7g^dZddlZddlZddlZddlZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(ddl)m*Z*ddl+m,Z,m-Z-ddl.m/Z/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6m7Z7Gd d Z8Gd d Z9Gd de8Z:dS)z `.AuthHandler` N)#cMSG_SERVICE_REQUESTcMSG_DISCONNECT DISCONNECT_SERVICE_NOT_AVAILABLE)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLEcMSG_USERAUTH_REQUESTcMSG_SERVICE_ACCEPTDEBUGAUTH_SUCCESSFULINFOcMSG_USERAUTH_SUCCESScMSG_USERAUTH_FAILUREAUTH_PARTIALLY_SUCCESSFULcMSG_USERAUTH_INFO_REQUESTWARNING AUTH_FAILEDcMSG_USERAUTH_PK_OKcMSG_USERAUTH_INFO_RESPONSEMSG_SERVICE_REQUESTMSG_SERVICE_ACCEPTMSG_USERAUTH_REQUESTMSG_USERAUTH_SUCCESSMSG_USERAUTH_FAILUREMSG_USERAUTH_BANNERMSG_USERAUTH_INFO_REQUESTMSG_USERAUTH_INFO_RESPONSEcMSG_USERAUTH_GSSAPI_RESPONSEcMSG_USERAUTH_GSSAPI_TOKENcMSG_USERAUTH_GSSAPI_MICMSG_USERAUTH_GSSAPI_RESPONSEMSG_USERAUTH_GSSAPI_TOKENMSG_USERAUTH_GSSAPI_ERRORMSG_USERAUTH_GSSAPI_ERRTOKMSG_USERAUTH_GSSAPI_MIC MSG_NAMEScMSG_USERAUTH_BANNER)Message)bu) SSHExceptionAuthenticationExceptionBadAuthenticationTypePartialAuthentication)InteractiveQuery)GSSAuthGSS_EXCEPTIONSceZdZdZdZdZdZdZdZdZ dZ d&d Z d Z d Z d ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ d Z!d!Z"e#d"Z$e#d#Z%e#d$Z&d%S)' AuthHandlerzC Internal class to handle the mechanics of authentication. ctj||_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_dS)NFrT)weakrefproxy transportusername authenticated auth_event auth_methodbannerpassword private_keyinteractive_handler submethods auth_usernameauth_fail_countgss_hostgss_deleg_creds)selfr6s O/var/www/html/syslog/venv/lib/python3.11/site-packages/paramiko/auth_handler.py__init__zAuthHandler.__init__Rs{ y11 "  #' !  #c |jj|SN)r6_log)rDargss rErJzAuthHandler._logds"t~"D))rGc|jSrI)r8rDs rEis_authenticatedzAuthHandler.is_authenticatedgs !!rGc6|jjr|jS|jSrI)r6 server_moder@r7rMs rE get_usernamezAuthHandler.get_usernamejs > % !% %= rGc|jj ||_d|_||_||jjdS#|jjwxYwNnoner6lockacquirer9r:r7 _request_authreleaserDr7events rE auth_nonezAuthHandler.auth_noneps ##%%% *#DO%D $DM    N  ' ' ) ) ) ) )DN  ' ' ) ) ) ) )A)) B c&|jj ||_d|_||_||_||jjdS#|jjwxYw)N publickey) r6rVrWr9r:r7r=rXrY)rDr7keyr[s rEauth_publickeyzAuthHandler.auth_publickeyzs ##%%% *#DO*D $DM"D     N  ' ' ) ) ) ) )DN  ' ' ) ) ) ) 0A00 Bc&|jj ||_d|_||_||_||jjdS#|jjwxYw)Nr<) r6rVrWr9r:r7r<rXrY)rDr7r<r[s rE auth_passwordzAuthHandler.auth_passwords ##%%% *#DO)D $DM$DM    N  ' ' ) ) ) ) )DN  ' ' ) ) ) )rbr3c4|jj ||_d|_||_||_||_||jj dS#|jj wxYw)K response_list = handler(title, instructions, prompt_list) keyboard-interactiveN) r6rVrWr9r:r7r>r?rXrY)rDr7handlerr[r?s rEauth_interactivezAuthHandler.auth_interactives ##%%% *#DO5D $DM'.D $(DO    N  ' ' ) ) ) ) )DN  ' ' ) ) ) ) 7A77 Bc4|jj ||_d|_||_||_||_||jj dS#|jj wxYw)Ngssapi-with-mic) r6rVrWr9r:r7rBrCrXrY)rDr7rBrCr[s rEauth_gssapi_with_micz AuthHandler.auth_gssapi_with_mics ##%%% *#DO0D $DM$DM#2D    N  ' ' ) ) ) ) )DN  ' ' ) ) ) )rjc|jj ||_d|_||_||jjdS#|jjwxYw)N gssapi-keyexrUrZs rEauth_gssapi_keyexzAuthHandler.auth_gssapi_keyexs ##%%% *#DO-D $DM    N  ' ' ) ) ) ) )DN  ' ' ) ) ) )r]cJ|j|jdSdSrI)r9setrMs rEabortzAuthHandler.aborts, ? & O   ! ! ! ! ! ' &rGct}|t|d|j|dSN ssh-userauth)r&add_byter add_stringr6 _send_messagerDms rErXzAuthHandler._request_authsL II '((( ^$$$ $$Q'''''rGcDt}|t|t|d|d|j||jdS)NzService not availableen) r&rwradd_intrrxr6rycloserzs rE!_disconnect_service_not_availablez-AuthHandler._disconnect_service_not_availables II ?### 2333 ,--- T $$Q''' rGcDt}|t|t|d|d|j||jdS)NzNo more auth methods availabler}) r&rwrr~rrxr6ryrrzs rE_disconnect_no_more_authz$AuthHandler._disconnect_no_more_auths II ?### ;<<< 5666 T $$Q''' rGcl|jr|jj|jjfS||fS)z Given any key, return its type/algorithm & bits-to-sign. Intended for input to or verification of, key signatures. ) public_blobkey_typekey_blobget_name)rDr`s rE_get_key_type_and_bitsz"AuthHandler._get_key_type_and_bitss6 ? '?+S_-EE E<<>>3& &rGct}||jj|t |||||d|d||\}}|||||S)Nr_T) r&rxr6 session_idrwr add_booleanrasbytes)rDr`servicer7 algorithmr{_bitss rE_get_session_blobzAuthHandler._get_session_blobs II T^./// ())) X W [!!! d--c224 Y Tyy{{rGcd}|jj tj|jjz} |d|jsF|j}|t |jtrtd}|| rn)|&|tjkrtd| sM|j}|td}t |jtr|j S|gS)NTg?z5Authentication failed: transport shut down or saw EOFzAuthentication timeout.zAuthentication failed.)r6 auth_timeouttimewait is_active get_exception issubclass __class__EOFErrorr*is_setrNr, allowed_types)rDr[max_tses rEwait_for_responsezAuthHandler.wait_for_responses6 > & 2Y[[4>#>>F I JJsOOO>++-- N0022I*Q[("C"CI/OA||~~ !f &;&;-.GHHH I$$&& ,,..Ay+,DEE!+'<== '&G rGcJ|}|jjr|dkrt}|t |||j||jj \}}|rlt}|t|||||j|dS| dSru) get_textr6rPr&rwrrxry server_object get_bannerr%r)rDr{rr;languages rE_parse_service_requestz"AuthHandler._parse_service_request s**,, > % 7n+D+D A JJ* + + + LL ! ! ! N ( ( + + +#~;FFHH FH 0II /000 V$$$ X&&&,,Q/// F ..00000rGc|jj}|dd|vr2d}|t||dS|jj|t|S)N-cert-v01@openssh.comr3zz:AuthHandler._finalize_pubkey_algorithm..OsNNN!5A::A:::rGzOur pubkey algorithm list: {}zFAn RSA key was specified, but no RSA pubkey algorithms are configured!zserver-sig-algsr3,zServer-side algorithm list: {}rz)No common pubkey algorithms exist! Dying.z=Unable to agree on a pubkey algorithm for signing a {!r} key!)rJr rendswithresearchr6remote_version_agreed_pubkey_algorithmrr)r(server_extensionsgetr'splitlistfilter __contains__r*r)rDrrrserver_algo_str server_algos agreementrs rE_finalize_pubkey_algorithmz&AuthHandler._finalize_pubkey_algorithm3s  O  > E E        4 5 5 ") *DN,I; ; 9K6ADN 3 IIeH I I I II:AA+NN    ONt~?NNN %8??IIJJJ X  N , 0 01BAbEE J J    *0055L II7>>|LL    VL$=xHHIII D'l  7>>{KK  %!LMMMV-cjj.B.BCCC@@(K   4 5 5 3 2 2K2=/rGcZ |}|dkra|tdt}|t ||j|d||j|jdkr@| dt|j }||nn|jdkr| d| |j \}}||}||||||j d|j|}|j ||}||n|jdkr1|d ||jnb|jd krt%|j|j} || |j||jj\} }| t4kr6|||jj\} }| t8kr|} t}|t< || |j | |jn,#tB$r} |"| cYd} ~ Sd} ~ wwxYw|j| |jj\} }| tFkr|} | |j | |j| }n,#tB$r} |"| cYd} ~ Sd} ~ wwxYw|nXt}|t<|||j$|t}|tP|| )|jj*n| tVkrtKd | tXkrt|-}|-}|}|tKd &|||| t\kr|/|dStKd &tN| |jdkrg|jj0r[|jj1}|2|j|)|jj*}||n3|jdkrn'tKd&|j|j|dS|td&|dS)Nrvzuserauth is OKssh-connectionr<Fr_Trgr3rlzReceived Package: {}zServer returned an error tokenzCGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} rorTzUnknown auth method "{}"z!Service request "{}" accepted (?))3rrJr r&rwrrxr7r:rr'r<rr=rr sign_ssh_datar?r.rC add_bytes ssh_gss_oidsr6ry packetizer read_messager_parse_userauth_bannerr get_stringrssh_init_sec_contextrBr/_handle_local_gss_failurer send_messager)rr$r ssh_get_micrr"r!get_intr_parse_userauth_failure gss_kex_used kexgss_ctxt set_username)rDr{rr<rrrblobsigsshgssptypemechr srv_token next_token maj_status min_statuserr_msgkexgss mic_tokens rE_parse_service_acceptz!AuthHandler._parse_service_accept{s`**,, n $ $ IIe- . . . A JJ, - - - LL ' ' ' LL) * * * LL) * * *:-- e$$$T]++ X&&&&![00 d###!%!4AACCq/////222#~8EEGGHE1888<<>>D AJJ9:::A "77 $ tT] *AAA#==a@@@@@@@@AN00333#'>#<#I#I#K#Kq $===() II-3-H-H$(M$($(M$- ."." $2III'+'E'Ea'H'H H H H H H HI *1 %$+II ! +E F F F ! Z 8 8 8 $ ; ;A > > >-6 AJJ7888LL!3!3DN4M!N!NOOOO888 ''GHHH777!"J!"JllnnGLLNNN& F& G 22200333F&.55i6FGG N22N/33##DM222"..t~/HII  Y''''!V++".55d6FGG N ( ( + + + + + II:AA'JJ     s<4M M/M*$M/*M/"O11 P;PPPct}|tkrP|td||t d|_n|td||t| |j j ||tkr|dn%|d|xjdz c_|j ||jdkr||tkr|j dSdS)NzAuth granted ({}).TzAuth rejected ({}).F )r&r rJr rrwr r8r rxr6rget_allowed_authsrrrAryr _auth_trigger)rDr7methodresultr{s rE_send_auth_resultzAuthHandler._send_auth_resultse II _ $ $ IId077?? @ @ @ JJ, - - -!%D   IId188@@ A A A JJ, - - - LL,>>xHH   222 d#### e$$$$$)$$ $$Q'''  2 % %  ) ) + + + _ $ $ N ( ( * * * * * % $rGct}|t||j||j|t |t|j |j D]8}||d| |d9|j |dS)Nrr) r&rwrrxname instructionsbytesr~lenpromptsrr6ry)rDqr{ps rE_interactive_queryzAuthHandler._interactive_querys II -... QV Q^$$$ UWW #ai..!!!  A LL1    MM!A$     $$Q'''''rGc |jjsnt}|t|d|d|j|dS|jrdS| }| }| }| td ||||dkr| dS|j<|j|kr1| td|dS||_|jj}|dkr!|jj|}n|dkr|}|} |d}n#t.$rYnwxYw|r`| td|} | dd } n#t.$rYnwxYwt0}n|jj||}n|d kr|} | } |} || | } n#t6$rG}| t8d t;|d} Yd}~nWd}~wt<$rG}d }| t8| |jj |d} Yd}~nd}~wwxYw| |dS|jj!|| }|t0kr| snt}|tD|| || |j|dSt|}|#| ||| }| $||s"| t8d t0}n|dkrb|%}|jj&||}tO|tPr|)|dSnF|dkr[|rXtU|}|+}|dkr/| t8d||%}|,|}|s/| t8d||-d}t}|t\|/|ta|||j_1tdtfthf|j_5|j|dS|dkr|r|%}|jj6}|t0}|7||| |8||jj9|jn-#t<$r t0}|7|||wxYwtt}|jj;||n|jj|}|7|||dS)NrTFz.Auth request (type={}) service={}, username={}rzKAuth rejected because the client attempted to change username in mid-flightr<zUTF-8z+Auth request to change passwords (rejected)rr_zAuth rejected: public key: {}z9Auth rejected: unsupported or mangled public key ({}: {})z Auth rejected: invalid signaturergrlrz8Disconnect: Received more than one GSS-API OID mechanismz5Disconnect: Received an invalid GSS-API OID mechanismserverro)/BBDD V  ^1AA(KKFF z ! ! I||~~H #??733      %!NOOOllnn "-"4"4Wi"H"HKK#D$5IIh{ " "==??L IllnnG 55iII    $ ? F Fs1vv N NOOO   Q $ 1;+? C CDDD {--///^1FF#F$$# AJJ2333LL+++LL)))N00333Fallnn----(I))$44)IId$FGGG(F - - -J^1HH*F&"233 ''/// ( ( (X (V__FIIKKEqyy N--///<<>>L++L99G 0 K--///#00::N A JJ4 5 5 5 KK ' ' '*Bf++DN '*$#/DN + N ( ( + + + F ~ % %( % I^/F~$&&x@@@ $$t~8$:L   $&&x@@@ %F N ( @ @&    ^1AA(KKF x88888sT G G-,G-"H99 II8K M/=L M/(=M**M/+&[*[<c|td|jd|_|j|j|jdSdS)NzAuthentication ({}) successful!T) rJr rr:r8r6rr9rrrzs rE_parse_userauth_successz#AuthHandler._parse_userauth_successsw 3::4;KLL   " $$&&& ? & O   ! ! ! ! ! ' &rGc|}|}|r`|td|tdt |zt ||j_n|j |vrhd |j d |fD]}|t|td||j_n3|td |j d|_ d|_ |j|jdSdS)NzAuthentication continues...z Methods: z'Authentication type ({}) not permitted.zAllowed methods: {}zBad authentication typeAuthentication ({}) failed.F)get_listrrJr r rr,r6saved_exceptionr:rr+r8r7r9rr)rDr{authlistpartialrs rErz#AuthHandler._parse_userauth_failuresY::<<--//   IId9 : : : IIe[3x==8 9 9 9-B8-L-LDN * *  X - -9@@$&,,X66  & &  %%%%%-B)8..DN * * II3::4;KLL   # ? & O   ! ! ! ! ! ' &rGc|}||_|td|dS)NzAuth banner: {})rr;rJr r)rDr{r;s rErz"AuthHandler._parse_userauth_banners?  $)008899999rGc|jdkrtd|}|}||}g}t |D]=}|||f>||||}t}| t| t||D]}|||j|dS)Nrgz Illegal info request from server)r:r)rrrrangeappendrr>r&rwrr~rrxr6ry) rDr{titlerr prompt_listi response_listrs rE_parse_userauth_info_requestz(AuthHandler._parse_userauth_info_requests,  5 5 5ABB B zz||  ))++ w @ @A    ammoo> ? ? ? ?00 <   II ./// #m$$%%%  A LLOOOO $$Q'''''rGc|jjstd|}g}t |D])}||*|jj|}t|tr| |dS| |j d|dS)Nz!Illegal info response from serverrg)r6rPr)rr%r&rrcheck_auth_interactive_responser r-rrr@)rDr{n responsesr)rs rE_parse_userauth_info_responsez)AuthHandler._parse_userauth_info_responses~) DBCC C IIKK q + +A   QZZ\\ * * * *-MM    f. / /   # #F + + + F    6     rGc<||j_|td||t d|jd|_d|_|j |j dS)NzGSSAPI failure: {}rF) r6r rJr rr r:r8r7r9rr)rDrs rErz%AuthHandler._handle_local_gss_failure*s)*& %-44Q77888 $5< &(J   rGc ~t|jt|jt|jt |jt|j iSrI) rrrrrrrrrr,rMs rE_client_handler_tablez!AuthHandler._client_handler_tableHs6  : $"> $"> !< %t'H   rGc6|jjr|jS|jSrI)r6rPr4r6rMs rE_handler_tablezAuthHandler._handler_tableTs! > % .- -- -rGNr3)'r __module__ __qualname____doc__rFrJrNrQr\rardrirmrprsrXrrrrrrrrrrrrrrrrr,r1rpropertyr4r6r8rrGrEr1r1MsT$$$$***"""!!! *** * * * * * * * * * * * * ****""" (((  ' ' '   <111& E E E   FFFPCCCJ+++0 ( ( (o9o9o9b""""""<::: (((*   $$  X   X ..X...rGr1ceZdZdZdZdZdZedZedZ edZ edZ d Z d Z d Zd Zd Zeeeeee eeiZedZdS)r zA specialized Auth handler for gssapi-with-mic During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique. rlc"||_||_dSrI) _delegater)rDdelegaters rErFz!GssapiWithMicAuthHandler.__init__es! rGc\||jSrI)_restore_delegate_auth_handlerr@rsrMs rErszGssapiWithMicAuthHandler.abortis( ++---~##%%%rGc|jjSrI)r@r6rMs rEr6z"GssapiWithMicAuthHandler.transportms ~''rGc|jjSrI)r@rrMs rErz*GssapiWithMicAuthHandler._send_auth_resultqs ~//rGc|jjSrI)r@r@rMs rEr@z&GssapiWithMicAuthHandler.auth_usernameus ~++rGc|jjSrI)r@rBrMs rErBz!GssapiWithMicAuthHandler.gss_hostys ~&&rGc(|j|j_dSrI)r@r6rrMs rErCz7GssapiWithMicAuthHandler._restore_delegate_auth_handler}s&*n###rGc*|}|j} ||j||j}n[#t $rN}||j_t}| | |j|j |d}~wwxYw|wt}| t||t t"t$f|j_|j|dSdSrI)rrssh_accept_sec_contextrBr@rr6r rrCrrr&rwrrxr r#rrry)rDr{ client_tokenrtokenrrs rE_parse_userauth_gssapi_tokenz5GssapiWithMicAuthHandler._parse_userauth_gssapi_tokens||~~  11 |T-?EE   -.DN * F  / / 1 1 1  " "4#5t{F K K K      A JJ1 2 2 2 LL   )'$/DN + N ( ( + + + + +  s!? B A BBc|}|j}|j}| |||jj|nB#t$r5}||j_t}| ||j |d}~wwxYwt}|jj ||| ||j |dSrI)rrr@rCrr6rrr rrrr rcheck_auth_gssapi_with_mic)rDr{rrr7rrs rE_parse_userauth_gssapi_micz3GssapiWithMicAuthHandler._parse_userauth_gssapi_micsLLNN % ++---   4>4h       -.DN * F  " "8T[& A A A   ! $?? f    xf=====s!A B$0BBc^||j|SrI)rCr@rrzs rErz/GssapiWithMicAuthHandler._parse_service_requests* ++---~44Q777rGc^||j|SrI)rCr@rrzs rErz0GssapiWithMicAuthHandler._parse_userauth_requests* ++---~55a888rGc|jSrI)(_GssapiWithMicAuthHandler__handler_tablerMs rEr8z'GssapiWithMicAuthHandler._handler_tables ##rGN)rr:r;r<rrFrsr=r6rr@rBrCrMrPrrrrr r#rTr8rrGrEr r \s6 F&&&((X(00X0,,X,''X'555,,,4>>>0888999 35!#?!; O$$X$$$rGr cZeZdZdZefdZd dZdZdZdZ d d Z d Z xZ S) AuthOnlyHandlerzU AuthHandler, and just auth, no service requests! .. versionadded:: 3.2 cbtj}|t=|SrI)superr6copyr)rDmy_tablers rEr6z%AuthOnlyHandler._client_handler_tables)7705577 ' (rGNc||_||_t}|t|||d|||||jj5|j|dddn #1swxYwYtj |_ | |j S)a Submit a userauth request message & wait for response. Performs the transport message send call, sets self.auth_event, and will lock-n-block as necessary to both send, and wait for response to, the USERAUTH_REQUEST. Most callers will want to supply a callback to ``finish_message``, which accepts a Message ``m`` and may call mutator methods on it to add more fields. rN) r:r7r&rwrrxr6rVry threadingEventr9r)rDr7rfinish_messager{s rEsend_auth_requestz!AuthOnlyHandler.send_auth_requests"  II ())) X %&&& Vq^  , , N ( ( + + + , , , , , , , , , , , , , , ,$/++%%do666s B44B8;B8c.||dSrSr_)rDr7s rEr\zAuthOnlyHandler.auth_nones%%h777rGc|\}|||d|fd}||d|S)Nrc|d|||dS)NT)rrxr)r{rrrr`s rEfinishz.AuthOnlyHandler.auth_publickey..finishsc MM$    LL # # # LL    LL**4;; < < < < .finishs5 MM% LL8 % % % % %rGr<ra)rDr7r<rds ` rErdzAuthOnlyHandler.auth_passwords6 & & & & &%%h FCCCrGr3cXd|_||_fd}||d|S)rfkeyboard_interactivec\|d|dS)Nr3)rx)r{r?s rErdz0AuthOnlyHandler.auth_interactive..finish/s/ LL    LL $ $ $ $ $rGrg)r:r>r_)rDr7rhr?rds ` rEriz AuthOnlyHandler.auth_interactive%sI2#*  % % % % % %%h0FOOOrGcd}|t||dd}||vs||vr||vr|n|}d|d}|}n|d}|d|}|t||S)NzdServer did not send a server-sig-algs list; defaulting to something in our preferred algorithms listrr3zCurrent key type, z&, is in our preferred list; using thatrz3 not in our list - trying first list item instead, )rJr r)rDrrrnoncert_key_typeactualalgos rErz1AuthOnlyHandler._choose_fallback_pubkey_algorithm8st %#++,CRHH x  #3x#?#?!)X!5!5XX;KFWvWWWCDDA;D\\TX\\C % rGrIr9) rr:r;r<r=r6r_r\rardrir __classcell__)rs@rErVrVsX '7'7'7'7R888EEE,DDDPPPP&       rGrV);r<r4r\rrparamiko.commonrrrrrrr r r r r rrrrrrrrrrrrrrrrrrr r!r"r#r$r%paramiko.messager& paramiko.utilr'r(paramiko.ssh_exceptionr)r*r+r,paramiko.serverr-paramiko.ssh_gssr.r/r1r rVrrGrErus& $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$J%$$$$$ -,,,,,44444444L .L .L .L .L .L .L .L .^i$i$i$i$i$i$i$i$X|||||k|||||rG