Authentication modules

Modern, adaptable authentication machinery.

Replaces certain parts of SSHClient. For a concrete implementation, see the OpenSSHAuthStrategy class in Fabric.

class paramiko.auth_strategy.AuthSource(username)

Some SSH authentication source, such as a password, private key, or agent.

See subclasses in this module for concrete implementations.

All implementations must accept at least a username (str) kwarg.

__init__(username)
__repr__()

Return repr(self).

authenticate(transport)

Perform authentication.

__weakref__

list of weak references to the object (if defined)

class paramiko.auth_strategy.NoneAuth(username)

Auth type “none”, ie https://www.rfc-editor.org/rfc/rfc4252#section-5.2 .

authenticate(transport)

Perform authentication.

class paramiko.auth_strategy.Password(username, password_getter)

Password authentication.

Parameters

password_getter (callable) –

A lazy callable that should return a str password value at authentication time, such as a functools.partial wrapping getpass.getpass, an API call to a secrets store, or similar.

If you already know the password at instantiation time, you should simply use something like lambda: "my literal" (for a literal, but also, shame on you!) or lambda: variable_name (for something stored in a variable).

__init__(username, password_getter)
__repr__()

Return repr(self).

authenticate(transport)

Perform authentication.

class paramiko.auth_strategy.PrivateKey(username)

Essentially a mixin for private keys.

Knows how to auth, but leaves key material discovery/loading/decryption to subclasses.

Subclasses must ensure that they’ve set self.pkey to a decrypted PKey instance before calling super().authenticate; typically either in their __init__, or in an overridden authenticate prior to its super call.

authenticate(transport)

Perform authentication.

class paramiko.auth_strategy.InMemoryPrivateKey(username, pkey)

An in-memory, decrypted PKey object.

__init__(username, pkey)
__repr__()

Return repr(self).

class paramiko.auth_strategy.OnDiskPrivateKey(username, source, path, pkey)

Some on-disk private key that needs opening and possibly decrypting.

Parameters
  • source (str) – String tracking where this key’s path was specified; should be one of "ssh-config", "python-config", or "implicit-home".

  • path (Path) – The filesystem path this key was loaded from.

  • pkey (PKey) – The PKey object this auth source uses/represents.

__init__(username, source, path, pkey)
__repr__()

Return repr(self).

class paramiko.auth_strategy.SourceResult(source, result)
__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

static __new__(_cls, source, result)

Create new instance of SourceResult(source, result)

__repr__()

Return a nicely formatted representation string

property result

Alias for field number 1

property source

Alias for field number 0

class paramiko.auth_strategy.AuthResult(strategy, *args, **kwargs)

Represents a partial or complete SSH authentication attempt.

This class conceptually extends AuthStrategy by pairing the former’s authentication sources with the results of trying to authenticate with them.

AuthResult is a (subclass of) list of namedtuple, which are of the form namedtuple('SourceResult', 'source', 'result') (where the source member is an AuthSource and the result member is either a return value from the relevant Transport method, or an exception object).

Note

Transport auth method results are always themselves a list of “next allowable authentication methods”.

In the simple case of “you just authenticated successfully”, it’s an empty list; if your auth was rejected but you’re allowed to try again, it will be a list of string method names like pubkey or password.

The __str__ of this class represents the empty-list scenario as the word success, which should make reading the result of an authentication session more obvious to humans.

Instances also have a strategy attribute referencing the AuthStrategy which was attempted.

__init__(strategy, *args, **kwargs)
__str__()

Return str(self).

__weakref__

list of weak references to the object (if defined)

exception paramiko.auth_strategy.AuthFailure(result)

Basic exception wrapping an AuthResult indicating overall auth failure.

Note that AuthFailure descends from AuthenticationException but is generally “higher level”; the latter is now only raised by individual AuthSource attempts and should typically only be seen by users when encapsulated in this class. It subclasses AuthenticationException primarily for backwards compatibility reasons.

__init__(result)
__str__()

Return str(self).

class paramiko.auth_strategy.AuthStrategy(ssh_config)

This class represents one or more attempts to auth with an SSH server.

By default, subclasses must at least accept an ssh_config (SSHConfig) keyword argument, but may opt to accept more as needed for their particular strategy.

__init__(ssh_config)
get_sources()

Generator yielding AuthSource instances, in the order to try.

This is the primary override point for subclasses: you figure out what sources you need, and yield them.

Subclasses _of_ subclasses may find themselves wanting to do things like filtering or discarding around a call to super.

authenticate(transport)

Handles attempting AuthSource instances yielded from get_sources.

You normally won’t need to override this, but it’s an option for advanced users.

__weakref__

list of weak references to the object (if defined)

AuthHandler

class paramiko.auth_handler.AuthHandler(transport)

Internal class to handle the mechanics of authentication.

__init__(transport)
auth_interactive(username, handler, event, submethods='')

response_list = handler(title, instructions, prompt_list)

__weakref__

list of weak references to the object (if defined)

class paramiko.auth_handler.GssapiWithMicAuthHandler(delegate, sshgss)

A specialized Auth handler for gssapi-with-mic

During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique.

__init__(delegate, sshgss)
__weakref__

list of weak references to the object (if defined)

class paramiko.auth_handler.AuthOnlyHandler(transport)

AuthHandler, and just auth, no service requests!

New in version 3.2.

send_auth_request(username, method, finish_message=None)

Submit a userauth request message & wait for response.

Performs the transport message send call, sets self.auth_event, and will lock-n-block as necessary to both send, and wait for response to, the USERAUTH_REQUEST.

Most callers will want to supply a callback to finish_message, which accepts a Message m and may call mutator methods on it to add more fields.

auth_interactive(username, handler, submethods='')

response_list = handler(title, instructions, prompt_list)