From 3e1f9f09b1da0397f82e4ee9e1886f5271705e29 Mon Sep 17 00:00:00 2001
From: Sebastian Deiss <s.deiss@science-computing.de>
Date: Tue, 11 Feb 2014 13:08:11 +0100
Subject: GSS-API / SSPI authenticated Diffie-Hellman Key Exchange and user
 authentication with Python 3 support

Add Python 3 support for the GSS-API / SSPI authenticated Diffie-Hellman
Key Exchange and user authentication. This patch supersedes pull request
#250.
---
 demos/demo_server.py | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

(limited to 'demos/demo_server.py')

diff --git a/demos/demo_server.py b/demos/demo_server.py
index bb35258b..74e4677e 100644
--- a/demos/demo_server.py
+++ b/demos/demo_server.py
@@ -66,9 +66,39 @@ class Server (paramiko.ServerInterface):
         if (username == 'robey') and (key == self.good_pub_key):
             return paramiko.AUTH_SUCCESSFUL
         return paramiko.AUTH_FAILED
+    
+    def check_auth_gssapi_with_mic(self, username,
+                                   gss_authenticated=paramiko.AUTH_FAILED,
+                                   cc_file=None):
+        """
+        @note: We are just checking in L{AuthHandler} that the given user is
+               a valid krb5 principal!
+               We don't check if the krb5 principal is allowed to log in on
+               the server, because there is no way to do that in python. So
+               if you develop your own SSH server with paramiko for a certain
+               platform like Linux, you should call C{krb5_kuserok()} in your
+               local kerberos library to make sure that the krb5_principal has
+               an account on the server and is allowed to log in as a user.
+        @see: U{krb5_kuserok() man page <http://www.unix.com/man-page/all/3/krb5_kuserok/>}
+        """
+        if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
+            return paramiko.AUTH_SUCCESSFUL
+        return paramiko.AUTH_FAILED
+
+    def check_auth_gssapi_keyex(self, username,
+                                gss_authenticated=paramiko.AUTH_FAILED,
+                                cc_file=None):
+        if gss_authenticated == paramiko.AUTH_SUCCESSFUL:
+            return paramiko.AUTH_SUCCESSFUL
+        return paramiko.AUTH_FAILED
+
+    def enable_auth_gssapi(self):
+        UseGSSAPI = True
+        GSSAPICleanupCredentials = False
+        return UseGSSAPI
 
     def get_allowed_auths(self, username):
-        return 'password,publickey'
+        return 'gssapi-keyex,gssapi-with-mic,password,publickey'
 
     def check_channel_shell_request(self, channel):
         self.event.set()
@@ -79,6 +109,8 @@ class Server (paramiko.ServerInterface):
         return True
 
 
+DoGSSAPIKeyExchange = True
+
 # now connect
 try:
     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -101,7 +133,8 @@ except Exception as e:
 print('Got a connection!')
 
 try:
-    t = paramiko.Transport(client)
+    t = paramiko.Transport(client, gss_kex=DoGSSAPIKeyExchange)
+    t.set_gss_host(socket.getfqdn(""))
     try:
         t.load_server_moduli()
     except:
-- 
cgit v1.2.1