GSS-API authentication¶
This module provides GSS-API / SSPI authentication as defined in RFC 4462.
Note
Credential delegation is not supported in server mode.
See also
New in version 1.15.
- paramiko.ssh_gss.GSS_AUTH_AVAILABLE = False¶
A boolean constraint that indicates if GSS-API / SSPI is available.
- paramiko.ssh_gss.GSS_EXCEPTIONS = ()¶
A tuple of the exception types used by the underlying GSSAPI implementation.
- paramiko.ssh_gss.GSSAuth(auth_method, gss_deleg_creds=True)¶
Provide SSH2 GSS-API / SSPI authentication.
- Parameters
- Returns
Either an
_SSH_GSSAPI_OLD
or_SSH_GSSAPI_NEW
(Unix) object or an_SSH_SSPI
(Windows) object- Return type
- Raises
ImportError
– If no GSS-API / SSPI module could be imported.- See
- Note
Check for the available API and return either an
_SSH_GSSAPI_OLD
(MIT GSSAPI using python-gssapi package) object, an_SSH_GSSAPI_NEW
(MIT GSSAPI using gssapi package) object or an_SSH_SSPI
(MS SSPI) object. If there is no supported API available,None
will be returned.
- class paramiko.ssh_gss._SSH_GSSAuth(auth_method, gss_deleg_creds)¶
Contains the shared variables and methods of
_SSH_GSSAPI_OLD
,_SSH_GSSAPI_NEW
and_SSH_SSPI
.- __init__(auth_method, gss_deleg_creds)¶
- set_service(service)¶
This is just a setter to use a non default service. I added this method, because RFC 4462 doesn’t specify “ssh-connection” as the only service value.
- Parameters
service (str) – The desired SSH service
- set_username(username)¶
Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}.
- Parameters
username (str) – The name of the user who attempts to login
- ssh_gss_oids(mode='client')¶
This method returns a single OID, because we only support the Kerberos V5 mechanism.
- Parameters
mode (str) – Client for client mode and server for server mode
- Returns
A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER
- Note
In server mode we just return the OID length and the DER encoded OID.
- ssh_check_mech(desired_mech)¶
Check if the given OID is the Kerberos V5 OID (server mode).
- Parameters
desired_mech (str) – The desired GSS-API mechanism of the client
- Returns
True
if the given OID is supported, otherwise C{False}
- __weakref__¶
list of weak references to the object (if defined)
- class paramiko.ssh_gss._SSH_GSSAPI_OLD(auth_method, gss_deleg_creds)¶
Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package.
- See
- __init__(auth_method, gss_deleg_creds)¶
- ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)¶
Initialize a GSS-API context.
- Parameters
username (str) – The name of the user who attempts to login
target (str) – The hostname of the target to connect to
desired_mech (str) – The negotiated GSS-API mechanism (“pseudo negotiated” mechanism, because we support just the krb5 mechanism :-))
recv_token (str) – The GSS-API token received from the Server
- Raises
SSHException
– Is raised if the desired mechanism of the client is not supported- Returns
A
String
if the GSS-API has returned a token orNone
if no token was returned
- ssh_get_mic(session_id, gss_kex=False)¶
Create the MIC token for a SSH2 message.
- Parameters
- Returns
gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with
_ssh_build_mic
. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message.
- ssh_accept_sec_context(hostname, recv_token, username=None)¶
Accept a GSS-API context (server mode).
- ssh_check_mic(mic_token, session_id, username=None)¶
Verify the MIC token for a SSH2 message.
- property credentials_delegated¶
Checks if credentials are delegated (server mode).
- Returns
True
if credentials are delegated, otherwiseFalse
- save_client_creds(client_token)¶
Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode).
- Parameters
client_token (str) – The GSS-API token received form the client
- Raises
NotImplementedError
– Credential delegation is currently not supported in server mode
- class paramiko.ssh_gss._SSH_GSSAPI_NEW(auth_method, gss_deleg_creds)¶
Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package.
- See
- __init__(auth_method, gss_deleg_creds)¶
- ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)¶
Initialize a GSS-API context.
- Parameters
username (str) – The name of the user who attempts to login
target (str) – The hostname of the target to connect to
desired_mech (str) – The negotiated GSS-API mechanism (“pseudo negotiated” mechanism, because we support just the krb5 mechanism :-))
recv_token (str) – The GSS-API token received from the Server
- Raises
SSHException
– Is raised if the desired mechanism of the client is not supported- Raises
gssapi.exceptions.GSSError
if there is an error signaled by the GSS-API implementation- Returns
A
String
if the GSS-API has returned a token orNone
if no token was returned
- ssh_get_mic(session_id, gss_kex=False)¶
Create the MIC token for a SSH2 message.
- Parameters
- Returns
gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with
_ssh_build_mic
. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message.- Return type
- ssh_accept_sec_context(hostname, recv_token, username=None)¶
Accept a GSS-API context (server mode).
- ssh_check_mic(mic_token, session_id, username=None)¶
Verify the MIC token for a SSH2 message.
- property credentials_delegated¶
Checks if credentials are delegated (server mode).
- Returns
True
if credentials are delegated, otherwiseFalse
- Return type
- save_client_creds(client_token)¶
Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode).
- Parameters
client_token (str) – The GSS-API token received form the client
- Raises
NotImplementedError
– Credential delegation is currently not supported in server mode
- class paramiko.ssh_gss._SSH_SSPI(auth_method, gss_deleg_creds)¶
Implementation of the Microsoft SSPI Kerberos Authentication for SSH2.
- See
- __init__(auth_method, gss_deleg_creds)¶
- ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)¶
Initialize a SSPI context.
- Parameters
- Raises
SSHException
– Is raised if the desired mechanism of the client is not supported- Returns
A
String
if the SSPI has returned a token orNone
if no token was returned
- ssh_get_mic(session_id, gss_kex=False)¶
Create the MIC token for a SSH2 message.
- Parameters
- Returns
gssapi-with-mic: Returns the MIC token from SSPI for the message we created with
_ssh_build_mic
. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message.
- ssh_accept_sec_context(hostname, username, recv_token)¶
Accept a SSPI context (server mode).
- ssh_check_mic(mic_token, session_id, username=None)¶
Verify the MIC token for a SSH2 message.
- property credentials_delegated¶
Checks if credentials are delegated (server mode).
- Returns
True
if credentials are delegated, otherwiseFalse
- save_client_creds(client_token)¶
Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode).
- Parameters
client_token (str) – The SSPI token received form the client
- Raises
NotImplementedError
– Credential delegation is currently not supported in server mode