| Current File : //lib/python2.7/site-packages/paramiko/ssh_gss.pyo |
��
�=OXc������������@���s:���d��Z��d��d��l��Z��d��d��l��Z��d��d��l��Z��e��Z��d��d��l��m��Z���d��d��l��m �Z �m
�Z
��d��d��l��m��Z���d��d��l
�m��Z���d��Z��y��d��d��l��Z��WnY��e��e��f��k
�r�����y"�d��d��l��Z��d��d��l��Z��d��Z��Wq���e��k
�r�����e��Z��d��Z��q��Xn��Xe��d ����Z��d
�e��f��d��������YZ��d��e��f��d
�������YZ��d��e��f��d��������YZ��d��S(����s����
This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`.
.. note:: Credential delegation is not supported in server mode.
.. seealso:: :doc:`/api/kex_gss`
.. versionadded:: 1.15
i����N(����t����ObjectIdentifier(����t����encodert����decoder(����t����MSG_USERAUTH_REQUEST(����t����SSHExceptiont����MITt����SSPIc������������C���sQ���t��d��k��r��t��|��|�����St��d��k��rA�t��j��d��k��rA�t��|��|�����St��d��������d��S(����s����
Provide SSH2 GSS-API / SSPI authentication.
:param str auth_method: The name of the SSH authentication mechanism
(gssapi-with-mic or gss-keyex)
:param bool gss_deleg_creds: Delegate client credentials or not.
We delegate credentials by default.
:return: Either an `._SSH_GSSAPI` (Unix) object or an
`_SSH_SSPI` (Windows) object
:rtype: Object
:raise ImportError: If no GSS-API / SSPI module could be imported.
:see: `RFC 4462 <http://www.ietf.org/rfc/rfc4462.txt>`_
:note: Check for the available API and return either an `._SSH_GSSAPI`
(MIT GSSAPI) object or an `._SSH_SSPI` (MS SSPI) object. If you
get python-gssapi working on Windows, python-gssapi
will be used and a `._SSH_GSSAPI` object will be returned.
If there is no supported API available,
``None`` will be returned.
R����R����t����nts)���Unable to import a GSS-API / SSPI module!N(����t����_APIt����_SSH_GSSAPIt����ost����namet ���_SSH_SSPIt����ImportError(����t����auth_methodt����gss_deleg_creds(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����GSSAuthA���s
�������
���
�t����_SSH_GSSAuthc������������B���sP���e��Z��d��Z��d�����Z��d�����Z��d�����Z��d��d�����Z��d�����Z��d�����Z��d�����Z �RS( ���s[���
Contains the shared variables and methods of `._SSH_GSSAPI` and
`._SSH_SSPI`.
c������������C���sp���|��|��_��|��|��_��d��|��_��d��|��_��d��|��_��d��|��_��d��|��_��d��|��_��t �|��_
�d��|��_��t �|��_��d��|��_
�d��S(����s����
:param str auth_method: The name of the SSH authentication mechanism
(gssapi-with-mic or gss-keyex)
:param bool gss_deleg_creds: Delegate client credentials or not
s����ssh-connections����1.2.840.113554.1.2.2N(����t����_auth_methodt����_gss_deleg_credst����Nonet ���_gss_hostt ���_usernamet����_session_idt����_servicet
���_krb5_mecht ���_gss_ctxtt����Falset����_gss_ctxt_statust
���_gss_srv_ctxtt����_gss_srv_ctxt_statust����cc_file(����t����selfR����R����(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����__init__d���s������ � � � � � � � � � � �c������������C���s����|��j��d�����r��|��|��_��n��d��S(����s����
This is just a setter to use a non default service.
I added this method, because RFC 4462 doesn't specify "ssh-connection"
as the only service value.
:param str service: The desired SSH service
:rtype: Void
s����ssh-N(����t����findR����(����R ���t����service(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����set_service���s����� ��c������������C���s
���|��|��_��d��S(����s����
Setter for C{username}. If GSS-API Key Exchange is performed, the
username is not set by C{ssh_init_sec_context}.
:param str username: The name of the user who attempts to login
:rtype: Void
N(����R����(����R ���t����username(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����set_username����s������t����clientc������������C���s\���|��j��d�����}��t��j��t��|��j��������}��|��j��t��|��������}��|��d��k��rP�|��|���S|��|���|���S(����s����
This method returns a single OID, because we only support the
Kerberos V5 mechanism.
:param str mode: Client for client mode and server for server mode
:return: A byte sequence containing the number of supported
OIDs, the length of the OID and the actual OID encoded with
DER
:rtype: Bytes
:note: In server mode we just return the OID length and the DER encoded
OID.
i����t����server(����t����_make_uint32R����t����encodeR����R����t����len(����R ���t����modet����OIDst����krb5_OIDt����OID_len(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����ssh_gss_oids����s�����
����������c������������C���s2���t��j��|�����\��}��}��|��j�����|��j��k��r.�t��St��S(����s����
Check if the given OID is the Kerberos V5 OID (server mode).
:param str desired_mech: The desired GSS-API mechanism of the client
:return: ``True`` if the given OID is supported, otherwise C{False}
:rtype: Boolean
(����R����t����decodet����__str__R����R����t����True(����R ���t����desired_mecht����mecht����__(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����ssh_check_mech����s������������c������������C���s����t��j��d��|�����S(����s����
Create a 32 bit unsigned integer (The byte sequence of an integer).
:param int integer: The integer value to convert
:return: The byte sequence of an 32 bit integer
:rtype: Bytes
s����!I(����t����structt����pack(����R ���t����integer(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR)�������s������c������������C���s����|��j��t��|��������}��|��|��7}��|��t��j��d��t�����7}��|��|��j��t��|��������7}��|��|��j�����7}��|��|��j��t��|��������7}��|��|��j�����7}��|��|��j��t��|��������7}��|��|��j�����7}��|��S(����s����
Create the SSH2 MIC filed for gssapi-with-mic.
:param str session_id: The SSH session ID
:param str username: The name of the user who attempts to login
:param str service: The requested SSH service
:param str auth_method: The requested SSH authentication mechanism
:return: The MIC as defined in RFC 4462. The contents of the
MIC field are:
string session_identifier,
byte SSH_MSG_USERAUTH_REQUEST,
string user-name,
string service (ssh-connection),
string authentication-method
(gssapi-with-mic or gssapi-keyex)
:rtype: Bytes
t����B(����R)���R+���R8���R9���R����R*���(����R ���t
���session_idR%���R#���R����t����mic(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����_ssh_build_mic����s��������
���������������(
���t����__name__t
���__module__t����__doc__R!���R$���R&���R0���R7���R)���R>���(����(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR����_���s�������� � �
�� �
R ���c������������B���se���e��Z��d��Z��d�����Z��d��d��d��d�����Z��e��d�����Z��d��d�����Z��d��d�����Z �e
�d��������Z��d�����Z��RS( ���sc���
Implementation of the GSS-API MIT Kerberos Authentication for SSH2.
:see: `.GSSAuth`
c������������C���s_���t��j��|��|��|������|��j��r@�t��j��t��j��t��j��t��j��f��|��_��n��t��j��t��j��t��j��f��|��_��d��S(����s����
:param str auth_method: The name of the SSH authentication mechanism
(gssapi-with-mic or gss-keyex)
:param bool gss_deleg_creds: Delegate client credentials or not
N( ���R����R!���R����t����gssapit����C_PROT_READY_FLAGt����C_INTEG_FLAGt
���C_MUTUAL_FLAGt����C_DELEG_FLAGt
���_gss_flags(����R ���R����R����(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR!�������s�������� �������������c������������C���sk���|��|��_��|��|��_��t��j��d��|��j���t��j�����}��t��j�����}��|��j��|��_��|��d��k��rj�t��j �j
�|��j�����}��nN�t��j
�|�����\��}��} �|��j�����|��j��k��r��t��d��������n��t��j �j
�|��j�����}��d��}
�y[�|��d��k��r��t��j��d��|��d��|��d��|��j�����|��_��|��j��j��|
����}
�n��|��j��j��|�����}
�Wn<��t��j��k
�rW����t��j��d��j��t��j�����d���|��j�����������n��X|��j��j��|��_��|
�S( ���s����
Initialize a GSS-API context.
:param str username: The name of the user who attempts to login
:param str target: The hostname of the target to connect to
:param str desired_mech: The negotiated GSS-API mechanism
("pseudo negotiated" mechanism, because we
support just the krb5 mechanism :-))
:param str recv_token: The GSS-API token received from the Server
:raise SSHException: Is raised if the desired mechanism of the client
is not supported
:return: A ``String`` if the GSS-API has returned a token or ``None`` if
no token was returned
:rtype: String or None
s����host@s����Unsupported mechanism OID.t ���peer_namet ���mech_typet ���req_flagss����{0} Target: {1}i����N(����R����R����RB���t����Namet����C_NT_HOSTBASED_SERVICEt����ContextRG���t����flagsR����t����OIDt����mech_from_stringR����R����R1���R2���R����t����InitContextR����t����stept����GSSExceptiont����formatt����syst����exc_infot����establishedR����(����R ���t����targetR4���R%���t
���recv_tokent ���targ_namet����ctxt ���krb5_mechR5���R6���t����token(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����ssh_init_sec_context����s2����� � ���������������������������������������������c������������C���sa���|��|��_��|��sH�|��j��|��j��|��j��|��j��|��j�����}��|��j��j��|�����}��n��|��j��j��|��j�����}��|��S(����s����
Create the MIC token for a SSH2 message.
:param str session_id: The SSH session ID
:param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not
:return: gssapi-with-mic:
Returns the MIC token from GSS-API for the message we created
with ``_ssh_build_mic``.
gssapi-keyex:
Returns the MIC token from GSS-API with the SSH session ID as
message.
:rtype: String
:see: `._ssh_build_mic`
(����R����R>���R����R����R����R����t����get_micR����(����R ���R<���t����gss_kext ���mic_fieldt ���mic_token(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����ssh_get_mic&���s������ ���������������c������������C���sX���|��|��_��|��|��_��|��j��d��k��r3�t��j�����|��_��n��|��j��j��|�����}��|��j��j��|��_��|��S(����s����
Accept a GSS-API context (server mode).
:param str hostname: The servers hostname
:param str username: The name of the user who attempts to login
:param str recv_token: The GSS-API Token received from the server,
if it's not the initial call.
:return: A ``String`` if the GSS-API has returned a token or ``None``
if no token was returned
:rtype: String or None
N( ���R����R����R����R����RB���t
���AcceptContextRR���RW���R����(����R ���t����hostnameRY���R%���R]���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����ssh_accept_sec_contextA���s�����
� ���������c������������C���su���|��|��_��|��|��_��|��j��d��k �r[�|��j��|��j��|��j��|��j��|��j�����}��|��j��j��|��|������n��|��j��j��|��j��|������d��S(����sm���
Verify the MIC token for a SSH2 message.
:param str mic_token: The MIC token received from the client
:param str session_id: The SSH session ID
:param str username: The name of the user who attempts to login
:return: None if the MIC check was successful
:raises gssapi.GSSException: if the MIC check failed
N( ���R����R����R����R>���R����R����R����t
���verify_micR����(����R ���Rb���R<���R%���Ra���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt
���ssh_check_micV���s�����
� ���������������c������������C���s����|��j��j��d��k �r��t��St��S(����s����
Checks if credentials are delegated (server mode).
:return: ``True`` if credentials are delegated, otherwise ``False``
:rtype: bool
N(����R����t����delegated_credR����R3���R����(����R ���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����credentials_delegatedo���s����������c������������C���s
���t�����d��S(����s����
Save the Client token in a file. This is used by the SSH server
to store the client credentials if credentials are delegated
(server mode).
:param str client_token: The GSS-API token received form the client
:raise NotImplementedError: Credential delegation is currently not
supported in server mode
N(����t����NotImplementedError(����R ���t����client_token(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����save_client_creds{���s�����
N(
���R?���R@���RA���R!���R����R^���R����Rc���Rf���Rh���t����propertyRj���Rm���(����(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR �������s�������� ����-��������R����c������������B���sb���e��Z��d��Z��d�����Z��d��d��d��d�����Z��e��d�����Z��d�����Z��d��d�����Z �e
�d��������Z��d�����Z��RS( ���sf���
Implementation of the Microsoft SSPI Kerberos Authentication for SSH2.
:see: `.GSSAuth`
c������������C���sP���t��j��|��|��|������|��j��r9�t��j��t��j��Bt��j��B|��_��n��t��j��t��j��B|��_��d��S(����s����
:param str auth_method: The name of the SSH authentication mechanism
(gssapi-with-mic or gss-keyex)
:param bool gss_deleg_creds: Delegate client credentials or not
N(����R����R!���R����t����sspicont����ISC_REQ_INTEGRITYt����ISC_REQ_MUTUAL_AUTHt����ISC_REQ_DELEGATERG���(����R ���R����R����(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR!�������s�������� �
�����c����
�������C���s����|��|��_��|��|��_��d��}��d��|��j���}��|��d �k �rm�t��j��|�����\��}��}��|��j�����|��j��k��rm�t��d��������qm�n��yY�|��d �k��r��t��j �d��d��|��j
�d��|�����|��_��n��|��j��j��|�����\��}��} �| �d���j
�} �Wn,����t��d��j��t��j�����d���|��j�����������n��X|��d��k��r��t��|��_��d �} �n��| �S(
���s����
Initialize a SSPI context.
:param str username: The name of the user who attempts to login
:param str target: The FQDN of the target to connect to
:param str desired_mech: The negotiated SSPI mechanism
("pseudo negotiated" mechanism, because we
support just the krb5 mechanism :-))
:param recv_token: The SSPI token received from the Server
:raise SSHException: Is raised if the desired mechanism of the client
is not supported
:return: A ``String`` if the SSPI has returned a token or ``None`` if
no token was returned
:rtype: String or None
i����s����host/s����Unsupported mechanism OID.t����Kerberost����scflagst ���targetspns����{0}, Target: {1}i����N(����R����R����R����R����R1���R2���R����R����t����sspit
���ClientAuthRG���R����t ���authorizet����Buffert ���ExceptionRT���RU���RV���R3���R����(
���R ���RX���R4���R%���RY���t����errorRZ���R5���R6���R]���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR^�������s.����� � ���
��������������� ��������������� �����c������������C���sa���|��|��_��|��sH�|��j��|��j��|��j��|��j��|��j�����}��|��j��j��|�����}��n��|��j��j��|��j�����}��|��S(����s����
Create the MIC token for a SSH2 message.
:param str session_id: The SSH session ID
:param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not
:return: gssapi-with-mic:
Returns the MIC token from SSPI for the message we created
with ``_ssh_build_mic``.
gssapi-keyex:
Returns the MIC token from SSPI with the SSH session ID as
message.
:rtype: String
:see: `._ssh_build_mic`
(����R����R>���R����R����R����R����t����signR����(����R ���R<���R`���Ra���Rb���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRc�������s������ ���������������c������������C���s~���|��|��_��|��|��_��d��|��j���}��t��j��d��d��|�����|��_��|��j��j��|�����\��}��}��|��d���j��}��|��d��k��rz�t��|��_��d��}��n��|��S(����s����
Accept a SSPI context (server mode).
:param str hostname: The servers FQDN
:param str username: The name of the user who attempts to login
:param str recv_token: The SSPI Token received from the server,
if it's not the initial call.
:return: A ``String`` if the SSPI has returned a token or ``None`` if
no token was returned
:rtype: String or None
s����host/Rs���t����spni����N(
���R����R����Rv���t
���ServerAuthR����Rx���Ry���R3���R����R����(����R ���Re���R%���RY���RZ���R{���R]���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRf�������s������ � �
�����
��� � �c������������C���sr���|��|��_��|��|��_��|��d��k �rX�|��j��|��j��|��j��|��j��|��j�����}��|��j��j��|��|������n��|��j��j��|��j��|������d��S(����sd���
Verify the MIC token for a SSH2 message.
:param str mic_token: The MIC token received from the client
:param str session_id: The SSH session ID
:param str username: The name of the user who attempts to login
:return: None if the MIC check was successful
:raises sspi.error: if the MIC check failed
N( ���R����R����R����R>���R����R����R����t����verifyR����(����R ���Rb���R<���R%���Ra���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRh�������s�����
� �������������c������������C���s ���|��j��t��j��@o��|��j��p��|��j��S(����s����
Checks if credentials are delegated (server mode).
:return: ``True`` if credentials are delegated, otherwise ``False``
:rtype: Boolean
(����RG���Ro���Rr���R����(����R ���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRj�������s����� ��c������������C���s
���t�����d��S(����s���
Save the Client token in a file. This is used by the SSH server
to store the client credentails if credentials are delegated
(server mode).
:param str client_token: The SSPI token received form the client
:raise NotImplementedError: Credential delegation is currently not
supported in server mode
N(����Rk���(����R ���Rl���(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyRm���*���s�����
N(
���R?���R@���RA���R!���R����R^���R����Rc���Rf���Rh���Rn���Rj���Rm���(����(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyR��������s�������� ����/�� �����(����RA���R8���R
���RU���R3���t����GSS_AUTH_AVAILABLEt����pyasn1.type.univR����t����pyasn1.codec.derR����R����t����paramiko.commonR����t����paramiko.ssh_exceptionR����R����RB���R
���t����OSErrorRo���Rv���R����R����R����t����objectR����R ���R����(����(����(����s4���/usr/lib/python2.7/site-packages/paramiko/ssh_gss.pyt����<module>����s.�����������������������������������
�
�����������