diff options
author | Jeremy T. Bouse <jbouse@debian.org> | 2014-09-22 09:21:39 -0400 |
---|---|---|
committer | Jeremy T. Bouse <jbouse@debian.org> | 2014-09-22 09:21:39 -0400 |
commit | 70f669a0a41e104bd0427e8ad9142071aae241ed (patch) | |
tree | a5c0a22c336514e1db001012a64d15477986b671 /paramiko/server.py | |
parent | e9306cab7448e641a54789039f5c8bfe988de320 (diff) | |
parent | ccd643cdbd7ba752727d62051058a4454451414d (diff) | |
download | python-paramiko-70f669a0a41e104bd0427e8ad9142071aae241ed.tar python-paramiko-70f669a0a41e104bd0427e8ad9142071aae241ed.tar.gz |
Merge tag 'upstream/1.15.0'
Upstream version 1.15.0
Diffstat (limited to 'paramiko/server.py')
-rw-r--r-- | paramiko/server.py | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/paramiko/server.py b/paramiko/server.py index 496cd60..cf396b1 100644 --- a/paramiko/server.py +++ b/paramiko/server.py @@ -229,6 +229,80 @@ class ServerInterface (object): :rtype: int or `.InteractiveQuery` """ return AUTH_FAILED + + def check_auth_gssapi_with_mic(self, username, + gss_authenticated=AUTH_FAILED, + cc_file=None): + """ + Authenticate the given user to the server if he is a valid krb5 + principal. + + :param str username: The username of the authenticating client + :param int gss_authenticated: The result of the krb5 authentication + :param str cc_filename: The krb5 client credentials cache filename + :return: `.AUTH_FAILED` if the user is not authenticated otherwise + `.AUTH_SUCCESSFUL` + :rtype: int + :note: Kerberos credential delegation is not supported. + :see: `.ssh_gss` + :note: : We are just checking in L{AuthHandler} that the given user is + a valid krb5 principal! + We don't check if the krb5 principal is allowed to log in on + the server, because there is no way to do that in python. So + if you develop your own SSH server with paramiko for a cetain + plattform like Linux, you should call C{krb5_kuserok()} in your + local kerberos library to make sure that the krb5_principal has + an account on the server and is allowed to log in as a user. + :see: `http://www.unix.com/man-page/all/3/krb5_kuserok/` + """ + if gss_authenticated == AUTH_SUCCESSFUL: + return AUTH_SUCCESSFUL + return AUTH_FAILED + + def check_auth_gssapi_keyex(self, username, + gss_authenticated=AUTH_FAILED, + cc_file=None): + """ + Authenticate the given user to the server if he is a valid krb5 + principal and GSS-API Key Exchange was performed. + If GSS-API Key Exchange was not performed, this authentication method + won't be available. + + :param str username: The username of the authenticating client + :param int gss_authenticated: The result of the krb5 authentication + :param str cc_filename: The krb5 client credentials cache filename + :return: `.AUTH_FAILED` if the user is not authenticated otherwise + `.AUTH_SUCCESSFUL` + :rtype: int + :note: Kerberos credential delegation is not supported. + :see: `.ssh_gss` `.kex_gss` + :note: : We are just checking in L{AuthHandler} that the given user is + a valid krb5 principal! + We don't check if the krb5 principal is allowed to log in on + the server, because there is no way to do that in python. So + if you develop your own SSH server with paramiko for a cetain + plattform like Linux, you should call C{krb5_kuserok()} in your + local kerberos library to make sure that the krb5_principal has + an account on the server and is allowed to log in as a user. + :see: `http://www.unix.com/man-page/all/3/krb5_kuserok/` + """ + if gss_authenticated == AUTH_SUCCESSFUL: + return AUTH_SUCCESSFUL + return AUTH_FAILED + + def enable_auth_gssapi(self): + """ + Overwrite this function in your SSH server to enable GSSAPI + authentication. + The default implementation always returns false. + + :return: True if GSSAPI authentication is enabled otherwise false + :rtype: Boolean + :see: : `.ssh_gss` + """ + UseGSSAPI = False + GSSAPICleanupCredentials = False + return UseGSSAPI def check_port_forward_request(self, address, port): """ |