[Update] 修改radius MFA

2019-11-11 20:10:49 +08:00 · 2019-11-11 20:10:49 +08:00 · a01126c6c7
parent f53cf8d544
commit a01126c6c7
3 changed files with 33 additions and 1 deletions
--- a/apps/authentication/backends/radius.py
+++ b/apps/authentication/backends/radius.py
@ -5,6 +5,8 @@ from django.contrib.auth import get_user_model
 from radiusauth.backends import RADIUSBackend, RADIUSRealmBackend
 from django.conf import settings

+from pyrad.packet import AccessRequest
+
 User = get_user_model()


@ -25,6 +27,23 @@ class CreateUserMixin:
            user.save()
        return user

+    def _get_auth_packet(self, username, password, client):
+        """
+        Get the pyrad authentication packet for the username/password and the
+        given pyrad client.
+        """
+        pkt = client.CreateAuthPacket(code=AccessRequest,
+                                      User_Name=username)
+        if settings.CONFIG.RADIUS_ENCRYPT_PASSWORD:
+            password = pkt.PwCrypt(password)
+        else:
+            password = password
+        pkt["User-Password"] = password
+        pkt["NAS-Identifier"] = 'django-radius'
+        for key, val in list(getattr(settings, 'RADIUS_ATTRIBUTES', {}).items()):
+            pkt[key] = val
+        return pkt
+

 class RadiusBackend(CreateUserMixin, RADIUSBackend):
    pass
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -375,6 +375,7 @@ defaults = {
    'RADIUS_SERVER': 'localhost',
    'RADIUS_PORT': 1812,
    'RADIUS_SECRET': '',
+    'RADIUS_ENCRYPT_PASSWORD': True,
    'AUTH_LDAP_SEARCH_PAGED_SIZE': 1000,
    'AUTH_LDAP_SYNC_IS_PERIODIC': False,
    'AUTH_LDAP_SYNC_INTERVAL': None,
@ -398,6 +399,7 @@ defaults = {
    'FORCE_SCRIPT_NAME': '',
    'LOGIN_CONFIRM_ENABLE': False,
    'WINDOWS_SKIP_ALL_MANUAL_PASSWORD': False,
+    'OTP_IN_RADIUS': False,
 }


--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@ -375,9 +375,20 @@ class MFAMixin:
        self.otp_level = 0
        self.otp_secret_key = None

+    def check_otp_on_radius(self, code):
+        from authentication.backends.radius import RadiusBackend
+        backend = RadiusBackend()
+        user = backend.authenticate(None, username=self.username, password=code)
+        if user:
+            return True
+        return False
+
    def check_otp(self, code):
        from ..utils import check_otp_code
-        return check_otp_code(self.otp_secret_key, code)
+        if settings.CONFIG.OTP_IN_RADIUS:
+            return self.check_otp_on_radius(code)
+        else:
+            return check_otp_code(self.otp_secret_key, code)


 class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):