7gpdZddlZddlZddlZdZdZdZ ddlZeedrej dkr dZej fZndZej j ej jjfZn4#eef$r* ddlZddlZddlZd ZejfZn#e$rd ZdZYnwxYwYnwxYwdd lmZdd lmZdd lmZddZGddZGddeZedkreZGddeZ GddeZ!dS)z This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 NT __title__z python-gssapiMITPYTHON-GSSAPI-NEWSSPIF)MSG_USERAUTH_REQUEST) SSHException)__version_info__ctdkrt||Stdkrt||Stdkr tjdkrt ||St d)a Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: object :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported. :see: `RFC 4462 `_ :note: Check for the available API and return either an `._SSH_GSSAPI_OLD` (MIT GSSAPI using python-gssapi package) object, an `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object or an `._SSH_SSPI` (MS SSPI) object. If there is no supported API available, ``None`` will be returned. rrrntz)Unable to import a GSS-API / SSPI module!)_API_SSH_GSSAPI_OLD_SSH_GSSAPI_NEWosname _SSH_SSPI ImportError) auth_methodgss_deleg_credss J/var/www/html/syslog/venv/lib/python3.11/site-packages/paramiko/ssh_gss.pyGSSAuthrNsk, u}}{O<<< $ $ ${O<<< BGtOOo666EFFFc>eZdZdZdZdZdZd dZdZdZ d Z d S) _SSH_GSSAuthzs Contains the shared variables and methods of `._SSH_GSSAPI_OLD`, `._SSH_GSSAPI_NEW` and `._SSH_SSPI`. c||_||_d|_d|_d|_d|_ d|_d|_d|_d|_ d|_ d|_ dS) :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not Nzssh-connectionz1.2.840.113554.1.2.2F) _auth_method_gss_deleg_creds _gss_host _username _session_id_service _krb5_mech _gss_ctxt_gss_ctxt_status _gss_srv_ctxt_gss_srv_ctxt_statuscc_fileselfrrs r__init__z_SSH_GSSAuth.__init__tsm ( /(  1 %"$)! rcB|dr ||_dSdS)z This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service zssh-N)findr")r*services r set_servicez_SSH_GSSAuth.set_services- <<   $#DMMM $ $rc||_dS)z Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login N)r )r*usernames r set_usernamez_SSH_GSSAuth.set_usernames"rclientcddlm}ddlm}|d}|||j}|t|}|dkr||zS||z|zS)a This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :note: In server mode we just return the OID length and the DER encoded OID. r)ObjectIdentifier)encoderserver)pyasn1.type.univr5pyasn1.codec.derr6 _make_uint32encoder#len)r*moder5r6OIDskrb5_OIDOID_lens r ssh_gss_oidsz_SSH_GSSAuth.ssh_gss_oidss 655555,,,,,,  ##>>"2"24?"C"CDD##CMM22 8  X% %g~((rcddlm}||\}}||jkrdSdS)z Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} rdecoderFT)r:rEdecode__str__r#)r* desired_mechrEmech__s rssh_check_mechz_SSH_GSSAuth.ssh_check_mechsJ -,,,,,>>,//b <<>>T_ , ,5trc,tjd|S)z Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer z!I)structpack)r*integers rr;z_SSH_GSSAuth._make_uint32s{4)))rc|t|}||z }|tjdtz }||t|z }||z }||t|z }||z }||t|z }||z }|S)a Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) B)r;r=rMrNrr<)r* session_idr1r.rmics r_ssh_build_micz_SSH_GSSAuth._ssh_build_mics"J00 z v{3 4555 t  X/// x    t  W... w~~ t  [!1!1222 {!!### rN)r3) __name__ __module__ __qualname____doc__r+r/r2rBrKr;rTrrrrrns 6 $ $ $""")))),    ***rrcVeZdZdZdZ d dZd dZd dZd dZe d Z d Z dS)rz Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package. :see: `.GSSAuth` ct||||jr5tjtjtjtjf|_dStjtjtjf|_dSrN) rr+rgssapiC_PROT_READY_FLAG C_INTEG_FLAG C_MUTUAL_FLAG C_DELEG_FLAG _gss_flagsr)s rr+z_SSH_GSSAPI_OLD.__init__sm dKAAA  (#$# DOOO(#$DOOOrNcdddlm}||_||_t jd|jztj}t j}|j|_ |%tj |j }nh| |\} } | |j krtdtj |j }d} |OOG%g.. . /!% : s-AEAFFc||_|sG||j|j|j|j}|j|}n|j|j}|S)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. )r!rTr r"rr$get_micr&r*rRgss_kex mic_field mic_tokens r ssh_get_micz_SSH_GSSAPI_OLD.ssh_get_micAsz& E++  ! I ..y99II*2243CDDIrc||_||_|jtj|_|j|}|jj|_|S) Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned )rr r&r\ AcceptContextrortr'r*hostnamervr1rzs rssh_accept_sec_contextz&_SSH_GSSAPI_OLD.ssh_accept_sec_context\sU"!   %!'!5!7!7D "'' 33$($6$B! rc||_||_|jI||j|j|j|j}|j||dS|j|j|dS)at Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.GSSException`` -- if the MIC check failed N)r!r rTr"rr& verify_micr$r*rrRr1rs r ssh_check_micz_SSH_GSSAPI_OLD.ssh_check_micps&! > %++  ! I   ) ))Y ? ? ? ? ? N % %d&6 B B B B Brc"|jjdSdS) Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` NTF)r&delegated_credr*s rcredentials_delegatedz%_SSH_GSSAPI_OLD.credentials_delegateds   , 84urct)a~ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode NotImplementedErrorr* client_tokens rsave_client_credsz!_SSH_GSSAPI_OLD.save_client_creds "!rNNNFN rUrVrWrXr+r|rrrpropertyrrrrrrrs.DH2222h6(CCCC4X " " " " "rr)cVeZdZdZdZ d dZd dZd dZd dZe d Z d Z dS)rz Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package. :see: `.GSSAuth` cLt||||jrItjjtjjtjjtjjf|_ dStjjtjjtjjf|_ dSr[) rr+rr\RequirementFlagprotection_ready integritymutual_authenticationdelegate_to_peerrar)s rr+z_SSH_GSSAPI_NEW.__init__s dKAAA  &7&0&<&7 DOOO&7&0&<DOOOrNcddlm}||_||_t jd|jztjj}|D||\}}| |j krtdtj j } d} |=t j||j| d|_|j| } n|j|} |jj|_| S) ae Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :raises: ``gssapi.exceptions.GSSError`` if there is an error signaled by the GSS-API implementation :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned rrDrc) name_typeNrdinitiate)rrkrIusage)r:rEr rr\rhNameTypehostbased_servicerFrGr#r MechTypekerberosSecurityContextrar$rocompleter%) r*rurHr1rvrErwrIrJryrzs rr|z$_SSH_GSSAPI_NEW.ssh_init_sec_contexts & -,,,,,!K dn $o7     #~~l33HD"||~~00"#?@@@O,   #3o DN N''..EEN'' 33E $ 7 rFc||_|sG||j|j|j|j}|j|}n|j|j}|S)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: str )r!rTr r"rr$ get_signaturer&rs rrz_SSH_GSSAPI_NEW.ssh_get_micsz& K++  ! I 44Y??II*889IJJIrc||_||_|jtjd|_|j|}|jj|_|S)rNaccept)r)rr r&r\rrorr'rs rrz&_SSH_GSSAPI_NEW.ssh_accept_sec_contextsZ"!   %!'!7h!G!G!GD "'' 33$($6$?! rc||_||_|jI||j|j|j|j}|j||dS|j|j|dS)a{ Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed N)r!r rTr"rr&verify_signaturer$rs rrz_SSH_GSSAPI_NEW.ssh_check_mic$s&! > %++  ! I   / / 9 E E E E E N + +D,s   - 94urct)aw Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode rrs rrz!_SSH_GSSAPI_NEW.save_client_credsJs "!rrrrrrrrrrs.DH,,,,\8(IIII4  X  " " " " "rrcTeZdZdZdZ d dZd dZdZd dZe d Z d Z dS)rzf Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` ct||||jr-tjtjztjz|_dStjtjz|_dSr[)rr+rsspiconISC_REQ_INTEGRITYISC_REQ_MUTUAL_AUTHISC_REQ_DELEGATErar)s rr+z_SSH_SSPI.__init__^si dKAAA  )-.*+ OOO)G,GG OOOrNcddlm}||_||_d}d|jz}|D||\}} ||jkrtd |!tj d|j ||_ |j |\}} | dj } n@#tj$r.} | xjd|jz c_d} ~ wwxYw|dkr d |_d} | S) a Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned rrDhost/NrdKerberos)scflags targetspnz , Target: {}T)r:rEr rrFrGr#r sspi ClientAuthrar$ authorizeBuffer pywintypeserrorstrerrorrqr%) r*rurHr1rvrErrwrIrJrzes rr|z_SSH_SSPI.ssh_init_sec_contextqs8$ -,,,,,!dn,  #~~l33HD"||~~00"#?@@@ !!%9""" >33J??LE5!HOEE    JJ.//?? ?JJ   A:: %)D !E  s(A B66C3)C..C3Fc||_|sG||j|j|j|j}|j|}n|j|j}|S)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. )r!rTr r"rr$signr&rs rrz_SSH_SSPI.ssh_get_micsz& B++  ! I ++I66II*//0@AAIrc||_||_d|jz}tjd||_|j|\}}|dj}|dkr d|_d}|S)a Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned rr)spnrTN)rr r ServerAuthr&rrr')r*rr1rvrwrrzs rrz _SSH_SSPI.ssh_accept_sec_contextsu"!dn, !_ZYGGG)33J?? ua A::(,D %E rc||_||_|I||j|j|j|j}|j||dS|j|j|dS)ak Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``sspi.error`` -- if the MIC check failed N)r!r rTr"rr&verifyr$rs rrz_SSH_SSPI.ssh_check_mics&!  ++  ! I   % %i ; ; ; ; ; N ! !$"2I > > > > >rcF|jtjzo |jp|jS)r)rarrr'rs rrz_SSH_SSPI.credentials_delegateds(!99  % 8 rct)a{ Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode rrs rrz_SSH_SSPI.save_client_credsrrrrrrrrrrrWs (DH2222h6,????<  X  " " " " "rr)T)"rXrMrrrGSS_AUTH_AVAILABLEGSS_EXCEPTIONSr r\hasattrrrp exceptions GeneralErrorrawmiscGSSErrorrOSErrorrrrrparamiko.commonrparamiko.ssh_exceptionr paramiko._versionr rrr _SSH_GSSAPIrrrrrrs^,  MMMwv{##  (8O(K(K -/"   * JO $  W     $*, " 100000//////......GGGG@~~~~~~~~Bq"q"q"q"q"lq"q"q"hf!Kl"l"l"l"l"ll"l"l"^s"s"s"s"s" s"s"s"s"s"s6AAB $A;:B ; BB BB  B