acquire_creds(self, username, password):
# 3 use cases with Kerberos Auth
# 1. Both the user and pass is supplied so we want to create a new
# ticket with the pass
# 2. Only the user is supplied so we will attempt to get the cred
# from the existing store
# 3. The user is not supplied so we will attempt to get the default
# cred from the existing store
log.info("GSSAPI: Acquiring credentials handle")
if username and password:
log.debug("GSSAPI: Acquiring credentials handle for user %s with "
"password" % username)
user = gssapi.Name(base=username,
name_type=gssapi.NameType.user)
bpass = password.encode('utf-8')
try:
creds = gssapi.raw.acquire_cred_with_password(user, bpass,
usage='initiate')
except AttributeError:
raise SMBAuthenticationError("Cannot get GSSAPI credential "
"with password as the necessary "
"GSSAPI extensions are not "
"available")
except gssapi.exceptions.GSSError as er:
raise SMBAuthenticationError("Failed to acquire GSSAPI "
"credential with password: %s"
% str(er))
# acquire_cred_with_password returns a wrapper, we want the creds
# object inside this wrapper
creds = creds.creds
log.info("GSSAPI: Acquired credentials for user %s" % str(user))
return creds
似乎问这个问题的所有细节都足以得到答案。这段代码适用于我,允许我验证给定的
username
和password
。我还不确定的是,我是否必须执行某种kdestroy
来最终“关闭”上下文。我会尽快更新这个答案相关问题 更多 >
编程相关推荐