o Uh)p @s,dZddlZddlZddlZdZdZdZz"ddlZeedr*ej dkr*dZej fZn dZej j ej jjfZWn-eefyczddlZddlZddlZd ZejfZWn ey`d ZdZYnwYnwdd lmZdd lmZdd dZGdddZGdddeZGdddeZGdddeZdS)z This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 NT __title__z python-gssapiMITPYTHON-GSSAPI-NEWSSPIF)MSG_USERAUTH_REQUEST) SSHExceptioncCsHtdkr t||Stdkrt||Stdkr tjdkr t||Std)a Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: object :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported. :see: `RFC 4462 `_ :note: Check for the available API and return either an `._SSH_GSSAPI_OLD` (MIT GSSAPI using python-gssapi package) object, an `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object or an `._SSH_SSPI` (MS SSPI) object. If there is no supported API available, ``None`` will be returned. rrrntz)Unable to import a GSS-API / SSPI module!)_API_SSH_GSSAPI_OLD_SSH_GSSAPI_NEWosname _SSH_SSPI ImportError) auth_methodgss_deleg_credsrrC/var/www/html/venv/lib/python3.10/site-packages/paramiko/ssh_gss.pyGSSAuthMs   rc@sJeZdZdZddZddZddZdd d Zd d Zd dZ ddZ dS) _SSH_GSSAuthzs Contains the shared variables and methods of `._SSH_GSSAPI_OLD`, `._SSH_GSSAPI_NEW` and `._SSH_SSPI`. cCsN||_||_d|_d|_d|_d|_ d|_d|_d|_d|_ d|_ d|_ dS) :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not Nzssh-connectionz1.2.840.113554.1.2.2F) _auth_method_gss_deleg_creds _gss_host _username _session_id_service _krb5_mech _gss_ctxt_gss_ctxt_status _gss_srv_ctxt_gss_srv_ctxt_statuscc_fileselfrrrrr__init__ss z_SSH_GSSAuth.__init__cCs|dr ||_dSdS)z This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service zssh-N)findr)r$servicerrr set_services  z_SSH_GSSAuth.set_servicecCs ||_dS)z Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login N)r)r$usernamerrr set_usernames z_SSH_GSSAuth.set_usernameclientcCs\ddlm}ddlm}|d}|||j}|t|}|dkr(||S|||S)a This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :note: In server mode we just return the OID length and the DER encoded OID. r)ObjectIdentifier)encoderserver)pyasn1.type.univr,pyasn1.codec.derr- _make_uint32encoderlen)r$moder,r-OIDskrb5_OIDOID_lenrrr ssh_gss_oidss   z_SSH_GSSAuth.ssh_gss_oidscCs0ddlm}||\}}||jkrdSdS)z Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} rdecoderFT)r1r;decode__str__r)r$ desired_mechr;mech__rrrssh_check_mechs z_SSH_GSSAuth.ssh_check_mechcCs td|S)z Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer z!I)structpack)r$integerrrrr2s z_SSH_GSSAuth._make_uint32cCs|t|}||7}|tdt7}||t|7}||7}||t|7}||7}||t|7}||7}|S)a Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) B)r2r4rBrCrr3)r$ session_idr)r'rmicrrr_ssh_build_mics   z_SSH_GSSAuth._ssh_build_micN)r+) __name__ __module__ __qualname____doc__r%r(r*r9rAr2rHrrrrrms  rc@VeZdZdZddZ dddZddd Zdd d Zdd d Ze ddZ ddZ dS)r z Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package. :see: `.GSSAuth` cCsDt||||jrtjtjtjtjf|_dStjtjtjf|_dSrN) rr%rgssapiC_PROT_READY_FLAG C_INTEG_FLAG C_MUTUAL_FLAG C_DELEG_FLAG _gss_flagsr#rrrr%s  z_SSH_GSSAPI_OLD.__init__Nc Csddlm}||_||_td|jtj}t}|j|_ |dur*tj |j }n| |\} } | |j krr) recv_tokenr; targ_namectx krb5_mechr?r@tokenmessagerrrssh_init_sec_context s>     z$_SSH_GSSAPI_OLD.ssh_init_sec_contextFcCD||_|s||j|j|j|j}|j|}|S|j|j}|S)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. )rrHrrrrget_micr r$rFgss_kex mic_field mic_tokenrrr ssh_get_mic@  z_SSH_GSSAPI_OLD.ssh_get_miccCs:||_||_|jdurt|_|j|}|jj|_|S) Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned N)rrr rO AcceptContextrarfr!r$hostnamerhr)rlrrrssh_accept_sec_context[s     z&_SSH_GSSAPI_OLD.ssh_accept_sec_contextcCT||_||_|jdur ||j|j|j|j}|j||dS|j|j|dS)at Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.GSSException`` -- if the MIC check failed N)rrrHrrr verify_micrr$rtrFr)rsrrr ssh_check_mico  z_SSH_GSSAPI_OLD.ssh_check_miccC|jjdurdSdS) Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` NTF)r delegated_credr$rrrcredentials_delegateds z%_SSH_GSSAPI_OLD.credentials_delegatedcCt)a~ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode NotImplementedErrorr$ client_tokenrrrsave_client_creds z!_SSH_GSSAPI_OLD.save_client_credsNNNFN rIrJrKrLr%rnrur{rpropertyrrrrrrr s 4    r c@rM)r z Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package. :see: `.GSSAuth` cCsRt||||jrtjjtjjtjjtjjf|_ dStjjtjjtjjf|_ dSrN) rr%rrORequirementFlagprotection_ready integritymutual_authenticationdelegate_to_peerrTr#rrrr%s  z_SSH_GSSAPI_NEW.__init__Nc Csddlm}||_||_tjd|jtjjd}|dur.||\}}| |j kr.t dtj j } d} |durJtj||j| dd|_|j| } n|j|} |jj|_| S) ae Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :raises: ``gssapi.exceptions.GSSError`` if there is an error signaled by the GSS-API implementation :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned rr:rU) name_typeNrVinitiate)rr]r?usage)r1r;rrrOrZNameTypehostbased_servicer<r=rrMechTypekerberosSecurityContextrTrracompleter) r$rgr>r)rhr;rir?r@rkrlrrrrns0   z$_SSH_GSSAPI_NEW.ssh_init_sec_contextFcCro)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: str )rrHrrrr get_signaturer rqrrrrus z_SSH_GSSAPI_NEW.ssh_get_miccCs>||_||_|jdurtjdd|_|j|}|jj|_|S)rwNaccept)r)rrr rOrrarr!ryrrrr{ s    z&_SSH_GSSAPI_NEW.ssh_accept_sec_contextcCr|)a{ Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed N)rrrHrrr verify_signaturerr~rrrrrz_SSH_GSSAPI_NEW.ssh_check_miccCr)z Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` :rtype: bool NTF)r delegated_credsrrrrr8s z%_SSH_GSSAPI_NEW.credentials_delegatedcCr)aw Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode rrrrrrDs z!_SSH_GSSAPI_NEW.save_client_credsrrrrrrrrr s .    r c@sTeZdZdZddZ dddZddd Zd d Zdd d Ze ddZ ddZ dS)rzf Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` cCs>t||||jrtjtjBtjB|_dStjtjB|_dSrN)rr%rsspiconISC_REQ_INTEGRITYISC_REQ_MUTUAL_AUTHISC_REQ_DELEGATErTr#rrrr%Xs z_SSH_SSPI.__init__Nc Csddlm}||_||_d}d|j}|dur)||\}} ||jkr)tdz|dur8tj d|j |d|_ |j |\}} | dj } Wntjy_} z | jd|j7_d} ~ ww|dkrk d |_d} | S) a Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned rr:host/NrVKerberos)scflags targetspnz , Target: {}T)r1r;rrr<r=rrsspi ClientAuthrTr authorizeBuffer pywintypeserrorstrerrorrcr) r$rgr>r)rhr;rrir?r@rlerrrrnks6  z_SSH_SSPI.ssh_init_sec_contextFcCro)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. )rrHrrrrsignr rqrrrrurvz_SSH_SSPI.ssh_get_miccCsV||_||_d|j}tjd|d|_|j|\}}|dj}|dkr)d|_d}|S)a Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned rr)spnrTN)rrr ServerAuthr rrr!)r$rzr)rhrirrlrrrr{s   z _SSH_SSPI.ssh_accept_sec_contextcCsR||_||_|dur||j|j|j|j}|j||dS|j|j|dS)ak Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``sspi.error`` -- if the MIC check failed N)rrrHrrr verifyrr~rrrrs z_SSH_SSPI.ssh_check_miccCs|jtj@o |jp |jS)r)rTrrr!rrrrrs  z_SSH_SSPI.credentials_delegatedcCr)a{ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode rrrrrrrz_SSH_SSPI.save_client_credsrrrrrrrrrQs 4   r)T)rLrBr rdGSS_AUTH_AVAILABLEGSS_EXCEPTIONSr rOhasattrrrb exceptions GeneralErrorrawmiscGSSErrorrOSErrorrrrrparamiko.commonrparamiko.ssh_exceptionrrrr r rrrrrsP       50