Merge branch 'master' of github.com:laurivosandi/certidude

2025-10-31 17:39:12 +00:00 · 2017-01-26 21:59:37 +00:00
parent 1ec5ad3b7c 6221fe9c00
commit 5d5a24096c
3 changed files with 112 additions and 55 deletions
--- a/certidude/auth.py
+++ b/certidude/auth.py
@@ -1,7 +1,6 @@

 import click
 import falcon
-import kerberos # If this fails pip install kerberos
 import logging
 import os
 import re
@@ -13,6 +12,7 @@ from certidude import config, const
 logger = logging.getLogger("api")

 if "kerberos" in config.AUTHENTICATION_BACKENDS:
+    import kerberos # If this fails pip install kerberos
    ktname = os.getenv("KRB5_KTNAME")

    if not ktname:
@@ -186,7 +186,7 @@ def authenticate(optional=False):
            if not simplepam.authenticate(user, passwd, "sshd"):
                logger.critical(u"Basic authentication failed for user %s from  %s",
                    repr(user), req.context.get("remote_addr"))
-                raise falcon.HTTPForbidden("Forbidden", "Invalid password")
+                raise falcon.HTTPUnauthorized("Forbidden", "Invalid password", ("Basic",))

            req.context["user"] = User.objects.get(user)
            return func(resource, req, resp, *args, **kwargs)
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -239,7 +239,7 @@ def certidude_request(fork):
                nm_config.set("vpn", "connection-type", "tls")
                nm_config.set("vpn", "comp-lzo", "yes")
                nm_config.set("vpn", "cert-pass-flags", "0")
-                nm_config.set("vpn", "tap-dev", "yes")
+                nm_config.set("vpn", "tap-dev", "no")
                nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
                nm_config.set("vpn", "remote", service_config.get(endpoint, "remote"))
                nm_config.set("vpn", "key", endpoint_key_path)
@@ -1174,10 +1174,11 @@ def certidude_serve(port, listen):
    from certidude import config

    # Fetch UID, GID of certidude user
-    import pwd
-    _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
-    restricted_groups = []
-    restricted_groups.append(gid)
+    if os.getuid() == 0:
+        import pwd
+        _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
+        restricted_groups = []
+        restricted_groups.append(gid)

    """
    Spawn signer process