IipSrSSKrSSKrSSKrSrSrSrSSKr\"\S5(a \RS:XaSr\R4rO9Sr\RR\RRR4rSS KJr SS KJr SS KJr SSjr"SS5r"SS\5r\S:a\r"SS\5r "SS\5r!g!\\4a0 SSKrSSKrSSKrS r\R*4rNq!\a S rSrN~f=ff=f)z This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 NT __title__z python-gssapiMITPYTHON-GSSAPI-NEWSSPIF)MSG_USERAUTH_REQUEST) SSHException)__version_info__c[S:Xa [X5$[S:Xa [X5$[S:Xa[RS:Xa [ X5$[ S5e)a| Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: object :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported. :see: `RFC 4462 `_ :note: Check for the available API and return either an `._SSH_GSSAPI_OLD` (MIT GSSAPI using python-gssapi package) object, an `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object or an `._SSH_SSPI` (MS SSPI) object. If there is no supported API available, ``None`` will be returned. rrrntz)Unable to import a GSS-API / SSPI module!)_API_SSH_GSSAPI_OLD_SSH_GSSAPI_NEWosname _SSH_SSPI ImportError) auth_methodgss_deleg_credss 6/venv/lib/python3.13/site-packages/paramiko/ssh_gss.pyGSSAuthrNsR, u}{<< $ ${<< BGGtO66EFFcF\rSrSrSrSrSrSrS SjrSr Sr S r S r g ) _SSH_GSSAuthnzg Contains the shared variables and methods of `._SSH_GSSAPI_OLD`, `._SSH_GSSAPI_NEW` and `._SSH_SSPI`. cXlX lSUlSUlSUlSUlSUlSUlSUlSUl SUl SUl g) :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not Nzssh-connectionz1.2.840.113554.1.2.2F) _auth_method_gss_deleg_creds _gss_host _username _session_id_service _krb5_mech _gss_ctxt_gss_ctxt_status _gss_srv_ctxt_gss_srv_ctxt_statuscc_fileselfrrs r__init___SSH_GSSAuth.__init__tse ( /(  1 %"$)! rc>URS5(aXlgg)z This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service zssh-N)findr#)r+services r set_service_SSH_GSSAuth.set_services <<  #M rcXlg)z Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login N)r!)r+usernames r set_username_SSH_GSSAuth.set_usernames "rcSSKJn SSKJn UR S5nUR U"UR 55nUR [U55nUS:XaXe-$XF-U-$)a| This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :note: In server mode we just return the OID length and the DER encoded OID. r)ObjectIdentifier)encoderserver)pyasn1.type.univr8pyasn1.codec.derr9 _make_uint32encoder$len)r+moder8r9OIDskrb5_OIDOID_lens r ssh_gss_oids_SSH_GSSAuth.ssh_gss_oidssd 6,  #>>"24??"CD##CM2 8 % %~((rctSSKJn URU5up4UR5UR:wagg)z Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} rdecoderFT)r=rIdecode__str__r$)r+ desired_mechrImech__s rssh_check_mech_SSH_GSSAuth.ssh_check_mechs/ ->>,/ <<>T__ ,rc0[R"SU5$)z Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer z!I)structpack)r+integers rr>_SSH_GSSAuth._make_uint32s{{4))rcUR[U55nXQ- nU[R"S[5- nXPR[U55- nXRR 5- nXPR[U55- nXSR 5- nXPR[U55- nXTR 5- nU$)a^ Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) B)r>r@rRrSrr?)r+ session_idr4r0rmics r_ssh_build_mic_SSH_GSSAuth._ssh_build_mics"J0  v{{3 455   X//      W.. ~~   [!122 !!## r) rr%r&rr r'r(r$r#r"r!r)N)client) __name__ __module__ __qualname____firstlineno____doc__r,r1r5rErOr>rZ__static_attributes__rrrrrns* 6 $"),  *rrc^\rSrSrSrSrS SjrS SjrSSjrSSjr \ S 5r S r S r g)rz Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package. :see: `.GSSAuth` cB[RXU5 UR(aD[R[R [R [R4Ulg[R[R [R 4UlgrN) rr,rgssapiC_PROT_READY_FLAG C_INTEG_FLAG C_MUTUAL_FLAG C_DELEG_FLAG _gss_flagsr*s rr,_SSH_GSSAPI_OLD.__init__sp dA  ((##$$## DO((##$$DOrNcSSKJn X0lXl[R "SUR-[R 5n[R"5nURUl Uc*[RRUR5nOeURU5upU R5UR:wa [S5e[RRUR5nSn UcA[R "UUURS9UlUR"R%U 5n OUR"R%U5n UR"R.UlU $![R&aI SR)[*R,"5SUR5n [R&"U 5ef=f) ac Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned rrHhost@NUnsupported mechanism OID.) peer_name mech_type req_flagsz {} Target: {}r:)r=rIr!r rgNameC_NT_HOSTBASED_SERVICEContextrlflagsOIDmech_from_stringr$rJrKr InitContextr%step GSSExceptionformatsysexc_info establishedr&) r+targetrLr4 recv_tokenrI targ_namectx krb5_mechrMrNtokenmessages rssh_init_sec_context$_SSH_GSSAPI_OLD.ssh_init_sec_context sk$ -!KK dnn $f&C&C nnOO   33DOODI~~l3HD||~0"#?@@"JJ77H  /!!'!3!3''!ii" ++E2++J7!% : : "" /%,,S\\^A->OG%%g. . /sAE=E==AGcXlU(dYURURURURUR5nUR R U5nU$URR UR5nU$)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. )r"rZr!r#rr%get_micr'r+rXgss_kex mic_field mic_tokens r ssh_get_mic_SSH_GSSAPI_OLD.ssh_get_micAs&++   !! I ..y9I**2243C3CDIrcXlX0lURc[R"5UlURR U5nURR UlU$)s Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned )r r!r'rg AcceptContextr{rr(r+hostnamerr4rs rssh_accept_sec_context&_SSH_GSSAPI_OLD.ssh_accept_sec_context\sZ"!    %!'!5!5!7D ""'' 3$($6$6$B$B! rc2X lX0lURbXURURURURUR5nUR R XA5 gURR URU5 g)a< Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.GSSException`` -- if the MIC check failed N)r"r!rZr#rr' verify_micr%r+rrXr4rs r ssh_check_mic_SSH_GSSAPI_OLD.ssh_check_micps{&! >> %++   !! I    ) )) ? NN % %d&6&6 Brc4URRbgg)y Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` TF)r'delegated_credr+s rcredentials_delegated%_SSH_GSSAPI_OLD.credentials_delegateds    , , 8rc[e)a> Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode NotImplementedErrorr+ client_tokens rsave_client_creds!_SSH_GSSAPI_OLD.save_client_creds "!rr%r&rlr r'r(r"r!NNNFNr]r^r_r`rar,rrrrpropertyrrrbrrrrrsB.DH2h6(C4 "rr)c^\rSrSrSrSrS SjrS SjrSSjrSSjr \ S 5r S r S r g)riz Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package. :see: `.GSSAuth` c[RXU5 UR(al[RR [RR [RR[RR4Ul g[RR [RR [RR4Ul grf) rr,rrgRequirementFlagprotection_ready integritymutual_authenticationdelegate_to_peerrlr*s rr,_SSH_GSSAPI_NEW.__init__s dA  &&77&&00&&<<&&77 DO&&77&&00&&<<DOrNcJSSKJn X0lXl[R "SUR-[R RS9nUb<URU5upxUR5UR:wa [S5e[RRn Sn UcB[R"UURU SS9UlUR R#U 5n OUR R#U5n UR R$UlU $) a Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :raises: ``gssapi.exceptions.GSSError`` if there is an error signaled by the GSS-API implementation :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned rrHro) name_typeNrpinitiate)rrwrMusage)r=rIr!r rgrtNameTypehostbased_servicerJrKr$r MechTypekerberosSecurityContextrlr%r{completer&) r+rrLr4rrIrrMrNrrs rr$_SSH_GSSAPI_NEW.ssh_init_sec_contexts& -!KK dnn $oo77   #~~l3HD||~0"#?@@OO,,   #33oo DN NN''.ENN'' 3E $ 7 7 rcXlU(dYURURURURUR5nUR R U5nU$URR UR5nU$)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: str )r"rZr!r#rr% get_signaturer'rs rr_SSH_GSSAPI_NEW.ssh_get_mics&++   !! I 44Y?I**889I9IJIrcXlX0lURc[R"SS9UlURR U5nURR UlU$)raccept)r)r r!r'rgrr{rr(rs rr&_SSH_GSSAPI_NEW.ssh_accept_sec_contexts\"!    %!'!7!7h!GD ""'' 3$($6$6$?$?! rc2X lX0lURbXURURURURUR5nUR R XA5 gURR URU5 g)aC Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed N)r"r!rZr#rr'verify_signaturer%rs rr_SSH_GSSAPI_NEW.ssh_check_mic$s{&! >> %++   !! I    / / E NN + +D,<,s    - - 9rc[e)a? Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode rrs rr!_SSH_GSSAPI_NEW.save_client_credsJs "!rrrrrrrrrrrsB.DH,\8(I4   "rrcZ\rSrSrSrSrS SjrS SjrSrSSjr \ S 5r S r S r g)riWzZ Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` c[RXU5 UR(a8[R[R -[R -Ulg[R[R -Ulgrf)rr,rsspiconISC_REQ_INTEGRITYISC_REQ_MUTUAL_AUTHISC_REQ_DELEGATErlr*s rr,_SSH_SSPI.__init__^sf dA  ))--.**+ O))G,G,GG OrNc,SSKJn X0lXlSnSUR-nUb<UR U5upUR 5UR :wa [S5eUc%[R"SURUS9Ul URRU5upjU SRn US:Xa S UlSn U $![Ra4n U =R SR#UR5- sleSn A ff=f) aT Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned rrHhost/NrpKerberos)scflags targetspnz , Target: {}T)r=rIr!r rJrKr$r sspi ClientAuthrlr% authorizeBuffer pywintypeserrorstrerrorr}r&) r+rrLr4rrIrrrMrNres rr_SSH_SSPI.ssh_init_sec_contextqs$ -!dnn,  #~~l3HD||~0"#?@@ !!%9" >>33J?LE!HOOE A: %)D !E    JJ.//? ?J  s$AC D/DDcXlU(dYURURURURUR5nUR R U5nU$URR UR5nU$)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. )r"rZr!r#rr%signr'rs rr_SSH_SSPI.ssh_get_mics&++   !! I ++I6I**//0@0@AIrcXlX lSUR-n[R"SUS9UlURR U5upVUSR nUS:Xa SUlSnU$)ag Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned rr)spnrTN)r r!r ServerAuthr'rrr()r+rr4rrrrs rr _SSH_SSPI.ssh_accept_sec_contextsm"!dnn, !__ZYG))33J? a A:(,D %E rcX lX0lUbXURURURURUR5nUR R XA5 gURR URU5 g)a3 Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``sspi.error`` -- if the MIC check failed N)r"r!rZr#rr'verifyr%rs rr_SSH_SSPI.ssh_check_micsw&!  ++   !! I    % %i ; NN ! !$"2"2I >rcUR[R-=(a UR=(d UR$)r)rlrrr(rs rr_SSH_SSPI.credentials_delegateds2!9!99  % % 8 rc[e)a; Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode rrs rr_SSH_SSPI.save_client_credsrrrrrrrrrrrrWsA (DH2h6,?<   "rr)T)"rarRrr~GSS_AUTH_AVAILABLEGSS_EXCEPTIONSr rghasattrrr| exceptions GeneralErrorrawmiscGSSErrorrOSErrorrrrrparamiko.commonrparamiko.ssh_exceptionr paramiko._versionr rrr _SSH_GSSAPIrrrrrrs8,  v{##(8(8O(K --/"    * * JJOO $ $  1/.G@~~Bq"lq"hf!Kl"ll"^s" s"u W  $**, " s/1C 8C DC22 D<D?DD