Rewrite auth mechanism proposal #203
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Try auth_password first (it should be the most common for network equipments and some of them don't like auth_none as first method, requiring reconnection * Use correct display names * Remove redundant code (error handling) * Allow some partial auth support (might not work) * Banner is retrieved and tested at each auth attempt, because some equipments send it only once even is the method failed * Some Python3 compatibility "hack" (get_banner), there's a lot to change to be fully Python3 compatible I think (unicode_literals from __future__ everywhere, as str in Py2 is basically bytes)
houndci-bot
reviewed
Aug 22, 2019
Exscript/protocols/ssh2.py
Outdated
| if partial_methods == [] and hasattr(e, 'allowed_types'): | ||
| allowed_methods = e.allowed_types | ||
| finally: | ||
| self.os_guesser.data_received(self.get_banner(), False) # Log banner sent DURING auth |
There was a problem hiding this comment.
line too long (102 > 79 characters)
| elif type(e) is BadHostKeyException: | ||
| self._add_auth_error('{}: Bad host key: {}'.format(method_name, e)) | ||
| elif type(e) is SSHException: | ||
| self._add_auth_error('{}: SSHException: {}'.format(method_name, e)) |
There was a problem hiding this comment.
line too long (87 > 79 characters)
| elif type(e) is AuthenticationException: | ||
| self._add_auth_error('Authentication with {} failed: {}'.format(method_name, e)) | ||
| elif type(e) is BadHostKeyException: | ||
| self._add_auth_error('{}: Bad host key: {}'.format(method_name, e)) |
There was a problem hiding this comment.
line too long (87 > 79 characters)
| if type(e) is BadAuthenticationType: # Should happen only once | ||
| self._add_auth_error('{} reported as bad method, supported: {}'.format(method['ssh_method'], e.allowed_types)) | ||
| elif type(e) is AuthenticationException: | ||
| self._add_auth_error('Authentication with {} failed: {}'.format(method_name, e)) |
There was a problem hiding this comment.
line too long (100 > 79 characters)
Exscript/protocols/ssh2.py
Outdated
| self._paramiko_auth(username, password, next_methods) | ||
| except (BadAuthenticationType, AuthenticationException, BadHostKeyException, SSHException) as e: | ||
| if type(e) is BadAuthenticationType: # Should happen only once | ||
| self._add_auth_error('{} reported as bad method, supported: {}'.format(method['ssh_method'], e.allowed_types)) |
There was a problem hiding this comment.
line too long (130 > 79 characters)
| # Some OSes (e.g. JunOS ERX OS, Huawei) do not accept further login | ||
| # attempts after failing one. So in this hack, we | ||
| # re-connect after each attempt... | ||
| if self.get_driver().reconnect_between_auth_methods or not self.client.active: | ||
| # But do not reconnect in case of partial auth | ||
| if self.get_driver().reconnect_between_auth_methods or (partial_methods == [] and not self.client.active): |
There was a problem hiding this comment.
line too long (118 > 79 characters)
| for method in auth_types: | ||
| method_name = method.get('display_name', method['ssh_method']) | ||
| if allowed_methods is not None and method_name not in allowed_methods: | ||
| self._dbg(1, 'Skipping authentification method %s (unsupported)' % method_name) |
There was a problem hiding this comment.
line too long (95 > 79 characters)
| allowed_methods = partial_methods | ||
| for method in auth_types: | ||
| method_name = method.get('display_name', method['ssh_method']) | ||
| if allowed_methods is not None and method_name not in allowed_methods: |
There was a problem hiding this comment.
line too long (82 > 79 characters)
| {'ssh_method': 'publickey', 'function': '_paramiko_auth_agent', 'display_name': 'publickey (agent)'}, | ||
| {'ssh_method': 'publickey', 'function': '_paramiko_auth_autokey', 'display_name': 'publickey (autokey)'}, | ||
| # https://superuser.com/questions/894608/ssh-o-preferredauthentications-whats-the-difference-between-password-and-k | ||
| {'ssh_method': 'keyboard-interactive', 'function': '_paramiko_auth_interactive'} |
There was a problem hiding this comment.
line too long (84 > 79 characters)
| {'ssh_method': 'password', 'function': '_paramiko_auth_password'}, | ||
| {'ssh_method': 'none', 'function': '_paramiko_auth_none'}, | ||
| {'ssh_method': 'publickey', 'function': '_paramiko_auth_agent', 'display_name': 'publickey (agent)'}, | ||
| {'ssh_method': 'publickey', 'function': '_paramiko_auth_autokey', 'display_name': 'publickey (autokey)'}, |
There was a problem hiding this comment.
line too long (109 > 79 characters)
houndci-bot
reviewed
Aug 22, 2019
| self._paramiko_auth(username, password, next_methods) | ||
| except (BadAuthenticationType, AuthenticationException, BadHostKeyException, SSHException) as e: | ||
| if type(e) is BadAuthenticationType: # Should happen only once | ||
| self._add_auth_error('{} reported as bad method, supported: {}'.format( |
There was a problem hiding this comment.
line too long (91 > 79 characters)
| self._dbg(1, 'Authentication successful') | ||
| return | ||
| elif partial_methods == []: # Only attempt partial methods once (1 recursion) | ||
| self.guess_os_from_banner() # Try to get banner before trying next method |
There was a problem hiding this comment.
line too long (94 > 79 characters)
| self._dbg(1, 'Authenticating with %s' % method_name) | ||
| next_methods = getattr(self, method['function'])(username, password) | ||
| if next_methods == []: | ||
| self.guess_os_from_banner(authenticated=True) # Auth done, get banner ! |
There was a problem hiding this comment.
line too long (92 > 79 characters)
| # This one automatically falls back to keyb-interecative with internal handler | ||
| {'ssh_method': 'password', 'function': '_paramiko_auth_password'}, | ||
| {'ssh_method': 'none', 'function': '_paramiko_auth_none'}, | ||
| {'ssh_method': 'publickey', 'function': '_paramiko_auth_agent', 'display_name': 'publickey (agent)'}, |
There was a problem hiding this comment.
line too long (105 > 79 characters)
| 'keyboard-interactive': ('_paramiko_auth_interactive',), | ||
| 'password': ('_paramiko_auth_password',)} | ||
| auth_types = [ | ||
| # This one automatically falls back to keyb-interecative with internal handler |
There was a problem hiding this comment.
line too long (82 > 79 characters)
|
As a workaround I landed up extending the SSH protocol class. ` ` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
unicode_literalsfrom__future__everywhere, as str in Py2 is basically bytes)