author | Anselm Kruis <a.kruis@science-computing.de> | 2017-08-01 21:58:58 +0200 |
---|---|---|
committer | Anselm Kruis <a.kruis@science-computing.de> | 2017-08-04 18:40:27 +0200 |
commit | 0b99097fa8fdc297fef79ab599ab73349331af4e (patch) | |
tree | 88f48aa454328b59c174091441369e65b0870dbc | |
parent | c214e5043fdaf72e355bc014239ebeddf269059d (diff) |
AuthHandler: handle local "gssapi-with-mic" errors in client mode
Paramiko now tries other authentication methods if "gssapi-with-mic"
authentication fails for a local reason (i.e. no Kerberos ticket).
Before this change, any exception from the GSSAPI/SSPI caused the
transport to be closed.
-rw-r--r-- | paramiko/auth_handler.py | 33 |
1 files changed, 24 insertions, 9 deletions
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
index 13c41c9b..b9e826d5 100644
--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
@@ -43,7 +43,7 @@ from paramiko.ssh_exception import (
 PartialAuthentication,
 )
 from paramiko.server import InteractiveQuery
-from paramiko.ssh_gss import GSSAuth
+from paramiko.ssh_gss import GSSAuth, GSS_EXCEPTIONS
 class AuthHandler (object):
@@ -262,19 +262,24 @@ class AuthHandler (object):
 mech = m.get_string()
 m = Message()
 m.add_byte(cMSG_USERAUTH_GSSAPI_TOKEN)
- m.add_string(sshgss.ssh_init_sec_context(self.gss_host,
- mech,
- self.username,))
+ try:
+ m.add_string(sshgss.ssh_init_sec_context(self.gss_host,
+ mech,
+ self.username,))
+ except GSS_EXCEPTIONS as e:
+ return self._handle_local_gss_failure(e)
 self.transport._send_message(m)
 while True:
 ptype, m = self.transport.packetizer.read_message()
 if ptype == MSG_USERAUTH_GSSAPI_TOKEN:
 srv_token = m.get_string()
- next_token = sshgss.ssh_init_sec_context(
- self.gss_host,
- mech,
- self.username,
- srv_token)
+ try:
+ next_token = sshgss.ssh_init_sec_context(self.gss_host,
+ mech,
+ self.username,
+ srv_token)
+ except GSS_EXCEPTIONS as e:
+ return self._handle_local_gss_failure(e)
 # After this step the GSSAPI should not return any
 # token. If it does, we keep sending the token to
 # the server until no more token is returned.
@@ -609,6 +614,16 @@ class AuthHandler (object):
 self._send_auth_result( self.auth_username, 'keyboard-interactive', result)
+ def _handle_local_gss_failure(self, e):
+ self.transport.saved_exception = e
+ self.transport._log(DEBUG, "GSSAPI failure: %s" % str(e))
+ self.transport._log(INFO, 'Authentication (%s) failed.' % self.auth_method)
+ self.authenticated = False
+ self.username = None
+ if self.auth_event is not None:
+ self.auth_event.set()
+ return
+
 _handler_table = {
 MSG_SERVICE_REQUEST: _parse_service_request,
 MSG_SERVICE_ACCEPT: _parse_service_accept,
|
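Review bot: The second `except GSS_EXCEPTIONS` in the `@@ -262` hunk wraps the `ssh_init_sec_context` call that consumes `srv_token` read from the peer, so a failure there is not necessarily local: a malformed or unexpected server token ends up in the same `_handle_local_gss_failure` path, is logged only at DEBUG as `GSSAPI failure`, and per the commit description the client then falls back to its remaining auth methods. I would have the helper take a short site string (`'init'` vs `'server token'`) and include it in the DEBUG line so an operator reading the log can tell a missing credential apart from a token the peer sent. The new helper also has no docstring; I would add `"""Abort the running GSSAPI auth attempt after the GSS library raised: store the exception in transport.saved_exception, log it, reset the auth state and wake auth_event (how the caller surfaces saved_exception is outside this hunk)."""`. The trailing bare `return` is redundant, and the INFO log line exceeds 79 columns. The method enclosing the `@@ -262` hunk starts and ends outside the hunk.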