ó Ú_e[c@sddZddlZddlZddlZeZdZddlmZddl m Z m Z dZ yddl Z e jfZWnqeefk rñy:ddlZddlZddlZdZ ejfZWqòek ríeZdZ qòXnXddlmZddlmZed „Zd efd „ƒYZd efd „ƒYZdefd„ƒYZdS(sÌ This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 iÿÿÿÿN(tObjectIdentifier(tencodertdecodertMITtSSPI(tMSG_USERAUTH_REQUEST(t SSHExceptioncCsQtdkrt||ƒStdkrAtjdkrAt||ƒStdƒ‚dS(s© Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI` (Unix) object or an `_SSH_SSPI` (Windows) object :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported. :see: `RFC 4462 `_ :note: Check for the available API and return either an `._SSH_GSSAPI` (MIT GSSAPI) object or an `._SSH_SSPI` (MS SSPI) object. If you get python-gssapi working on Windows, python-gssapi will be used and a `._SSH_GSSAPI` object will be returned. If there is no supported API available, ``None`` will be returned. RRtnts)Unable to import a GSS-API / SSPI module!N(t_APIt _SSH_GSSAPItostnamet _SSH_SSPIt ImportError(t auth_methodtgss_deleg_creds((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pytGSSAuthFs    t _SSH_GSSAuthcBsPeZdZd„Zd„Zd„Zdd„Zd„Zd„Zd„Z RS( s[ Contains the shared variables and methods of `._SSH_GSSAPI` and `._SSH_SSPI`. cCsp||_||_d|_d|_d|_d|_d|_d|_t |_ d|_ t |_ d|_ dS(sÝ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not sssh-connections1.2.840.113554.1.2.2N(t _auth_methodt_gss_deleg_credstNonet _gss_hostt _usernamet _session_idt_servicet _krb5_mecht _gss_ctxttFalset_gss_ctxt_statust _gss_srv_ctxtt_gss_srv_ctxt_statustcc_file(tselfRR((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyt__init__hs           cCs|jdƒr||_ndS(sì This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service sssh-N(tfindR(R tservice((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyt set_serviceƒscCs ||_dS(sÔ Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login N(R(R tusername((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyt set_usernameŽstclientcCs\|jdƒ}tjt|jƒƒ}|jt|ƒƒ}|dkrP||S|||S(sÄ This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :note: In server mode we just return the OID length and the DER encoded OID. itserver(t _make_uint32RtencodeRRtlen(R tmodetOIDstkrb5_OIDtOID_len((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyt ssh_gss_oids—s  cCs2tj|ƒ\}}|jƒ|jkr.tStS(sè Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} (Rtdecodet__str__RRtTrue(R t desired_mechtmecht__((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pytssh_check_mechªscCstjd|ƒS(sÇ Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer s!I(tstructtpack(R tinteger((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyR)¸scCs´|jt|ƒƒ}||7}|tjdtƒ7}||jt|ƒƒ7}||jƒ7}||jt|ƒƒ7}||jƒ7}||jt|ƒƒ7}||jƒ7}|S(sÎ Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) tB(R)R+R8R9RR*(R t session_idR%R#Rtmic((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyt_ssh_build_micÁs ( t__name__t __module__t__doc__R!R$R&R0R7R)R>(((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyRcs    R cBseeZdZd„Zdddd„Zed„Zdd„Zdd„Z e d„ƒZ d„Z RS( sc Implementation of the GSS-API MIT Kerberos Authentication for SSH2. :see: `.GSSAuth` cCs_tj|||ƒ|jr@tjtjtjtjf|_ntjtjtjf|_dS(sÝ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not N( RR!RtgssapitC_PROT_READY_FLAGt C_INTEG_FLAGt C_MUTUAL_FLAGt C_DELEG_FLAGt _gss_flags(R RR((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyR!äs c Csq||_||_tjd|jtjƒ}tjƒ}|j|_|dkrjtj j |j ƒ}nNt j |ƒ\}} |jƒ|j kr£tdƒ‚ntj j |j ƒ}d} y[|dkrtjd|d|d|jƒ|_|jj| ƒ} n|jj|ƒ} WnBtjk r]djtjƒd|jƒ} tj| ƒ‚nX|jj|_| S( sË Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned shost@sUnsupported mechanism OID.t peer_namet mech_typet req_flagss {} Target: {}iN(RRRBtNametC_NT_HOSTBASED_SERVICEtContextRGtflagsRtOIDtmech_from_stringRRR1R2Rt InitContextRtstept GSSExceptiontformattsystexc_infot establishedR( R ttargetR4R%t recv_tokent targ_nametctxt krb5_mechR5R6ttokentmessage((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pytssh_init_sec_contextös4       cCsa||_|sH|j|j|j|j|jƒ}|jj|ƒ}n|jj|jƒ}|S(sÞ Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. (RR>RRRRtget_micR(R R<tgss_kext mic_fieldt mic_token((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyt ssh_get_mic%s   cCsX||_||_|jdkr3tjƒ|_n|jj|ƒ}|jj|_|S(s³ Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned N( RRRRRBt AcceptContextRRRWR(R thostnameRYR%R]((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pytssh_accept_sec_context>s  cCsu||_||_|jdk r[|j|j|j|j|jƒ}|jj||ƒn|jj|j|ƒdS(st Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.GSSException`` -- if the MIC check failed N( RRRR>RRRt verify_micR(R RcR<R%Rb((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyt ssh_check_micRs    cCs|jjdk rtStS(s‘ Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` N(Rtdelegated_credRR3R(R ((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pytcredentials_delegatedkscCs t‚dS(s~ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode N(tNotImplementedError(R t client_token((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pytsave_client_credsvs N( R?R@RAR!RR_RRdRgRitpropertyRkRn(((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyR Þs .    R cBsbeZdZd„Zdddd„Zed„Zd„Zdd„Z e d„ƒZ d„Z RS( sf Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` cCsPtj|||ƒ|jr9tjtjBtjB|_ntjtjB|_dS(sÝ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not N(RR!RtsspicontISC_REQ_INTEGRITYtISC_REQ_MUTUAL_AUTHtISC_REQ_DELEGATERG(R RR((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyR!Šs   c Cs"||_||_d}d|j}|dk rmtj|ƒ\}}|jƒ|jkrmtdƒ‚qmnyY|dkr tj dd|j d|ƒ|_ n|j j |ƒ\}} | dj } Wn7tjk rÿ} | jdj| |jƒ7_‚nX|dkrt|_d} n| S( s¼ Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned ishost/sUnsupported mechanism OID.tKerberostscflagst targetspns , Target: {}N(RRRRR1R2RRtsspit ClientAuthRGRt authorizetBuffert pywintypesterrortstrerrorRTR3R( R RXR4R%RYR|RZR5R6R]te((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyR_žs.         cCsa||_|sH|j|j|j|j|jƒ}|jj|ƒ}n|jj|jƒ}|S(sÚ Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. (RR>RRRRtsignR(R R<RaRbRc((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyRdÏs   cCs~||_||_d|j}tjdd|ƒ|_|jj|ƒ\}}|dj}|dkrzt|_d}n|S(s§ Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned shost/RttspniN( RRRwt ServerAuthRRyRzR3RR(R RfR%RYRZR|R]((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyRgès       cCsr||_||_|dk rX|j|j|j|j|jƒ}|jj||ƒn|jj|j|ƒdS(sk Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``sspi.error`` -- if the MIC check failed N( RRRR>RRRtverifyR(R RcR<R%Rb((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyRiþs     cCs |jtj@o|jp|jS(s‘ Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` (RGRpRsR(R ((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyRkscCs t‚dS(s{ Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode N(Rl(R Rm((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyRn&s N( R?R@RAR!RR_RRdRgRiRoRkRn(((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyR „s 0    (( RAR8R RUR3tGSS_AUTH_AVAILABLEtGSS_EXCEPTIONStpyasn1.type.univRtpyasn1.codec.derRRRRBRSR tOSErrorR{RpRwR|RRtparamiko.commonRtparamiko.ssh_exceptionRRtobjectRR R (((s4/tmp/pip-install-KP2Jbq/paramiko/paramiko/ssh_gss.pyts6         {¦