GSS-API authentication¶
This module provides GSS-API / SSPI authentication as defined in RFC 4462.
Note
Credential delegation is not supported in server mode.
See also
New in version 1.15.
- paramiko.ssh_gss.GSSAuth(auth_method, gss_deleg_creds=True)¶
Provide SSH2 GSS-API / SSPI authentication.
Parameters: Returns: Either an _SSH_GSSAPI (Unix) object or an _SSH_SSPI (Windows) object
Return type: Object
Raises ImportError: If no GSS-API / SSPI module could be imported.
See: Note: Check for the available API and return either an _SSH_GSSAPI (MIT GSSAPI) object or an _SSH_SSPI (MS SSPI) object. If you get python-gssapi working on Windows, python-gssapi will be used and a _SSH_GSSAPI object will be returned. If there is no supported API available, None will be returned.
- class paramiko.ssh_gss._SSH_GSSAuth(auth_method, gss_deleg_creds)¶
Contains the shared variables and methods of _SSH_GSSAPI and _SSH_SSPI.
- __init__(auth_method, gss_deleg_creds)¶
Parameters:
- set_service(service)¶
This is just a setter to use a non default service. I added this method, because RFC 4462 doesn’t specify “ssh-connection” as the only service value.
Parameters: service (str) – The desired SSH service Return type: Void
- set_username(username)¶
Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}.
Parameters: username (str) – The name of the user who attempts to login Return type: Void
- ssh_gss_oids(mode='client')¶
This method returns a single OID, because we only support the Kerberos V5 mechanism.
Parameters: mode (str) – Client for client mode and server for server mode Returns: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER Return type: Bytes Note: In server mode we just return the OID length and the DER encoded OID.
- ssh_check_mech(desired_mech)¶
Check if the given OID is the Kerberos V5 OID (server mode).
Parameters: desired_mech (str) – The desired GSS-API mechanism of the client Returns: True if the given OID is supported, otherwise C{False} Return type: Boolean
- __weakref__¶
list of weak references to the object (if defined)
- class paramiko.ssh_gss._SSH_GSSAPI(auth_method, gss_deleg_creds)¶
Implementation of the GSS-API MIT Kerberos Authentication for SSH2.
See: GSSAuth - __init__(auth_method, gss_deleg_creds)¶
Parameters:
- ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)¶
Initialize a GSS-API context.
Parameters: - username (str) – The name of the user who attempts to login
- target (str) – The hostname of the target to connect to
- desired_mech (str) – The negotiated GSS-API mechanism (“pseudo negotiated” mechanism, because we support just the krb5 mechanism :-))
- recv_token (str) – The GSS-API token received from the Server
Raises SSHException: Is raised if the desired mechanism of the client is not supported
Returns: A String if the GSS-API has returned a token or None if no token was returned
Return type: String or None
- ssh_get_mic(session_id, gss_kex=False)¶
Create the MIC token for a SSH2 message.
Parameters: Returns: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with _ssh_build_mic. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message.
Return type: String
See: _ssh_build_mic
- ssh_accept_sec_context(hostname, recv_token, username=None)¶
Accept a GSS-API context (server mode).
Parameters: Returns: A String if the GSS-API has returned a token or None if no token was returned
Return type: String or None
- ssh_check_mic(mic_token, session_id, username=None)¶
Verify the MIC token for a SSH2 message.
Parameters: Returns: 0 if the MIC check was successful and 1 if it fails
Return type: int
- credentials_delegated¶
Checks if credentials are delegated (server mode).
Returns: True if credentials are delegated, otherwise False Return type: bool
- save_client_creds(client_token)¶
Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode).
Parameters: client_token (str) – The GSS-API token received form the client Raises NotImplementedError: Credential delegation is currently not supported in server mode
- class paramiko.ssh_gss._SSH_SSPI(auth_method, gss_deleg_creds)¶
Implementation of the Microsoft SSPI Kerberos Authentication for SSH2.
See: GSSAuth - __init__(auth_method, gss_deleg_creds)¶
Parameters:
- ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)¶
Initialize a SSPI context.
Parameters: Raises SSHException: Is raised if the desired mechanism of the client is not supported
Returns: A String if the SSPI has returned a token or None if no token was returned
Return type: String or None
- ssh_get_mic(session_id, gss_kex=False)¶
Create the MIC token for a SSH2 message.
Parameters: Returns: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with _ssh_build_mic. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message.
Return type: String
See: _ssh_build_mic
- ssh_accept_sec_context(hostname, username, recv_token)¶
Accept a SSPI context (server mode).
Parameters: Returns: A String if the SSPI has returned a token or None if no token was returned
Return type: String or None
- ssh_check_mic(mic_token, session_id, username=None)¶
Verify the MIC token for a SSH2 message.
Parameters: Returns: 0 if the MIC check was successful
Return type: int
- credentials_delegated¶
Checks if credentials are delegated (server mode).
Returns: True if credentials are delegated, otherwise False Return type: Boolean
- save_client_creds(client_token)¶
Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode).
Parameters: client_token (str) – The SSPI token received form the client Raises NotImplementedError: Credential delegation is currently not supported in server mode
