%PDF- %PDF- Mini Shell
Mini Shell

Direktori : /lib/python3/dist-packages/paramiko/__pycache__/
Current File : //lib/python3/dist-packages/paramiko/__pycache__/ssh_gss.cpython-312.pyc
�

�ec�p���dZddlZddlZddlZdZdZdZ	ddlZeed�rejdk(rdZejfZn8dZejjejjjfZddlmZddlmZdd
lmZdd�ZGd�de�ZGd�de�ZedkreZ Gd�de�Z!Gd�de�Z"y#eef$r/	ddlZddlZddlZd	Zej*fZn#e$rd
ZdZYnwxYwY�wxYw)z�
This module provides GSS-API / SSPI  authentication as defined in :rfc:`4462`.

.. note:: Credential delegation is not supported in server mode.

.. seealso:: :doc:`/api/kex_gss`

.. versionadded:: 1.15
�NT��	__title__z
python-gssapi�MIT�PYTHON-GSSAPI-NEW�SSPIF)�MSG_USERAUTH_REQUEST)�SSHException)�__version_info__c��tdk(rt||�Stdk(rt||�Stdk(rtjdk(rt||�St
d��)a�
    Provide SSH2 GSS-API / SSPI authentication.

    :param str auth_method: The name of the SSH authentication mechanism
                            (gssapi-with-mic or gss-keyex)
    :param bool gss_deleg_creds: Delegate client credentials or not.
                                 We delegate credentials by default.
    :return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix)
             object or an `_SSH_SSPI` (Windows) object
    :rtype: object

    :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported.

    :see: `RFC 4462 <http://www.ietf.org/rfc/rfc4462.txt>`_
    :note: Check for the available API and return either an `._SSH_GSSAPI_OLD`
           (MIT GSSAPI using python-gssapi package) object, an
           `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object
           or an `._SSH_SSPI` (MS SSPI) object.
           If there is no supported API available,
           ``None`` will be returned.
    rrr�ntz)Unable to import a GSS-API / SSPI module!)�_API�_SSH_GSSAPI_OLD�_SSH_GSSAPI_NEW�os�name�	_SSH_SSPI�ImportError)�auth_method�gss_deleg_credss  �2/usr/lib/python3/dist-packages/paramiko/ssh_gss.py�GSSAuthrNsX��,�u�}��{�O�<�<�	
�$�	$��{�O�<�<�	
���B�G�G�t�O���o�6�6��E�F�F�c�<�eZdZdZd�Zd�Zd�Zd
d�Zd�Zd�Z	d�Z
y	)�_SSH_GSSAuthzs
    Contains the shared variables and methods of `._SSH_GSSAPI_OLD`,
    `._SSH_GSSAPI_NEW` and `._SSH_SSPI`.
    c��||_||_d|_d|_d|_d|_	d|_d|_d|_d|_	d|_
d|_y)��
        :param str auth_method: The name of the SSH authentication mechanism
                                (gssapi-with-mic or gss-keyex)
        :param bool gss_deleg_creds: Delegate client credentials or not
        Nzssh-connectionz1.2.840.113554.1.2.2F)�_auth_method�_gss_deleg_creds�	_gss_host�	_username�_session_id�_service�
_krb5_mech�	_gss_ctxt�_gss_ctxt_status�
_gss_srv_ctxt�_gss_srv_ctxt_status�cc_file��selfrrs   r�__init__z_SSH_GSSAuth.__init__tsi��(��� /������������(��
�	�1������ %���"���$)��!���rc�6�|jd�r||_yy)z�
        This is just a setter to use a non default service.
        I added this method, because RFC 4462 doesn't specify "ssh-connection"
        as the only service value.

        :param str service: The desired SSH service
        zssh-N)�findr")r*�services  r�set_servicez_SSH_GSSAuth.set_service�s���<�<���#�D�M� rc��||_y)z�
        Setter for C{username}. If GSS-API Key Exchange is performed, the
        username is not set by C{ssh_init_sec_context}.

        :param str username: The name of the user who attempts to login
        N)r )r*�usernames  r�set_usernamez_SSH_GSSAuth.set_username�s��"��rc���ddlm}ddlm}|j	d�}|j||j��}|j	t|��}|dk(r||zS||z|zS)a�
        This method returns a single OID, because we only support the
        Kerberos V5 mechanism.

        :param str mode: Client for client mode and server for server mode
        :return: A byte sequence containing the number of supported
                 OIDs, the length of the OID and the actual OID encoded with
                 DER
        :note: In server mode we just return the OID length and the DER encoded
               OID.
        r)�ObjectIdentifier)�encoder��server)�pyasn1.type.univr4�pyasn1.codec.derr5�_make_uint32�encoder#�len)r*�moder4r5�OIDs�krb5_OID�OID_lens       r�ssh_gss_oidsz_SSH_GSSAuth.ssh_gss_oids�sh��	6�,�� � ��#���>�>�"2�4�?�?�"C�D���#�#�C��M�2���8���X�%�%��g�~��(�(rc�t�ddlm}|j|�\}}|j�|jk7ryy)z�
        Check if the given OID is the Kerberos V5 OID (server mode).

        :param str desired_mech: The desired GSS-API mechanism of the client
        :return: ``True`` if the given OID is supported, otherwise C{False}
        r��decoderFT)r9rD�decode�__str__r#)r*�desired_mechrD�mech�__s     r�ssh_check_mechz_SSH_GSSAuth.ssh_check_mech�s1��	-��>�>�,�/���b��<�<�>�T�_�_�,��rc�.�tjd|�S)z�
        Create a 32 bit unsigned integer (The byte sequence of an integer).

        :param int integer: The integer value to convert
        :return: The byte sequence of an 32 bit integer
        z!I)�struct�pack)r*�integers  rr:z_SSH_GSSAuth._make_uint32�s���{�{�4��)�)rc��|jt|��}||z
}|tjdt�z
}||jt|��z
}||j�z
}||jt|��z
}||j�z
}||jt|��z
}||j�z
}|S)a�
        Create the SSH2 MIC filed for gssapi-with-mic.

        :param str session_id: The SSH session ID
        :param str username: The name of the user who attempts to login
        :param str service: The requested SSH service
        :param str auth_method: The requested SSH authentication mechanism
        :return: The MIC as defined in RFC 4462. The contents of the
                 MIC field are:
                 string    session_identifier,
                 byte      SSH_MSG_USERAUTH_REQUEST,
                 string    user-name,
                 string    service (ssh-connection),
                 string    authentication-method
                           (gssapi-with-mic or gssapi-keyex)
        �B)r:r<rLrMrr;)r*�
session_idr1r.r�mics      r�_ssh_build_micz_SSH_GSSAuth._ssh_build_mic�s���"����J��0���z����v�{�{�3� 4�5�5���t� � ��X��/�/���x��� � ���t� � ��W��.�.���w�~�~�����t� � ��[�!1�2�2���{�!�!�#�#���
rN)�client)�__name__�
__module__�__qualname__�__doc__r+r/r2rArJr:rSrrrrrns*���
�6	$�"�)�,� *�rrc�N�eZdZdZd�Z	d
d�Zdd�Zdd�Zdd�Ze	d��Z
d	�Zy)
rz�
    Implementation of the GSS-API MIT Kerberos Authentication for SSH2,
    using the older (unmaintained) python-gssapi package.

    :see: `.GSSAuth`
    c�:�tj|||�|jrDtjtj
tjtjf|_ytjtj
tjf|_y�rN)	rr+r�gssapi�C_PROT_READY_FLAG�C_INTEG_FLAG�
C_MUTUAL_FLAG�C_DELEG_FLAG�
_gss_flagsr)s   rr+z_SSH_GSSAPI_OLD.__init__�sr��	���d�K��A�� � ��(�(��#�#��$�$��#�#�	�D�O��(�(��#�#��$�$��D�OrNc��ddlm}||_||_t	j
d|jztj�}t	j�}|j|_	|�*tjj|j�}ne|j|�\}	}
|	j�|jk7rtd��tjj|j�}d}	|�Ct	j |||j��|_|j"j%|�}n|j"j%|�}|j"j.|_|S#tj&$rGdj)t+j,�d|j�}t	j&|��wxYw)	a�
        Initialize a GSS-API context.

        :param str username: The name of the user who attempts to login
        :param str target: The hostname of the target to connect to
        :param str desired_mech: The negotiated GSS-API mechanism
                                 ("pseudo negotiated" mechanism, because we
                                 support just the krb5 mechanism :-))
        :param str recv_token: The GSS-API token received from the Server
        :raises:
            `.SSHException` -- Is raised if the desired mechanism of the client
            is not supported
        :return: A ``String`` if the GSS-API has returned a token or
            ``None`` if no token was returned
        rrC�host@N�Unsupported mechanism OID.)�	peer_name�	mech_type�	req_flagsz
{} Target: {}r6)r9rDr rr\�Name�C_NT_HOSTBASED_SERVICE�Contextra�flags�OID�mech_from_stringr#rErFr	�InitContextr$�step�GSSException�format�sys�exc_info�establishedr%)
r*�targetrGr1�
recv_tokenrD�	targ_name�ctx�	krb5_mechrHrI�token�messages
             r�ssh_init_sec_contextz$_SSH_GSSAPI_OLD.ssh_init_sec_context
sq��$	-�!�������K�K��d�n�n�$�f�&C�&C�
�	��n�n����O�O��	����
�
�3�3�D�O�O�D�I��~�~�l�3�H�D�"��|�|�~����0�"�#?�@�@�"�J�J�7�7����H�	���	/��!�!'�!3�!3�'�'�!�i�i�"���
���+�+�E�2�����+�+�J�7��!%��� :� :������	�"�"�	/�%�,�,�S�\�\�^�A�->����O�G��%�%�g�.�.�	/�s�?A E<�<AGc��||_|sY|j|j|j|j|j�}|j
j
|�}|S|jj
|j�}|S)a�
        Create the MIC token for a SSH2 message.

        :param str session_id: The SSH session ID
        :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not
        :return: gssapi-with-mic:
                 Returns the MIC token from GSS-API for the message we created
                 with ``_ssh_build_mic``.
                 gssapi-keyex:
                 Returns the MIC token from GSS-API with the SSH session ID as
                 message.
        )r!rSr r"rr$�get_micr&�r*rQ�gss_kex�	mic_field�	mic_tokens     r�ssh_get_micz_SSH_GSSAPI_OLD.ssh_get_micAs���&�����+�+�� � �����
�
��!�!�	�I����.�.�y�9�I����*�*�2�2�4�3C�3C�D�I��rc���||_||_|j�tj�|_|jj|�}|jj|_|S)�
        Accept a GSS-API context (server mode).

        :param str hostname: The servers hostname
        :param str username: The name of the user who attempts to login
        :param str recv_token: The GSS-API Token received from the server,
                               if it's not the initial call.
        :return: A ``String`` if the GSS-API has returned a token or ``None``
                if no token was returned
        )rr r&r\�
AcceptContextrortr'�r*�hostnamervr1rzs     r�ssh_accept_sec_contextz&_SSH_GSSAPI_OLD.ssh_accept_sec_context\s^��"���!������%�!'�!5�!5�!7�D���"�"�'�'�
�3��$(�$6�$6�$B�$B��!��rc�6�||_||_|j�Y|j|j|j|j|j�}|j
j
||�y|jj
|j|�y)at
        Verify the MIC token for a SSH2 message.

        :param str mic_token: The MIC token received from the client
        :param str session_id: The SSH session ID
        :param str username: The name of the user who attempts to login
        :return: None if the MIC check was successful
        :raises: ``gssapi.GSSException`` -- if the MIC check failed
        N)r!r rSr"rr&�
verify_micr$�r*r�rQr1r�s     r�
ssh_check_micz_SSH_GSSAPI_OLD.ssh_check_micps���&���!����>�>�%��+�+�� � �����
�
��!�!�	�I�
���)�)�)�Y�?�
�N�N�%�%�d�&6�&6�	�Brc�2�|jj�yy)��
        Checks if credentials are delegated (server mode).

        :return: ``True`` if credentials are delegated, otherwise ``False``
        TF)r&�delegated_cred�r*s r�credentials_delegatedz%_SSH_GSSAPI_OLD.credentials_delegated�s�����,�,�8��rc��t�)a~
        Save the Client token in a file. This is used by the SSH server
        to store the client credentials if credentials are delegated
        (server mode).

        :param str client_token: The GSS-API token received form the client
        :raises:
            ``NotImplementedError`` -- Credential delegation is currently not
            supported in server mode
        ��NotImplementedError�r*�client_tokens  r�save_client_credsz!_SSH_GSSAPI_OLD.save_client_creds��
��"�!r�NNN�F�N�rUrVrWrXr+r|r�r�r��propertyr�r�rrrrr�sB����.DH�2�h�6�(C�4����"rr)��c�N�eZdZdZd�Z	d
d�Zdd�Zdd�Zdd�Ze	d��Z
d	�Zy)
rz�
    Implementation of the GSS-API MIT Kerberos Authentication for SSH2,
    using the newer, currently maintained gssapi package.

    :see: `.GSSAuth`
    c���tj|||�|jrltjj
tjjtjjtjjf|_	ytjj
tjjtjjf|_	yr[)
rr+rr\�RequirementFlag�protection_ready�	integrity�mutual_authentication�delegate_to_peerrar)s   rr+z_SSH_GSSAPI_NEW.__init__�s���	���d�K��A�� � ��&�&�7�7��&�&�0�0��&�&�<�<��&�&�7�7�	�D�O��&�&�7�7��&�&�0�0��&�&�<�<��D�OrNc�R�ddlm}||_||_t	j
d|jztjj��}|�<|j|�\}}|j�|jk7rtd��tjj}	d}
|�Dt	j||j|	d��|_|j j#|
�}
n|j j#|�}
|j j$|_|
S)	ae
        Initialize a GSS-API context.

        :param str username: The name of the user who attempts to login
        :param str target: The hostname of the target to connect to
        :param str desired_mech: The negotiated GSS-API mechanism
                                 ("pseudo negotiated" mechanism, because we
                                 support just the krb5 mechanism :-))
        :param str recv_token: The GSS-API token received from the Server
        :raises: `.SSHException` -- Is raised if the desired mechanism of the
                 client is not supported
        :raises: ``gssapi.exceptions.GSSError`` if there is an error signaled
                                                by the GSS-API implementation
        :return: A ``String`` if the GSS-API has returned a token or ``None``
                 if no token was returned
        rrCrc)�	name_typeNrd�initiate)rrkrH�usage)r9rDr rr\rh�NameType�hostbased_servicerErFr#r	�MechType�kerberos�SecurityContextrar$ro�completer%)r*rurGr1rvrDrwrHrIryrzs           rr|z$_SSH_GSSAPI_NEW.ssh_init_sec_context�s���&	-�!�������K�K��d�n�n�$��o�o�7�7�
�	��#��~�~�l�3�H�D�"��|�|�~����0�"�#?�@�@��O�O�,�,�	�����#�3�3���o�o�� �	�D�N��N�N�'�'��.�E��N�N�'�'�
�3�E� $��� 7� 7����rc��||_|sY|j|j|j|j|j�}|j
j
|�}|S|jj
|j�}|S)a�
        Create the MIC token for a SSH2 message.

        :param str session_id: The SSH session ID
        :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not
        :return: gssapi-with-mic:
                 Returns the MIC token from GSS-API for the message we created
                 with ``_ssh_build_mic``.
                 gssapi-keyex:
                 Returns the MIC token from GSS-API with the SSH session ID as
                 message.
        :rtype: str
        )r!rSr r"rr$�
get_signaturer&rs     rr�z_SSH_GSSAPI_NEW.ssh_get_mic�s���&�����+�+�� � �����
�
��!�!�	�I����4�4�Y�?�I����*�*�8�8��9I�9I�J�I��rc���||_||_|j�tjd��|_|jj|�}|jj|_|S)r��accept)r�)rr r&r\r�ror�r'r�s     rr�z&_SSH_GSSAPI_NEW.ssh_accept_sec_contexts`��"���!������%�!'�!7�!7�h�!G�D���"�"�'�'�
�3��$(�$6�$6�$?�$?��!��rc�6�||_||_|j�Y|j|j|j|j|j�}|j
j
||�y|jj
|j|�y)a{
        Verify the MIC token for a SSH2 message.

        :param str mic_token: The MIC token received from the client
        :param str session_id: The SSH session ID
        :param str username: The name of the user who attempts to login
        :return: None if the MIC check was successful
        :raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed
        N)r!r rSr"rr&�verify_signaturer$r�s     rr�z_SSH_GSSAPI_NEW.ssh_check_mic$s���&���!����>�>�%��+�+�� � �����
�
��!�!�	�I�
���/�/�	�9�E�
�N�N�+�+�D�,<�,<�i�Hrc�2�|jj�yy)z�
        Checks if credentials are delegated (server mode).

        :return: ``True`` if credentials are delegated, otherwise ``False``
        :rtype: bool
        TF)r&�delegated_credsr�s rr�z%_SSH_GSSAPI_NEW.credentials_delegated>s�����-�-�9��rc��t�)aw
        Save the Client token in a file. This is used by the SSH server
        to store the client credentials if credentials are delegated
        (server mode).

        :param str client_token: The GSS-API token received form the client
        :raises: ``NotImplementedError`` -- Credential delegation is currently
                 not supported in server mode
        r�r�s  rr�z!_SSH_GSSAPI_NEW.save_client_credsJs
��"�!rr�r�r�r�rrrrr�sB����.DH�,�\�8�(I�4�	��	�
"rrc�L�eZdZdZd�Z	d
d�Zdd�Zd�Zdd�Ze	d��Z
d	�Zy)
rzf
    Implementation of the Microsoft SSPI Kerberos Authentication for SSH2.

    :see: `.GSSAuth`
    c��tj|||�|jr8tjtj
ztjz|_ytjtj
z|_yr[)rr+r�sspicon�ISC_REQ_INTEGRITY�ISC_REQ_MUTUAL_AUTH�ISC_REQ_DELEGATErar)s   rr+z_SSH_SSPI.__init__^sh��	���d�K��A�� � ��)�)��-�-�.��*�*�+�
�O��)�)�G�,G�,G�G�
�OrNc�.�ddlm}||_||_d}d|jz}|�<|j	|�\}}	|j�|jk7rtd��	|�'tjd|j|��|_|jj|�\}}
|
dj}
|dk(r	d	|_d}
	|
S#tj$r4}|xj dj#|j�z
c_�d}~wwxYw)
a�
        Initialize a SSPI context.

        :param str username: The name of the user who attempts to login
        :param str target: The FQDN of the target to connect to
        :param str desired_mech: The negotiated SSPI mechanism
                                 ("pseudo negotiated" mechanism, because we
                                 support just the krb5 mechanism :-))
        :param recv_token: The SSPI token received from the Server
        :raises:
            `.SSHException` -- Is raised if the desired mechanism of the client
            is not supported
        :return: A ``String`` if the SSPI has returned a token or ``None`` if
                 no token was returned
        rrC�host/Nrd�Kerberos)�scflags�	targetspnz, Target: {}T)r9rDr rrErFr#r	�sspi�
ClientAuthrar$�	authorize�Buffer�
pywintypes�error�strerrorrqr%)r*rurGr1rvrDr�rwrHrIrz�es            rr|z_SSH_SSPI.ssh_init_sec_contextqs��$	-�!���������d�n�n�,�	��#��~�~�l�3�H�D�"��|�|�~����0�"�#?�@�@�		��!�!%�������9�"��� �>�>�3�3�J�?�L�E�5��!�H�O�O�E�
�A�:�
�%)�D�!��E�
�������	�
�J�J�.�/�/����?�?�J���	�s�%AC
�
D� /D�Dc��||_|sY|j|j|j|j|j�}|j
j
|�}|S|jj
|j�}|S)a�
        Create the MIC token for a SSH2 message.

        :param str session_id: The SSH session ID
        :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not
        :return: gssapi-with-mic:
                 Returns the MIC token from SSPI for the message we created
                 with ``_ssh_build_mic``.
                 gssapi-keyex:
                 Returns the MIC token from SSPI with the SSH session ID as
                 message.
        )r!rSr r"rr$�signr&rs     rr�z_SSH_SSPI.ssh_get_mic�s���&�����+�+�� � �����
�
��!�!�	�I����+�+�I�6�I����*�*�/�/��0@�0@�A�I��rc���||_||_d|jz}tjd|��|_|jj|�\}}|dj}|dk(r	d|_d}|S)a�
        Accept a SSPI context (server mode).

        :param str hostname: The servers FQDN
        :param str username: The name of the user who attempts to login
        :param str recv_token: The SSPI Token received from the server,
                               if it's not the initial call.
        :return: A ``String`` if the SSPI has returned a token or ``None`` if
                 no token was returned
        r�r�)�spnrTN)rr r��
ServerAuthr&r�r�r')r*r�r1rvrwr�rzs       rr�z _SSH_SSPI.ssh_accept_sec_context�ss��"���!����d�n�n�,�	�!�_�_�Z�Y�G����)�)�3�3�J�?���u��a������A�:�(,�D�%��E��rc�"�||_||_|�Y|j|j|j|j|j�}|j
j
||�y|jj
|j|�y)ak
        Verify the MIC token for a SSH2 message.

        :param str mic_token: The MIC token received from the client
        :param str session_id: The SSH session ID
        :param str username: The name of the user who attempts to login
        :return: None if the MIC check was successful
        :raises: ``sspi.error`` -- if the MIC check failed
        N)r!r rSr"rr&�verifyr$r�s     rr�z_SSH_SSPI.ssh_check_mic�s}��&���!������+�+�� � �����
�
��!�!�	�I�
���%�%�i��;�
�N�N�!�!�$�"2�"2�I�>rc�t�|jtjzxr|jxs|jS)r�)rar�r�r'r�s rr�z_SSH_SSPI.credentials_delegated�s2������!9�!9�9�
��%�%�8����	
rc��t�)a{
        Save the Client token in a file. This is used by the SSH server
        to store the client credentails if credentials are delegated
        (server mode).

        :param str client_token: The SSPI token received form the client
        :raises:
            ``NotImplementedError`` -- Credential delegation is currently not
            supported in server mode
        r�r�s  rr�z_SSH_SSPI.save_client_creds�r�rr�r�r�r�rrrrrWsA����(DH�2�h�6�,?�<�
��
�"rr)T)#rXrLrrr�GSS_AUTH_AVAILABLE�GSS_EXCEPTIONSr
r\�hasattrrrp�
exceptions�GeneralError�raw�misc�GSSErrorr�OSErrorr�r�r�r��paramiko.commonr�paramiko.ssh_exceptionr	�paramiko._versionr
r�objectrr�_SSH_GSSAPIrrrrr�<module>r�s7��,��	�
����������v�{�#��(8�(8�O�(K��� �-�-�/��"�����*�*��J�J�O�O�$�$�
�� 1�/�.�G�@~�6�~�Bq"�l�q"�h�f��!�K�l"�l�l"�^s"��s"��u	�W��
�	������$�*�*�,�����"������
�s6�A$C�C:�C(�'C:�(	C4�1C:�3C4�4C:�9C:
Zerion Mini Shell 1.0