1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
# Copyright (C) 2005, 2006, 2007, 2008 Canonical Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
"""Support for secure authentication using GSSAPI over FTP.
See RFC2228 for details.
"""
import base64, ftplib, getpass, socket
from bzrlib import (
config,
errors,
)
from bzrlib.trace import info, mutter
from bzrlib.transport.ftp import FtpTransport
from bzrlib.transport import register_transport_proto, register_transport
try:
import kerberos
except ImportError, e:
mutter('failed to import kerberos lib: %s', e)
raise errors.DependencyNotPresent('kerberos', e)
if getattr(kerberos, "authGSSClientWrap", None) is None:
raise errors.DependencyNotPresent('kerberos',
"missing encryption function authGSSClientWrap")
class GSSAPIFtp(ftplib.FTP):
"""Extended version of ftplib.FTP that can authenticate using GSSAPI."""
def mic_putcmd(self, line):
rc = kerberos.authGSSClientWrap(self.vc, base64.b64encode(line))
wrapped = kerberos.authGSSClientResponse(self.vc)
ftplib.FTP.putcmd(self, "MIC " + wrapped)
def mic_getline(self):
resp = ftplib.FTP.getline(self)
if resp[:4] != '631 ':
raise AssertionError
rc = kerberos.authGSSClientUnwrap(self.vc, resp[4:].strip("\r\n"))
response = base64.b64decode(kerberos.authGSSClientResponse(self.vc))
return response
def gssapi_login(self, user):
# Try GSSAPI login first
# Used FTP response codes:
# 235 [ADAT=base64data] - indicates that the security data exchange
# completed successfully.
# 334 [ADAT=base64data] - indicates that the requested security
# mechanism is ok, and includes security data to be used by the
# client to construct the next command.
# 335 [ADAT=base64data] - indicates that the security data is
# acceptable, and more is required to complete the security
# data exchange.
resp = self.sendcmd('AUTH GSSAPI')
if resp.startswith('334 '):
rc, self.vc = kerberos.authGSSClientInit("ftp@%s" % self.host)
if kerberos.authGSSClientStep(self.vc, "") != 1:
while resp[:4] in ('334 ', '335 '):
authdata = kerberos.authGSSClientResponse(self.vc)
resp = self.sendcmd('ADAT ' + authdata)
if resp[:9] in ('235 ADAT=', '335 ADAT='):
rc = kerberos.authGSSClientStep(self.vc, resp[9:])
if not ((resp.startswith('235 ') and rc == 1) or
(resp.startswith('335 ') and rc == 0)):
raise ftplib.error_reply, resp
info("Authenticated as %s" % kerberos.authGSSClientUserName(
self.vc))
# Monkey patch ftplib
self.putcmd = self.mic_putcmd
self.getline = self.mic_getline
self.sendcmd('USER ' + user)
return resp
mutter("Unable to use GSSAPI authentication: %s", resp)
class GSSAPIFtpTransport(FtpTransport):
"""FTP transport implementation that will try to use GSSAPI authentication.
"""
def _create_connection(self, credentials=None):
"""Create a new connection with the provided credentials.
:param credentials: The credentials needed to establish the connection.
:return: The created connection and its associated credentials.
The credentials are a tuple with the username and password. The
password is used if GSSAPI Authentication is not available.
The username and password can both be None, in which case the
credentials specified in the URL or provided by the
AuthenticationConfig() are used.
"""
if credentials is None:
user, password = self._user, self._password
else:
user, password = credentials
auth = config.AuthenticationConfig()
if user is None:
user = auth.get_user('ftp', self._host, port=self._port)
if user is None:
# Default to local user
user = getpass.getuser()
mutter("Constructing FTP instance against %r" %
((self._host, self._port, user, '********',
self.is_active),))
try:
connection = GSSAPIFtp()
connection.connect(host=self._host, port=self._port)
try:
connection.gssapi_login(user=user)
except ftplib.error_perm, e:
if user and user != 'anonymous' and \
password is None: # '' is a valid password
password = auth.get_password('ftp', self._host, user,
port=self._port)
connection.login(user=user, passwd=password)
connection.set_pasv(not self.is_active)
except socket.error, e:
raise errors.SocketConnectionError(self._host, self._port,
msg='Unable to connect to',
orig_error= e)
except ftplib.error_perm, e:
raise errors.TransportError(msg="Error setting up connection:"
" %s" % str(e), orig_error=e)
return connection, (user, password)
def get_test_permutations():
"""Return the permutations to be used in testing."""
from bzrlib.tests import ftp_server
if ftp_server.FTPServerFeature.available():
return [(GSSAPIFtpTransport, ftp_server.FTPTestServer)]
else:
return []
|