1.2.3. aaa

This module provides the authentication, authorization and access functionality for the server application.

1.2.3.1. Classes

class AuthenticatedSession(user)

Bases: object

A container to store information associated with an authenticated session.

__init__(user)

Parameters: user (User) – The user object of the authenticated user.

created

event_socket

An optional EventSocket associated with the client. If the client has not opened an event socket, this is None.

classmethod from_db_authenticated_session(stored_session)

Load an instance from a record stored in the database.

Parameters: stored_session – The authenticated session from the database to load.
Returns: A new AuthenticatedSession instance.

last_seen
user
user_access_level
user_is_admin

class AuthenticatedSessionManager(timeout='30m')

Bases: object

A container for managing authenticated sessions.

__init__(timeout='30m')

Parameters: timeout (int, str) – The length of time in seconds for which sessions are valid.

clean()

Remove sessions which have expired.

get(session_id, update_timestamp=True)

Look up an AuthenticatedSession instance from its unique identifier and optionally update the last seen timestamp. If the session is not found or has expired, None will be returned.

Parameters:
  • session_id (str) – The unique identifier of the session to retrieve.
  • update_timestamp (bool) – Whether or not to update the last seen timestamp for the session.
Returns: The session if it exists and is active.
Return type: AuthenticatedSession

put(user)

Create and store a new AuthenticatedSession object for the specified user. Any previously existing sessions for the specified user are removed from the manager.

Parameters: user (User) – The user object of the authenticated user.
Returns: The unique identifier for this session.
Return type: str

remove(session_id)

Remove the specified session from the manager.

Parameters: session_id (str) – The unique identifier for the session to remove.

stop()

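As an added example that is not part of King Phisher's own code, the following shows the session lifecycle the AuthenticatedSessionManager documentation describes: a timeout given as seconds or as a string such as '30m', one live session per user (put() discards earlier ones), expiry enforced on lookup and by clean(), and an optional refresh of last_seen on get(). The timeout-string grammar, the token generator and the injectable clock are assumptions made here so the behaviour can be demonstrated deterministically.

```python
import re
import secrets
import time

# Constructed example; names and timeout grammar are assumptions, not the project's API.
_UNITS = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400}

def parse_timeout(value):
    """Accept an int of seconds or a string such as '30m' (assumed format)."""
    if isinstance(value, int):
        return value
    match = re.fullmatch(r'(\d+)([smhd])', value.strip())
    if match is None:
        raise ValueError('invalid timeout: ' + repr(value))
    return int(match.group(1)) * _UNITS[match.group(2)]

class ManualClock:
    """Deterministic clock for the demo and tests (assumption, not project code)."""
    def __init__(self, start=1000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class Session:
    def __init__(self, user, now):
        self.user = user
        self.created = now
        self.last_seen = now

class SessionManager:
    def __init__(self, timeout='30m', clock=time.time):
        self.timeout = parse_timeout(timeout)
        self._clock = clock
        self._sessions = {}  # session_id -> Session

    def put(self, user):
        # one session per user: drop earlier ones so a stale identifier cannot linger
        for sid, sess in list(self._sessions.items()):
            if sess.user == user:
                del self._sessions[sid]
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[session_id] = Session(user, self._clock())
        return session_id

    def get(self, session_id, update_timestamp=True):
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self.timeout:
            del self._sessions[session_id]  # expired: evict and report "not found"
            return None
        if update_timestamp:
            sess.last_seen = now  # idle timeout, not absolute lifetime
        return sess

    def clean(self):
        """Evict every expired session and return how many were removed."""
        now = self._clock()
        expired = [sid for sid, s in self._sessions.items() if now - s.last_seen > self.timeout]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def remove(self, session_id):
        return self._sessions.pop(session_id, None) is not None

    def __len__(self):
        return len(self._sessions)
```

Because get() refreshes last_seen by default, the timeout is an idle timeout: a client that keeps calling stays logged in indefinitely. Pass update_timestamp=False for background checks (such as event-socket polling) so that housekeeping traffic does not keep an abandoned session alive.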
class CachedPassword(pw_hash)

Bases: object

A cached in-memory password. Cleartext passwords are salted with data generated at runtime and hashed before being stored for future comparisons.

__init__(pw_hash)

Parameters: pw_hash (bytes) – The salted hash of the password to cache.

hash_algorithm = 'sha512'
iterations = 5000

classmethod new_from_password(password)

Create a new instance from a plaintext password.

Parameters: password (str) – The password to cache in memory.

pw_hash
salt = 'bXtGg@'
time

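The following is an added example, not the project's own code, of the scheme the CachedPassword and ForkedAuthenticator.authenticate documentation describe: a salt generated at process start, PBKDF2 with SHA-512 and 5000 iterations, a constant-time comparison, and a per-username cache whose entries stop being trusted once they are older than cache_timeout. The CredentialCache class, the matches() method and the explicit now arguments are assumptions made for a runnable demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed example; class and method names are assumptions, not the project's API.
HASH_ALGORITHM = 'sha512'
ITERATIONS = 5000
# A salt generated when the process starts: digests cached in one run are
# meaningless in any other, which limits what a leaked cache is worth.
RUNTIME_SALT = os.urandom(16)

class CachedPassword:
    """A password held in memory only as a salted PBKDF2-SHA512 digest."""

    def __init__(self, pw_hash, created=None):
        self.pw_hash = pw_hash
        self.time = time.time() if created is None else created

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac(HASH_ALGORITHM, password.encode('utf-8'), salt, ITERATIONS)

    @classmethod
    def new_from_password(cls, password, salt=RUNTIME_SALT, created=None):
        return cls(cls._digest(password, salt), created)

    def matches(self, password, salt=RUNTIME_SALT):
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(self._digest(password, salt), self.pw_hash)

class CredentialCache:
    """username -> CachedPassword; entries older than cache_timeout seconds are dropped."""

    def __init__(self, cache_timeout=600):
        self.cache_timeout = cache_timeout
        self._entries = {}

    def store(self, username, password, now=None):
        now = time.time() if now is None else now
        self._entries[username] = CachedPassword.new_from_password(password, created=now)

    def check(self, username, password, now=None):
        """True only when a fresh cached digest matches; a stale entry is evicted, not trusted."""
        now = time.time() if now is None else now
        entry = self._entries.get(username)
        if entry is None:
            return False
        if now - entry.time > self.cache_timeout:
            del self._entries[username]
            return False
        return entry.matches(password)
```

A cache miss (or a stale entry) is the signal to fall back to the forked child and PAM; a cache hit must never be treated as authoritative for longer than cache_timeout, because a password changed or an account disabled in PAM would otherwise keep working until the entry aged out.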
class ForkedAuthenticator(cache_timeout='10m', required_group=None, pam_service='sshd')

Bases: object

This provides authentication services to the King Phisher server through PAM. It is initialized while the server is running as root and forks into the background before the privileges are dropped. The child continues to run as root and forwards requests to PAM on behalf of the parent process, which is then free to drop privileges. Requests are encoded as JSON strings and written to the pipes with a newline character as the terminator. Each request from the parent process to the child process includes a sequence number which must be included in the response.

__init__(cache_timeout='10m', required_group=None, pam_service='sshd')

Parameters:
  • cache_timeout (int, str) – The life time of cached credentials in seconds.
  • required_group (str) – A group that, if specified, users must be a member of to be authenticated.
  • pam_service (str) – The service to use for identification to PAM when authenticating.

authenticate(username, password)

Check if a username and password are valid. If they are, the password will be salted, hashed with SHA-512 and stored so the next call with the same values will not require sending a request to the forked child.

Parameters:
  • username (str) – The username to check.
  • password (str) – The password to check.
Returns: Whether the credentials are valid or not.
Return type: bool

cache = None

The credential cache dictionary. Keys are usernames and values are tuples of password hashes and ages.

cache_timeout = None

The timeout of the credential cache in seconds.

child_pid = None

The PID of the forked child.

child_routine()

The main routine that is executed by the child after the object forks. This loop does not exit unless a stop request is made.

response_timeout = None

The timeout for individual requests in seconds.

send(request)

Encode and send a request through the pipe to the opposite end. This also sets the ‘sequence’ member of the request and increments the stored value.

Parameters: request (dict) – A request.

sequence_number = None

A sequence number to use to align requests with responses.

stop()

Send a stop request to the child process and wait for it to exit.
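The following is an added example, not the project's own implementation, of the parent/child protocol the ForkedAuthenticator documentation describes: fork, newline-terminated JSON over a pair of pipes, a sequence number stamped on every request and checked on every reply, a per-request response timeout, and a stop request the parent waits on. PAM is replaced by a constructed in-memory user table (_FAKE_PAM_USERS) so it runs without system configuration; no privileges are dropped here, and the action names, the select-based timeout and the credential table are assumptions.

```python
import json
import os
import select

# Constructed stand-in for PAM: username -> password (sample data, not real accounts).
_FAKE_PAM_USERS = {'alice': 'correct horse'}

def _verify_credentials(username, password):
    return _FAKE_PAM_USERS.get(username) == password

class ForkedAuthenticator:
    """Parent side of a fork-based authenticator (assumed names, not the project's API)."""

    def __init__(self, response_timeout=5.0):
        self.response_timeout = response_timeout
        self.sequence_number = 0
        parent_rd, child_wr = os.pipe()  # child -> parent
        child_rd, parent_wr = os.pipe()  # parent -> child
        self.child_pid = os.fork()
        if self.child_pid == 0:
            # child: keep only its own pipe ends and serve requests until told to stop;
            # in the real design this process keeps root while the parent drops it
            os.close(parent_rd)
            os.close(parent_wr)
            try:
                self._child_routine(os.fdopen(child_rd, 'r'), os.fdopen(child_wr, 'w'))
            finally:
                os._exit(0)  # never fall back into the parent's code path
        os.close(child_rd)
        os.close(child_wr)
        self._rfile = os.fdopen(parent_rd, 'r')
        self._wfile = os.fdopen(parent_wr, 'w')

    @staticmethod
    def _child_routine(rfile, wfile):
        # one JSON record per line; the reply always echoes the request's sequence
        for line in rfile:
            request = json.loads(line)
            response = {'sequence': request['sequence']}
            if request['action'] != 'stop':
                response['result'] = _verify_credentials(request['username'], request['password'])
            wfile.write(json.dumps(response) + '\n')
            wfile.flush()
            if request['action'] == 'stop':
                return

    def _send(self, request):
        request['sequence'] = self.sequence_number
        self.sequence_number += 1
        self._wfile.write(json.dumps(request) + '\n')
        self._wfile.flush()
        return request['sequence']

    def _recv(self, expected_sequence):
        ready, _, _ = select.select([self._rfile], [], [], self.response_timeout)
        if not ready:
            raise TimeoutError('no response from authentication child')
        response = json.loads(self._rfile.readline())
        if response.get('sequence') != expected_sequence:
            # a late or duplicated reply must never be credited to a different request
            raise RuntimeError('response sequence mismatch')
        return response

    def authenticate(self, username, password):
        seq = self._send({'action': 'authenticate', 'username': username, 'password': password})
        return bool(self._recv(seq).get('result'))

    def stop(self):
        """Ask the child to exit, then reap it; True if it exited cleanly."""
        seq = self._send({'action': 'stop'})
        self._recv(seq)
        self._rfile.close()
        self._wfile.close()
        _, status = os.waitpid(self.child_pid, 0)
        return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0
```

The sequence check is the part worth keeping even in a simpler design: because the parent reads the pipe in lockstep, a reply that does not carry the expected number means the two sides have lost synchronisation, and treating it as a valid answer would risk granting one request the result of another. The response timeout turns a hung or killed child into an explicit failure instead of a server that blocks forever on login.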