Skip to content

J
jumpserver
Commit a01126c6 authored by ibuler's avatar ibuler
Browse files
Options

[Update] 修改radius MFA

parent f53cf8d5
Hide whitespace changes
Inline Side-by-side
Showing with 33 additions and 1 deletion
apps/authentication/backends/radius.py
View file @ a01126c6
...@@ -5,6 +5,8 @@ from django.contrib.auth import get_user_model ...@@ -5,6 +5,8 @@ from django.contrib.auth import get_user_model
from radiusauth.backends import RADIUSBackend, RADIUSRealmBackend from radiusauth.backends import RADIUSBackend, RADIUSRealmBackend
from django.conf import settings from django.conf import settings
from pyrad.packet import AccessRequest
User = get_user_model() User = get_user_model()
...@@ -25,6 +27,23 @@ class CreateUserMixin: ...@@ -25,6 +27,23 @@ class CreateUserMixin:
user.save() user.save()
return user return user
def _get_auth_packet(self, username, password, client):
"""
Get the pyrad authentication packet for the username/password and the
given pyrad client.
"""
pkt = client.CreateAuthPacket(code=AccessRequest,
User_Name=username)
if settings.CONFIG.RADIUS_ENCRYPT_PASSWORD:
password = pkt.PwCrypt(password)
else:
password = password
pkt["User-Password"] = password
pkt["NAS-Identifier"] = 'django-radius'
for key, val in list(getattr(settings, 'RADIUS_ATTRIBUTES', {}).items()):
pkt[key] = val
return pkt
class RadiusBackend(CreateUserMixin, RADIUSBackend): class RadiusBackend(CreateUserMixin, RADIUSBackend):
pass pass
......
apps/jumpserver/conf.py
View file @ a01126c6
...@@ -375,6 +375,7 @@ defaults = { ...@@ -375,6 +375,7 @@ defaults = {
'RADIUS_SERVER': 'localhost', 'RADIUS_SERVER': 'localhost',
'RADIUS_PORT': 1812, 'RADIUS_PORT': 1812,
'RADIUS_SECRET': '', 'RADIUS_SECRET': '',
'RADIUS_ENCRYPT_PASSWORD': True,
'AUTH_LDAP_SEARCH_PAGED_SIZE': 1000, 'AUTH_LDAP_SEARCH_PAGED_SIZE': 1000,
'AUTH_LDAP_SYNC_IS_PERIODIC': False, 'AUTH_LDAP_SYNC_IS_PERIODIC': False,
'AUTH_LDAP_SYNC_INTERVAL': None, 'AUTH_LDAP_SYNC_INTERVAL': None,
...@@ -398,6 +399,7 @@ defaults = { ...@@ -398,6 +399,7 @@ defaults = {
'FORCE_SCRIPT_NAME': '', 'FORCE_SCRIPT_NAME': '',
'LOGIN_CONFIRM_ENABLE': False, 'LOGIN_CONFIRM_ENABLE': False,
'WINDOWS_SKIP_ALL_MANUAL_PASSWORD': False, 'WINDOWS_SKIP_ALL_MANUAL_PASSWORD': False,
'OTP_IN_RADIUS': False,
} }
......
apps/users/models/user.py
View file @ a01126c6
...@@ -375,9 +375,20 @@ class MFAMixin: ...@@ -375,9 +375,20 @@ class MFAMixin:
self.otp_level = 0 self.otp_level = 0
self.otp_secret_key = None self.otp_secret_key = None
def check_otp_on_radius(self, code):
from authentication.backends.radius import RadiusBackend
backend = RadiusBackend()
user = backend.authenticate(None, username=self.username, password=code)
if user:
return True
return False
def check_otp(self, code): def check_otp(self, code):
from ..utils import check_otp_code from ..utils import check_otp_code
return check_otp_code(self.otp_secret_key, code) if settings.CONFIG.OTP_IN_RADIUS:
return self.check_otp_on_radius(code)
else:
return check_otp_code(self.otp_secret_key, code)
class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser): class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment