U ςd@s8dZddlZddlZddlZddlZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(ddl)m*Z*ddl+m,Z,m-Z-ddl.m/Z/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6m7Z7Gd d d Z8Gd d d Z9Gd dde8Z:dS)z `.AuthHandler` N)#cMSG_SERVICE_REQUESTcMSG_DISCONNECT DISCONNECT_SERVICE_NOT_AVAILABLE)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLEcMSG_USERAUTH_REQUESTcMSG_SERVICE_ACCEPTDEBUGAUTH_SUCCESSFULINFOcMSG_USERAUTH_SUCCESScMSG_USERAUTH_FAILUREAUTH_PARTIALLY_SUCCESSFULcMSG_USERAUTH_INFO_REQUESTWARNING AUTH_FAILEDcMSG_USERAUTH_PK_OKcMSG_USERAUTH_INFO_RESPONSEMSG_SERVICE_REQUESTMSG_SERVICE_ACCEPTMSG_USERAUTH_REQUESTMSG_USERAUTH_SUCCESSMSG_USERAUTH_FAILUREMSG_USERAUTH_BANNERMSG_USERAUTH_INFO_REQUESTMSG_USERAUTH_INFO_RESPONSEcMSG_USERAUTH_GSSAPI_RESPONSEcMSG_USERAUTH_GSSAPI_TOKENcMSG_USERAUTH_GSSAPI_MICMSG_USERAUTH_GSSAPI_RESPONSEMSG_USERAUTH_GSSAPI_TOKENMSG_USERAUTH_GSSAPI_ERRORMSG_USERAUTH_GSSAPI_ERRTOKMSG_USERAUTH_GSSAPI_MIC MSG_NAMEScMSG_USERAUTH_BANNER)Message)bu) SSHExceptionAuthenticationExceptionBadAuthenticationTypePartialAuthentication)InteractiveQuery)GSSAuthGSS_EXCEPTIONSc@s.eZdZdZddZddZddZdd Zd d Zd d Z ddZ dHddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Zd;d<Z d=d>Z!d?d@Z"e#dAdBZ$e#dCdDZ%e#dEdFZ&dGS)I AuthHandlerzC Internal class to handle the mechanics of authentication. cCs^t||_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_dS)NFrT)weakrefproxy transportusername authenticated auth_event auth_methodbannerpassword private_keyinteractive_handler submethods auth_usernameauth_fail_countgss_hostgss_deleg_creds)selfr3rBR/var/www/html/myproject/myenv/lib/python3.8/site-packages/paramiko/auth_handler.py__init__Rs zAuthHandler.__init__cGs |jj|SN)r3_log)rAargsrBrBrCrFdszAuthHandler._logcCs|jSrE)r5rArBrBrCis_authenticatedgszAuthHandler.is_authenticatedcCs|jjr|jS|jSdSrE)r3 server_moder=r4rHrBrBrC get_usernamejszAuthHandler.get_usernamecCs>|jjz||_d|_||_|W5|jjXdSNnoner3lockacquirereleaser6r7r4 _request_authrAr4eventrBrBrC auth_noneps  zAuthHandler.auth_nonecCsD|jjz$||_d|_||_||_|W5|jjXdS)N publickey) r3rOrPrQr6r7r4r:rR)rAr4keyrTrBrBrCauth_publickeyzs  zAuthHandler.auth_publickeycCsD|jjz$||_d|_||_||_|W5|jjXdS)Nr9) r3rOrPrQr6r7r4r9rR)rAr4r9rTrBrBrC auth_passwords  zAuthHandler.auth_passwordr0cCsJ|jjz*||_d|_||_||_||_| W5|jjXdS)K response_list = handler(title, instructions, prompt_list) keyboard-interactiveN) r3rOrPrQr6r7r4r;r<rR)rAr4handlerrTr<rBrBrCauth_interactives  zAuthHandler.auth_interactivecCsJ|jjz*||_d|_||_||_||_| W5|jjXdS)Ngssapi-with-mic) r3rOrPrQr6r7r4r?r@rR)rAr4r?r@rTrBrBrCauth_gssapi_with_mics  z AuthHandler.auth_gssapi_with_miccCs>|jjz||_d|_||_|W5|jjXdS)N gssapi-keyexrNrSrBrBrCauth_gssapi_keyexs  zAuthHandler.auth_gssapi_keyexcCs|jdk r|jdSrE)r6setrHrBrBrCaborts zAuthHandler.abortcCs*t}|t|d|j|dSN ssh-userauth)r%add_byter add_stringr3 _send_messagerAmrBrBrCrRs  zAuthHandler._request_authcCsHt}|t|t|d|d|j||jdS)NzService not availableen) r%rfradd_intrrgr3rhcloserirBrBrC!_disconnect_service_not_availables     z-AuthHandler._disconnect_service_not_availablecCsHt}|t|t|d|d|j||jdS)NzNo more auth methods availablerk) r%rfrrlrrgr3rhrmrirBrBrC_disconnect_no_more_auths     z$AuthHandler._disconnect_no_more_authcCs&|jr|jj|jjfS||fSdS)z Given any key, return its type/algorithm & bits-to-sign. Intended for input to or verification of, key signatures. N)Z public_blobkey_typeZkey_blobget_name)rArWrBrBrC_get_key_type_and_bitssz"AuthHandler._get_key_type_and_bitscCspt}||jj|t|||||d|d||\}}|||||S)NrVT) r%rgr3 session_idrfr add_booleanrrZasbytes)rArWservicer4 algorithmrj_bitsrBrBrC_get_session_blobs       zAuthHandler._get_session_blobcCsd}|jjdk r t|jj}|d|js^|j}|dksRt|jtrZt d}|| rhq|dk r |tkr t dq | s|j}|dkrt d}t|jt r|j S|gS)Ng?z5Authentication failed: transport shut down or saw EOFzAuthentication timeout.zAuthentication failed.)r3Z auth_timeouttimewait is_activeZ get_exception issubclass __class__EOFErrorr)is_setrIr+Z allowed_types)rArTZmax_tserBrBrCwait_for_responses.       zAuthHandler.wait_for_responsecCs|}|jjr|dkrt}|t|||j||jj \}}|rt}|t |||||j|dS| dSrd) get_textr3rJr%rfrrgrh server_objectZ get_bannerr$rn)rArjrur8languagerBrBrC_parse_service_request s       z"AuthHandler._parse_service_requestcCsF|jj}|dd|kr2d}|t||dS|jj|t|S)N-cert-v01@openssh.comr0zOsz:AuthHandler._finalize_pubkey_algorithm..zOur pubkey algorithm list: {}zFAn RSA key was specified, but no RSA pubkey algorithms are configured!zserver-sig-algsr0,zServer-side algorithm list: {}rz)No common pubkey algorithms exist! Dying.z=Unable to agree on a pubkey algorithm for signing a {!r} key!)rFrrendswithresearchr3remote_versionZ_agreed_pubkey_algorithmrr(r'Zserver_extensionsgetr&splitlistfilter __contains__r)r)rArprrZserver_algo_strZ server_algosZ agreementrrBrBrC_finalize_pubkey_algorithm3sl     z&AuthHandler._finalize_pubkey_algorithmc Cs|}|dkr|tdt}|t||j|d||j|jdkr|| dt |j }||n>|jdkr| d| |j \}}||}||||||j d|j|}|j ||}||n|jdkr|d ||jn|jd krXt|j|j} || |j||jj\} }| tkr||||jj\} }| tkr|} t}|tz|| |j | |jWn2t!k r} z|"| WYSd} ~ XYnX|j||jj\} }| t#kr|} z| |j | |j| }Wn2t!k rf} z|"| WYSd} ~ XYnX|dkrxqn&t}|t|||j$|qt%d &t'| t}|t(|| )|jj*n|| t+krt%d nh| t,kr,|-}|-}|}|t%d &|||n*| t.krD|/|dSt%d &t'| nb|jdkr|jj0r|jj1}|2|j|)|jj*}||n|jdkrnt%d&|j|j|n|td&|dS)Nrezuserauth is OKssh-connectionr9FrVTr[r0r^zReceived Package: {}zServer returned an error tokenzCGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} r`rMzUnknown auth method "{}"z!Service request "{}" accepted (?))3rrFrr%rfrrgr4r7rtr&r9rrr:rry sign_ssh_datar<r-r@ add_bytes ssh_gss_oidsr3rhZ packetizerZ read_messager_parse_userauth_bannerr get_stringrZssh_init_sec_contextr?r._handle_local_gss_failurer send_messager(rr#rZ ssh_get_micrsr!r get_intr_parse_userauth_failureZ gss_kex_used kexgss_ctxtZ set_username)rArjrur9rprxrvblobsigsshgssptypeZmechrZ srv_tokenZ next_tokenZ maj_statusZ min_statuserr_msgZkexgss mic_tokenrBrBrC_parse_service_accept{s                                         z!AuthHandler._parse_service_acceptcCst}|tkr2|td||td|_n\|td||t| |j j ||t krv|dn|d|jd7_|j ||jdkr||tkr|j dS)NzAuth granted ({}).TzAuth rejected ({}).F )r%r rFr rrfr r5r rgr3rZget_allowed_authsr rtr>rhro _auth_trigger)rAr4methodresultrjrBrBrC_send_auth_results&       zAuthHandler._send_auth_resultcCs|t}|t||j||j|t|t|j |j D] }||d| |dqJ|j |dS)Nrr) r%rfrrgname instructionsbytesrllenpromptsrtr3rh)rAqrjprBrBrC_interactive_querys     zAuthHandler._interactive_queryc Cs|jjs||||}t }| t | t ||D]}||q|j|dS)Nr[z Illegal info request from server)r7r(rrrrangeappendrr;r%rfrrlrrgr3rh) rArjtitlerrZ prompt_listiZ response_listrrBrBrC_parse_userauth_info_requests(    z(AuthHandler._parse_userauth_info_requestcCsr|jjstd|}g}t|D]}||q$|jj|}t |t r^| |dS| |j d|dS)Nz!Illegal info response from serverr[)r3rJr(rrrrrZcheck_auth_interactive_responserr,rrr=)rArjn responsesrrrBrBrC_parse_userauth_info_responses"   z)AuthHandler._parse_userauth_info_responsecCsR||j_|td||td|jd|_d|_|j dk rN|j dS)NzGSSAPI failure: {}rF) r3rrFrrr r7r5r4r6rb)rArrBrBrCr*s  z%AuthHandler._handle_local_gss_failurecCst|jt|jt|jiSrE)rrrrrrrHrBrBrC_server_handler_table<sz!AuthHandler._server_handler_tablec Cs"t|jt|jt|jt|jt|j iSrE) rrrrrrrrrrrHrBrBrC_client_handler_tableHsz!AuthHandler._client_handler_tablecCs|jjr|jS|jSdSrE)r3rJrrrHrBrBrC_handler_tableTszAuthHandler._handler_tableN)r0)'r __module__ __qualname____doc__rDrFrIrKrUrXrYr]r_rarcrRrnrorrryrrrrrrrrrrrrrrrpropertyrrrrBrBrBrCr/MsP           H 2   r/c@seZdZdZdZddZddZeddZed d Z ed d Z ed dZ ddZ ddZ ddZddZddZeeeeee eeiZeddZdS)rzA specialized Auth handler for gssapi-with-mic During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique. r^cCs||_||_dSrE) _delegater)rAZdelegaterrBrBrCrDesz!GssapiWithMicAuthHandler.__init__cCs||jSrE)_restore_delegate_auth_handlerrrcrHrBrBrCrciszGssapiWithMicAuthHandler.abortcCs|jjSrE)rr3rHrBrBrCr3msz"GssapiWithMicAuthHandler.transportcCs|jjSrE)rrrHrBrBrCrqsz*GssapiWithMicAuthHandler._send_auth_resultcCs|jjSrE)rr=rHrBrBrCr=usz&GssapiWithMicAuthHandler.auth_usernamecCs|jjSrE)rr?rHrBrBrCr?ysz!GssapiWithMicAuthHandler.gss_hostcCs|j|j_dSrE)rr3rrHrBrBrCr}sz7GssapiWithMicAuthHandler._restore_delegate_auth_handlerc Cs|}|j}z||j||j}WnJtk rn}z,||j_t}| | |j|j |W5d}~XYnX|dk rt }| t||tttf|j_|j|dSrE)rrZssh_accept_sec_contextr?r=rr3rrrrrr%rfrrgrr"rrrh)rArjZ client_tokenrtokenrrrBrBrC_parse_userauth_gssapi_tokens.  z5GssapiWithMicAuthHandler._parse_userauth_gssapi_tokenc Cs|}|j}|j}|z|||jj|Wn@tk rr}z"||j_t }| ||j |W5d}~XYnXt }|jj ||| ||j |dSrE)rrr=rrr3rsrrrrrr rZcheck_auth_gssapi_with_mic)rArjrrr4rrrBrBrC_parse_userauth_gssapi_mics*z3GssapiWithMicAuthHandler._parse_userauth_gssapi_miccCs||j|SrE)rrrrirBrBrCrsz/GssapiWithMicAuthHandler._parse_service_requestcCs||j|SrE)rrrrirBrBrCrsz0GssapiWithMicAuthHandler._parse_userauth_requestcCs|jSrE)(_GssapiWithMicAuthHandler__handler_tablerHrBrBrCrsz'GssapiWithMicAuthHandler._handler_tableN)rrrrrrDrcrr3rr=r?rrrrrrrrr"rrrBrBrBrCr\s8    rcsXeZdZdZefddZdddZddZd d Zd d Z dddZ ddZ Z S)AuthOnlyHandlerzU AuthHandler, and just auth, no service requests! .. versionadded:: 3.2 cstj}|t=|SrE)superrcopyr)rAZmy_tabler~rBrCrs z%AuthOnlyHandler._client_handler_tableNc Csx||_||_t}|t|||d|||||jj|j|W5QRXt |_ | |j S)a Submit a userauth request message & wait for response. Performs the transport message send call, sets self.auth_event, and will lock-n-block as necessary to both send, and wait for response to, the USERAUTH_REQUEST. Most callers will want to supply a callback to ``finish_message``, which accepts a Message ``m`` and may call mutator methods on it to add more fields. r) r7r4r%rfrrgr3rOrh threadingEventr6r)rAr4rZfinish_messagerjrBrBrCsend_auth_requests      z!AuthOnlyHandler.send_auth_requestcCs ||dSrLr)rAr4rBrBrCrUszAuthOnlyHandler.auth_nonecsH|\}|||d|fdd}||d|S)Nrcs4|d|||dS)NT)rtrgrrjrvrxrrWrBrCfinishs   z.AuthOnlyHandler.auth_publickey..finishrV)rrrryr)rAr4rWrprrBrrCrXs  zAuthOnlyHandler.auth_publickeycsfdd}||d|S)Ncs|d|tdS)NF)rtrgr&rr9rBrCrs z-AuthOnlyHandler.auth_password..finishr9r)rAr4r9rrBrrCrYs zAuthOnlyHandler.auth_passwordr0cs&d|_||_fdd}||d|S)rZZkeyboard_interactivecs|d|dS)Nr0)rgrr<rBrCr/s z0AuthOnlyHandler.auth_interactive..finishr[)r7r;r)rAr4r\r<rrBrrCr]%s z AuthOnlyHandler.auth_interactivecCstd}|t||dd}||ks,||krN||kr8|n|}d|d}|}n|d}|d|}|t||S)NzdServer did not send a server-sig-algs list; defaulting to something in our preferred algorithms listrr0zCurrent key type, z&, is in our preferred list; using thatrz3 not in our list - trying first list item instead, )rFrr)rArprrZnoncert_key_typeactualalgorBrBrCr8s    z1AuthOnlyHandler._choose_fallback_pubkey_algorithm)N)r0) rrrrrrrrUrXrYr]r __classcell__rBrBrrCrs  ) r);rr1rrzrZparamiko.commonrrrrrrrr r r r r rrrrrrrrrrrrrrrrrrr r!r"r#r$Zparamiko.messager%Z paramiko.utilr&r'Zparamiko.ssh_exceptionr(r)r*r+Zparamiko.serverr,Zparamiko.ssh_gssr-r.r/rrrBrBrBrCs&%  l