a °…bÄã@s$dZddlZddlZddlZddlmZmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'ddl(m)Z)ddl*m+Z+m,Z,ddl-m.Z.m/Z/m0Z0m1Z1ddl2m3Z3ddl4m5Z5m6Z6Gd d „d e7ƒZ8Gd d „d e7ƒZ9dS) z `.AuthHandler` éN)#ÚcMSG_SERVICE_REQUESTÚcMSG_DISCONNECTÚ DISCONNECT_SERVICE_NOT_AVAILABLEÚ)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLEÚcMSG_USERAUTH_REQUESTÚcMSG_SERVICE_ACCEPTÚDEBUGÚAUTH_SUCCESSFULÚINFOÚcMSG_USERAUTH_SUCCESSÚcMSG_USERAUTH_FAILUREÚAUTH_PARTIALLY_SUCCESSFULÚcMSG_USERAUTH_INFO_REQUESTÚWARNINGÚ AUTH_FAILEDÚcMSG_USERAUTH_PK_OKÚcMSG_USERAUTH_INFO_RESPONSEÚMSG_SERVICE_REQUESTÚMSG_SERVICE_ACCEPTÚMSG_USERAUTH_REQUESTÚMSG_USERAUTH_SUCCESSÚMSG_USERAUTH_FAILUREÚMSG_USERAUTH_BANNERÚMSG_USERAUTH_INFO_REQUESTÚMSG_USERAUTH_INFO_RESPONSEÚcMSG_USERAUTH_GSSAPI_RESPONSEÚcMSG_USERAUTH_GSSAPI_TOKENÚcMSG_USERAUTH_GSSAPI_MICÚMSG_USERAUTH_GSSAPI_RESPONSEÚMSG_USERAUTH_GSSAPI_TOKENÚMSG_USERAUTH_GSSAPI_ERRORÚMSG_USERAUTH_GSSAPI_ERRTOKÚMSG_USERAUTH_GSSAPI_MICÚ MSG_NAMESÚcMSG_USERAUTH_BANNER)ÚMessage)ÚbÚu)Ú SSHExceptionÚAuthenticationExceptionÚBadAuthenticationTypeÚPartialAuthentication)ÚInteractiveQuery)ÚGSSAuthÚGSS_EXCEPTIONSc @s6eZdZdZdd„Zdd„Zdd„Zdd „Zd d „Zd d „Z dd„Z dBdd„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd „Zd!d"„Zd#d$„Zd%d&„Zd'd(„Zd)d*„Zd+d,„Zd-d.„Zd/d0„Zd1d2„Zd3d4„Zd5d6„Zd7d8„Zd9d:„Zd;d<„Z d=d>„Z!e"ee#ee$e iZ%e&ee'ee(ee)ee*eiZ+e,d?d@„ƒZ-dAS)CÚ AuthHandlerzC Internal class to handle the mechanics of authentication. cCs^t |¡|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_dS)NFÚrT)ÚweakrefÚproxyÚ transportÚusernameÚ authenticatedÚ auth_eventÚ auth_methodÚbannerÚpasswordÚ private_keyÚinteractive_handlerÚ submethodsÚ auth_usernameÚauth_fail_countÚgss_hostÚgss_deleg_creds)Úselfr3©rBú@óz:AuthHandler._finalize_pubkey_algorithm..zOur pubkey algorithm list: {}zFAn RSA key was specified, but no RSA pubkey algorithms are configured!zserver-sig-algsr0ú,zServer-side algorithm list: {}rz)No common pubkey algorithms exist! Dying.z=Unable to agree on a pubkey algorithm for signing a {!r} key!zYServer did not send a server-sig-algs list; defaulting to our first preferred algo ({!r})z”NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!)rFrrˆÚendswithÚreÚsearchr3Úremote_versionZ_agreed_pubkey_algorithmr†r(r'Zserver_extensionsÚgetr&ÚsplitÚlistÚfilterÚ __contains__r)) rArnZ pubkey_algoZmy_algosZserver_algo_strZ server_algosZ agreementr‹ÚmsgrBrBrCÚ_finalize_pubkey_algorithm$slÿþ ÿ  ÿÿÿ  ÿþ þ z&AuthHandler._finalize_pubkey_algorithmc CsÚ| ¡}|dkrÄ| td¡tƒ}| t¡| |j¡| d¡| |j¡|jdkr||  d¡t |j ƒ}| |¡n:|jdkrî|  d¡|  |j ¡\}}| |¡}| |¡| |¡| |j d|j|¡}|j  ||¡}| |¡nÈ|jdkr| d ¡| |j¡n¢|jd krTt|j|jƒ} | |  ¡¡|j |¡|jj ¡\} }| tkr|| |¡|jj ¡\} }| tkrÖ| ¡} tƒ}| t¡z| |  |j | |j¡¡Wn0t!yê} z| "| ¡WYd} ~ Sd} ~ 00|j |¡|jj ¡\} }| t#krø| ¡} z|  |j | |j| ¡}Wn0t!yb} z| "| ¡WYd} ~ Sd} ~ 00|durtq°n&tƒ}| t¡| |¡|j $|¡qøt%d  &t'| ¡ƒ‚tƒ}| t(¡| |  )|jj*¡¡n|| t+krêt%d ƒ‚nh| t,kr(| -¡}| -¡}| ¡}| ¡t%d  &|||¡ƒ‚n*| t.kr@| /|¡dSt%d  &t'| ¡ƒ‚nb|jdkr˜|jj0r˜|jj1}| 2|j¡| )|jj*¡}| |¡n|jdkr¦nt%d &|j¡ƒ‚|j |¡n| td &|¡¡dS)Nrczuserauth is OKússh-connectionr9FrUTrYr0r\zReceived Package: {}zServer returned an error tokenzCGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} r^rLzUnknown auth method "{}"z!Service request "{}" accepted (?))3rrFrr%rdrrer4r7rrr&r9rpr:rrwZ sign_ssh_datar<r-r@Ú add_bytesÚ ssh_gss_oidsr3rfZ packetizerZ read_messagerÚ_parse_userauth_bannerrÚ get_stringrZssh_init_sec_contextr?r.Ú_handle_local_gss_failurerÚ send_messager(rˆr#rZ ssh_get_micrqr!r Úget_intrÚ_parse_userauth_failureZ gss_kex_usedÚ kexgss_ctxtZ set_username)rArhrsr9rnrvrtÚblobÚsigÚsshgssÚptypeZmechrZ srv_tokenZ next_tokenZ maj_statusZ min_statusÚerr_msgZkexgssÚ mic_tokenrBrBrCÚ_parse_service_acceptosÚ              ü         ÿÿ   ü     ÿ    ûÿ   ÿÿþ    ÿ ÿz!AuthHandler._parse_service_acceptcCsÂtƒ}|tkr2| td |¡¡| t¡d|_n\| td |¡¡| t¡|  |j j   |¡¡|t krv| d¡n| d¡|jd7_|j  |¡|jdkr¬| ¡|tkr¾|j  ¡dS)NzAuth granted ({}).TzAuth rejected ({}).Féé )r%r rFr rˆrdr r5r rer3r‚Zget_allowed_authsr rrr>rfrmÚ _auth_trigger)rAr4ÚmethodÚresultrhrBrBrCÚ_send_auth_result÷s&   ÿ    zAuthHandler._send_auth_resultcCs|tƒ}| t¡| |j¡| |j¡| tƒ¡| t|j ƒ¡|j D] }| |d¡|  |d¡qJ|j   |¡dS)Nrr¯) r%rdrreÚnameÚ instructionsÚbytesrjÚlenÚpromptsrrr3rf)rAÚqrhÚprBrBrCÚ_interactive_querys     zAuthHandler._interactive_queryc Cs†|jjs| |||¡}t ƒ}|  t ¡|  t |ƒ¡|D]}| |¡qŠ|j |¡dS)NrYz Illegal info request from server)r7r(rr¿r¥ÚrangeÚappendr¾r;r%rdrrjr¸rer3rf) rArhÚtitler¶r¹Z prompt_listÚiZ response_listÚrrBrBrCÚ_parse_userauth_info_requestùs$  ÿ  z(AuthHandler._parse_userauth_info_requestcCsr|jjstdƒ‚| ¡}g}t|ƒD]}| | ¡¡q$|jj |¡}t |t ƒr^|  |¡dS|  |j d|¡dS)Nz!Illegal info response from serverrY)r3rJr(r¥rÏrÐrr‚Zcheck_auth_interactive_responserÅr,r¼r´r=)rArhÚnÚ responsesrÒr³rBrBrCÚ_parse_userauth_info_responses ÿ  ÿz)AuthHandler._parse_userauth_info_responsecCsR||j_| td |¡¡| td |j¡¡d|_d|_|j durN|j   ¡dS)NzGSSAPI failure: {}rÌF) r3rÍrFrrˆr r7r5r4r6r`)rArrBrBrCr£ s  z%AuthHandler._handle_local_gss_failurecCs|jjr|jS|jSdSrE)r3rJÚ_server_handler_tableÚ_client_handler_tablerHrBrBrCÚ_handler_tableDszAuthHandler._handler_tableN)r0).rÄÚ __module__Ú __qualname__Ú__doc__rDrFrIrKrTrWrXr[r]r_rarPrlrmrprwr€r„rŒrr®r´r¼rÊrËr¦r¡rÔr×r£rrrrØrrrrrrÙÚpropertyrÚrBrBrBrCr/LsZ          K  4 ýû r/c@sœeZdZdZdZdd„Zdd„Zedd„ƒZed d „ƒZ ed d „ƒZ ed d„ƒZ dd„Z dd„Z dd„Zdd„Zdd„Zeeeeee eeiZedd„ƒZdS)rÆz°A specialized Auth handler for gssapi-with-mic During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique. r\cCs||_||_dSrE)Ú _delegaterª)rAZdelegaterªrBrBrCrDUsz!GssapiWithMicAuthHandler.__init__cCs| ¡|j ¡SrE)Ú_restore_delegate_auth_handlerrßrarHrBrBrCraYszGssapiWithMicAuthHandler.abortcCs|jjSrE)rßr3rHrBrBrCr3]sz"GssapiWithMicAuthHandler.transportcCs|jjSrE)rßr´rHrBrBrCr´asz*GssapiWithMicAuthHandler._send_auth_resultcCs|jjSrE)rßr=rHrBrBrCr=esz&GssapiWithMicAuthHandler.auth_usernamecCs|jjSrE)rßr?rHrBrBrCr?isz!GssapiWithMicAuthHandler.gss_hostcCs|j|j_dSrE)rßr3rÇrHrBrBrCràmsz7GssapiWithMicAuthHandler._restore_delegate_auth_handlerc Cs²| ¡}|j}z| |j||j¡}WnLtyp}z4||j_t}|  ¡|  |j|j |¡‚WYd}~n d}~00|dur®t ƒ}|  t¡| |¡tttf|j_|j |¡dSrE)r¢rªZssh_accept_sec_contextr?r=rÃr3rÍrràr´r²r%rdrrerr"rrÈrf)rArhZ client_tokenrªÚtokenrr³rBrBrCÚ_parse_userauth_gssapi_tokenps* ÿ  ýz5GssapiWithMicAuthHandler._parse_userauth_gssapi_tokenc Csž| ¡}|j}|j}| ¡z| ||jj|¡WnBtyt}z*||j_t }|  ||j |¡‚WYd}~n d}~00t }|jj  ||¡|  ||j |¡dSrE)r¢rªr=ràrÉr3rqrÃrÍrr´r²r r‚Zcheck_auth_gssapi_with_mic)rArhr­rªr4rr³rBrBrCÚ_parse_userauth_gssapi_micŠs$ ÿÿz3GssapiWithMicAuthHandler._parse_userauth_gssapi_miccCs| ¡|j |¡SrE)ràrßr„rgrBrBrCr„¢sz/GssapiWithMicAuthHandler._parse_service_requestcCs| ¡|j |¡SrE)ràrßrÊrgrBrBrCrʦsz0GssapiWithMicAuthHandler._parse_userauth_requestcCs|jSrE)Ú(_GssapiWithMicAuthHandler__handler_tablerHrBrBrCrÚ±sz'GssapiWithMicAuthHandler._handler_tableN)rÄrÛrÜrÝr²rDrarÞr3r´r=r?ràrârãr„rÊrrrr"rärÚrBrBrBrCrÆLs0    ürÆ):rÝr1rxr”Zparamiko.commonrrrrrrrr r r r r rrrrrrrrrrrrrrrrrrr r!r"r#r$Zparamiko.messager%Zparamiko.py3compatr&r'Zparamiko.ssh_exceptionr(r)r*r+Zparamiko.serverr,Zparamiko.ssh_gssr-r.Úobjectr/rÆrBrBrBrCÚs"”%