U ¨Ãq`Ã|ã@sdZddlZddlZddlmZmZmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&ddl'm(Z(ddl)m*Z*ddl+m,Z,m-Z-m.Z.m/Z/ddl0m1Z1ddl2m3Z3m4Z4Gd d „d e5ƒZ6Gd d „d e5ƒZ7dS) z `.AuthHandler` éN)#ÚcMSG_SERVICE_REQUESTÚcMSG_DISCONNECTÚ DISCONNECT_SERVICE_NOT_AVAILABLEÚ)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLEÚcMSG_USERAUTH_REQUESTÚcMSG_SERVICE_ACCEPTÚDEBUGÚAUTH_SUCCESSFULÚINFOÚcMSG_USERAUTH_SUCCESSÚcMSG_USERAUTH_FAILUREÚAUTH_PARTIALLY_SUCCESSFULÚcMSG_USERAUTH_INFO_REQUESTÚWARNINGÚ AUTH_FAILEDÚcMSG_USERAUTH_PK_OKÚcMSG_USERAUTH_INFO_RESPONSEÚMSG_SERVICE_REQUESTÚMSG_SERVICE_ACCEPTÚMSG_USERAUTH_REQUESTÚMSG_USERAUTH_SUCCESSÚMSG_USERAUTH_FAILUREÚMSG_USERAUTH_BANNERÚMSG_USERAUTH_INFO_REQUESTÚMSG_USERAUTH_INFO_RESPONSEÚcMSG_USERAUTH_GSSAPI_RESPONSEÚcMSG_USERAUTH_GSSAPI_TOKENÚcMSG_USERAUTH_GSSAPI_MICÚMSG_USERAUTH_GSSAPI_RESPONSEÚMSG_USERAUTH_GSSAPI_TOKENÚMSG_USERAUTH_GSSAPI_ERRORÚMSG_USERAUTH_GSSAPI_ERRTOKÚMSG_USERAUTH_GSSAPI_MICÚ MSG_NAMESÚcMSG_USERAUTH_BANNER)ÚMessage)Úb)Ú SSHExceptionÚAuthenticationExceptionÚBadAuthenticationTypeÚPartialAuthentication)ÚInteractiveQuery)ÚGSSAuthÚGSS_EXCEPTIONSc @seZdZdZdd„Zdd„Zdd„Zdd „Zd d „Zd d „Z dd„Z d|jj ¡z||_d|_||_| ¡W5|jj ¡XdS)NÚnone©r2ÚlockÚacquireÚreleaser5r6r3Ú _request_auth©r@r3ÚeventrArArBÚ auth_nonens  zAuthHandler.auth_nonecCsD|jj ¡z$||_d|_||_||_| ¡W5|jj ¡XdS)NÚ publickey) r2rMrNrOr5r6r3r9rP)r@r3ÚkeyrRrArArBÚauth_publickeyxs  zAuthHandler.auth_publickeycCsD|jj ¡z$||_d|_||_||_| ¡W5|jj ¡XdS)Nr8) r2rMrNrOr5r6r3r8rP)r@r3r8rRrArArBÚ auth_passwordƒs  zAuthHandler.auth_passwordr/cCsJ|jj ¡z*||_d|_||_||_||_|  ¡W5|jj ¡XdS)zK response_list = handler(title, instructions, prompt_list) úkeyboard-interactiveN) r2rMrNrOr5r6r3r:r;rP)r@r3ÚhandlerrRr;rArArBÚauth_interactiveŽs  zAuthHandler.auth_interactivecCsJ|jj ¡z*||_d|_||_||_||_|  ¡W5|jj ¡XdS)Núgssapi-with-mic) r2rMrNrOr5r6r3r>r?rP)r@r3r>r?rRrArArBÚauth_gssapi_with_mics  z AuthHandler.auth_gssapi_with_miccCs>|jj ¡z||_d|_||_| ¡W5|jj ¡XdS)Nú gssapi-keyexrLrQrArArBÚauth_gssapi_keyex©s  zAuthHandler.auth_gssapi_keyexcCs|jdk r|j ¡dSrD)r5ÚsetrGrArArBÚabort³s zAuthHandler.abortcCs*tƒ}| t¡| d¡|j |¡dS©Nú ssh-userauth)r%Úadd_byterÚ add_stringr2Ú _send_message©r@ÚmrArArBrP¹s  zAuthHandler._request_authcCsHtƒ}| t¡| t¡| d¡| d¡|j |¡|j ¡dS)NzService not availableÚen) r%rcrÚadd_intrrdr2reÚcloserfrArArBÚ!_disconnect_service_not_available¿s     z-AuthHandler._disconnect_service_not_availablecCsHtƒ}| t¡| t¡| d¡| d¡|j |¡|j ¡dS)NzNo more auth methods availablerh) r%rcrrirrdr2rerjrfrArArBÚ_disconnect_no_more_authÈs     z$AuthHandler._disconnect_no_more_authcCsŠtƒ}| |jj¡| t¡| |¡| |¡| d¡| d¡|jrj| |jj¡| |jj ¡n| |  ¡¡| |¡|  ¡S)NrTT) r%rdr2Ú session_idrcrÚ add_booleanÚ public_blobÚkey_typeÚkey_blobÚget_nameZasbytes)r@rUÚservicer3rgrArArBÚ_get_session_blobÑs      zAuthHandler._get_session_blobcCsÂd}|jjdk r t ¡|jj}| d¡|j ¡s^|j ¡}|dksRt|jtƒrZt dƒ}|‚|  ¡rhq†|dk r |t ¡kr t dƒ‚q |  ¡s¾|j ¡}|dkr¨t dƒ}t|jt ƒrº|j S|‚gS)Ngš™™™™™¹?zAuthentication failed.zAuthentication timeout.)r2Z auth_timeoutÚtimeÚwaitZ is_activeZ get_exceptionÚ issubclassÚ __class__ÚEOFErrorr(Úis_setrHr*Z allowed_types)r@rRZmax_tsÚerArArBÚwait_for_responseâs*       zAuthHandler.wait_for_responsecCs’| ¡}|jjr†|dkr†tƒ}| t¡| |¡|j |¡|jj  ¡\}}|r‚tƒ}| t ¡| |¡| |¡|j |¡dS|  ¡dSra) Úget_textr2rIr%rcrrdreÚ server_objectZ get_bannerr$rk)r@rgrsr7ÚlanguagerArArBÚ_parse_service_requestýs       z"AuthHandler._parse_service_requestc Csô| ¡}|dkrÞ| td¡tƒ}| t¡| |j¡| d¡| |j¡|jdkr||  d¡t |j ƒ}| |¡nT|jdkr|  d¡|j j r¼| |j j j¡| |j j j¡n| |j  ¡¡| |j ¡| |j d|j¡}|j  |¡}| |¡nÌ|jdkr*| d ¡| |j¡n¦|jd krnt|j|jƒ}| | ¡¡|j |¡|jj ¡\}}|tkr’| |¡|jj ¡\}}|tkrð| ¡}tƒ}| t ¡z| | !|j"||j¡¡Wn2t#k r} z| $| ¡WY¢Sd} ~ XYnX|j |¡|jj ¡\}}|t%kr| ¡} z| !|j"||j| ¡} Wn2t#k r|} z| $| ¡WY¢Sd} ~ XYnX| dkrŽqÊn&tƒ}| t ¡| | ¡|j &|¡qt'd  (t)|¡ƒ‚tƒ}| t*¡| | +|jj,¡¡n||t-krt'd ƒ‚nh|t.krB| /¡} | /¡} | ¡}| ¡t'd  (| | |¡ƒ‚n*|t0krZ| 1|¡dSt'd  (t)|¡ƒ‚nb|jdkr²|jj2r²|jj3}| 4|j¡| +|jj,¡}| |¡n|jdkrÀnt'd (|j¡ƒ‚|j |¡n| td (|¡¡dS)Nrbzuserauth is OKússh-connectionr8FrTTrXr/r[zReceived Package: {}zServer returned an error tokenzCGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} r]rKzUnknown auth method "{}"z!Service request "{}" accepted (?))5r}rErr%rcrrdr3r6rnr&r8r9rorprqrrrtZ sign_ssh_datar;r,r?Ú add_bytesÚ ssh_gss_oidsr2reZ packetizerZ read_messagerÚ_parse_userauth_bannerrÚ get_stringrZssh_init_sec_contextr>r-Ú_handle_local_gss_failurerÚ send_messager'Úformatr#rZ ssh_get_micrmr!r Úget_intrÚ_parse_userauth_failureZ gss_kex_usedÚ kexgss_ctxtZ set_username)r@rgrsr8ÚblobÚsigÚsshgssÚptypeZmechr{Z srv_tokenZ next_tokenZ maj_statusZ min_statusÚerr_msgZkexgssÚ mic_tokenrArArBÚ_parse_service_acceptsä            ÿ         ÿÿ   ü     ÿ    ûÿ   ÿÿþ    ÿÿz!AuthHandler._parse_service_acceptcCsÂtƒ}|tkr2| td |¡¡| t¡d|_n\| td |¡¡| t¡|  |j j   |¡¡|t krv| d¡n| d¡|jd7_|j  |¡|jdkr¬| ¡|tkr¾|j  ¡dS)NzAuth granted ({}).TzAuth rejected ({}).Féé )r%r rEr rˆrcr r4r rdr2r~Zget_allowed_authsr rnr=rerlÚ _auth_trigger)r@r3ÚmethodÚresultrgrArArBÚ_send_auth_result–s&   ÿ    zAuthHandler._send_auth_resultcCs|tƒ}| t¡| |j¡| |j¡| tƒ¡| t|j ƒ¡|j D] }| |d¡|  |d¡qJ|j   |¡dS)Nrr“) r%rcrrdÚnameÚ instructionsÚbytesriÚlenÚpromptsrnr2re)r@ÚqrgÚprArArBÚ_interactive_query®s     zAuthHandler._interactive_queryc CsŽ|jjs| |||¡}t ƒ}|  t ¡|  t |ƒ¡|D]}| |¡qŠ|j |¡dS)NrXz Illegal info request from server)r6r'r}r¤r‰ÚrangeÚappendr£r:r%rcrrirœrdr2re) r@rgÚtitleršrZ prompt_listÚiZ response_listÚrrArArBÚ_parse_userauth_info_request“s(  ÿ  z(AuthHandler._parse_userauth_info_requestcCsr|jjstdƒ‚| ¡}g}t|ƒD]}| | ¡¡q$|jj |¡}t |t ƒr^|  |¡dS|  |j d|¡dS)Nz!Illegal info response from serverrX)r2rIr'r‰rµr¶r}r~Zcheck_auth_interactive_responserªr+r r˜r<)r@rgÚnÚ responsesr¸r—rArArBÚ_parse_userauth_info_response¨s" ÿ  ÿz)AuthHandler._parse_userauth_info_responsecCsR||j_| td |¡¡| td |j¡¡d|_d|_|j dk rN|j   ¡dS)NzGSSAPI failure: {}r²F) r2r³rErrˆr r6r4r3r5r_)r@r{rArArBr†ºs  z%AuthHandler._handle_local_gss_failurecCs|jjr|jS|jSdSrD)r2rIÚ_server_handler_tableÚ_client_handler_tablerGrArArBÚ_handler_tableÞszAuthHandler._handler_tableN)r/)+r©Ú __module__Ú __qualname__Ú__doc__rCrErHrJrSrVrWrZr\r^r`rPrkrlrtr|r€r’r˜r r°r±rŠr„rºr½r†rrrr¾rrrrrr¿ÚpropertyrÀrArArArBr.Ksd        / ýû r.c@sœeZdZdZdZdd„Zdd„Zedd„ƒZed d „ƒZ ed d „ƒZ ed d„ƒZ dd„Z dd„Z dd„Zdd„Zdd„Zeeeeee eeiZedd„ƒZdS)r«z°A specialized Auth handler for gssapi-with-mic During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique. r[cCs||_||_dSrD)Ú _delegaterŽ)r@ZdelegaterŽrArArBrCïsz!GssapiWithMicAuthHandler.__init__cCs| ¡|j ¡SrD)Ú_restore_delegate_auth_handlerrÅr`rGrArArBr`ószGssapiWithMicAuthHandler.abortcCs|jjSrD)rÅr2rGrArArBr2÷sz"GssapiWithMicAuthHandler.transportcCs|jjSrD)rÅr˜rGrArArBr˜ûsz*GssapiWithMicAuthHandler._send_auth_resultcCs|jjSrD)rÅr<rGrArArBr<ÿsz&GssapiWithMicAuthHandler.auth_usernamecCs|jjSrD)rÅr>rGrArArBr>sz!GssapiWithMicAuthHandler.gss_hostcCs|j|j_dSrD)rÅr2r¬rGrArArBrÆsz7GssapiWithMicAuthHandler._restore_delegate_auth_handlerc Cs°| ¡}|j}z| |j||j¡}WnJtk rn}z,||j_t}|  ¡|  |j|j |¡‚W5d}~XYnX|dk r¬t ƒ}|  t¡| |¡tttf|j_|j |¡dSrD)r…rŽZssh_accept_sec_contextr>r<r¨r2r³rrÆr˜r–r%rcrrdrr"rr­re)r@rgZ client_tokenrŽÚtokenr{r—rArArBÚ_parse_userauth_gssapi_token s.ÿ  ýz5GssapiWithMicAuthHandler._parse_userauth_gssapi_tokenc Csœ| ¡}|j}|j}| ¡z| ||jj|¡Wn@tk rr}z"||j_t }|  ||j |¡‚W5d}~XYnXt }|jj  ||¡|  ||j |¡dSrD)r…rŽr<rÆr®r2rmr¨r³rr˜r–r r~Zcheck_auth_gssapi_with_mic)r@rgr‘rŽr3r{r—rArArBÚ_parse_userauth_gssapi_mic$s*ÿÿz3GssapiWithMicAuthHandler._parse_userauth_gssapi_miccCs| ¡|j |¡SrD)rÆrÅr€rfrArArBr€<sz/GssapiWithMicAuthHandler._parse_service_requestcCs| ¡|j |¡SrD)rÆrÅr°rfrArArBr°@sz0GssapiWithMicAuthHandler._parse_userauth_requestcCs|jSrD)Ú(_GssapiWithMicAuthHandler__handler_tablerGrArArBrÀKsz'GssapiWithMicAuthHandler._handler_tableN)r©rÁrÂrÃr–rCr`rÄr2r˜r<r>rÆrÈrÉr€r°rrrr"rÊrÀrArArArBr«æs8    ür«)8rÃr0ruZparamiko.commonrrrrrrrr r r r r rrrrrrrrrrrrrrrrrrr r!r"r#r$Zparamiko.messager%Zparamiko.py3compatr&Zparamiko.ssh_exceptionr'r(r)r*Zparamiko.serverr+Zparamiko.ssh_gssr,r-Úobjectr.r«rArArArBÚs”%