Authentication modules¶
Modern, adaptable authentication machinery.
Replaces certain parts of SSHClient
. For a concrete implementation, see the
OpenSSHAuthStrategy
class in Fabric.
- class paramiko.auth_strategy.AuthSource(username)¶
Some SSH authentication source, such as a password, private key, or agent.
See subclasses in this module for concrete implementations.
All implementations must accept at least a
username
(str
) kwarg.- __init__(username)¶
- __repr__()¶
Return repr(self).
- authenticate(transport)¶
Perform authentication.
- __weakref__¶
list of weak references to the object (if defined)
- class paramiko.auth_strategy.NoneAuth(username)¶
Auth type “none”, ie https://www.rfc-editor.org/rfc/rfc4252#section-5.2 .
- authenticate(transport)¶
Perform authentication.
- class paramiko.auth_strategy.Password(username, password_getter)¶
Password authentication.
- Parameters
password_getter (callable) –
A lazy callable that should return a
str
password value at authentication time, such as afunctools.partial
wrappinggetpass.getpass
, an API call to a secrets store, or similar.If you already know the password at instantiation time, you should simply use something like
lambda: "my literal"
(for a literal, but also, shame on you!) orlambda: variable_name
(for something stored in a variable).
- __init__(username, password_getter)¶
- __repr__()¶
Return repr(self).
- authenticate(transport)¶
Perform authentication.
- class paramiko.auth_strategy.PrivateKey(username)¶
Essentially a mixin for private keys.
Knows how to auth, but leaves key material discovery/loading/decryption to subclasses.
Subclasses must ensure that they’ve set
self.pkey
to a decryptedPKey
instance before callingsuper().authenticate
; typically either in their__init__
, or in an overriddenauthenticate
prior to itssuper
call.- authenticate(transport)¶
Perform authentication.
- class paramiko.auth_strategy.InMemoryPrivateKey(username, pkey)¶
An in-memory, decrypted
PKey
object.- __init__(username, pkey)¶
- __repr__()¶
Return repr(self).
- class paramiko.auth_strategy.OnDiskPrivateKey(username, source, path, pkey)¶
Some on-disk private key that needs opening and possibly decrypting.
- Parameters
- __init__(username, source, path, pkey)¶
- __repr__()¶
Return repr(self).
- class paramiko.auth_strategy.SourceResult(source, result)¶
- __getnewargs__()¶
Return self as a plain tuple. Used by copy and pickle.
- static __new__(_cls, source, result)¶
Create new instance of SourceResult(source, result)
- __repr__()¶
Return a nicely formatted representation string
- property result¶
Alias for field number 1
- property source¶
Alias for field number 0
- class paramiko.auth_strategy.AuthResult(strategy, *args, **kwargs)¶
Represents a partial or complete SSH authentication attempt.
This class conceptually extends
AuthStrategy
by pairing the former’s authentication sources with the results of trying to authenticate with them.AuthResult
is a (subclass of)list
ofnamedtuple
, which are of the formnamedtuple('SourceResult', 'source', 'result')
(where thesource
member is anAuthSource
and theresult
member is either a return value from the relevantTransport
method, or an exception object).Note
Transport auth method results are always themselves a
list
of “next allowable authentication methods”.In the simple case of “you just authenticated successfully”, it’s an empty list; if your auth was rejected but you’re allowed to try again, it will be a list of string method names like
pubkey
orpassword
.The
__str__
of this class represents the empty-list scenario as the wordsuccess
, which should make reading the result of an authentication session more obvious to humans.Instances also have a
strategy
attribute referencing theAuthStrategy
which was attempted.- __init__(strategy, *args, **kwargs)¶
- __str__()¶
Return str(self).
- __weakref__¶
list of weak references to the object (if defined)
- exception paramiko.auth_strategy.AuthFailure(result)¶
Basic exception wrapping an
AuthResult
indicating overall auth failure.Note that
AuthFailure
descends fromAuthenticationException
but is generally “higher level”; the latter is now only raised by individualAuthSource
attempts and should typically only be seen by users when encapsulated in this class. It subclassesAuthenticationException
primarily for backwards compatibility reasons.- __init__(result)¶
- __str__()¶
Return str(self).
- class paramiko.auth_strategy.AuthStrategy(ssh_config)¶
This class represents one or more attempts to auth with an SSH server.
By default, subclasses must at least accept an
ssh_config
(SSHConfig
) keyword argument, but may opt to accept more as needed for their particular strategy.- __init__(ssh_config)¶
- get_sources()¶
Generator yielding
AuthSource
instances, in the order to try.This is the primary override point for subclasses: you figure out what sources you need, and
yield
them.Subclasses _of_ subclasses may find themselves wanting to do things like filtering or discarding around a call to
super
.
- authenticate(transport)¶
Handles attempting
AuthSource
instances yielded fromget_sources
.You normally won’t need to override this, but it’s an option for advanced users.
- __weakref__¶
list of weak references to the object (if defined)
- class paramiko.auth_handler.AuthHandler(transport)¶
Internal class to handle the mechanics of authentication.
- __init__(transport)¶
- auth_interactive(username, handler, event, submethods='')¶
response_list = handler(title, instructions, prompt_list)
- __weakref__¶
list of weak references to the object (if defined)
- class paramiko.auth_handler.GssapiWithMicAuthHandler(delegate, sshgss)¶
A specialized Auth handler for gssapi-with-mic
During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique.
- __init__(delegate, sshgss)¶
- __weakref__¶
list of weak references to the object (if defined)
- class paramiko.auth_handler.AuthOnlyHandler(transport)¶
AuthHandler, and just auth, no service requests!
New in version 3.2.
- send_auth_request(username, method, finish_message=None)¶
Submit a userauth request message & wait for response.
Performs the transport message send call, sets self.auth_event, and will lock-n-block as necessary to both send, and wait for response to, the USERAUTH_REQUEST.
Most callers will want to supply a callback to
finish_message
, which accepts a Messagem
and may call mutator methods on it to add more fields.
- auth_interactive(username, handler, submethods='')¶
response_list = handler(title, instructions, prompt_list)