=OXc@s:dZddlZddlZddlZeZddlmZddlm Z m Z ddl m Z ddl mZdZyddlZWnYeefk ry"ddlZddlZdZWqek reZdZqXnXed Zd efd YZd efd YZdefdYZdS(s This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 iN(tObjectIdentifier(tencodertdecoder(tMSG_USERAUTH_REQUEST(t SSHExceptiontMITtSSPIcCsQtdkrt||StdkrAtjdkrAt||StddS(s Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: Object :raise ImportError: If no GSS-API / SSPI module could be imported. :see: `RFC 4462 `_ :note: Check for the available API and return either an `._SSH_GSSAPI` (MIT GSSAPI) object or an `._SSH_SSPI` (MS SSPI) object. If you get python-gssapi working on Windows, python-gssapi will be used and a `._SSH_GSSAPI` object will be returned. If there is no supported API available, ``None`` will be returned. RRtnts)Unable to import a GSS-API / SSPI module!N(t_APIt _SSH_GSSAPItostnamet _SSH_SSPIt ImportError(t auth_methodtgss_deleg_creds((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytGSSAuthAs    t _SSH_GSSAuthcBsPeZdZdZdZdZddZdZdZdZ RS( s[ Contains the shared variables and methods of `._SSH_GSSAPI` and `._SSH_SSPI`. cCsp||_||_d|_d|_d|_d|_d|_d|_t |_ d|_ t |_ d|_ dS(s :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not sssh-connections1.2.840.113554.1.2.2N(t _auth_methodt_gss_deleg_credstNonet _gss_hostt _usernamet _session_idt_servicet _krb5_mecht _gss_ctxttFalset_gss_ctxt_statust _gss_srv_ctxtt_gss_srv_ctxt_statustcc_file(tselfRR((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt__init__ds           cCs|jdr||_ndS(s This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service :rtype: Void sssh-N(tfindR(R tservice((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt set_services cCs ||_dS(s Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login :rtype: Void N(R(R tusername((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt set_usernamestclientcCs\|jd}tjt|j}|jt|}|dkrP||S|||S(s This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :rtype: Bytes :note: In server mode we just return the OID length and the DER encoded OID. itserver(t _make_uint32RtencodeRRtlen(R tmodetOIDstkrb5_OIDtOID_len((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt ssh_gss_oidss  cCs2tj|\}}|j|jkr.tStS(s Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} :rtype: Boolean (Rtdecodet__str__RRtTrue(R t desired_mechtmecht__((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytssh_check_mechscCstjd|S(s Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer :rtype: Bytes s!I(tstructtpack(R tinteger((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR)scCs|jt|}||7}|tjdt7}||jt|7}||j7}||jt|7}||j7}||jt|7}||j7}|S(s Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) :rtype: Bytes tB(R)R+R8R9RR*(R t session_idR%R#Rtmic((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt_ssh_build_mics ( t__name__t __module__t__doc__R!R$R&R0R7R)R>(((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR_s    R cBseeZdZdZddddZedZddZddZ e dZ dZ RS( sc Implementation of the GSS-API MIT Kerberos Authentication for SSH2. :see: `.GSSAuth` cCs_tj||||jr@tjtjtjtjf|_ntjtjtjf|_dS(s :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not N( RR!RtgssapitC_PROT_READY_FLAGt C_INTEG_FLAGt C_MUTUAL_FLAGt C_DELEG_FLAGt _gss_flags(R RR((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR!s c Csk||_||_tjd|jtj}tj}|j|_|dkrjtj j |j }nNt j |\}} |j|j krtdntj j |j }d} y[|dkrtjd|d|d|j|_|jj| } n|jj|} Wn<tjk rWtjdjtjd|jnX|jj|_| S( s Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raise SSHException: Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned :rtype: String or None shost@sUnsupported mechanism OID.t peer_namet mech_typet req_flagss{0} Target: {1}iN(RRRBtNametC_NT_HOSTBASED_SERVICEtContextRGtflagsRtOIDtmech_from_stringRRR1R2Rt InitContextRtstept GSSExceptiontformattsystexc_infot establishedR( R ttargetR4R%t recv_tokent targ_nametctxt krb5_mechR5R6ttoken((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytssh_init_sec_contexts2       cCsa||_|sH|j|j|j|j|j}|jj|}n|jj|j}|S(s Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: String :see: `._ssh_build_mic` (RR>RRRRtget_micR(R R<tgss_kext mic_fieldt mic_token((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt ssh_get_mic&s   cCsX||_||_|jdkr3tj|_n|jj|}|jj|_|S(s Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned :rtype: String or None N( RRRRRBt AcceptContextRRRWR(R thostnameRYR%R]((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytssh_accept_sec_contextAs  cCsu||_||_|jdk r[|j|j|j|j|j}|jj||n|jj|j|dS(sm Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises gssapi.GSSException: if the MIC check failed N( RRRR>RRRt verify_micR(R RbR<R%Ra((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt ssh_check_micVs    cCs|jjdk rtStS(s Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` :rtype: bool N(Rtdelegated_credRR3R(R ((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytcredentials_delegatedoscCs tdS(s Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raise NotImplementedError: Credential delegation is currently not supported in server mode N(tNotImplementedError(R t client_token((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pytsave_client_creds{s N( R?R@RAR!RR^RRcRfRhtpropertyRjRm(((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR s -    R cBsbeZdZdZddddZedZdZddZ e dZ dZ RS( sf Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` cCsPtj||||jr9tjtjBtjB|_ntjtjB|_dS(s :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not N(RR!RtsspicontISC_REQ_INTEGRITYtISC_REQ_MUTUAL_AUTHtISC_REQ_DELEGATERG(R RR((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR!s   c Cs||_||_d}d|j}|d k rmtj|\}}|j|jkrmtdqmnyY|d krtj dd|j d||_ n|j j |\}} | dj } Wn,tdjtjd|jnX|dkrt|_d } n| S( s Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raise SSHException: Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned :rtype: String or None ishost/sUnsupported mechanism OID.tKerberostscflagst targetspns{0}, Target: {1}iN(RRRRR1R2RRtsspit ClientAuthRGRt authorizetBuffert ExceptionRTRURVR3R( R RXR4R%RYterrorRZR5R6R]((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR^s.         cCsa||_|sH|j|j|j|j|j}|jj|}n|jj|j}|S(s Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. :rtype: String :see: `._ssh_build_mic` (RR>RRRRtsignR(R R<R`RaRb((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRcs   cCs~||_||_d|j}tjdd||_|jj|\}}|dj}|dkrzt|_d}n|S(s Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned :rtype: String or None shost/RstspniN( RRRvt ServerAuthRRxRyR3RR(R ReR%RYRZR{R]((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRfs       cCsr||_||_|dk rX|j|j|j|j|j}|jj||n|jj|j|dS(sd Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises sspi.error: if the MIC check failed N( RRRR>RRRtverifyR(R RbR<R%Ra((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRhs     cCs |jtj@o|jp|jS(s Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` :rtype: Boolean (RGRoRrR(R ((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRjs cCs tdS(s Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raise NotImplementedError: Credential delegation is currently not supported in server mode N(Rk(R Rl((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRm*s N( R?R@RAR!RR^RRcRfRhRnRjRm(((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR s /   (RAR8R RUR3tGSS_AUTH_AVAILABLEtpyasn1.type.univRtpyasn1.codec.derRRtparamiko.commonRtparamiko.ssh_exceptionRRRBR tOSErrorRoRvRRRtobjectRR R (((s4/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyts.