authorJeff Forcier <jeff@bitprophet.org>2017-09-18 11:01:40 -0700
committerGitHub <noreply@github.com>2017-09-18 11:01:40 -0700
commitb55abff677c348ed41126a59b4f608c2449183aa (patch)
tree683ff34ce4984be308116c503018dcb55d29f931
parent3a1d42c99942827abe92c3e15446c5091502e68f (diff)
parent2bfd3341e1b32d17d0dd358ba6a7efbde7d4859a (diff)
Merge pull request #1064 from SebastianDeiss/fix-set_gss_host
Fix gss_host setting and cleanup its logic
-rw-r--r--paramiko/client.py6
-rw-r--r--paramiko/transport.py17
2 files changed, 14 insertions, 9 deletions
diff --git a/paramiko/client.py b/paramiko/client.py
index 86f5d896..75d295ea 100644
--- a/paramiko/client.py
+++ b/paramiko/client.py
@@ -354,9 +354,11 @@ class SSHClient (ClosingContextManager):
)
t.use_compression(compress=compress)
t.set_gss_host(
- kex_requested=gss_kex,
- gss_host=gss_host,
+ # t.hostname may be None, but GSS-API requires a target name.
+ # Therefore use hostname as fallback.
+ gss_host=gss_host or hostname,
trust_dns=gss_trust_dns,
+ gssapi_requested=gss_auth or gss_kex,
)
if self._log_channel is not None:
t.set_log_channel(self._log_channel)
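Review bot: The two-line comment inside the `t.set_gss_host(` argument list explains the `None` case but not that `gss_host or hostname` also replaces an empty string, which differs from the `is None` test inside `set_gss_host`. I would move it above the call and say so, for example `# Transport.hostname may be unset; fall back to the connect() hostname (also when gss_host is empty), since GSS-API needs a target name.` It is also worth stating there that this value becomes the GSS target name and is canonicalized through DNS unless `gss_trust_dns` is false, since that is the setting a caller on an untrusted resolver needs to find. The enclosing method starts and ends outside the hunk.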
diff --git a/paramiko/transport.py b/paramiko/transport.py
index a1c503f8..f07aec72 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -455,13 +455,10 @@ class Transport(threading.Thread, ClosingContextManager):
"""
return SecurityOptions(self)
- def set_gss_host(self, kex_requested, gss_host, trust_dns):
+ def set_gss_host(self, gss_host, trust_dns=True, gssapi_requested=True):
"""
Normalize/canonicalize ``self.gss_host`` depending on various factors.
- :param bool kex_requested:
- Whether GSSAPI key exchange was even requested. If not, this is a
- no-op and nothing happens (and ``self.gss_host`` is not set.)
:param str gss_host:
The explicitly requested GSS-oriented hostname to connect to (i.e.
what the host's name is in the Kerberos database.) Defaults to
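Review bot: The new signature `set_gss_host(self, gss_host, trust_dns=True, gssapi_requested=True)` puts `gss_host` in the position `kex_requested` used to hold, so a caller passing the old three arguments positionally is reinterpreted without an error. The old `trust_dns` value lands in `gssapi_requested` and can turn the call into a no-op. Both call sites visible in this commit use keywords, but the method is public, so the docstring should record the reorder, e.g. a `.. versionchanged:: <VERSION>` entry saying the arguments must be passed by keyword. The docstring and body continue past the end of this hunk.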
@@ -471,17 +468,23 @@ class Transport(threading.Thread, ClosingContextManager):
Indicates whether or not DNS is trusted; if true, DNS will be used
to canonicalize the GSS hostname (which again will either be
``gss_host`` or the transport's default hostname.)
+ (Defaults to True due to backwards compatibility.)
+ :param bool gssapi_requested:
+ Whether GSSAPI key exchange or authentication was even requested.
+ If not, this is a no-op and nothing happens
+ (and ``self.gss_host`` is not set.)
+ (Defaults to True due to backwards compatibility.)
:returns: ``None``.
"""
# No GSSAPI in play == nothing to do
- if not kex_requested:
+ if not gssapi_requested:
return
# Obtain the correct host first - did user request a GSS-specific name
# to use that is distinct from the actual SSH target hostname?
if gss_host is None:
gss_host = self.hostname
# Finally, canonicalize via DNS if DNS is trusted.
- if trust_dns:
+ if trust_dns and gss_host is not None:
gss_host = socket.getfqdn(gss_host)
# And set attribute for reference later.
self.gss_host = gss_host
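Review bot: The added guard `if trust_dns and gss_host is not None:` still lets an empty string reach `socket.getfqdn()`, which treats an empty name as the local host, so `self.gss_host` would become the client's own FQDN rather than the server's. `client.py` avoids this with `gss_host or hostname`, but the `set_gss_host` call in the last transport.py hunk passes `gss_host` straight through. Testing truthiness in both places closes the gap: `if not gss_host: gss_host = self.hostname` and `if trust_dns and gss_host:`. When both values are unset and GSS-API was requested, the method stores `None` silently; a log line or an explicit error there would make the later failure easier to diagnose.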
@@ -1159,9 +1162,9 @@ class Transport(threading.Thread, ClosingContextManager):
self._preferred_keys = [hostkey.get_name()]
self.set_gss_host(
- kex_requested=gss_kex,
gss_host=gss_host,
trust_dns=gss_trust_dns,
+ gssapi_requested=gss_kex or gss_auth,
)
self.start_client()