summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorAnselm Kruis <a.kruis@science-computing.de>2017-08-01 21:58:58 +0200
committerAnselm Kruis <a.kruis@science-computing.de>2017-08-04 18:40:27 +0200
commit0b99097fa8fdc297fef79ab599ab73349331af4e (patch)
tree88f48aa454328b59c174091441369e65b0870dbc
parentc214e5043fdaf72e355bc014239ebeddf269059d (diff)
AuthHandler: handle local "gssapi-with-mic" errors in client mode
Paramiko now tries other authentication methods, if "gssapi-with-mic" authentication may fails for a local reason (i.e. no kerberos ticket). Befor this change, any exception from the GSSAPI/SSPI caused the transport to be closed.
-rw-r--r--paramiko/auth_handler.py33
1 files changed, 24 insertions, 9 deletions
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
index 13c41c9b..b9e826d5 100644
--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
@@ -43,7 +43,7 @@ from paramiko.ssh_exception import (
PartialAuthentication,
)
from paramiko.server import InteractiveQuery
-from paramiko.ssh_gss import GSSAuth
+from paramiko.ssh_gss import GSSAuth, GSS_EXCEPTIONS
class AuthHandler (object):
@@ -262,19 +262,24 @@ class AuthHandler (object):
mech = m.get_string()
m = Message()
m.add_byte(cMSG_USERAUTH_GSSAPI_TOKEN)
- m.add_string(sshgss.ssh_init_sec_context(self.gss_host,
- mech,
- self.username,))
+ try:
+ m.add_string(sshgss.ssh_init_sec_context(self.gss_host,
+ mech,
+ self.username,))
+ except GSS_EXCEPTIONS as e:
+ return self._handle_local_gss_failure(e)
self.transport._send_message(m)
while True:
ptype, m = self.transport.packetizer.read_message()
if ptype == MSG_USERAUTH_GSSAPI_TOKEN:
srv_token = m.get_string()
- next_token = sshgss.ssh_init_sec_context(
- self.gss_host,
- mech,
- self.username,
- srv_token)
+ try:
+ next_token = sshgss.ssh_init_sec_context(self.gss_host,
+ mech,
+ self.username,
+ srv_token)
+ except GSS_EXCEPTIONS as e:
+ return self._handle_local_gss_failure(e)
# After this step the GSSAPI should not return any
# token. If it does, we keep sending the token to
# the server until no more token is returned.
@@ -609,6 +614,16 @@ class AuthHandler (object):
self._send_auth_result(
self.auth_username, 'keyboard-interactive', result)
+ def _handle_local_gss_failure(self, e):
+ self.transport.saved_exception = e
+ self.transport._log(DEBUG, "GSSAPI failure: %s" % str(e))
+ self.transport._log(INFO, 'Authentication (%s) failed.' % self.auth_method)
+ self.authenticated = False
+ self.username = None
+ if self.auth_event is not None:
+ self.auth_event.set()
+ return
+
_handler_table = {
MSG_SERVICE_REQUEST: _parse_service_request,
MSG_SERVICE_ACCEPT: _parse_service_accept,