oh)pdZddlZddlZddlZdZdZdZ ddlZeedrejdk(rdZejfZn8dZejjejjjfZdd lmZdd lmZdd ZGddZGddeZGddeZGddeZy#eef$r/ ddlZddlZddlZd Zej*fZn#e$rd ZdZYnwxYwYqwxYw)z This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 NT __title__z python-gssapiMITPYTHON-GSSAPI-NEWSSPIF)MSG_USERAUTH_REQUEST) SSHExceptionctdk(r t||Stdk(r t||Stdk(rtjdk(r t ||St d)a Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: object :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported. :see: `RFC 4462 `_ :note: Check for the available API and return either an `._SSH_GSSAPI_OLD` (MIT GSSAPI using python-gssapi package) object, an `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object or an `._SSH_SSPI` (MS SSPI) object. If there is no supported API available, ``None`` will be returned. rrrntz)Unable to import a GSS-API / SSPI module!)_API_SSH_GSSAPI_OLD_SSH_GSSAPI_NEWosname _SSH_SSPI ImportError) auth_methodgss_deleg_credss b/var/www/pru.catia.catastroantioquia-mas.com/tasa/lib/python3.12/site-packages/paramiko/ssh_gss.pyGSSAuthrMsX, u}{O<< $ ${O<< BGGtOo66EFFc<eZdZdZdZdZdZd dZdZdZ dZ y ) _SSH_GSSAuthzs Contains the shared variables and methods of `._SSH_GSSAPI_OLD`, `._SSH_GSSAPI_NEW` and `._SSH_SSPI`. c||_||_d|_d|_d|_d|_ d|_d|_d|_d|_ d|_ d|_ y) :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not Nzssh-connectionz1.2.840.113554.1.2.2F) _auth_method_gss_deleg_creds _gss_host _username _session_id_service _krb5_mech _gss_ctxt_gss_ctxt_status _gss_srv_ctxt_gss_srv_ctxt_statuscc_fileselfrrs r__init__z_SSH_GSSAuth.__init__ssi ( /(  1 %"$)! rc6|jdr||_yy)z This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service zssh-N)findr!)r)services r set_servicez_SSH_GSSAuth.set_services << #DM rc||_y)z Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login N)r)r)usernames r set_usernamez_SSH_GSSAuth.set_usernames "rcddlm}ddlm}|j d}|j ||j }|j t|}|dk(r||zS||z|zS)a This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :note: In server mode we just return the OID length and the DER encoded OID. r)ObjectIdentifier)encoderserver)pyasn1.type.univr3pyasn1.codec.derr4 _make_uint32encoder"len)r)moder3r4OIDskrb5_OIDOID_lens r ssh_gss_oidsz_SSH_GSSAuth.ssh_gss_oidssh 6,  #>>"24??"CD##CM2 8 X% %g~((rctddlm}|j|\}}|j|jk7ryy)z Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} rdecoderFT)r8rCdecode__str__r")r) desired_mechrCmech__s rssh_check_mechz_SSH_GSSAuth.ssh_check_mechs1 ->>,/b <<>T__ ,rc.tjd|S)z Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer z!I)structpack)r)integers rr9z_SSH_GSSAuth._make_uint32s{{4))rc|jt|}||z }|tjdtz }||jt|z }||j z }||jt|z }||j z }||jt|z }||j z }|S)a Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) B)r9r;rKrLrr:)r) session_idr0r-rmics r_ssh_build_micz_SSH_GSSAuth._ssh_build_mics"J0 z v{{3 455 t  X// x   t  W.. w~~ t  [!122 {!!## rN)client) __name__ __module__ __qualname____doc__r*r.r1r@rIr9rRrrrrrms* 6 $"),  *rrcNeZdZdZdZ d dZd dZd dZd dZe dZ d Z y) r z Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package. :see: `.GSSAuth` c:tj||||jrDtjtj tj tjf|_ytjtj tj f|_yrN) rr*rgssapiC_PROT_READY_FLAG C_INTEG_FLAG C_MUTUAL_FLAG C_DELEG_FLAG _gss_flagsr(s rr*z_SSH_GSSAPI_OLD.__init__sr dKA  ((##$$## DO((##$$DOrNcddlm}||_||_t j d|jztj }t j}|j|_ |*tjj|j}ne|j|\} } | j|jk7r tdtjj|j}d} |Ct j |||j|_|j"j%| } n|j"j%|} |j"j.|_| S#tj&$rGdj)t+j,d|j} t j&| wxYw) a Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned rrBhost@NUnsupported mechanism OID.) peer_name mech_type req_flagsz {} Target: {}r5)r8rCrrr[NameC_NT_HOSTBASED_SERVICEContextr`flagsOIDmech_from_stringr"rDrEr InitContextr#step GSSExceptionformatsysexc_info establishedr$) r)targetrFr0 recv_tokenrC targ_namectx krb5_mechrGrHtokenmessages rssh_init_sec_contextz$_SSH_GSSAPI_OLD.ssh_init_sec_context sq$ -!KK dnn $f&C&C nnOO   33DOODI~~l3HD"||~0"#?@@"JJ77H  /!!'!3!3''!ii" ++E2++J7!% : : "" /%,,S\\^A->OG%%g. . /s?A E<> %++   !! I    ) ))Y ? NN % %d&6&6 Brc2|jjyy) Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` TF)r%delegated_credr)s rcredentials_delegatedz%_SSH_GSSAPI_OLD.credentials_delegateds    , , 8rct)a~ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode NotImplementedErrorr) client_tokens rsave_client_credsz!_SSH_GSSAPI_OLD.save_client_creds "!rNNNFN rTrUrVrWr*r{rrrpropertyrrrrrr r sB.DH2h6(C4 "rr cNeZdZdZdZ d dZd dZd dZd dZe dZ d Z y) rz Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package. :see: `.GSSAuth` ctj||||jrltjj tjj tjjtjjf|_ ytjj tjj tjjf|_ yrZ) rr*rr[RequirementFlagprotection_ready integritymutual_authenticationdelegate_to_peerr`r(s rr*z_SSH_GSSAPI_NEW.__init__s dKA  &&77&&00&&<<&&77 DO&&77&&00&&<<DOrNcRddlm}||_||_t j d|jztj j}|<|j|\}}|j|jk7r tdtjj} d} |Dt j||j| d|_|j j#| } n|j j#|} |j j$|_| S) ae Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :raises: ``gssapi.exceptions.GSSError`` if there is an error signaled by the GSS-API implementation :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned rrBrb) name_typeNrcinitiate)rrjrGusage)r8rCrrr[rgNameTypehostbased_servicerDrEr"r MechTypekerberosSecurityContextr`r#rncompleter$) r)rtrFr0rurCrvrGrHrxrys rr{z$_SSH_GSSAPI_NEW.ssh_init_sec_contexts& -!KK dnn $oo77   #~~l3HD"||~0"#?@@OO,,   #33oo DN NN''.ENN'' 3E $ 7 7 rc||_|sY|j|j|j|j|j}|j j |}|S|jj |j}|S)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: str )r rRrr!rr# get_signaturer%r~s rrz_SSH_GSSAPI_NEW.ssh_get_mics&++   !! I 44Y?I**889I9IJIrc||_||_|jtjd|_|jj |}|jj |_|S)raccept)r)rrr%r[rrnrr&rs rrz&_SSH_GSSAPI_NEW.ssh_accept_sec_context s`"!    %!'!7!7h!GD ""'' 3$($6$6$?$?! rc6||_||_|jY|j|j|j|j|j}|j j ||y|jj |j|y)a{ Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed N)r rrRr!rr%verify_signaturer#rs rrz_SSH_GSSAPI_NEW.ssh_check_mics&! >> %++   !! I    / / 9 E NN + +D,<,>33J?LE5!HOOE A: %)D !E    JJ.//? ?J  s%AC D /DDc||_|sY|j|j|j|j|j}|j j |}|S|jj |j}|S)a Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. )r rRrr!rr#signr%r~s rrz_SSH_SSPI.ssh_get_mics&++   !! I ++I6I**//0@0@AIrc||_||_d|jz}tjd||_|jj |\}}|dj }|dk(r d|_d}|S)a Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned rr)spnrTN)rrr ServerAuthr%rrr&)r)rr0rurvrrys rrz _SSH_SSPI.ssh_accept_sec_contextss"!dnn, !__ZYG))33J? ua A:(,D %E rc"||_||_|Y|j|j|j|j|j}|j j ||y|jj |j|y)ak Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``sspi.error`` -- if the MIC check failed N)r rrRr!rr%verifyr#rs rrz_SSH_SSPI.ssh_check_mics}&!  ++   !! I    % %i ; NN ! !$"2"2I >rct|jtjzxr|jxs |jS)r)r`rrr&rs rrz_SSH_SSPI.credentials_delegateds2!9!99  % % 8 rct)a{ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode rrs rrz_SSH_SSPI.save_client_credsrrrrrrrrrrrQsA (DH2h6,?<   "rr)T)rWrKrrqGSS_AUTH_AVAILABLEGSS_EXCEPTIONSr r[hasattrrro exceptions GeneralErrorrawmiscGSSErrorrOSErrorrrrrparamiko.commonrparamiko.ssh_exceptionr rrr rrrrrrs#,  v{#(8(8O(K --/"    * * JJOO $ $  1/G@~~Bq"lq"hl"ll"^s" s"i W  $**, " s6A$B66C,>CC, C&#C,%C&&C,+C,