Diffstat (limited to 'auth_transport.py')
-rw-r--r-- | auth_transport.py | 37 |
1 files changed, 20 insertions, 17 deletions
diff --git a/auth_transport.py b/auth_transport.py index 1a06326d..78ce8d70 100644 --- a/auth_transport.py +++ b/auth_transport.py @@ -10,11 +10,13 @@ from logging import DEBUG, INFO, WARNING, ERROR, CRITICAL DISCONNECT_SERVICE_NOT_AVAILABLE, DISCONNECT_AUTH_CANCELLED_BY_USER, \ DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE = 7, 13, 14 -AUTH_SUCCESSFUL, AUTH_PARTIALLY_SUCCESSFUL, AUTH_FAILED = range(3) class Transport(BaseTransport): "BaseTransport with the auth framework hooked up" + + AUTH_SUCCESSFUL, AUTH_PARTIALLY_SUCCESSFUL, AUTH_FAILED = range(3) + def __init__(self, sock): BaseTransport.__init__(self, sock) self.auth_event = None @@ -111,21 +113,21 @@ class Transport(BaseTransport): else: self.log(DEBUG, 'Service request "%s" accepted (?)' % service) - def get_allowed_auths(self): + def get_allowed_auths(self, username): "override me!" return 'password' def check_auth_none(self, username): - "override me! return tuple of (int, string) ==> (auth status, list of acceptable auth methods)" - return (AUTH_FAILED, self.get_allowed_auths()) + "override me! return int ==> auth status" + return self.AUTH_FAILED def check_auth_password(self, username, password): - "override me! return tuple of (int, string) ==> (auth status, list of acceptable auth methods)" - return (AUTH_FAILED, self.get_allowed_auths()) + "override me! return int ==> auth status" + return self.AUTH_FAILED def check_auth_publickey(self, username, key): - "override me! return tuple of (int, string) ==> (auth status, list of acceptable auth methods)" - return (AUTH_FAILED, self.get_allowed_auths()) + "override me! return int ==> auth status" + return self.AUTH_FAILED def parse_userauth_request(self, m): if not self.server_mode: 
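Review bot: The new class-level `AUTH_SUCCESSFUL, AUTH_PARTIALLY_SUCCESSFUL, AUTH_FAILED = range(3)` keeps the success sentinel at `0`, which compares equal to `False`, so a `check_auth_*` override that returns a boolean verdict (`return password == expected`) is read as a successful authentication exactly when the check fails, and `True` is read as partial success. If the numbering has to stay for compatibility, put a warning on that line, `# NOTE: AUTH_SUCCESSFUL == 0 == False; overrides must return exactly one of these constants, never a bool`, and have the consumer fail closed on anything that is not one of the three ints. Removing the module-level `AUTH_*` names is also an API break for any code that imported them from this module; module-level aliases after the class body (`AUTH_FAILED = Transport.AUTH_FAILED`, etc.) would keep such callers working.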
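Review bot: `get_allowed_auths(self, username)` now receives the client-supplied, still-unauthenticated username, but its docstring gives no guidance on the return value or on the fact that the result is sent back to the peer on every failed attempt, so an override that returns a different method list for unknown accounts turns into a user-enumeration oracle. Suggest `"override me! return a comma-separated string of auth methods acceptable for username (default 'password'); keep it independent of whether the account exists, since it is sent to unauthenticated clients"`. The three `check_auth_*` docstrings should likewise name the legal results, e.g. `"override me! return one of self.AUTH_SUCCESSFUL, self.AUTH_PARTIALLY_SUCCESSFUL or self.AUTH_FAILED"`, because the value is compared directly and `AUTH_SUCCESSFUL` is `0`. Subclasses that still define the old zero-argument `get_allowed_auths(self)` will presumably raise TypeError at the new call site; that deserves a release note. parse_userauth_request, whose header closes this hunk, continues below it.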
@@ -142,11 +144,12 @@ class Transport(BaseTransport): username = m.get_string() service = m.get_string() method = m.get_string() + self.log(DEBUG, 'Auth request (type=%s) service=%s, username=%s' % (method, service, username)) if service != 'ssh-connection': self.disconnect_service_not_available() return if (self.auth_username is not None) and (self.auth_username != username): - # trying to change username in mid-flight! + self.log(DEBUG, 'Auth rejected because the client attempted to change username in mid-flight') self.disconnect_no_more_auth() return if method == 'none': @@ -157,27 +160,27 @@ class Transport(BaseTransport): if changereq: # always treated as failure, since we don't support changing passwords, but collect # the list of valid auth types from the callback anyway + self.log(DEBUG, 'Auth request to change passwords (rejected)') newpassword = m.get_string().decode('UTF-8') - result = self.check_auth_password(username, password) - result = (AUTH_FAILED, result[1]) + result = self.AUTH_FAILED else: result = self.check_auth_password(username, password) elif method == 'publickey': # FIXME result = self.check_auth_none(username) - result = (AUTH_FAILED, result[1]) else: result = self.check_auth_none(username) - result = (AUTH_FAILED, result[1]) # okay, send result m = Message() - if result[0] == AUTH_SUCCESSFUL: - m.add_byte(chr(MSG_USERAUTH_SUCCESSFUL)) + if result == self.AUTH_SUCCESSFUL: + self.log(DEBUG, 'Auth granted.') + m.add_byte(chr(MSG_USERAUTH_SUCCESS)) self.auth_complete = 1 else: + self.log(DEBUG, 'Auth rejected.') m.add_byte(chr(MSG_USERAUTH_FAILURE)) - m.add_string(result[1]) - if result[0] == AUTH_PARTIALLY_SUCCESSFUL: + m.add_string(self.get_allowed_auths(username)) + if result == self.AUTH_PARTIALLY_SUCCESSFUL: m.add_boolean(1) else: m.add_boolean(0) |
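Review bot: The added debug line formats `method`, `service` and `username` with `%s` straight from `m.get_string()`, so a remote client fully controls those bytes and can inject newlines or terminal control sequences into the server log (forged or split log lines). Use `%r` so the values are escaped before they reach the log: `self.log(DEBUG, 'Auth request (type=%r) service=%r, username=%r' % (method, service, username))`. The new mid-flight-username message deliberately omits both usernames, which is fine; keep it that way rather than echoing attacker-chosen strings. parse_userauth_request starts before this hunk and continues after it.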
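Review bot: `if result == self.AUTH_SUCCESSFUL:` compares by value against a constant that is `0`, so a `check_auth_password` or `check_auth_publickey` override that returns `False`/`0` for a rejected credential is granted a session, and one returning `True` is read as partial success rather than success. Before `# okay, send result` the status should be normalised so anything that is not an exact int status fails closed: `if type(result) is not int or result not in (self.AUTH_SUCCESSFUL, self.AUTH_PARTIALLY_SUCCESSFUL, self.AUTH_FAILED): result = self.AUTH_FAILED`. Note also that the `publickey` branch now returns whatever `check_auth_none` says without reading or verifying the key (the FIXME), so a policy that accepts 'none' for a user will answer MSG_USERAUTH_SUCCESS to a publickey request whose key was never examined; logging that path at WARNING would make the gap visible until it is implemented. parse_userauth_request starts before this hunk and presumably continues past it to send the built message.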