diff --git a/src/allmydata/frontends/auth.py b/src/allmydata/frontends/auth.py index 82ef1c6..02c65a0 100644 --- a/src/allmydata/frontends/auth.py +++ b/src/allmydata/frontends/auth.py @@ -1,8 +1,11 @@ import os -from zope.interface import implements +from zope.interface import implements, providedBy from twisted.web.client import getPage from twisted.internet import defer from twisted.cred import error, checkers, credentials +from twisted.conch.ssh import keys +from twisted.conch import error as conch_error +from twisted.python import failure from allmydata.util import base32 class NeedRootcapLookupScheme(Exception): @@ -17,7 +20,8 @@ class FTPAvatarID: class AccountFileChecker: implements(checkers.ICredentialsChecker) - credentialInterfaces = (credentials.IUsernamePassword, + credentialInterfaces = (credentials.ISSHPrivateKey, + credentials.IUsernamePassword, credentials.IUsernameHashedPassword) def __init__(self, client, accountfile): self.client = client @@ -31,24 +35,47 @@ class AccountFileChecker: name, passwd, rest = line.split(None, 2) if passwd in ("ssh-dss", "ssh-rsa"): bits = rest.split() - keystring = " ".join(bits[-1]) + keystring = " ".join(bits[:-1]) rootcap = bits[-1] - self.pubkeys[name] = keystring + if name not in self.pubkeys: + self.pubkeys[name] = {} + self.pubkeys[name][keystring.decode('base64')] = rootcap else: self.passwords[name] = passwd rootcap = rest - self.rootcaps[name] = rootcap + self.rootcaps[name] = rootcap def _cbPasswordMatch(self, matched, username): if matched: return FTPAvatarID(username, self.rootcaps[username]) raise error.UnauthorizedLogin - def requestAvatarId(self, credentials): - if credentials.username in self.passwords: - d = defer.maybeDeferred(credentials.checkPassword, - self.passwords[credentials.username]) - d.addCallback(self._cbPasswordMatch, str(credentials.username)) + def _cbCheckKey(self, matched, credentials): + if not credentials.signature: + return failure.Failure(conch_error.ValidPublicKey()) + if matched: + pubKey = keys.Key.fromString(credentials.blob) + matched = pubKey.verify(credentials.signature, credentials.sigData) + if matched: + rootcap = self.pubkeys[credentials.username][credentials.blob] + return FTPAvatarID(username, rootcap) + raise error.UnauthorizedLogin + + def checkKey(self, credentials): + return credentials.blob in self.pubkeys[credentials.username] + + def requestAvatarId(self, s_credentials): + if (credentials.ISSHPrivateKey in providedBy(s_credentials) + and s_credentials.username in self.pubkeys): + d = defer.maybeDeferred(self.checkKey, s_credentials) + d.addCallback(self._cbCheckKey, s_credentials) + return d + if ((credentials.IUsernamePassword in providedBy(s_credentials) or + credentials.IUsernameHashedPassword in providedBy(s_credentials)) + and s_credentials.username in self.passwords): + d = defer.maybeDeferred(s_credentials.checkPassword, + self.passwords[s_credentials.username]) + d.addCallback(self._cbPasswordMatch, str(s_credentials.username)) return d return defer.fail(error.UnauthorizedLogin()) -----------------------------5185036688239831991368549288 Content-Disposition: form-data; name="description"