This module provides GSS-API / SSPI authentication as defined in RFC 4462.
Note
Credential delegation is not supported in server mode.
New in version 1.15.
paramiko.ssh_gss.GSSAuth(auth_method, gss_deleg_creds=True)
    Provide SSH2 GSS-API / SSPI authentication.

    Returns: _SSH_GSSAPI (Unix) object or an _SSH_SSPI (Windows) object
    Raises: ImportError -- If no GSS-API / SSPI module could be imported.

    Note: The result is an _SSH_GSSAPI (MIT GSSAPI) object or an _SSH_SSPI (MS SSPI) object. If you get python-gssapi working on Windows, python-gssapi will be used and a _SSH_GSSAPI object will be returned. If there is no supported API available, None will be returned.

class paramiko.ssh_gss._SSH_GSSAuth(auth_method, gss_deleg_creds)
    Contains the shared variables and methods of _SSH_GSSAPI and _SSH_SSPI.

    __init__(auth_method, gss_deleg_creds)

    __weakref__
        list of weak references to the object (if defined)

    set_service(service)
        This is just a setter to use a non-default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value.
        Parameters: service (str) -- The desired SSH service

    set_username(username)
        Setter for username. If GSS-API Key Exchange is performed, the username is not set by ssh_init_sec_context.
        Parameters: username (str) -- The name of the user who attempts to log in

    ssh_check_mech(desired_mech)
        Check if the given OID is the Kerberos V5 OID (server mode).
        Parameters: desired_mech (str) -- The desired GSS-API mechanism of the client
        Returns: True if the given OID is supported, otherwise False

    ssh_gss_oids(mode='client')
        This method returns a single OID, because we only support the Kerberos V5 mechanism.
        Parameters: mode (str) -- Client for client mode and server for server mode

class paramiko.ssh_gss._SSH_GSSAPI(auth_method, gss_deleg_creds)
    Implementation of the GSS-API MIT Kerberos Authentication for SSH2.

    __init__(auth_method, gss_deleg_creds)

    credentials_delegated
        Checks if credentials are delegated (server mode).
        Returns: True if credentials are delegated, otherwise False

    save_client_creds(client_token)
        Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode).
        Parameters: client_token (str) -- The GSS-API token received from the client
        Raises: NotImplementedError -- Credential delegation is currently not supported in server mode

    ssh_accept_sec_context(hostname, recv_token, username=None)
        Accept a GSS-API context (server mode).

    ssh_check_mic(mic_token, session_id, username=None)
        Verify the MIC token for a SSH2 message.

    ssh_get_mic(session_id, gss_kex=False)
        Create the MIC token for a SSH2 message.
        _ssh_build_mic.
        gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message.

    ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)
        Initialize a GSS-API context.
        Parameters:
        - username (str) -- The name of the user who attempts to log in
        - target (str) -- The hostname of the target to connect to
        - desired_mech (str) -- The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-))
        - recv_token (str) -- The GSS-API token received from the Server
        Raises: SSHException -- Is raised if the desired mechanism of the client is not supported
        Returns: String if the GSS-API has returned a token or None if no token was returned

class paramiko.ssh_gss._SSH_SSPI(auth_method, gss_deleg_creds)
    Implementation of the Microsoft SSPI Kerberos Authentication for SSH2.

    __init__(auth_method, gss_deleg_creds)

    credentials_delegated
        Checks if credentials are delegated (server mode).
        Returns: True if credentials are delegated, otherwise False

    save_client_creds(client_token)
        Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode).
        Parameters: client_token (str) -- The SSPI token received from the client
        Raises: NotImplementedError -- Credential delegation is currently not supported in server mode

    ssh_accept_sec_context(hostname, username, recv_token)
        Accept a SSPI context (server mode).

    ssh_check_mic(mic_token, session_id, username=None)
        Verify the MIC token for a SSH2 message.

    ssh_get_mic(session_id, gss_kex=False)
        Create the MIC token for a SSH2 message.
        _ssh_build_mic.
        gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message.

    ssh_init_sec_context(target, desired_mech=None, username=None, recv_token=None)
        Initialize a SSPI context.
        Raises: SSHException -- Is raised if the desired mechanism of the client is not supported
        Returns: String if the SSPI has returned a token or None if no token was returned
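
The message that ssh_get_mic and ssh_check_mic operate on, and the Kerberos V5 OID comparison behind ssh_check_mech, as an added sketch that is not paramiko's own code. The gssapi-with-mic field layout is taken from RFC 4462 section 3.5, the gss_kex branch follows the description above, toy_mic (HMAC-SHA256) is a stand-in for the real GSS-API / SSPI MIC call, and all function names and sample values are assumptions made for this example.

```python
import hashlib
import hmac
import struct

MSG_USERAUTH_REQUEST = 50            # SSH_MSG_USERAUTH_REQUEST (RFC 4252)
KRB5_OID = "1.2.840.113554.1.2.2"    # Kerberos V5 mechanism OID

# Constructed sample values, not taken from a real session.
SESSION_ID = bytes(range(32))
KEY = b"constructed-context-key"


def ssh_string(data):
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def der_oid(dotted):
    """DER-encode a dotted OID, the byte form a mechanism check compares."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                   # base-128, high bit marks continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def mic_message(session_id, username, service="ssh-connection", gss_kex=False):
    """Bytes the MIC is computed over."""
    if gss_kex:                      # gssapi-keyex: the session ID alone
        return session_id
    return (ssh_string(session_id)   # RFC 4462 section 3.5 field order
            + bytes([MSG_USERAUTH_REQUEST])
            + ssh_string(username.encode())
            + ssh_string(service.encode())
            + ssh_string(b"gssapi-with-mic"))


def toy_mic(context_key, message):
    """Stand-in for the GSS-API MIC call (HMAC-SHA256), not the real one."""
    return hmac.new(context_key, message, hashlib.sha256).digest()


def server_check(context_key, mic, session_id, username):
    """Server rebuilds the message from its own state, then compares."""
    expected = toy_mic(context_key, mic_message(session_id, username))
    return hmac.compare_digest(mic, expected)
```

Because the server rebuilds the message from its own session ID and the username in the request, a MIC produced for one session or user does not verify for another.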