summaryrefslogtreecommitdiffhomepage
path: root/demos
diff options
context:
space:
mode:
authorJeff Forcier <jeff@bitprophet.org>2015-11-03 16:20:45 -0800
committerJeff Forcier <jeff@bitprophet.org>2015-11-03 16:20:45 -0800
commite8142be57cc9f5f216f24cc48656c58b70c5d59a (patch)
tree3296d24f3d58a02ad294250c49fe7124091ad96b /demos
parent94c20181dd8073e0cdbc83973c87e89c5f472d80 (diff)
parent16c106e6aac64424b554b33d269eee80ebb1db7a (diff)
Merge branch 'master' into 502-int
Diffstat (limited to 'demos')
-rw-r--r--demos/demo_server.py42
-rw-r--r--[-rwxr-xr-x]demos/demo_sftp.py19
-rwxr-xr-xdemos/demo_simple.py22
3 files changed, 72 insertions, 11 deletions
diff --git a/demos/demo_server.py b/demos/demo_server.py
index bb35258b..c4af9b10 100644
--- a/demos/demo_server.py
+++ b/demos/demo_server.py
@@ -66,9 +66,42 @@ class Server (paramiko.ServerInterface):
if (username == 'robey') and (key == self.good_pub_key):
return paramiko.AUTH_SUCCESSFUL
return paramiko.AUTH_FAILED
+
+ def check_auth_gssapi_with_mic(self, username,
+ gss_authenticated=paramiko.AUTH_FAILED,
+ cc_file=None):
+ """
+ .. note::
+ We are just checking in `AuthHandler` that the given user is a
+ valid krb5 principal! We don't check if the krb5 principal is
+ allowed to log in on the server, because there is no way to do that
+ in python. So if you develop your own SSH server with paramiko for
+ a certain platform like Linux, you should call ``krb5_kuserok()`` in
+ your local kerberos library to make sure that the krb5_principal
+ has an account on the server and is allowed to log in as a user.
+
+ .. seealso::
+ `krb5_kuserok() man page
+ <http://www.unix.com/man-page/all/3/krb5_kuserok/>`_
+ """
+ if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
+ return paramiko.AUTH_SUCCESSFUL
+ return paramiko.AUTH_FAILED
+
+ def check_auth_gssapi_keyex(self, username,
+ gss_authenticated=paramiko.AUTH_FAILED,
+ cc_file=None):
+ if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
+ return paramiko.AUTH_SUCCESSFUL
+ return paramiko.AUTH_FAILED
+
+ def enable_auth_gssapi(self):
+ UseGSSAPI = True
+ GSSAPICleanupCredentials = False
+ return UseGSSAPI
def get_allowed_auths(self, username):
- return 'password,publickey'
+ return 'gssapi-keyex,gssapi-with-mic,password,publickey'
def check_channel_shell_request(self, channel):
self.event.set()
@@ -79,6 +112,8 @@ class Server (paramiko.ServerInterface):
return True
+DoGSSAPIKeyExchange = True
+
# now connect
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -101,7 +136,8 @@ except Exception as e:
print('Got a connection!')
try:
- t = paramiko.Transport(client)
+ t = paramiko.Transport(client, gss_kex=DoGSSAPIKeyExchange)
+ t.set_gss_host(socket.getfqdn(""))
try:
t.load_server_moduli()
except:
@@ -123,7 +159,7 @@ try:
print('Authenticated!')
server.event.wait(10)
- if not server.event.isSet():
+ if not server.event.is_set():
print('*** Client never asked for a shell.')
sys.exit(1)
diff --git a/demos/demo_sftp.py b/demos/demo_sftp.py
index a34f2b19..2cb44701 100755..100644
--- a/demos/demo_sftp.py
+++ b/demos/demo_sftp.py
@@ -34,6 +34,11 @@ from paramiko.py3compat import input
# setup logging
paramiko.util.log_to_file('demo_sftp.log')
+# Paramiko client configuration
+UseGSSAPI = True # enable GSS-API / SSPI authentication
+DoGSSAPIKeyExchange = True
+Port = 22
+
# get hostname
username = ''
if len(sys.argv) > 1:
@@ -45,10 +50,10 @@ else:
if len(hostname) == 0:
print('*** Hostname required.')
sys.exit(1)
-port = 22
+
if hostname.find(':') >= 0:
hostname, portstr = hostname.split(':')
- port = int(portstr)
+ Port = int(portstr)
# get username
@@ -57,7 +62,10 @@ if username == '':
username = input('Username [%s]: ' % default_username)
if len(username) == 0:
username = default_username
-password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+if not UseGSSAPI:
+ password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+else:
+ password = None
# get host key, if we know one
@@ -81,8 +89,9 @@ if hostname in host_keys:
# now, connect and use paramiko Transport to negotiate SSH2 across the connection
try:
- t = paramiko.Transport((hostname, port))
- t.connect(username=username, password=password, hostkey=hostkey)
+ t = paramiko.Transport((hostname, Port))
+ t.connect(hostkey, username, password, gss_host=socket.getfqdn(hostname),
+ gss_auth=UseGSSAPI, gss_kex=DoGSSAPIKeyExchange)
sftp = paramiko.SFTPClient.from_transport(t)
# dirlist on remote host
diff --git a/demos/demo_simple.py b/demos/demo_simple.py
index ae631e43..3a17988c 100755
--- a/demos/demo_simple.py
+++ b/demos/demo_simple.py
@@ -36,6 +36,10 @@ except ImportError:
# setup logging
paramiko.util.log_to_file('demo_simple.log')
+# Paramiko client configuration
+UseGSSAPI = True # enable GSS-API / SSPI authentication
+DoGSSAPIKeyExchange = True
+port = 22
# get hostname
username = ''
@@ -48,7 +52,7 @@ else:
if len(hostname) == 0:
print('*** Hostname required.')
sys.exit(1)
-port = 22
+
if hostname.find(':') >= 0:
hostname, portstr = hostname.split(':')
port = int(portstr)
@@ -60,7 +64,8 @@ if username == '':
username = input('Username [%s]: ' % default_username)
if len(username) == 0:
username = default_username
-password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+if not UseGSSAPI or (not UseGSSAPI and not DoGSSAPIKeyExchange):
+ password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
# now, connect and use paramiko Client to negotiate SSH2 across the connection
@@ -69,7 +74,18 @@ try:
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.WarningPolicy())
print('*** Connecting...')
- client.connect(hostname, port, username, password)
+ if not UseGSSAPI or (not UseGSSAPI and not DoGSSAPIKeyExchange):
+ client.connect(hostname, port, username, password)
+ else:
+ # SSPI works only with the FQDN of the target host
+ hostname = socket.getfqdn(hostname)
+ try:
+ client.connect(hostname, port, username, gss_auth=UseGSSAPI,
+ gss_kex=DoGSSAPIKeyExchange)
+ except Exception:
+ password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+ client.connect(hostname, port, username, password)
+
chan = client.invoke_shell()
print(repr(client.get_transport()))
print('*** Here we go!\n')