summaryrefslogtreecommitdiff
path: root/paramiko/server.py
diff options
context:
space:
mode:
authorJeremy T. Bouse <jbouse@debian.org>2014-09-22 09:21:39 -0400
committerJeremy T. Bouse <jbouse@debian.org>2014-09-22 09:21:39 -0400
commit70f669a0a41e104bd0427e8ad9142071aae241ed (patch)
treea5c0a22c336514e1db001012a64d15477986b671 /paramiko/server.py
parente9306cab7448e641a54789039f5c8bfe988de320 (diff)
parentccd643cdbd7ba752727d62051058a4454451414d (diff)
downloadpython-paramiko-70f669a0a41e104bd0427e8ad9142071aae241ed.tar
python-paramiko-70f669a0a41e104bd0427e8ad9142071aae241ed.tar.gz
Merge tag 'upstream/1.15.0'
Upstream version 1.15.0
Diffstat (limited to 'paramiko/server.py')
-rw-r--r--paramiko/server.py74
1 files changed, 74 insertions, 0 deletions
diff --git a/paramiko/server.py b/paramiko/server.py
index 496cd60..cf396b1 100644
--- a/paramiko/server.py
+++ b/paramiko/server.py
@@ -229,6 +229,80 @@ class ServerInterface (object):
:rtype: int or `.InteractiveQuery`
"""
return AUTH_FAILED
+
+ def check_auth_gssapi_with_mic(self, username,
+ gss_authenticated=AUTH_FAILED,
+ cc_file=None):
+ """
+ Authenticate the given user to the server if he is a valid krb5
+ principal.
+
+ :param str username: The username of the authenticating client
+ :param int gss_authenticated: The result of the krb5 authentication
+ :param str cc_filename: The krb5 client credentials cache filename
+ :return: `.AUTH_FAILED` if the user is not authenticated otherwise
+ `.AUTH_SUCCESSFUL`
+ :rtype: int
+ :note: Kerberos credential delegation is not supported.
+ :see: `.ssh_gss`
+ :note: : We are just checking in L{AuthHandler} that the given user is
+ a valid krb5 principal!
+ We don't check if the krb5 principal is allowed to log in on
+ the server, because there is no way to do that in python. So
+ if you develop your own SSH server with paramiko for a cetain
+ plattform like Linux, you should call C{krb5_kuserok()} in your
+ local kerberos library to make sure that the krb5_principal has
+ an account on the server and is allowed to log in as a user.
+ :see: `http://www.unix.com/man-page/all/3/krb5_kuserok/`
+ """
+ if gss_authenticated == AUTH_SUCCESSFUL:
+ return AUTH_SUCCESSFUL
+ return AUTH_FAILED
+
+ def check_auth_gssapi_keyex(self, username,
+ gss_authenticated=AUTH_FAILED,
+ cc_file=None):
+ """
+ Authenticate the given user to the server if he is a valid krb5
+ principal and GSS-API Key Exchange was performed.
+ If GSS-API Key Exchange was not performed, this authentication method
+ won't be available.
+
+ :param str username: The username of the authenticating client
+ :param int gss_authenticated: The result of the krb5 authentication
+ :param str cc_filename: The krb5 client credentials cache filename
+ :return: `.AUTH_FAILED` if the user is not authenticated otherwise
+ `.AUTH_SUCCESSFUL`
+ :rtype: int
+ :note: Kerberos credential delegation is not supported.
+ :see: `.ssh_gss` `.kex_gss`
+ :note: : We are just checking in L{AuthHandler} that the given user is
+ a valid krb5 principal!
+ We don't check if the krb5 principal is allowed to log in on
+ the server, because there is no way to do that in python. So
+ if you develop your own SSH server with paramiko for a cetain
+ plattform like Linux, you should call C{krb5_kuserok()} in your
+ local kerberos library to make sure that the krb5_principal has
+ an account on the server and is allowed to log in as a user.
+ :see: `http://www.unix.com/man-page/all/3/krb5_kuserok/`
+ """
+ if gss_authenticated == AUTH_SUCCESSFUL:
+ return AUTH_SUCCESSFUL
+ return AUTH_FAILED
+
+ def enable_auth_gssapi(self):
+ """
+ Overwrite this function in your SSH server to enable GSSAPI
+ authentication.
+ The default implementation always returns false.
+
+ :return: True if GSSAPI authentication is enabled otherwise false
+ :rtype: Boolean
+ :see: : `.ssh_gss`
+ """
+ UseGSSAPI = False
+ GSSAPICleanupCredentials = False
+ return UseGSSAPI
def check_port_forward_request(self, address, port):
"""