GSS-API authentication

This module provides GSS-API / SSPI authentication as defined in RFC 4462.

Note

Credential delegation is not supported in server mode.

New in version 1.15.

paramiko.ssh_gss.GSSAuth(auth_method, gss_deleg_creds=True)

Provide SSH2 GSS-API / SSPI authentication.

Parameters:
  • auth_method (str) – The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex)
  • gss_deleg_creds (bool) – Delegate client credentials or not. We delegate credentials by default.
Returns:

Either an _SSH_GSSAPI_OLD or _SSH_GSSAPI_NEW (Unix) object or an _SSH_SSPI (Windows) object

Return type:

object

Raises:

ImportError – If no GSS-API / SSPI module could be imported.

See:

RFC 4462

Note:

Check for the available API and return either an _SSH_GSSAPI_OLD (MIT GSSAPI using python-gssapi package) object, an _SSH_GSSAPI_NEW (MIT GSSAPI using gssapi package) object or an _SSH_SSPI (MS SSPI) object. If there is no supported API available, None will be returned.

class paramiko.ssh_gss._SSH_GSSAuth(auth_method, gss_deleg_creds)

Contains the shared variables and methods of _SSH_GSSAPI_OLD, _SSH_GSSAPI_NEW and _SSH_SSPI.

__init__(auth_method, gss_deleg_creds)
Parameters:
  • auth_method (str) – The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex)
  • gss_deleg_creds (bool) – Delegate client credentials or not
__weakref__

list of weak references to the object (if defined)

set_service(service)

This is just a setter to use a non default service. I added this method, because RFC 4462 doesn’t specify “ssh-connection” as the only service value.

Parameters:service (str) – The desired SSH service
set_username(username)

Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}.

Parameters:username (str) – The name of the user who attempts to login
ssh_check_mech(desired_mech)

Check if the given OID is the Kerberos V5 OID (server mode).

Parameters:desired_mech (str) – The desired GSS-API mechanism of the client
Returns:True if the given OID is supported, otherwise C{False}
ssh_gss_oids(mode='client')

This method returns a single OID, because we only support the Kerberos V5 mechanism.

Parameters:mode (str) – Client for client mode and server for server mode
Returns:A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER
Note:In server mode we just return the OID length and the DER encoded OID.
class paramiko.ssh_gss._SSH_GSSAPI_OLD(auth_method, gss_deleg_creds)

Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package.

See:GSSAuth
__init__(auth_method, gss_deleg_creds)
Parameters:
  • auth_method (str) – The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex)
  • gss_deleg_creds (bool) – Delegate client credentials or not
credentials_delegated

Checks if credentials are delegated (server mode).

Returns:True if credentials are delegated, otherwise False
save_client_creds(client_token)

Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode).

Parameters:client_token (str) – The GSS-API token received form the client
Raises:NotImplementedError – Credential delegation is currently not supported in server mode
ssh_accept_sec_context(hostname, recv_token, username=None)

Accept a GSS-API context (server mode).

Parameters:
  • hostname (str) – The servers hostname
  • username (str) – The name of the user who attempts to login
  • recv_token (str) – The GSS-API Token received from the server, if it’s not the initial call.
Returns:

A String if the GSS-API has returned a token or None if no token was returned

ssh_check_mic(mic_token, session_id, username=None)

Verify the MIC token for a SSH2 message.

Parameters:
  • mic_token (str) – The MIC token received from the client
  • session_id (str) – The SSH session ID
  • username (str) – The name of the user who attempts to login
Returns:

None if the MIC check was successful

Raises:

gssapi.GSSException – if the MIC check failed

ssh_get_mic(session_id, gss_kex=False)

Create the MIC token for a SSH2 message.

Parameters:
  • session_id (str) – The SSH session ID
  • gss_kex (bool) – Generate the MIC for GSS-API Key Exchange or not
Returns:

gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with _ssh_build_mic. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message.

ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)

Initialize a GSS-API context.

Parameters:
  • username (str) – The name of the user who attempts to login
  • target (str) – The hostname of the target to connect to
  • desired_mech (str) – The negotiated GSS-API mechanism (“pseudo negotiated” mechanism, because we support just the krb5 mechanism :-))
  • recv_token (str) – The GSS-API token received from the Server
Raises:

SSHException – Is raised if the desired mechanism of the client is not supported

Returns:

A String if the GSS-API has returned a token or None if no token was returned

class paramiko.ssh_gss._SSH_GSSAPI_NEW(auth_method, gss_deleg_creds)

Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package.

See:GSSAuth
__init__(auth_method, gss_deleg_creds)
Parameters:
  • auth_method (str) – The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex)
  • gss_deleg_creds (bool) – Delegate client credentials or not
credentials_delegated

Checks if credentials are delegated (server mode).

Returns:True if credentials are delegated, otherwise False
Return type:bool
save_client_creds(client_token)

Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode).

Parameters:client_token (str) – The GSS-API token received form the client
Raises:NotImplementedError – Credential delegation is currently not supported in server mode
ssh_accept_sec_context(hostname, recv_token, username=None)

Accept a GSS-API context (server mode).

Parameters:
  • hostname (str) – The servers hostname
  • username (str) – The name of the user who attempts to login
  • recv_token (str) – The GSS-API Token received from the server, if it’s not the initial call.
Returns:

A String if the GSS-API has returned a token or None if no token was returned

ssh_check_mic(mic_token, session_id, username=None)

Verify the MIC token for a SSH2 message.

Parameters:
  • mic_token (str) – The MIC token received from the client
  • session_id (str) – The SSH session ID
  • username (str) – The name of the user who attempts to login
Returns:

None if the MIC check was successful

Raises:

gssapi.exceptions.GSSError – if the MIC check failed

ssh_get_mic(session_id, gss_kex=False)

Create the MIC token for a SSH2 message.

Parameters:
  • session_id (str) – The SSH session ID
  • gss_kex (bool) – Generate the MIC for GSS-API Key Exchange or not
Returns:

gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with _ssh_build_mic. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message.

Return type:

str

ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)

Initialize a GSS-API context.

Parameters:
  • username (str) – The name of the user who attempts to login
  • target (str) – The hostname of the target to connect to
  • desired_mech (str) – The negotiated GSS-API mechanism (“pseudo negotiated” mechanism, because we support just the krb5 mechanism :-))
  • recv_token (str) – The GSS-API token received from the Server
Raises:

SSHException – Is raised if the desired mechanism of the client is not supported

Raises:

gssapi.exceptions.GSSError if there is an error signaled by the GSS-API implementation

Returns:

A String if the GSS-API has returned a token or None if no token was returned

class paramiko.ssh_gss._SSH_SSPI(auth_method, gss_deleg_creds)

Implementation of the Microsoft SSPI Kerberos Authentication for SSH2.

See:GSSAuth
__init__(auth_method, gss_deleg_creds)
Parameters:
  • auth_method (str) – The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex)
  • gss_deleg_creds (bool) – Delegate client credentials or not
credentials_delegated

Checks if credentials are delegated (server mode).

Returns:True if credentials are delegated, otherwise False
save_client_creds(client_token)

Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode).

Parameters:client_token (str) – The SSPI token received form the client
Raises:NotImplementedError – Credential delegation is currently not supported in server mode
ssh_accept_sec_context(hostname, username, recv_token)

Accept a SSPI context (server mode).

Parameters:
  • hostname (str) – The servers FQDN
  • username (str) – The name of the user who attempts to login
  • recv_token (str) – The SSPI Token received from the server, if it’s not the initial call.
Returns:

A String if the SSPI has returned a token or None if no token was returned

ssh_check_mic(mic_token, session_id, username=None)

Verify the MIC token for a SSH2 message.

Parameters:
  • mic_token (str) – The MIC token received from the client
  • session_id (str) – The SSH session ID
  • username (str) – The name of the user who attempts to login
Returns:

None if the MIC check was successful

Raises:

sspi.error – if the MIC check failed

ssh_get_mic(session_id, gss_kex=False)

Create the MIC token for a SSH2 message.

Parameters:
  • session_id (str) – The SSH session ID
  • gss_kex (bool) – Generate the MIC for Key Exchange with SSPI or not
Returns:

gssapi-with-mic: Returns the MIC token from SSPI for the message we created with _ssh_build_mic. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message.

ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)

Initialize a SSPI context.

Parameters:
  • username (str) – The name of the user who attempts to login
  • target (str) – The FQDN of the target to connect to
  • desired_mech (str) – The negotiated SSPI mechanism (“pseudo negotiated” mechanism, because we support just the krb5 mechanism :-))
  • recv_token – The SSPI token received from the Server
Raises:

SSHException – Is raised if the desired mechanism of the client is not supported

Returns:

A String if the SSPI has returned a token or None if no token was returned