ó =OXc@s:dZddlZddlZddlZeZddlmZddlm Z m Z ddl m Z ddl mZdZyddlZWnYeefk rçy"ddlZddlZdZWqèek rãeZdZqèXnXed „Zd efd „ƒYZd efd „ƒYZdefd„ƒYZdS(sÌ This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 iÿÿÿÿN(tObjectIdentifier(tencodertdecoder(tMSG_USERAUTH_REQUEST(t SSHExceptiontMITtSSPIcCsQtdkrt||ƒStdkrAtjdkrAt||ƒStdƒ‚dS(s´ Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: Object :raise ImportError: If no GSS-API / SSPI module could be imported. :see: `RFC 4462 `_ :note: Check for the available API and return either an `._SSH_GSSAPI` (MIT GSSAPI) object or an `._SSH_SSPI` (MS SSPI) object. If you get python-gssapi working on Windows, python-gssapi will be used and a `._SSH_GSSAPI` object will be returned. If there is no supported API available, ``None`` will be returned. RRtnts)Unable to import a GSS-API / SSPI module!N(t_APIt _SSH_GSSAPItostnamet _SSH_SSPIt ImportError(t auth_methodtgss_deleg_creds((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytGSSAuthAs    t _SSH_GSSAuthcBsPeZdZd„Zd„Zd„Zdd„Zd„Zd„Zd„Z RS( s[ Contains the shared variables and methods of `._SSH_GSSAPI` and `._SSH_SSPI`. cCsp||_||_d|_d|_d|_d|_d|_d|_t |_ d|_ t |_ d|_ dS(sÝ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not sssh-connections1.2.840.113554.1.2.2N(t _auth_methodt_gss_deleg_credstNonet _gss_hostt _usernamet _session_idt_servicet _krb5_mecht _gss_ctxttFalset_gss_ctxt_statust _gss_srv_ctxtt_gss_srv_ctxt_statustcc_file(tselfRR((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt__init__ds           cCs|jdƒr||_ndS(s This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service :rtype: Void sssh-N(tfindR(R tservice((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt set_services cCs ||_dS(sé Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login :rtype: Void N(R(R tusername((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt set_username‹stclientcCs\|jdƒ}tjt|jƒƒ}|jt|ƒƒ}|dkrP||S|||S(sÚ This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :rtype: Bytes :note: In server mode we just return the OID length and the DER encoded OID. itserver(t _make_uint32RtencodeRRtlen(R tmodetOIDstkrb5_OIDtOID_len((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt ssh_gss_oids•s  cCs2tj|ƒ\}}|jƒ|jkr.tStS(s Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} :rtype: Boolean (Rtdecodet__str__RRtTrue(R t desired_mechtmecht__((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytssh_check_mech©scCstjd|ƒS(sÝ Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer :rtype: Bytes s!I(tstructtpack(R tinteger((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR)¸scCs´|jt|ƒƒ}||7}|tjdtƒ7}||jt|ƒƒ7}||jƒ7}||jt|ƒƒ7}||jƒ7}||jt|ƒƒ7}||jƒ7}|S(sä Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) :rtype: Bytes tB(R)R+R8R9RR*(R t session_idR%R#Rtmic((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt_ssh_build_micÂs ( t__name__t __module__t__doc__R!R$R&R0R7R)R>(((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR_s    R cBseeZdZd„Zdddd„Zed„Zdd„Zdd„Z e d„ƒZ d„Z RS( sc Implementation of the GSS-API MIT Kerberos Authentication for SSH2. :see: `.GSSAuth` cCs_tj|||ƒ|jr@tjtjtjtjf|_ntjtjtjf|_dS(sÝ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not N( RR!RtgssapitC_PROT_READY_FLAGt C_INTEG_FLAGt C_MUTUAL_FLAGt C_DELEG_FLAGt _gss_flags(R RR((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR!æs c Csk||_||_tjd|jtjƒ}tjƒ}|j|_|dkrjtj j |j ƒ}nNt j |ƒ\}} |jƒ|j kr£tdƒ‚ntj j |j ƒ}d} y[|dkrtjd|d|d|jƒ|_|jj| ƒ} n|jj|ƒ} Wn<tjk rWtjdjtjƒd|jƒƒ‚nX|jj|_| S( sí Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raise SSHException: Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned :rtype: String or None shost@sUnsupported mechanism OID.t peer_namet mech_typet req_flagss{0} Target: {1}iN(RRRBtNametC_NT_HOSTBASED_SERVICEtContextRGtflagsRtOIDtmech_from_stringRRR1R2Rt InitContextRtstept GSSExceptiontformattsystexc_infot establishedR( R ttargetR4R%t recv_tokent targ_nametctxt krb5_mechR5R6ttoken((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytssh_init_sec_contextøs2       cCsa||_|sH|j|j|j|j|jƒ}|jj|ƒ}n|jj|jƒ}|S(s Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: String :see: `._ssh_build_mic` (RR>RRRRtget_micR(R R<tgss_kext mic_fieldt mic_token((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt ssh_get_mic&s   cCsX||_||_|jdkr3tjƒ|_n|jj|ƒ}|jj|_|S(sÒ Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned :rtype: String or None N( RRRRRBt AcceptContextRRRWR(R thostnameRYR%R]((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytssh_accept_sec_contextAs  cCsu||_||_|jdk r[|j|j|j|j|jƒ}|jj||ƒn|jj|j|ƒdS(sm Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises gssapi.GSSException: if the MIC check failed N( RRRR>RRRt verify_micR(R RbR<R%Ra((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt ssh_check_micVs    cCs|jjdk rtStS(s¦ Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` :rtype: bool N(Rtdelegated_credRR3R(R ((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytcredentials_delegatedoscCs t‚dS(s‚ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raise NotImplementedError: Credential delegation is currently not supported in server mode N(tNotImplementedError(R t client_token((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytsave_client_creds{s N( R?R@RAR!RR^RRcRfRhtpropertyRjRm(((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR às -    R cBsbeZdZd„Zdddd„Zed„Zd„Zdd„Z e d„ƒZ d„Z RS( sf Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` cCsPtj|||ƒ|jr9tjtjBtjB|_ntjtjB|_dS(sÝ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not N(RR!RtsspicontISC_REQ_INTEGRITYtISC_REQ_MUTUAL_AUTHtISC_REQ_DELEGATERG(R RR((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR!Žs   c Cs||_||_d}d|j}|d k rmtj|ƒ\}}|jƒ|jkrmtdƒ‚qmnyY|d kr tj dd|j d|ƒ|_ n|j j |ƒ\}} | dj } Wn,tdjtjƒd|jƒƒ‚nX|dkrt|_d } n| S( sÙ Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raise SSHException: Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned :rtype: String or None ishost/sUnsupported mechanism OID.tKerberostscflagst targetspns{0}, Target: {1}iN(RRRRR1R2RRtsspit ClientAuthRGRt authorizetBuffert ExceptionRTRURVR3R( R RXR4R%RYterrorRZR5R6R]((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR^žs.         cCsa||_|sH|j|j|j|j|jƒ}|jj|ƒ}n|jj|jƒ}|S(s Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. :rtype: String :see: `._ssh_build_mic` (RR>RRRRtsignR(R R<R`RaRb((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRcÎs   cCs~||_||_d|j}tjdd|ƒ|_|jj|ƒ\}}|dj}|dkrzt|_d}n|S(sÆ Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned :rtype: String or None shost/RstspniN( RRRvt ServerAuthRRxRyR3RR(R ReR%RYRZR{R]((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRfés       cCsr||_||_|dk rX|j|j|j|j|jƒ}|jj||ƒn|jj|j|ƒdS(sd Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises sspi.error: if the MIC check failed N( RRRR>RRRtverifyR(R RbR<R%Ra((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRhs     cCs |jtj@o|jp|jS(s© Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` :rtype: Boolean (RGRoRrR(R ((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRjs cCs t‚dS(s Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raise NotImplementedError: Credential delegation is currently not supported in server mode N(Rk(R Rl((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRm*s N( R?R@RAR!RR^RRcRfRhRnRjRm(((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR ˆs /   (RAR8R RUR3tGSS_AUTH_AVAILABLEtpyasn1.type.univRtpyasn1.codec.derRRtparamiko.commonRtparamiko.ssh_exceptionRRRBR tOSErrorRoRvRRRtobjectRR R (((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyts.        ¨