Imported Upstream version 1.15.0upstream/1.15.0

3 files changed, 71 insertions, 10 deletions

diff --git a/demos/demo_server.py b/demos/demo_server.py
index bb35258..5b3d516 100644
--- a/demos/demo_server.py
+++ b/demos/demo_server.py
@@ -66,9 +66,42 @@ class Server (paramiko.ServerInterface):
         if (username == 'robey') and (key == self.good_pub_key):
             return paramiko.AUTH_SUCCESSFUL
         return paramiko.AUTH_FAILED
+    
+    def check_auth_gssapi_with_mic(self, username,
+                                   gss_authenticated=paramiko.AUTH_FAILED,
+                                   cc_file=None):
+        """
+        .. note::
+            We are just checking in `AuthHandler` that the given user is a
+            valid krb5 principal! We don't check if the krb5 principal is
+            allowed to log in on the server, because there is no way to do that
+            in python. So if you develop your own SSH server with paramiko for
+            a certain platform like Linux, you should call ``krb5_kuserok()`` in
+            your local kerberos library to make sure that the krb5_principal
+            has an account on the server and is allowed to log in as a user.
+
+        .. seealso::
+            `krb5_kuserok() man page
+            <http://www.unix.com/man-page/all/3/krb5_kuserok/>`_
+        """
+        if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
+            return paramiko.AUTH_SUCCESSFUL
+        return paramiko.AUTH_FAILED
+
+    def check_auth_gssapi_keyex(self, username,
+                                gss_authenticated=paramiko.AUTH_FAILED,
+                                cc_file=None):
+        if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
+            return paramiko.AUTH_SUCCESSFUL
+        return paramiko.AUTH_FAILED
+
+    def enable_auth_gssapi(self):
+        UseGSSAPI = True
+        GSSAPICleanupCredentials = False
+        return UseGSSAPI
 
     def get_allowed_auths(self, username):
-        return 'password,publickey'
+        return 'gssapi-keyex,gssapi-with-mic,password,publickey'
 
     def check_channel_shell_request(self, channel):
         self.event.set()
@@ -79,6 +112,8 @@ class Server (paramiko.ServerInterface):
         return True
 
 
+DoGSSAPIKeyExchange = True
+
 # now connect
 try:
     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -101,7 +136,8 @@ except Exception as e:
 print('Got a connection!')
 
 try:
-    t = paramiko.Transport(client)
+    t = paramiko.Transport(client, gss_kex=DoGSSAPIKeyExchange)
+    t.set_gss_host(socket.getfqdn(""))
     try:
         t.load_server_moduli()
     except:
diff --git a/demos/demo_sftp.py b/demos/demo_sftp.py
index a34f2b1..2cb4470 100755..100644
--- a/demos/demo_sftp.py
+++ b/demos/demo_sftp.py
@@ -34,6 +34,11 @@ from paramiko.py3compat import input
 # setup logging
 paramiko.util.log_to_file('demo_sftp.log')
 
+# Paramiko client configuration
+UseGSSAPI = True             # enable GSS-API / SSPI authentication
+DoGSSAPIKeyExchange = True
+Port = 22
+
 # get hostname
 username = ''
 if len(sys.argv) > 1:
@@ -45,10 +50,10 @@ else:
 if len(hostname) == 0:
     print('*** Hostname required.')
     sys.exit(1)
-port = 22
+
 if hostname.find(':') >= 0:
     hostname, portstr = hostname.split(':')
-    port = int(portstr)
+    Port = int(portstr)
 
 
 # get username
@@ -57,7 +62,10 @@ if username == '':
     username = input('Username [%s]: ' % default_username)
     if len(username) == 0:
         username = default_username
-password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+if not UseGSSAPI:
+    password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+else:
+    password = None
 
 
 # get host key, if we know one
@@ -81,8 +89,9 @@ if hostname in host_keys:
 
 # now, connect and use paramiko Transport to negotiate SSH2 across the connection
 try:
-    t = paramiko.Transport((hostname, port))
-    t.connect(username=username, password=password, hostkey=hostkey)
+    t = paramiko.Transport((hostname, Port))
+    t.connect(hostkey, username, password, gss_host=socket.getfqdn(hostname),
+              gss_auth=UseGSSAPI, gss_kex=DoGSSAPIKeyExchange)
     sftp = paramiko.SFTPClient.from_transport(t)
 
     # dirlist on remote host
diff --git a/demos/demo_simple.py b/demos/demo_simple.py
index ae631e4..3a17988 100755
--- a/demos/demo_simple.py
+++ b/demos/demo_simple.py
@@ -36,6 +36,10 @@ except ImportError:
 
 # setup logging
 paramiko.util.log_to_file('demo_simple.log')
+# Paramiko client configuration
+UseGSSAPI = True             # enable GSS-API / SSPI authentication
+DoGSSAPIKeyExchange = True
+port = 22
 
 # get hostname
 username = ''
@@ -48,7 +52,7 @@ else:
 if len(hostname) == 0:
     print('*** Hostname required.')
     sys.exit(1)
-port = 22
+
 if hostname.find(':') >= 0:
     hostname, portstr = hostname.split(':')
     port = int(portstr)
@@ -60,7 +64,8 @@ if username == '':
     username = input('Username [%s]: ' % default_username)
     if len(username) == 0:
         username = default_username
-password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+if not UseGSSAPI or (not UseGSSAPI and not DoGSSAPIKeyExchange):
+    password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
 
 
 # now, connect and use paramiko Client to negotiate SSH2 across the connection
@@ -69,7 +74,18 @@ try:
     client.load_system_host_keys()
     client.set_missing_host_key_policy(paramiko.WarningPolicy())
     print('*** Connecting...')
-    client.connect(hostname, port, username, password)
+    if not UseGSSAPI or (not UseGSSAPI and not DoGSSAPIKeyExchange):
+        client.connect(hostname, port, username, password)
+    else:
+        # SSPI works only with the FQDN of the target host
+        hostname = socket.getfqdn(hostname)
+        try:
+            client.connect(hostname, port, username, gss_auth=UseGSSAPI,
+                           gss_kex=DoGSSAPIKeyExchange)
+        except Exception:
+            password = getpass.getpass('Password for %s@%s: ' % (username, hostname))
+            client.connect(hostname, port, username, password)
+
     chan = client.invoke_shell()
     print(repr(client.get_transport()))
     print('*** Here we go!\n')