From 7b3698064645c2951d5150685096e81244cff0ed Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Wed, 23 Aug 2017 13:22:39 -0700 Subject: Changelog re #1041 --- sites/www/changelog.rst | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'sites/www') diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 12c8cb03..15bf8ebf 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,11 @@ Changelog ========= +* :support:`1041` Modify logic around explicit disconnect + messages, and unknown-channel situations, so that they rely on centralized + shutdown code instead of running their own. This is at worst removing some + unnecessary code, and may help with some situations where Paramiko hangs at + the end of a session. Thanks to Paul Kapp for the patch. * :support:`1012` (via :issue:`1016`) Enhance documentation around the new `SFTP.posix_rename ` method so it's referenced in the 'standard' ``rename`` method for increased visibility. -- cgit v1.2.3 From a8723e08aaff00ee068cbdefa119cd34dd6f0d6b Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Mon, 28 Aug 2017 11:51:41 -0700 Subject: Changelog and docs re #1042 --- paramiko/client.py | 18 ++++++++++++++++-- sites/www/changelog.rst | 15 +++++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) (limited to 'sites/www') diff --git a/paramiko/client.py b/paramiko/client.py index 39837c2c..0539d83d 100644 --- a/paramiko/client.py +++ b/paramiko/client.py 
@@ -240,9 +240,23 @@ class SSHClient (ClosingContextManager): Authentication is attempted in the following order of priority: - The ``pkey`` or ``key_filename`` passed in (if any) + + - ``key_filename`` may contain OpenSSH public certificate paths + as well as regular private-key paths; when files ending in + ``-cert.pub`` are found, they are assumed to match a private + key, and both components will be loaded. (The private key + itself does *not* need to be listed in ``key_filename`` for + this to occur - *just* the certificate.) + - Any key we can find through an SSH agent - Any "id_rsa", "id_dsa" or "id_ecdsa" key discoverable in ``~/.ssh/`` + + - When OpenSSH-style public certificates exist that match an + existing such private key (so e.g. one has ``id_rsa`` and + ``id_rsa-cert.pub``) the certificate will be loaded alongside + the private key and used for authentication. + - Plain username/password auth, if a password was given If a private key requires a password to unlock it, and a password is @@ -257,8 +271,8 @@ class SSHClient (ClosingContextManager): a password to use for authentication or for unlocking a private key :param .PKey pkey: an optional private key to use for authentication :param str key_filename: - the filename, or list of filenames, of optional private key(s) to - try for authentication + the filename, or list of filenames, of optional private key(s) + and/or certs to try for authentication :param float timeout: an optional timeout (in seconds) for the TCP connect :param bool allow_agent: diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 15bf8ebf..3eb88485 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst 
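Review bot: The new ``key_filename`` bullet in the @@ -240 hunk says a ``-cert.pub`` file is "assumed to match a private key" but does not say how that private key is located or what happens when it cannot be found; presumably the key path is derived by dropping the ``-cert.pub`` suffix, but the loading code is outside this hunk, so confirm before documenting it. A sentence such as `(the private key is looked for at the same path without the ``-cert.pub`` suffix)` after "both components will be loaded" would make the contract explicit to callers who only read this docstring. The @@ -257 hunk's wording "private key(s) and/or certs" is consistent with the bullet, so no change is needed there. This docstring belongs to the ``connect`` method per the accompanying changelog entry; its signature and body lie outside the hunk.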
@@ -2,6 +2,21 @@ Changelog ========= +* :feature:`1042` (also partially :issue:`531`) Implement generic (suitable for + all key types) client-side certificate authentication. + + The core implementation is `PKey.load_certificate + ` and its corresponding ``.public_blob`` + attribute on key objects, which is honored in the auth and transport modules. + Additionally, `SSHClient.connect ` will + now automatically load certificate data alongside private key data when one + has appropriately-named cert files (e.g. ``id_rsa-cert.pub``) - see its + docstring for details. + + Thanks to Paul Kapp for the final patch, and to Jason Rigby for earlier work + in :issue:`531` (which remains open as it contains additional functionality + that may get merged later.) + * :support:`1041` Modify logic around explicit disconnect messages, and unknown-channel situations, so that they rely on centralized shutdown code instead of running their own. This is at worst removing some -- cgit v1.2.3 From 797777baad68a1e556d35ef05f346b54452bd7a1 Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Mon, 28 Aug 2017 15:37:55 -0700 Subject: 2nd amendment doesn't grant the right to bare excepts --- paramiko/auth_handler.py | 7 +++---- sites/www/changelog.rst | 5 +++++ 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'sites/www') diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py index 6c515cb6..3d742c06 100644 --- a/paramiko/auth_handler.py +++ b/paramiko/auth_handler.py @@ -459,10 +459,9 @@ class AuthHandler (object): INFO, 'Auth rejected: public key: %s' % str(e)) key = None - except: - self.transport._log( - INFO, - 'Auth rejected: unsupported or mangled public key') + except Exception as e: + msg = 'Auth rejected: unsupported or mangled public key ({0}: {1})' # noqa + self.transport._log(INFO, msg.format(e.__class__.__name__, e)) key = None if key is None: self._disconnect_no_more_auth() 
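Review bot: The exception text interpolated by the new `msg.format(e.__class__.__name__, e)` call in the auth_handler.py hunk can carry bytes taken from the peer's userauth request (the changelog's own example is ``KeyError: 'some-unknown-type-string'``), so the log line now includes unsanitized remote input; ``KeyError`` happens to repr its argument, but other exception types format their message raw, so a newline or control character in the message would reach the log verbatim. Formatting with `!r` escapes such characters for every exception type — `msg = 'Auth rejected: unsupported or mangled public key ({0}: {1!r})'` — and `type(e).__name__` reads more idiomatically than `e.__class__.__name__`. The `# noqa` could be dropped by splitting the literal across two adjacent string lines. The ``try``/``except`` and the method that contains it start before the hunk and continue after it.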
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 3eb88485..83fc8a8f 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,11 @@ Changelog ========= +* :support:`-` Display exception type and message when logging auth-rejection + messages (ones reading ``Auth rejected: unsupported or mangled public key``); + previously this error case had a bare except and did not display exactly why + the key failed. It will now append info such as ``KeyError: + 'some-unknown-type-string'`` or similar. * :feature:`1042` (also partially :issue:`531`) Implement generic (suitable for all key types) client-side certificate authentication. -- cgit v1.2.3 From 84d29dd4ea9d957d778207078c7cfed1d4bf9d46 Mon Sep 17 00:00:00 2001 From: Jeff Forcier Date: Mon, 28 Aug 2017 17:50:38 -0700 Subject: Update changelog re: recent changes re: #1042 --- sites/www/changelog.rst | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) (limited to 'sites/www') diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 83fc8a8f..9de287ae 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -7,8 +7,8 @@ Changelog previously this error case had a bare except and did not display exactly why the key failed. It will now append info such as ``KeyError: 'some-unknown-type-string'`` or similar. -* :feature:`1042` (also partially :issue:`531`) Implement generic (suitable for - all key types) client-side certificate authentication. +* :feature:`1042` (also partially :issue:`531`) Implement basic client-side + certificate authentication (as per the OpenSSH vendor extension.) The core implementation is `PKey.load_certificate ` and its corresponding ``.public_blob`` 
@@ -18,9 +18,17 @@ Changelog has appropriately-named cert files (e.g. ``id_rsa-cert.pub``) - see its docstring for details. - Thanks to Paul Kapp for the final patch, and to Jason Rigby for earlier work - in :issue:`531` (which remains open as it contains additional functionality - that may get merged later.) + Thanks to Jason Rigby for a first draft (:issue:`531`) and to Paul Kapp for + the second draft, upon which the current functionality has been based (with + modifications.) + + .. note:: + This support is client-focused; Paramiko-driven server code is capable of + handling cert-bearing pubkey auth packets, *but* it does not interpret any + cert-specific fields, so the end result is functionally identical to a + vanilla pubkey auth process (and thus requires e.g. prepopulated + authorized-keys data.) We expect full server-side cert support to follow + later. * :support:`1041` Modify logic around explicit disconnect messages, and unknown-channel situations, so that they rely on centralized -- cgit v1.2.3