Is there a way in Python/Django to get the username of the currently logged-in Windows user, from an app that is not running locally?
UPDATE: sorry, to clarify, by this I mean the Windows username of the user viewing the web page, not the user running the server.
I've tried both:
current_user = os.environ.get("USERNAME")
current_user_getpass = getpass.getuser()
But I think they're returning the name of the user running the server.
Thanks!
FURTHER UPDATE: I don't care greatly about security. It really doesn't matter if users spoof a username. What does matter is convenience. I just need a way to get the username without users having to fiddle around with passwords or install client-side software. Any ideas?
Three ways, none of which work.
Use the Ident (AUTH) protocol. It's technically cross-platform.
...except there are exactly zero Ident servers for Windows that are able to return the real user name instead of a static string.
Edit: Apparently Retina Scan Identd can do this. (Awesome.)
Require HTTP NTLM or Negotiate authentication. You get more than a mere username check,
...except NTLM is insecure, only Internet Exploder and Firefox support it, and they only use it inside the LAN (intranet) by default. Negotiate is able to use the more secure Kerberos, but it (obviously) requires Kerberos on both server and clients. If the Windows PCs are in a domain, good. If not...
If you control all client machines, you can use simple SSL client-certificate authentication. Works in all modern browsers.
...but every user needs their own certificate. Creating an internal-use CA and issuing certificates is simple; getting them installed and working in client machines - not so.
Related
I am using python flask to develop web services. I want to make web service secure.
Need to consume those from Ajax.
I have tried Okta integration but as it is depends on redirect I couldn't achieve the integration.
I am thinking to go for windows authentication with our org ldap directory.
Getting windows username and password from windows logged in user and authenticating with ldap.
Could anyone please help me how to achieve it or please post the suggestions for better solution.
You won't get the username and password from the Windows client -- being able to grab the logon user's password from a remote web site would be an enormous security nightmare.
Assuming not simply asking the user to supply credentials is a non-negotiable design parameter, you need something that can use the logged on user's token ('I trust this token and it says you are this user ID') instead of trying to validate the user/password directly. Kerberos-based authentication if the Windows boxes are logging into an Active Directory & your app is on the same network. Otherwise you'd need some sort of SSO (I frequently use ADFS, if that's set up for the organisation, via MS Graph) -- what would depend on the specifics of the directories available.
I have two questions regarding security issues.
Intro: I'm developing a command line client that communicates with server (ready product, don't have an impact on code of the server) with Curl. Server requires authentication: username and password (plain text). All requests are made with HTTPS.
I believe using HTTP cookie is a good solution: client will authenticate only once and for another request a cookie can be used.
Firstly: Authentication implementation. Is it safe to store user password in regular python variable? I mean can it be read by a third side during script runtime? (there can be many users on same machine, on the same OS account, every single one has a username and a password [for client - server authorisation] that should remain secret)
Secondly: Would you have some hints about cookie storing? Encrypted file or something like that?
I am using Python 2.6.
Your assumption is correct. As long as the users do not have access to one another’s home directories, there is no need in further hiding the cookie. Your design is secure. Also, since you are developing a CL tool, you could simply use a netrc-like configuration file (it could be .netrc itself) containing the authentication information and forget about cookie management.
EDIT many users have access to one account:
I would consider changing that. However, playing within your constraints, I would suggest you create a log-in and log-out mechanism that generates and returns an authentication token valid for one session only.
appname login
The CLI would prompt from a username and a password. If the latter are valid, the server replies with an alphanumeric sequence valid for one session. The client would save it in a temporary file and use it for subsequent uses.
appname use
And finally,
appname logout
which would invalidate the token and remove the file.
I'm sure this question is easily googleable, but I can't seem to find the right query to find the answer I want.
I'm running several apps on my home server that all serve their own website for admin and info purposes. Currently I access them all from the internet using http://MyHouseServerAddress.com:8080 etc. Where 8080 is replaced with 8081, 8082 etc. for each app. They all have their own usernames and passwords and some of them use SSL
What I want is to have a single access point, e.g. http://MyHouseServerAddress.com which gives me access to each app. Each app will have a link on that page which will take you to that app's website as if it were just a page on the main site. However... I want the single access point to be password protected and SSL'd, BUT I want to remove the passwords from all the apps as they would be accessed through the single "portal" of the initial page which is password protected and SSL'd. I.e. each app would still serve on it's original port, but that port would no longer be accessible via the internet, instead any traffic from that port would be routed through the single access point.
What I'm trying to do it get a single password login, preferably via SSL to my home server which gives me access to all my other serving apps but also secures them all behind the single login.
Can this be done with a python script or a C# app for instance running some sort of proxy or port forward script? Or would running an Appache server that can redirect traffic through itself work? I'm happy to write code to solve the problem if needed.
I hope this makes sense!
I'm running W7 on my home server.
Thanks,
Max
This sounds very much like a portal with single sign-on. I haven't tried, but you might get away with implementing oauth on your sites and have the main site be the provider.
Other way would be to use soemthing like CAS.
Look at this question for options.
You can install Apache+PHP on port 80, install PHP Web Proxy on it, allow local access to your apps (so they allow access without password from localhost) and secure this gateway with .htaccess and .htpasswd, or another way.
This is most simple solution for home using. Good enterprise solution would be SSO, bad it is not simple.
I'm writing panel for administrating nginx (domains, rewrites, etc), svn and other services. For that, i'm writing backend that will work on root (to change nginx configs, reload them, change user passwords, etc), and client (console client, and web app).
App works on unix sockets, and i made very simple protocol for it:
\0\0\0\0user\0key\0module\0command\0data\0
Well, this is quite simple. Client sends command and data to backend, fox ex:
\0\0\0\0morsik\0\0nginx\0add_domain\0www.domain.tld something\0
Problem is, how to authenticate that user is really morsik? For web interface i don't have to - web page have it's own authorization so i can sent some key that will work for every user that nobody will know.
Problem is if somebody have access to ssh. Then he could write simple client that will spoof username and then he could change other user configuration.
So, how can i made correct authorization for users?
Don't reinvent the wheel. ;) I found this discussion enlightening:
http://cyberelk.net/tim/2007/03/08/cups-unix-domain-sockets-authentication/ Explains the concept of socket auth.
http://pythonic.pocoo.org/2007/7/7/unix-socket-credentials-with-python Helpful details.
http://atlee.ca/software/pam/ This might work also, though less convenient.
Create a group for app admins only, etc.
I'm considering moving from Apache to Lighttpd for an internal web application, written with python. The problem is that I'm relying on libapache2-mod-auth-ntlm-winbind ... which doesn't actually seem to be a well support & updated package (though that could be because it really does work well).
I'm looking for suggestions and hints about what it would take to use django itself to handle the HTTP authentication. This would allow me to be web-server-agnostic, and could potentially be a grand learning experience.
Some topical concerns:
Is it reasonable to have the custom application perform true HTTP authentication?
How involved is getting my python code connected to windows domain controller to this kind of authentication without prompting the user for a password?
Does NTLM provide any access to user details & group memberships so that I can stop searching through yet another connection to the windows domain controller via LDAP?
I would love to be able to write a module to simplify this technique which could be shared with the community.
Partial answer:
You can (and should) pass the NTLM auth off to an external helper. Basically, install Samba on the machine, configure it, join the domain, enable winbind, then use the "ntlm_auth" helper binary, probably in "pipe" mode.
Authenticating an NTLM session requires a secure pipe to the domain controller, which needs credentials (e.g. a Samba/domain-member machine account). This is the quickest route to get there.
Squid (the webcache) has code for doing NTLM auth using the external helper; FreeRadius does something similar.
The NTLM auth itself does not provide any group info; if you're running winbind you could of course use calls to "wbinfo" to get user groups.