lib/paramiko/__pycache__/ssh_gss.cpython-314.pyc

+
u<10>i)p<00><00><><00>Rt^RIt^RIt^RItRtRtRt^RIt]!]R4'd"]PR8XdRt]P3tM9Rt]PP]PPP3t^R	IHt^R
IHtRRlt!RR
4t!RR]4t!RR]4t!RR]4tR# ]]3d2^RIt^RIt^RItRt]P*3tLe ]d	RtRtLsi;ii;i)z<>
This module provides GSS-API / SSPI  authentication as defined in :rfc:`4462`.

.. note:: Credential delegation is not supported in server mode.

.. seealso:: :doc:`/api/kex_gss`

.. versionadded:: 1.15
NT<EFBFBD>	__title__z
python-gssapi<70>MIT<49>PYTHON-GSSAPI-NEW<45>SSPIF)<01>MSG_USERAUTH_REQUEST)<01>SSHExceptionc<04><><00>\R8Xd\W4#\R8Xd\W4#\R8Xd!\PR8Xd\W4#\
R4h)a|
Provide SSH2 GSS-API / SSPI authentication.

:param str auth_method: The name of the SSH authentication mechanism
                        (gssapi-with-mic or gss-keyex)
:param bool gss_deleg_creds: Delegate client credentials or not.
                             We delegate credentials by default.
:return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix)
         object or an `_SSH_SSPI` (Windows) object
:rtype: object

:raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported.

:see: `RFC 4462 <http://www.ietf.org/rfc/rfc4462.txt>`_
:note: Check for the available API and return either an `._SSH_GSSAPI_OLD`
       (MIT GSSAPI using python-gssapi package) object, an
       `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object
       or an `._SSH_SSPI` (MS SSPI) object.
       If there is no supported API available,
       ``None`` will be returned.
rrr<00>ntz)Unable to import a GSS-API / SSPI module!)<07>_API<50>_SSH_GSSAPI_OLD<4C>_SSH_GSSAPI_NEW<45>os<6F>name<6D>	_SSH_SSPI<50>ImportError)<02>auth_method<6F>gss_deleg_credss&&<26>7/tmp/pip-target-zhdecbcm/lib/python/paramiko/ssh_gss.py<70>GSSAuthrMsR<00><00>,<0C>u<EFBFBD>}<7D><1E>{<7B><<3C><<3C>	
<0A>$<24>	$<24><1E>{<7B><<3C><<3C>	
<0A><16><1E>B<EFBFBD>G<EFBFBD>G<EFBFBD>t<EFBFBD>O<EFBFBD><18><1B>6<>6<><19>E<>F<>F<>c<00>Ra<00>]tRt^mtoRtRtRtRtRRltRt	Rt
RtR	tVt
R
#)<0C>_SSH_GSSAuthzg
Contains the shared variables and methods of `._SSH_GSSAPI_OLD`,
`._SSH_GSSAPI_NEW` and `._SSH_SSPI`.
c<0C><><00>WnW nRVnRVnRVnRVnRVnRVnRVnRVn	RVn
RVnR#)<05><>
:param str auth_method: The name of the SSH authentication mechanism
                        (gssapi-with-mic or gss-keyex)
:param bool gss_deleg_creds: Delegate client credentials or not
Nzssh-connectionz1.2.840.113554.1.2.2F)<0C>_auth_method<6F>_gss_deleg_creds<64>	_gss_host<73>	_username<6D>_session_id<69>_service<63>
_krb5_mech<EFBFBD>	_gss_ctxt<78>_gss_ctxt_status<75>
_gss_srv_ctxt<78>_gss_srv_ctxt_status<75>cc_file<6C><03>selfrrs&&&r<00>__init__<5F>_SSH_GSSAuth.__init__sse<00><00>(<28><19> /<2F><1D><1D><04><0E><1D><04><0E><1F><04><18>(<28><04>
<0A>	<0C>1<><04><0F><1E><04><0E> %<25><04><1D>"<22><04><1A>$)<29><04>!<21><1B><04>rc<0C>D<00>VPR4'd	WnR#R#)z<>
This is just a setter to use a non default service.
I added this method, because RFC 4462 doesn't specify "ssh-connection"
as the only service value.

:param str service: The desired SSH service
zssh-N)<02>findr)r'<00>services&&r<00>set_service<63>_SSH_GSSAuth.set_service<63>s<00><00><13><<3C><<3C><06><1F><1F>#<23>M<EFBFBD> rc<0C><00>WnR#)z<>
Setter for C{username}. If GSS-API Key Exchange is performed, the
username is not set by C{ssh_init_sec_context}.

:param str username: The name of the user who attempts to login
N)r)r'<00>usernames&&r<00>set_username<6D>_SSH_GSSAuth.set_username<6D>s	<00><00>"<22>rc<0C><><00>^RIHp^RIHpVP	^4pVPV!VP44pVP	\V44pVR8Xd	We,#WF,V,#)a|
This method returns a single OID, because we only support the
Kerberos V5 mechanism.

:param str mode: Client for client mode and server for server mode
:return: A byte sequence containing the number of supported
         OIDs, the length of the OID and the actual OID encoded with
         DER
:note: In server mode we just return the OID length and the DER encoded
       OID.
)<01>ObjectIdentifier)<01>encoder<65>server)<08>pyasn1.type.univr4<00>pyasn1.codec.derr5<00>_make_uint32<33>encoder <00>len)r'<00>moder4r5<00>OIDs<44>krb5_OID<49>OID_lens&&     r<00>ssh_gss_oids<64>_SSH_GSSAuth.ssh_gss_oids<64>sd<00><00>	6<>,<2C><13> <20> <20><11>#<23><04><1A>><3E>><3E>"2<>4<EFBFBD>?<3F>?<3F>"C<>D<><08><16>#<23>#<23>C<EFBFBD><08>M<EFBFBD>2<><07><0F>8<EFBFBD><1B><1A>%<25>%<25><13>~<7E><08>(<28>(rc<0C>z<00>^RIHpVPV4wr4VP4VP8wdR#R#)z<>
Check if the given OID is the Kerberos V5 OID (server mode).

:param str desired_mech: The desired GSS-API mechanism of the client
:return: ``True`` if the given OID is supported, otherwise C{False}
<EFBFBD><01>decoderFT)r8rD<00>decode<64>__str__r )r'<00>desired_mechrD<00>mech<63>__s&&   r<00>ssh_check_mech<63>_SSH_GSSAuth.ssh_check_mech<63>s/<00><00>	-<2D><1A>><3E>><3E>,<2C>/<2F><08><04><0F><<3C><<3C>><3E>T<EFBFBD>_<EFBFBD>_<EFBFBD>,<2C><18>rc<0C>0<00>\P!RV4#)z<>
Create a 32 bit unsigned integer (The byte sequence of an integer).

:param int integer: The integer value to convert
:return: The byte sequence of an 32 bit integer
z!I)<02>struct<63>pack)r'<00>integers&&rr9<00>_SSH_GSSAuth._make_uint32<33>s<00><00><16>{<7B>{<7B>4<EFBFBD><17>)<29>)rc<0C><><00>VP\V44pWQ,
pV\P!R\4,
pWPP\V44,
pWRP4,
pWPP\V44,
pWSP4,
pWPP\V44,
pWTP4,
pV#)a^
Create the SSH2 MIC filed for gssapi-with-mic.

:param str session_id: The SSH session ID
:param str username: The name of the user who attempts to login
:param str service: The requested SSH service
:param str auth_method: The requested SSH authentication mechanism
:return: The MIC as defined in RFC 4462. The contents of the
         MIC field are:
         string    session_identifier,
         byte      SSH_MSG_USERAUTH_REQUEST,
         string    user-name,
         string    service (ssh-connection),
         string    authentication-method
                   (gssapi-with-mic or gssapi-keyex)
<EFBFBD>B)r9r;rMrNrr:)r'<00>
session_idr0r,r<00>mics&&&&& r<00>_ssh_build_mic<69>_SSH_GSSAuth._ssh_build_mic<69>s<><00><00>"<13><1F><1F><03>J<EFBFBD><0F>0<><03><0B><19><03><0B>v<EFBFBD>{<7B>{<7B>3<EFBFBD> 4<>5<>5<><03><0B> <20> <20><13>X<EFBFBD><1D>/<2F>/<2F><03><0B><EFBFBD><EFBFBD> <20> <20><03><0B> <20> <20><13>W<EFBFBD><1C>.<2E>.<2E><03><0B>~<7E>~<7E><1F><1F><03><0B> <20> <20><13>[<5B>!1<>2<>2<><03><0B>!<21>!<21>#<23>#<23><03><12>
r)rr!r"rrr#r$r rrrr%N)<01>client)<0E>__name__<5F>
__module__<EFBFBD>__qualname__<5F>__firstlineno__<5F>__doc__r(r-r1r@rJr9rU<00>__static_attributes__<5F>__classdictcell__<5F><01>
__classdict__s@rrrms2<00><><00><00><08>
<1C>6	$<24>"<22>)<29>,<14> *<2A><13>rrc<00>ha<00>]tRt^<5E>toRtRtRRltRRltR
RltR
Rlt	]
R4tR	tR
t
VtR#)rz<>
Implementation of the GSS-API MIT Kerberos Authentication for SSH2,
using the older (unmaintained) python-gssapi package.

:see: `.GSSAuth`
c<0C>H<00>\PWV4VP'dF\P\P
\P\P3VnR#\P\P
\P3VnR#<00>rN)	rr(r<00>gssapi<70>C_PROT_READY_FLAG<41>C_INTEG_FLAG<41>
C_MUTUAL_FLAG<41>C_DELEG_FLAG<41>
_gss_flagsr&s&&&rr(<00>_SSH_GSSAPI_OLD.__init__<5F>ss<00><00>	<15><1D><1D>d<EFBFBD><1F>A<><0F> <20> <20> <20><16>(<28>(<28><16>#<23>#<23><16>$<24>$<24><16>#<23>#<23>	<0E>D<EFBFBD>O<EFBFBD><17>(<28>(<28><16>#<23>#<23><16>$<24>$<24><0E>D<EFBFBD>OrNc<0C><><00>^RIHpW0nWn\P
!RVP,\P4p\P!4pVPVn	Vf+\PPVP4pMfVPV4wr<>V	P4VP8wd\R4h\PPVP4pRpVfE\P !VVVPR7VnVP"P%V4pMVP"P%V4pVP"P.VnV# \P&dNRP)\*P,!4^,TP4p\P&!T4hi;i)ac
Initialize a GSS-API context.

:param str username: The name of the user who attempts to login
:param str target: The hostname of the target to connect to
:param str desired_mech: The negotiated GSS-API mechanism
                         ("pseudo negotiated" mechanism, because we
                         support just the krb5 mechanism :-))
:param str recv_token: The GSS-API token received from the Server
:raises:
    `.SSHException` -- Is raised if the desired mechanism of the client
    is not supported
:return: A ``String`` if the GSS-API has returned a token or
    ``None`` if no token was returned
rC<00>host@N<>Unsupported mechanism OID.)<03>	peer_name<6D>	mech_type<70>	req_flagsz
{} Target: {})r8rDrrrd<00>Name<6D>C_NT_HOSTBASED_SERVICE<43>Contextri<00>flags<67>OID<49>mech_from_stringr rErFr<00>InitContextr!<00>step<65>GSSException<6F>format<61>sys<79>exc_info<66>establishedr")
r'<00>targetrGr0<00>
recv_tokenrD<00>	targ_name<6D>ctx<74>	krb5_mechrHrI<00>token<65>messages
&&&&&        r<00>ssh_init_sec_context<78>$_SSH_GSSAPI_OLD.ssh_init_sec_contextsk<00><00>$	-<2D>!<21><0E><1F><0E><1A>K<EFBFBD>K<EFBFBD><13>d<EFBFBD>n<EFBFBD>n<EFBFBD>$<24>f<EFBFBD>&C<>&C<>
<EFBFBD>	<09><15>n<EFBFBD>n<EFBFBD><1E><03><18>O<EFBFBD>O<EFBFBD><03>	<09><17><1F><1E>
<EFBFBD>
<EFBFBD>3<>3<>D<EFBFBD>O<EFBFBD>O<EFBFBD>D<>I<EFBFBD><1E>~<7E>~<7E>l<EFBFBD>3<>H<EFBFBD>D<EFBFBD><13>|<7C>|<7C>~<7E><14><1F><1F>0<>"<22>#?<3F>@<40>@<40>"<22>J<EFBFBD>J<EFBFBD>7<>7<><04><0F><0F>H<>	<09><14><05>	/<2F><19>!<21>!'<27>!3<>!3<>'<27>'<27>!<21>i<EFBFBD>i<EFBFBD>"<12><04><0E>
<1D><0E><0E>+<2B>+<2B>E<EFBFBD>2<><05><1C><0E><0E>+<2B>+<2B>J<EFBFBD>7<><05>!%<25><0E><0E> :<3A> :<3A><04><1D><14><0C><>	<16>"<22>"<22>	/<2F>%<25>,<2C>,<2C>S<EFBFBD>\<5C>\<5C>^<5E>A<EFBFBD>-><3E><04><0E><0E>O<>G<EFBFBD><18>%<25>%<25>g<EFBFBD>.<2E>.<2E>	/<2F>s<00>AF<00>F<00>A"G)c<0C><00>WnV'gZVPVPVPVPVP4pVP
P
V4pV#VPP
VP4pV#)a<>
Create the MIC token for a SSH2 message.

:param str session_id: The SSH session ID
:param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not
:return: gssapi-with-mic:
         Returns the MIC token from GSS-API for the message we created
         with ``_ssh_build_mic``.
         gssapi-keyex:
         Returns the MIC token from GSS-API with the SSH session ID as
         message.
)rrUrrrr!<00>get_micr#<00>r'rS<00>gss_kex<65>	mic_field<6C>	mic_tokens&&&  r<00>ssh_get_mic<69>_SSH_GSSAPI_OLD.ssh_get_mic@s<00><00>&<26><18><16><1C>+<2B>+<2B><14> <20> <20><14><0E><0E><14>
<0A>
<0A><14>!<21>!<21>	<0E>I<EFBFBD><1D><0E><0E>.<2E>.<2E>y<EFBFBD>9<>I<EFBFBD><19><18><1D>*<2A>*<2A>2<>2<>4<EFBFBD>3C<33>3C<33>D<>I<EFBFBD><18>rc<0C><><00>WnW0nVPf\P!4VnVPPV4pVPPVnV#)<01>s
Accept a GSS-API context (server mode).

:param str hostname: The servers hostname
:param str username: The name of the user who attempts to login
:param str recv_token: The GSS-API Token received from the server,
                       if it's not the initial call.
:return: A ``String`` if the GSS-API has returned a token or ``None``
        if no token was returned
)rrr#rd<00>
AcceptContextrxr}r$<00>r'<00>hostnamerr0r<>s&&&& r<00>ssh_accept_sec_context<78>&_SSH_GSSAPI_OLD.ssh_accept_sec_context[sZ<00><00>"<22><0E>!<21><0E><0F><1D><1D>%<25>!'<27>!5<>!5<>!7<>D<EFBFBD><1E><14>"<22>"<22>'<27>'<27>
<EFBFBD>3<><05>$(<28>$6<>$6<>$B<>$B<><04>!<21><14>rc<0C>8<00>W nW0nVPeZVPVPVPVPVP4pVP
P
WA4R#VPP
VPV4R#)a<
Verify the MIC token for a SSH2 message.

:param str mic_token: The MIC token received from the client
:param str session_id: The SSH session ID
:param str username: The name of the user who attempts to login
:return: None if the MIC check was successful
:raises: ``gssapi.GSSException`` -- if the MIC check failed
N)rrrUrrr#<00>
verify_micr!<00>r'r<>rSr0r<>s&&&& r<00>
ssh_check_mic<69>_SSH_GSSAPI_OLD.ssh_check_micos{<00><00>&<26><18>!<21><0E><0F>><3E>><3E>%<25><1C>+<2B>+<2B><14> <20> <20><14><0E><0E><14>
<0A>
<0A><14>!<21>!<21>	<0E>I<EFBFBD>
<11><1E><1E>)<29>)<29>)<29>?<3F>
<11>N<EFBFBD>N<EFBFBD>%<25>%<25>d<EFBFBD>&6<>&6<>	<09>Brc<0C>:<00>VPPeR#R#)<03>y
Checks if credentials are delegated (server mode).

:return: ``True`` if credentials are delegated, otherwise ``False``
TF)r#<00>delegated_cred<65>r's&r<00>credentials_delegated<65>%_SSH_GSSAPI_OLD.credentials_delegated<65>s<00><00><10><1D><1D>,<2C>,<2C>8<><17>rc<0C><00>\h)a>
Save the Client token in a file. This is used by the SSH server
to store the client credentials if credentials are delegated
(server mode).

:param str client_token: The GSS-API token received form the client
:raises:
    ``NotImplementedError`` -- Credential delegation is currently not
    supported in server mode
<EFBFBD><01>NotImplementedError<6F>r'<00>client_tokens&&r<00>save_client_creds<64>!_SSH_GSSAPI_OLD.save_client_creds<64><00>
<00><00>"<22>!r<00>r!r"rirr#r$rr<00>NNN<4E>F<>N<>rXrYrZr[r\r(r<>r<>r<>r<><00>propertyr<79>r<>r]r^r_s@rrr<00>sC<00><><00><00><08><0E>,2<15>h<19>6<15>(C<01>4<0E><15><0E><15>"<22>"rrc<00>ha<00>]tRtRtoRtRtRRltR
RltRRltRRlt	]
R	4tR
tRt
VtR#)ri<>z<>
Implementation of the GSS-API MIT Kerberos Authentication for SSH2,
using the newer, currently maintained gssapi package.

:see: `.GSSAuth`
c<0C><><00>\PWV4VP'dn\PP
\PP\PP\PP3Vn	R#\PP
\PP\PP3Vn	R#rc)
rr(rrd<00>RequirementFlag<61>protection_ready<64>	integrity<74>mutual_authentication<6F>delegate_to_peerrir&s&&&rr(<00>_SSH_GSSAPI_NEW.__init__<5F>s<><00><00>	<15><1D><1D>d<EFBFBD><1F>A<><0F> <20> <20> <20><16>&<26>&<26>7<>7<><16>&<26>&<26>0<>0<><16>&<26>&<26><<3C><<3C><16>&<26>&<26>7<>7<>	<0E>D<EFBFBD>O<EFBFBD><17>&<26>&<26>7<>7<><16>&<26>&<26>0<>0<><16>&<26>&<26><<3C><<3C><0E>D<EFBFBD>OrNc<0C>d<00>^RIHpW0nWn\P
!RVP,\PPR7pVe>VPV4wrxVP4VP8wd\R4h\PPp	Rp
VfF\P!VVPV	RR7VnVP P#V
4p
MVP P#V4p
VP P$VnV
#)a<>
Initialize a GSS-API context.

:param str username: The name of the user who attempts to login
:param str target: The hostname of the target to connect to
:param str desired_mech: The negotiated GSS-API mechanism
                         ("pseudo negotiated" mechanism, because we
                         support just the krb5 mechanism :-))
:param str recv_token: The GSS-API token received from the Server
:raises: `.SSHException` -- Is raised if the desired mechanism of the
         client is not supported
:raises: ``gssapi.exceptions.GSSError`` if there is an error signaled
                                        by the GSS-API implementation
:return: A ``String`` if the GSS-API has returned a token or ``None``
         if no token was returned
rCrl)<01>	name_typeNrm<00>initiate)rrtrH<00>usage)r8rDrrrdrq<00>NameType<70>hostbased_servicerErFr r<00>MechType<70>kerberos<6F>SecurityContextrir!rx<00>completer")r'r~rGr0rrDr<>rHrIr<>r<>s&&&&&      rr<><00>$_SSH_GSSAPI_NEW.ssh_init_sec_context<78>s<><00><00>&	-<2D>!<21><0E><1F><0E><1A>K<EFBFBD>K<EFBFBD><13>d<EFBFBD>n<EFBFBD>n<EFBFBD>$<24><1C>o<EFBFBD>o<EFBFBD>7<>7<>
<EFBFBD>	<09><18>#<23><1E>~<7E>~<7E>l<EFBFBD>3<>H<EFBFBD>D<EFBFBD><13>|<7C>|<7C>~<7E><14><1F><1F>0<>"<22>#?<3F>@<40>@<40><1A>O<EFBFBD>O<EFBFBD>,<2C>,<2C>	<09><14><05><15><1D>#<23>3<>3<><1E><1A>o<EFBFBD>o<EFBFBD><1E> <20>	<0E>D<EFBFBD>N<EFBFBD><19>N<EFBFBD>N<EFBFBD>'<27>'<27><05>.<2E>E<EFBFBD><18>N<EFBFBD>N<EFBFBD>'<27>'<27>
<EFBFBD>3<>E<EFBFBD> $<24><0E><0E> 7<> 7<><04><1D><14>rc<0C><00>WnV'gZVPVPVPVPVP4pVP
P
V4pV#VPP
VP4pV#)a<>
Create the MIC token for a SSH2 message.

:param str session_id: The SSH session ID
:param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not
:return: gssapi-with-mic:
         Returns the MIC token from GSS-API for the message we created
         with ``_ssh_build_mic``.
         gssapi-keyex:
         Returns the MIC token from GSS-API with the SSH session ID as
         message.
:rtype: str
)rrUrrrr!<00>
get_signaturer#r<>s&&&  rr<><00>_SSH_GSSAPI_NEW.ssh_get_mic<69>s<00><00>&<26><18><16><1C>+<2B>+<2B><14> <20> <20><14><0E><0E><14>
<0A>
<0A><14>!<21>!<21>	<0E>I<EFBFBD><1D><0E><0E>4<>4<>Y<EFBFBD>?<3F>I<EFBFBD><19><18><1D>*<2A>*<2A>8<>8<><14>9I<39>9I<39>J<>I<EFBFBD><18>rc<0C><><00>WnW0nVPf\P!RR7VnVPPV4pVPPVnV#)r<><00>accept)r<>)rrr#rdr<>rxr<>r$r<>s&&&& rr<><00>&_SSH_GSSAPI_NEW.ssh_accept_sec_context
s\<00><00>"<22><0E>!<21><0E><0F><1D><1D>%<25>!'<27>!7<>!7<>h<EFBFBD>!G<>D<EFBFBD><1E><14>"<22>"<22>'<27>'<27>
<EFBFBD>3<><05>$(<28>$6<>$6<>$?<3F>$?<3F><04>!<21><14>rc<0C>8<00>W nW0nVPeZVPVPVPVPVP4pVP
P
WA4R#VPP
VPV4R#)aC
Verify the MIC token for a SSH2 message.

:param str mic_token: The MIC token received from the client
:param str session_id: The SSH session ID
:param str username: The name of the user who attempts to login
:return: None if the MIC check was successful
:raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed
N)rrrUrrr#<00>verify_signaturer!r<>s&&&& rr<><00>_SSH_GSSAPI_NEW.ssh_check_mics{<00><00>&<26><18>!<21><0E><0F>><3E>><3E>%<25><1C>+<2B>+<2B><14> <20> <20><14><0E><0E><14>
<0A>
<0A><14>!<21>!<21>	<0E>I<EFBFBD>
<11><1E><1E>/<2F>/<2F>	<09>E<>
<11>N<EFBFBD>N<EFBFBD>+<2B>+<2B>D<EFBFBD>,<<3C>,<<3C>i<EFBFBD>Hrc<0C>:<00>VPPeR#R#)z<>
Checks if credentials are delegated (server mode).

:return: ``True`` if credentials are delegated, otherwise ``False``
:rtype: bool
TF)r#<00>delegated_credsr<73>s&rr<><00>%_SSH_GSSAPI_NEW.credentials_delegated8s<00><00><10><1D><1D>-<2D>-<2D>9<><17>rc<0C><00>\h)a?
Save the Client token in a file. This is used by the SSH server
to store the client credentials if credentials are delegated
(server mode).

:param str client_token: The GSS-API token received form the client
:raises: ``NotImplementedError`` -- Credential delegation is currently
         not supported in server mode
r<EFBFBD>r<>s&&rr<><00>!_SSH_GSSAPI_NEW.save_client_credsDs
<00><00>"<22>!rr<>r<>r<>r<>r<>r_s@rrr<00>sC<00><><00><00><08><0E>,,<15>\<19>8<15>(I<01>4<0E>	<15><0E>	<15>
"<22>
"rrc<00>da<00>]tRtRtoRtRtRRltR
RltRtRRlt	]
R	4tR
tRt
VtR#)riQzZ
Implementation of the Microsoft SSPI Kerberos Authentication for SSH2.

:see: `.GSSAuth`
c<0C>,<00>\PWV4VP'dB\P\P
,\P,VnR#\P\P
,VnR#rc)rr(r<00>sspicon<6F>ISC_REQ_INTEGRITY<54>ISC_REQ_MUTUAL_AUTH<54>ISC_REQ_DELEGATErir&s&&&rr(<00>_SSH_SSPI.__init__Xsi<00><00>	<15><1D><1D>d<EFBFBD><1F>A<><0F> <20> <20> <20><17>)<29>)<29><19>-<2D>-<2D>.<2E><19>*<2A>*<2A>+<2B>
<11>O<EFBFBD><18>)<29>)<29>G<EFBFBD>,G<>,G<>G<>
<11>OrNc<0C>T<00>^RIHpW0nWn^pRVP,pVe>VP	V4wr<>VP4VP8wd\R4hVf)\P!RVPVR7VnVPPV4wrjV
^,Pp
T^8XdRTnRp
T
# \Pd9pT;P RP#TP4,
unhRp?ii;i)	aT
Initialize a SSPI context.

:param str username: The name of the user who attempts to login
:param str target: The FQDN of the target to connect to
:param str desired_mech: The negotiated SSPI mechanism
                         ("pseudo negotiated" mechanism, because we
                         support just the krb5 mechanism :-))
:param recv_token: The SSPI token received from the Server
:raises:
    `.SSHException` -- Is raised if the desired mechanism of the client
    is not supported
:return: A ``String`` if the SSPI has returned a token or ``None`` if
         no token was returned
rC<00>host/Nrm<00>Kerberos)<02>scflags<67>	targetspnz, Target: {}T)r8rDrrrErFr r<00>sspi<70>
ClientAuthrir!<00>	authorize<7A>Buffer<65>
pywintypes<EFBFBD>error<6F>strerrorrzr")r'r~rGr0rrDr<>r<>rHrIr<><00>es&&&&&       rr<><00>_SSH_SSPI.ssh_init_sec_contextks<00><00>$	-<2D>!<21><0E><1F><0E><11><05><1B>d<EFBFBD>n<EFBFBD>n<EFBFBD>,<2C>	<09><17>#<23><1E>~<7E>~<7E>l<EFBFBD>3<>H<EFBFBD>D<EFBFBD><13>|<7C>|<7C>~<7E><14><1F><1F>0<>"<22>#?<3F>@<40>@<40>		<12><19>!<21>!%<25><1F><1F><1E><04><0F><0F>9<EFBFBD>"<12><04><0E> <20>><3E>><3E>3<>3<>J<EFBFBD>?<3F>L<EFBFBD>E<EFBFBD><19>!<21>H<EFBFBD>O<EFBFBD>O<EFBFBD>E<EFBFBD>
<11>A<EFBFBD>:<3A>
<10>%)<29>D<EFBFBD>!<21><18>E<EFBFBD>
<10><15><0C><><1A><1F><1F>	<12>
<0A>J<EFBFBD>J<EFBFBD>.<2E>/<2F>/<2F><04><0E><0E>?<3F>?<3F>J<EFBFBD><11><>	<12>s<00>*AC<00>D'<03>/3D"<03>"D'c<0C><00>WnV'gZVPVPVPVPVP4pVP
P
V4pV#VPP
VP4pV#)a<>
Create the MIC token for a SSH2 message.

:param str session_id: The SSH session ID
:param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not
:return: gssapi-with-mic:
         Returns the MIC token from SSPI for the message we created
         with ``_ssh_build_mic``.
         gssapi-keyex:
         Returns the MIC token from SSPI with the SSH session ID as
         message.
)rrUrrrr!<00>signr#r<>s&&&  rr<><00>_SSH_SSPI.ssh_get_mic<69>s<00><00>&<26><18><16><1C>+<2B>+<2B><14> <20> <20><14><0E><0E><14>
<0A>
<0A><14>!<21>!<21>	<0E>I<EFBFBD><1D><0E><0E>+<2B>+<2B>I<EFBFBD>6<>I<EFBFBD><19><18><1D>*<2A>*<2A>/<2F>/<2F><04>0@<40>0@<40>A<>I<EFBFBD><18>rc<0C><><00>WnW nRVP,p\P!RVR7VnVPPV4wrVV^,PpV^8Xd
RVnRpV#)ag
Accept a SSPI context (server mode).

:param str hostname: The servers FQDN
:param str username: The name of the user who attempts to login
:param str recv_token: The SSPI Token received from the server,
                       if it's not the initial call.
:return: A ``String`` if the SSPI has returned a token or ``None`` if
         no token was returned
r<EFBFBD>r<>)<01>spnTN)rrr<><00>
ServerAuthr#r<>r<>r$)r'r<>r0rr<>r<>r<>s&&&&   rr<><00> _SSH_SSPI.ssh_accept_sec_context<78>sm<00><00>"<22><0E>!<21><0E><1B>d<EFBFBD>n<EFBFBD>n<EFBFBD>,<2C>	<09>!<21>_<EFBFBD>_<EFBFBD>Z<EFBFBD>Y<EFBFBD>G<><04><1A><1B>)<29>)<29>3<>3<>J<EFBFBD>?<3F><0C><05><15>a<EFBFBD><08><0F><0F><05><10>A<EFBFBD>:<3A>(,<2C>D<EFBFBD>%<25><18>E<EFBFBD><14>rc<0C>$<00>W nW0nVeZVPVPVPVPVP4pVP
P
WA4R#VPP
VPV4R#)a3
Verify the MIC token for a SSH2 message.

:param str mic_token: The MIC token received from the client
:param str session_id: The SSH session ID
:param str username: The name of the user who attempts to login
:return: None if the MIC check was successful
:raises: ``sspi.error`` -- if the MIC check failed
N)rrrUrrr#<00>verifyr!r<>s&&&& rr<><00>_SSH_SSPI.ssh_check_mic<69>sw<00><00>&<26><18>!<21><0E><13><1F><1C>+<2B>+<2B><14> <20> <20><14><0E><0E><14>
<0A>
<0A><14>!<21>!<21>	<0E>I<EFBFBD>
<11><1E><1E>%<25>%<25>i<EFBFBD>;<3B>
<11>N<EFBFBD>N<EFBFBD>!<21>!<21>$<24>"2<>"2<>I<EFBFBD>>rc<0C><><00>VP\P,;'d!VP;'g
VP#)r<>)rir<>r<>r$r<>s&rr<><00>_SSH_SSPI.credentials_delegated<65>s:<00><00><14><EFBFBD><EFBFBD><17>!9<>!9<>9<>
<EFBFBD>
<EFBFBD><10>%<25>%<25>8<>8<><14><1F><1F>	
rc<0C><00>\h)a;
Save the Client token in a file. This is used by the SSH server
to store the client credentials if credentials are delegated
(server mode).

:param str client_token: The SSPI token received form the client
:raises:
    ``NotImplementedError`` -- Credential delegation is currently not
    supported in server mode
r<EFBFBD>r<>s&&rr<><00>_SSH_SSPI.save_client_creds<64>r<>rr<>r<>r<>r<>r<>r_s@rrrQsB<00><><00><00><08><0E>&2<15>h<19>6<15>,?<3F><<0E>
<EFBFBD><0E>
<EFBFBD>"<22>"rr<00>)T)r\rMr
r{<00>GSS_AUTH_AVAILABLE<4C>GSS_EXCEPTIONSr
rd<00>hasattrrry<00>
exceptions<EFBFBD>GeneralError<6F>raw<61>misc<73>GSSErrorr<00>OSErrorr<72>r<>r<>r<><00>paramiko.commonr<00>paramiko.ssh_exceptionrrrrrrr<>rr<00><module>r<>s&<00><01>,<04><0E>	<09>
<EFBFBD><1A><12><14><0E><0C><04><14><11><0E>v<EFBFBD>{<7B>#<23>#<23><06>(8<>(8<>O<EFBFBD>(K<><14><04> <20>-<2D>-<2D>/<2F><0E>"<22><04><12><1D><1D>*<2A>*<2A><12>J<EFBFBD>J<EFBFBD>O<EFBFBD>O<EFBFBD>$<24>$<24>
<EFBFBD><0E> 1<>/<2F>G<01>@~<13>~<13>Bq"<22>l<EFBFBD>q"<22>hl"<22>l<EFBFBD>l"<22>^s"<22><0C>s"<22><>i	<14>W<EFBFBD><1D>
<14>	<14><19><16><13><15><04>$<24>*<2A>*<2A>,<2C><0E><><16><14>"<22><1A><13><04><14><>
<14>s4<00>C<00> C<00>
8C<00>	C;<03>C(<02>(C7<05>3C;<03>6C7<05>7C;