1 files changed, 109 insertions, 7 deletions

diff --git a/paramiko/transport.py b/paramiko/transport.py
index 6ab9274c..d46a6c6f 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -32,12 +32,15 @@ import weakref
 import paramiko
 from paramiko import util
 from paramiko.auth_handler import AuthHandler
+from paramiko.ssh_gss import GSSAuth
 from paramiko.channel import Channel
 from paramiko.common import *
 from paramiko.compress import ZlibCompressor, ZlibDecompressor
 from paramiko.dsskey import DSSKey
 from paramiko.kex_gex import KexGex
 from paramiko.kex_group1 import KexGroup1
+from paramiko.kex_group14 import KexGroup14
+from paramiko.kex_gss import KexGSSGex, KexGSSGroup1, KexGSSGroup14, NullHostKey
 from paramiko.message import Message
 from paramiko.packet import Packetizer, NeedRekeyException
 from paramiko.primes import ModulusPack
@@ -205,7 +208,7 @@ class Transport (threading.Thread):
         'arcfour128', 'arcfour256' )
     _preferred_macs = ( 'hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96' )
     _preferred_keys = ( 'ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256' )
-    _preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1' )
+    _preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group-exchange-sha1' )
     _preferred_compression = ( 'none', )
 
     _cipher_info = {
@@ -234,7 +237,11 @@ class Transport (threading.Thread):
 
     _kex_info = {
         'diffie-hellman-group1-sha1': KexGroup1,
+        'diffie-hellman-group14-sha1': KexGroup14,
         'diffie-hellman-group-exchange-sha1': KexGex,
+        'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==': KexGSSGroup1,
+        'gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==': KexGSSGroup14,
+        'gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==': KexGSSGex
         }
 
     _compression_info = {
@@ -249,7 +256,7 @@ class Transport (threading.Thread):
 
     _modulus_pack = None
 
-    def __init__(self, sock):
+    def __init__(self, sock, gss_kex=False, gss_deleg_creds=True):
         """
         Create a new SSH session over an existing socket, or socket-like
         object.  This only creates the Transport object; it doesn't begin the
@@ -328,6 +335,21 @@ class Transport (threading.Thread):
         self.host_key_type = None
         self.host_key = None
 
+        # GSS-API / SSPI Key Exchange
+        self.use_gss_kex = gss_kex
+        # This will be set to True if GSS-API Key Exchange was performed
+        self.gss_kex_used = False
+        self.kexgss_ctxt = None
+        self.gss_host = None
+        if gss_kex:
+            self.kexgss_ctxt = GSSAuth("gssapi-keyex", gss_deleg_creds)
+            self._preferred_kex = ('gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==',
+                                   'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==',
+                                   'gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==',
+                                   'diffie-hellman-group-exchange-sha1',
+                                   'diffie-hellman-group1-sha1',
+                                   'diffie-hellman-group14-sha1')
+
         # state used during negotiation
         self.kex_engine = None
         self.H = None
@@ -418,6 +440,18 @@ class Transport (threading.Thread):
         """
         return SecurityOptions(self)
 
+    def set_gss_host(self, gss_host):
+        """
+        Setter for C{gss_host} if GSS-API Key Exchange is performed.
+
+        @param gss_host: The targets name in the kerberos database
+                         Default: The name of the host to connect to
+        @type gss_host: String
+        @rtype: Void
+        """
+        # We need the FQDN to get this working with SSPI
+        self.gss_host = socket.getfqdn(gss_host)
+
     def start_client(self, event=None):
         """
         Negotiate a new SSH2 session as a client.  This is the first step after
@@ -970,7 +1004,8 @@ class Transport (threading.Thread):
             self.lock.release()
         return chan
 
-    def connect(self, hostkey=None, username='', password=None, pkey=None):
+    def connect(self, hostkey=None, username='', password=None, pkey=None,
+                gss_host=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True):
         """
         Negotiate an SSH2 session, and optionally verify the server's host key
         and authenticate using a password or private key.  This is a shortcut
@@ -1000,6 +1035,14 @@ class Transport (threading.Thread):
         @param pkey: a private key to use for authentication, if you want to
             use private key authentication; otherwise C{None}.
         @type pkey: L{PKey<pkey.PKey>}
+        @param gss_host: The host to authenticate to
+        @type gss_host: str
+        @param gss_auth: Enable or Disable GSSAPI Authentication
+        @type gss_auth: Boolean
+        @param gss_kex: Perform GSS-API Key Exchange and user authentication
+        @type gss_kex: Boolean
+        @param gss_deleg_creds: Use delegated credentails with GSSAPI
+        @type gss_deleg_cred: Boolean
 
         @raise SSHException: if the SSH2 negotiation fails, the host key
             supplied by the server is incorrect, or authentication fails.
@@ -1010,7 +1053,9 @@ class Transport (threading.Thread):
         self.start_client()
 
         # check host key if we were given one
-        if (hostkey is not None):
+        # If GSS-API Key Exchange was performed, we are not required to check
+        # the host key.
+        if (hostkey is not None) and not gss_kex:
             key = self.get_remote_server_key()
             if (key.get_name() != hostkey.get_name()) or (key.asbytes() != hostkey.asbytes()):
                 self._log(DEBUG, 'Bad host key from server')
@@ -1019,13 +1064,19 @@ class Transport (threading.Thread):
                 raise SSHException('Bad host key from server')
             self._log(DEBUG, 'Host key verified (%s)' % hostkey.get_name())
 
-        if (pkey is not None) or (password is not None):
+        if (pkey is not None) or (password is not None) or gss_auth or gss_kex:
             if password is not None:
                 self._log(DEBUG, 'Attempting password auth...')
                 self.auth_password(username, password)
-            else:
+            elif pkey is not None:
                 self._log(DEBUG, 'Attempting public-key auth...')
                 self.auth_publickey(username, pkey)
+            elif gss_auth:
+                self._log(DEBUG, 'Attempting GSS-API auth... (gssapi-with-mic)')
+                self.auth_gssapi_with_mic(username, gss_host, gss_deleg_creds)
+            else:
+                self._log(DEBUG, 'Attempting GSS-API auth... (gssapi-keyex)')
+                self.auth_gssapi_keyex(username)
 
         return
 
@@ -1308,6 +1359,57 @@ class Transport (threading.Thread):
         self.auth_handler.auth_interactive(username, handler, my_event, submethods)
         return self.auth_handler.wait_for_response(my_event)
 
+    def auth_gssapi_with_mic(self, username, gss_host, gss_deleg_creds):
+        """
+        Authenticate to the Server using GSS-API / SSPI.
+
+        @param username: The username to authenticate as
+        @type username: String
+        @param gss_host: The target host
+        @type gss_host: String
+        @param gss_deleg_creds: Delegate credentials or not
+        @type gss_deleg_creds: Boolean
+        @return: list of auth types permissible for the next stage of
+                 authentication (normally empty)
+        @rtype: list
+        @raise BadAuthenticationType: if gssapi-with-mic isn't
+            allowed by the server (and no event was passed in)
+        @raise AuthenticationException: if the authentication failed (and no
+            event was passed in)
+        @raise SSHException: if there was a network error
+        """
+        if (not self.active) or (not self.initial_kex_done):
+            # we should never try to authenticate unless we're on a secure link
+            raise SSHException('No existing session')
+        my_event = threading.Event()
+        self.auth_handler = AuthHandler(self)
+        self.auth_handler.auth_gssapi_with_mic(username, gss_host, gss_deleg_creds, my_event)
+        return self.auth_handler.wait_for_response(my_event)
+
+    def auth_gssapi_keyex(self, username):
+        """
+        Authenticate to the Server with GSS-API / SSPI if GSS-API Key Exchange
+        was the used key exchange method.
+
+        @param username: The username to authenticate as
+        @type username: String
+        @return: list of auth types permissible for the next stage of
+            authentication (normally empty)
+        @rtype: list
+        @raise BadAuthenticationType: if GSS-API Key Exchange was not performed
+                                      (and no event was passed in)
+        @raise AuthenticationException: if the authentication failed (and no
+            event was passed in)
+        @raise SSHException: if there was a network error
+        """
+        if (not self.active) or (not self.initial_kex_done):
+            # we should never try to authenticate unless we're on a secure link
+            raise SSHException('No existing session')
+        my_event = threading.Event()
+        self.auth_handler = AuthHandler(self)
+        self.auth_handler.auth_gssapi_keyex(username, my_event)
+        return self.auth_handler.wait_for_response(my_event)
+
     def set_log_channel(self, name):
         """
         Set the channel for this transport's logging.  The default is
@@ -1582,7 +1684,7 @@ class Transport (threading.Thread):
                         if ptype not in self._expected_packet:
                             raise SSHException('Expecting packet from %r, got %d' % (self._expected_packet, ptype))
                         self._expected_packet = tuple()
-                        if (ptype >= 30) and (ptype <= 39):
+                        if (ptype >= 30) and (ptype <= 41):
                             self.kex_engine.parse_next(ptype, m)
                             continue