author | Sebastian Deiss <sebastian.deiss@atos.net> | 2017-09-18 09:28:00 +0200 |
committer | Sebastian Deiss <sebastian.deiss@atos.net> | 2017-09-18 09:28:00 +0200 |
commit | 2bfd3341e1b32d17d0dd358ba6a7efbde7d4859a (patch) | |
tree | 06698f43b44bb470134d8f4511e3199d81d19775 | |
parent | 12efa62cf9c4190aab651f9dd61b1b176d8e07fe (diff) |
Fix gss_host setting and cleanup its logic
The parameter 'kex_requested' is misleading, since setting 'gss_host'
is also required for gssapi-with-mic.
-rw-r--r-- | paramiko/client.py | 6 | ||||
-rw-r--r-- | paramiko/transport.py | 17 |
2 files changed, 14 insertions, 9 deletions
diff --git a/paramiko/client.py b/paramiko/client.py
index 86f5d896..75d295ea 100644
--- a/paramiko/client.py
+++ b/paramiko/client.py
@@ -354,9 +354,11 @@ class SSHClient (ClosingContextManager):
 )
 t.use_compression(compress=compress)
 t.set_gss_host(
- kex_requested=gss_kex,
- gss_host=gss_host,
+ # t.hostname may be None, but GSS-API requires a target name.
+ # Therefore use hostname as fallback.
+ gss_host=gss_host or hostname,
 trust_dns=gss_trust_dns,
+ gssapi_requested=gss_auth or gss_kex,
 )
 if self._log_channel is not None:
 t.set_log_channel(self._log_channel)
diff --git a/paramiko/transport.py b/paramiko/transport.py
index a1c503f8..f07aec72 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -455,13 +455,10 @@ class Transport(threading.Thread, ClosingContextManager): """ return SecurityOptions(self) - def set_gss_host(self, kex_requested, gss_host, trust_dns): + def set_gss_host(self, gss_host, trust_dns=True, gssapi_requested=True): """ Normalize/canonicalize ``self.gss_host`` depending on various factors. - :param bool kex_requested: - Whether GSSAPI key exchange was even requested. If not, this is a - no-op and nothing happens (and ``self.gss_host`` is not set.) :param str gss_host: The explicitly requested GSS-oriented hostname to connect to (i.e. what the host's name is in the Kerberos database.) Defaults to
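Review bot: The fallback `gss_host=gss_host or hostname` substitutes on any falsy value, whereas `Transport.set_gss_host` in the next file only substitutes when `gss_host is None`, so an explicit empty string is treated as "unset" through `SSHClient.connect` but is passed on to `socket.getfqdn` through `Transport.connect`. Of the two, the truthiness form is the safer one to standardize on, because `socket.getfqdn('')` resolves the local host rather than the SSH target. The new comment explains the fallback but not what the value is used for; a line such as `# gss_host is the name the Kerberos target principal is looked up under; with trust_dns it is further canonicalized via DNS.` would tell the next reader why the choice matters. `SSHClient.connect` begins outside the hunk.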
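Review bot: Dropping `kex_requested` from the first positional slot silently breaks any caller that passed the three arguments positionally: `set_gss_host(True, host, trust)` now binds `True` to `gss_host` and `host` to `trust_dns` without an error. Both in-tree callers in this commit use keywords, so only external callers are affected, but the "backwards compatibility" wording in the new docstring only holds for keyword callers. If the project still supports Python 2, keyword-only parameters are not an option, so the change should at least be recorded with a `.. versionchanged::` entry or a sentence like `Note: the parameter order changed; pass ``trust_dns`` and ``gssapi_requested`` by keyword.`. `set_gss_host` continues into the next hunk.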
@@ -471,17 +468,23 @@ class Transport(threading.Thread, ClosingContextManager): Indicates whether or not DNS is trusted; if true, DNS will be used to canonicalize the GSS hostname (which again will either be ``gss_host`` or the transport's default hostname.) + (Defaults to True due to backwards compatibility.) + :param bool gssapi_requested: + Whether GSSAPI key exchange or authentication was even requested. + If not, this is a no-op and nothing happens + (and ``self.gss_host`` is not set.) + (Defaults to True due to backwards compatibility.) :returns: ``None``. """ # No GSSAPI in play == nothing to do - if not kex_requested: + if not gssapi_requested: return # Obtain the correct host first - did user request a GSS-specific name # to use that is distinct from the actual SSH target hostname? if gss_host is None: gss_host = self.hostname # Finally, canonicalize via DNS if DNS is trusted. - if trust_dns: + if trust_dns and gss_host is not None: gss_host = socket.getfqdn(gss_host) # And set attribute for reference later. self.gss_host = gss_host
@@ -1159,9 +1162,9 @@ class Transport(threading.Thread, ClosingContextManager): self._preferred_keys = [hostkey.get_name()] self.set_gss_host( - kex_requested=gss_kex, gss_host=gss_host, trust_dns=gss_trust_dns, + gssapi_requested=gss_kex or gss_auth, ) self.start_client() |
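Review bot: The new guard `if trust_dns and gss_host is not None:` still lets an empty string through, and `socket.getfqdn('')` is documented to resolve the local host, so `gss_host=''` with `trust_dns` at its new default of True would canonicalize the client's own name as the Kerberos target instead of the server's. `if trust_dns and gss_host:` closes that gap at no cost. When both `gss_host` and `self.hostname` are None the method now silently leaves `self.gss_host` as None; whether later GSS-API code copes with that I cannot tell from this hunk, so a comment such as `# gss_host stays None here; GSS-API kex/auth will still need a target name later` would help the next reader. Since `trust_dns` now defaults to True, the docstring should also say plainly that DNS then decides which principal is authenticated to, the same trust decision OpenSSH exposes as GSSAPITrustDNS.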