U ØccÄã@s$dZddlZddlZddlZddlmZmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'ddl(m)Z)ddl*m+Z+m,Z,ddl-m.Z.m/Z/m0Z0m1Z1ddl2m3Z3ddl4m5Z5m6Z6Gd d „d e7ƒZ8Gd d „d e7ƒZ9dS) z `.AuthHandler` éN)#ÚcMSG_SERVICE_REQUESTÚcMSG_DISCONNECTÚ DISCONNECT_SERVICE_NOT_AVAILABLEÚ)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLEÚcMSG_USERAUTH_REQUESTÚcMSG_SERVICE_ACCEPTÚDEBUGÚAUTH_SUCCESSFULÚINFOÚcMSG_USERAUTH_SUCCESSÚcMSG_USERAUTH_FAILUREÚAUTH_PARTIALLY_SUCCESSFULÚcMSG_USERAUTH_INFO_REQUESTÚWARNINGÚ AUTH_FAILEDÚcMSG_USERAUTH_PK_OKÚcMSG_USERAUTH_INFO_RESPONSEÚMSG_SERVICE_REQUESTÚMSG_SERVICE_ACCEPTÚMSG_USERAUTH_REQUESTÚMSG_USERAUTH_SUCCESSÚMSG_USERAUTH_FAILUREÚMSG_USERAUTH_BANNERÚMSG_USERAUTH_INFO_REQUESTÚMSG_USERAUTH_INFO_RESPONSEÚcMSG_USERAUTH_GSSAPI_RESPONSEÚcMSG_USERAUTH_GSSAPI_TOKENÚcMSG_USERAUTH_GSSAPI_MICÚMSG_USERAUTH_GSSAPI_RESPONSEÚMSG_USERAUTH_GSSAPI_TOKENÚMSG_USERAUTH_GSSAPI_ERRORÚMSG_USERAUTH_GSSAPI_ERRTOKÚMSG_USERAUTH_GSSAPI_MICÚ MSG_NAMESÚcMSG_USERAUTH_BANNER)ÚMessage)ÚbÚu)Ú SSHExceptionÚAuthenticationExceptionÚBadAuthenticationTypeÚPartialAuthentication)ÚInteractiveQuery)ÚGSSAuthÚGSS_EXCEPTIONSc @s6eZdZdZdd„Zdd„Zdd„Zdd „Zd d „Zd d „Z dd„Z dBdd„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd „Zd!d"„Zd#d$„Zd%d&„Zd'd(„Zd)d*„Zd+d,„Zd-d.„Zd/d0„Zd1d2„Zd3d4„Zd5d6„Zd7d8„Zd9d:„Zd;d<„Z d=d>„Z!e"ee#ee$e iZ%e&ee'ee(ee)ee*eiZ+e,d?d@„ƒZ-dAS)CÚ AuthHandlerzC Internal class to handle the mechanics of authentication. cCs^t |¡|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_dS)NFÚrT)ÚweakrefÚproxyÚ transportÚusernameÚ authenticatedÚ auth_eventÚ auth_methodÚbannerÚpasswordÚ private_keyÚinteractive_handlerÚ submethodsÚ auth_usernameÚauth_fail_countÚgss_hostÚgss_deleg_creds)Úselfr3©rBú9/tmp/pip-unpacked-wheel-rglolp_m/paramiko/auth_handler.pyÚ__init__Qs zAuthHandler.__init__cGs |jj|ŽS©N)r3Ú_log)rAÚargsrBrBrCrFcszAuthHandler._logcCs|jSrE)r5©rArBrBrCÚis_authenticatedfszAuthHandler.is_authenticatedcCs|jjr|jS|jSdSrE)r3Ú server_moder=r4rHrBrBrCÚ get_usernameiszAuthHandler.get_usernamecCs>|jj ¡z||_d|_||_| ¡W5|jj ¡XdS)NÚnone©r3ÚlockÚacquireÚreleaser6r7r4Ú _request_auth©rAr4ÚeventrBrBrCÚ auth_noneos  zAuthHandler.auth_nonecCsD|jj ¡z$||_d|_||_||_| ¡W5|jj ¡XdS)NÚ publickey) r3rNrOrPr6r7r4r:rQ)rAr4ÚkeyrSrBrBrCÚauth_publickeyys  zAuthHandler.auth_publickeycCsD|jj ¡z$||_d|_||_||_| ¡W5|jj ¡XdS)Nr9) r3rNrOrPr6r7r4r9rQ)rAr4r9rSrBrBrCÚ auth_password„s  zAuthHandler.auth_passwordr0cCsJ|jj ¡z*||_d|_||_||_||_|  ¡W5|jj ¡XdS)zK response_list = handler(title, instructions, prompt_list) úkeyboard-interactiveN) r3rNrOrPr6r7r4r;r<rQ)rAr4ÚhandlerrSr<rBrBrCÚauth_interactives  zAuthHandler.auth_interactivecCsJ|jj ¡z*||_d|_||_||_||_|  ¡W5|jj ¡XdS)Núgssapi-with-mic) r3rNrOrPr6r7r4r?r@rQ)rAr4r?r@rSrBrBrCÚauth_gssapi_with_micžs  z AuthHandler.auth_gssapi_with_miccCs>|jj ¡z||_d|_||_| ¡W5|jj ¡XdS)Nú gssapi-keyexrMrRrBrBrCÚauth_gssapi_keyexªs  zAuthHandler.auth_gssapi_keyexcCs|jdk r|j ¡dSrE)r6ÚsetrHrBrBrCÚabort´s zAuthHandler.abortcCs*tƒ}| t¡| d¡|j |¡dS©Nú ssh-userauth)r%Úadd_byterÚ add_stringr3Ú _send_message©rAÚmrBrBrCrQºs  zAuthHandler._request_authcCsHtƒ}| t¡| t¡| d¡| d¡|j |¡|j ¡dS)NzService not availableÚen) r%rdrÚadd_intrrer3rfÚclosergrBrBrCÚ!_disconnect_service_not_availableÀs     z-AuthHandler._disconnect_service_not_availablecCsHtƒ}| t¡| t¡| d¡| d¡|j |¡|j ¡dS)NzNo more auth methods availableri) r%rdrrjrrer3rfrkrgrBrBrCÚ_disconnect_no_more_authÉs     z$AuthHandler._disconnect_no_more_authcCs&|jr|jj|jjfS| ¡|fSdS)z Given any key, return its type/algorithm & bits-to-sign. Intended for input to or verification of, key signatures. N)Z public_blobÚkey_typeZkey_blobÚget_name)rArVrBrBrCÚ_get_key_type_and_bitsÒsz"AuthHandler._get_key_type_and_bitscCsptƒ}| |jj¡| t¡| |¡| |¡| d¡| d¡| |¡\}}| |¡| |¡| ¡S)NrUT) r%rer3Ú session_idrdrÚ add_booleanrpZasbytes)rArVÚservicer4Ú algorithmrhÚ_ÚbitsrBrBrCÚ_get_session_blobÞs       zAuthHandler._get_session_blobcCsÂd}|jjdk r t ¡|jj}| d¡|j ¡s^|j ¡}|dksRt|jtƒrZt dƒ}|‚|  ¡rhq†|dk r |t ¡kr t dƒ‚q |  ¡s¾|j ¡}|dkr¨t dƒ}t|jt ƒrº|j S|‚gS)Ngš™™™™™¹?zAuthentication failed.zAuthentication timeout.)r3Z auth_timeoutÚtimeÚwaitZ is_activeZ get_exceptionÚ issubclassÚ __class__ÚEOFErrorr)Úis_setrIr+Z allowed_types)rArSZmax_tsÚerBrBrCÚwait_for_responseës*       zAuthHandler.wait_for_responsecCs’| ¡}|jjr†|dkr†tƒ}| t¡| |¡|j |¡|jj  ¡\}}|r‚tƒ}| t ¡| |¡| |¡|j |¡dS|  ¡dSrb) Úget_textr3rJr%rdrrerfÚ server_objectZ get_bannerr$rl)rArhrsr8ÚlanguagerBrBrCÚ_parse_service_requests       z"AuthHandler._parse_service_requestcCsF|jj}| dd¡|kr2d}| t| |¡¡dS|jj|t|ƒƒS)Nú-cert-v01@openssh.comr0z@sz:AuthHandler._finalize_pubkey_algorithm..zOur pubkey algorithm list: {}zFAn RSA key was specified, but no RSA pubkey algorithms are configured!zserver-sig-algsr0ú,zServer-side algorithm list: {}rz)No common pubkey algorithms exist! Dying.z=Unable to agree on a pubkey algorithm for signing a {!r} key!zYServer did not send a server-sig-algs list; defaulting to our first preferred algo ({!r})z”NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!)rFrr‡ÚendswithÚreÚsearchr3Úremote_versionZ_agreed_pubkey_algorithmr…r(r'Zserver_extensionsÚgetr&ÚsplitÚlistÚfilterÚ __contains__r)) rArnZ pubkey_algoZmy_algosZserver_algo_strZ server_algosZ agreementrŠÚmsgrBrBrCÚ_finalize_pubkey_algorithm$srÿþ ÿ ÿÿÿ ÿþ þ z&AuthHandler._finalize_pubkey_algorithmc CsÞ| ¡}|dkrÈ| td¡tƒ}| t¡| |j¡| d¡| |j¡|jdkr||  d¡t |j ƒ}| |¡n>|jdkrî|  d¡|  |j ¡\}}| |¡}| |¡| |¡| |j d|j|¡}|j  ||¡}| |¡nÌ|jdkr| d ¡| |j¡n¦|jd krXt|j|jƒ} | |  ¡¡|j |¡|jj ¡\} }| tkr|| |¡|jj ¡\} }| tkrÚ| ¡} tƒ}| t¡z| |  |j | |j¡¡Wn2t!k rì} z| "| ¡WY¢Sd} ~ XYnX|j |¡|jj ¡\} }| t#krú| ¡} z|  |j | |j| ¡}Wn2t!k rf} z| "| ¡WY¢Sd} ~ XYnX|dkrxq´n&tƒ}| t¡| |¡|j $|¡qút%d  &t'| ¡ƒ‚tƒ}| t(¡| |  )|jj*¡¡n|| t+krît%d ƒ‚nh| t,kr,| -¡}| -¡}| ¡}| ¡t%d  &|||¡ƒ‚n*| t.krD| /|¡dSt%d  &t'| ¡ƒ‚nb|jdkrœ|jj0rœ|jj1}| 2|j¡| )|jj*¡}| |¡n|jdkrªnt%d &|j¡ƒ‚|j |¡n| td &|¡¡dS)Nrczuserauth is OKússh-connectionr9FrUTrYr0r\zReceived Package: {}zServer returned an error tokenzCGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} r^rLzUnknown auth method "{}"z!Service request "{}" accepted (?))3r€rFrr%rdrrer4r7rrr&r9rpr:r›rwZ sign_ssh_datar<r-r@Ú add_bytesÚ ssh_gss_oidsr3rfZ packetizerZ read_messagerÚ_parse_userauth_bannerrÚ get_stringrZssh_init_sec_contextr?r.Ú_handle_local_gss_failurerÚ send_messager(r‡r#rZ ssh_get_micrqr!r Úget_intrÚ_parse_userauth_failureZ gss_kex_usedÚ kexgss_ctxtZ set_username)rArhrsr9rnrvrtÚblobÚsigÚsshgssÚptypeZmechr~Z srv_tokenZ next_tokenZ maj_statusZ min_statusÚerr_msgZkexgssÚ mic_tokenrBrBrCÚ_parse_service_acceptosä              ü        ÿÿ   ü     ÿ    ûÿ   ÿÿþ    ÿÿz!AuthHandler._parse_service_acceptcCsÂtƒ}|tkr2| td |¡¡| t¡d|_n\| td |¡¡| t¡|  |j j   |¡¡|t krv| d¡n| d¡|jd7_|j  |¡|jdkr¬| ¡|tkr¾|j  ¡dS)NzAuth granted ({}).TzAuth rejected ({}).Féé )r%r rFr r‡rdr r5r rer3rZget_allowed_authsr rrr>rfrmÚ _auth_trigger)rAr4ÚmethodÚresultrhrBrBrCÚ_send_auth_result÷s&   ÿ    zAuthHandler._send_auth_resultcCs|tƒ}| t¡| |j¡| |j¡| tƒ¡| t|j ƒ¡|j D] }| |d¡|  |d¡qJ|j   |¡dS)Nrr­) r%rdrreÚnameÚ instructionsÚbytesrjÚlenÚpromptsrrr3rf)rAÚqrhÚprBrBrCÚ_interactive_querys     zAuthHandler._interactive_queryc Csˆ|jjs| |||¡}t ƒ}|  t ¡|  t |ƒ¡|D]}| |¡qŠ|j |¡dS)NrYz Illegal info request from server)r7r(r€r½r£ÚrangeÚappendr¼r;r%rdrrjr¶rer3rf) rArhÚtitler´r·Z prompt_listÚiZ response_listÚrrBrBrCÚ_parse_userauth_info_requestùs(  ÿ  z(AuthHandler._parse_userauth_info_requestcCsr|jjstdƒ‚| ¡}g}t|ƒD]}| | ¡¡q$|jj |¡}t |t ƒr^|  |¡dS|  |j d|¡dS)Nz!Illegal info response from serverrY)r3rJr(r£rÍrÎr€rZcheck_auth_interactive_responserÃr,rºr²r=)rArhÚnÚ responsesrÐr±rBrBrCÚ_parse_userauth_info_responses" ÿ  ÿz)AuthHandler._parse_userauth_info_responsecCsR||j_| td |¡¡| td |j¡¡d|_d|_|j dk rN|j   ¡dS)NzGSSAPI failure: {}rÊF) r3rËrFrr‡r r7r5r4r6r`)rAr~rBrBrCr¡ s  z%AuthHandler._handle_local_gss_failurecCs|jjr|jS|jSdSrE)r3rJÚ_server_handler_tableÚ_client_handler_tablerHrBrBrCÚ_handler_tableDszAuthHandler._handler_tableN)r0).rÂÚ __module__Ú __qualname__Ú__doc__rDrFrIrKrTrWrXr[r]r_rarQrlrmrprwrrƒr‹r›r¬r²rºrÈrÉr¤rŸrÒrÕr¡rrrrÖrrrrrr×ÚpropertyrØrBrBrBrCr/Lsj          K  4 ýû r/c@sœeZdZdZdZdd„Zdd„Zedd„ƒZed d „ƒZ ed d „ƒZ ed d„ƒZ dd„Z dd„Z dd„Zdd„Zdd„Zeeeeee eeiZedd„ƒZdS)rÄz°A specialized Auth handler for gssapi-with-mic During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique. r\cCs||_||_dSrE)Ú _delegater¨)rAZdelegater¨rBrBrCrDUsz!GssapiWithMicAuthHandler.__init__cCs| ¡|j ¡SrE)Ú_restore_delegate_auth_handlerrÝrarHrBrBrCraYszGssapiWithMicAuthHandler.abortcCs|jjSrE)rÝr3rHrBrBrCr3]sz"GssapiWithMicAuthHandler.transportcCs|jjSrE)rÝr²rHrBrBrCr²asz*GssapiWithMicAuthHandler._send_auth_resultcCs|jjSrE)rÝr=rHrBrBrCr=esz&GssapiWithMicAuthHandler.auth_usernamecCs|jjSrE)rÝr?rHrBrBrCr?isz!GssapiWithMicAuthHandler.gss_hostcCs|j|j_dSrE)rÝr3rÅrHrBrBrCrÞmsz7GssapiWithMicAuthHandler._restore_delegate_auth_handlerc Cs°| ¡}|j}z| |j||j¡}WnJtk rn}z,||j_t}|  ¡|  |j|j |¡‚W5d}~XYnX|dk r¬t ƒ}|  t¡| |¡tttf|j_|j |¡dSrE)r r¨Zssh_accept_sec_contextr?r=rÁr3rËrrÞr²r°r%rdrrerr"rrÆrf)rArhZ client_tokenr¨Útokenr~r±rBrBrCÚ_parse_userauth_gssapi_tokenps.ÿ  ýz5GssapiWithMicAuthHandler._parse_userauth_gssapi_tokenc Csœ| ¡}|j}|j}| ¡z| ||jj|¡Wn@tk rr}z"||j_t }|  ||j |¡‚W5d}~XYnXt }|jj  ||¡|  ||j |¡dSrE)r r¨r=rÞrÇr3rqrÁrËrr²r°r rZcheck_auth_gssapi_with_mic)rArhr«r¨r4r~r±rBrBrCÚ_parse_userauth_gssapi_micŠs*ÿÿz3GssapiWithMicAuthHandler._parse_userauth_gssapi_miccCs| ¡|j |¡SrE)rÞrÝrƒrgrBrBrCrƒ¢sz/GssapiWithMicAuthHandler._parse_service_requestcCs| ¡|j |¡SrE)rÞrÝrÈrgrBrBrCrȦsz0GssapiWithMicAuthHandler._parse_userauth_requestcCs|jSrE)Ú(_GssapiWithMicAuthHandler__handler_tablerHrBrBrCrرsz'GssapiWithMicAuthHandler._handler_tableN)rÂrÙrÚrÛr°rDrarÜr3r²r=r?rÞràrárƒrÈrrrr"rârØrBrBrBrCrÄLs8    ürÄ):rÛr1rxr’Zparamiko.commonrrrrrrrr r r r r rrrrrrrrrrrrrrrrrrr r!r"r#r$Zparamiko.messager%Zparamiko.py3compatr&r'Zparamiko.ssh_exceptionr(r)r*r+Zparamiko.serverr,Zparamiko.ssh_gssr-r.Úobjectr/rÄrBrBrBrCÚs"”%