-rwxr-xr-xdemos/demo_simple.py12
-rw-r--r--paramiko/auth_handler.py3
-rw-r--r--paramiko/client.py50
-rw-r--r--paramiko/transport.py18
4 files changed, 45 insertions, 38 deletions
diff --git a/demos/demo_simple.py b/demos/demo_simple.py
index 100e15f5..a9d363da 100755
--- a/demos/demo_simple.py
+++ b/demos/demo_simple.py
@@ -64,7 +64,7 @@ if username == '':
username = input('Username [%s]: ' % default_username)
if len(username) == 0:
username = default_username
-if not UseGSSAPI:
+if not UseGSSAPI or (not UseGSSAPI and not DoGSSAPIKeyExchange):
password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
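Review bot: The new condition `not UseGSSAPI or (not UseGSSAPI and not DoGSSAPIKeyExchange)` reduces to `not UseGSSAPI`, because the second operand can only be true when the first already is, so this line behaves exactly as before the change. If the intent was to prompt for a password only when neither GSS-API mechanism is enabled, it should probably read `if not UseGSSAPI and not DoGSSAPIKeyExchange:`. As written, setting `DoGSSAPIKeyExchange` alone still takes the password path. The same expression is repeated in the connect branch of the next hunk and needs the same correction.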
@@ -74,13 +74,17 @@ try:
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.WarningPolicy())
print('*** Connecting...')
- if not UseGSSAPI:
+ if not UseGSSAPI or (not UseGSSAPI and not DoGSSAPIKeyExchange):
client.connect(hostname, Port, username, password)
else:
# SSPI works only with the FQDN of the target host
hostname = socket.getfqdn(hostname)
- client.connect(hostname, Port, username, gss_auth=UseGSSAPI,
- gss_kex=DoGSSAPIKeyExchange)
+ try:
+ client.connect(hostname, Port, username, gss_auth=UseGSSAPI,
+ gss_kex=DoGSSAPIKeyExchange)
+ except Exception:
+ password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+ client.connect(hostname, Port, username, password)
chan = client.invoke_shell()
print(repr(client.get_transport()))
print('*** Here we go!\n')
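Review bot: The added `except Exception:` around the GSS-API `client.connect(...)` turns every failure into a password prompt followed by a second connect to the same host, not only a rejected GSS-API authentication. A host-key mismatch, a network error or a bug in the GSS-API code would all lead to the password being sent, and the policy set above is `WarningPolicy`, which only warns about unknown host keys. Narrow the handler to the authentication failure, for example `except paramiko.AuthenticationException:` (or whichever exceptions the GSS-API path is documented to raise), and print why the fallback is happening so that the downgrade from Kerberos to password is visible to the user.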
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
index 1910a7f1..81a7946d 100644
--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
@@ -297,6 +297,9 @@ class AuthHandler (object):
%s\n") % (str(maj_status),
str(min_status),
err_msg)
+ elif ptype == MSG_USERAUTH_FAILURE:
+ self._parse_userauth_failure(m)
+ return
else:
raise SSHException("Received Package: %s" % MSG_NAMES[ptype])
elif self.auth_method == 'gssapi-keyex' and\
diff --git a/paramiko/client.py b/paramiko/client.py
index b786d17b..f4149510 100644
--- a/paramiko/client.py
+++ b/paramiko/client.py
@@ -473,6 +473,31 @@ class SSHClient (object):
two_factor = False
allowed_types = []
+ """
+ If GSS-API support and GSS-PI Key Exchange was performed, we attempt
+ authentication with gssapi-keyex.
+ """
+ if gss_kex and self._transport.gss_kex_used:
+ try:
+ self._transport.auth_gssapi_keyex(username)
+ return
+ except Exception as e:
+ saved_exception = e
+
+ """
+ Try GSS-API authentication (gssapi-with-mic) only if GSS-API Key
+ Exchange is not performed, because if we use GSS-API for the key
+ exchange, there is already a fully established GSS-API context, so
+ why should we do that again?
+ """
+ if gss_auth:
+ try:
+ self._transport.auth_gssapi_with_mic(username, gss_host,
+ gss_deleg_creds)
+ return
+ except Exception as e:
+ saved_exception = e
+
if pkey is not None:
try:
self._log(DEBUG, 'Trying SSH key %s' % hexlify(pkey.get_fingerprint()))
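Review bot: Both relocated GSS-API blocks now use `except Exception as e:` where the removed code caught `except SSHException as e:`, so any error in the GSS-API path is stored in `saved_exception` and the method silently moves on to the public-key attempt that follows. That hides programming and library errors, and it makes a downgrade from GSS-API to weaker credentials invisible; keep `except SSHException as e:` (adding only the specific GSS-API error types if they are needed) and log the failure at DEBUG before continuing. The comment above the `if gss_auth:` block is also stale, since the `not self._transport.gss_kex_used` check it describes was dropped; either restore the check or reword it to say that gssapi-with-mic is tried whenever gssapi-keyex did not succeed. Both explanations are bare string literals in the middle of the function and would be better as `#` comments. The enclosing method starts and ends outside this hunk.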
@@ -554,31 +579,6 @@ class SSHClient (object):
elif two_factor:
raise SSHException('Two-factor authentication requires a password')
- """
- Try GSS-API authentication (gssapi-with-mic) only if GSS-API Key
- Exchange is not performed, because if we use GSS-API for the key
- exchange, there is already a fully established GSS-API context, so
- why should we do that again?
- """
- if gss_auth and not self._transport.gss_kex_used:
- try:
- self._transport.auth_gssapi_with_mic(username, gss_host,
- gss_deleg_creds)
- return
- except SSHException as e:
- saved_exception = e
-
- """
- If GSS-API support and GSS-PI Key Exchange was performed, we attempt
- authentication with gssapi-keyex.
- """
- if gss_auth and gss_kex and self._transport.gss_kex_used:
- try:
- self._transport.auth_gssapi_keyex(username)
- return
- except SSHException as e:
- saved_exception = e
-
# if we got an auth-failed exception earlier, re-raise it
if saved_exception is not None:
raise saved_exception
diff --git a/paramiko/transport.py b/paramiko/transport.py
index d46a6c6f..fcf074ae 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -341,7 +341,7 @@ class Transport (threading.Thread):
self.gss_kex_used = False
self.kexgss_ctxt = None
self.gss_host = None
- if gss_kex:
+ if self.use_gss_kex:
self.kexgss_ctxt = GSSAuth("gssapi-keyex", gss_deleg_creds)
self._preferred_kex = ('gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==',
'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==',
@@ -1065,18 +1065,18 @@ class Transport (threading.Thread):
self._log(DEBUG, 'Host key verified (%s)' % hostkey.get_name())
if (pkey is not None) or (password is not None) or gss_auth or gss_kex:
- if password is not None:
- self._log(DEBUG, 'Attempting password auth...')
- self.auth_password(username, password)
- elif pkey is not None:
- self._log(DEBUG, 'Attempting public-key auth...')
- self.auth_publickey(username, pkey)
- elif gss_auth:
+ if gss_auth:
self._log(DEBUG, 'Attempting GSS-API auth... (gssapi-with-mic)')
self.auth_gssapi_with_mic(username, gss_host, gss_deleg_creds)
- else:
+ elif gss_kex:
self._log(DEBUG, 'Attempting GSS-API auth... (gssapi-keyex)')
self.auth_gssapi_keyex(username)
+ elif pkey is not None:
+ self._log(DEBUG, 'Attempting public-key auth...')
+ self.auth_publickey(username, pkey)
+ else:
+ self._log(DEBUG, 'Attempting password auth...')
+ self.auth_password(username, password)
return
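Review bot: With the new ordering, a caller that passes `gss_kex=True` together with a `pkey` or `password` will only ever attempt `auth_gssapi_keyex`, because the chain is `if`/`elif` and nothing here checks whether GSS-API key exchange was actually negotiated. The transport already tracks this in `self.gss_kex_used`, so the branch should probably be `elif gss_kex and self.gss_kex_used:`; otherwise a server that did not negotiate a GSS key exchange makes authentication fail even though usable credentials were supplied. The precedence change (GSS-API now wins over password and key) also alters behaviour for existing callers and should be stated in the method's docstring. The enclosing method begins outside this hunk.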