File manager

File manager - Edit - /home/newsbmcs.com/public_html/static/img/logo/paramiko.tar

Back
kex_group16.py��0000644��00000004360�15030210772�0007270 0��ustar�00��# Copyright (C) 2019 Edgar Sousa <https://github.com/edgsousa> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Standard SSH key exchange ("kex" if you wanna sound cool). Diffie-Hellman of 4096 bit key halves, using a known "p" prime and "g" generator. """ from paramiko.kex_group1 import KexGroup1 from hashlib import sha512 class KexGroup16SHA512(KexGroup1): name = "diffie-hellman-group16-sha512" # http://tools.ietf.org/html/rfc3526#section-5 P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF # noqa G = 2 name = "diffie-hellman-group16-sha512" hash_algo = sha512 ��sftp_file.py��0000644��00000052474�15030210772�0007102 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ SFTP file object """ from binascii import hexlify from collections import deque import socket import threading import time from paramiko.common import DEBUG, io_sleep from paramiko.file import BufferedFile from paramiko.util import u from paramiko.sftp import ( CMD_CLOSE, CMD_READ, CMD_DATA, SFTPError, CMD_WRITE, CMD_STATUS, CMD_FSTAT, CMD_ATTRS, CMD_FSETSTAT, CMD_EXTENDED, int64, ) from paramiko.sftp_attr import SFTPAttributes class SFTPFile(BufferedFile): """ Proxy object for a file on the remote server, in client mode SFTP. Instances of this class may be used as context managers in the same way that built-in Python file objects are. """ # Some sftp servers will choke if you send read/write requests larger than # this size. MAX_REQUEST_SIZE = 32768 def __init__(self, sftp, handle, mode="r", bufsize=-1): BufferedFile.__init__(self) self.sftp = sftp self.handle = handle BufferedFile._set_mode(self, mode, bufsize) self.pipelined = False self._prefetching = False self._prefetch_done = False self._prefetch_data = {} self._prefetch_extents = {} self._prefetch_lock = threading.Lock() self._saved_exception = None self._reqs = deque() def __del__(self): self._close(async_=True) def close(self): """ Close the file. """ self._close(async_=False) def _close(self, async_=False): # We allow double-close without signaling an error, because real # Python file objects do. However, we must protect against actually # sending multiple CMD_CLOSE packets, because after we close our # handle, the same handle may be re-allocated by the server, and we # may end up mysteriously closing some random other file. (This is # especially important because we unconditionally call close() from # __del__.) if self._closed: return self.sftp._log(DEBUG, "close({})".format(u(hexlify(self.handle)))) if self.pipelined: self.sftp._finish_responses(self) BufferedFile.close(self) try: if async_: # GC'd file handle could be called from an arbitrary thread # -- don't wait for a response self.sftp._async_request(type(None), CMD_CLOSE, self.handle) else: self.sftp._request(CMD_CLOSE, self.handle) except EOFError: # may have outlived the Transport connection pass except (IOError, socket.error): # may have outlived the Transport connection pass def _data_in_prefetch_requests(self, offset, size): k = [ x for x in list(self._prefetch_extents.values()) if x[0] <= offset ] if len(k) == 0: return False k.sort(key=lambda x: x[0]) buf_offset, buf_size = k[-1] if buf_offset + buf_size <= offset: # prefetch request ends before this one begins return False if buf_offset + buf_size >= offset + size: # inclusive return True # well, we have part of the request. see if another chunk has # the rest. return self._data_in_prefetch_requests( buf_offset + buf_size, offset + size - buf_offset - buf_size ) def _data_in_prefetch_buffers(self, offset): """ if a block of data is present in the prefetch buffers, at the given offset, return the offset of the relevant prefetch buffer. otherwise, return None. this guarantees nothing about the number of bytes collected in the prefetch buffer so far. """ k = [i for i in self._prefetch_data.keys() if i <= offset] if len(k) == 0: return None index = max(k) buf_offset = offset - index if buf_offset >= len(self._prefetch_data[index]): # it's not here return None return index def _read_prefetch(self, size): """ read data out of the prefetch buffer, if possible. if the data isn't in the buffer, return None. otherwise, behaves like a normal read. """ # while not closed, and haven't fetched past the current position, # and haven't reached EOF... while True: offset = self._data_in_prefetch_buffers(self._realpos) if offset is not None: break if self._prefetch_done or self._closed: break self.sftp._read_response() self._check_exception() if offset is None: self._prefetching = False return None prefetch = self._prefetch_data[offset] del self._prefetch_data[offset] buf_offset = self._realpos - offset if buf_offset > 0: self._prefetch_data[offset] = prefetch[:buf_offset] prefetch = prefetch[buf_offset:] if size < len(prefetch): self._prefetch_data[self._realpos + size] = prefetch[size:] prefetch = prefetch[:size] return prefetch def _read(self, size): size = min(size, self.MAX_REQUEST_SIZE) if self._prefetching: data = self._read_prefetch(size) if data is not None: return data t, msg = self.sftp._request( CMD_READ, self.handle, int64(self._realpos), int(size) ) if t != CMD_DATA: raise SFTPError("Expected data") return msg.get_string() def _write(self, data): # may write less than requested if it would exceed max packet size chunk = min(len(data), self.MAX_REQUEST_SIZE) sftp_async_request = self.sftp._async_request( type(None), CMD_WRITE, self.handle, int64(self._realpos), data[:chunk], ) self._reqs.append(sftp_async_request) if not self.pipelined or ( len(self._reqs) > 100 and self.sftp.sock.recv_ready() ): while len(self._reqs): req = self._reqs.popleft() t, msg = self.sftp._read_response(req) if t != CMD_STATUS: raise SFTPError("Expected status") # convert_status already called return chunk def settimeout(self, timeout): """ Set a timeout on read/write operations on the underlying socket or ssh `.Channel`. :param float timeout: seconds to wait for a pending read/write operation before raising ``socket.timeout``, or ``None`` for no timeout .. seealso:: `.Channel.settimeout` """ self.sftp.sock.settimeout(timeout) def gettimeout(self): """ Returns the timeout in seconds (as a `float`) associated with the socket or ssh `.Channel` used for this file. .. seealso:: `.Channel.gettimeout` """ return self.sftp.sock.gettimeout() def setblocking(self, blocking): """ Set blocking or non-blocking mode on the underiying socket or ssh `.Channel`. :param int blocking: 0 to set non-blocking mode; non-0 to set blocking mode. .. seealso:: `.Channel.setblocking` """ self.sftp.sock.setblocking(blocking) def seekable(self): """ Check if the file supports random access. :return: `True` if the file supports random access. If `False`, :meth:`seek` will raise an exception """ return True def seek(self, offset, whence=0): """ Set the file's current position. See `file.seek` for details. """ self.flush() if whence == self.SEEK_SET: self._realpos = self._pos = offset elif whence == self.SEEK_CUR: self._pos += offset self._realpos = self._pos else: self._realpos = self._pos = self._get_size() + offset self._rbuffer = bytes() def stat(self): """ Retrieve information about this file from the remote system. This is exactly like `.SFTPClient.stat`, except that it operates on an already-open file. :returns: an `.SFTPAttributes` object containing attributes about this file. """ t, msg = self.sftp._request(CMD_FSTAT, self.handle) if t != CMD_ATTRS: raise SFTPError("Expected attributes") return SFTPAttributes._from_msg(msg) def chmod(self, mode): """ Change the mode (permissions) of this file. The permissions are unix-style and identical to those used by Python's `os.chmod` function. :param int mode: new permissions """ self.sftp._log( DEBUG, "chmod({}, {!r})".format(hexlify(self.handle), mode) ) attr = SFTPAttributes() attr.st_mode = mode self.sftp._request(CMD_FSETSTAT, self.handle, attr) def chown(self, uid, gid): """ Change the owner (``uid``) and group (``gid``) of this file. As with Python's `os.chown` function, you must pass both arguments, so if you only want to change one, use `stat` first to retrieve the current owner and group. :param int uid: new owner's uid :param int gid: new group id """ self.sftp._log( DEBUG, "chown({}, {!r}, {!r})".format(hexlify(self.handle), uid, gid), ) attr = SFTPAttributes() attr.st_uid, attr.st_gid = uid, gid self.sftp._request(CMD_FSETSTAT, self.handle, attr) def utime(self, times): """ Set the access and modified times of this file. If ``times`` is ``None``, then the file's access and modified times are set to the current time. Otherwise, ``times`` must be a 2-tuple of numbers, of the form ``(atime, mtime)``, which is used to set the access and modified times, respectively. This bizarre API is mimicked from Python for the sake of consistency -- I apologize. :param tuple times: ``None`` or a tuple of (access time, modified time) in standard internet epoch time (seconds since 01 January 1970 GMT) """ if times is None: times = (time.time(), time.time()) self.sftp._log( DEBUG, "utime({}, {!r})".format(hexlify(self.handle), times) ) attr = SFTPAttributes() attr.st_atime, attr.st_mtime = times self.sftp._request(CMD_FSETSTAT, self.handle, attr) def truncate(self, size): """ Change the size of this file. This usually extends or shrinks the size of the file, just like the ``truncate()`` method on Python file objects. :param size: the new size of the file """ self.sftp._log( DEBUG, "truncate({}, {!r})".format(hexlify(self.handle), size) ) attr = SFTPAttributes() attr.st_size = size self.sftp._request(CMD_FSETSTAT, self.handle, attr) def check(self, hash_algorithm, offset=0, length=0, block_size=0): """ Ask the server for a hash of a section of this file. This can be used to verify a successful upload or download, or for various rsync-like operations. The file is hashed from ``offset``, for ``length`` bytes. If ``length`` is 0, the remainder of the file is hashed. Thus, if both ``offset`` and ``length`` are zero, the entire file is hashed. Normally, ``block_size`` will be 0 (the default), and this method will return a byte string representing the requested hash (for example, a string of length 16 for MD5, or 20 for SHA-1). If a non-zero ``block_size`` is given, each chunk of the file (from ``offset`` to ``offset + length``) of ``block_size`` bytes is computed as a separate hash. The hash results are all concatenated and returned as a single string. For example, ``check('sha1', 0, 1024, 512)`` will return a string of length 40. The first 20 bytes will be the SHA-1 of the first 512 bytes of the file, and the last 20 bytes will be the SHA-1 of the next 512 bytes. :param str hash_algorithm: the name of the hash algorithm to use (normally ``"sha1"`` or ``"md5"``) :param offset: offset into the file to begin hashing (0 means to start from the beginning) :param length: number of bytes to hash (0 means continue to the end of the file) :param int block_size: number of bytes to hash per result (must not be less than 256; 0 means to compute only one hash of the entire segment) :return: `str` of bytes representing the hash of each block, concatenated together :raises: ``IOError`` -- if the server doesn't support the "check-file" extension, or possibly doesn't support the hash algorithm requested .. note:: Many (most?) servers don't support this extension yet. .. versionadded:: 1.4 """ t, msg = self.sftp._request( CMD_EXTENDED, "check-file", self.handle, hash_algorithm, int64(offset), int64(length), block_size, ) msg.get_text() # ext msg.get_text() # alg data = msg.get_remainder() return data def set_pipelined(self, pipelined=True): """ Turn on/off the pipelining of write operations to this file. When pipelining is on, paramiko won't wait for the server response after each write operation. Instead, they're collected as they come in. At the first non-write operation (including `.close`), all remaining server responses are collected. This means that if there was an error with one of your later writes, an exception might be thrown from within `.close` instead of `.write`. By default, files are not pipelined. :param bool pipelined: ``True`` if pipelining should be turned on for this file; ``False`` otherwise .. versionadded:: 1.5 """ self.pipelined = pipelined def prefetch(self, file_size=None, max_concurrent_requests=None): """ Pre-fetch the remaining contents of this file in anticipation of future `.read` calls. If reading the entire file, pre-fetching can dramatically improve the download speed by avoiding roundtrip latency. The file's contents are incrementally buffered in a background thread. The prefetched data is stored in a buffer until read via the `.read` method. Once data has been read, it's removed from the buffer. The data may be read in a random order (using `.seek`); chunks of the buffer that haven't been read will continue to be buffered. :param int file_size: When this is ``None`` (the default), this method calls `stat` to determine the remote file size. In some situations, doing so can cause exceptions or hangs (see `#562 <https://github.com/paramiko/paramiko/pull/562>`_); as a workaround, one may call `stat` explicitly and pass its value in via this parameter. :param int max_concurrent_requests: The maximum number of concurrent read requests to prefetch. See `.SFTPClient.get` (its ``max_concurrent_prefetch_requests`` param) for details. .. versionadded:: 1.5.1 .. versionchanged:: 1.16.0 The ``file_size`` parameter was added (with no default value). .. versionchanged:: 1.16.1 The ``file_size`` parameter was made optional for backwards compatibility. .. versionchanged:: 3.3 Added ``max_concurrent_requests``. """ if file_size is None: file_size = self.stat().st_size # queue up async reads for the rest of the file chunks = [] n = self._realpos while n < file_size: chunk = min(self.MAX_REQUEST_SIZE, file_size - n) chunks.append((n, chunk)) n += chunk if len(chunks) > 0: self._start_prefetch(chunks, max_concurrent_requests) def readv(self, chunks, max_concurrent_prefetch_requests=None): """ Read a set of blocks from the file by (offset, length). This is more efficient than doing a series of `.seek` and `.read` calls, since the prefetch machinery is used to retrieve all the requested blocks at once. :param chunks: a list of ``(offset, length)`` tuples indicating which sections of the file to read :param int max_concurrent_prefetch_requests: The maximum number of concurrent read requests to prefetch. See `.SFTPClient.get` (its ``max_concurrent_prefetch_requests`` param) for details. :return: a list of blocks read, in the same order as in ``chunks`` .. versionadded:: 1.5.4 .. versionchanged:: 3.3 Added ``max_concurrent_prefetch_requests``. """ self.sftp._log( DEBUG, "readv({}, {!r})".format(hexlify(self.handle), chunks) ) read_chunks = [] for offset, size in chunks: # don't fetch data that's already in the prefetch buffer if self._data_in_prefetch_buffers( offset ) or self._data_in_prefetch_requests(offset, size): continue # break up anything larger than the max read size while size > 0: chunk_size = min(size, self.MAX_REQUEST_SIZE) read_chunks.append((offset, chunk_size)) offset += chunk_size size -= chunk_size self._start_prefetch(read_chunks, max_concurrent_prefetch_requests) # now we can just devolve to a bunch of read()s :) for x in chunks: self.seek(x[0]) yield self.read(x[1]) # ...internals... def _get_size(self): try: return self.stat().st_size except: return 0 def _start_prefetch(self, chunks, max_concurrent_requests=None): self._prefetching = True self._prefetch_done = False t = threading.Thread( target=self._prefetch_thread, args=(chunks, max_concurrent_requests), ) t.daemon = True t.start() def _prefetch_thread(self, chunks, max_concurrent_requests): # do these read requests in a temporary thread because there may be # a lot of them, so it may block. for offset, length in chunks: # Limit the number of concurrent requests in a busy-loop if max_concurrent_requests is not None: while True: with self._prefetch_lock: pf_len = len(self._prefetch_extents) if pf_len < max_concurrent_requests: break time.sleep(io_sleep) num = self.sftp._async_request( self, CMD_READ, self.handle, int64(offset), int(length) ) with self._prefetch_lock: self._prefetch_extents[num] = (offset, length) def _async_response(self, t, msg, num): if t == CMD_STATUS: # save exception and re-raise it on next file operation try: self.sftp._convert_status(msg) except Exception as e: self._saved_exception = e return if t != CMD_DATA: raise SFTPError("Expected data") data = msg.get_string() while True: with self._prefetch_lock: # spin if in race with _prefetch_thread if num in self._prefetch_extents: offset, length = self._prefetch_extents[num] self._prefetch_data[offset] = data del self._prefetch_extents[num] if len(self._prefetch_extents) == 0: self._prefetch_done = True break def _check_exception(self): """if there's a saved exception, raise & clear it""" if self._saved_exception is not None: x = self._saved_exception self._saved_exception = None raise x ��agent.py��0000644��00000037005�15030210772�0006216 0��ustar�00��# Copyright (C) 2003-2007 John Rochester <john@jrochester.org> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ SSH Agent interface """ import os import socket import struct import sys import threading import time import tempfile import stat from logging import DEBUG from select import select from paramiko.common import io_sleep, byte_chr from paramiko.ssh_exception import SSHException, AuthenticationException from paramiko.message import Message from paramiko.pkey import PKey, UnknownKeyType from paramiko.util import asbytes, get_logger cSSH2_AGENTC_REQUEST_IDENTITIES = byte_chr(11) SSH2_AGENT_IDENTITIES_ANSWER = 12 cSSH2_AGENTC_SIGN_REQUEST = byte_chr(13) SSH2_AGENT_SIGN_RESPONSE = 14 SSH_AGENT_RSA_SHA2_256 = 2 SSH_AGENT_RSA_SHA2_512 = 4 # NOTE: RFC mildly confusing; while these flags are OR'd together, OpenSSH at # least really treats them like "AND"s, in the sense that if it finds the # SHA256 flag set it won't continue looking at the SHA512 one; it # short-circuits right away. # Thus, we never want to eg submit 6 to say "either's good". ALGORITHM_FLAG_MAP = { "rsa-sha2-256": SSH_AGENT_RSA_SHA2_256, "rsa-sha2-512": SSH_AGENT_RSA_SHA2_512, } for key, value in list(ALGORITHM_FLAG_MAP.items()): ALGORITHM_FLAG_MAP[f"{key}-cert-v01@openssh.com"] = value # TODO 4.0: rename all these - including making some of their methods public? class AgentSSH: def __init__(self): self._conn = None self._keys = () def get_keys(self): """ Return the list of keys available through the SSH agent, if any. If no SSH agent was running (or it couldn't be contacted), an empty list will be returned. This method performs no IO, just returns the list of keys retrieved when the connection was made. :return: a tuple of `.AgentKey` objects representing keys available on the SSH agent """ return self._keys def _connect(self, conn): self._conn = conn ptype, result = self._send_message(cSSH2_AGENTC_REQUEST_IDENTITIES) if ptype != SSH2_AGENT_IDENTITIES_ANSWER: raise SSHException("could not get keys from ssh-agent") keys = [] for i in range(result.get_int()): keys.append( AgentKey( agent=self, blob=result.get_binary(), comment=result.get_text(), ) ) self._keys = tuple(keys) def _close(self): if self._conn is not None: self._conn.close() self._conn = None self._keys = () def _send_message(self, msg): msg = asbytes(msg) self._conn.send(struct.pack(">I", len(msg)) + msg) data = self._read_all(4) msg = Message(self._read_all(struct.unpack(">I", data)[0])) return ord(msg.get_byte()), msg def _read_all(self, wanted): result = self._conn.recv(wanted) while len(result) < wanted: if len(result) == 0: raise SSHException("lost ssh-agent") extra = self._conn.recv(wanted - len(result)) if len(extra) == 0: raise SSHException("lost ssh-agent") result += extra return result class AgentProxyThread(threading.Thread): """ Class in charge of communication between two channels. """ def __init__(self, agent): threading.Thread.__init__(self, target=self.run) self._agent = agent self._exit = False def run(self): try: (r, addr) = self.get_connection() # Found that r should be either # a socket from the socket library or None self.__inr = r # The address should be an IP address as a string? or None self.__addr = addr self._agent.connect() if not isinstance(self._agent, int) and ( self._agent._conn is None or not hasattr(self._agent._conn, "fileno") ): raise AuthenticationException("Unable to connect to SSH agent") self._communicate() except: # XXX Not sure what to do here ... raise or pass ? raise def _communicate(self): import fcntl oldflags = fcntl.fcntl(self.__inr, fcntl.F_GETFL) fcntl.fcntl(self.__inr, fcntl.F_SETFL, oldflags \| os.O_NONBLOCK) while not self._exit: events = select([self._agent._conn, self.__inr], [], [], 0.5) for fd in events[0]: if self._agent._conn == fd: data = self._agent._conn.recv(512) if len(data) != 0: self.__inr.send(data) else: self._close() break elif self.__inr == fd: data = self.__inr.recv(512) if len(data) != 0: self._agent._conn.send(data) else: self._close() break time.sleep(io_sleep) def _close(self): self._exit = True self.__inr.close() self._agent._conn.close() class AgentLocalProxy(AgentProxyThread): """ Class to be used when wanting to ask a local SSH Agent being asked from a remote fake agent (so use a unix socket for ex.) """ def __init__(self, agent): AgentProxyThread.__init__(self, agent) def get_connection(self): """ Return a pair of socket object and string address. May block! """ conn = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) try: conn.bind(self._agent._get_filename()) conn.listen(1) (r, addr) = conn.accept() return r, addr except: raise class AgentRemoteProxy(AgentProxyThread): """ Class to be used when wanting to ask a remote SSH Agent """ def __init__(self, agent, chan): AgentProxyThread.__init__(self, agent) self.__chan = chan def get_connection(self): return self.__chan, None def get_agent_connection(): """ Returns some SSH agent object, or None if none were found/supported. .. versionadded:: 2.10 """ if ("SSH_AUTH_SOCK" in os.environ) and (sys.platform != "win32"): conn = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) try: conn.connect(os.environ["SSH_AUTH_SOCK"]) return conn except: # probably a dangling env var: the ssh agent is gone return elif sys.platform == "win32": from . import win_pageant, win_openssh conn = None if win_pageant.can_talk_to_agent(): conn = win_pageant.PageantConnection() elif win_openssh.can_talk_to_agent(): conn = win_openssh.OpenSSHAgentConnection() return conn else: # no agent support return class AgentClientProxy: """ Class proxying request as a client: #. client ask for a request_forward_agent() #. server creates a proxy and a fake SSH Agent #. server ask for establishing a connection when needed, calling the forward_agent_handler at client side. #. the forward_agent_handler launch a thread for connecting the remote fake agent and the local agent #. Communication occurs ... """ def __init__(self, chanRemote): self._conn = None self.__chanR = chanRemote self.thread = AgentRemoteProxy(self, chanRemote) self.thread.start() def __del__(self): self.close() def connect(self): """ Method automatically called by ``AgentProxyThread.run``. """ conn = get_agent_connection() if not conn: return self._conn = conn def close(self): """ Close the current connection and terminate the agent Should be called manually """ if hasattr(self, "thread"): self.thread._exit = True self.thread.join(1000) if self._conn is not None: self._conn.close() class AgentServerProxy(AgentSSH): """ Allows an SSH server to access a forwarded agent. This also creates a unix domain socket on the system to allow external programs to also access the agent. For this reason, you probably only want to create one of these. :meth:`connect` must be called before it is usable. This will also load the list of keys the agent contains. You must also call :meth:`close` in order to clean up the unix socket and the thread that maintains it. (:class:`contextlib.closing` might be helpful to you.) :param .Transport t: Transport used for SSH Agent communication forwarding :raises: `.SSHException` -- mostly if we lost the agent """ def __init__(self, t): AgentSSH.__init__(self) self.__t = t self._dir = tempfile.mkdtemp("sshproxy") os.chmod(self._dir, stat.S_IRWXU) self._file = self._dir + "/sshproxy.ssh" self.thread = AgentLocalProxy(self) self.thread.start() def __del__(self): self.close() def connect(self): conn_sock = self.__t.open_forward_agent_channel() if conn_sock is None: raise SSHException("lost ssh-agent") conn_sock.set_name("auth-agent") self._connect(conn_sock) def close(self): """ Terminate the agent, clean the files, close connections Should be called manually """ os.remove(self._file) os.rmdir(self._dir) self.thread._exit = True self.thread.join(1000) self._close() def get_env(self): """ Helper for the environment under unix :return: a dict containing the ``SSH_AUTH_SOCK`` environment variables """ return {"SSH_AUTH_SOCK": self._get_filename()} def _get_filename(self): return self._file class AgentRequestHandler: """ Primary/default implementation of SSH agent forwarding functionality. Simply instantiate this class, handing it a live command-executing session object, and it will handle forwarding any local SSH agent processes it finds. For example:: # Connect client = SSHClient() client.connect(host, port, username) # Obtain session session = client.get_transport().open_session() # Forward local agent AgentRequestHandler(session) # Commands executed after this point will see the forwarded agent on # the remote end. session.exec_command("git clone https://my.git.repository/") """ def __init__(self, chanClient): self._conn = None self.__chanC = chanClient chanClient.request_forward_agent(self._forward_agent_handler) self.__clientProxys = [] def _forward_agent_handler(self, chanRemote): self.__clientProxys.append(AgentClientProxy(chanRemote)) def __del__(self): self.close() def close(self): for p in self.__clientProxys: p.close() class Agent(AgentSSH): """ Client interface for using private keys from an SSH agent running on the local machine. If an SSH agent is running, this class can be used to connect to it and retrieve `.PKey` objects which can be used when attempting to authenticate to remote SSH servers. Upon initialization, a session with the local machine's SSH agent is opened, if one is running. If no agent is running, initialization will succeed, but `get_keys` will return an empty tuple. :raises: `.SSHException` -- if an SSH agent is found, but speaks an incompatible protocol .. versionchanged:: 2.10 Added support for native openssh agent on windows (extending previous putty pageant support) """ def __init__(self): AgentSSH.__init__(self) conn = get_agent_connection() if not conn: return self._connect(conn) def close(self): """ Close the SSH agent connection. """ self._close() class AgentKey(PKey): """ Private key held in a local SSH agent. This type of key can be used for authenticating to a remote server (signing). Most other key operations work as expected. .. versionchanged:: 3.2 Added the ``comment`` kwarg and attribute. .. versionchanged:: 3.2 Added the ``.inner_key`` attribute holding a reference to the 'real' key instance this key is a proxy for, if one was obtainable, else None. """ def __init__(self, agent, blob, comment=""): self.agent = agent self.blob = blob self.comment = comment msg = Message(blob) self.name = msg.get_text() self._logger = get_logger(__file__) self.inner_key = None try: self.inner_key = PKey.from_type_string( key_type=self.name, key_bytes=blob ) except UnknownKeyType: # Log, but don't explode, since inner_key is a best-effort thing. err = "Unable to derive inner_key for agent key of type {!r}" self.log(DEBUG, err.format(self.name)) def log(self, args, kwargs): return self._logger.log(args, *kwargs) def asbytes(self): # Prefer inner_key.asbytes, since that will differ for eg RSA-CERT return self.inner_key.asbytes() if self.inner_key else self.blob def get_name(self): return self.name def get_bits(self): # Have to work around PKey's default get_bits being crap if self.inner_key is not None: return self.inner_key.get_bits() return super().get_bits() def __getattr__(self, name): """ Proxy any un-implemented methods/properties to the inner_key. """ if self.inner_key is None: # nothing to proxy to raise AttributeError(name) return getattr(self.inner_key, name) @property def _fields(self): fallback = [self.get_name(), self.blob] return self.inner_key._fields if self.inner_key else fallback def sign_ssh_data(self, data, algorithm=None): msg = Message() msg.add_byte(cSSH2_AGENTC_SIGN_REQUEST) # NOTE: this used to be just self.blob, which is not entirely right for # RSA-CERT 'keys' - those end up always degrading to ssh-rsa type # signatures, for reasons probably internal to OpenSSH's agent code, # even if everything else wants SHA2 (including our flag map). msg.add_string(self.asbytes()) msg.add_string(data) msg.add_int(ALGORITHM_FLAG_MAP.get(algorithm, 0)) ptype, result = self.agent._send_message(msg) if ptype != SSH2_AGENT_SIGN_RESPONSE: raise SSHException("key cannot be used for signing") return result.get_binary() ��sftp.py��0000644��00000014507�15030210772�0006076 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. import select import socket import struct from paramiko import util from paramiko.common import DEBUG, byte_chr, byte_ord from paramiko.message import Message ( CMD_INIT, CMD_VERSION, CMD_OPEN, CMD_CLOSE, CMD_READ, CMD_WRITE, CMD_LSTAT, CMD_FSTAT, CMD_SETSTAT, CMD_FSETSTAT, CMD_OPENDIR, CMD_READDIR, CMD_REMOVE, CMD_MKDIR, CMD_RMDIR, CMD_REALPATH, CMD_STAT, CMD_RENAME, CMD_READLINK, CMD_SYMLINK, ) = range(1, 21) (CMD_STATUS, CMD_HANDLE, CMD_DATA, CMD_NAME, CMD_ATTRS) = range(101, 106) (CMD_EXTENDED, CMD_EXTENDED_REPLY) = range(200, 202) SFTP_OK = 0 ( SFTP_EOF, SFTP_NO_SUCH_FILE, SFTP_PERMISSION_DENIED, SFTP_FAILURE, SFTP_BAD_MESSAGE, SFTP_NO_CONNECTION, SFTP_CONNECTION_LOST, SFTP_OP_UNSUPPORTED, ) = range(1, 9) SFTP_DESC = [ "Success", "End of file", "No such file", "Permission denied", "Failure", "Bad message", "No connection", "Connection lost", "Operation unsupported", ] SFTP_FLAG_READ = 0x1 SFTP_FLAG_WRITE = 0x2 SFTP_FLAG_APPEND = 0x4 SFTP_FLAG_CREATE = 0x8 SFTP_FLAG_TRUNC = 0x10 SFTP_FLAG_EXCL = 0x20 _VERSION = 3 # for debugging CMD_NAMES = { CMD_INIT: "init", CMD_VERSION: "version", CMD_OPEN: "open", CMD_CLOSE: "close", CMD_READ: "read", CMD_WRITE: "write", CMD_LSTAT: "lstat", CMD_FSTAT: "fstat", CMD_SETSTAT: "setstat", CMD_FSETSTAT: "fsetstat", CMD_OPENDIR: "opendir", CMD_READDIR: "readdir", CMD_REMOVE: "remove", CMD_MKDIR: "mkdir", CMD_RMDIR: "rmdir", CMD_REALPATH: "realpath", CMD_STAT: "stat", CMD_RENAME: "rename", CMD_READLINK: "readlink", CMD_SYMLINK: "symlink", CMD_STATUS: "status", CMD_HANDLE: "handle", CMD_DATA: "data", CMD_NAME: "name", CMD_ATTRS: "attrs", CMD_EXTENDED: "extended", CMD_EXTENDED_REPLY: "extended_reply", } # TODO: rewrite SFTP file/server modules' overly-flexible "make a request with # xyz components" so we don't need this very silly method of signaling whether # a given Python integer should be 32- or 64-bit. # NOTE: this only became an issue when dropping Python 2 support; prior to # doing so, we had to support actual-longs, which served as that signal. This # is simply recreating that structure in a more tightly scoped fashion. class int64(int): pass class SFTPError(Exception): pass class BaseSFTP: def __init__(self): self.logger = util.get_logger("paramiko.sftp") self.sock = None self.ultra_debug = False # ...internals... def _send_version(self): m = Message() m.add_int(_VERSION) self._send_packet(CMD_INIT, m) t, data = self._read_packet() if t != CMD_VERSION: raise SFTPError("Incompatible sftp protocol") version = struct.unpack(">I", data[:4])[0] # if version != _VERSION: # raise SFTPError('Incompatible sftp protocol') return version def _send_server_version(self): # winscp will freak out if the server sends version info before the # client finishes sending INIT. t, data = self._read_packet() if t != CMD_INIT: raise SFTPError("Incompatible sftp protocol") version = struct.unpack(">I", data[:4])[0] # advertise that we support "check-file" extension_pairs = ["check-file", "md5,sha1"] msg = Message() msg.add_int(_VERSION) msg.add(extension_pairs) self._send_packet(CMD_VERSION, msg) return version def _log(self, level, msg, args): self.logger.log(level, msg, args) def _write_all(self, out): while len(out) > 0: n = self.sock.send(out) if n <= 0: raise EOFError() if n == len(out): return out = out[n:] return def _read_all(self, n): out = bytes() while n > 0: if isinstance(self.sock, socket.socket): # sometimes sftp is used directly over a socket instead of # through a paramiko channel. in this case, check periodically # if the socket is closed. (for some reason, recv() won't ever # return or raise an exception, but calling select on a closed # socket will.) while True: read, write, err = select.select([self.sock], [], [], 0.1) if len(read) > 0: x = self.sock.recv(n) break else: x = self.sock.recv(n) if len(x) == 0: raise EOFError() out += x n -= len(x) return out def _send_packet(self, t, packet): packet = packet.asbytes() out = struct.pack(">I", len(packet) + 1) + byte_chr(t) + packet if self.ultra_debug: self._log(DEBUG, util.format_binary(out, "OUT: ")) self._write_all(out) def _read_packet(self): x = self._read_all(4) # most sftp servers won't accept packets larger than about 32k, so # anything with the high byte set (> 16MB) is just garbage. if byte_ord(x[0]): raise SFTPError("Garbage packet received") size = struct.unpack(">I", x)[0] data = self._read_all(size) if self.ultra_debug: self._log(DEBUG, util.format_binary(data, "IN: ")) if size > 0: t = byte_ord(data[0]) return t, data[1:] return 0, bytes() ��channel.py��0000644��00000140047�15030210772�0006531 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Abstraction for an SSH2 channel. """ import binascii import os import socket import time import threading from functools import wraps from paramiko import util from paramiko.common import ( cMSG_CHANNEL_REQUEST, cMSG_CHANNEL_WINDOW_ADJUST, cMSG_CHANNEL_DATA, cMSG_CHANNEL_EXTENDED_DATA, DEBUG, ERROR, cMSG_CHANNEL_SUCCESS, cMSG_CHANNEL_FAILURE, cMSG_CHANNEL_EOF, cMSG_CHANNEL_CLOSE, ) from paramiko.message import Message from paramiko.ssh_exception import SSHException from paramiko.file import BufferedFile from paramiko.buffered_pipe import BufferedPipe, PipeTimeout from paramiko import pipe from paramiko.util import ClosingContextManager def open_only(func): """ Decorator for `.Channel` methods which performs an openness check. :raises: `.SSHException` -- If the wrapped method is called on an unopened `.Channel`. """ @wraps(func) def _check(self, args, kwds): if ( self.closed or self.eof_received or self.eof_sent or not self.active ): raise SSHException("Channel is not open") return func(self, args, *kwds) return _check class Channel(ClosingContextManager): """ A secure tunnel across an SSH `.Transport`. A Channel is meant to behave like a socket, and has an API that should be indistinguishable from the Python socket API. Because SSH2 has a windowing kind of flow control, if you stop reading data from a Channel and its buffer fills up, the server will be unable to send you any more data until you read some of it. (This won't affect other channels on the same transport -- all channels on a single transport are flow-controlled independently.) Similarly, if the server isn't reading data you send, calls to `send` may block, unless you set a timeout. This is exactly like a normal network socket, so it shouldn't be too surprising. Instances of this class may be used as context managers. """ def __init__(self, chanid): """ Create a new channel. The channel is not associated with any particular session or `.Transport` until the Transport attaches it. Normally you would only call this method from the constructor of a subclass of `.Channel`. :param int chanid: the ID of this channel, as passed by an existing `.Transport`. """ #: Channel ID self.chanid = chanid #: Remote channel ID self.remote_chanid = 0 #: `.Transport` managing this channel self.transport = None #: Whether the connection is presently active self.active = False self.eof_received = 0 self.eof_sent = 0 self.in_buffer = BufferedPipe() self.in_stderr_buffer = BufferedPipe() self.timeout = None #: Whether the connection has been closed self.closed = False self.ultra_debug = False self.lock = threading.Lock() self.out_buffer_cv = threading.Condition(self.lock) self.in_window_size = 0 self.out_window_size = 0 self.in_max_packet_size = 0 self.out_max_packet_size = 0 self.in_window_threshold = 0 self.in_window_sofar = 0 self.status_event = threading.Event() self._name = str(chanid) self.logger = util.get_logger("paramiko.transport") self._pipe = None self.event = threading.Event() self.event_ready = False self.combine_stderr = False self.exit_status = -1 self.origin_addr = None def __del__(self): try: self.close() except: pass def __repr__(self): """ Return a string representation of this object, for debugging. """ out = "<paramiko.Channel {}".format(self.chanid) if self.closed: out += " (closed)" elif self.active: if self.eof_received: out += " (EOF received)" if self.eof_sent: out += " (EOF sent)" out += " (open) window={}".format(self.out_window_size) if len(self.in_buffer) > 0: out += " in-buffer={}".format(len(self.in_buffer)) out += " -> " + repr(self.transport) out += ">" return out @open_only def get_pty( self, term="vt100", width=80, height=24, width_pixels=0, height_pixels=0, ): """ Request a pseudo-terminal from the server. This is usually used right after creating a client channel, to ask the server to provide some basic terminal semantics for a shell invoked with `invoke_shell`. It isn't necessary (or desirable) to call this method if you're going to execute a single command with `exec_command`. :param str term: the terminal type to emulate (for example, ``'vt100'``) :param int width: width (in characters) of the terminal screen :param int height: height (in characters) of the terminal screen :param int width_pixels: width (in pixels) of the terminal screen :param int height_pixels: height (in pixels) of the terminal screen :raises: `.SSHException` -- if the request was rejected or the channel was closed """ m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("pty-req") m.add_boolean(True) m.add_string(term) m.add_int(width) m.add_int(height) m.add_int(width_pixels) m.add_int(height_pixels) m.add_string(bytes()) self._event_pending() self.transport._send_user_message(m) self._wait_for_event() @open_only def invoke_shell(self): """ Request an interactive shell session on this channel. If the server allows it, the channel will then be directly connected to the stdin, stdout, and stderr of the shell. Normally you would call `get_pty` before this, in which case the shell will operate through the pty, and the channel will be connected to the stdin and stdout of the pty. When the shell exits, the channel will be closed and can't be reused. You must open a new channel if you wish to open another shell. :raises: `.SSHException` -- if the request was rejected or the channel was closed """ m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("shell") m.add_boolean(True) self._event_pending() self.transport._send_user_message(m) self._wait_for_event() @open_only def exec_command(self, command): """ Execute a command on the server. If the server allows it, the channel will then be directly connected to the stdin, stdout, and stderr of the command being executed. When the command finishes executing, the channel will be closed and can't be reused. You must open a new channel if you wish to execute another command. :param str command: a shell command to execute. :raises: `.SSHException` -- if the request was rejected or the channel was closed """ m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("exec") m.add_boolean(True) m.add_string(command) self._event_pending() self.transport._send_user_message(m) self._wait_for_event() @open_only def invoke_subsystem(self, subsystem): """ Request a subsystem on the server (for example, ``sftp``). If the server allows it, the channel will then be directly connected to the requested subsystem. When the subsystem finishes, the channel will be closed and can't be reused. :param str subsystem: name of the subsystem being requested. :raises: `.SSHException` -- if the request was rejected or the channel was closed """ m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("subsystem") m.add_boolean(True) m.add_string(subsystem) self._event_pending() self.transport._send_user_message(m) self._wait_for_event() @open_only def resize_pty(self, width=80, height=24, width_pixels=0, height_pixels=0): """ Resize the pseudo-terminal. This can be used to change the width and height of the terminal emulation created in a previous `get_pty` call. :param int width: new width (in characters) of the terminal screen :param int height: new height (in characters) of the terminal screen :param int width_pixels: new width (in pixels) of the terminal screen :param int height_pixels: new height (in pixels) of the terminal screen :raises: `.SSHException` -- if the request was rejected or the channel was closed """ m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("window-change") m.add_boolean(False) m.add_int(width) m.add_int(height) m.add_int(width_pixels) m.add_int(height_pixels) self.transport._send_user_message(m) @open_only def update_environment(self, environment): """ Updates this channel's remote shell environment. .. note:: This operation is additive - i.e. the current environment is not reset before the given environment variables are set. .. warning:: Servers may silently reject some environment variables; see the warning in `set_environment_variable` for details. :param dict environment: a dictionary containing the name and respective values to set :raises: `.SSHException` -- if any of the environment variables was rejected by the server or the channel was closed """ for name, value in environment.items(): try: self.set_environment_variable(name, value) except SSHException as e: err = 'Failed to set environment variable "{}".' raise SSHException(err.format(name), e) @open_only def set_environment_variable(self, name, value): """ Set the value of an environment variable. .. warning:: The server may reject this request depending on its ``AcceptEnv`` setting; such rejections will fail silently (which is common client practice for this particular request type). Make sure you understand your server's configuration before using! :param str name: name of the environment variable :param str value: value of the environment variable :raises: `.SSHException` -- if the request was rejected or the channel was closed """ m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("env") m.add_boolean(False) m.add_string(name) m.add_string(value) self.transport._send_user_message(m) def exit_status_ready(self): """ Return true if the remote process has exited and returned an exit status. You may use this to poll the process status if you don't want to block in `recv_exit_status`. Note that the server may not return an exit status in some cases (like bad servers). :return: ``True`` if `recv_exit_status` will return immediately, else ``False``. .. versionadded:: 1.7.3 """ return self.closed or self.status_event.is_set() def recv_exit_status(self): """ Return the exit status from the process on the server. This is mostly useful for retrieving the results of an `exec_command`. If the command hasn't finished yet, this method will wait until it does, or until the channel is closed. If no exit status is provided by the server, -1 is returned. .. warning:: In some situations, receiving remote output larger than the current `.Transport` or session's ``window_size`` (e.g. that set by the ``default_window_size`` kwarg for `.Transport.__init__`) will cause `.recv_exit_status` to hang indefinitely if it is called prior to a sufficiently large `.Channel.recv` (or if there are no threads calling `.Channel.recv` in the background). In these cases, ensuring that `.recv_exit_status` is called after* `.Channel.recv` (or, again, using threads) can avoid the hang. :return: the exit code (as an `int`) of the process on the server. .. versionadded:: 1.2 """ self.status_event.wait() assert self.status_event.is_set() return self.exit_status def send_exit_status(self, status): """ Send the exit status of an executed command to the client. (This really only makes sense in server mode.) Many clients expect to get some sort of status code back from an executed command after it completes. :param int status: the exit code of the process .. versionadded:: 1.2 """ # in many cases, the channel will not still be open here. # that's fine. m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("exit-status") m.add_boolean(False) m.add_int(status) self.transport._send_user_message(m) @open_only def request_x11( self, screen_number=0, auth_protocol=None, auth_cookie=None, single_connection=False, handler=None, ): """ Request an x11 session on this channel. If the server allows it, further x11 requests can be made from the server to the client, when an x11 application is run in a shell session. From :rfc:`4254`:: It is RECOMMENDED that the 'x11 authentication cookie' that is sent be a fake, random cookie, and that the cookie be checked and replaced by the real cookie when a connection request is received. If you omit the auth_cookie, a new secure random 128-bit value will be generated, used, and returned. You will need to use this value to verify incoming x11 requests and replace them with the actual local x11 cookie (which requires some knowledge of the x11 protocol). If a handler is passed in, the handler is called from another thread whenever a new x11 connection arrives. The default handler queues up incoming x11 connections, which may be retrieved using `.Transport.accept`. The handler's calling signature is:: handler(channel: Channel, (address: str, port: int)) :param int screen_number: the x11 screen number (0, 10, etc.) :param str auth_protocol: the name of the X11 authentication method used; if none is given, ``"MIT-MAGIC-COOKIE-1"`` is used :param str auth_cookie: hexadecimal string containing the x11 auth cookie; if none is given, a secure random 128-bit value is generated :param bool single_connection: if True, only a single x11 connection will be forwarded (by default, any number of x11 connections can arrive over this session) :param handler: an optional callable handler to use for incoming X11 connections :return: the auth_cookie used """ if auth_protocol is None: auth_protocol = "MIT-MAGIC-COOKIE-1" if auth_cookie is None: auth_cookie = binascii.hexlify(os.urandom(16)) m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("x11-req") m.add_boolean(True) m.add_boolean(single_connection) m.add_string(auth_protocol) m.add_string(auth_cookie) m.add_int(screen_number) self._event_pending() self.transport._send_user_message(m) self._wait_for_event() self.transport._set_x11_handler(handler) return auth_cookie @open_only def request_forward_agent(self, handler): """ Request for a forward SSH Agent on this channel. This is only valid for an ssh-agent from OpenSSH !!! :param handler: a required callable handler to use for incoming SSH Agent connections :return: True if we are ok, else False (at that time we always return ok) :raises: SSHException in case of channel problem. """ m = Message() m.add_byte(cMSG_CHANNEL_REQUEST) m.add_int(self.remote_chanid) m.add_string("auth-agent-req@openssh.com") m.add_boolean(False) self.transport._send_user_message(m) self.transport._set_forward_agent_handler(handler) return True def get_transport(self): """ Return the `.Transport` associated with this channel. """ return self.transport def set_name(self, name): """ Set a name for this channel. Currently it's only used to set the name of the channel in logfile entries. The name can be fetched with the `get_name` method. :param str name: new channel name """ self._name = name def get_name(self): """ Get the name of this channel that was previously set by `set_name`. """ return self._name def get_id(self): """ Return the `int` ID # for this channel. The channel ID is unique across a `.Transport` and usually a small number. It's also the number passed to `.ServerInterface.check_channel_request` when determining whether to accept a channel request in server mode. """ return self.chanid def set_combine_stderr(self, combine): """ Set whether stderr should be combined into stdout on this channel. The default is ``False``, but in some cases it may be convenient to have both streams combined. If this is ``False``, and `exec_command` is called (or ``invoke_shell`` with no pty), output to stderr will not show up through the `recv` and `recv_ready` calls. You will have to use `recv_stderr` and `recv_stderr_ready` to get stderr output. If this is ``True``, data will never show up via `recv_stderr` or `recv_stderr_ready`. :param bool combine: ``True`` if stderr output should be combined into stdout on this channel. :return: the previous setting (a `bool`). .. versionadded:: 1.1 """ data = bytes() self.lock.acquire() try: old = self.combine_stderr self.combine_stderr = combine if combine and not old: # copy old stderr buffer into primary buffer data = self.in_stderr_buffer.empty() finally: self.lock.release() if len(data) > 0: self._feed(data) return old # ...socket API... def settimeout(self, timeout): """ Set a timeout on blocking read/write operations. The ``timeout`` argument can be a nonnegative float expressing seconds, or ``None``. If a float is given, subsequent channel read/write operations will raise a timeout exception if the timeout period value has elapsed before the operation has completed. Setting a timeout of ``None`` disables timeouts on socket operations. ``chan.settimeout(0.0)`` is equivalent to ``chan.setblocking(0)``; ``chan.settimeout(None)`` is equivalent to ``chan.setblocking(1)``. :param float timeout: seconds to wait for a pending read/write operation before raising ``socket.timeout``, or ``None`` for no timeout. """ self.timeout = timeout def gettimeout(self): """ Returns the timeout in seconds (as a float) associated with socket operations, or ``None`` if no timeout is set. This reflects the last call to `setblocking` or `settimeout`. """ return self.timeout def setblocking(self, blocking): """ Set blocking or non-blocking mode of the channel: if ``blocking`` is 0, the channel is set to non-blocking mode; otherwise it's set to blocking mode. Initially all channels are in blocking mode. In non-blocking mode, if a `recv` call doesn't find any data, or if a `send` call can't immediately dispose of the data, an error exception is raised. In blocking mode, the calls block until they can proceed. An EOF condition is considered "immediate data" for `recv`, so if the channel is closed in the read direction, it will never block. ``chan.setblocking(0)`` is equivalent to ``chan.settimeout(0)``; ``chan.setblocking(1)`` is equivalent to ``chan.settimeout(None)``. :param int blocking: 0 to set non-blocking mode; non-0 to set blocking mode. """ if blocking: self.settimeout(None) else: self.settimeout(0.0) def getpeername(self): """ Return the address of the remote side of this Channel, if possible. This simply wraps `.Transport.getpeername`, used to provide enough of a socket-like interface to allow asyncore to work. (asyncore likes to call ``'getpeername'``.) """ return self.transport.getpeername() def close(self): """ Close the channel. All future read/write operations on the channel will fail. The remote end will receive no more data (after queued data is flushed). Channels are automatically closed when their `.Transport` is closed or when they are garbage collected. """ self.lock.acquire() try: # only close the pipe when the user explicitly closes the channel. # otherwise they will get unpleasant surprises. (and do it before # checking self.closed, since the remote host may have already # closed the connection.) if self._pipe is not None: self._pipe.close() self._pipe = None if not self.active or self.closed: return msgs = self._close_internal() finally: self.lock.release() for m in msgs: if m is not None: self.transport._send_user_message(m) def recv_ready(self): """ Returns true if data is buffered and ready to be read from this channel. A ``False`` result does not mean that the channel has closed; it means you may need to wait before more data arrives. :return: ``True`` if a `recv` call on this channel would immediately return at least one byte; ``False`` otherwise. """ return self.in_buffer.read_ready() def recv(self, nbytes): """ Receive data from the channel. The return value is a string representing the data received. The maximum amount of data to be received at once is specified by ``nbytes``. If a string of length zero is returned, the channel stream has closed. :param int nbytes: maximum number of bytes to read. :return: received data, as a `bytes`. :raises socket.timeout: if no data is ready before the timeout set by `settimeout`. """ try: out = self.in_buffer.read(nbytes, self.timeout) except PipeTimeout: raise socket.timeout() ack = self._check_add_window(len(out)) # no need to hold the channel lock when sending this if ack > 0: m = Message() m.add_byte(cMSG_CHANNEL_WINDOW_ADJUST) m.add_int(self.remote_chanid) m.add_int(ack) self.transport._send_user_message(m) return out def recv_stderr_ready(self): """ Returns true if data is buffered and ready to be read from this channel's stderr stream. Only channels using `exec_command` or `invoke_shell` without a pty will ever have data on the stderr stream. :return: ``True`` if a `recv_stderr` call on this channel would immediately return at least one byte; ``False`` otherwise. .. versionadded:: 1.1 """ return self.in_stderr_buffer.read_ready() def recv_stderr(self, nbytes): """ Receive data from the channel's stderr stream. Only channels using `exec_command` or `invoke_shell` without a pty will ever have data on the stderr stream. The return value is a string representing the data received. The maximum amount of data to be received at once is specified by ``nbytes``. If a string of length zero is returned, the channel stream has closed. :param int nbytes: maximum number of bytes to read. :return: received data as a `bytes` :raises socket.timeout: if no data is ready before the timeout set by `settimeout`. .. versionadded:: 1.1 """ try: out = self.in_stderr_buffer.read(nbytes, self.timeout) except PipeTimeout: raise socket.timeout() ack = self._check_add_window(len(out)) # no need to hold the channel lock when sending this if ack > 0: m = Message() m.add_byte(cMSG_CHANNEL_WINDOW_ADJUST) m.add_int(self.remote_chanid) m.add_int(ack) self.transport._send_user_message(m) return out def send_ready(self): """ Returns true if data can be written to this channel without blocking. This means the channel is either closed (so any write attempt would return immediately) or there is at least one byte of space in the outbound buffer. If there is at least one byte of space in the outbound buffer, a `send` call will succeed immediately and return the number of bytes actually written. :return: ``True`` if a `send` call on this channel would immediately succeed or fail """ self.lock.acquire() try: if self.closed or self.eof_sent: return True return self.out_window_size > 0 finally: self.lock.release() def send(self, s): """ Send data to the channel. Returns the number of bytes sent, or 0 if the channel stream is closed. Applications are responsible for checking that all data has been sent: if only some of the data was transmitted, the application needs to attempt delivery of the remaining data. :param bytes s: data to send :return: number of bytes actually sent, as an `int` :raises socket.timeout: if no data could be sent before the timeout set by `settimeout`. """ m = Message() m.add_byte(cMSG_CHANNEL_DATA) m.add_int(self.remote_chanid) return self._send(s, m) def send_stderr(self, s): """ Send data to the channel on the "stderr" stream. This is normally only used by servers to send output from shell commands -- clients won't use this. Returns the number of bytes sent, or 0 if the channel stream is closed. Applications are responsible for checking that all data has been sent: if only some of the data was transmitted, the application needs to attempt delivery of the remaining data. :param bytes s: data to send. :return: number of bytes actually sent, as an `int`. :raises socket.timeout: if no data could be sent before the timeout set by `settimeout`. .. versionadded:: 1.1 """ m = Message() m.add_byte(cMSG_CHANNEL_EXTENDED_DATA) m.add_int(self.remote_chanid) m.add_int(1) return self._send(s, m) def sendall(self, s): """ Send data to the channel, without allowing partial results. Unlike `send`, this method continues to send data from the given string until either all data has been sent or an error occurs. Nothing is returned. :param bytes s: data to send. :raises socket.timeout: if sending stalled for longer than the timeout set by `settimeout`. :raises socket.error: if an error occurred before the entire string was sent. .. note:: If the channel is closed while only part of the data has been sent, there is no way to determine how much data (if any) was sent. This is irritating, but identically follows Python's API. """ while s: sent = self.send(s) s = s[sent:] return None def sendall_stderr(self, s): """ Send data to the channel's "stderr" stream, without allowing partial results. Unlike `send_stderr`, this method continues to send data from the given bytestring until all data has been sent or an error occurs. Nothing is returned. :param bytes s: data to send to the client as "stderr" output. :raises socket.timeout: if sending stalled for longer than the timeout set by `settimeout`. :raises socket.error: if an error occurred before the entire string was sent. .. versionadded:: 1.1 """ while s: sent = self.send_stderr(s) s = s[sent:] return None def makefile(self, params): """ Return a file-like object associated with this channel. The optional ``mode`` and ``bufsize`` arguments are interpreted the same way as by the built-in ``file()`` function in Python. :return: `.ChannelFile` object which can be used for Python file I/O. """ return ChannelFile(([self] + list(params))) def makefile_stderr(self, params): """ Return a file-like object associated with this channel's stderr stream. Only channels using `exec_command` or `invoke_shell` without a pty will ever have data on the stderr stream. The optional ``mode`` and ``bufsize`` arguments are interpreted the same way as by the built-in ``file()`` function in Python. For a client, it only makes sense to open this file for reading. For a server, it only makes sense to open this file for writing. :returns: `.ChannelStderrFile` object which can be used for Python file I/O. .. versionadded:: 1.1 """ return ChannelStderrFile(([self] + list(params))) def makefile_stdin(self, params): """ Return a file-like object associated with this channel's stdin stream. The optional ``mode`` and ``bufsize`` arguments are interpreted the same way as by the built-in ``file()`` function in Python. For a client, it only makes sense to open this file for writing. For a server, it only makes sense to open this file for reading. :returns: `.ChannelStdinFile` object which can be used for Python file I/O. .. versionadded:: 2.6 """ return ChannelStdinFile(([self] + list(params))) def fileno(self): """ Returns an OS-level file descriptor which can be used for polling, but but not for reading or writing. This is primarily to allow Python's ``select`` module to work. The first time ``fileno`` is called on a channel, a pipe is created to simulate real OS-level file descriptor (FD) behavior. Because of this, two OS-level FDs are created, which will use up FDs faster than normal. (You won't notice this effect unless you have hundreds of channels open at the same time.) :return: an OS-level file descriptor (`int`) .. warning:: This method causes channel reads to be slightly less efficient. """ self.lock.acquire() try: if self._pipe is not None: return self._pipe.fileno() # create the pipe and feed in any existing data self._pipe = pipe.make_pipe() p1, p2 = pipe.make_or_pipe(self._pipe) self.in_buffer.set_event(p1) self.in_stderr_buffer.set_event(p2) return self._pipe.fileno() finally: self.lock.release() def shutdown(self, how): """ Shut down one or both halves of the connection. If ``how`` is 0, further receives are disallowed. If ``how`` is 1, further sends are disallowed. If ``how`` is 2, further sends and receives are disallowed. This closes the stream in one or both directions. :param int how: 0 (stop receiving), 1 (stop sending), or 2 (stop receiving and sending). """ if (how == 0) or (how == 2): # feign "read" shutdown self.eof_received = 1 if (how == 1) or (how == 2): self.lock.acquire() try: m = self._send_eof() finally: self.lock.release() if m is not None: self.transport._send_user_message(m) def shutdown_read(self): """ Shutdown the receiving side of this socket, closing the stream in the incoming direction. After this call, future reads on this channel will fail instantly. This is a convenience method, equivalent to ``shutdown(0)``, for people who don't make it a habit to memorize unix constants from the 1970s. .. versionadded:: 1.2 """ self.shutdown(0) def shutdown_write(self): """ Shutdown the sending side of this socket, closing the stream in the outgoing direction. After this call, future writes on this channel will fail instantly. This is a convenience method, equivalent to ``shutdown(1)``, for people who don't make it a habit to memorize unix constants from the 1970s. .. versionadded:: 1.2 """ self.shutdown(1) @property def _closed(self): # Concession to Python 3's socket API, which has a private ._closed # attribute instead of a semipublic .closed attribute. return self.closed # ...calls from Transport def _set_transport(self, transport): self.transport = transport self.logger = util.get_logger(self.transport.get_log_channel()) def _set_window(self, window_size, max_packet_size): self.in_window_size = window_size self.in_max_packet_size = max_packet_size # threshold of bytes we receive before we bother to send # a window update self.in_window_threshold = window_size // 10 self.in_window_sofar = 0 self._log(DEBUG, "Max packet in: {} bytes".format(max_packet_size)) def _set_remote_channel(self, chanid, window_size, max_packet_size): self.remote_chanid = chanid self.out_window_size = window_size self.out_max_packet_size = self.transport._sanitize_packet_size( max_packet_size ) self.active = 1 self._log( DEBUG, "Max packet out: {} bytes".format(self.out_max_packet_size) ) def _request_success(self, m): self._log(DEBUG, "Sesch channel {} request ok".format(self.chanid)) self.event_ready = True self.event.set() return def _request_failed(self, m): self.lock.acquire() try: msgs = self._close_internal() finally: self.lock.release() for m in msgs: if m is not None: self.transport._send_user_message(m) def _feed(self, m): if isinstance(m, bytes): # passed from _feed_extended s = m else: s = m.get_binary() self.in_buffer.feed(s) def _feed_extended(self, m): code = m.get_int() s = m.get_binary() if code != 1: self._log( ERROR, "unknown extended_data type {}; discarding".format(code) ) return if self.combine_stderr: self._feed(s) else: self.in_stderr_buffer.feed(s) def _window_adjust(self, m): nbytes = m.get_int() self.lock.acquire() try: if self.ultra_debug: self._log(DEBUG, "window up {}".format(nbytes)) self.out_window_size += nbytes self.out_buffer_cv.notify_all() finally: self.lock.release() def _handle_request(self, m): key = m.get_text() want_reply = m.get_boolean() server = self.transport.server_object ok = False if key == "exit-status": self.exit_status = m.get_int() self.status_event.set() ok = True elif key == "xon-xoff": # ignore ok = True elif key == "pty-req": term = m.get_string() width = m.get_int() height = m.get_int() pixelwidth = m.get_int() pixelheight = m.get_int() modes = m.get_string() if server is None: ok = False else: ok = server.check_channel_pty_request( self, term, width, height, pixelwidth, pixelheight, modes ) elif key == "shell": if server is None: ok = False else: ok = server.check_channel_shell_request(self) elif key == "env": name = m.get_string() value = m.get_string() if server is None: ok = False else: ok = server.check_channel_env_request(self, name, value) elif key == "exec": cmd = m.get_string() if server is None: ok = False else: ok = server.check_channel_exec_request(self, cmd) elif key == "subsystem": name = m.get_text() if server is None: ok = False else: ok = server.check_channel_subsystem_request(self, name) elif key == "window-change": width = m.get_int() height = m.get_int() pixelwidth = m.get_int() pixelheight = m.get_int() if server is None: ok = False else: ok = server.check_channel_window_change_request( self, width, height, pixelwidth, pixelheight ) elif key == "x11-req": single_connection = m.get_boolean() auth_proto = m.get_text() auth_cookie = m.get_binary() screen_number = m.get_int() if server is None: ok = False else: ok = server.check_channel_x11_request( self, single_connection, auth_proto, auth_cookie, screen_number, ) elif key == "auth-agent-req@openssh.com": if server is None: ok = False else: ok = server.check_channel_forward_agent_request(self) else: self._log(DEBUG, 'Unhandled channel request "{}"'.format(key)) ok = False if want_reply: m = Message() if ok: m.add_byte(cMSG_CHANNEL_SUCCESS) else: m.add_byte(cMSG_CHANNEL_FAILURE) m.add_int(self.remote_chanid) self.transport._send_user_message(m) def _handle_eof(self, m): self.lock.acquire() try: if not self.eof_received: self.eof_received = True self.in_buffer.close() self.in_stderr_buffer.close() if self._pipe is not None: self._pipe.set_forever() finally: self.lock.release() self._log(DEBUG, "EOF received ({})".format(self._name)) def _handle_close(self, m): self.lock.acquire() try: msgs = self._close_internal() self.transport._unlink_channel(self.chanid) finally: self.lock.release() for m in msgs: if m is not None: self.transport._send_user_message(m) # ...internals... def _send(self, s, m): size = len(s) self.lock.acquire() try: if self.closed: # this doesn't seem useful, but it is the documented behavior # of Socket raise socket.error("Socket is closed") size = self._wait_for_send_window(size) if size == 0: # eof or similar return 0 m.add_string(s[:size]) finally: self.lock.release() # Note: We release self.lock before calling _send_user_message. # Otherwise, we can deadlock during re-keying. self.transport._send_user_message(m) return size def _log(self, level, msg, args): self.logger.log(level, "[chan " + self._name + "] " + msg, args) def _event_pending(self): self.event.clear() self.event_ready = False def _wait_for_event(self): self.event.wait() assert self.event.is_set() if self.event_ready: return e = self.transport.get_exception() if e is None: e = SSHException("Channel closed.") raise e def _set_closed(self): # you are holding the lock. self.closed = True self.in_buffer.close() self.in_stderr_buffer.close() self.out_buffer_cv.notify_all() # Notify any waiters that we are closed self.event.set() self.status_event.set() if self._pipe is not None: self._pipe.set_forever() def _send_eof(self): # you are holding the lock. if self.eof_sent: return None m = Message() m.add_byte(cMSG_CHANNEL_EOF) m.add_int(self.remote_chanid) self.eof_sent = True self._log(DEBUG, "EOF sent ({})".format(self._name)) return m def _close_internal(self): # you are holding the lock. if not self.active or self.closed: return None, None m1 = self._send_eof() m2 = Message() m2.add_byte(cMSG_CHANNEL_CLOSE) m2.add_int(self.remote_chanid) self._set_closed() # can't unlink from the Transport yet -- the remote side may still # try to send meta-data (exit-status, etc) return m1, m2 def _unlink(self): # server connection could die before we become active: # still signal the close! if self.closed: return self.lock.acquire() try: self._set_closed() self.transport._unlink_channel(self.chanid) finally: self.lock.release() def _check_add_window(self, n): self.lock.acquire() try: if self.closed or self.eof_received or not self.active: return 0 if self.ultra_debug: self._log(DEBUG, "addwindow {}".format(n)) self.in_window_sofar += n if self.in_window_sofar <= self.in_window_threshold: return 0 if self.ultra_debug: self._log( DEBUG, "addwindow send {}".format(self.in_window_sofar) ) out = self.in_window_sofar self.in_window_sofar = 0 return out finally: self.lock.release() def _wait_for_send_window(self, size): """ (You are already holding the lock.) Wait for the send window to open up, and allocate up to ``size`` bytes for transmission. If no space opens up before the timeout, a timeout exception is raised. Returns the number of bytes available to send (may be less than requested). """ # you are already holding the lock if self.closed or self.eof_sent: return 0 if self.out_window_size == 0: # should we block? if self.timeout == 0.0: raise socket.timeout() # loop here in case we get woken up but a different thread has # filled the buffer timeout = self.timeout while self.out_window_size == 0: if self.closed or self.eof_sent: return 0 then = time.time() self.out_buffer_cv.wait(timeout) if timeout is not None: timeout -= time.time() - then if timeout <= 0.0: raise socket.timeout() # we have some window to squeeze into if self.closed or self.eof_sent: return 0 if self.out_window_size < size: size = self.out_window_size if self.out_max_packet_size - 64 < size: size = self.out_max_packet_size - 64 self.out_window_size -= size if self.ultra_debug: self._log(DEBUG, "window down to {}".format(self.out_window_size)) return size class ChannelFile(BufferedFile): """ A file-like wrapper around `.Channel`. A ChannelFile is created by calling `Channel.makefile`. .. warning:: To correctly emulate the file object created from a socket's `makefile <python:socket.socket.makefile>` method, a `.Channel` and its `.ChannelFile` should be able to be closed or garbage-collected independently. Currently, closing the `ChannelFile` does nothing but flush the buffer. """ def __init__(self, channel, mode="r", bufsize=-1): self.channel = channel BufferedFile.__init__(self) self._set_mode(mode, bufsize) def __repr__(self): """ Returns a string representation of this object, for debugging. """ return "<paramiko.ChannelFile from " + repr(self.channel) + ">" def _read(self, size): return self.channel.recv(size) def _write(self, data): self.channel.sendall(data) return len(data) class ChannelStderrFile(ChannelFile): """ A file-like wrapper around `.Channel` stderr. See `Channel.makefile_stderr` for details. """ def _read(self, size): return self.channel.recv_stderr(size) def _write(self, data): self.channel.sendall_stderr(data) return len(data) class ChannelStdinFile(ChannelFile): """ A file-like wrapper around `.Channel` stdin. See `Channel.makefile_stdin` for details. """ def close(self): super().close() self.channel.shutdown_write() ��_winapi.py��0000644��00000025704�15030210772�0006551 0��ustar�00��""" Windows API functions implemented as ctypes functions and classes as found in jaraco.windows (3.4.1). If you encounter issues with this module, please consider reporting the issues in jaraco.windows and asking the author to port the fixes back here. """ import builtins import ctypes.wintypes from paramiko.util import u ###################### # jaraco.windows.error def format_system_message(errno): """ Call FormatMessage with a system error number to retrieve the descriptive error message. """ # first some flags used by FormatMessageW ALLOCATE_BUFFER = 0x100 FROM_SYSTEM = 0x1000 # Let FormatMessageW allocate the buffer (we'll free it below) # Also, let it know we want a system error message. flags = ALLOCATE_BUFFER \| FROM_SYSTEM source = None message_id = errno language_id = 0 result_buffer = ctypes.wintypes.LPWSTR() buffer_size = 0 arguments = None bytes = ctypes.windll.kernel32.FormatMessageW( flags, source, message_id, language_id, ctypes.byref(result_buffer), buffer_size, arguments, ) # note the following will cause an infinite loop if GetLastError # repeatedly returns an error that cannot be formatted, although # this should not happen. handle_nonzero_success(bytes) message = result_buffer.value ctypes.windll.kernel32.LocalFree(result_buffer) return message class WindowsError(builtins.WindowsError): """more info about errors at http://msdn.microsoft.com/en-us/library/ms681381(VS.85).aspx""" def __init__(self, value=None): if value is None: value = ctypes.windll.kernel32.GetLastError() strerror = format_system_message(value) args = 0, strerror, None, value super().__init__(args) @property def message(self): return self.strerror @property def code(self): return self.winerror def __str__(self): return self.message def __repr__(self): return "{self.__class__.__name__}({self.winerror})".format(vars()) def handle_nonzero_success(result): if result == 0: raise WindowsError() ########################### # jaraco.windows.api.memory GMEM_MOVEABLE = 0x2 GlobalAlloc = ctypes.windll.kernel32.GlobalAlloc GlobalAlloc.argtypes = ctypes.wintypes.UINT, ctypes.c_size_t GlobalAlloc.restype = ctypes.wintypes.HANDLE GlobalLock = ctypes.windll.kernel32.GlobalLock GlobalLock.argtypes = (ctypes.wintypes.HGLOBAL,) GlobalLock.restype = ctypes.wintypes.LPVOID GlobalUnlock = ctypes.windll.kernel32.GlobalUnlock GlobalUnlock.argtypes = (ctypes.wintypes.HGLOBAL,) GlobalUnlock.restype = ctypes.wintypes.BOOL GlobalSize = ctypes.windll.kernel32.GlobalSize GlobalSize.argtypes = (ctypes.wintypes.HGLOBAL,) GlobalSize.restype = ctypes.c_size_t CreateFileMapping = ctypes.windll.kernel32.CreateFileMappingW CreateFileMapping.argtypes = [ ctypes.wintypes.HANDLE, ctypes.c_void_p, ctypes.wintypes.DWORD, ctypes.wintypes.DWORD, ctypes.wintypes.DWORD, ctypes.wintypes.LPWSTR, ] CreateFileMapping.restype = ctypes.wintypes.HANDLE MapViewOfFile = ctypes.windll.kernel32.MapViewOfFile MapViewOfFile.restype = ctypes.wintypes.HANDLE UnmapViewOfFile = ctypes.windll.kernel32.UnmapViewOfFile UnmapViewOfFile.argtypes = (ctypes.wintypes.HANDLE,) RtlMoveMemory = ctypes.windll.kernel32.RtlMoveMemory RtlMoveMemory.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t) ctypes.windll.kernel32.LocalFree.argtypes = (ctypes.wintypes.HLOCAL,) ##################### # jaraco.windows.mmap class MemoryMap: """ A memory map object which can have security attributes overridden. """ def __init__(self, name, length, security_attributes=None): self.name = name self.length = length self.security_attributes = security_attributes self.pos = 0 def __enter__(self): p_SA = ( ctypes.byref(self.security_attributes) if self.security_attributes else None ) INVALID_HANDLE_VALUE = -1 PAGE_READWRITE = 0x4 FILE_MAP_WRITE = 0x2 filemap = ctypes.windll.kernel32.CreateFileMappingW( INVALID_HANDLE_VALUE, p_SA, PAGE_READWRITE, 0, self.length, u(self.name), ) handle_nonzero_success(filemap) if filemap == INVALID_HANDLE_VALUE: raise Exception("Failed to create file mapping") self.filemap = filemap self.view = MapViewOfFile(filemap, FILE_MAP_WRITE, 0, 0, 0) return self def seek(self, pos): self.pos = pos def write(self, msg): assert isinstance(msg, bytes) n = len(msg) if self.pos + n >= self.length: # A little safety. raise ValueError(f"Refusing to write {n} bytes") dest = self.view + self.pos length = ctypes.c_size_t(n) ctypes.windll.kernel32.RtlMoveMemory(dest, msg, length) self.pos += n def read(self, n): """ Read n bytes from mapped view. """ out = ctypes.create_string_buffer(n) source = self.view + self.pos length = ctypes.c_size_t(n) ctypes.windll.kernel32.RtlMoveMemory(out, source, length) self.pos += n return out.raw def __exit__(self, exc_type, exc_val, tb): ctypes.windll.kernel32.UnmapViewOfFile(self.view) ctypes.windll.kernel32.CloseHandle(self.filemap) ############################# # jaraco.windows.api.security # from WinNT.h READ_CONTROL = 0x00020000 STANDARD_RIGHTS_REQUIRED = 0x000F0000 STANDARD_RIGHTS_READ = READ_CONTROL STANDARD_RIGHTS_WRITE = READ_CONTROL STANDARD_RIGHTS_EXECUTE = READ_CONTROL STANDARD_RIGHTS_ALL = 0x001F0000 # from NTSecAPI.h POLICY_VIEW_LOCAL_INFORMATION = 0x00000001 POLICY_VIEW_AUDIT_INFORMATION = 0x00000002 POLICY_GET_PRIVATE_INFORMATION = 0x00000004 POLICY_TRUST_ADMIN = 0x00000008 POLICY_CREATE_ACCOUNT = 0x00000010 POLICY_CREATE_SECRET = 0x00000020 POLICY_CREATE_PRIVILEGE = 0x00000040 POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080 POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100 POLICY_AUDIT_LOG_ADMIN = 0x00000200 POLICY_SERVER_ADMIN = 0x00000400 POLICY_LOOKUP_NAMES = 0x00000800 POLICY_NOTIFICATION = 0x00001000 POLICY_ALL_ACCESS = ( STANDARD_RIGHTS_REQUIRED \| POLICY_VIEW_LOCAL_INFORMATION \| POLICY_VIEW_AUDIT_INFORMATION \| POLICY_GET_PRIVATE_INFORMATION \| POLICY_TRUST_ADMIN \| POLICY_CREATE_ACCOUNT \| POLICY_CREATE_SECRET \| POLICY_CREATE_PRIVILEGE \| POLICY_SET_DEFAULT_QUOTA_LIMITS \| POLICY_SET_AUDIT_REQUIREMENTS \| POLICY_AUDIT_LOG_ADMIN \| POLICY_SERVER_ADMIN \| POLICY_LOOKUP_NAMES ) POLICY_READ = ( STANDARD_RIGHTS_READ \| POLICY_VIEW_AUDIT_INFORMATION \| POLICY_GET_PRIVATE_INFORMATION ) POLICY_WRITE = ( STANDARD_RIGHTS_WRITE \| POLICY_TRUST_ADMIN \| POLICY_CREATE_ACCOUNT \| POLICY_CREATE_SECRET \| POLICY_CREATE_PRIVILEGE \| POLICY_SET_DEFAULT_QUOTA_LIMITS \| POLICY_SET_AUDIT_REQUIREMENTS \| POLICY_AUDIT_LOG_ADMIN \| POLICY_SERVER_ADMIN ) POLICY_EXECUTE = ( STANDARD_RIGHTS_EXECUTE \| POLICY_VIEW_LOCAL_INFORMATION \| POLICY_LOOKUP_NAMES ) class TokenAccess: TOKEN_QUERY = 0x8 class TokenInformationClass: TokenUser = 1 class TOKEN_USER(ctypes.Structure): num = 1 _fields_ = [ ("SID", ctypes.c_void_p), ("ATTRIBUTES", ctypes.wintypes.DWORD), ] class SECURITY_DESCRIPTOR(ctypes.Structure): """ typedef struct _SECURITY_DESCRIPTOR { UCHAR Revision; UCHAR Sbz1; SECURITY_DESCRIPTOR_CONTROL Control; PSID Owner; PSID Group; PACL Sacl; PACL Dacl; } SECURITY_DESCRIPTOR; """ SECURITY_DESCRIPTOR_CONTROL = ctypes.wintypes.USHORT REVISION = 1 _fields_ = [ ("Revision", ctypes.c_ubyte), ("Sbz1", ctypes.c_ubyte), ("Control", SECURITY_DESCRIPTOR_CONTROL), ("Owner", ctypes.c_void_p), ("Group", ctypes.c_void_p), ("Sacl", ctypes.c_void_p), ("Dacl", ctypes.c_void_p), ] class SECURITY_ATTRIBUTES(ctypes.Structure): """ typedef struct _SECURITY_ATTRIBUTES { DWORD nLength; LPVOID lpSecurityDescriptor; BOOL bInheritHandle; } SECURITY_ATTRIBUTES; """ _fields_ = [ ("nLength", ctypes.wintypes.DWORD), ("lpSecurityDescriptor", ctypes.c_void_p), ("bInheritHandle", ctypes.wintypes.BOOL), ] def __init__(self, args, *kwargs): super().__init__(args, kwargs) self.nLength = ctypes.sizeof(SECURITY_ATTRIBUTES) @property def descriptor(self): return self._descriptor @descriptor.setter def descriptor(self, value): self._descriptor = value self.lpSecurityDescriptor = ctypes.addressof(value) ctypes.windll.advapi32.SetSecurityDescriptorOwner.argtypes = ( ctypes.POINTER(SECURITY_DESCRIPTOR), ctypes.c_void_p, ctypes.wintypes.BOOL, ) ######################### # jaraco.windows.security def GetTokenInformation(token, information_class): """ Given a token, get the token information for it. """ data_size = ctypes.wintypes.DWORD() ctypes.windll.advapi32.GetTokenInformation( token, information_class.num, 0, 0, ctypes.byref(data_size) ) data = ctypes.create_string_buffer(data_size.value) handle_nonzero_success( ctypes.windll.advapi32.GetTokenInformation( token, information_class.num, ctypes.byref(data), ctypes.sizeof(data), ctypes.byref(data_size), ) ) return ctypes.cast(data, ctypes.POINTER(TOKEN_USER)).contents def OpenProcessToken(proc_handle, access): result = ctypes.wintypes.HANDLE() proc_handle = ctypes.wintypes.HANDLE(proc_handle) handle_nonzero_success( ctypes.windll.advapi32.OpenProcessToken( proc_handle, access, ctypes.byref(result) ) ) return result def get_current_user(): """ Return a TOKEN_USER for the owner of this process. """ process = OpenProcessToken( ctypes.windll.kernel32.GetCurrentProcess(), TokenAccess.TOKEN_QUERY ) return GetTokenInformation(process, TOKEN_USER) def get_security_attributes_for_user(user=None): """ Return a SECURITY_ATTRIBUTES structure with the SID set to the specified user (uses current user if none is specified). """ if user is None: user = get_current_user() assert isinstance(user, TOKEN_USER), "user must be TOKEN_USER instance" SD = SECURITY_DESCRIPTOR() SA = SECURITY_ATTRIBUTES() # by attaching the actual security descriptor, it will be garbage- # collected with the security attributes SA.descriptor = SD SA.bInheritHandle = 1 ctypes.windll.advapi32.InitializeSecurityDescriptor( ctypes.byref(SD), SECURITY_DESCRIPTOR.REVISION ) ctypes.windll.advapi32.SetSecurityDescriptorOwner( ctypes.byref(SD), user.SID, 0 ) return SA ��proxy.py��0000644��00000011050�15030210772�0006271 0��ustar�00��# Copyright (C) 2012 Yipit, Inc <coders@yipit.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. import os import shlex import signal from select import select import socket import time # Try-and-ignore import so platforms w/o subprocess (eg Google App Engine) can # still import paramiko. subprocess, subprocess_import_error = None, None try: import subprocess except ImportError as e: subprocess_import_error = e from paramiko.ssh_exception import ProxyCommandFailure from paramiko.util import ClosingContextManager class ProxyCommand(ClosingContextManager): """ Wraps a subprocess running ProxyCommand-driven programs. This class implements a the socket-like interface needed by the `.Transport` and `.Packetizer` classes. Using this class instead of a regular socket makes it possible to talk with a Popen'd command that will proxy traffic between the client and a server hosted in another machine. Instances of this class may be used as context managers. """ def __init__(self, command_line): """ Create a new CommandProxy instance. The instance created by this class can be passed as an argument to the `.Transport` class. :param str command_line: the command that should be executed and used as the proxy. """ if subprocess is None: raise subprocess_import_error self.cmd = shlex.split(command_line) self.process = subprocess.Popen( self.cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, bufsize=0, ) self.timeout = None def send(self, content): """ Write the content received from the SSH client to the standard input of the forked command. :param str content: string to be sent to the forked command """ try: self.process.stdin.write(content) except IOError as e: # There was a problem with the child process. It probably # died and we can't proceed. The best option here is to # raise an exception informing the user that the informed # ProxyCommand is not working. raise ProxyCommandFailure(" ".join(self.cmd), e.strerror) return len(content) def recv(self, size): """ Read from the standard output of the forked program. :param int size: how many chars should be read :return: the string of bytes read, which may be shorter than requested """ try: buffer = b"" start = time.time() while len(buffer) < size: select_timeout = None if self.timeout is not None: elapsed = time.time() - start if elapsed >= self.timeout: raise socket.timeout() select_timeout = self.timeout - elapsed r, w, x = select([self.process.stdout], [], [], select_timeout) if r and r[0] == self.process.stdout: buffer += os.read( self.process.stdout.fileno(), size - len(buffer) ) return buffer except socket.timeout: if buffer: # Don't raise socket.timeout, return partial result instead return buffer raise # socket.timeout is a subclass of IOError except IOError as e: raise ProxyCommandFailure(" ".join(self.cmd), e.strerror) def close(self): os.kill(self.process.pid, signal.SIGTERM) @property def closed(self): return self.process.returncode is not None @property def _closed(self): # Concession to Python 3 socket-like API return self.closed def settimeout(self, timeout): self.timeout = timeout ��auth_strategy.py��0000644��00000026255�15030210772�0010010 0��ustar�00��""" Modern, adaptable authentication machinery. Replaces certain parts of `.SSHClient`. For a concrete implementation, see the ``OpenSSHAuthStrategy`` class in `Fabric <https://fabfile.org>`_. """ from collections import namedtuple from .agent import AgentKey from .util import get_logger from .ssh_exception import AuthenticationException class AuthSource: """ Some SSH authentication source, such as a password, private key, or agent. See subclasses in this module for concrete implementations. All implementations must accept at least a ``username`` (``str``) kwarg. """ def __init__(self, username): self.username = username def _repr(self, kwargs): # TODO: are there any good libs for this? maybe some helper from # structlog? pairs = [f"{k}={v!r}" for k, v in kwargs.items()] joined = ", ".join(pairs) return f"{self.__class__.__name__}({joined})" def __repr__(self): return self._repr() def authenticate(self, transport): """ Perform authentication. """ raise NotImplementedError class NoneAuth(AuthSource): """ Auth type "none", ie https://www.rfc-editor.org/rfc/rfc4252#section-5.2 . """ def authenticate(self, transport): return transport.auth_none(self.username) class Password(AuthSource): """ Password authentication. :param callable password_getter: A lazy callable that should return a `str` password value at authentication time, such as a `functools.partial` wrapping `getpass.getpass`, an API call to a secrets store, or similar. If you already know the password at instantiation time, you should simply use something like ``lambda: "my literal"`` (for a literal, but also, shame on you!) or ``lambda: variable_name`` (for something stored in a variable). """ def __init__(self, username, password_getter): super().__init__(username=username) self.password_getter = password_getter def __repr__(self): # Password auth is marginally more 'username-caring' than pkeys, so may # as well log that info here. return super()._repr(user=self.username) def authenticate(self, transport): # Lazily get the password, in case it's prompting a user # TODO: be nice to log source _of_ the password? password = self.password_getter() return transport.auth_password(self.username, password) # TODO 4.0: twiddle this, or PKey, or both, so they're more obviously distinct. # TODO 4.0: the obvious is to make this more wordy (PrivateKeyAuth), the # minimalist approach might be to rename PKey to just Key (esp given all the # subclasses are WhateverKey and not WhateverPKey) class PrivateKey(AuthSource): """ Essentially a mixin for private keys. Knows how to auth, but leaves key material discovery/loading/decryption to subclasses. Subclasses must ensure that they've set ``self.pkey`` to a decrypted `.PKey` instance before calling ``super().authenticate``; typically either in their ``__init__``, or in an overridden ``authenticate`` prior to its `super` call. """ def authenticate(self, transport): return transport.auth_publickey(self.username, self.pkey) class InMemoryPrivateKey(PrivateKey): """ An in-memory, decrypted `.PKey` object. """ def __init__(self, username, pkey): super().__init__(username=username) # No decryption (presumably) necessary! self.pkey = pkey def __repr__(self): # NOTE: most of interesting repr-bits for private keys is in PKey. # TODO: tacking on agent-ness like this is a bit awkward, but, eh? rep = super()._repr(pkey=self.pkey) if isinstance(self.pkey, AgentKey): rep += " [agent]" return rep class OnDiskPrivateKey(PrivateKey): """ Some on-disk private key that needs opening and possibly decrypting. :param str source: String tracking where this key's path was specified; should be one of ``"ssh-config"``, ``"python-config"``, or ``"implicit-home"``. :param Path path: The filesystem path this key was loaded from. :param PKey pkey: The `PKey` object this auth source uses/represents. """ def __init__(self, username, source, path, pkey): super().__init__(username=username) self.source = source allowed = ("ssh-config", "python-config", "implicit-home") if source not in allowed: raise ValueError(f"source argument must be one of: {allowed!r}") self.path = path # Superclass wants .pkey, other two are mostly for display/debugging. self.pkey = pkey def __repr__(self): return self._repr( key=self.pkey, source=self.source, path=str(self.path) ) # TODO re sources: is there anything in an OpenSSH config file that doesn't fit # into what Paramiko already had kwargs for? SourceResult = namedtuple("SourceResult", ["source", "result"]) # TODO: tempting to make this an OrderedDict, except the keys essentially want # to be rich objects (AuthSources) which do not make for useful user indexing? # TODO: members being vanilla tuples is pretty old-school/expedient; they # "really" want to be something that's type friendlier (unless the tuple's 2nd # member being a Union of two types is "fine"?), which I assume means yet more # classes, eg an abstract SourceResult with concrete AuthSuccess and # AuthFailure children? # TODO: arguably we want __init__ typechecking of the members (or to leverage # mypy by classifying this literally as list-of-AuthSource?) class AuthResult(list): """ Represents a partial or complete SSH authentication attempt. This class conceptually extends `AuthStrategy` by pairing the former's authentication sources with the results of trying to authenticate with them. `AuthResult` is a (subclass of) `list` of `namedtuple`, which are of the form ``namedtuple('SourceResult', 'source', 'result')`` (where the ``source`` member is an `AuthSource` and the ``result`` member is either a return value from the relevant `.Transport` method, or an exception object). .. note:: Transport auth method results are always themselves a ``list`` of "next allowable authentication methods". In the simple case of "you just authenticated successfully", it's an empty list; if your auth was rejected but you're allowed to try again, it will be a list of string method names like ``pubkey`` or ``password``. The ``__str__`` of this class represents the empty-list scenario as the word ``success``, which should make reading the result of an authentication session more obvious to humans. Instances also have a `strategy` attribute referencing the `AuthStrategy` which was attempted. """ def __init__(self, strategy, args, kwargs): self.strategy = strategy super().__init__(args, *kwargs) def __str__(self): # NOTE: meaningfully distinct from __repr__, which still wants to use # superclass' implementation. # TODO: go hog wild, use rich.Table? how is that on degraded term's? # TODO: test this lol return "\n".join( f"{x.source} -> {x.result or 'success'}" for x in self ) # TODO 4.0: descend from SSHException or even just Exception class AuthFailure(AuthenticationException): """ Basic exception wrapping an `AuthResult` indicating overall auth failure. Note that `AuthFailure` descends from `AuthenticationException` but is generally "higher level"; the latter is now only raised by individual `AuthSource` attempts and should typically only be seen by users when encapsulated in this class. It subclasses `AuthenticationException` primarily for backwards compatibility reasons. """ def __init__(self, result): self.result = result def __str__(self): return "\n" + str(self.result) class AuthStrategy: """ This class represents one or more attempts to auth with an SSH server. By default, subclasses must at least accept an ``ssh_config`` (`.SSHConfig`) keyword argument, but may opt to accept more as needed for their particular strategy. """ def __init__( self, ssh_config, ): self.ssh_config = ssh_config self.log = get_logger(__name__) def get_sources(self): """ Generator yielding `AuthSource` instances, in the order to try. This is the primary override point for subclasses: you figure out what sources you need, and ``yield`` them. Subclasses _of_ subclasses may find themselves wanting to do things like filtering or discarding around a call to `super`. """ raise NotImplementedError def authenticate(self, transport): """ Handles attempting `AuthSource` instances yielded from `get_sources`. You normally* won't need to override this, but it's an option for advanced users. """ succeeded = False overall_result = AuthResult(strategy=self) # TODO: arguably we could fit in a "send none auth, record allowed auth # types sent back" thing here as OpenSSH-client does, but that likely # wants to live in fabric.OpenSSHAuthStrategy as not all target servers # will implement it! # TODO: needs better "server told us too many attempts" checking! for source in self.get_sources(): self.log.debug(f"Trying {source}") try: # NOTE: this really wants to _only_ wrap the authenticate()! result = source.authenticate(transport) succeeded = True # TODO: 'except PartialAuthentication' is needed for 2FA and # similar, as per old SSHClient.connect - it is the only way # AuthHandler supplies access to the 'name-list' field from # MSG_USERAUTH_FAILURE, at present. except Exception as e: result = e # TODO: look at what this could possibly raise, we don't really # want Exception here, right? just SSHException subclasses? or # do we truly want to capture anything at all with assumption # it's easy enough for users to look afterwards? # NOTE: showing type, not message, for tersity & also most of # the time it's basically just "Authentication failed." source_class = e.__class__.__name__ self.log.info( f"Authentication via {source} failed with {source_class}" ) overall_result.append(SourceResult(source, result)) if succeeded: break # Gotta die here if nothing worked, otherwise Transport's main loop # just kinda hangs out until something times out! if not succeeded: raise AuthFailure(result=overall_result) # Success: give back what was done, in case they care. return overall_result # TODO: is there anything OpenSSH client does which _can't_ cleanly map to # iterating a generator? ��compress.py��0000644��00000002402�15030210772�0006744 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Compression implementations for a Transport. """ import zlib class ZlibCompressor: def __init__(self): # Use the default level of zlib compression self.z = zlib.compressobj() def __call__(self, data): return self.z.compress(data) + self.z.flush(zlib.Z_FULL_FLUSH) class ZlibDecompressor: def __init__(self): self.z = zlib.decompressobj() def __call__(self, data): return self.z.decompress(data) ��rsakey.py��0000644��00000016572�15030210772�0006424 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ RSA keys. """ from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import rsa, padding from paramiko.message import Message from paramiko.pkey import PKey from paramiko.ssh_exception import SSHException class RSAKey(PKey): """ Representation of an RSA key which can be used to sign and verify SSH2 data. """ name = "ssh-rsa" HASHES = { "ssh-rsa": hashes.SHA1, "ssh-rsa-cert-v01@openssh.com": hashes.SHA1, "rsa-sha2-256": hashes.SHA256, "rsa-sha2-256-cert-v01@openssh.com": hashes.SHA256, "rsa-sha2-512": hashes.SHA512, "rsa-sha2-512-cert-v01@openssh.com": hashes.SHA512, } def __init__( self, msg=None, data=None, filename=None, password=None, key=None, file_obj=None, ): self.key = None self.public_blob = None if file_obj is not None: self._from_private_key(file_obj, password) return if filename is not None: self._from_private_key_file(filename, password) return if (msg is None) and (data is not None): msg = Message(data) if key is not None: self.key = key else: self._check_type_and_load_cert( msg=msg, # NOTE: this does NOT change when using rsa2 signatures; it's # purely about key loading, not exchange or verification key_type=self.name, cert_type="ssh-rsa-cert-v01@openssh.com", ) self.key = rsa.RSAPublicNumbers( e=msg.get_mpint(), n=msg.get_mpint() ).public_key(default_backend()) @classmethod def identifiers(cls): return list(cls.HASHES.keys()) @property def size(self): return self.key.key_size @property def public_numbers(self): if isinstance(self.key, rsa.RSAPrivateKey): return self.key.private_numbers().public_numbers else: return self.key.public_numbers() def asbytes(self): m = Message() m.add_string(self.name) m.add_mpint(self.public_numbers.e) m.add_mpint(self.public_numbers.n) return m.asbytes() def __str__(self): # NOTE: see #853 to explain some legacy behavior. # TODO 4.0: replace with a nice clean fingerprint display or something return self.asbytes().decode("utf8", errors="ignore") @property def _fields(self): return (self.get_name(), self.public_numbers.e, self.public_numbers.n) def get_name(self): return self.name def get_bits(self): return self.size def can_sign(self): return isinstance(self.key, rsa.RSAPrivateKey) def sign_ssh_data(self, data, algorithm=None): if algorithm is None: algorithm = self.name sig = self.key.sign( data, padding=padding.PKCS1v15(), # HASHES being just a map from long identifier to either SHA1 or # SHA256 - cert'ness is not truly relevant. algorithm=self.HASHES[algorithm](), ) m = Message() # And here again, cert'ness is irrelevant, so it is stripped out. m.add_string(algorithm.replace("-cert-v01@openssh.com", "")) m.add_string(sig) return m def verify_ssh_sig(self, data, msg): sig_algorithm = msg.get_text() if sig_algorithm not in self.HASHES: return False key = self.key if isinstance(key, rsa.RSAPrivateKey): key = key.public_key() # NOTE: pad received signature with leading zeros, key.verify() # expects a signature of key size (e.g. PuTTY doesn't pad) sign = msg.get_binary() diff = key.key_size - len(sign) * 8 if diff > 0: sign = b"\x00" * ((diff + 7) // 8) + sign try: key.verify( sign, data, padding.PKCS1v15(), self.HASHES[sig_algorithm]() ) except InvalidSignature: return False else: return True def write_private_key_file(self, filename, password=None): self._write_private_key_file( filename, self.key, serialization.PrivateFormat.TraditionalOpenSSL, password=password, ) def write_private_key(self, file_obj, password=None): self._write_private_key( file_obj, self.key, serialization.PrivateFormat.TraditionalOpenSSL, password=password, ) @staticmethod def generate(bits, progress_func=None): """ Generate a new private RSA key. This factory function can be used to generate a new host key or authentication key. :param int bits: number of bits the generated key should be. :param progress_func: Unused :return: new `.RSAKey` private key """ key = rsa.generate_private_key( public_exponent=65537, key_size=bits, backend=default_backend() ) return RSAKey(key=key) # ...internals... def _from_private_key_file(self, filename, password): data = self._read_private_key_file("RSA", filename, password) self._decode_key(data) def _from_private_key(self, file_obj, password): data = self._read_private_key("RSA", file_obj, password) self._decode_key(data) def _decode_key(self, data): pkformat, data = data if pkformat == self._PRIVATE_KEY_FORMAT_ORIGINAL: try: key = serialization.load_der_private_key( data, password=None, backend=default_backend() ) except (ValueError, TypeError, UnsupportedAlgorithm) as e: raise SSHException(str(e)) elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH: n, e, d, iqmp, p, q = self._uint32_cstruct_unpack(data, "iiiiii") public_numbers = rsa.RSAPublicNumbers(e=e, n=n) key = rsa.RSAPrivateNumbers( p=p, q=q, d=d, dmp1=d % (p - 1), dmq1=d % (q - 1), iqmp=iqmp, public_numbers=public_numbers, ).private_key(default_backend()) else: self._got_bad_key_format_id(pkformat) assert isinstance(key, rsa.RSAPrivateKey) self.key = key ��sftp_si.py��0000644��00000030400�15030210772�0006557 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ An interface to override for SFTP server support. """ import os import sys from paramiko.sftp import SFTP_OP_UNSUPPORTED class SFTPServerInterface: """ This class defines an interface for controlling the behavior of paramiko when using the `.SFTPServer` subsystem to provide an SFTP server. Methods on this class are called from the SFTP session's thread, so you can block as long as necessary without affecting other sessions (even other SFTP sessions). However, raising an exception will usually cause the SFTP session to abruptly end, so you will usually want to catch exceptions and return an appropriate error code. All paths are in string form instead of unicode because not all SFTP clients & servers obey the requirement that paths be encoded in UTF-8. """ def __init__(self, server, args, kwargs): """ Create a new SFTPServerInterface object. This method does nothing by default and is meant to be overridden by subclasses. :param .ServerInterface server: the server object associated with this channel and SFTP subsystem """ super().__init__(args, *kwargs) def session_started(self): """ The SFTP server session has just started. This method is meant to be overridden to perform any necessary setup before handling callbacks from SFTP operations. """ pass def session_ended(self): """ The SFTP server session has just ended, either cleanly or via an exception. This method is meant to be overridden to perform any necessary cleanup before this `.SFTPServerInterface` object is destroyed. """ pass def open(self, path, flags, attr): """ Open a file on the server and create a handle for future operations on that file. On success, a new object subclassed from `.SFTPHandle` should be returned. This handle will be used for future operations on the file (read, write, etc). On failure, an error code such as ``SFTP_PERMISSION_DENIED`` should be returned. ``flags`` contains the requested mode for opening (read-only, write-append, etc) as a bitset of flags from the ``os`` module: - ``os.O_RDONLY`` - ``os.O_WRONLY`` - ``os.O_RDWR`` - ``os.O_APPEND`` - ``os.O_CREAT`` - ``os.O_TRUNC`` - ``os.O_EXCL`` (One of ``os.O_RDONLY``, ``os.O_WRONLY``, or ``os.O_RDWR`` will always be set.) The ``attr`` object contains requested attributes of the file if it has to be created. Some or all attribute fields may be missing if the client didn't specify them. .. note:: The SFTP protocol defines all files to be in "binary" mode. There is no equivalent to Python's "text" mode. :param str path: the requested path (relative or absolute) of the file to be opened. :param int flags: flags or'd together from the ``os`` module indicating the requested mode for opening the file. :param .SFTPAttributes attr: requested attributes of the file if it is newly created. :return: a new `.SFTPHandle` or error code. """ return SFTP_OP_UNSUPPORTED def list_folder(self, path): """ Return a list of files within a given folder. The ``path`` will use posix notation (``"/"`` separates folder names) and may be an absolute or relative path. The list of files is expected to be a list of `.SFTPAttributes` objects, which are similar in structure to the objects returned by ``os.stat``. In addition, each object should have its ``filename`` field filled in, since this is important to a directory listing and not normally present in ``os.stat`` results. The method `.SFTPAttributes.from_stat` will usually do what you want. In case of an error, you should return one of the ``SFTP_`` error codes, such as ``SFTP_PERMISSION_DENIED``. :param str path: the requested path (relative or absolute) to be listed. :return: a list of the files in the given folder, using `.SFTPAttributes` objects. .. note:: You should normalize the given ``path`` first (see the `os.path` module) and check appropriate permissions before returning the list of files. Be careful of malicious clients attempting to use relative paths to escape restricted folders, if you're doing a direct translation from the SFTP server path to your local filesystem. """ return SFTP_OP_UNSUPPORTED def stat(self, path): """ Return an `.SFTPAttributes` object for a path on the server, or an error code. If your server supports symbolic links (also known as "aliases"), you should follow them. (`lstat` is the corresponding call that doesn't follow symlinks/aliases.) :param str path: the requested path (relative or absolute) to fetch file statistics for. :return: an `.SFTPAttributes` object for the given file, or an SFTP error code (like ``SFTP_PERMISSION_DENIED``). """ return SFTP_OP_UNSUPPORTED def lstat(self, path): """ Return an `.SFTPAttributes` object for a path on the server, or an error code. If your server supports symbolic links (also known as "aliases"), you should not follow them -- instead, you should return data on the symlink or alias itself. (`stat` is the corresponding call that follows symlinks/aliases.) :param str path: the requested path (relative or absolute) to fetch file statistics for. :type path: str :return: an `.SFTPAttributes` object for the given file, or an SFTP error code (like ``SFTP_PERMISSION_DENIED``). """ return SFTP_OP_UNSUPPORTED def remove(self, path): """ Delete a file, if possible. :param str path: the requested path (relative or absolute) of the file to delete. :return: an SFTP error code `int` like ``SFTP_OK``. """ return SFTP_OP_UNSUPPORTED def rename(self, oldpath, newpath): """ Rename (or move) a file. The SFTP specification implies that this method can be used to move an existing file into a different folder, and since there's no other (easy) way to move files via SFTP, it's probably a good idea to implement "move" in this method too, even for files that cross disk partition boundaries, if at all possible. .. note:: You should return an error if a file with the same name as ``newpath`` already exists. (The rename operation should be non-desctructive.) .. note:: This method implements 'standard' SFTP ``RENAME`` behavior; those seeking the OpenSSH "POSIX rename" extension behavior should use `posix_rename`. :param str oldpath: the requested path (relative or absolute) of the existing file. :param str newpath: the requested new path of the file. :return: an SFTP error code `int` like ``SFTP_OK``. """ return SFTP_OP_UNSUPPORTED def posix_rename(self, oldpath, newpath): """ Rename (or move) a file, following posix conventions. If newpath already exists, it will be overwritten. :param str oldpath: the requested path (relative or absolute) of the existing file. :param str newpath: the requested new path of the file. :return: an SFTP error code `int` like ``SFTP_OK``. :versionadded: 2.2 """ return SFTP_OP_UNSUPPORTED def mkdir(self, path, attr): """ Create a new directory with the given attributes. The ``attr`` object may be considered a "hint" and ignored. The ``attr`` object will contain only those fields provided by the client in its request, so you should use ``hasattr`` to check for the presence of fields before using them. In some cases, the ``attr`` object may be completely empty. :param str path: requested path (relative or absolute) of the new folder. :param .SFTPAttributes attr: requested attributes of the new folder. :return: an SFTP error code `int` like ``SFTP_OK``. """ return SFTP_OP_UNSUPPORTED def rmdir(self, path): """ Remove a directory if it exists. The ``path`` should refer to an existing, empty folder -- otherwise this method should return an error. :param str path: requested path (relative or absolute) of the folder to remove. :return: an SFTP error code `int` like ``SFTP_OK``. """ return SFTP_OP_UNSUPPORTED def chattr(self, path, attr): """ Change the attributes of a file. The ``attr`` object will contain only those fields provided by the client in its request, so you should check for the presence of fields before using them. :param str path: requested path (relative or absolute) of the file to change. :param attr: requested attributes to change on the file (an `.SFTPAttributes` object) :return: an error code `int` like ``SFTP_OK``. """ return SFTP_OP_UNSUPPORTED def canonicalize(self, path): """ Return the canonical form of a path on the server. For example, if the server's home folder is ``/home/foo``, the path ``"../betty"`` would be canonicalized to ``"/home/betty"``. Note the obvious security issues: if you're serving files only from a specific folder, you probably don't want this method to reveal path names outside that folder. You may find the Python methods in ``os.path`` useful, especially ``os.path.normpath`` and ``os.path.realpath``. The default implementation returns ``os.path.normpath('/' + path)``. """ if os.path.isabs(path): out = os.path.normpath(path) else: out = os.path.normpath("/" + path) if sys.platform == "win32": # on windows, normalize backslashes to sftp/posix format out = out.replace("\\", "/") return out def readlink(self, path): """ Return the target of a symbolic link (or shortcut) on the server. If the specified path doesn't refer to a symbolic link, an error should be returned. :param str path: path (relative or absolute) of the symbolic link. :return: the target `str` path of the symbolic link, or an error code like ``SFTP_NO_SUCH_FILE``. """ return SFTP_OP_UNSUPPORTED def symlink(self, target_path, path): """ Create a symbolic link on the server, as new pathname ``path``, with ``target_path`` as the target of the link. :param str target_path: path (relative or absolute) of the target for this new symbolic link. :param str path: path (relative or absolute) of the symbolic link to create. :return: an error code `int` like ``SFTP_OK``. """ return SFTP_OP_UNSUPPORTED ��ecdsakey.py��0000644��00000026605�15030210772�0006714 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ ECDSA keys """ from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric.utils import ( decode_dss_signature, encode_dss_signature, ) from paramiko.common import four_byte from paramiko.message import Message from paramiko.pkey import PKey from paramiko.ssh_exception import SSHException from paramiko.util import deflate_long class _ECDSACurve: """ Represents a specific ECDSA Curve (nistp256, nistp384, etc). Handles the generation of the key format identifier and the selection of the proper hash function. Also grabs the proper curve from the 'ecdsa' package. """ def __init__(self, curve_class, nist_name): self.nist_name = nist_name self.key_length = curve_class.key_size # Defined in RFC 5656 6.2 self.key_format_identifier = "ecdsa-sha2-" + self.nist_name # Defined in RFC 5656 6.2.1 if self.key_length <= 256: self.hash_object = hashes.SHA256 elif self.key_length <= 384: self.hash_object = hashes.SHA384 else: self.hash_object = hashes.SHA512 self.curve_class = curve_class class _ECDSACurveSet: """ A collection to hold the ECDSA curves. Allows querying by oid and by key format identifier. The two ways in which ECDSAKey needs to be able to look up curves. """ def __init__(self, ecdsa_curves): self.ecdsa_curves = ecdsa_curves def get_key_format_identifier_list(self): return [curve.key_format_identifier for curve in self.ecdsa_curves] def get_by_curve_class(self, curve_class): for curve in self.ecdsa_curves: if curve.curve_class == curve_class: return curve def get_by_key_format_identifier(self, key_format_identifier): for curve in self.ecdsa_curves: if curve.key_format_identifier == key_format_identifier: return curve def get_by_key_length(self, key_length): for curve in self.ecdsa_curves: if curve.key_length == key_length: return curve class ECDSAKey(PKey): """ Representation of an ECDSA key which can be used to sign and verify SSH2 data. """ _ECDSA_CURVES = _ECDSACurveSet( [ _ECDSACurve(ec.SECP256R1, "nistp256"), _ECDSACurve(ec.SECP384R1, "nistp384"), _ECDSACurve(ec.SECP521R1, "nistp521"), ] ) def __init__( self, msg=None, data=None, filename=None, password=None, vals=None, file_obj=None, # TODO 4.0: remove; it does nothing since porting to cryptography.io validate_point=True, ): self.verifying_key = None self.signing_key = None self.public_blob = None if file_obj is not None: self._from_private_key(file_obj, password) return if filename is not None: self._from_private_key_file(filename, password) return if (msg is None) and (data is not None): msg = Message(data) if vals is not None: self.signing_key, self.verifying_key = vals c_class = self.signing_key.curve.__class__ self.ecdsa_curve = self._ECDSA_CURVES.get_by_curve_class(c_class) else: # Must set ecdsa_curve first; subroutines called herein may need to # spit out our get_name(), which relies on this. key_type = msg.get_text() # But this also means we need to hand it a real key/curve # identifier, so strip out any cert business. (NOTE: could push # that into _ECDSACurveSet.get_by_key_format_identifier(), but it # feels more correct to do it here?) suffix = "-cert-v01@openssh.com" if key_type.endswith(suffix): key_type = key_type[: -len(suffix)] self.ecdsa_curve = self._ECDSA_CURVES.get_by_key_format_identifier( key_type ) key_types = self._ECDSA_CURVES.get_key_format_identifier_list() cert_types = [ "{}-cert-v01@openssh.com".format(x) for x in key_types ] self._check_type_and_load_cert( msg=msg, key_type=key_types, cert_type=cert_types ) curvename = msg.get_text() if curvename != self.ecdsa_curve.nist_name: raise SSHException( "Can't handle curve of type {}".format(curvename) ) pointinfo = msg.get_binary() try: key = ec.EllipticCurvePublicKey.from_encoded_point( self.ecdsa_curve.curve_class(), pointinfo ) self.verifying_key = key except ValueError: raise SSHException("Invalid public key") @classmethod def identifiers(cls): return cls._ECDSA_CURVES.get_key_format_identifier_list() # TODO 4.0: deprecate/remove @classmethod def supported_key_format_identifiers(cls): return cls.identifiers() def asbytes(self): key = self.verifying_key m = Message() m.add_string(self.ecdsa_curve.key_format_identifier) m.add_string(self.ecdsa_curve.nist_name) numbers = key.public_numbers() key_size_bytes = (key.curve.key_size + 7) // 8 x_bytes = deflate_long(numbers.x, add_sign_padding=False) x_bytes = b"\x00" * (key_size_bytes - len(x_bytes)) + x_bytes y_bytes = deflate_long(numbers.y, add_sign_padding=False) y_bytes = b"\x00" * (key_size_bytes - len(y_bytes)) + y_bytes point_str = four_byte + x_bytes + y_bytes m.add_string(point_str) return m.asbytes() def __str__(self): return self.asbytes() @property def _fields(self): return ( self.get_name(), self.verifying_key.public_numbers().x, self.verifying_key.public_numbers().y, ) def get_name(self): return self.ecdsa_curve.key_format_identifier def get_bits(self): return self.ecdsa_curve.key_length def can_sign(self): return self.signing_key is not None def sign_ssh_data(self, data, algorithm=None): ecdsa = ec.ECDSA(self.ecdsa_curve.hash_object()) sig = self.signing_key.sign(data, ecdsa) r, s = decode_dss_signature(sig) m = Message() m.add_string(self.ecdsa_curve.key_format_identifier) m.add_string(self._sigencode(r, s)) return m def verify_ssh_sig(self, data, msg): if msg.get_text() != self.ecdsa_curve.key_format_identifier: return False sig = msg.get_binary() sigR, sigS = self._sigdecode(sig) signature = encode_dss_signature(sigR, sigS) try: self.verifying_key.verify( signature, data, ec.ECDSA(self.ecdsa_curve.hash_object()) ) except InvalidSignature: return False else: return True def write_private_key_file(self, filename, password=None): self._write_private_key_file( filename, self.signing_key, serialization.PrivateFormat.TraditionalOpenSSL, password=password, ) def write_private_key(self, file_obj, password=None): self._write_private_key( file_obj, self.signing_key, serialization.PrivateFormat.TraditionalOpenSSL, password=password, ) @classmethod def generate(cls, curve=ec.SECP256R1(), progress_func=None, bits=None): """ Generate a new private ECDSA key. This factory function can be used to generate a new host key or authentication key. :param progress_func: Not used for this type of key. :returns: A new private key (`.ECDSAKey`) object """ if bits is not None: curve = cls._ECDSA_CURVES.get_by_key_length(bits) if curve is None: raise ValueError("Unsupported key length: {:d}".format(bits)) curve = curve.curve_class() private_key = ec.generate_private_key(curve, backend=default_backend()) return ECDSAKey(vals=(private_key, private_key.public_key())) # ...internals... def _from_private_key_file(self, filename, password): data = self._read_private_key_file("EC", filename, password) self._decode_key(data) def _from_private_key(self, file_obj, password): data = self._read_private_key("EC", file_obj, password) self._decode_key(data) def _decode_key(self, data): pkformat, data = data if pkformat == self._PRIVATE_KEY_FORMAT_ORIGINAL: try: key = serialization.load_der_private_key( data, password=None, backend=default_backend() ) except ( ValueError, AssertionError, TypeError, UnsupportedAlgorithm, ) as e: raise SSHException(str(e)) elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH: try: msg = Message(data) curve_name = msg.get_text() verkey = msg.get_binary() # noqa: F841 sigkey = msg.get_mpint() name = "ecdsa-sha2-" + curve_name curve = self._ECDSA_CURVES.get_by_key_format_identifier(name) if not curve: raise SSHException("Invalid key curve identifier") key = ec.derive_private_key( sigkey, curve.curve_class(), default_backend() ) except Exception as e: # PKey._read_private_key_openssh() should check or return # keytype - parsing could fail for any reason due to wrong type raise SSHException(str(e)) else: self._got_bad_key_format_id(pkformat) self.signing_key = key self.verifying_key = key.public_key() curve_class = key.curve.__class__ self.ecdsa_curve = self._ECDSA_CURVES.get_by_curve_class(curve_class) def _sigencode(self, r, s): msg = Message() msg.add_mpint(r) msg.add_mpint(s) return msg.asbytes() def _sigdecode(self, sig): msg = Message(sig) r = msg.get_mpint() s = msg.get_mpint() return r, s ��__pycache__/kex_group16.cpython-310.pyc��0000644��00000002313�15030210772�0013623 0��ustar�00��o ��h��@��s0��d�Z�ddlmZ�ddlmZ�G�dd��de�ZdS�)z� Standard SSH key exchange ("kex" if you wanna sound cool). Diffie-Hellman of 4096 bit key halves, using a known "p" prime and "g" generator. ��)� KexGroup1)�sha512c��@��s ��e�Zd�ZdZdZdZdZeZdS�)�KexGroup16SHA512zdiffie-hellman-group16-sha512l��MrzM�MBr�}o�{c#Lu�S5�V> i��\;�p_^w��#�y�(�!wF��dR6f�5NG�x�Uv�A�_�K\|G��nFgD-E9�`mli�Q�`#N^ �I�L&[t{Bh�Cxm�p�9B��d"?8�-�CbV�S}$A\Q6]`� �Xu�;u\|H�+>$�)Cv3'�6E��_�/s�aDz�s�0%J�)2z��0�Qk}�c�aM>\�m�`�kUuE o�1�gN&�c�j��3� 4��Z�X�"-Gr �c�0"]�\Z%u>Is0\`�4�<�;��7�]�k> =`.:�d��C,�<�oq6�b��JX�E'@�+�) C�6��T�\+UD�<1�-G9�t�u�$?ji�+qXAR�Y�wX(\>�B{6�3�2��\|��$]K~&�Z��=�-z�\��5�1�.� �1?/bvj��V�&�S _r��@��Sy6Fe�n4s!(��9bG�otL�"8HM��"1c�4�Q��~�\|��N)�__name__� __module__�__qualname__�name�P�Gr�� hash_algo��r ��r ��G/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/kex_group16.pyr��s��r��N)�__doc__�paramiko.kex_group1r��hashlibr��r��r ��r ��r ��r��<module>��s��__pycache__/sftp_server.cpython-310.pyc��0000644��00000027613�15030210772�0014025 0��ustar�00��o ��h$L��@��s\��d�Z�ddlZddlZddlZddlmZmZ�ddlmZ�ddl m Z mZmZm Z mZmZ�ddlmZ�ddlmZ�ddlmZ�dd lmZ�dd lmZ�ddl mZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)mZm+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;m<Z<m=Z=m>Z>�eed�Z?G�d d��de e�Z@ddlAmBZB�dS�)z Server-mode SFTP support. ��N)�md5�sha1)�util)�BaseSFTP�Message�SFTP_FAILURE�SFTP_PERMISSION_DENIED�SFTP_NO_SUCH_FILE�int64)�SFTPServerInterface)�SFTPAttributes)�DEBUG)�SubsystemHandler)�b)%� CMD_HANDLE� SFTP_DESC� CMD_STATUS�SFTP_EOF�CMD_NAME�SFTP_BAD_MESSAGE�CMD_EXTENDED_REPLY�SFTP_FLAG_READ�SFTP_FLAG_WRITE�SFTP_FLAG_APPEND�SFTP_FLAG_CREATE�SFTP_FLAG_TRUNC�SFTP_FLAG_EXCL� CMD_NAMES�CMD_OPEN� CMD_CLOSE�SFTP_OK�CMD_READ�CMD_DATA� CMD_WRITE� CMD_REMOVE� CMD_RENAME� CMD_MKDIR� CMD_RMDIR�CMD_OPENDIR�CMD_READDIR�CMD_STAT� CMD_ATTRS� CMD_LSTAT� CMD_FSTAT�CMD_SETSTAT�CMD_FSETSTAT�CMD_READLINK�CMD_SYMLINK�CMD_REALPATH�CMD_EXTENDED�SFTP_OP_UNSUPPORTED)r��r��c��s��e�Zd�ZdZefdd�Z��fdd�Zdd��Z��fdd �Ze d d��Z e dd ��Zdd��Zd dd�Z d!dd�Zdd��Zdd��Zdd��Zdd��Zdd��Z��ZS�)"� SFTPServerz� Server-side SFTP subsystem support. Since this is a `.SubsystemHandler`, it can be (and is meant to be) set as the handler for ``"sftp"`` requests. Use `.Transport.set_subsystem_handler` to activate this class. c��O��sn��t��\|��t�\|�\|\|\|��\|��}t�\|��d��\|�_\|��\|�_ d\|�_ i�\|�_i�\|�_\|\|g\|�R�i�\|��\|�_ dS�)a�� The constructor for SFTPServer is meant to be called from within the `.Transport` as a subsystem handler. ``server`` and any additional parameters or keyword parameters are passed from the original call to `.Transport.set_subsystem_handler`. :param .Channel channel: channel passed from the `.Transport`. :param str name: name of the requested subsystem. :param .ServerInterface server: the server object associated with this channel and subsystem :param sftp_si: a subclass of `.SFTPServerInterface` to use for handling individual requests. z.sftp��N)r��__init__r�� get_transportr�� get_logger�get_log_channel�logger�get_hexdump�ultra_debug�next_handle� file_table�folder_table�server)�self�channel�namerA��sftp_si�args�kwargs� transport��rI��G/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/sftp_server.pyr7��_��s�� zSFTPServer.__init__c��s`��t�t\|�t�r\|D�]}t��\|d\|�j��d�\|��q d�S�t��\|d\|�j��d�\|��d�S�)Nz[chan z] )� issubclass�type�list�super�_log�sock�get_name)rB��level�msg�m�� __class__rI��rJ��rO��s ��"�$zSFTPServer._logc�� C��s.��\|\|�_�\|��td�\|��\|��\|�j�� z\|��\}}W�n4�ty.��\|��td��Y�d�S��t yR�}�z\|��tdt \|��\|��tt��W�Y�d�}~d�S�d�}~ww�t \|�}\|��}z \|��\|\|\|��W�n1�t y��}�z%\|��tdt \|��\|��tt��z\|��\|t��W�n��Y�W�Y�d�}~nd�}~ww�q)Nz#Started sftp server on channel {!r}TzEOF -- end of sessionzException on channel: z Exception in server processing: )rP��rO��r ��format�_send_server_versionrA��session_started�_read_packet�EOFError� Exception�strr�� tb_stringsr��get_int�_process�_send_statusr��) rB��rD��rH��rC��t�data�erS��request_numberrI��rI��rJ��start_subsystem��s<�� zSFTPServer.start_subsystemc��sT��\|�j��t��\|�j��D�]}\|��q\|�j��D�]}\|��qi�\|�_i�\|�_d�S��N)rA�� session_endedrN��finish_subsystemr?��values�closer@��)rB��frU��rI��rJ��ri��s�� zSFTPServer.finish_subsystemc��C��s��\|�t�jkrtS�\|�t�jks\|�t�jkrtS�tS�)au�� Convert an errno value (as from an ``OSError`` or ``IOError``) into a standard SFTP result code. This is a convenience function for trapping exceptions in server code and returning an appropriate result. :param int e: an errno code, as from ``OSError.errno``. :return: an `int` SFTP error code like ``SFTP_NO_SUCH_FILE``. )�errno�EACCESr��ENOENT�ENOTDIRr ��r��)rd��rI��rI��rJ�� convert_errno��s �� zSFTPServer.convert_errnoc��C��s��t�jdkr!\|j\|j@�rt�\|�\|j��\|j\|j@�r!t�\|�\|j \|j ��\|j\|j@�r1t�\|�\|j \|jf��\|j\|j@�rUt\|�d��}\|�\|j��W�d��dS�1�sNw��Y��dS�dS�)a:�� Change a file's attributes on the local filesystem. The contents of ``attr`` are used to change the permissions, owner, group ownership, and/or modification & access time of the file, depending on which attributes are present in ``attr``. This is meant to be a handy helper function for translating SFTP file requests into local file operations. :param str filename: name of the file to alter (should usually be an absolute path). :param .SFTPAttributes attr: attributes to change. �win32zw+N)�sys�platform�_flags�FLAG_PERMISSIONS�os�chmod�st_mode�FLAG_UIDGID�chown�st_uid�st_gid�FLAG_AMTIME�utime�st_atime�st_mtime� FLAG_SIZE�open�truncate�st_size)�filename�attrrl��rI��rI��rJ�� set_file_attr��s�� "��zSFTPServer.set_file_attrc��G��s��t��}\|�\|��\|D�]:}t\|t�r\|�\|��q t\|t�r"\|�\|��q t\|ttf�r/\|�\|��q t \|�t u�r;\|�\|��q td� \|t \|��\|��\|\|��d�S�)Nzunknown type for {!r} type {!r})r��add_int� isinstancer �� add_int64�intr]��bytes� add_stringrL��r��_packr\��rW��_send_packet)rB��re��rb��rF��rS��itemrI��rI��rJ�� _response��s�� zSFTPServer._responseFc��C��sz��t�t\|�t�s\|��\|\|��d�S�\|�td�\|�j��\|��jd7��_\|r+\|\|�j\|� ��<�n\|\|�j \|� ��<�\|��\|t\|� ��d�S�)Nzhx{:d}r6��) rK��rL�� SFTPHandlera�� _set_namer��rW��r>��r@�� _get_namer?��r��r��)rB��re��handle�folderrI��rI��rJ��_send_handle_response��s��z SFTPServer._send_handle_responseNc��C��sB��\|d�u�rzt�\|�}W�n�ty��d}Y�nw�\|��\|t\|\|d��d�S�)N�Unknown��)r�� IndexErrorr��r��)rB��re��code�descrI��rI��rJ��ra��s��zSFTPServer._send_statusc��C��sL��\|�j��\|�}tt\|�t�rt��}\|�\|��\|��\|\|d��d�S�\|��\|\|��d�S�)NT) rA��list_folderrK��rL��rM��r�� _set_filesr��ra��)rB��re��path�respr��rI��rI��rJ��_open_folder ��s�� zSFTPServer._open_folderc��C��s\|��\|��}t\|�dkr\|��\|t��d�S�t��}\|�\|��\|�t\|��\|D�]}\|�\|j��\|�\|��\|�\|��q#\|�� t \|��d�S�)Nr��)�_get_next_files�lenra��r��r��r��r��r��r��r��r��)rB��re��r��flistrS��r��rI��rI��rJ��_read_folder��s�� zSFTPServer._read_folderc��C��s��\|��}\|��}\|��}\|��}\|��}\|\|�jvr"\|��\|td��d�S�\|�j\|�}\|D�]} \| tv�r7\| } t\| �}�n q)\|��\|td��d�S�\|dkr^\|� ��}t t\|�t�sY\|��\|\|d��d�S�\|j \|�}\|dkrd\|}\|dk�rq\|��\|td��d�S�t��} \|}\|\|\|�k�r�t\|\|\|�\|��}t\|d�}d}\|��}\|\|k�r�\|�\|\|�}t\|t�s�\|��\|\|d��d�S�\|�\|��\|t\|�7�}\|\|7�}\|\|k�s�\| \|��7�} \|\|\|�k�s\|t��}\|�\|��\|�d ��\|�\| ��\|�\| ��\|��t\|��d�S�) N�Invalid handlezNo supported hash types foundr��zUnable to stat file��zBlock size too smalli��zUnable to hash file� check-file)� get_binary�get_list� get_int64r_��r?��ra��r��_hash_classr��statrK��rL��r��r��r��min�readr��updater��digestr��r��r�� add_bytesr��r��)rB��re��rS��r��alg_list�start�length� block_sizerl��x�algname�alg�st�sum_out�offset�blocklen�chunklen�count�hash_objrc��rI��rI��rJ��_check_file#��sx�� zSFTPServer._check_filec��C��sz��\|t�@�r\|t@�rtj}n\|t@�rtj}ntj}\|t@�r \|tjO�}\|t@�r)\|tj O�}\|t @�r2\|tjO�}\|t@�r;\|tj O�}\|S�)z;convert SFTP-style open() flags to Python's os.open() flags)r��r��rw��O_RDWR�O_WRONLY�O_RDONLYr��O_APPENDr��O_CREATr��O_TRUNCr��O_EXCL)rB��pflags�flagsrI��rI��rJ��_convert_pflagsf��s�� zSFTPServer._convert_pflagsc��C��s��\|��td�t\|��\|tkr-\|��}\|��\|��}t� \|�}\|�� \|\|�j�\|\|\|��d�S�\|t krg\|��}\|\|�jv�rF\|�j\|=�\|��\|t��d�S�\|\|�jv�r^\|�j\|��\|�j\|=�\|��\|t��d�S�\|��\|td��d�S�\|tkr�\|��}\|��}\|��} \|\|�jvr�\|��\|td��d�S�\|�j\|��\|\| �} t\| ttf�r�t\| �dkr�\|��\|t��d�S�\|��\|t\| ��d�S�\|��\|\| ��d�S�\|tkr�\|��}\|��}\|��} \|\|�jvr�\|��\|td��d�S�\|��\|\|�j\|�� \|\| ��d�S�\|t!kr�\|��}\|��\|\|�j�"\|��d�S�\|t#k�r\|��}\|��}\|��\|\|�j�$\|\|��d�S�\|t%k�r\|��}t� \|�}\|��\|\|�j�&\|\|��d�S�\|t'k�r?\|��}\|��\|\|�j�(\|��d�S�\|t)k�rP\|��}\|��\|\|��d�S�\|t+k�ru\|��}\|\|�jv�rh\|��\|td��d�S�\|�j\|�} \|��,\|\| ��d�S�\|t-k�r�\|��}\|�j�.\|�}t/t0\|�t��r�\|��\|t1\|��d�S�\|��\|\|��d�S�\|t2k�r�\|��}\|�j�3\|�}t/t0\|�t��r�\|��\|t1\|��d�S�\|��\|\|��d�S�\|t4k�r�\|��}\|\|�jv�r�\|��\|td��d�S�\|�j\|��.��}t/t0\|�t��r�\|��\|t1\|��d�S�\|��\|\|��d�S�\|t5k�r\|��}t� \|�}\|��\|\|�j�6\|\|��d�S�\|t7k�rC\|��}t� \|�}\|\|�jv�r5\|��\|td��d�S�\|��\|\|�j\|��6\|��d�S�\|t8k�ro\|��}\|�j�9\|�}t\|ttf��rg\|��\|t:d\|dt��d�S�\|��\|\|��d�S�\|t;k�r�\|��}\|��}\|��\|\|�j�<\|\|��d�S�\|t=k�r�\|��}\|�j�>\|�}\|��\|t:d\|dt��d�S�\|t?k�r�\|��}\|dk�r�\|��@\|\|��d�S�\|dk�r�\|��}\|��}\|��\|\|�j�A\|\|��d�S�\|��\|tB��d�S�\|��\|tB��d�S�)NzRequest: {}r��r��r6��r��r��zposix-rename@openssh.com)CrO��r ��rW��r��r��get_textr��r_��r�� _from_msgr��rA��r��r��r��r@��ra��r ��r?��rk��r��r!��r��r��r��r��r]��r��r��r��r"��r#��writer$��remover%��renamer&��mkdirr'��rmdirr(��r��r)��r��r��r��rK��rL��r+��r,��lstatr-��r.��chattrr/��r0��readlinkr��r1��symlinkr2��canonicalizer3��r��posix_renamer4��)rB��rb��re��rS��r��r��r��r��r��r��rc��oldpath�newpathr��r��target_path�rpath�tagrI��rI��rJ��r`��x��s(�� zSFTPServer._process)Frg��)�__name__� __module__�__qualname__�__doc__r��r7��rO��rf��ri��staticmethodrq��r��r��r��ra��r��r��r��r��r`�� __classcell__rI��rI��rU��rJ��r5��X��s&�� " Cr5��)r��)Cr��rw��rm��rs��hashlibr��r��paramikor�� paramiko.sftpr��r��r��r��r ��r ��paramiko.sftp_sir��paramiko.sftp_attrr��paramiko.commonr ��paramiko.serverr�� paramiko.utilr��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r ��r!��r"��r#��r$��r%��r&��r'��r(��r)��r��r+��r,��r-��r.��r/��r0��r1��r2��r3��r4��r��r5��paramiko.sftp_handler��rI��rI��rI��rJ��<module>��s&�� (��D��__pycache__/channel.cpython-310.pyc��0000644��00000125611�15030210772�0013070 0��ustar�00��o ��h'��@��s��d�Z�ddlZddlZddlZddlZddlZddlmZ�ddlm Z �ddl mZmZm Z mZmZmZmZmZmZmZ�ddlmZ�ddlmZ�ddlmZ�dd lmZmZ�dd lmZ�ddlm Z �dd ��Z!G�dd��de �Z"G�dd��de�Z#G�dd��de#�Z$G�dd��de#�Z%dS�)z" Abstraction for an SSH2 channel. ��N��wraps)�util) �cMSG_CHANNEL_REQUEST�cMSG_CHANNEL_WINDOW_ADJUST�cMSG_CHANNEL_DATA�cMSG_CHANNEL_EXTENDED_DATA�DEBUG�ERROR�cMSG_CHANNEL_SUCCESS�cMSG_CHANNEL_FAILURE�cMSG_CHANNEL_EOF�cMSG_CHANNEL_CLOSE)�Message)�SSHException)�BufferedFile)�BufferedPipe�PipeTimeout)�pipe)�ClosingContextManagerc��s��t��fdd��}\|S�)z� Decorator for `.Channel` methods which performs an openness check. :raises: `.SSHException` -- If the wrapped method is called on an unopened `.Channel`. c��s6��\|�j�s\|�js\|�js\|�jstd��\|�g\|�R�i�\|��S�)NzChannel is not open)�closed�eof_received�eof_sent�activer��)�self�args�kwds��func��C/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/channel.py�_check=��s��zopen_only.<locals>._checkr��)r��r!��r��r��r �� open_only4��s�� r"��c��@��sJ��e�Zd�ZdZdd��Zdd��Zdd��Ze d�dd ��Zedd��Z edd��Z edd��Zed�dd��Zedd��Z edd��Zdd��Zdd��Zdd��Ze ! d�d"d#��Zed$d%��Zd&d'��Zd(d)��Zdd+��Zd,d-��Zd.d/��Zd0d1��Zd2d3��Zd4d5��Zd6d7��Zd8d9��Zd:d;��Zd<d=��Zd>d?��Z d@dA��Z!dBdC��Z"dDdE��Z#dFdG��Z$dHdI��Z%dJdK��Z&dLdM��Z'dNdO��Z(dPdQ��Z)dRdS��ZdTdU��Z+dVdW��Z,dXdY��Z-e.dZd[��Z/d\d]��Z0d^d_��Z1d`da��Z2dbdc��Z3ddde��Z4dfdg��Z5dhdi��Z6djdk��Z7dldm��Z8dndo��Z9dpdq��Z:drds��Z;dtdu��Z<dvdw��Z=dxdy��Z>dzd{��Z?d\|d}��Z@d~d��ZAd�d��ZBd�d��ZCd�d��ZDd S�)��Channela�� A secure tunnel across an SSH `.Transport`. A Channel is meant to behave like a socket, and has an API that should be indistinguishable from the Python socket API. Because SSH2 has a windowing kind of flow control, if you stop reading data from a Channel and its buffer fills up, the server will be unable to send you any more data until you read some of it. (This won't affect other channels on the same transport -- all channels on a single transport are flow-controlled independently.) Similarly, if the server isn't reading data you send, calls to `send` may block, unless you set a timeout. This is exactly like a normal network socket, so it shouldn't be too surprising. Instances of this class may be used as context managers. c��C��s��\|\|�_�d\|�_d\|�_d\|�_d\|�_d\|�_t��\|�_t��\|�_d\|�_ d\|�_ d\|�_t� ��\|�_t�\|�j�\|�_d\|�_d\|�_d\|�_d\|�_d\|�_d\|�_t��\|�_t\|�\|�_t�d�\|�_d\|�_t��\|�_d\|�_ d\|�_!d\|�_"d\|�_#dS�)am�� Create a new channel. The channel is not associated with any particular session or `.Transport` until the Transport attaches it. Normally you would only call this method from the constructor of a subclass of `.Channel`. :param int chanid: the ID of this channel, as passed by an existing `.Transport`. r��NFzparamiko.transport��)$�chanid� remote_chanid� transportr��r��r��r�� in_buffer�in_stderr_buffer�timeoutr��ultra_debug� threading�Lock�lock� Condition� out_buffer_cv�in_window_size�out_window_size�in_max_packet_size�out_max_packet_size�in_window_threshold�in_window_sofar�Event�status_event�str�_namer�� get_logger�logger�_pipe�event�event_ready�combine_stderr�exit_status�origin_addr)r��r%��r��r��r ��__init__\��s8�� zChannel.__init__c��C��s��z\|��W�d�S��Y�d�S��N)�close�r��r��r��r ��__del__��s��zChannel.__del__c��C��s��d��\|�j�}\|�jr\|d7�}n\|�jr8\|�jr\|d7�}\|�jr\|d7�}\|d��\|�j�7�}t\|�j�dkr8\|d��t\|�j��7�}\|dt \|�j ��7�}\|d 7�}\|S�) zO Return a string representation of this object, for debugging. z<paramiko.Channel {}z (closed)z (EOF received)z (EOF sent)z (open) window={}r��z in-buffer={}z -> �>)�formatr%��r��r��r��r��r2��lenr(��reprr'��)r��outr��r��r ��__repr__��s�� zChannel.__repr__�vt100�P��r��c��C��s��t��}\|�t��\|�\|�j��\|�d��\|�d��\|�\|��\|�\|��\|�\|��\|�\|��\|�\|��\|�t��\|��\|�j � \|��\|��dS�)ak�� Request a pseudo-terminal from the server. This is usually used right after creating a client channel, to ask the server to provide some basic terminal semantics for a shell invoked with `invoke_shell`. It isn't necessary (or desirable) to call this method if you're going to execute a single command with `exec_command`. :param str term: the terminal type to emulate (for example, ``'vt100'``) :param int width: width (in characters) of the terminal screen :param int height: height (in characters) of the terminal screen :param int width_pixels: width (in pixels) of the terminal screen :param int height_pixels: height (in pixels) of the terminal screen :raises: `.SSHException` -- if the request was rejected or the channel was closed �pty-reqTN)r��add_byter��add_intr&�� add_string�add_boolean�bytes�_event_pendingr'��_send_user_message�_wait_for_event)r��term�width�height�width_pixels� height_pixels�mr��r��r ��get_pty��s�� zChannel.get_ptyc��C��sP��t��}\|�t��\|�\|�j��\|�d��\|�d��\|��\|�j� \|��\|�� dS�)a�� Request an interactive shell session on this channel. If the server allows it, the channel will then be directly connected to the stdin, stdout, and stderr of the shell. Normally you would call `get_pty` before this, in which case the shell will operate through the pty, and the channel will be connected to the stdin and stdout of the pty. When the shell exits, the channel will be closed and can't be reused. You must open a new channel if you wish to open another shell. :raises: `.SSHException` -- if the request was rejected or the channel was closed �shellTN�r��rR��r��rS��r&��rT��rU��rW��r'��rX��rY��r��r_��r��r��r ��invoke_shell��s�� zChannel.invoke_shellc��C��Z��t��}\|�t��\|�\|�j��\|�d��\|�d��\|�\|��\|��\|�j� \|��\|�� dS�)a'�� Execute a command on the server. If the server allows it, the channel will then be directly connected to the stdin, stdout, and stderr of the command being executed. When the command finishes executing, the channel will be closed and can't be reused. You must open a new channel if you wish to execute another command. :param str command: a shell command to execute. :raises: `.SSHException` -- if the request was rejected or the channel was closed �execTNrb��)r��commandr_��r��r��r ��exec_command��s�� zChannel.exec_commandc��C��re��)a�� Request a subsystem on the server (for example, ``sftp``). If the server allows it, the channel will then be directly connected to the requested subsystem. When the subsystem finishes, the channel will be closed and can't be reused. :param str subsystem: name of the subsystem being requested. :raises: `.SSHException` -- if the request was rejected or the channel was closed � subsystemTNrb��)r��ri��r_��r��r��r ��invoke_subsystem��s�� zChannel.invoke_subsystemc��C��sh��t��}\|�t��\|�\|�j��\|�d��\|�d��\|�\|��\|�\|��\|�\|��\|�\|��\|�j�\|��dS�)aP�� Resize the pseudo-terminal. This can be used to change the width and height of the terminal emulation created in a previous `get_pty` call. :param int width: new width (in characters) of the terminal screen :param int height: new height (in characters) of the terminal screen :param int width_pixels: new width (in pixels) of the terminal screen :param int height_pixels: new height (in pixels) of the terminal screen :raises: `.SSHException` -- if the request was rejected or the channel was closed � window-changeFN� r��rR��r��rS��r&��rT��rU��r'��rX��)r��r[��r\��r]��r^��r_��r��r��r �� resize_pty��s�� zChannel.resize_ptyc��C��sR��\|��D�]"\}}z\|��\|\|��W�q�ty&�}�z d}t\|�\|�\|��d}~ww�dS�)a�� Updates this channel's remote shell environment. .. note:: This operation is additive - i.e. the current environment is not reset before the given environment variables are set. .. warning:: Servers may silently reject some environment variables; see the warning in `set_environment_variable` for details. :param dict environment: a dictionary containing the name and respective values to set :raises: `.SSHException` -- if any of the environment variables was rejected by the server or the channel was closed z(Failed to set environment variable "{}".N)�items�set_environment_variabler��rI��)r��environment�name�value�e�errr��r��r ��update_environment5��s��zChannel.update_environmentc��C��sT��t��}\|�t��\|�\|�j��\|�d��\|�d��\|�\|��\|�\|��\|�j�\|��dS�)a`�� Set the value of an environment variable. .. warning:: The server may reject this request depending on its ``AcceptEnv`` setting; such rejections will fail silently (which is common client practice for this particular request type). Make sure you understand your server's configuration before using! :param str name: name of the environment variable :param str value: value of the environment variable :raises: `.SSHException` -- if the request was rejected or the channel was closed �envFNrl��)r��rq��rr��r_��r��r��r ��ro��O��s�� z Channel.set_environment_variablec��C��s��\|�j�p\|�j��S�)a�� Return true if the remote process has exited and returned an exit status. You may use this to poll the process status if you don't want to block in `recv_exit_status`. Note that the server may not return an exit status in some cases (like bad servers). :return: ``True`` if `recv_exit_status` will return immediately, else ``False``. .. versionadded:: 1.7.3 )r��r8��is_setrF��r��r��r ��exit_status_readyj��s�� zChannel.exit_status_readyc��C��s��\|�j��\|�j��sJ��\|�jS�)a3�� Return the exit status from the process on the server. This is mostly useful for retrieving the results of an `exec_command`. If the command hasn't finished yet, this method will wait until it does, or until the channel is closed. If no exit status is provided by the server, -1 is returned. .. warning:: In some situations, receiving remote output larger than the current `.Transport` or session's ``window_size`` (e.g. that set by the ``default_window_size`` kwarg for `.Transport.__init__`) will cause `.recv_exit_status` to hang indefinitely if it is called prior to a sufficiently large `.Channel.recv` (or if there are no threads calling `.Channel.recv` in the background). In these cases, ensuring that `.recv_exit_status` is called after `.Channel.recv` (or, again, using threads) can avoid the hang. :return: the exit code (as an `int`) of the process on the server. .. versionadded:: 1.2 )r8��waitrw��rA��rF��r��r��r ��recv_exit_statusy��s�� zChannel.recv_exit_statusc��C��sJ��t��}\|�t��\|�\|�j��\|�d��\|�d��\|�\|��\|�j�\|��dS�)aS�� Send the exit status of an executed command to the client. (This really only makes sense in server mode.) Many clients expect to get some sort of status code back from an executed command after it completes. :param int status: the exit code of the process .. versionadded:: 1.2 �exit-statusFNrl��)r��statusr_��r��r��r ��send_exit_status��s�� zChannel.send_exit_statusNFc��C��s��\|du�rd}\|du�rt��t�d��}t��}\|�t��\|�\|�j��\|� d��\|� d��\|� \|��\|� \|��\|� \|��\|�\|��\|��\|�j� \|��\|��\|�j�\|��\|S�)aM�� Request an x11 session on this channel. If the server allows it, further x11 requests can be made from the server to the client, when an x11 application is run in a shell session. From :rfc:`4254`:: It is RECOMMENDED that the 'x11 authentication cookie' that is sent be a fake, random cookie, and that the cookie be checked and replaced by the real cookie when a connection request is received. If you omit the auth_cookie, a new secure random 128-bit value will be generated, used, and returned. You will need to use this value to verify incoming x11 requests and replace them with the actual local x11 cookie (which requires some knowledge of the x11 protocol). If a handler is passed in, the handler is called from another thread whenever a new x11 connection arrives. The default handler queues up incoming x11 connections, which may be retrieved using `.Transport.accept`. The handler's calling signature is:: handler(channel: Channel, (address: str, port: int)) :param int screen_number: the x11 screen number (0, 10, etc.) :param str auth_protocol: the name of the X11 authentication method used; if none is given, ``"MIT-MAGIC-COOKIE-1"`` is used :param str auth_cookie: hexadecimal string containing the x11 auth cookie; if none is given, a secure random 128-bit value is generated :param bool single_connection: if True, only a single x11 connection will be forwarded (by default, any number of x11 connections can arrive over this session) :param handler: an optional callable handler to use for incoming X11 connections :return: the auth_cookie used NzMIT-MAGIC-COOKIE-1��x11-reqT)�binascii�hexlify�os�urandomr��rR��r��rS��r&��rT��rU��rW��r'��rX��rY��_set_x11_handler)r�� screen_number� auth_protocol�auth_cookie�single_connection�handlerr_��r��r��r ��request_x11��s$��/ zChannel.request_x11c��C��sL��t��}\|�t��\|�\|�j��\|�d��\|�d��\|�j�\|��\|�j� \|��dS�)a�� Request for a forward SSH Agent on this channel. This is only valid for an ssh-agent from OpenSSH !!! :param handler: a required callable handler to use for incoming SSH Agent connections :return: True if we are ok, else False (at that time we always return ok) :raises: SSHException in case of channel problem. �auth-agent-req@openssh.comFT) r��rR��r��rS��r&��rT��rU��r'��rX��_set_forward_agent_handler)r��r��r_��r��r��r ��request_forward_agent��s�� zChannel.request_forward_agentc��C��\|�j�S�)zG Return the `.Transport` associated with this channel. )r'��rF��r��r��r �� get_transport��zChannel.get_transportc��C�� \|\|�_�dS�)z� Set a name for this channel. Currently it's only used to set the name of the channel in logfile entries. The name can be fetched with the `get_name` method. :param str name: new channel name N�r:��)r��rq��r��r��r ��set_name �� zChannel.set_namec��C��r��)zU Get the name of this channel that was previously set by `set_name`. r��rF��r��r��r ��get_name��r��zChannel.get_namec��C��r��)a3�� Return the `int` ID # for this channel. The channel ID is unique across a `.Transport` and usually a small number. It's also the number passed to `.ServerInterface.check_channel_request` when determining whether to accept a channel request in server mode. )r%��rF��r��r��r ��get_id��s�� zChannel.get_idc��C��sd��t��}\|�j��z\|�j}\|\|�_\|r\|s\|�j��}W�\|�j��n\|�j��w�t\|�dkr0\|��\|��\|S�)a�� Set whether stderr should be combined into stdout on this channel. The default is ``False``, but in some cases it may be convenient to have both streams combined. If this is ``False``, and `exec_command` is called (or ``invoke_shell`` with no pty), output to stderr will not show up through the `recv` and `recv_ready` calls. You will have to use `recv_stderr` and `recv_stderr_ready` to get stderr output. If this is ``True``, data will never show up via `recv_stderr` or `recv_stderr_ready`. :param bool combine: ``True`` if stderr output should be combined into stdout on this channel. :return: the previous setting (a `bool`). .. versionadded:: 1.1 r��) rV��r.��acquirer@��r)��empty�releaserJ��_feed)r��combine�data�oldr��r��r ��set_combine_stderr%��s�� zChannel.set_combine_stderrc��C��r��)a�� Set a timeout on blocking read/write operations. The ``timeout`` argument can be a nonnegative float expressing seconds, or ``None``. If a float is given, subsequent channel read/write operations will raise a timeout exception if the timeout period value has elapsed before the operation has completed. Setting a timeout of ``None`` disables timeouts on socket operations. ``chan.settimeout(0.0)`` is equivalent to ``chan.setblocking(0)``; ``chan.settimeout(None)`` is equivalent to ``chan.setblocking(1)``. :param float timeout: seconds to wait for a pending read/write operation before raising ``socket.timeout``, or ``None`` for no timeout. N�r��)r��r��r��r��r �� settimeoutJ��s�� zChannel.settimeoutc��C��r��)z� Returns the timeout in seconds (as a float) associated with socket operations, or ``None`` if no timeout is set. This reflects the last call to `setblocking` or `settimeout`. r��rF��r��r��r �� gettimeout\��s��zChannel.gettimeoutc��C��s ��\|r \|��d��dS�\|��d��dS�)aZ�� Set blocking or non-blocking mode of the channel: if ``blocking`` is 0, the channel is set to non-blocking mode; otherwise it's set to blocking mode. Initially all channels are in blocking mode. In non-blocking mode, if a `recv` call doesn't find any data, or if a `send` call can't immediately dispose of the data, an error exception is raised. In blocking mode, the calls block until they can proceed. An EOF condition is considered "immediate data" for `recv`, so if the channel is closed in the read direction, it will never block. ``chan.setblocking(0)`` is equivalent to ``chan.settimeout(0)``; ``chan.setblocking(1)`` is equivalent to ``chan.settimeout(None)``. :param int blocking: 0 to set non-blocking mode; non-0 to set blocking mode. N��)r��)r��blockingr��r��r ��setblockingd��s��zChannel.setblockingc��C�� \|�j��S�)a�� Return the address of the remote side of this Channel, if possible. This simply wraps `.Transport.getpeername`, used to provide enough of a socket-like interface to allow asyncore to work. (asyncore likes to call ``'getpeername'``.) )r'��getpeernamerF��r��r��r ��r��{��r��zChannel.getpeernamec��C��s��\|�j��z&\|�jdur\|�j��d\|�_\|�jr\|�jr!W�\|�j��dS�\|��}W�\|�j��n\|�j��w�\|D�]}\|dur@\|�j� \|��q4dS�)a+�� Close the channel. All future read/write operations on the channel will fail. The remote end will receive no more data (after queued data is flushed). Channels are automatically closed when their `.Transport` is closed or when they are garbage collected. N) r.��r��r=��rE��r��r��r��_close_internalr'��rX��)r��msgsr_��r��r��r ��rE��s�� z Channel.closec��C��r��)av�� Returns true if data is buffered and ready to be read from this channel. A ``False`` result does not mean that the channel has closed; it means you may need to wait before more data arrives. :return: ``True`` if a `recv` call on this channel would immediately return at least one byte; ``False`` otherwise. )r(�� read_readyrF��r��r��r �� recv_ready��s�� zChannel.recv_readyc��C��x��z \|�j��\|\|�j�}W�n�ty��t��w�\|��t\|��}\|dkr:t��}\|�t ��\|� \|�j��\|� \|��\|�j� \|��\|S�)a�� Receive data from the channel. The return value is a string representing the data received. The maximum amount of data to be received at once is specified by ``nbytes``. If a string of length zero is returned, the channel stream has closed. :param int nbytes: maximum number of bytes to read. :return: received data, as a `bytes`. :raises socket.timeout: if no data is ready before the timeout set by `settimeout`. r��)r(��readr��r��socket�_check_add_windowrJ��r��rR��r��rS��r&��r'��rX��r��nbytesrL��ackr_��r��r��r ��recv��s�� zChannel.recvc��C��r��)a�� Returns true if data is buffered and ready to be read from this channel's stderr stream. Only channels using `exec_command` or `invoke_shell` without a pty will ever have data on the stderr stream. :return: ``True`` if a `recv_stderr` call on this channel would immediately return at least one byte; ``False`` otherwise. .. versionadded:: 1.1 )r)��r��rF��r��r��r ��recv_stderr_ready��s�� zChannel.recv_stderr_readyc��C��r��)a�� Receive data from the channel's stderr stream. Only channels using `exec_command` or `invoke_shell` without a pty will ever have data on the stderr stream. The return value is a string representing the data received. The maximum amount of data to be received at once is specified by ``nbytes``. If a string of length zero is returned, the channel stream has closed. :param int nbytes: maximum number of bytes to read. :return: received data as a `bytes` :raises socket.timeout: if no data is ready before the timeout set by `settimeout`. .. versionadded:: 1.1 r��)r)��r��r��r��r��r��rJ��r��rR��r��rS��r&��r'��rX��r��r��r��r ��recv_stderr��s�� zChannel.recv_stderrc��C��sJ��\|�j��z\|�js\|�jrW�\|�j��dS�\|�jdkW�\|�j��S�\|�j��w�)a#�� Returns true if data can be written to this channel without blocking. This means the channel is either closed (so any write attempt would return immediately) or there is at least one byte of space in the outbound buffer. If there is at least one byte of space in the outbound buffer, a `send` call will succeed immediately and return the number of bytes actually written. :return: ``True`` if a `send` call on this channel would immediately succeed or fail Tr��)r.��r��r��r��r��r2��rF��r��r��r �� send_ready��s�� zChannel.send_readyc��C��s(��t��}\|�t��\|�\|�j��\|��\|\|�S�)a�� Send data to the channel. Returns the number of bytes sent, or 0 if the channel stream is closed. Applications are responsible for checking that all data has been sent: if only some of the data was transmitted, the application needs to attempt delivery of the remaining data. :param bytes s: data to send :return: number of bytes actually sent, as an `int` :raises socket.timeout: if no data could be sent before the timeout set by `settimeout`. )r��rR��r��rS��r&��_send�r��sr_��r��r��r ��send ��s�� zChannel.sendc��C��s2��t��}\|�t��\|�\|�j��\|�d��\|��\|\|�S�)a�� Send data to the channel on the "stderr" stream. This is normally only used by servers to send output from shell commands -- clients won't use this. Returns the number of bytes sent, or 0 if the channel stream is closed. Applications are responsible for checking that all data has been sent: if only some of the data was transmitted, the application needs to attempt delivery of the remaining data. :param bytes s: data to send. :return: number of bytes actually sent, as an `int`. :raises socket.timeout: if no data could be sent before the timeout set by `settimeout`. .. versionadded:: 1.1 ��)r��rR��r��rS��r&��r��r��r��r��r ��send_stderr!��s �� zChannel.send_stderrc��C��"��\|r\|��\|�}\|\|d��}\|sdS�)a�� Send data to the channel, without allowing partial results. Unlike `send`, this method continues to send data from the given string until either all data has been sent or an error occurs. Nothing is returned. :param bytes s: data to send. :raises socket.timeout: if sending stalled for longer than the timeout set by `settimeout`. :raises socket.error: if an error occurred before the entire string was sent. .. note:: If the channel is closed while only part of the data has been sent, there is no way to determine how much data (if any) was sent. This is irritating, but identically follows Python's API. N)r��r��r��sentr��r��r ��sendall9��s �� zChannel.sendallc��C��r��)aK�� Send data to the channel's "stderr" stream, without allowing partial results. Unlike `send_stderr`, this method continues to send data from the given bytestring until all data has been sent or an error occurs. Nothing is returned. :param bytes s: data to send to the client as "stderr" output. :raises socket.timeout: if sending stalled for longer than the timeout set by `settimeout`. :raises socket.error: if an error occurred before the entire string was sent. .. versionadded:: 1.1 N)r��r��r��r��r ��sendall_stderrP��s �� zChannel.sendall_stderrc��G��t�\|�gt\|��S�)a(�� Return a file-like object associated with this channel. The optional ``mode`` and ``bufsize`` arguments are interpreted the same way as by the built-in ``file()`` function in Python. :return: `.ChannelFile` object which can be used for Python file I/O. )�ChannelFile�list�r��paramsr��r��r ��makefilee��s��zChannel.makefilec��G��r��)a}�� Return a file-like object associated with this channel's stderr stream. Only channels using `exec_command` or `invoke_shell` without a pty will ever have data on the stderr stream. The optional ``mode`` and ``bufsize`` arguments are interpreted the same way as by the built-in ``file()`` function in Python. For a client, it only makes sense to open this file for reading. For a server, it only makes sense to open this file for writing. :returns: `.ChannelStderrFile` object which can be used for Python file I/O. .. versionadded:: 1.1 )�ChannelStderrFiler��r��r��r��r ��makefile_stderro��s��zChannel.makefile_stderrc��G��r��)a�� Return a file-like object associated with this channel's stdin stream. The optional ``mode`` and ``bufsize`` arguments are interpreted the same way as by the built-in ``file()`` function in Python. For a client, it only makes sense to open this file for writing. For a server, it only makes sense to open this file for reading. :returns: `.ChannelStdinFile` object which can be used for Python file I/O. .. versionadded:: 2.6 )�ChannelStdinFiler��r��r��r��r ��makefile_stdin��s��zChannel.makefile_stdinc��C��s��\|�j��z4\|�jdur\|�j��W�\|�j��S�t��\|�_t�\|�j�\}}\|�j� \|��\|�j � \|��\|�j��W�\|�j��S�\|�j��w�)a�� Returns an OS-level file descriptor which can be used for polling, but but not for reading or writing. This is primarily to allow Python's ``select`` module to work. The first time ``fileno`` is called on a channel, a pipe is created to simulate real OS-level file descriptor (FD) behavior. Because of this, two OS-level FDs are created, which will use up FDs faster than normal. (You won't notice this effect unless you have hundreds of channels open at the same time.) :return: an OS-level file descriptor (`int`) .. warning:: This method causes channel reads to be slightly less efficient. N)r.��r��r=��filenor��r�� make_pipe�make_or_piper(�� set_eventr)��)r��p1�p2r��r��r ��r��s�� zChannel.filenoc��C��st��\|dks\|dkrd\|�_�\|dks\|dkr6\|�j��z\|��}W�\|�j��n\|�j��w�\|dur8\|�j�\|��dS�dS�dS�)a�� Shut down one or both halves of the connection. If ``how`` is 0, further receives are disallowed. If ``how`` is 1, further sends are disallowed. If ``how`` is 2, further sends and receives are disallowed. This closes the stream in one or both directions. :param int how: 0 (stop receiving), 1 (stop sending), or 2 (stop receiving and sending). r��r��N)r��r.��r�� _send_eofr��r'��rX��)r��howr_��r��r��r ��shutdown��s�� zChannel.shutdownc��C��\|��d��dS�)a\|�� Shutdown the receiving side of this socket, closing the stream in the incoming direction. After this call, future reads on this channel will fail instantly. This is a convenience method, equivalent to ``shutdown(0)``, for people who don't make it a habit to memorize unix constants from the 1970s. .. versionadded:: 1.2 r��N�r��rF��r��r��r �� shutdown_read�� zChannel.shutdown_readc��C��r��)a{�� Shutdown the sending side of this socket, closing the stream in the outgoing direction. After this call, future writes on this channel will fail instantly. This is a convenience method, equivalent to ``shutdown(1)``, for people who don't make it a habit to memorize unix constants from the 1970s. .. versionadded:: 1.2 r��Nr��rF��r��r��r ��shutdown_write��r��zChannel.shutdown_writec��C��r��rD��)r��rF��r��r��r ��_closed��r��zChannel._closedc��C��s��\|\|�_�t�\|�j��\|�_d�S�rD��)r'��r��r;��get_log_channelr<��)r��r'��r��r��r ��_set_transport��s��zChannel._set_transportc��C��s2��\|\|�_�\|\|�_\|d�\|�_d\|�_\|��td�\|��d�S�)N� ��r��zMax packet in: {} bytes)r1��r3��r5��r6��_logr ��rI��)r��window_size�max_packet_sizer��r��r ��_set_window��s �� zChannel._set_windowc��C��s8��\|\|�_�\|\|�_\|�j�\|�\|�_d\|�_\|��td�\|�j��d�S�)Nr��zMax packet out: {} bytes) r&��r2��r'��_sanitize_packet_sizer4��r��r��r ��rI��)r��r%��r��r��r��r��r ��_set_remote_channel��s��zChannel._set_remote_channelc��C��s(��\|��td�\|�j��d\|�_\|�j��d�S�)NzSesch channel {} request okT)r��r ��rI��r%��r?��r>��setrc��r��r��r ��_request_success��s�� zChannel._request_successc��C��sP��\|�j��z\|��}W�\|�j��n\|�j��w�\|D�]}\|d�ur%\|�j�\|��qd�S�rD��)r.��r��r��r��r'��rX��r��r_��r��r��r��r ��_request_failed��s�� zChannel._request_failedc��C��s(��t�\|t�r\|}n\|��}\|�j�\|��d�S�rD��)� isinstancerV�� get_binaryr(��feed)r��r_��r��r��r��r ��r��s�� z Channel._feedc��C��sR��\|��}\|��}\|dkr\|��td�\|��d�S�\|�jr!\|��\|��d�S�\|�j�\|��d�S�)Nr��z)unknown extended_data type {}; discarding) �get_intr��r��r ��rI��r@��r��r)��r��)r��r_��coder��r��r��r ��_feed_extended��s�� zChannel._feed_extendedc��C��s`��\|��}\|�j��z \|�jr\|��td�\|��\|��j\|7��_\|�j� ��W�\|�j� ��d�S�\|�j� ��w�)Nzwindow up {})r��r.��r��r+��r��r ��rI��r2��r0�� notify_allr��)r��r_��r��r��r��r ��_window_adjust$��s�� zChannel._window_adjustc�� C��sr��\|��}\|��}\|�jj}d}\|dkr\|��\|�_\|�j��d}n�\|dkr&d}n�\|dkrU\|��}\|��}\|��}\|��} \|��} \|��}\|d�u�rId}n�\|� \|�\|\|\|\| \| \|�}n�\|dkrf\|d�u�r`d}n�\|� \|��}n�\|dkr�\|��}\|��} \|d�u�ryd}n�\|�\|�\|\| �}n�\|dkr�\|��}\|d�u�r�d}n�\|�\|�\|�}n~\|d kr�\|��}\|d�u�r�d}no\|� \|�\|�}nh\|d kr�\|��}\|��}\|��} \|��} \|d�u�r�d}nM\|�\|�\|\|\| \| �}nC\|dkr�\|��}\|��}\|��}\|��}\|d�u�r�d}n(\|�\|�\|\|\|\|�}n\|dk�r \|d�u��rd}n\|�\|��}n\|��td �\|��d}\|�r7t��}\|�r$\|�t��n\|�t��\|�\|�j��\|�j�\|��d�S�d�S�)NFr{��Tzxon-xoffrQ��ra��rv��rf��ri��rk��r��r��zUnhandled channel request "{}")�get_text�get_booleanr'�� server_objectr��rA��r8��r�� get_string�check_channel_pty_request�check_channel_shell_request�check_channel_env_request�check_channel_exec_request�check_channel_subsystem_request�#check_channel_window_change_requestr��check_channel_x11_request�#check_channel_forward_agent_requestr��r ��rI��r��rR��r��r��rS��r&��rX��)r��r_��key� want_reply�server�okrZ��r[��r\�� pixelwidth�pixelheight�modesrq��rr��cmdr�� auth_protor��r��r��r��r ��_handle_request/��s�� zChannel._handle_requestc��C��sr��\|�j��z!\|�js d\|�_\|�j��\|�j��\|�jd�ur \|�j��W�\|�j��n\|�j��w�\|�� t d�\|�j��d�S�)NTzEOF received ({})) r.��r��r��r(��rE��r)��r=��set_foreverr��r��r ��rI��r:��rc��r��r��r ��_handle_eof��s�� zChannel._handle_eofc��C��s^��\|�j��z\|��}\|�j�\|�j��W�\|�j��n\|�j��w�\|D�]}\|d�ur,\|�j�\|��q d�S�rD��)r.��r��r��r'��_unlink_channelr%��r��rX��r��r��r��r �� _handle_close��s�� zChannel._handle_closec��C��s��t�\|�}\|�j��z)\|�jrt�d��\|��\|�}\|dkr#W�\|�j��dS�\|�\|d�\|��W�\|�j��n\|�j��w�\|�j � \|��\|S�)NzSocket is closedr��)rJ��r.��r��r��r��error�_wait_for_send_windowr��rT��r'��rX��)r��r��r_��sizer��r��r ��r��s�� z Channel._sendc��G��s(��\|�j�j\|d\|�j�d�\|�g\|�R��d�S�)Nz[chan z] )r<��logr:��)r��level�msgr��r��r��r ��r��s��(zChannel._logc��C��s��\|�j��d\|�_d�S�)NF)r>��clearr?��rF��r��r��r ��rW��s�� zChannel._event_pendingc��C��s@��\|�j��\|�j��sJ��\|�jrd�S�\|�j��}\|d�u�rtd�}\|�)NzChannel closed.)r>��ry��rw��r?��r'�� get_exceptionr��)r��rs��r��r��r ��rY��s�� zChannel._wait_for_eventc��C��sT��d\|�_�\|�j��\|�j��\|�j��\|�j��\|�j��\|�j d�ur(\|�j � ��d�S�d�S�)NT)r��r(��rE��r)��r0��r��r>��r��r8��r=��r��rF��r��r��r ��_set_closed��s�� zChannel._set_closedc��C��sD��\|�j�rd�S�t��}\|�t��\|�\|�j��d\|�_�\|��td�\|�j ��\|S�)NTz EOF sent ({})) r��r��rR��r ��rS��r&��r��r ��rI��r:��rc��r��r��r ��r��s�� zChannel._send_eofc��C��sD��\|�j�r\|�jrdS�\|��}t��}\|�t��\|�\|�j��\|��\|\|fS�)N)NN) r��r��r��r��rR��r��rS��r&��r��)r��m1�m2r��r��r ��r��s�� zChannel._close_internalc��C��sH��\|�j�rd�S�\|�j��z\|��\|�j�\|�j��W�\|�j��d�S�\|�j��w�rD��)r��r.��r��r��r'��r��r%��r��rF��r��r��r ��_unlink��s�� zChannel._unlinkc��C��s��\|�j��zM\|�js\|�js\|�jsW�\|�j��dS�\|�jr#\|��td� \|��\|��j \|7��_ \|�j \|�jkr8W�\|�j��dS�\|�jrE\|��td� \|�j ��\|�j }d\|�_ \|W�\|�j��S�\|�j��w�)Nr��zaddwindow {}zaddwindow send {})r.��r��r��r��r��r��r+��r��r ��rI��r6��r5��)r��nrL��r��r��r ��r��s&�� zChannel._check_add_windowc��C��s��\|�j�s\|�jrdS�\|�jdkrI\|�jdkrt��\|�j}\|�jdkrI\|�j�s$\|�jr&dS�t��}\|�j�\|��\|durD\|t��\|�8�}\|dkrDt��\|�jdks\|�j�sO\|�jrQdS�\|�j\|k�rY\|�j}\|�jd�\|k�re\|�jd�}\|��j\|8��_\|�j ry\|�� td�\|�j��\|S�)aD�� (You are already holding the lock.) Wait for the send window to open up, and allocate up to ``size`` bytes for transmission. If no space opens up before the timeout, a timeout exception is raised. Returns the number of bytes available to send (may be less than requested). r��r��N�@��zwindow down to {}) r��r��r2��r��r��timer0��ry��r4��r+��r��r ��rI��)r��r��r��thenr��r��r ��r��s4�� zChannel._wait_for_send_window)rN��rO��rP��r��r��)rO��rP��r��r��)r��NNFN)E�__name__� __module__�__qualname__�__doc__rC��rG��rM��r"��r`��rd��rh��rj��rm��ru��ro��rx��rz��r}��r��r��r��r��r��r��r��r��r��r��r��rE��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��propertyr��r��r��r��r��r��r��r��r��r��r��r ��r��r��rW��rY��r��r��r��r��r��r��r��r��r��r ��r#��K��s��,�) �B % ! \ r#��c��@��s2��e�Zd�ZdZd dd�Zdd��Zdd ��Zd d��ZdS�)r��a�� A file-like wrapper around `.Channel`. A ChannelFile is created by calling `Channel.makefile`. .. warning:: To correctly emulate the file object created from a socket's `makefile <python:socket.socket.makefile>` method, a `.Channel` and its `.ChannelFile` should be able to be closed or garbage-collected independently. Currently, closing the `ChannelFile` does nothing but flush the buffer. �rr$��c��C��s ��\|\|�_�t�\|��\|��\|\|��d�S�rD��)�channelr��rC�� _set_mode)r��r ��mode�bufsizer��r��r ��rC��C��s�� zChannelFile.__init__c��C��s��dt�\|�j��d�S�)zP Returns a string representation of this object, for debugging. z<paramiko.ChannelFile from rH��)rK��r ��rF��r��r��r ��rM��H��s��zChannelFile.__repr__c��C��\|�j��\|�S�rD��)r ��r��r��r��r��r��r ��_readN��zChannelFile._readc��C��\|�j��\|��t\|�S�rD��)r ��r��rJ��r��r��r��r��r ��_writeQ��zChannelFile._writeN)r��r$��)r��r��r��r��rC��rM��r&��r��r��r��r��r ��r��6��s�� r��c��@��s ��e�Zd�ZdZdd��Zdd��ZdS�)r��zg A file-like wrapper around `.Channel` stderr. See `Channel.makefile_stderr` for details. c��C��r$��rD��)r ��r��r%��r��r��r ��r&��]��r'��zChannelStderrFile._readc��C��r(��rD��)r ��r��rJ��r)��r��r��r ��r��`��r+��zChannelStderrFile._writeN)r��r��r��r��r&��r��r��r��r��r ��r��V��s��r��c��s ��e�Zd�ZdZ��fdd�Z��ZS�)r��ze A file-like wrapper around `.Channel` stdin. See `Channel.makefile_stdin` for details. c��s��t��\|�j��d�S�rD��)�superrE��r ��r��rF�� __class__r��r ��rE��l��s�� zChannelStdinFile.close)r��r��r��r��rE�� __classcell__r��r��r-��r ��r��e��s��r��)&r��r��r��r��r��r,�� functoolsr��paramikor��paramiko.commonr��r��r��r��r ��r ��r��r��r ��r��paramiko.messager��paramiko.ssh_exceptionr�� paramiko.filer��paramiko.buffered_piper��r��r�� paramiko.utilr��r"��r#��r��r��r��r��r��r��r ��<module>��s:��0��t ��__pycache__/kex_group1.cpython-310.pyc��0000644��00000007465�15030210772�0013552 0��ustar�00��o ��hl��@��s��d�Z�ddlZddlmZ�ddlmZ�ddlmZmZm Z m Z �ddlmZ�ddl mZ�edd �\ZZd d��edd �D��\ZZe d�ed ��Zed�ZG�dd��d�ZdS�)z� Standard SSH key exchange ("kex" if you wanna sound cool). Diffie-Hellman of 1024 bit key halves, using a known "p" prime and "g" generator. ��N)�sha1)�util)�max_byte� zero_byte�byte_chr� byte_mask)�Message)�SSHException�� c��C��s��g�\|�]}t�\|��qS��)r��)�.0�cr��r��F/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/kex_group1.py� <listcomp>"��s��r��c��@��sL��e�Zd�ZdZdZdZeZdd��Zdd��Z dd ��Z d d��Zdd ��Zdd��Z dS�)� KexGroup1lE��8�{3If?�E y�Z�3�V�58n�oP�e�?a-� �tBL� �y3W[�<�p�6m5��P��&a�F!�33�w& �AR�M;L}.�c\|&A�@�h\�&&#-D�v�d��zdiffie-hellman-group1-sha1c��C��s��\|\|�_�d\|�_d\|�_d\|�_d�S�)Nr��)� transport�x�e�f)�selfr��r��r��r��__init__1��s�� zKexGroup1.__init__c��C��s��\|��\|�jjrt\|�j\|�j\|�j�\|�_\|�j�t ��d�S�t\|�j\|�j\|�j�\|�_ t��}\|�t ��\|�\|�j ��\|�j�\|��\|�j�t��d�S�)N)�_generate_xr��server_mode�pow�Gr��Pr��_expect_packet�_MSG_KEXDH_INITr��r��add_byte�c_MSG_KEXDH_INIT� add_mpint� _send_message�_MSG_KEXDH_REPLY)r��mr��r��r�� start_kex7��s�� zKexGroup1.start_kexc��C��sF��\|�j�jr \|tkr \|��\|�S�\|�j�js\|tkr\|��\|�S�d}t\|�\|��)NzKexGroup1 asked to handle packet type {:d})r��r��r"��_parse_kexdh_initr'��_parse_kexdh_replyr ��format)r��ptyper(��msgr��r��r�� parse_nextF��s�� zKexGroup1.parse_nextc��C��sZ�� t��d�}t\|d�d�\|dd��}\|d�d��tkr$\|d�d��tkr$nqt�\|�\|�_d�S�)N��r��r��r��)�os�urandomr��b7fffffffffffffff�b0000000000000000r��inflate_longr��)r��x_bytesr��r��r��r��P��s�� zKexGroup1._generate_xc��C��s��\|��}\|��\|�_\|�jdk�s\|�j\|�jd�krtd��\|��}t\|�j\|�j\|�j�}t��}\|� \|�j j\|�j j\|�j j \|�j j��\|�\|��\|�\|�j��\|�\|�j��\|�\|��\|�j �\|\|��\|��\|�j �\|\|��\|�j ��d�S�)Nr0��zServer kex "f" is out of range)� get_string� get_mpintr��r ��r �� get_binaryr��r��r��addr�� local_version�remote_version�local_kex_init�remote_kex_init� add_stringr%��r��_set_K_H� hash_algo�asbytes�digest�_verify_key�_activate_outbound)r��r(��host_key�sig�K�hmr��r��r��r+��a��s(�� zKexGroup1._parse_kexdh_replyc��C��s��\|��\|�_\|�jdk�s\|�j\|�jd�krtd��t\|�j\|�j\|�j�}\|�j��}t ��}\|� \|�jj\|�jj\|�jj \|�jj��\|�\|��\|�\|�j��\|�\|�j��\|�\|��\|��\|��}\|�j�\|\|��\|�j��\|\|�jj�}t ��}\|�t��\|�\|��\|�\|�j��\|�\|��\|�j�\|��\|�j��d�S�)Nr0��zClient kex "e" is out of range)r9��r��r ��r ��r��r��r��get_server_keyrC��r��r;��r=��r<��r?��r>��r@��r%��r��rB��rD��rA�� sign_ssh_data� host_key_typer#��c_MSG_KEXDH_REPLYr&��rF��)r��r(��rI��keyrJ��HrH��r��r��r��r��z��s8�� zKexGroup1._parse_kexdh_initN)�__name__� __module__�__qualname__r ��r��namer��rB��r��r)��r/��r��r+��r��r��r��r��r��r��(��s�� r��)�__doc__r2��hashlibr��paramikor��paramiko.commonr��r��r��r��paramiko.messager��paramiko.ssh_exceptionr ��ranger"��r'��r$��rN��r4��r5��r��r��r��r��r��<module>��s��__pycache__/pipe.cpython-310.pyc��0000644��00000010200�15030210772�0012400 0��ustar�00��o ��h>��@��sZ��d�Z�ddlZddlZddlZdd��ZG�dd��d�ZG�dd��d�ZG�d d ��d �Zdd��ZdS�) a�� Abstraction of a one-way pipe where the read end can be used in `select.select`. Normally this is trivial, but Windows makes it nearly impossible. The pipe acts like an Event, which can be set or cleared. When set, the pipe will trigger as readable in `select <select.select>`. ��Nc��C��s&��t�jd�d��dkrt��}�\|�S�t��}�\|�S�)N��win)�sys�platform� PosixPipe�WindowsPipe)�p��r ��@/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/pipe.py� make_pipe!��s ��r��c��@��s<��e�Zd�Zdd��Zdd��Zdd��Zdd��Zd d ��Zdd��Zd S�)r��c��C��s&��t��\\|�_\|�_d\|�_d\|�_d\|�_d�S��NF)�os�pipe�_rfd�_wfd�_set�_forever�_closed��selfr ��r ��r ��__init__��s�� zPosixPipe.__init__c��C��s"��t��\|�j��t��\|�j��d\|�_d�S��NT)r ��closer��r��r��r��r ��r ��r ��r��0��s�� zPosixPipe.closec��C��s��\|�j�S��N)r��r��r ��r ��r ��fileno6��s��zPosixPipe.filenoc��C��s(��\|�j�r\|�jrd�S�t�\|�jd��d\|�_�d�S��N��F)r��r��r ��readr��r��r ��r ��r ��clear9��s�� zPosixPipe.clearc��C��s(��\|�j�s\|�jrd�S�d\|�_�t�\|�jd��d�S��NT��)r��r��r ��writer��r��r ��r ��r ��set?��s��z PosixPipe.setc��C��d\|�_�\|��d�S�r��r��r"��r��r ��r ��r ��set_foreverE��zPosixPipe.set_foreverN) �__name__� __module__�__qualname__r��r��r��r��r"��r%��r ��r ��r ��r ��r��)��s��r��c��@��s@��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd d��Zdd ��Z dS�)r��z� On Windows, only an OS-level "WinSock" may be used in select(), but reads and writes must be to the actual socket object. c��C��sz��t��t�jt�j�}\|�d��\|�d��t��t�jt�j�\|�_\|�j�d\|��d�f��\|��\\|�_ }\|� ��d\|�_d\|�_d\|�_ d�S�)N)� 127.0.0.1r��r��r��F)�socket�AF_INET�SOCK_STREAM�bind�listen�_rsock�connect�getsockname�accept�_wsockr��r��r��r��)r��serv�addrr ��r ��r ��r��P��s�� zWindowsPipe.__init__c��C��s��\|�j��\|�j��d\|�_d�S�r��)r0��r��r4��r��r��r ��r ��r ��r��_��s�� zWindowsPipe.closec��C��s ��\|�j��S�r��)r0��r��r��r ��r ��r ��r��e��s�� zWindowsPipe.filenoc��C��s&��\|�j�r\|�jrd�S�\|�j�d��d\|�_�d�S�r��)r��r��r0��recvr��r ��r ��r ��r��h��s�� zWindowsPipe.clearc��C��s&��\|�j�s\|�jrd�S�d\|�_�\|�j�d��d�S�r��)r��r��r4��sendr��r ��r ��r ��r"��n��s��zWindowsPipe.setc��C��r#��r��r$��r��r ��r ��r ��r%��t��r&��zWindowsPipe.set_foreverN) r'��r(��r)��__doc__r��r��r��r��r"��r%��r ��r ��r ��r ��r��J��s��r��c��@��s$��e�Zd�Zdd��Zdd��Zdd��ZdS�)�OrPipec��C��s��d\|�_�d�\|�_\|\|�_d�S�r��)r��_partner�_pipe)r��r��r ��r ��r ��r��z��s�� zOrPipe.__init__c��C�� d\|�_�\|�jj�s\|�j��d�S�d�S�r��)r��r;��r<��r"��r��r ��r ��r ��r"��z OrPipe.setc��C��r=��r��)r��r;��r<��r��r��r ��r ��r ��r��r>��zOrPipe.clearN)r'��r(��r)��r��r"��r��r ��r ��r ��r ��r:��y��s��r:��c��C��s$��t�\|��}t�\|��}\|\|_\|\|_\|\|fS�)z� wraps a pipe into two pipe-like objects which are "or"d together to affect the real pipe. if either returned pipe is set, the wrapped pipe is set. when both are cleared, the wrapped pipe is cleared. )r:��r;��)r��p1�p2r ��r ��r ��make_or_pipe��s ��rA��) r9��r��r ��r+��r��r��r��r:��rA��r ��r ��r ��r ��<module>��s�� !/��__pycache__/message.cpython-310.pyc��0000644��00000022221�15030210772�0013075 0��ustar�00��o ��h�$��@��sV��d�Z�ddlZddlmZ�ddlmZ�ddlmZmZm Z �ddl mZ�G�dd��d�ZdS�) z& Implementation of an SSH2 "message". ��N)�BytesIO)�util)� zero_byte�max_byte�one_byte)�uc��@��s��e�Zd�ZdZdZd>dd�Zdd��Zdd ��Zd d��Zdd ��Z dd��Z dd��Zdd��Zdd��Z dd��Zdd��Zdd��Zdd��Zdd��Zd d!��Zd"d#��Zd$d%��Zd&d'��Zd(d)��Zdd+��Zd,d-��Zd.d/��Zd0d1��Zd2d3��Zd4d5��Zd6d7��Zd8d9��Zd:d;��Z d<d=��Z!dS�)?�Messagea~�� An SSH2 message is a stream of bytes that encodes some combination of strings, integers, bools, and infinite-precision integers. This class builds or breaks down such a byte stream. Normally you don't need to deal with anything this low-level, but it's exposed for people implementing custom extensions, or features that paramiko doesn't support yet. l��~�Nc��C��s"��\|durt�\|�\|�_dS�t��\|�_dS�)z� Create a new SSH2 message. :param bytes content: the byte stream to use as the message content (passed in only when decomposing a message). N)r��packet)�self�content��r��C/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/message.py�__init__,��s��zMessage.__init__c��C��s��\|��S��N)�asbytes�r ��r��r��r �� __bytes__9��s��zMessage.__bytes__c��C��s��dt�\|�j��d�S�)zP Returns a string representation of this object, for debugging. zparamiko.Message(�))�reprr ��getvaluer��r��r��r ��__repr__<��zMessage.__repr__c��C��s ��\|�j��S�)zO Return the byte stream content of this Message, as a `bytes`. )r ��r��r��r��r��r ��r��C��s�� zMessage.asbytesc��C��s��\|�j��d��dS�)zk Rewind the message to the beginning as if no items had been parsed out of it yet. r��N)r ��seekr��r��r��r ��rewindI��s��zMessage.rewindc��C��s$��\|�j��}\|�j��}\|�j��\|��\|S�)zk Return the `bytes` of this message that haven't already been parsed and returned. )r ��tell�readr��)r ��position� remainderr��r��r �� get_remainderP��s�� zMessage.get_remainderc��C��s��\|�j��}\|��\|�j��\|�S�)z� Returns the `bytes` of this message that have been parsed and returned. The string passed into a message's constructor can be regenerated by concatenating ``get_so_far`` and `get_remainder`. )r ��r��r��r��)r ��r��r��r��r �� get_so_farZ��s�� zMessage.get_so_farc��C��sF��\|�j��\|�}d}t\|�\|��k�r\|k�r!n�\|S�\|t\|t\|��S�\|S�)a �� Return the next ``n`` bytes of the message, without decomposing into an int, decoded string, etc. Just the raw bytes are returned. Returns a string of ``n`` zero bytes if there weren't ``n`` bytes remaining in the message. i��)r ��r��lenr��)r ��n�b�max_pad_sizer��r��r �� get_bytesd��s��zMessage.get_bytesc��C��s ��\|��d�S�)a�� Return the next byte of the message, without decomposing it. This is equivalent to `get_bytes(1) <get_bytes>`. :return: the next (`bytes`) byte of the message, or ``b'�'`` if there aren't any bytes remaining. ��)r$��r��r��r��r ��get_byteq��s�� zMessage.get_bytec��C��s��\|��d�}\|tkS�)z2 Fetch a boolean from the stream. r%��)r$��r��r ��r"��r��r��r ��get_boolean\|��s�� zMessage.get_booleanc��C��s>��\|��d�}\|tkrt�\|��S�\|\|��d�7�}t�d\|�d�S�)zZ Fetch an int from the stream. :return: a 32-bit unsigned `int`. r%��>Ir��)r$��r��r��inflate_long� get_binary�struct�unpack)r ��byter��r��r ��get_adaptive_int��s �� zMessage.get_adaptive_intc��C��t��d\|��d��d�S�)z/ Fetch an int from the stream. r��r��r-��r.��r$��r��r��r��r ��get_int��r��zMessage.get_intc��C��r1��)zj Fetch a 64-bit int from the stream. :return: a 64-bit unsigned integer (`int`). �>Q��r��r3��r��r��r��r �� get_int64��s��zMessage.get_int64c��C��s��t��\|��S�)zr Fetch a long int (mpint) from the stream. :return: an arbitrary-length integer (`int`). )r��r+��r,��r��r��r��r �� get_mpint��zMessage.get_mpintc��C��\|��\|��S�)z� Fetch a "string" from the stream. This will actually be a `bytes` object, and may contain unprintable characters. (It's not unheard of for a string to contain another byte-stream message.) �r$��r4��r��r��r��r �� get_string��r9��zMessage.get_stringc��C��s��t�\|��S�)z� Fetch a Unicode string from the stream. This currently operates by attempting to encode the next "string" as ``utf-8``. )r��r<��r��r��r��r ��get_text��s��zMessage.get_textc��C��r:��)z@ Alias for `get_string` (obtains a bytestring). r;��r��r��r��r ��r,��s��zMessage.get_binaryc��C��s��\|��d�S�)z� Fetch a list of `strings <str>` from the stream. These are trivially encoded as comma-separated values in a string. �,)r=��splitr��r��r��r ��get_list��r9��zMessage.get_listc��C��\|�j��\|��\|�S�)zj Write bytes to the stream, without any formatting. :param bytes b: bytes to add �r ��writer'��r��r��r �� add_bytes��zMessage.add_bytesc��C��rA��)zq Write a single byte to the stream, without any formatting. :param bytes b: byte to add rB��r'��r��r��r ��add_byte��rE��zMessage.add_bytec��C��s$��\|r \|�j��t��\|�S�\|�j��t��\|�S�)za Add a boolean value to the stream. :param bool b: boolean value to add )r ��rC��r��r��r'��r��r��r ��add_boolean��s ��zMessage.add_booleanc��C��\|�j��t�d\|��\|�S��zU Add an integer to the stream. :param int n: integer to add r��r ��rC��r-��pack�r ��r!��r��r��r ��add_int��zMessage.add_intc��C��sB��\|t�jkr\|�j�t��\|��t�\|��\|�S�\|�j�t� d\|��\|�S�rI��) r��big_intr ��rC��r�� add_stringr��deflate_longr-��rK��rL��r��r��r ��add_adaptive_int��s�� zMessage.add_adaptive_intc��C��rH��)zX Add a 64-bit int to the stream. :param int n: long int to add r5��rJ��rL��r��r��r �� add_int64��rN��zMessage.add_int64c��C��s��\|��t�\|��\|�S�)z� Add a long int to the stream, encoded as an infinite-precision integer. This method only works on positive numbers. :param int z: long int to add )rP��r��rQ��)r ��zr��r��r �� add_mpint��s��zMessage.add_mpintc��C��s(��t��\|�}\|��t\|��\|�j�\|��\|�S�)z[ Add a bytestring to the stream. :param byte s: bytestring to add )r��r��rM��r ��r ��rC��)r ��sr��r��r ��rP��s�� zMessage.add_stringc��C��s��\|��d�\|��\|�S�)z� Add a list of strings to the stream. They are encoded identically to a single string of values separated by commas. (Yes, really, that's how SSH2 does it.) :param l: list of strings to add r>��)rP��join)r ��lr��r��r ��add_list��s��zMessage.add_listc��C��sJ��t�\|�tu�r\|��\|�S�t\|t�r\|��\|�S�t�\|�tu�r \|��\|�S�\|��\|�S�r��) �type�boolrG�� isinstance�intrR��listrY��rP��)r ��ir��r��r ��_add'��s�� zMessage._addc��G��s��\|D�]}\|��\|��qdS�)a�� Add a sequence of items to the stream. The values are encoded based on their type: bytes, str, int, bool, or list. .. warning:: Longs are encoded non-deterministically. Don't use this method. :param seq: the sequence of items N)r`��)r ��seq�itemr��r��r ��add3��s�� zMessage.addr��)"�__name__� __module__�__qualname__�__doc__rO��r��r��r��r��r��r��r��r$��r&��r(��r0��r4��r7��r8��r<��r=��r,��r@��rD��rF��rG��rM��rR��rS��rU��rP��rY��r`��rc��r��r��r��r ��r��s@�� r��) rg��r-��ior��paramikor��paramiko.commonr��r��r�� paramiko.utilr��r��r��r��r��r ��<module>��s��__pycache__/util.cpython-310.pyc��0000644��00000021265�15030210772�0012435 0��ustar�00��o ��hN%��@��s@��d�Z�ddlZddlZddlZddlZddlZddlmZmZm Z m Z mZmZ�ddl mZ�d5dd�Zd6d d �Zd7dd �Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Ze��adae��ad d!��Z efd"d#�Z!G�d$d%��d%�Z"e"��Z#d&d'��Z$d(d)��Z%G�dd+��d+�Z&d,d-��Z'd.d/��Z(d8d1d2�Z)d8d3d4�ZdS�)9z0 Useful functions used by the rest of paramiko. ��N)�DEBUG� zero_byte� xffffffff�max_byte�byte_ord�byte_chr)� SSHConfigFc�� C��s��d}d}\|st�\|��dkrt\|�d��dkrd}t�\|��d�r.t}\|r"t}\|dt�\|��d��\|��}�tdt�\|��d�D�]}\|d>�t�d\|�\|\|d��d��}q6\|rW\|ddt�\|��>�8�}\|S�)zTturns a normalized byte string into a long-int (adapted from Crypto.Util.number)r�� >I��)�lenr��r��r��range�struct�unpack)�s�always_positive�out�negative�filler�i��r��@/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/util.py�inflate_long)��s�� &r��Tc��C��s��t��}t\|��}�\|�dkr%\|�dkr%t�d\|�t@��\|�}\|�dL�}�\|�dkr%\|�dkst\|�D�]}\|�dkr7\|d�dkr7�n\|�dkrC\|d�dkrC�nq)d}\|�dkrMt}nt}\|\|d�d��}\|ry\|�dkrit\|d��d krit\|�}\|�dkryt\|d��d k�ryt\|�}\|S�) zTturns a long-int into a normalized byte string (adapted from Crypto.Util.number)r��r ��r��r ��)r��Nr ��) �bytes�intr��packr�� enumerater��r��r��)�n�add_sign_paddingr��r��r��r��r��deflate_long>��s.��r$��c��s~��d}g�}t�\|��\|d�kr%\|�t\|�\|\|d��\|d7�}t�\|��\|d�ks\|t�\|��k�r6\|�t\|�\|d��fdd�\|D��S�)Nr��c��s��g�\|�]}��\|��qS�r��r��)�.0�line��prefixr��r�� <listcomp>e��s��z!format_binary.<locals>.<listcomp>)r��append�format_binary_line)�datar��xr��r��r)��r�� format_binary]��s��r0��c��C��s4��d��dd��\|�D��}d��dd��\|�D��}d�\|\|�S�)N� c��S��s��g�\|�] }d��t\|��qS�)z{:02X}��formatr��r'��cr��r��r��r+��i��s��z&format_binary_line.<locals>.<listcomp>r%��c��S��s��g�\|�]}d��t\|��t\|�d�d��qS�)z.{:c}..�?��_��r2��r4��r��r��r��r+��k��s���z {:50s} {})�joinr3��)r.��left�rightr��r��r��r-��h��s ��r-��c��C��sR��d}\|�D�]"}t�\|�}d\|��krdkrn�n\|t\|�7�}q\|td�\|��7�}q\|S�)N��r��z%{:02X})r��r��br3��)r��r��r5��r��r��r��r��safe_stringp��s��r>��c��C��sr��z\|��W�S��ty8��t\|�d�}t\|d��}\|dkrY�dS�t\|�d�}\|d@�s4\|dK�}\|d8�}\|d@�r(\|�Y�S�w�)NFr��r ��r��r ��)� bit_length�AttributeErrorr$��r��r��)r"��norm�hbyte�bitlenr��r��r��r?��{��s�� r?��c��C��s��d��tjt��d�S�)Nr%�� )r8�� traceback�format_exception�sys�exc_info�splitr��r��r��r�� tb_strings��s��rJ��c��C��s��t��}t��}t\|�dkr\|dd��}\|dkrK\|��}t\|�dkr$\|�\|��\|�t\|��\|�\|��\|��}t\|t\|��}\|\|d\|��7�}\|\|8�}\|dks\|S�)a)�� Given a password, passphrase, or other human-source key, scramble it through a secure hash into some keyworthy bytes. This specific algorithm is used for encrypting/decrypting private key files. :param function hash_alg: A function which creates a new hash object, such as ``hashlib.sha256``. :param salt: data to salt the hash with. :type bytes salt: Hash salt bytes. :param str key: human-entered password or passphrase. :param int nbytes: number of bytes to generate. :return: Key data, as `bytes`. r��Nr��)r��r��updater=��digest�min)�hash_alg�salt�key�nbytes�keydatarL��hash_obj�sizer��r��r��generate_key_bytes��s �� rU��c��C��s��ddl�m}�\|\|��S�)a�� Read a file of known SSH host keys, in the format used by openssh, and return a compound dict of ``hostname -> keytype ->`` `PKey <paramiko.pkey.PKey>`. The hostname may be an IP address or DNS name. The keytype will be either ``"ssh-rsa"`` or ``"ssh-dss"``. This type of file unfortunately doesn't exist on Windows, but on posix, it will usually be stored in ``os.path.expanduser("~/.ssh/known_hosts")``. Since 1.5.3, this is just a wrapper around `.HostKeys`. :param str filename: name of the file to read host keys from :return: nested dict of `.PKey` objects, indexed by hostname and then keytype r��)�HostKeys)�paramiko.hostkeysrV��)�filenamerV��r��r��r��load_host_keys��s��rY��c��C��s��t��}\|�\|��\|S�)z� Provided only as a backward-compatible wrapper around `.SSHConfig`. .. deprecated:: 2.7 Use `SSHConfig.from_file` instead. )r��parse)�file_obj�configr��r��r��parse_ssh_config��s�� r]��c��C��s ��\|��\|��S�)zM Provided only as a backward-compatible wrapper around `.SSHConfig`. )�lookup)�hostnamer\��r��r��r��lookup_ssh_host_config��s�� r`��c�� C��s��dd\|}}}dd\|�}}}\|dkr7\|\|�}\|\|\|\|��}}\|\|\|\|��}}\|\|\|\|��}}\|dks\|dk�r?\|\|7�}\|S�)Nr ��r��r��) r/��m�u1�u2�u3�v1�v2�v3�qr��r��r��mod_inverse��s��ri��c��C��sT��zt�jW�S��ty)��t��td7�att�_W�d��n1�sw��Y��t�j�Y�S�w�)Nr ��)�_g_thread_data�idr@��_g_thread_lock�_g_thread_counterr��r��r��r�� get_thread_id��s�� rn��c��C��sf��t��d�}t\|j�dkrdS�\|�\|��t\|�d�}t��\|�}d}\|d7�}\|�t��\|d��\|� \|��dS�)zKsend paramiko logs to a logfile, if they're not already going somewhere�paramikor��N�az>%(levelname)-.3s [%(asctime)s.%(msecs)03d] thr=%(_threadid)-3dz %(name)s: %(message)sz%Y%m%d-%H:%M:%S) �logging� getLoggerr��handlers�setLevel�open� StreamHandler�setFormatter� Formatter� addHandler)rX��level�logger�f�handler�frmr��r��r��log_to_file��s�� r��c��@��s��e�Zd�Zdd��ZdS�)�PFilterc��C��s��t��\|_dS�)NT)rn�� _threadid)�self�recordr��r��r��filter��s��zPFilter.filterN)�__name__� __module__�__qualname__r��r��r��r��r��r��s��r��c��C��s��t��\|��}\|�t��\|S��N)rq��rr�� addFilter�_pfilter)�namer{��r��r��r�� get_logger ��s�� r��c��C��sN��t�\|��t�\|�kr dS�d}tt�\|��D�]}\|t\|�\|��t\|\|��A�O�}q\|dkS�)NFr��)r��r��r��)rp��r=��resr��r��r��r��constant_time_bytes_eq��s��r��c��@��s��e�Zd�Zdd��Zdd��ZdS�)�ClosingContextManagerc��C��s��\|�S�r��r��)r��r��r��r�� __enter__��s��zClosingContextManager.__enter__c��C��s��\|��d�S�r��)�close)r��type�valuerE��r��r��r��__exit__!��s��zClosingContextManager.__exit__N)r��r��r��r��r��r��r��r��r��r��s��r��c��C��s��t�\|�t\|\|��S�r��)�maxrM��)�minimum�val�maximumr��r��r��clamp_value%��s��r��c��C��sD��zt�\|��W�S��ty!��z\|��W��Y�S��ty ��\|��Y��Y�S�w�w�)z: Coerce to bytes if possible or return unchanged. )r=�� TypeError�asbytesr@��)r��r��r��r��r��)��s�� r��utf8c��C��s4��t�\|�t�r\|�S�t�\|�t�r\|��\|�S�tdt\|��)zcast unicode or bytes to bytes�Expected unicode or bytes, got )� isinstancer��str�encoder��r��r��encodingr��r��r��r=��?��s �� r=��c��C��s4��t�\|�t�r \|��\|�S�t�\|�t�r\|�S�tdt\|��)z cast bytes or unicode to unicoder��)r��r��decoder��r��r��r��r��r��r��uJ��s �� r��)F)T)r%��)r��)+�__doc__rG��r��rE�� threadingrq��paramiko.commonr��r��r��r��r��r��paramiko.configr��r��r$��r0��r-��r>��r?��rJ��rU��rY��r]��r`��ri��localrj��rm��Lockrl��rn��r��r��r��r��r��r��r��r��r=��r��r��r��r��r��<module>��sD�� __pycache__/sftp_client.cpython-310.pyc��0000644��00000074122�15030210772�0013772 0��ustar�00��o ��h��@��sf��d�dl�mZ�d�dlZd�dlZd�dlZd�dlZd�dlZd�dlZd�dlm Z �d�dl mZ�d�dlm Z �d�dlmZmZmZ�d�dlmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)mZm+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2�d�dl3m4Z4�d�d l5m6Z6�d�d l7m8Z8�d�dl9m:Z:m;Z;m<Z<�dd ��Z=dZ>G�dd��dee:�Z?G�dd��de?�Z@dS�)��)�hexlifyN)�util)�Channel)�Message)�INFO�DEBUG�o777) �BaseSFTP�CMD_OPENDIR� CMD_HANDLE� SFTPError�CMD_READDIR�CMD_NAME� CMD_CLOSE�SFTP_FLAG_READ�SFTP_FLAG_WRITE�SFTP_FLAG_CREATE�SFTP_FLAG_TRUNC�SFTP_FLAG_APPEND�SFTP_FLAG_EXCL�CMD_OPEN� CMD_REMOVE� CMD_RENAME� CMD_MKDIR� CMD_RMDIR�CMD_STAT� CMD_ATTRS� CMD_LSTAT�CMD_SYMLINK�CMD_SETSTAT�CMD_READLINK�CMD_REALPATH� CMD_STATUS�CMD_EXTENDED�SFTP_OK�SFTP_EOF�SFTP_NO_SUCH_FILE�SFTP_PERMISSION_DENIED�int64)�SFTPAttributes)�SSHException)�SFTPFile)�ClosingContextManager�b�uc��C��sL��z\|��d�W�S��ttfy%��z\|��d�W��Y�S��ty$��\|��Y��Y�S�w�w�)z� decode a string as ascii or utf8 if possible (as required by the sftp protocol). if neither works, just return a byte string because the server probably doesn't know the filename's encoding. �asciizutf-8)�encode�UnicodeError�AttributeError�decode)�s��r5��G/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/sftp_client.py�_to_unicodeH��s��r7��/c��sj��e�Zd�ZdZdd��ZedQdd��Z��fdd�Zd d ��Zdd��Z dRdd�Z dRdd�ZdSdd�ZdTdd�Z e Zdd��ZeZdd��Zdd��Zefdd �Zd!d"��Zd#d$��Zd%d&��Zd'd(��Zd)d��Zd+d,��Zd-d.��Zd/d0��Zd1d2��Zd3d4��ZdUd5d6�Zd7d8��Z d9d:��Z!dVd=d>�Z"dWd?d@�Z# < dXdAdB�Z$ < dXdCdD�Z%dEdF��Z&dGdH��Z'dUdIdJ�Z(dKdL��Z)dMdN��ZdOdP��Z+��Z,S�)Y� SFTPClientz� SFTP client object. Used to open an SFTP session across an open SSH `.Transport` and perform remote file operations. Instances of this class may be used as context managers. c��C��s��t��\|��\|\|�_d\|�_d\|�_t��\|�_d\|�_t � ��\|�_t\|�t u�r5\|�j��}t�\|��d��\|�_\|��\|�_z\|��}W�n�tyF��td��w�\|��td�\|��dS�)a�� Create an SFTP client from an existing `.Channel`. The channel should already have requested the ``"sftp"`` subsystem. An alternate way to create an SFTP client context is by using `from_transport`. :param .Channel sock: an open `.Channel` using the ``"sftp"`` subsystem :raises: `.SSHException` -- if there's an exception while negotiating sftp F��Nz.sftpzEOF during negotiationzOpened sftp connection (server version {}))r ��__init__�sock�ultra_debug�request_number� threading�Lock�_lock�_cwd�weakref�WeakValueDictionary� _expecting�typer�� get_transportr�� get_logger�get_log_channel�logger�get_hexdump� _send_version�EOFErrorr��_logr��format)�selfr<�� transport�server_versionr5��r5��r6��r;��d��s0�� zSFTPClient.__init__Nc��C��s,��\|j�\|\|d�}\|du�r dS�\|�d��\|�\|�S�)a\�� Create an SFTP client channel from an open `.Transport`. Setting the window and packet sizes might affect the transfer speed. The default settings in the `.Transport` class are the same as in OpenSSH and should work adequately for both files transfers and interactive sessions. :param .Transport t: an open `.Transport` which is already authenticated :param int window_size: optional window size for the `.SFTPClient` session. :param int max_packet_size: optional max packet size for the `.SFTPClient` session.. :return: a new `.SFTPClient` object, referring to an sftp session (channel) across the transport .. versionchanged:: 1.15 Added the ``window_size`` and ``max_packet_size`` arguments. )�window_size�max_packet_sizeN�sftp)�open_session�invoke_subsystem)�cls�trS��rT��chanr5��r5��r6��from_transport��s�� zSFTPClient.from_transportc��sf��t�\|t�r\|D�]}\|�j\|\|g\|�R��qd�S�\|�dd�}t��j\|d\|�g\|�j��gt\|��R��d�S�)N�%z%%z [chan %s] )� isinstance�listrN��replace�superr<��get_name)rP��level�msg�args�m�� __class__r5��r6��rN��s�� zSFTPClient._logc��C��s��\|��td��\|�j��dS�)zc Close the SFTP session and its underlying channel. .. versionadded:: 1.4 zsftp session closed.N)rN��r��r<��close�rP��r5��r5��r6��rh��s��zSFTPClient.closec��C��s��\|�j�S�)z� Return the underlying `.Channel` object for this SFTP session. This might be useful for doing things like setting a timeout on the channel. .. versionadded:: 1.7.1 )r<��ri��r5��r5��r6��get_channel��s��zSFTPClient.get_channel�.c��C��s��dd��\|��\|�D��S�)a�� Return a list containing the names of the entries in the given ``path``. The list is in arbitrary order. It does not include the special entries ``'.'`` and ``'..'`` even if they are present in the folder. This method is meant to mirror ``os.listdir`` as closely as possible. For a list of full `.SFTPAttributes` objects, see `listdir_attr`. :param str path: path to list (defaults to ``'.'``) c��S��s��g�\|�]}\|j��qS�r5��)�filename)�.0�fr5��r5��r6�� <listcomp>��s��z&SFTPClient.listdir.<locals>.<listcomp>)�listdir_attr�rP��pathr5��r5��r6��listdir��s��zSFTPClient.listdirc��C��s��\|��\|�}\|��td�\|��\|��t\|�\}}\|tkrtd��\|��}g�} �z \|��t \|�\}}W�n �t y8��Y�n1w�\|tkrAtd��\|��}t \|�D�]}\|��}\|��} t�\|\|\| �} \|dkrg\|dkrg\|�\| ��qIq%\|��t\|��\|S�)a�� Return a list containing `.SFTPAttributes` objects corresponding to files in the given ``path``. The list is in arbitrary order. It does not include the special entries ``'.'`` and ``'..'`` even if they are present in the folder. The returned `.SFTPAttributes` objects will each have an additional field: ``longname``, which may contain a formatted string of the file's attributes, in unix format. The content of this string will probably depend on the SFTP server implementation. :param str path: path to list (defaults to ``'.'``) :return: list of `.SFTPAttributes` objects .. versionadded:: 1.2 � listdir({!r})�Expected handleT�Expected name responserk��..)�_adjust_cwdrN��r��rO��_requestr ��r��r�� get_binaryr ��rM��r��get_int�range�get_textr)�� _from_msg�appendr��)rP��rr��rY��rc��handle�filelist�count�irl��longname�attrr5��r5��r6��rp��s4�� zSFTPClient.listdir_attr�2��c��c��s0��\|��\|�}\|��td�\|��\|��t\|�\}}\|tkrtd��\|��}t ��} �z_t \|�D�]}\|��td�t \|�}\|�\|��q,\|D�]B}\|��\}} t\| �}\|��} \|\| kr\\|tkr\\|��\|��\|��}t \|�D�]}\|��}\|��} t�\|\|\| �}\|dkr�\|dkr�\|V��qdq?t ��}W�n�ty��\|��t\|��Y�dS�w�q')a�� Generator version of `.listdir_attr`. See the API docs for `.listdir_attr` for overall details. This function adds one more kwarg on top of `.listdir_attr`: ``read_aheads``, an integer controlling how many ``SSH_FXP_READDIR`` requests are made to the server. The default of 50 should suffice for most file listings as each request/response cycle may contain multiple files (dependent on server implementation.) .. versionadded:: 1.15 rt��ru��TNrk��rw��)rx��rN��r��rO��ry��r ��r��r�� get_stringr^��r\|��_async_requestrF��r ��r��_read_packetr��r{��r"��_convert_statusr}��r)��r~��rM��r��)rP��rr��read_aheadsrY��rc��r��numsr��num�pkt_data�new_numr��rl��r��r��r5��r5��r6��listdir_iter��sJ�� zSFTPClient.listdir_iter�r��c�� C��s��\|��\|�}\|��td�\|\|��d}d\|v�sd\|v�r\|tO�}d\|v�s)d\|v�s)d\|v�r-\|tO�}d\|v�r7\|ttB�O�}d\|v�rA\|ttB�O�}d\|v�rK\|tt B�O�}t ��}\|��t\|\|\|�\}}\|t kr`td��\|��}\|��td �\|\|tt\|��t\|�\|\|\|�S�) aT�� Open a file on the remote server. The arguments are the same as for Python's built-in `python:file` (aka `python:open`). A file-like object is returned, which closely mimics the behavior of a normal Python file object, including the ability to be used as a context manager. The mode indicates how the file is to be opened: ``'r'`` for reading, ``'w'`` for writing (truncating an existing file), ``'a'`` for appending, ``'r+'`` for reading/writing, ``'w+'`` for reading/writing (truncating an existing file), ``'a+'`` for reading/appending. The Python ``'b'`` flag is ignored, since SSH treats all files as binary. The ``'U'`` flag is supported in a compatible way. Since 1.5.2, an ``'x'`` flag indicates that the operation should only succeed if the file was created and did not previously exist. This has no direct mapping to Python's file flags, but is commonly known as the ``O_EXCL`` flag in posix. The file will be buffered in standard Python style by default, but can be altered with the ``bufsize`` parameter. ``<=0`` turns off buffering, ``1`` uses line buffering, and any number greater than 1 (``>1``) uses that specific buffer size. :param str filename: name of the file to open :param str mode: mode (Python-style) to open in :param int bufsize: desired buffering (default: ``-1``) :return: an `.SFTPFile` object representing the open file :raises: ``IOError`` -- if the file could not be opened. zopen({!r}, {!r})r��r��+�w�a�xru��zopen({!r}, {!r}) -> {})rx��rN��r��rO��r��r��r��r��r��r��r)��ry��r��r��r��rz��r.��r��r+��) rP��rl��mode�bufsize�imode� attrblockrY��rc��r��r5��r5��r6��openF��s2�� zSFTPClient.openc��C��,��\|��\|�}\|��td�\|��\|��t\|��dS�)a �� Remove the file at the given path. This only works on files; for removing folders (directories), use `rmdir`. :param str path: path (absolute or relative) of the file to remove :raises: ``IOError`` -- if the path refers to a folder (directory) zremove({!r})N)rx��rN��r��rO��ry��r��rq��r5��r5��r6��remove��s�� zSFTPClient.removec��C��s:��\|��\|�}\|��\|�}\|��td�\|\|��\|��t\|\|��dS�)a3�� Rename a file or folder from ``oldpath`` to ``newpath``. .. note:: This method implements 'standard' SFTP ``RENAME`` behavior; those seeking the OpenSSH "POSIX rename" extension behavior should use `posix_rename`. :param str oldpath: existing name of the file or folder :param str newpath: new name for the file or folder, must not exist already :raises: ``IOError`` -- if ``newpath`` is a folder, or something else goes wrong zrename({!r}, {!r})N)rx��rN��r��rO��ry��r��rP��oldpath�newpathr5��r5��r6��rename��s�� zSFTPClient.renamec��C��s<��\|��\|�}\|��\|�}\|��td�\|\|��\|��td\|\|��dS�)a�� Rename a file or folder from ``oldpath`` to ``newpath``, following posix conventions. :param str oldpath: existing name of the file or folder :param str newpath: new name for the file or folder, will be overwritten if it already exists :raises: ``IOError`` -- if ``newpath`` is a folder, posix-rename is not supported by the server or something else goes wrong :versionadded: 2.2 zposix_rename({!r}, {!r})zposix-rename@openssh.comN)rx��rN��r��rO��ry��r#��r��r5��r5��r6��posix_rename��s�� zSFTPClient.posix_renamec��C��<��\|��\|�}\|��td�\|\|��t��}\|\|_\|��t\|\|��dS�)as�� Create a folder (directory) named ``path`` with numeric mode ``mode``. The default mode is 0777 (octal). On some systems, mode is ignored. Where it is used, the current umask value is first masked out. :param str path: name of the folder to create :param int mode: permissions (posix-style) for the newly-created folder zmkdir({!r}, {!r})N)rx��rN��r��rO��r)��st_modery��r��rP��rr��r��r��r5��r5��r6��mkdir�� zSFTPClient.mkdirc��C��r��)zj Remove the folder named ``path``. :param str path: name of the folder to remove zrmdir({!r})N)rx��rN��r��rO��ry��r��rq��r5��r5��r6��rmdir��s�� zSFTPClient.rmdirc��C��F��\|��\|�}\|��td�\|��\|��t\|�\}}\|tkrtd��t� \|�S�)a8�� Retrieve information about a file on the remote system. The return value is an object whose attributes correspond to the attributes of Python's ``stat`` structure as returned by ``os.stat``, except that it contains fewer fields. An SFTP server may return as much or as little info as it wants, so the results may vary from server to server. Unlike a Python `python:stat` object, the result may not be accessed as a tuple. This is mostly due to the author's slack factor. The fields supported are: ``st_mode``, ``st_size``, ``st_uid``, ``st_gid``, ``st_atime``, and ``st_mtime``. :param str path: the filename to stat :return: an `.SFTPAttributes` object containing attributes about the given file z stat({!r})�Expected attributes) rx��rN��r��rO��ry��r��r��r��r)��r~��rP��rr��rY��rc��r5��r5��r6��stat��s�� zSFTPClient.statc��C��r��)aZ�� Retrieve information about a file on the remote system, without following symbolic links (shortcuts). This otherwise behaves exactly the same as `stat`. :param str path: the filename to stat :return: an `.SFTPAttributes` object containing attributes about the given file zlstat({!r})r��) rx��rN��r��rO��ry��r��r��r��r)��r~��r��r5��r5��r6��lstat��s�� zSFTPClient.lstatc��C��s8��\|��\|�}\|��td�\|\|��t\|�}\|��t\|\|��dS�)z� Create a symbolic link to the ``source`` path at ``destination``. :param str source: path of the original file :param str dest: path of the newly created symlink zsymlink({!r}, {!r})N)rx��rN��r��rO��r-��ry��r��)rP��source�destr5��r5��r6��symlink��s�� zSFTPClient.symlinkc��C��r��)a�� Change the mode (permissions) of a file. The permissions are unix-style and identical to those used by Python's `os.chmod` function. :param str path: path of the file to change the permissions of :param int mode: new permissions zchmod({!r}, {!r})N)rx��rN��r��rO��r)��r��ry��r��r��r5��r5��r6��chmod��r��zSFTPClient.chmodc��C��sF��\|��\|�}\|��td�\|\|\|��t��}\|\|\|_\|_\|��t\|\|��dS�)a�� Change the owner (``uid``) and group (``gid``) of a file. As with Python's `os.chown` function, you must pass both arguments, so if you only want to change one, use `stat` first to retrieve the current owner and group. :param str path: path of the file to change the owner and group of :param int uid: new owner's uid :param int gid: new group id zchown({!r}, {!r}, {!r})N) rx��rN��r��rO��r)��st_uid�st_gidry��r��)rP��rr��uid�gidr��r5��r5��r6��chown��s �� zSFTPClient.chownc��C��sZ��\|��\|�}\|du�rt��t��f}\|��td�\|\|��t��}\|\\|_\|_\|��t \|\|��dS�)a�� Set the access and modified times of the file specified by ``path``. If ``times`` is ``None``, then the file's access and modified times are set to the current time. Otherwise, ``times`` must be a 2-tuple of numbers, of the form ``(atime, mtime)``, which is used to set the access and modified times, respectively. This bizarre API is mimicked from Python for the sake of consistency -- I apologize. :param str path: path of the file to modify :param tuple times: ``None`` or a tuple of (access time, modified time) in standard internet epoch time (seconds since 01 January 1970 GMT) Nzutime({!r}, {!r})) rx��timerN��r��rO��r)��st_atime�st_mtimery��r��)rP��rr��timesr��r5��r5��r6��utime0��s�� zSFTPClient.utimec��C��r��)a0�� Change the size of the file specified by ``path``. This usually extends or shrinks the size of the file, just like the `~file.truncate` method on Python file objects. :param str path: path of the file to modify :param int size: the new size of the file ztruncate({!r}, {!r})N)rx��rN��r��rO��r)��st_sizery��r��)rP��rr��sizer��r5��r5��r6��truncateF��r��zSFTPClient.truncatec��C��sr��\|��\|�}\|��td�\|��\|��t\|�\}}\|tkrtd��\|��}\|dkr(dS�\|dkr3td�\|��t \|� ��S�)a�� Return the target of a symbolic link (shortcut). You can use `symlink` to create these. The result may be either an absolute or relative pathname. :param str path: path of the symbolic link file :return: target path, as a `str` zreadlink({!r})rv��r��Nr:��zReadlink returned {} results)rx��rN��r��rO��ry��r ��r��r��r{��r7��r��rP��rr��rY��rc��r��r5��r5��r6��readlinkU��s�� zSFTPClient.readlinkc��C��sb��\|��\|�}\|��td�\|��\|��t\|�\}}\|tkrtd��\|��}\|dkr-td�\|��\|� ��S�)a�� Return the normalized path (on the server) of a given path. This can be used to quickly resolve symbolic links or determine what the server is considering to be the "current folder" (by passing ``'.'`` as ``path``). :param str path: path to be normalized :return: normalized form of the given path (as a `str`) :raises: ``IOError`` -- if the path can't be resolved on the server znormalize({!r})rv��r:��zRealpath returned {} results) rx��rN��r��rO��ry��r!��r��r��r{��r}��r��r5��r5��r6�� normalizej��s�� zSFTPClient.normalizec��C��sV��\|du�r d\|�_�dS�t�\|��\|�j�s!tj}t\|d�t� \|�\|��t \|��\|��\|�_�dS�)aS�� Change the "current directory" of this SFTP session. Since SFTP doesn't really have the concept of a current working directory, this is emulated by Paramiko. Once you use this method to set a working directory, all operations on this `.SFTPClient` object will be relative to that path. You can pass in ``None`` to stop using a current working directory. :param str path: new current working directory :raises: ``IOError`` -- if the requested path doesn't exist on the server .. versionadded:: 1.4 Nz{}: {})rB��r��S_ISDIRr��errno�ENOTDIRr��rO��os�strerrorr-��r��)rP��rr��coder5��r5��r6��chdir��s��zSFTPClient.chdirc��C��s��\|�j�ot\|�j��S�)z� Return the "current working directory" for this SFTP session, as emulated by Paramiko. If no directory has been set with `chdir`, this method will return ``None``. .. versionadded:: 1.4 )rB��r.��ri��r5��r5��r6��getcwd��s�� zSFTPClient.getcwdc��C��sL��d} �\|��d�}\|�\|��\|t\|�7�}t\|�dkr �\|S�\|d�ur%\|\|\|��q)Nr��Ti��)�read�write�len)rP��reader�writer� file_size�callbackr��datar5��r5��r6��_transfer_with_callback��s�� z"SFTPClient._transfer_with_callbackr��Tc�� C��s��\|��\|d��}\|�d��\|�j\|\|\|\|d�}W�d��n1�sw��Y��\|r;\|��\|�}\|j\|kr9td�\|j\|��\|S�t��}\|S�)a�� Copy the contents of an open file object (``fl``) to the SFTP server as ``remotepath``. Any exception raised by operations will be passed through. The SFTP operations use pipelining for speed. :param fl: opened file or file-like object to copy :param str remotepath: the destination path on the SFTP server :param int file_size: optional size parameter passed to callback. If none is specified, size defaults to 0 :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred (since 1.7.4) :param bool confirm: whether to do a stat() on the file afterwards to confirm the file size (since 1.7.7) :return: an `.SFTPAttributes` object containing attributes about the given file. .. versionadded:: 1.10 �wbT�r��r��r��r��Nzsize mismatch in put! {} != {})�file� set_pipelinedr��r��r��IOErrorrO��r)��) rP��fl� remotepathr��r��confirm�frr��r4��r5��r5��r6��putfo��s�� zSFTPClient.putfoc��C��sL��t��\|�j}t\|d��}\|��\|\|\|\|\|�W��d��S�1�sw��Y��dS�)an�� Copy a local file (``localpath``) to the SFTP server as ``remotepath``. Any exception raised by operations will be passed through. This method is primarily provided as a convenience. The SFTP operations use pipelining for speed. :param str localpath: the local file to copy :param str remotepath: the destination path on the SFTP server. Note that the filename should be included. Only specifying a directory may result in an error. :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred :param bool confirm: whether to do a stat() on the file afterwards to confirm the file size :return: an `.SFTPAttributes` object containing attributes about the given file .. versionadded:: 1.4 .. versionchanged:: 1.7.4 ``callback`` and rich attribute return value added. .. versionchanged:: 1.7.7 ``confirm`` param added. �rbN)r��r��r��r��r��)rP�� localpathr��r��r��r��r��r5��r5��r6��put��s��$�zSFTPClient.putc��C��s^��\|��\|�j}\|��\|d��}\|r\|�\|\|��\|�j\|\|\|\|d�W��d��S�1�s(w��Y��dS�)a�� Copy a remote file (``remotepath``) from the SFTP server and write to an open file or file-like object, ``fl``. Any exception raised by operations will be passed through. This method is primarily provided as a convenience. :param object remotepath: opened file or file-like object to copy to :param str fl: the destination path on the local host or open file object :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred :param bool prefetch: controls whether prefetching is performed (default: True) :param int max_concurrent_prefetch_requests: The maximum number of concurrent read requests to prefetch. See `.SFTPClient.get` (its ``max_concurrent_prefetch_requests`` param) for details. :return: the `number <int>` of bytes written to the opened file object .. versionadded:: 1.10 .. versionchanged:: 2.8 Added the ``prefetch`` keyword argument. .. versionchanged:: 3.3 Added ``max_concurrent_prefetch_requests``. r��r��N)r��r��r��prefetchr��)rP��r��r��r��r�� max_concurrent_prefetch_requestsr��r��r5��r5��r6��getfo��s��"�$�zSFTPClient.getfoc�� C��sf��t�\|d��}\|��\|\|\|\|\|�}W�d��n1�sw��Y��t�\|�}\|j\|kr1td�\|j\|��dS�)a�� Copy a remote file (``remotepath``) from the SFTP server to the local host as ``localpath``. Any exception raised by operations will be passed through. This method is primarily provided as a convenience. :param str remotepath: the remote file to copy :param str localpath: the destination path on the local host :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred :param bool prefetch: controls whether prefetching is performed (default: True) :param int max_concurrent_prefetch_requests: The maximum number of concurrent read requests to prefetch. When this is ``None`` (the default), do not limit the number of concurrent prefetch requests. Note: OpenSSH's sftp internally imposes a limit of 64 concurrent requests, while Paramiko imposes no limit by default; consider setting a limit if a file can be successfully received with sftp but hangs with Paramiko. .. versionadded:: 1.4 .. versionchanged:: 1.7.4 Added the ``callback`` param .. versionchanged:: 2.8 Added the ``prefetch`` keyword argument. .. versionchanged:: 3.3 Added ``max_concurrent_prefetch_requests``. r��Nzsize mismatch in get! {} != {})r��r��r��r��r��r��rO��) rP��r��r��r��r��r��r��r��r4��r5��r5��r6��get#��s��$�� zSFTPClient.getc��G��s"��\|�j�td��\|g\|�R��}\|��\|�S��N)r��rF��_read_response)rP��rY��rd��r��r5��r5��r6��ry��W��s�� zSFTPClient._requestc��G��s��\|�j��zJt��}\|�\|�j��\|D�](}t\|t�r\|�\|��qt\|t�r)\|�\|��qt\|t �r4\|� \|��q\|�\|��q\|�j}\|\|�j\|<�\|��jd7��_W�\|�j�� n\|�j�� w�\|��\|\|��\|S�)Nr:��)rA��acquirer��add_intr>��r]��r(�� add_int64�intr)��_pack� add_stringrE��release�_send_packet)rP��fileobjrY��rd��rc��itemr��r5��r5��r6��r��[��s$�� zSFTPClient._async_requestc�� C��s�� z\|��\}}W�n�ty�}�ztd�\|��d�}~ww�t\|�}\|��}\|�j��z1\|\|�jvrL\|�� t d�\|��\|d�u�rEW�\|�j��dS�W�\|�j��q�\|�j\|�}\|�j\|=�W�\|�j��n\|�j��w�\|\|krs\|tkro\|�� \|��\|\|fS�\|td��ur�\|�\|\|\|��\|d�u�r� �dS�q)NTzServer connection dropped: {}zUnexpected response #{}�NN)r��rM��r��rO��r��r{��rA��r��rE��rN��r��r��r"��r��rF��_async_response)rP��waitforrY��r��erc��r��r��r5��r5��r6��r��t��s@�� zSFTPClient._read_responsec��C��s4��\|\|�j��v�r\|��\|��\|\|�j��v�sd�S�d�S�r��)rE��valuesr��_check_exception)rP��r��r5��r5��r6��_finish_responses��s��zSFTPClient._finish_responsesc��C��s\��\|��}\|��}\|tkrdS�\|tkrt\|��\|tkr ttj\|��\|t krttj \|��t\|��)zU Raises EOFError or IOError on error status; otherwise does nothing. N)r{��r}��r$��r%��rM��r&��r��r��ENOENTr'��EACCES)rP��rc��r��textr5��r5��r6��r��s��zSFTPClient._convert_statusc��C��sT��t�\|�}\|�jdu�r\|S�t\|�r\|dd��tkr\|S�\|�jtkr#\|�j\|�S�\|�jt�\|�S�)zr Return an adjusted path if we're emulating a "current working directory" for the server. Nr��r:��)r-��rB��r��b_slashrq��r5��r5��r6��rx��s�� zSFTPClient._adjust_cwdr��)rk��)rk��r��)r��r��r��)r��NT)NT)NTN)-�__name__� __module__�__qualname__�__doc__r;��classmethodr[��rN��rh��rj��rs��rp��r��r��r��r��unlinkr��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��ry��r��r��r��r��rx�� __classcell__r5��r5��rf��r6��r9��Z��s^�� ( * @; $ �. �4 %r9��c��@��s��e�Zd�ZdZdS�)�SFTPzA An alias for `.SFTPClient` for backwards compatibility. N)r��r��r��r��r5��r5��r5��r6��r��s��r��)A�binasciir��r��r��r��r?��r��rC��paramikor��paramiko.channelr��paramiko.messager��paramiko.commonr��r��r�� paramiko.sftpr ��r ��r��r��r ��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r ��r!��r"��r#��r$��r%��r&��r'��r(��paramiko.sftp_attrr)��paramiko.ssh_exceptionr��paramiko.sftp_filer+�� paramiko.utilr,��r-��r.��r7��r��r9��r��r5��r5��r5��r6��<module>��s4��#��l��__pycache__/server.cpython-310.pyc��0000644��00000075661�15030210772�0012777 0��ustar�00��o ��h�v��@��sf��d�Z�ddlZddlmZ�ddlmZmZmZmZm Z �G�dd��d�Z G�dd��d�ZG�d d ��d ej�Z dS�)zD `.ServerInterface` is an interface to override for server support. ��N)�util)�DEBUG�ERROR�'OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED�AUTH_FAILED�AUTH_SUCCESSFULc��@��s��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd d��Zdd ��Z dd��Z edfdd�Zedfdd�Z dd��Zdd��Zdd��Zdd��Zdd��Zdd ��Zd!d"��Zd#d$��Zd%d&��Zd'd(��Zd)d��Zd+d,��Zd-d.��Zd/d0��ZdS�)1�ServerInterfacea�� This class defines an interface for controlling the behavior of Paramiko in server mode. Methods on this class are called from Paramiko's primary thread, so you shouldn't do too much work in them. (Certainly nothing that blocks or sleeps.) c��C��t�S�)a.�� Determine if a channel request of a given type will be granted, and return ``OPEN_SUCCEEDED`` or an error code. This method is called in server mode when the client requests a channel, after authentication is complete. If you allow channel requests (and an ssh server that didn't would be useless), you should also override some of the channel request methods below, which are used to determine which services will be allowed on a given channel: - `check_channel_pty_request` - `check_channel_shell_request` - `check_channel_subsystem_request` - `check_channel_window_change_request` - `check_channel_x11_request` - `check_channel_forward_agent_request` The ``chanid`` parameter is a small number that uniquely identifies the channel within a `.Transport`. A `.Channel` object is not created unless this method returns ``OPEN_SUCCEEDED`` -- once a `.Channel` object is created, you can call `.Channel.get_id` to retrieve the channel ID. The return value should either be ``OPEN_SUCCEEDED`` (or ``0``) to allow the channel request, or one of the following error codes to reject it: - ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED`` - ``OPEN_FAILED_CONNECT_FAILED`` - ``OPEN_FAILED_UNKNOWN_CHANNEL_TYPE`` - ``OPEN_FAILED_RESOURCE_SHORTAGE`` The default implementation always returns ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED``. :param str kind: the kind of channel the client would like to open (usually ``"session"``). :param int chanid: ID of the channel :return: an `int` success or failure code (listed above) �r��)�self�kind�chanid��r��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/server.py�check_channel_request,��s��+z%ServerInterface.check_channel_requestc��C��dS�)a\�� Return a list of authentication methods supported by the server. This list is sent to clients attempting to authenticate, to inform them of authentication methods that might be successful. The "list" is actually a string of comma-separated names of types of authentication. Possible values are ``"password"``, ``"publickey"``, and ``"none"``. The default implementation always returns ``"password"``. :param str username: the username requesting authentication. :return: a comma-separated `str` of authentication types �passwordr��r��usernamer��r��r��get_allowed_authsY��s��z!ServerInterface.get_allowed_authsc��C��r ��)a�� Determine if a client may open channels with no (further) authentication. Return ``AUTH_FAILED`` if the client must authenticate, or ``AUTH_SUCCESSFUL`` if it's okay for the client to not authenticate. The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the client. :return: ``AUTH_FAILED`` if the authentication fails; ``AUTH_SUCCESSFUL`` if it succeeds. :rtype: int �r��r��r��r��r��check_auth_nonej��zServerInterface.check_auth_nonec��C��r ��)a2�� Determine if a given username and password supplied by the client is acceptable for use in authentication. Return ``AUTH_FAILED`` if the password is not accepted, ``AUTH_SUCCESSFUL`` if the password is accepted and completes the authentication, or ``AUTH_PARTIALLY_SUCCESSFUL`` if your authentication is stateful, and this key is accepted for authentication, but more authentication is required. (In this latter case, `get_allowed_auths` will be called to report to the client what options it has for continuing the authentication.) The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the authenticating client. :param str password: the password given by the client. :return: ``AUTH_FAILED`` if the authentication fails; ``AUTH_SUCCESSFUL`` if it succeeds; ``AUTH_PARTIALLY_SUCCESSFUL`` if the password auth is successful, but authentication must continue. :rtype: int r��)r��r��r��r��r��r��check_auth_password}��z#ServerInterface.check_auth_passwordc��C��r ��)a�� Determine if a given key supplied by the client is acceptable for use in authentication. You should override this method in server mode to check the username and key and decide if you would accept a signature made using this key. Return ``AUTH_FAILED`` if the key is not accepted, ``AUTH_SUCCESSFUL`` if the key is accepted and completes the authentication, or ``AUTH_PARTIALLY_SUCCESSFUL`` if your authentication is stateful, and this password is accepted for authentication, but more authentication is required. (In this latter case, `get_allowed_auths` will be called to report to the client what options it has for continuing the authentication.) Note that you don't have to actually verify any key signtature here. If you're willing to accept the key, Paramiko will do the work of verifying the client's signature. The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the authenticating client :param .PKey key: the key object provided by the client :return: ``AUTH_FAILED`` if the client can't authenticate with this key; ``AUTH_SUCCESSFUL`` if it can; ``AUTH_PARTIALLY_SUCCESSFUL`` if it can authenticate with this key but must continue with authentication :rtype: int r��)r��r��keyr��r��r��check_auth_publickey��s��z$ServerInterface.check_auth_publickeyc��C��r ��)a�� Begin an interactive authentication challenge, if supported. You should override this method in server mode if you want to support the ``"keyboard-interactive"`` auth type, which requires you to send a series of questions for the client to answer. Return ``AUTH_FAILED`` if this auth method isn't supported. Otherwise, you should return an `.InteractiveQuery` object containing the prompts and instructions for the user. The response will be sent via a call to `check_auth_interactive_response`. The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the authenticating client :param str submethods: a comma-separated list of methods preferred by the client (usually empty) :return: ``AUTH_FAILED`` if this auth method isn't supported; otherwise an object containing queries for the user :rtype: int or `.InteractiveQuery` r��)r��r�� submethodsr��r��r��check_auth_interactive��r��z&ServerInterface.check_auth_interactivec��C��r ��)a�� Continue or finish an interactive authentication challenge, if supported. You should override this method in server mode if you want to support the ``"keyboard-interactive"`` auth type. Return ``AUTH_FAILED`` if the responses are not accepted, ``AUTH_SUCCESSFUL`` if the responses are accepted and complete the authentication, or ``AUTH_PARTIALLY_SUCCESSFUL`` if your authentication is stateful, and this set of responses is accepted for authentication, but more authentication is required. (In this latter case, `get_allowed_auths` will be called to report to the client what options it has for continuing the authentication.) If you wish to continue interactive authentication with more questions, you may return an `.InteractiveQuery` object, which should cause the client to respond with more answers, calling this method again. This cycle can continue indefinitely. The default implementation always returns ``AUTH_FAILED``. :param responses: list of `str` responses from the client :return: ``AUTH_FAILED`` if the authentication fails; ``AUTH_SUCCESSFUL`` if it succeeds; ``AUTH_PARTIALLY_SUCCESSFUL`` if the interactive auth is successful, but authentication must continue; otherwise an object containing queries for the user :rtype: int or `.InteractiveQuery` r��)r�� responsesr��r��r��check_auth_interactive_response��s��z/ServerInterface.check_auth_interactive_responseNc��C��\|t�krt�S�tS�)a�� Authenticate the given user to the server if he is a valid krb5 principal. :param str username: The username of the authenticating client :param int gss_authenticated: The result of the krb5 authentication :param str cc_filename: The krb5 client credentials cache filename :return: ``AUTH_FAILED`` if the user is not authenticated otherwise ``AUTH_SUCCESSFUL`` :rtype: int :note: Kerberos credential delegation is not supported. :see: `.ssh_gss` :note: : We are just checking in L{AuthHandler} that the given user is a valid krb5 principal! We don't check if the krb5 principal is allowed to log in on the server, because there is no way to do that in python. So if you develop your own SSH server with paramiko for a certain platform like Linux, you should call C{krb5_kuserok()} in your local kerberos library to make sure that the krb5_principal has an account on the server and is allowed to log in as a user. :see: http://www.unix.com/man-page/all/3/krb5_kuserok/ �r��r��r��r��gss_authenticated�cc_filer��r��r��check_auth_gssapi_with_mic��s��zServerInterface.check_auth_gssapi_with_micc��C��r!��)a`�� Authenticate the given user to the server if he is a valid krb5 principal and GSS-API Key Exchange was performed. If GSS-API Key Exchange was not performed, this authentication method won't be available. :param str username: The username of the authenticating client :param int gss_authenticated: The result of the krb5 authentication :param str cc_filename: The krb5 client credentials cache filename :return: ``AUTH_FAILED`` if the user is not authenticated otherwise ``AUTH_SUCCESSFUL`` :rtype: int :note: Kerberos credential delegation is not supported. :see: `.ssh_gss` `.kex_gss` :note: : We are just checking in L{AuthHandler} that the given user is a valid krb5 principal! We don't check if the krb5 principal is allowed to log in on the server, because there is no way to do that in python. So if you develop your own SSH server with paramiko for a certain platform like Linux, you should call C{krb5_kuserok()} in your local kerberos library to make sure that the krb5_principal has an account on the server and is allowed to log in as a user. :see: http://www.unix.com/man-page/all/3/krb5_kuserok/ r"��r#��r��r��r��check_auth_gssapi_keyex��s��z'ServerInterface.check_auth_gssapi_keyexc��C��s��d}\|S�)z� Overwrite this function in your SSH server to enable GSSAPI authentication. The default implementation always returns false. :returns bool: Whether GSSAPI authentication is enabled. :see: `.ssh_gss` Fr��)r�� UseGSSAPIr��r��r��enable_auth_gssapi,��s�� z"ServerInterface.enable_auth_gssapic��C��r��)a1�� Handle a request for port forwarding. The client is asking that connections to the given address and port be forwarded back across this ssh connection. An address of ``"0.0.0.0"`` indicates a global address (any address associated with this server) and a port of ``0`` indicates that no specific port is requested (usually the OS will pick a port). The default implementation always returns ``False``, rejecting the port forwarding request. If the request is accepted, you should return the port opened for listening. :param str address: the requested address :param int port: the requested port :return: the port number (`int`) that was opened for listening, or ``False`` to reject Fr��r��address�portr��r��r��check_port_forward_request8��s��zServerInterface.check_port_forward_requestc��C��r��)a,�� The client would like to cancel a previous port-forwarding request. If the given address and port is being forwarded across this ssh connection, the port should be closed. :param str address: the forwarded address :param int port: the forwarded port Nr��r��r��r��r��cancel_port_forward_requestM��s�� z+ServerInterface.cancel_port_forward_requestc��C��r��)a�� Handle a global request of the given ``kind``. This method is called in server mode and client mode, whenever the remote host makes a global request. If there are any arguments to the request, they will be in ``msg``. There aren't any useful global requests defined, aside from port forwarding, so usually this type of request is an extension to the protocol. If the request was successful and you would like to return contextual data to the remote host, return a tuple. Items in the tuple will be sent back with the successful result. (Note that the items in the tuple can only be strings, ints, or bools.) The default implementation always returns ``False``, indicating that it does not support any global requests. .. note:: Port forwarding requests are handled separately, in `check_port_forward_request`. :param str kind: the kind of global request being made. :param .Message msg: any extra arguments to the request. :return: ``True`` or a `tuple` of data if the request was granted; ``False`` otherwise. Fr��)r��r��msgr��r��r��check_global_requestX��s��z$ServerInterface.check_global_requestc��C��r��)a2�� Determine if a pseudo-terminal of the given dimensions (usually requested for shell access) can be provided on the given channel. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the pty request arrived on. :param str term: type of terminal requested (for example, ``"vt100"``). :param int width: width of screen in characters. :param int height: height of screen in characters. :param int pixelwidth: width of screen in pixels, if known (may be ``0`` if unknown). :param int pixelheight: height of screen in pixels, if known (may be ``0`` if unknown). :return: ``True`` if the pseudo-terminal has been allocated; ``False`` otherwise. Fr��)r��channel�term�width�height� pixelwidth�pixelheight�modesr��r��r��check_channel_pty_requestx��s��z)ServerInterface.check_channel_pty_requestc��C��r��)a�� Determine if a shell will be provided to the client on the given channel. If this method returns ``True``, the channel should be connected to the stdin/stdout of a shell (or something that acts like a shell). The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the request arrived on. :return: ``True`` if this channel is now hooked up to a shell; ``False`` if a shell can't or won't be provided. Fr��r��r1��r��r��r��check_channel_shell_request��z+ServerInterface.check_channel_shell_requestc��C��r��)a{�� Determine if a shell command will be executed for the client. If this method returns ``True``, the channel should be connected to the stdin, stdout, and stderr of the shell command. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the request arrived on. :param str command: the command to execute. :return: ``True`` if this channel is now hooked up to the stdin, stdout, and stderr of the executing command; ``False`` if the command will not be executed. .. versionadded:: 1.1 Fr��)r��r1��commandr��r��r��check_channel_exec_request��r��zServerInterface.check_channel_exec_requestc��C��sJ��\|��}\|�\|�\}}}\|du�rdS�\|\|\|\|�g\|�R�i�\|��}\|��dS�)a�� Determine if a requested subsystem will be provided to the client on the given channel. If this method returns ``True``, all future I/O through this channel will be assumed to be connected to the requested subsystem. An example of a subsystem is ``sftp``. The default implementation checks for a subsystem handler assigned via `.Transport.set_subsystem_handler`. If one has been set, the handler is invoked and this method returns ``True``. Otherwise it returns ``False``. .. note:: Because the default implementation uses the `.Transport` to identify valid subsystems, you probably won't need to override this method. :param .Channel channel: the `.Channel` the pty request arrived on. :param str name: name of the requested subsystem. :return: ``True`` if this channel is now hooked up to the requested subsystem; ``False`` if that subsystem can't or won't be provided. NFT)� get_transport�_get_subsystem_handler�start)r��r1��name� transport� handler_class�args�kwargs�handlerr��r��r��check_channel_subsystem_request��s��z/ServerInterface.check_channel_subsystem_requestc��C��r��)a�� Determine if the pseudo-terminal on the given channel can be resized. This only makes sense if a pty was previously allocated on it. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the pty request arrived on. :param int width: width of screen in characters. :param int height: height of screen in characters. :param int pixelwidth: width of screen in pixels, if known (may be ``0`` if unknown). :param int pixelheight: height of screen in pixels, if known (may be ``0`` if unknown). :return: ``True`` if the terminal was resized; ``False`` if not. Fr��)r��r1��r3��r4��r5��r6��r��r��r��#check_channel_window_change_request��s��z3ServerInterface.check_channel_window_change_requestc��C��r��)a�� Determine if the client will be provided with an X11 session. If this method returns ``True``, X11 applications should be routed through new SSH channels, using `.Transport.open_x11_channel`. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the X11 request arrived on :param bool single_connection: ``True`` if only a single X11 channel should be opened, else ``False``. :param str auth_protocol: the protocol used for X11 authentication :param str auth_cookie: the cookie used to authenticate to X11 :param int screen_number: the number of the X11 screen to connect to :return: ``True`` if the X11 session was opened; ``False`` if not Fr��)r��r1��single_connection� auth_protocol�auth_cookie� screen_numberr��r��r��check_channel_x11_request��z)ServerInterface.check_channel_x11_requestc��C��r��)a�� Determine if the client will be provided with an forward agent session. If this method returns ``True``, the server will allow SSH Agent forwarding. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the request arrived on :return: ``True`` if the AgentForward was loaded; ``False`` if not If ``True`` is returned, the server should create an :class:`AgentServerProxy` to access the agent. Fr��r9��r��r��r��#check_channel_forward_agent_request��r;��z3ServerInterface.check_channel_forward_agent_requestc��C��r ��)aC�� Determine if a local port forwarding channel will be granted, and return ``OPEN_SUCCEEDED`` or an error code. This method is called in server mode when the client requests a channel, after authentication is complete. The ``chanid`` parameter is a small number that uniquely identifies the channel within a `.Transport`. A `.Channel` object is not created unless this method returns ``OPEN_SUCCEEDED`` -- once a `.Channel` object is created, you can call `.Channel.get_id` to retrieve the channel ID. The origin and destination parameters are (ip_address, port) tuples that correspond to both ends of the TCP connection in the forwarding tunnel. The return value should either be ``OPEN_SUCCEEDED`` (or ``0``) to allow the channel request, or one of the following error codes to reject it: - ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED`` - ``OPEN_FAILED_CONNECT_FAILED`` - ``OPEN_FAILED_UNKNOWN_CHANNEL_TYPE`` - ``OPEN_FAILED_RESOURCE_SHORTAGE`` The default implementation always returns ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED``. :param int chanid: ID of the channel :param tuple origin: 2-tuple containing the IP address and port of the originator (client side) :param tuple destination: 2-tuple containing the IP address and port of the destination (server side) :return: an `int` success or failure code (listed above) r ��)r��r ��origin�destinationr��r��r��"check_channel_direct_tcpip_request��s��&z2ServerInterface.check_channel_direct_tcpip_requestc��C��r��)a�� Check whether a given environment variable can be specified for the given channel. This method should return ``True`` if the server is willing to set the specified environment variable. Note that some environment variables (e.g., PATH) can be exceedingly dangerous, so blindly allowing the client to set the environment is almost certainly not a good idea. The default implementation always returns ``False``. :param channel: the `.Channel` the env request arrived on :param str name: name :param str value: Channel value :returns: A boolean Fr��)r��r1��rA��valuer��r��r��check_channel_env_request6��s��z)ServerInterface.check_channel_env_requestc��C��r��)am�� A pre-login banner to display to the user. The message may span multiple lines separated by crlf pairs. The language should be in rfc3066 style, for example: en-US The default implementation always returns ``(None, None)``. :returns: A tuple containing the banner and language code. .. versionadded:: 2.3 )NNr��r��r��r��r�� get_bannerH��s��zServerInterface.get_banner)�__name__� __module__�__qualname__�__doc__r��r��r��r��r��r��r ��r��r&��r'��r)��r-��r.��r0��r8��r:��r=��rG��rH��rM��rO��rR��rT��rV��r��r��r��r��r��"��s6�� - � � (r��c��@��s$��e�Zd�ZdZd dd�Zd dd�ZdS�)�InteractiveQueryzP A query (set of prompts) for a user during interactive authentication. ��c��G��sJ��\|\|�_�\|\|�_g�\|�_\|D�]}t\|t�r\|��\|��q\|��\|d�\|d��qdS�)a�� Create a new interactive query to send to the client. The name and instructions are optional, but are generally displayed to the end user. A list of prompts may be included, or they may be added via the `add_prompt` method. :param str name: name of this query :param str instructions: user instructions (usually short) about this query :param str prompts: one or more authentication prompts r��N)rA��instructions�prompts� isinstance�str� add_prompt)r��rA��r^��r_��xr��r��r��__init__\��s�� zInteractiveQuery.__init__Tc��C��s��\|�j��\|\|f��dS�)aa�� Add a prompt to this query. The prompt should be a (reasonably short) string. Multiple prompts can be added to the same query. :param str prompt: the user prompt :param bool echo: ``True`` (default) if the user's response should be echoed; ``False`` if not (for a password or similar) N)r_��append)r��prompt�echor��r��r��rb��q��s�� zInteractiveQuery.add_promptN)r\��r\��)T)rW��rX��rY��rZ��rd��rb��r��r��r��r��r[��W��s�� r[��c��@��s8��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd d��ZdS�) �SubsystemHandlera�� Handler for a subsystem in server mode. If you create a subclass of this class and pass it to `.Transport.set_subsystem_handler`, an object of this class will be created for each request for this subsystem. Each new object will be executed within its own new thread by calling `start_subsystem`. When that method completes, the channel is closed. For example, if you made a subclass ``MP3Handler`` and registered it as the handler for subsystem ``"mp3"``, then whenever a client has successfully authenticated and requests subsystem ``"mp3"``, an object of class ``MP3Handler`` will be created, and `start_subsystem` will be called on it from a new thread. c��C��s2��t�jj\|�\|�jd��\|\|�_\|��\|�_\|\|�_\|\|�_dS�)ak�� Create a new handler for a channel. This is used by `.ServerInterface` to start up a new handler when a channel requests this subsystem. You don't need to override this method, but if you do, be sure to pass the ``channel`` and ``name`` parameters through to the original ``__init__`` method here. :param .Channel channel: the channel associated with this subsystem request. :param str name: name of the requested subsystem. :param .ServerInterface server: the server object for the session that started this subsystem )�targetN) � threading�Threadrd��_run�_SubsystemHandler__channelr>��_SubsystemHandler__transport�_SubsystemHandler__name�_SubsystemHandler__server)r��r1��rA��serverr��r��r��rd��s �� zSubsystemHandler.__init__c��C��s��\|�j�S�)zj Return the `.ServerInterface` object associated with this channel and subsystem. )rp��rU��r��r��r�� get_server��s��zSubsystemHandler.get_serverc�� C��s��z\|�j��td�\|�j��\|��\|�j\|�j�\|�j��W�n'�ty>�}�z\|�j��td�\|�j\|��\|�j��tt � ��W�Y�d�}~nd�}~ww�z\|��W�d�S��Y�d�S�)Nz!Starting handler for subsystem {}z+Exception in subsystem handler for "{}": {})rn��_logr��formatro��start_subsystemrm�� Exceptionr��r�� tb_strings�finish_subsystem)r��er��r��r��rl��s&��zSubsystemHandler._runc��C��r��)az�� Process an ssh subsystem in server mode. This method is called on a new object (and in a new thread) for each subsystem request. It is assumed that all subsystem logic will take place here, and when the subsystem is finished, this method will return. After this method returns, the channel is closed. The combination of ``transport`` and ``channel`` are unique; this handler corresponds to exactly one `.Channel` on one `.Transport`. .. note:: It is the responsibility of this method to exit if the underlying `.Transport` is closed. This can be done by checking `.Transport.is_active` or noticing an EOF on the `.Channel`. If this method loops forever without checking for this case, your Python interpreter may refuse to exit because this thread will still be running. :param str name: name of the requested subsystem. :param .Transport transport: the server-mode `.Transport`. :param .Channel channel: the channel associated with this subsystem request. Nr��)r��rA��rB��r1��r��r��r��ru��rN��z SubsystemHandler.start_subsystemc��C��s��\|�j��dS�)z� Perform any cleanup at the end of a subsystem. The default implementation just closes the channel. .. versionadded:: 1.1 N)rm��closerU��r��r��r��rx��s��z!SubsystemHandler.finish_subsystemN) rW��rX��rY��rZ��rd��rr��rl��ru��rx��r��r��r��r��rh��~��s��rh��)rZ��rj��paramikor��paramiko.commonr��r��r��r��r��r��r[��rk��rh��r��r��r��r��<module>��s�� 9'��__pycache__/ber.cpython-310.pyc��0000644��00000006407�15030210772�0012231 0��ustar�00��o ��h��@��s^��d�dl�mZmZmZmZ�d�dlmZ�d�dlmZ�d�dlm Z �G�dd��de �ZG�dd��d�ZdS�) ��)�max_byte� zero_byte�byte_ord�byte_chrN)�b)�int64c��@��s��e�Zd�ZdS�)�BERExceptionN)�__name__� __module__�__qualname__��r��r��?/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/ber.pyr��s��r��c��@��sn��e�Zd�ZdZe��fdd�Zdd��Zdd��Zdd ��Zd d��Z dd ��Z edd��Zdd��Z dd��Zedd��ZdS�)�BERz7 Robey's tiny little attempt at a BER decoder. c��C��s��t�\|�\|�_d\|�_d�S�)Nr��)r��content�idx)�selfr��r��r��r ��__init__"��s�� zBER.__init__c��C��s��\|�j�S��N)r��r��r��r��r ��asbytes&��s��zBER.asbytesc��C��\|��S�r��)r��r��r��r��r ��__str__)��zBER.__str__c��C��s��dt�\|�j��d�S�)NzBER('z'))�reprr��r��r��r��r ��__repr__,��s��zBER.__repr__c��C��r��r��)�decode_nextr��r��r��r ��decode/��r��z BER.decodec��C��s��\|�j�t\|�j�kr d�S�t\|�j\|�j��}\|��j�d7��_�\|d@�dkrMd}\|�j�t\|�j�k�rMt\|�j\|�j��}\|��j�d7��_�\|d>�\|d@�B�}\|d@�sEn\|�j�t\|�j�k�s)\|�j�t\|�j�krWd�S�t\|�j\|�j��}\|��j�d7��_�\|d@�r�\|d@�}\|�j�\|�t\|�j�krzd�S�t�\|�j\|�j�\|�j�\|��d�}\|��j�\|7��_�\|�j�\|�t\|�j�kr�d�S�\|�j\|�j�\|�j�\|��}\|��j�\|7��_�\|dkr�\|��\|�S�\|d kr�t�\|�S�d }t\|�\|��)N��r��T�0��z.Unknown ber encoding type {:d} (robey is lazy)) r��lenr��r��util�inflate_long�decode_sequencer��format)r��ident�t�size�data�msgr��r��r ��r��2��sF�� zBER.decode_nextc��C��s0��g�}t�\|��} �\|��}\|d�u�r �\|S�\|�\|��qr��)r��r��append)r,��out�ber�xr��r��r ��r'��`��s�� zBER.decode_sequencec��C��st��\|��j�t\|�7��_�t\|�dkr&t�t\|��}\|��j�tdt\|��\|�7��_�n\|��j�tt\|��7��_�\|��j�\|7��_�d�S�)Nr ��r!��)r��r��r$��r%��deflate_long)r��r)��val�lenstrr��r��r �� encode_tlvk��s�� zBER.encode_tlvc��C��s��t�\|�tu�r\|r\|��dt��d�S�\|��dt��d�S�t�\|�tu�s$t�\|�tu�r/\|��dt�\|��d�S�t�\|�t u�r=\|��d\|��d�S�t�\|�t u�sIt�\|�tu�rT\|��d\|��\|��d�S�t d�t�\|��)Nr��r#��r"��zUnknown type for encoding: {!r})�type�boolr5��r��r��intr��r%��r2��str�list�tuple�encode_sequencer��r(��)r��r1��r��r��r ��encodeu��s��z BER.encodec��C��s"��t��}\|�D�]}\|�\|��q\|��S�r��)r��r>��r��)r,��r0��itemr��r��r ��r=��s��zBER.encode_sequenceN)r ��r ��r��__doc__�bytesr��r��r��r��r��r��staticmethodr'��r5��r>��r=��r��r��r��r ��r��s��. r��) �paramiko.commonr��r��r��r�� paramiko.utilr%��r�� paramiko.sftpr�� Exceptionr��r��r��r��r��r ��<module>��s��__pycache__/kex_curve25519.cpython-310.pyc��0000644��00000007624�15030210772�0014064 0��ustar�00��o ��hT��@��s��d�dl�Z�d�dlZd�dlmZ�d�dlmZmZ�d�dlmZm Z �d�dl mZ�d�dlm Z �d�dlmZ�edd �\ZZd d��edd �D��\ZZG�dd ��d �ZdS�)��N)�UnsupportedAlgorithm)� constant_time� serialization)�X25519PrivateKey�X25519PublicKey)�Message��byte_chr)�SSHException�� c��C��s��g�\|�]}t�\|��qS��r��)�.0�cr ��r ��J/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/kex_curve25519.py� <listcomp>��s��r��c��@��sN��e�Zd�ZejZdd��Zedd��Zdd��Z dd��Z d d ��Zdd��Zd d��Z dS�)� KexCurve25519c��C��s��\|\|�_�d�\|�_d�S��N)� transport�key)�selfr��r ��r ��r��__init__��s�� zKexCurve25519.__init__c��C��s$��zt��W�dS��ty��Y�dS�w�)NFT)r��generater��)�clsr ��r ��r��is_available��s�� zKexCurve25519.is_availablec��C��s$��\|�j��\|�}t�\|d�rtd��\|S�)Ns ��z.peer's curve25519 public value has wrong order)r��exchanger��bytes_eqr ��)r��peer_key�secretr ��r ��r��_perform_exchange$��s��zKexCurve25519._perform_exchangec��C��sn��t��\|�_\|�jjr\|�j�t��d�S�t��}\|�t ��\|� \|�j��t jjt jj��\|�j�\|��\|�j�t��d�S�r��)r��r��r��r��server_mode�_expect_packet�_MSG_KEXECDH_INITr��add_byte�c_MSG_KEXECDH_INIT� add_string� public_key�public_bytesr��Encoding�Raw�PublicFormat� _send_message�_MSG_KEXECDH_REPLY)r��mr ��r ��r�� start_kex,��s�� zKexCurve25519.start_kexc��C��sB��\|�j�jr \|tkr \|��\|�S�\|�j�js\|tkr\|��\|�S�td�\|��)Nz.KexCurve25519 asked to handle packet type {:d})r��r ��r"��_parse_kexecdh_initr,��_parse_kexecdh_replyr ��format)r��ptyper-��r ��r ��r�� parse_next<��s�� zKexCurve25519.parse_nextc�� C��s ��\|��}t�\|�}\|��\|�}tt�\|�d�}t��}\|�\|�j j \|�j j\|�j j\|�j j ��\|�j ��}\|�j��tjjtjj�}\|�\|��\|�\|��\|�\|��\|�\|��\|��\|��}\|�j �\|\|��\|�j ��\|\|�j j�} t��}\|�t��\|�\|��\|�\|��\|�\| ��\|�j � \|��\|�j �!��d�S��N��)"� get_stringr��from_public_bytesr��int�binascii�hexlifyr��addr��remote_version� local_version�remote_kex_init�local_kex_init�get_server_key�asbytesr��r&��r'��r��r(��r)��r��r%�� add_mpint� hash_algo�digest�_set_K_H� sign_ssh_data� host_key_typer#��c_MSG_KEXECDH_REPLYr+��_activate_outbound) r��r-��peer_key_bytesr��K�hm�server_key_bytes�exchange_key_bytes�H�sigr ��r ��r��r/��E��s>�� z!KexCurve25519._parse_kexecdh_initc��C��s��\|��}\|��}\|��}t�\|�}\|��\|�}tt�\|�d�}t��}\|� \|�j j\|�j j\|�j j \|�j j��\|�\|��\|�\|�j��tjjtjj��\|�\|��\|�\|��\|�j �\|\|��\|��\|�j �\|\|��\|�j ��d�S�r4��)r6�� get_binaryr��r7��r��r8��r9��r:��r��r;��r��r=��r<��r?��r>��r%��r��r&��r'��r��r(��r)��r��rB��rE��rC��rA��rD��_verify_keyrI��)r��r-��peer_host_key_bytesrJ��rP��r��rK��rL��r ��r ��r��r0��h��s0�� z"KexCurve25519._parse_kexecdh_replyN)�__name__� __module__�__qualname__�hashlib�sha256rC��r��classmethodr��r��r.��r3��r/��r0��r ��r ��r ��r��r��s�� #r��)r9��rW��cryptography.exceptionsr��cryptography.hazmat.primitivesr��r��0cryptography.hazmat.primitives.asymmetric.x25519r��r��paramiko.messager��paramiko.commonr ��paramiko.ssh_exceptionr ��ranger"��r,��r$��rH��r��r ��r ��r ��r��<module>��s��__pycache__/kex_gss.cpython-310.pyc��0000644��00000040235�15030210772�0013121 0��ustar�00��o ��h�_��@��s��d�Z�ddlZddlmZ�ddlmZmZmZmZm Z m Z �ddlmZ�ddl mZ�ddlmZ�edd �\ZZZZZed d�\ZZdd ��edd �D��\ZZZZZdd ��ed d�D��\ZZG�dd��d�Z G�dd��de �Z!G�dd��d�Z"G�dd��d�Z#dS�)a�� This module provides GSS-API / SSPI Key Exchange as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. note:: `RFC 4462 Section 2.2 <https://tools.ietf.org/html/rfc4462.html#section-2.2>`_ says we are not required to implement GSS-API error messages. Thus, in many methods within this module, if an error occurs an exception will be thrown and the connection will be terminated. .. seealso:: :doc:`/api/ssh_gss` .. versionadded:: 1.15 ��N)�sha1)�DEBUG�max_byte� zero_byte�byte_chr� byte_mask�byte_ord)�util)�Message)�SSHException��#��(����c��C��g�\|�]}t�\|��qS��r��.0�cr��r��C/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/kex_gss.py� <listcomp>F��s��r��c��C��r��r��r��r��r��r��r��r��G��s��c��@��s\|��e�Zd�ZdZdZdZed�ed��Ze d�Z dZdd ��Zd d��Z dd ��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��ZdS�)�KexGSSGroup1z� GSS-API / SSPI Authenticated Diffie-Hellman Key Exchange as defined in `RFC 4462 Section 2 <https://tools.ietf.org/html/rfc4462.html#section-2>`_ lE��8�{3If?�E y�Z�3�V�58n�oP�e�?a-� �tBL� �y3W[�<�p�6m5��P��&a�F!�33�w& �AR�M;L}.�c\|&A�@�h\�&&#-D�v�d��z(gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==c��C��s,��\|\|�_�\|�j�j\|�_d�\|�_d\|�_d\|�_d\|�_d�S�)Nr��)� transport�kexgss_ctxt�kexgss�gss_host�x�e�f��selfr��r��r��r��__init__Y��s�� zKexGSSGroup1.__init__c��C��s��\|��\|�jjrt\|�j\|�j\|�j�\|�_\|�j�t ��dS�t\|�j\|�j\|�j�\|�_ \|�jj\|�_t��}\|� t��\|�\|�jj\|�jd��\|�\|�j ��\|�j�\|��\|�j�tttt��dS�)zU Start the GSS-API / SSPI Authenticated Diffie-Hellman Key Exchange. N��target)�_generate_xr��server_mode�pow�Gr!��Pr#��_expect_packet�MSG_KEXGSS_INITr"��r ��r ��add_byte�c_MSG_KEXGSS_INIT� add_stringr��ssh_init_sec_context� add_mpint� _send_message�MSG_KEXGSS_HOSTKEY�MSG_KEXGSS_CONTINUE�MSG_KEXGSS_COMPLETE�MSG_KEXGSS_ERROR�r%��mr��r��r�� start_kexa��s$�� zKexGSSGroup1.start_kexc��C��s��\|�j�jr \|tkr \|��\|�S�\|�j�js\|tkr\|��\|�S�\|�j�jr'\|tkr'\|��\|�S�\|�j�js4\|tkr4\|�� \|�S�\|t kr=\|��\|�S�d}t\|� \|��)�� Parse the next packet. :param ptype: The (string) type of the incoming packet :param `.Message` m: The packet content z.GSS KexGroup1 asked to handle packet type {:d})r��r��r/��_parse_kexgss_initr6��_parse_kexgss_hostkeyr7��_parse_kexgss_continuer8��_parse_kexgss_completer9��_parse_kexgss_errorr��format�r%��ptyper;��msgr��r��r�� parse_next{��s�� zKexGSSGroup1.parse_nextc��C��sV�� t��d�}t\|d�d�\|dd��}\|dd��}\|\|�j\|�jfvr"nqt�\|�\|�_dS�)ap�� generate an "x" (1 < x < q), where q is (p-1)/2. p is a 128-byte (1024-bit) number, where the first 64 bits are 1. therefore q can be approximated as a 2^1023. we drop the subset of potential x where the first 63 bits are 1, because some of those will be larger than q (but this is a tiny tiny subset of potential x). ��r��r��Nr��)�os�urandomr��b7fffffffffffffff�b0000000000000000r ��inflate_longr!��)r%��x_bytes�firstr��r��r��r)��s�� zKexGSSGroup1._generate_xc��C��8��\|��}\|\|�j_\|��}\|�j�\|\|��\|�j�tt��dS�)z� Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message N�� get_stringr��host_key�_verify_keyr.��r7��r8��r%��r;��rT��sigr��r��r��r?�� z"KexGSSGroup1._parse_kexgss_hostkeyc��C��^��\|�j�js,\|��}t��}\|�t��\|�\|�jj\|�j \|d��\|�j�� \|��\|�j��tt t��dS� �dS�)z� Parse the SSH2_MSG_KEXGSS_CONTINUE message. :param `.Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message �r(�� recv_tokenN�r��r��rS��r ��r0��c_MSG_KEXGSS_CONTINUEr2��r��r3��r ��send_messager.��r7��r8��r9��r%��r;�� srv_tokenr��r��r��r@��s�� z#KexGSSGroup1._parse_kexgss_continuec��C��s:��\|�j�jdu�rt��\|�j�_\|��\|�_\|�jdk�s\|�j\|�jd�kr!td��\|��}\|��}d}\|r1\|��}t \|�j\|�j \|�j�}t��}\|�\|�j�j \|�j�j\|�j�j\|�j�j��\|�\|�j�j��\|�\|�j��\|�\|�j��\|�\|��tt\|��}\|�j��\|\|��\|dur�\|�jj\|�j\|d��\|�j�\|\|��n\|�j�\|\|��d\|�j�_\|�j��dS�)z� Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message NrH��Server kex "f" is out of rangerZ��T)r��rT��NullHostKey� get_mpintr#��r-��r��rS��get_booleanr+��r!��r ��add� local_version�remote_version�local_kex_init�remote_kex_initr2��__str__r4��r"��r��str�digest�_set_K_Hr��r3��r �� ssh_check_mic�gss_kex_used�_activate_outbound�r%��r;�� mic_token�boolr`��K�hm�Hr��r��r��rA��s@�� z#KexGSSGroup1._parse_kexgss_completec�� C��s��\|��}\|��\|�_\|�jdk�s\|�j\|�jd�krtd��t\|�j\|�j\|�j�}t��\|�j_ \|�jj � ��}t��}\|�\|�jj \|�jj\|�jj\|�jj��\|�\|��\|�\|�j��\|�\|�j��\|�\|��t\|��}\|�j�\|\|��\|�j�\|�j\|�}t��}\|�jjr�\|�jj\|�jjdd�}\|�t��\|�\|�j��\|�\|��\|dur�\|� d��\|�\|��n\|� d��\|�j�!\|��d\|�j_"\|�j�#��dS�\|�t$��\|�\|��\|�j�!\|��\|�j�%t&t't(��dS�)z� Parse the SSH2_MSG_KEXGSS_INIT message (server mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_INIT message rH��Client kex "e" is out of rangeT��gss_kexNF))rS��rc��r"��r-��r��r+��r!��rb��r��rT��rj��r ��re��rg��rf��ri��rh��r2��r4��r#��r��asbytesrl��rm��r��ssh_accept_sec_contextr ��_gss_srv_ctxt_status�ssh_get_mic� session_idr0��c_MSG_KEXGSS_COMPLETE�add_booleanr5��ro��rp��r]��r.��r7��r8��r9�� r%��r;��client_tokenrt��keyru��rv��r`��rr��r��r��r��r>��sX�� zKexGSSGroup1._parse_kexgss_initc��C��2��\|��}\|��}\|��}\|��td�\|\|\|��)a�� Parse the SSH2_MSG_KEXGSS_ERROR message (client mode). The server may send a GSS-API error message. if it does, we display the error by throwing an exception (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message :raise SSHException: Contains GSS-API major and minor status as well as the error message and the language tag of the message �CGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} ��get_intrS��r��rC��r%��r;�� maj_status� min_status�err_msgr��r��r��rB����z KexGSSGroup1._parse_kexgss_errorN)�__name__� __module__�__qualname__�__doc__r-��r,��r��r��rL��r��rM��NAMEr&��r<��rG��r)��r?��r@��rA��r>��rB��r��r��r��r��r��L��s �� -8r��c��@��s��e�Zd�ZdZdZdZdZdS�)� KexGSSGroup14z� GSS-API / SSPI Authenticated Diffie-Hellman Group14 Key Exchange as defined in `RFC 4462 Section 2 <https://tools.ietf.org/html/rfc4462.html#section-2>`_ l��&�U�G9 tcb0]Q\-�:�$�90.`U�_�b;YS7x]Ek�`:xds�!,w<G�8�qbdR_��h��d�d��Y6K�pRT{�U�j�K�#�Gt\|�L��4�S�8� �FYpw,(.>��=�H�G2C�d�c_�.K?&j�_�c�}�z[\V�_1M.D�^�/1v5I �j�V&\|� �/�mV�lR�<6#�{n4�(EY91�T�:�g8 H �Ap�cb4B�B�j~H��r��z)gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==N)r��r��r��r��r-��r,��r��r��r��r��r��r��D��s ��r��c��@��sx��e�Zd�ZdZdZdZdZdZdd��Zdd ��Z d d��Z dd ��Zdd��Zdd��Z dd��Zdd��Zdd��Zdd��Zdd��ZdS�)� KexGSSGexz� GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange as defined in `RFC 4462 Section 2 <https://tools.ietf.org/html/rfc4462.html#section-2>`_ z%gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==�� i��c��C��sD��\|\|�_�\|�j�j\|�_d�\|�_d�\|�_d�\|�_d�\|�_d�\|�_d�\|�_d�\|�_ d\|�_ d�S�)NF)r��r��r��r ��p�q�gr!��r"��r#�� old_styler$��r��r��r��r&��[��s�� zKexGSSGex.__init__c��C��sr��\|�j�jr\|�j��t��dS�\|�j�j\|�_t��}\|�t��\|�\|�j ��\|�\|�j ��\|�\|�j��\|�j��\|��\|�j��t ��dS�)zV Start the GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange N)r��r��r.��MSG_KEXGSS_GROUPREQr ��r ��r0��c_MSG_KEXGSS_GROUPREQ�add_int�min_bits�preferred_bits�max_bitsr5��MSG_KEXGSS_GROUPr:��r��r��r��r<��g��s�� zKexGSSGex.start_kexc��C��s��\|t�kr \|��\|�S�\|tkr\|��\|�S�\|tkr\|��\|�S�\|tkr$\|��\|�S�\|tkr-\|�� \|�S�\|t kr6\|��\|�S�\|tkr?\|�� \|�S�d}t\|�\|��)r=��z'KexGex asked to handle packet type {:d})r��_parse_kexgss_groupreqr��_parse_kexgss_groupr/��_parse_kexgss_gex_initr6��r?��r7��r@��r8��rA��r9��rB��r��rC��rD��r��r��r��rG��z��s �� zKexGSSGex.parse_nextc��C��s��\|�j�d�d�}t�\|d�}t\|d��}t\|�}d}\|d@�s)\|dK�}\|dL�}\|d@�r �t�\|�}t\|d�\|�\|dd��}t�\|d�}\|dkrK\|\|k�rKnq\|\|�_ d�S�)NrH��r��r��rI��) r��r ��deflate_longr��lenrJ��rK��r��rN��r!��)r%��r��qnorm�qhbyte� byte_count�qmaskrO��r!��r��r��r��r)��s"�� zKexGSSGex._generate_xc��C��s��\|��}\|��}\|��}\|\|�jkr\|�j}\|\|�jk�r\|�j}\|\|kr"\|}\|\|k�r(\|}\|\|�_\|\|�_\|\|�_\|�j��}\|du�r>td��\|�j�td� \|\|\|��\|� \|\|\|�\\|�_\|�_t ��}\|�t��\|�\|�j��\|�\|�j��\|�j�\|��\|�j�t��dS�)z� Parse the SSH2_MSG_KEXGSS_GROUPREQ message (server mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_GROUPREQ message Nz-Can't do server-side gex with no modulus packzPicking p ({} <= {} <= {} bits))r��r��r��r��r��_get_modulus_packr��_logr��rC��get_modulusr��r��r ��r0��c_MSG_KEXGSS_GROUPr4��r5��r.��r/��)r%��r;��minbits� preferredbits�maxbits�packr��r��r��r��s<�� z KexGSSGex._parse_kexgss_groupreqc��C��s��\|��\|�_\|��\|�_t�\|�j�}\|dk�s\|dkrtd�\|��\|�j�t d�\|��\|�� t\|�j\|�j\|�j�\|�_ t��}\|�t��\|�\|�jj\|�jd��\|�\|�j ��\|�j�\|��\|�j�tttt��dS�)z� Parse the SSH2_MSG_KEXGSS_GROUP message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_GROUP message r��r��z<Server-generated gex p (don't ask) is out of range ({} bits)zGot server p ({} bits)r'��N)rc��r��r��r �� bit_lengthr��rC��r��r��r��r)��r+��r!��r"��r ��r0��r1��r2��r��r3��r ��r4��r5��r.��r6��r7��r8��r9��)r%��r;��bitlenr��r��r��r��s0�� zKexGSSGex._parse_kexgss_groupc�� C��s��\|��}\|��\|�_\|�jdk�s\|�j\|�jd�krtd��\|��t\|�j\|�j\|�j�\|�_ t\|�j\|�j\|�j�}t ��\|�j_\|�jj� ��}t��}\|�\|�jj\|�jj\|�jj\|�jj\|��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j ��\|�\|��t\|��}\|�j�\|\|��\|�j�\|�j\|�}t��}\|�jj r�\|�jj!\|�jj"dd�}\|�#t$��\|�\|�j ��\|�%\|��\|dur�\|�&d��\|�%\|��n\|�&d��\|�j�'\|��d\|�j_(\|�j�)��dS�\|�#t��\|�%\|��\|�j�'\|��\|�j�+t,t-t.��dS�)z� Parse the SSH2_MSG_KEXGSS_INIT message (server mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_INIT message rH��rw��Trx��NF)/rS��rc��r"��r��r��r)��r+��r��r!��r#��rb��r��rT��rj��r ��re��rg��rf��ri��rh��r��r��r��r��r4��r��rz��rl��rm��r��r{��r ��r\|��r}��r~��r0��r��r2��r��r5��ro��rp��r]��r.��r7��r8��r9��r��r��r��r��r��sf�� z KexGSSGex._parse_kexgss_gex_initc��C��rQ��)z� Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message NrR��rV��r��r��r��r?��1��rX��zKexGSSGex._parse_kexgss_hostkeyc��C��rY��)z� Parse the SSH2_MSG_KEXGSS_CONTINUE message. :param `Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message rZ��Nr\��r_��r��r��r��r@��>��s�� z KexGSSGex._parse_kexgss_continuec��C��sz��\|�j�jdu�rt��\|�j�_\|��\|�_\|��}\|��}d}\|r \|��}\|�jdk�s-\|�j\|�jd�kr1td��t \|�j\|�j \|�j�}t��}\|�\|�j�j \|�j�j\|�j�j\|�j�j\|�j�j��\|�js[\|�\|�j��\|�\|�j��\|�jsj\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|��t\|��}\|�j��\|\|��\|dur�\|�jj\|�j \|d��\|�j�!\|\|��n\|�j�!\|\|��d\|�j�_"\|�j��#��dS�)z� Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message NrH��ra��rZ��T)$r��rT��rb��rc��r#��rS��rd��r��r��r+��r!��r ��re��rf��rg��rh��ri��rj��r��r��r��r��r��r4��r��r"��r��rz��rl��rm��r��r3��r ��rn��ro��rp��rq��r��r��r��rA��T��sN�� z KexGSSGex._parse_kexgss_completec��C��r��)a�� Parse the SSH2_MSG_KEXGSS_ERROR message (client mode). The server may send a GSS-API error message. if it does, we display the error by throwing an exception (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message :raise SSHException: Contains GSS-API major and minor status as well as the error message and the language tag of the message r��r��r��r��r��r��rB��r��zKexGSSGex._parse_kexgss_errorN)r��r��r��r��r��r��r��r��r&��r<��rG��r)��r��r��r��r?��r@��rA��rB��r��r��r��r��r��P��s"��,!> 2r��c��@��s(��e�Zd�ZdZdd��Zdd��Zdd��ZdS�) rb��z� This class represents the Null Host Key for GSS-API Key Exchange as defined in `RFC 4462 Section 5 <https://tools.ietf.org/html/rfc4462.html#section-5>`_ c��C��s ��d\|�_�d�S�)N��r��r%��r��r��r��r&��s�� zNullHostKey.__init__c��C��\|�j�S��Nr��r��r��r��r��rj��zNullHostKey.__str__c��C��r��r��r��r��r��r��r��get_name��r��zNullHostKey.get_nameN)r��r��r��r��r&��rj��r��r��r��r��r��rb��s ��rb��)$r��rJ��hashlibr��paramiko.commonr��r��r��r��r��r��paramikor ��paramiko.messager ��paramiko.ssh_exceptionr��ranger/��r7��r8��r6��r9��r��r��r1��r]��r��c_MSG_KEXGSS_HOSTKEY�c_MSG_KEXGSS_ERRORr��r��r��r��r��rb��r��r��r��r��<module>��s@�� y��R��__pycache__/proxy.cpython-310.pyc��0000644��00000006704�15030210772�0012642 0��ustar�00��o ��h(�� @��s��d�dl�Z�d�dlZd�dlZd�dlmZ�d�dlZd�dlZd\ZZzd�dlZW�n�ey8�Z �ze ZW�Y�dZ [ ndZ [ ww�d�dl mZ�d�dlm Z �G�dd��de �ZdS�)��N)�select)NN)�ProxyCommandFailure)�ClosingContextManagerc��@��sP��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zed d��Z edd ��Z dd��ZdS�)�ProxyCommanda�� Wraps a subprocess running ProxyCommand-driven programs. This class implements a the socket-like interface needed by the `.Transport` and `.Packetizer` classes. Using this class instead of a regular socket makes it possible to talk with a Popen'd command that will proxy traffic between the client and a server hosted in another machine. Instances of this class may be used as context managers. c��C��s@��t�du�rt�t�\|�\|�_t�j\|�jt�jt�jt�jdd�\|�_d\|�_dS�)a�� Create a new CommandProxy instance. The instance created by this class can be passed as an argument to the `.Transport` class. :param str command_line: the command that should be executed and used as the proxy. Nr��)�stdin�stdout�stderr�bufsize) � subprocess�subprocess_import_error�shlex�split�cmd�Popen�PIPE�process�timeout)�self�command_line��r��A/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/proxy.py�__init__3��s�� zProxyCommand.__init__c�� C��sF��z\|�j�j�\|��W�t\|�S��ty"�}�z td�\|�j�\|j��d}~ww�)z� Write the content received from the SSH client to the standard input of the forked command. :param str content: string to be sent to the forked command � N) r��r��write�IOErrorr��joinr��strerror�len)r��content�er��r��r��sendG��s��zProxyCommand.sendc�� C��s��zWd}t��}t\|�\|k�rUd}\|�jdur(t��\|�}\|\|�jkr#t��\|�j\|�}t\|�jjgg�g�\|�\}}}\|rO\|d�\|�jjkrO\|t�\|�jj� ��\|t\|��7�}t\|�\|k�s \|W�S��tjyf��\|re\|�Y�S��t y{�} �z td�\|�j �\| j��d} ~ ww�)z� Read from the standard output of the forked program. :param int size: how many chars should be read :return: the string of bytes read, which may be shorter than requested ��Nr��r��)�timer��r��socketr��r��r��os�read�filenor��r��r��r��r��) r��size�buffer�start�select_timeout�elapsed�r�w�xr��r��r��r��recvX��s2�� zProxyCommand.recvc��C��s��t��\|�jjtj��d�S��N)r$��killr��pid�signal�SIGTERM�r��r��r��r��closey��s��zProxyCommand.closec��C��s��\|�j�jd�uS�r0��)r�� returncoder5��r��r��r��closed\|��s��zProxyCommand.closedc��C��s��\|�j�S�r0��)r8��r5��r��r��r��_closed��s��zProxyCommand._closedc��C��s ��\|\|�_�d�S�r0��)r��)r��r��r��r��r�� settimeout��s�� zProxyCommand.settimeoutN)�__name__� __module__�__qualname__�__doc__r��r ��r/��r6��propertyr8��r9��r:��r��r��r��r��r��'��s��! r��)r$��r��r3��r��r#��r"��r ��r��ImportErrorr��paramiko.ssh_exceptionr�� paramiko.utilr��r��r��r��r��r��<module>��s ��__pycache__/__init__.cpython-310.pyc��0000644��00000006777�15030210772�0013232 0��ustar�00��o ��h^��@��st��d�dl�Z�d�dlmZmZ�d�dlmZmZmZ�d�dlm Z m Z mZmZm Z �d�dlmZ�d�dlmZmZmZmZmZmZmZmZmZmZ�d�dlmZmZmZ�d�dlm Z m!Z!m"Z"m#Z#�d�d l$m%Z%m&Z&m'Z'm(Z(m)Z)mZm+Z+m,Z,m-Z-m.Z.m/Z/�d�d l0m1Z1m2Z2m3Z3�d�dl4m5Z5�d�dl6m7Z7�d�d l8m9Z9�d�dl:m;Z;�d�dl<m=Z=m>Z>�d�dl?m@Z@mAZA�d�dlBmCZC�d�dlDmEZE�d�dlFmGZG�d�dlHmIZI�d�dlJmKZK�d�dlLmMZM�d�dlNmOZO�d�dlPmQZQ�d�dlRmSZSmTZT�d�dlUmVZVmWZWmXZX�d�dlYmZZZ�d�dl[m\Z\m]Z]�d�dl^m_Z_�d�dl`maZambZbmcZcmdZdmeZemfZfmgZgmhZh�d�dl<miZimjZjmkZkmlZlmmZmmnZnmoZompZpmqZq�d�d l`mrZr�e7e5e;e9gZsd!Ztd"Zug�d#�ZvdS�)$��N)�__version__�__version_info__)�SecurityOptions�ServiceRequestingTransport� Transport)� AutoAddPolicy�MissingHostKeyPolicy�RejectPolicy� SSHClient� WarningPolicy)�AuthHandler) �AuthFailure�AuthStrategy� AuthResult� AuthSource�InMemoryPrivateKey�NoneAuth�OnDiskPrivateKey�Password� PrivateKey�SourceResult)�GSSAuth�GSS_AUTH_AVAILABLE�GSS_EXCEPTIONS)�Channel�ChannelFile�ChannelStderrFile�ChannelStdinFile)�AuthenticationException�BadAuthenticationType�BadHostKeyException�ChannelException�ConfigParseError�CouldNotCanonicalize�IncompatiblePeer�MessageOrderError�PasswordRequiredException�ProxyCommandFailure�SSHException)�ServerInterface�SubsystemHandler�InteractiveQuery)�RSAKey)�DSSKey)�ECDSAKey)� Ed25519Key)� SFTPError�BaseSFTP)�SFTP� SFTPClient)� SFTPServer)�SFTPAttributes)� SFTPHandle)�SFTPServerInterface)�SFTPFile)�Message)� Packetizer)�BufferedFile)�Agent�AgentKey)�PKey� PublicBlob�UnknownKeyType)�HostKeys)� SSHConfig� SSHConfigDict)�ProxyCommand)�AUTH_SUCCESSFUL�AUTH_PARTIALLY_SUCCESSFUL�AUTH_FAILED�OPEN_SUCCEEDED�'OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED�OPEN_FAILED_CONNECT_FAILED� OPEN_FAILED_UNKNOWN_CHANNEL_TYPE�OPEN_FAILED_RESOURCE_SHORTAGE) �SFTP_OK�SFTP_EOF�SFTP_NO_SUCH_FILE�SFTP_PERMISSION_DENIED�SFTP_FAILURE�SFTP_BAD_MESSAGE�SFTP_NO_CONNECTION�SFTP_CONNECTION_LOST�SFTP_OP_UNSUPPORTED)�io_sleepz"Jeff Forcier <jeff@bitprophet.org>z(GNU Lesser General Public License (LGPL))r<��r=��r��r��r��r ��r;��r��r!��r"��r#��r-��r.��r/��rA��r9��r��r>��r&��rD��r'��r,��r ��r2��r5��r3��r0��r8��r6��r4��r7��r ��rB��rC��r(��r��r)��r��r��r��rV��util)w�sys�paramiko._versionr��r��paramiko.transportr��r��r��paramiko.clientr��r��r ��r ��r��paramiko.auth_handlerr��paramiko.auth_strategyr ��r��r��r��r��r��r��r��r��r��paramiko.ssh_gssr��r��r��paramiko.channelr��r��r��r��paramiko.ssh_exceptionr��r��r ��r!��r"��r#��r$��r%��r&��r'��r(��paramiko.serverr)��r��r+��paramiko.rsakeyr,��paramiko.dsskeyr-��paramiko.ecdsakeyr.��paramiko.ed25519keyr/�� paramiko.sftpr0��r1��paramiko.sftp_clientr2��r3��paramiko.sftp_serverr4��paramiko.sftp_attrr5��paramiko.sftp_handler6��paramiko.sftp_sir7��paramiko.sftp_filer8��paramiko.messager9��paramiko.packetr:�� paramiko.filer;��paramiko.agentr<��r=�� paramiko.pkeyr>��r?��r@��paramiko.hostkeysrA��paramiko.configrB��rC��paramiko.proxyrD��paramiko.commonrE��rF��rG��rH��rI��rJ��rK��rL��rM��rN��rO��rP��rQ��rR��rS��rT��rU��rV��key_classes� __author__�__license__�__all__��rz��rz��D/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/__init__.py�<module>��sH��04 (,�__pycache__/client.cpython-310.pyc��0000644��00000062627�15030210772�0012745 0��ustar�00��o ��h��@��s&��d�Z�ddlmZ�ddlZddlZddlZddlZddlZddlm Z m Z �ddlmZ�ddl mZ�ddlmZ�ddlmZ�dd lmZ�dd lmZ�ddlmZ�ddlmZ�dd lmZmZmZ�ddlm Z �ddl!m"Z"�G�dd��de"�Z#G�dd��d�Z$G�dd��de$�Z%G�dd��de$�Z&G�dd��de$�Z'dS�)z SSH client & key policies ��)�hexlifyN)�ECONNREFUSED�EHOSTUNREACH)�Agent)�DEBUG)�SSH_PORT)�DSSKey)�ECDSAKey)� Ed25519Key)�HostKeys)�RSAKey)�SSHException�BadHostKeyException�NoValidConnectionsError)� Transport)�ClosingContextManagerc��@��s��e�Zd�ZdZdd��Zd,dd�Zdd��Zd d ��Zdd��Zd d��Z dd��Z dd��Zedddddddddddddddddddddfdd�Z dd��Z d-dd�Z d.d d!�Zd"d#��Zd$d%��Zd&d'��Zd(d)��Zdd+��ZdS�)/� SSHClienta�� A high-level representation of a session with an SSH server. This class wraps `.Transport`, `.Channel`, and `.SFTPClient` to take care of most aspects of authenticating and opening channels. A typical use case is:: client = SSHClient() client.load_system_host_keys() client.connect('ssh.example.com') stdin, stdout, stderr = client.exec_command('ls -l') You may pass in explicit overrides for authentication and server host key checking. The default mechanism is to try to use local key files or an SSH agent (if one is running). Instances of this class may be used as context managers. .. versionadded:: 1.6 c��C��s4��t��\|�_t��\|�_d\|�_d\|�_t��\|�_d\|�_d\|�_dS�)z) Create a new SSHClient. N) r��_system_host_keys� _host_keys�_host_keys_filename�_log_channel�RejectPolicy�_policy� _transport�_agent��self��r��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/client.py�__init__D��s�� zSSHClient.__init__Nc��C��sL��\|du�rt�j�d�}z \|�j�\|��W�dS��ty��Y�dS�w�\|�j�\|��dS�)a�� Load host keys from a system (read-only) file. Host keys read with this method will not be saved back by `save_host_keys`. This method can be called multiple times. Each new set of host keys will be merged with the existing set (new replacing old if there are conflicts). If ``filename`` is left as ``None``, an attempt will be made to read keys from the user's local "known hosts" file, as used by OpenSSH, and no exception will be raised if the file can't be read. This is probably only useful on posix. :param str filename: the filename to read, or ``None`` :raises: ``IOError`` -- if a filename was provided and the file could not be read Nz~/.ssh/known_hosts)�os�path� expanduserr��load�IOError�r��filenamer��r��r��load_system_host_keysP��s��zSSHClient.load_system_host_keysc��C��s��\|\|�_�\|�j�\|��dS�)a�� Load host keys from a local host-key file. Host keys read with this method will be checked after keys loaded via `load_system_host_keys`, but will be saved back by `save_host_keys` (so they can be modified). The missing host key policy `.AutoAddPolicy` adds keys to this set and saves them, when connecting to a previously-unknown server. This method can be called multiple times. Each new set of host keys will be merged with the existing set (new replacing old if there are conflicts). When automatically saving, the last hostname is used. :param str filename: the filename to read :raises: ``IOError`` -- if the filename could not be read N)r��r��r#��r%��r��r��r��load_host_keysm��s��zSSHClient.load_host_keysc��C��s��\|�j�dur\|��\|�j��t\|d��(}\|�j��D�]\}}\|��D�]\}}\|�d�\|\|\|��qqW�d��dS�1�s;w��Y��dS�)aO�� Save the host keys back to a file. Only the host keys loaded with `load_host_keys` (plus any added directly) will be saved -- not any host keys loaded with `load_system_host_keys`. :param str filename: the filename to save to :raises: ``IOError`` -- if the file could not be written N�wz {} {} {} )r��r(��openr��items�write�format� get_base64)r��r&��f�hostname�keys�keytype�keyr��r��r��save_host_keys��s�� "�zSSHClient.save_host_keysc��C��\|�j�S�)z� Get the local `.HostKeys` object. This can be used to examine the local host keys or change them. :return: the local host keys as a `.HostKeys` object. )r��r��r��r��r�� get_host_keys��s��zSSHClient.get_host_keysc��C��s ��\|\|�_�dS�)z� Set the channel for logging. The default is ``"paramiko.transport"`` but it can be set to anything you want. :param str name: new channel name for logging N)r��)r��namer��r��r��set_log_channel��s�� zSSHClient.set_log_channelc��C��s��t��\|�r\|��}\|\|�_dS�)a�� Set policy to use when connecting to servers without a known host key. Specifically: A policy is a "policy class" (or instance thereof), namely some subclass of `.MissingHostKeyPolicy` such as `.RejectPolicy` (the default), `.AutoAddPolicy`, `.WarningPolicy`, or a user-created subclass. * A host key is known when it appears in the client object's cached host keys structures (those manipulated by `load_system_host_keys` and/or `load_host_keys`). :param .MissingHostKeyPolicy policy: the policy to use when receiving a host key from a previously-unknown server N)�inspect�isclassr��)r��policyr��r��r��set_missing_host_key_policy��s�� z%SSHClient.set_missing_host_key_policyc��c��sp��d}t��\|\|t�jt�j�}\|D�]\}}}}} \|t�jkr"\|\| fV��d}q\|r4\|D�]\}} } } } \|\| fV��q'dS�dS�)a �� Yield pairs of address families and addresses to try for connecting. :param str hostname: the server to connect to :param int port: the server port to connect to :returns: Yields an iterable of ``(family, address)`` tuples TFN)�socket�getaddrinfo� AF_UNSPEC�SOCK_STREAM)r��r0��port�guess� addrinfos�family�socktype�proto� canonname�sockaddr�_r��r��r��_families_and_addresses��s�� z!SSHClient._families_and_addressesTFc��%�� s��\|sci�}t�\|��\|\|��}\|D�]H\}}zt�\|tj�}\|durz\|�\|��W�n��Y�\|�\|��W��n%�tjyV�}�z\|r@\|��\|jt t fvrH��\|\|\|<�W�Y�d}~qd}~ww�t\|�t\|�krct\|��\|du�rit }\|\|\| \|\|d��}\|�_\|j\| d��\|j\|p\|\|\|p�\| d��\|�jdur�\|�\|�j��\|dur�\|\|_\|dur�\|\|_\|dur�\|\|_\|tkr�\|}nd�\|\|�}d}\|�j�\|�}\|du�r�\|�j�\|�}\|dur�\|��d��\|��} ��fdd�\| jD��}!��g\|!�\| _\|j\|d ��\|�jj�s\|� ��}"\|du�r�\|�j!�"\|�\|\|"��n\|�\|"�#��}#\|#\|"k�r\|#du��rt�\|�$��d�}#t%\|\|"\|#��\|du��r't&�'��}\|du�r2\|j(\|d �S�\|du��r:g�}$nt)\|t��rD\|g}$n\|}$\|��+\|\|\|\|$\|\| \|\| \|\|j,\|��dS�)a\�� Connect to an SSH server and authenticate to it. The server's host key is checked against the system host keys (see `load_system_host_keys`) and any local host keys (`load_host_keys`). If the server's hostname is not found in either set of host keys, the missing host key policy is used (see `set_missing_host_key_policy`). The default policy is to reject the key and raise an `.SSHException`. Authentication is attempted in the following order of priority: - The ``pkey`` or ``key_filename`` passed in (if any) - ``key_filename`` may contain OpenSSH public certificate paths as well as regular private-key paths; when files ending in ``-cert.pub`` are found, they are assumed to match a private key, and both components will be loaded. (The private key itself does not need to be listed in ``key_filename`` for this to occur - just the certificate.) - Any key we can find through an SSH agent - Any "id_rsa", "id_dsa" or "id_ecdsa" key discoverable in ``~/.ssh/`` - When OpenSSH-style public certificates exist that match an existing such private key (so e.g. one has ``id_rsa`` and ``id_rsa-cert.pub``) the certificate will be loaded alongside the private key and used for authentication. - Plain username/password auth, if a password was given If a private key requires a password to unlock it, and a password is passed in, that password will be used to attempt to unlock the key. :param str hostname: the server to connect to :param int port: the server port to connect to :param str username: the username to authenticate as (defaults to the current local username) :param str password: Used for password authentication; is also used for private key decryption if ``passphrase`` is not given. :param str passphrase: Used for decrypting private keys. :param .PKey pkey: an optional private key to use for authentication :param str key_filename: the filename, or list of filenames, of optional private key(s) and/or certs to try for authentication :param float timeout: an optional timeout (in seconds) for the TCP connect :param bool allow_agent: set to False to disable connecting to the SSH agent :param bool look_for_keys: set to False to disable searching for discoverable private key files in ``~/.ssh/`` :param bool compress: set to True to turn on compression :param socket sock: an open socket or socket-like object (such as a `.Channel`) to use for communication to the target host :param bool gss_auth: ``True`` if you want to use GSS-API authentication :param bool gss_kex: Perform GSS-API Key Exchange and user authentication :param bool gss_deleg_creds: Delegate GSS-API client credentials or not :param str gss_host: The targets name in the kerberos database. default: hostname :param bool gss_trust_dns: Indicates whether or not the DNS is trusted to securely canonicalize the name of the host being connected to (default ``True``). :param float banner_timeout: an optional timeout (in seconds) to wait for the SSH banner to be presented. :param float auth_timeout: an optional timeout (in seconds) to wait for an authentication response. :param float channel_timeout: an optional timeout (in seconds) to wait for a channel open response. :param dict disabled_algorithms: an optional dict passed directly to `.Transport` and its keyword argument of the same name. :param transport_factory: an optional callable which is handed a subset of the constructor arguments (primarily those related to the socket, GSS functionality, and algorithm selection) and generates a `.Transport` instance to be used by this client. Defaults to `.Transport.__init__`. :param auth_strategy: an optional instance of `.AuthStrategy`, triggering use of this newer authentication mechanism instead of SSHClient's legacy auth method. .. warning:: This parameter is incompatible with all other authentication-related parameters (such as, but not limited to, ``password``, ``key_filename`` and ``allow_agent``) and will trigger an exception if given alongside them. :returns: `.AuthResult` if ``auth_strategy`` is non-``None``; otherwise, returns ``None``. :raises BadHostKeyException: if the server's host key could not be verified. :raises AuthenticationException: if authentication failed. :raises UnableToAuthenticate: if authentication failed (when ``auth_strategy`` is non-``None``; and note that this is a subclass of ``AuthenticationException``). :raises socket.error: if a socket error (other than connection-refused or host-unreachable) occurred while connecting. :raises NoValidConnectionsError: if all valid connection targets for the requested hostname (eg IPv4 and IPv6) yielded connection-refused or host-unreachable socket errors. :raises SSHException: if there was any other error connecting or establishing an SSH session. .. versionchanged:: 1.15 Added the ``banner_timeout``, ``gss_auth``, ``gss_kex``, ``gss_deleg_creds`` and ``gss_host`` arguments. .. versionchanged:: 2.3 Added the ``gss_trust_dns`` argument. .. versionchanged:: 2.4 Added the ``passphrase`` argument. .. versionchanged:: 2.6 Added the ``disabled_algorithms`` argument. .. versionchanged:: 2.12 Added the ``transport_factory`` argument. .. versionchanged:: 3.2 Added the ``auth_strategy`` argument. N)�gss_kex�gss_deleg_creds�disabled_algorithms)�compress)�gss_host� trust_dns�gssapi_requestedz[{}]:{}r��c��s��g�\|�]}\|��kr\|�qS�r��r��)�.0�x�r2��r��r�� <listcomp>��s��z%SSHClient.connect.<locals>.<listcomp>��timeout)� transport)-�listrJ��r=��r@�� settimeout�connect�error�close�errnor��r��lenr��r��r��use_compression�set_gss_hostr��r8��banner_timeout�auth_timeout�channel_timeoutr��r-��r��getr��r1��get_security_options� key_types�start_client�gss_kex_used�get_remote_server_keyr��missing_host_key�get_name�valuesr��getpass�getuser�authenticate� isinstance�str�_authrO��)%r��r0��rA��username�password�pkey�key_filenamerW��allow_agent� look_for_keysrN��sock�gss_authrK��rL��rO��rb��rc��rd�� gss_trust_dns� passphraserM��transport_factory� auth_strategy�errors�to_try�af�addr�e�t�server_hostkey_name�our_server_keys�sec_opts�other_types� server_key�our_key� key_filenamesr��rT��r��r[��s�� zSSHClient.connectc��C��s@��\|�j�du�rdS�\|�j��d\|�_�\|�jdur\|�j��d\|�_dS�dS�)a�� Close this SSHClient and its underlying `.Transport`. This should be called anytime you are done using the client object. .. warning:: Paramiko registers garbage collection hooks that will try to automatically close connections for you, but this is not presently reliable. Failure to explicitly close your client after use may lead to end-of-process hangs! N)r��r]��r��r��r��r��r��r]��s�� zSSHClient.close��c�� C��sj��\|�j�j\|d�}\|r \|��\|�\|��\|r\|�\|��\|�\|��\|�d\|�}\|�d\|�}\|�d\|�} \|\|\| fS�)a�� Execute a command on the SSH server. A new `.Channel` is opened and the requested command is executed. The command's input and output streams are returned as Python ``file``-like objects representing stdin, stdout, and stderr. :param str command: the command to execute :param int bufsize: interpreted the same way as by the built-in ``file()`` function in Python :param int timeout: set command's channel timeout. See `.Channel.settimeout` :param bool get_pty: Request a pseudo-terminal from the server (default ``False``). See `.Channel.get_pty` :param dict environment: a dict of shell environment variables, to be merged into the default environment that the remote command executes within. .. warning:: Servers may silently reject some environment variables; see the warning in `.Channel.set_environment_variable` for details. :return: the stdin, stdout, and stderr of the executing command, as a 3-tuple :raises: `.SSHException` -- if the server fails to execute the command .. versionchanged:: 1.10 Added the ``get_pty`` kwarg. rV��wb�r) r��open_session�get_ptyrZ��update_environment�exec_command�makefile_stdin�makefile�makefile_stderr) r��command�bufsizerW��r��environment�chan�stdin�stdout�stderrr��r��r��r��s��( zSSHClient.exec_command�vt100�P��r��c��C��s(��\|�j��}\|�\|\|\|\|\|��\|��\|S�)a�� Start an interactive shell session on the SSH server. A new `.Channel` is opened and connected to a pseudo-terminal using the requested terminal type and size. :param str term: the terminal type to emulate (for example, ``"vt100"``) :param int width: the width (in characters) of the terminal window :param int height: the height (in characters) of the terminal window :param int width_pixels: the width (in pixels) of the terminal window :param int height_pixels: the height (in pixels) of the terminal window :param dict environment: the command's environment :return: a new `.Channel` connected to the remote shell :raises: `.SSHException` -- if the server fails to invoke a shell )r��r��r��invoke_shell)r��term�width�height�width_pixels� height_pixelsr��r��r��r��r��r��<��s�� zSSHClient.invoke_shellc��C��s ��\|�j��S�)zn Open an SFTP session on the SSH server. :return: a new `.SFTPClient` session object )r��open_sftp_clientr��r��r��r�� open_sftpZ��s�� zSSHClient.open_sftpc��C��r5��)z� Return the underlying `.Transport` object for this SSH connection. This can be used to perform lower-level tasks, like opening specific kinds of channels. :return: the `.Transport` for this connection )r��r��r��r��r�� get_transportb��s��zSSHClient.get_transportc�� C��s��d}\|��\|�r\|dt\|��}\|}n\|}\|\|�}\|�\|\|�}d�t\|��\|�}\|��t\|��tj � \|�rC\|�\|��\|��td�\|��\|S�)a7�� Attempt to derive a `.PKey` from given string path ``filename``: - If ``filename`` appears to be a cert, the matching private key is loaded. - Otherwise, the filename is assumed to be a private key, and the matching public cert will be loaded if it exists. � -cert.pubNzTrying discovered key {} in {}zAdding public certificate {})�endswithr_��from_private_key_filer-��r��get_fingerprint�_logr��r ��r!��isfile�load_certificate) r��r&��klassru��cert_suffix�key_path� cert_pathr3��msgr��r��r��_key_from_filepathl��s�� zSSHClient._key_from_filepathc��C��s��d}d} t��}ddh}\|du�r\|dur\|}\|r9\|�jjr9z \|�j�\|��W�dS��ty8�}�z\|}W�Y�d}~nd}~ww�\|rYz \|�j�\|\| \| �W�S��tyX�}�z\|}W�Y�d}~nd}~ww�\|dur�z!\|��td�t \|� ��t�\|�j�\|\|��}\|\|@�} \| s}W�dS�W�n�ty��}�z\|}W�Y�d}~nd}~ww�\| s�\|D�]=}t tttfD�]4}z\|��\|\|\|�}t�\|�j�\|\|��}\|\|@�} \| s�W��dS�W��n�ty��}�z\|}W�Y�d}~q�d}~ww�q�\| �s'\|�r'\|�jdu�r�t��\|�_\|�j��D�]=}z&t \|� ��}\|��td�\|��t�\|�j�\|\|��}\|\|@�} \| �sW��dS�W��n�t�y&�}�z\|}W�Y�d}~q�d}~ww�\| �s�g�}t dftdftd ftd ffD�]5\}}dD�]-}tj�d�\|\|��}tj�\|��rl\|�\|\|f��tj�\|d ��rl\|�\|\|d �f��q@�q:\|�sug�}\|D�]:\}}z\|��\|\|\|�}t�\|�j�\|\|��}\|\|@�} \| �s�W��dS�W��n�ttf�y��}�z \|}W�Y�d}~�qwd}~ww�\|du�r�z \|�j�\|\|��W�dS��t�y��}�z\|}W�Y�d}~n'd}~ww�\| �r�z \|�j�\|��W�dS��t�y��}�z\|}W�Y�d}~nd}~ww�\|du�r�\|�td��)a�� Try, in order: - The key(s) passed in, if one was passed in. - Any key we can find through an SSH agent (if allowed). - Any "id_rsa", "id_dsa" or "id_ecdsa" key discoverable in ~/.ssh/ (if allowed). - Plain username/password auth, if a password was given. (The password might be needed to unlock a private key [if 'passphrase' isn't also given], or for two-factor authentication [for which it is required].) NFzkeyboard-interactiveru��zTrying SSH key {}zTrying SSH agent key {}�rsa�dsa�ecdsa�ed25519)z.ssh�sshz ~/{}/id_{}r��z#No authentication methods available)�setr��ri��auth_gssapi_keyex� Exception�auth_gssapi_with_micr��r��r-��r��r��auth_publickeyr ��r��r��r ��r ��r��r��r��get_keysr ��r!��r"��r��appendr$�� auth_password�auth_interactive_dumb)r��rt��ru��rv��r��rx��ry��r{��rK��rL��rO��r}��saved_exception� two_factor� allowed_types�two_factor_typesr��rw�� pkey_classr3��id_�keyfilesr2��r7�� directory� full_pathr&��r��r��r��rs��s �� zSSHClient._authc��C��s��\|�j��\|\|��d�S��N)r��r��)r��levelr��r��r��r��r��5��s��zSSHClient._logr��)r��NFN)r��r��r��r��r��N)�__name__� __module__�__qualname__�__doc__r��r'��r(��r4��r6��r8��r<��rJ��r��r[��r]��r��r��r��r��r��rs��r��r��r��r��r��r��0��sl�� 6 � �r��c��@��e�Zd�ZdZdd��ZdS�)�MissingHostKeyPolicya�� Interface for defining the policy that `.SSHClient` should use when the SSH server's hostname is not in either the system host keys or the application's keys. Pre-made classes implement policies for automatically adding the key to the application's `.HostKeys` object (`.AutoAddPolicy`), and for automatically rejecting the key (`.RejectPolicy`). This function may be used to ask the user to verify the key, for example. c��C��s��dS�)a�� Called when an `.SSHClient` receives a server key for a server that isn't in either the system or local `.HostKeys` object. To accept the key, simply return. To reject, raised an exception (which will be passed to the calling application). Nr��r��clientr0��r3��r��r��r��rk��D��s��z%MissingHostKeyPolicy.missing_host_keyN�r��r��r��r��rk��r��r��r��r��r��9��s�� r��c��@��r��)� AutoAddPolicyz� Policy for automatically adding the hostname and new host key to the local `.HostKeys` object, and saving it. This is used by `.SSHClient`. c�� C��sP��\|j��\|\|��\|��\|jd�ur\|�\|j��\|�td�\|��\|t\|� ��d�S�)NzAdding {} host key for {}: {}) r��addrl��r��r4��r��r��r-��r��r��r��r��r��r��rk��T��s�� zAutoAddPolicy.missing_host_keyNr��r��r��r��r��r��N��r��c��@��r��)r��zk Policy for automatically rejecting the unknown hostname & key. This is used by `.SSHClient`. c�� C��s0��\|��td�\|��\|t\|��td�\|��)Nz Rejecting {} host key for {}: {}z$Server {!r} not found in known_hosts)r��r��r-��rl��r��r��r ��r��r��r��r��rk��f��s��zRejectPolicy.missing_host_keyNr��r��r��r��r��r��`��r��r��c��@��r��)� WarningPolicyz� Policy for logging a Python-style warning for an unknown host key, but accepting it. This is used by `.SSHClient`. c�� C��s$��t��d�\|��\|t\|��d�S�)NzUnknown {} host key for {}: {})�warnings�warnr-��rl��r��r��r��r��r��r��rk��x��s ��zWarningPolicy.missing_host_keyNr��r��r��r��r��r��r��r��r��)(r��binasciir��rn��r9��r ��r=��r��r^��r��r��paramiko.agentr��paramiko.commonr��paramiko.configr��paramiko.dsskeyr��paramiko.ecdsakeyr ��paramiko.ed25519keyr ��paramiko.hostkeysr��paramiko.rsakeyr��paramiko.ssh_exceptionr ��r��r��paramiko.transportr�� paramiko.utilr��r��r��r��r��r��r��r��r��r��<module>��s<��__pycache__/ssh_exception.cpython-310.pyc��0000644��00000017253�15030210772�0014335 0��ustar�00��o ��hF��@��s��d�dl�Z�G�dd��de�ZG�dd��de�ZG�dd��de�ZG�dd ��d e�ZG�d d��de�ZG�dd ��d e�ZG�dd��de�ZG�dd��de�Z G�dd��de�Z G�dd��de�ZG�dd��de�j�Z G�dd��de�ZG�dd��de�ZG�dd��de�ZdS�)��Nc��@��e�Zd�ZdZdS�)�SSHExceptionzT Exception raised by failures in SSH2 protocol negotiation or logic errors. N��__name__� __module__�__qualname__�__doc__��r ��r ��I/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/ssh_exception.pyr��r��c��@��r��)�AuthenticationExceptionz� Exception raised when authentication failed for some reason. It may be possible to retry with different credentials. (Other classes specify more specific reasons.) .. versionadded:: 1.6 Nr��r ��r ��r ��r ��r��s��r��c��@��r��)�PasswordRequiredExceptionzR Exception raised when a password is needed to unlock a private key file. Nr��r ��r ��r ��r ��r ����r��r ��c��@��$��e�Zd�ZdZg�Zdd��Zdd��ZdS�)�BadAuthenticationTypez� Exception raised when an authentication type (like password) is used, but the server isn't allowing that type. (It may only allow public-key, for example.) .. versionadded:: 1.1 c��C��t��\|�\|\|��\|\|�_\|\|�_d�S��N)r��__init__�explanation� allowed_types)�selfr��typesr ��r ��r ��r��>��s�� zBadAuthenticationType.__init__c��C��d��\|�j\|�j�S�)Nz{}; allowed types: {!r})�formatr��r��r��r ��r ��r ��__str__E��zBadAuthenticationType.__str__N�r��r��r��r��r��r��r��r ��r ��r ��r ��r��2��s ��r��c��@��r��)�PartialAuthenticationzM An internal exception thrown in the case of partial authentication. c��C��s��t��\|�\|��\|\|�_d�S�r��)r��r��r��)r��r��r ��r ��r ��r��R��s�� zPartialAuthentication.__init__c��C��s��d��\|�j�S�)Nz+Partial authentication; allowed types: {!r})r��r��r��r ��r ��r ��r��V��s��zPartialAuthentication.__str__Nr��r ��r ��r ��r ��r��K��s ��r��c��@��s��e�Zd�ZdS�)�UnableToAuthenticateN)r��r��r��r ��r ��r ��r ��r��]��s��r��c��@�� e�Zd�ZdZdd��Zdd��ZdS�)�ChannelExceptionz� Exception raised when an attempt to open a new `.Channel` fails. :param int code: the error code returned by the server .. versionadded:: 1.6 c��C��r��r��)r��r��code�text)r��r!��r"��r ��r ��r ��r��j�� zChannelException.__init__c��C��r��)NzChannelException({!r}, {!r}))r��r!��r"��r��r ��r ��r ��r��o��s��zChannelException.__str__N�r��r��r��r��r��r��r ��r ��r ��r ��r ��a��s��r ��c��@��r��)�BadHostKeyExceptiona�� The host key given by the SSH server did not match what we were expecting. :param str hostname: the hostname of the SSH server :param PKey got_key: the host key presented by the server :param PKey expected_key: the host key expected .. versionadded:: 1.6 c��C��s&��t��\|�\|\|\|��\|\|�_\|\|�_\|\|�_d�S�r��)r��r��hostname�key�expected_key)r��r&��got_keyr(��r ��r ��r ��r��~��s�� zBadHostKeyException.__init__c��C��s ��d}\|��\|�j\|�j��\|�j��S�)Nz@Host key for server '{}' does not match: got '{}', expected '{}')r��r&��r'�� get_base64r(��)r��msgr ��r ��r ��r��s��zBadHostKeyException.__str__Nr$��r ��r ��r ��r ��r%��s��s�� r%��c��@��r��)�IncompatiblePeerzk A disagreement arose regarding an algorithm required for key exchange. .. versionadded:: 2.9 Nr��r ��r ��r ��r ��r,��s��r,��c��@��r��)�ProxyCommandFailurez� The "ProxyCommand" found in the .ssh/config file returned an error. :param str command: The command line that is generating this exception. :param str error: The error captured from the proxy command output. c��C��r��r��)r��r��command�error)r��r.��r/��r ��r ��r ��r��r#��zProxyCommandFailure.__init__c��C��r��)Nz3ProxyCommand("{}") returned nonzero exit status: {})r��r.��r/��r��r ��r ��r ��r��r��zProxyCommandFailure.__str__Nr$��r ��r ��r ��r ��r-��s��r-��c��s(��e�Zd�ZdZ��fdd�Zdd��Z��ZS�)�NoValidConnectionsErrora�� Multiple connection attempts were made and no families succeeded. This exception class wraps multiple "real" underlying connection errors, all of which represent failed connection attempts. Because these errors are not guaranteed to all be of the same error type (i.e. different errno, `socket.error` subclass, message, etc) we expose a single unified error message and a ``None`` errno so that instances of this class match most normal handling of `socket.error` objects. To see the wrapped exception objects, access the ``errors`` attribute. ``errors`` is a dict whose keys are address tuples (e.g. ``('127.0.0.1', 22)``) and whose values are the exception encountered trying to connect to that address. It is implied/assumed that all the errors given to a single instance of this class are from connecting to the same hostname + port (and thus that the differences are in the resolution of the hostname - e.g. IPv4 vs v6). .. versionadded:: 1.16 c��sl��t�\|��}d�dd��\|dd��D��}\|d�d�}\|rd}nd}t��d\|�\|d�d �\|\|��\|\|�_dS�) zl :param dict errors: The errors dict to store, as described by class docstring. z, c��S��s��g�\|�]}\|d��qS�)r��r ��)�.0�xr ��r ��r �� <listcomp>��s��z4NoValidConnectionsError.__init__.<locals>.<listcomp>N��r��z+Unable to connect to port {0} on {1} or {2}z$Unable to connect to port {0} on {2}��)�sorted�keys�join�superr��r��errors)r��r:��addrs�body�tailr+�� __class__r ��r ��r��s�� z NoValidConnectionsError.__init__c��C��s��\|�j�\|�jffS�r��)r?��r:��r��r ��r ��r �� __reduce__��s��z"NoValidConnectionsError.__reduce__)r��r��r��r��r��r@�� __classcell__r ��r ��r>��r ��r0��s��r0��c��@��r��)�CouldNotCanonicalizezh Raised when hostname canonicalization fails & fallback is disabled. .. versionadded:: 2.7 Nr��r ��r ��r ��r ��rB��rB��c��@��r��)�ConfigParseErrora@�� A fatal error was encountered trying to parse SSH config data. Typically this means a config file violated the ``ssh_config`` specification in a manner that requires exiting immediately, such as not matching ``key = value`` syntax or misusing certain ``Match`` keywords. .. versionadded:: 2.7 Nr��r ��r ��r ��r ��rD��s�� rD��c��@��r��)�MessageOrderErrorzo Out-of-order protocol messages were received, violating "strict kex" mode. .. versionadded:: 3.4 Nr��r ��r ��r ��r ��rE��rC��rE��)�socket� Exceptionr��r��r ��r��r��r��r ��r%��r,��r-��r/��r0��rB��rD��rE��r ��r ��r ��r ��<module>��s��, ��__pycache__/ssh_gss.cpython-310.pyc��0000644��00000051071�15030210772�0013127 0��ustar�00��o ��h�p��@��sD��d�Z�ddlZddlZddlZdZdZdZz"ddlZeed�rej dkrdZej fZndZejjej jjfZW�n-�eefyc��zddlZddlZddlZd ZejfZW�n �ey`��d ZdZY�nw�Y�nw�ddlmZ�ddlmZ�dd lmZ�ddd�ZG�dd��d�ZG�dd��de�Zedk�r�eZG�dd��de�Z G�dd��de�Z!dS�)z� This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 ��NT�� __title__z python-gssapi�MIT�PYTHON-GSSAPI-NEW�SSPIF)�MSG_USERAUTH_REQUEST)�SSHException)�__version_info__c��C��sH��t�dkr t\|�\|�S�t�dkrt\|�\|�S�t�dkr tjdkr t\|�\|�S�td��)a�� Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: object :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported. :see: `RFC 4462 <http://www.ietf.org/rfc/rfc4462.txt>`_ :note: Check for the available API and return either an `._SSH_GSSAPI_OLD` (MIT GSSAPI using python-gssapi package) object, an `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object or an `._SSH_SSPI` (MS SSPI) object. If there is no supported API available, ``None`` will be returned. r��r��r��ntz)Unable to import a GSS-API / SSPI module!)�_API�_SSH_GSSAPI_OLD�_SSH_GSSAPI_NEW�os�name� _SSH_SSPI�ImportError)�auth_method�gss_deleg_credsr��r��C/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/ssh_gss.py�GSSAuthN��s�� r��c��@��sJ��e�Zd�ZdZdd��Zdd��Zdd��Zdd d �Zdd��Zd d��Z dd��Z dS�)�_SSH_GSSAuthzs Contains the shared variables and methods of `._SSH_GSSAPI_OLD`, `._SSH_GSSAPI_NEW` and `._SSH_SSPI`. c��C��sN��\|\|�_�\|\|�_d\|�_d\|�_d\|�_d\|�_ �d\|�_d\|�_d\|�_d\|�_ d\|�_ d\|�_dS�)�� :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not Nzssh-connectionz1.2.840.113554.1.2.2F)�_auth_method�_gss_deleg_creds� _gss_host� _username�_session_id�_service� _krb5_mech� _gss_ctxt�_gss_ctxt_status� _gss_srv_ctxt�_gss_srv_ctxt_status�cc_file��selfr��r��r��r��r��__init__t��s�� z_SSH_GSSAuth.__init__c��C��s��\|��d�r \|\|�_dS�dS�)z� This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service zssh-N)�findr��)r%��servicer��r��r��set_service��s�� z_SSH_GSSAuth.set_servicec��C��s ��\|\|�_�dS�)z� Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login N)r��)r%��usernamer��r��r��set_username��s�� z_SSH_GSSAuth.set_username�clientc��C��s\��ddl�m}�ddlm}�\|��d�}\|�\|\|�j��}\|��t\|��}\|dkr(\|\|�S�\|\|�\|�S�)a�� This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :note: In server mode we just return the OID length and the DER encoded OID. r��)�ObjectIdentifier)�encoder��server)�pyasn1.type.univr-��pyasn1.codec.derr.��_make_uint32�encoder��len)r%��moder-��r.��OIDs�krb5_OID�OID_lenr��r��r��ssh_gss_oids��s�� z_SSH_GSSAuth.ssh_gss_oidsc��C��s0��ddl�m}�\|�\|�\}}\|��\|�jkrdS�dS�)z� Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} r��decoderFT)r2��r<��decode�__str__r��)r%��desired_mechr<��mech�__r��r��r��ssh_check_mech��s ��z_SSH_GSSAuth.ssh_check_mechc��C��s��t��d\|�S�)z� Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer z!I)�struct�pack)r%��integerr��r��r��r3��s��z_SSH_GSSAuth._make_uint32c��C��s��\|��t\|��}\|\|7�}\|t�dt�7�}\|\|��t\|��7�}\|\|��7�}\|\|��t\|��7�}\|\|��7�}\|\|��t\|��7�}\|\|��7�}\|S�)a�� Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) �B)r3��r5��rC��rD��r��r4��)r%�� session_idr��r(��r��micr��r��r��_ssh_build_mic��s��z_SSH_GSSAuth._ssh_build_micN)r,��)�__name__� __module__�__qualname__�__doc__r&��r)��r+��r:��rB��r3��rI��r��r��r��r��r��n��s�� r��c��@��V��e�Zd�ZdZdd��Z ddd�Zddd �Zdd d�Zddd �Ze dd��Z dd��ZdS�)r��z� Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package. :see: `.GSSAuth` c��C��sD��t��\|�\|\|��\|�jrtjtjtjtjf\|�_dS�tjtjtjf\|�_dS��r��N) r��r&��r��gssapi�C_PROT_READY_FLAG�C_INTEG_FLAG� C_MUTUAL_FLAG�C_DELEG_FLAG� _gss_flagsr$��r��r��r��r&��s�� z_SSH_GSSAPI_OLD.__init__Nc�� C��s��ddl�m}�\|\|�_\|\|�_t�d\|�j�tj�}t��}\|�j\|_ \|du�rtj �\|�j�}n\|� \|�\} } \| ��\|�jkr<td��tj �\|�j�}d}z\|du�r[tj\|\|\|j d�\|�_\|�j�\|�}n\|�j�\|�}W�n�tjyz��d�t��d�\|�j�}t�\|��w�\|�jj\|�_\|S�) a�� Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned r��r;��host@N�Unsupported mechanism OID.)� peer_name� mech_type� req_flagsz {} Target: {}r/��)r2��r<��r��r��rP��Name�C_NT_HOSTBASED_SERVICE�ContextrU��flags�OID�mech_from_stringr��r=��r>��r��InitContextr��step�GSSException�format�sys�exc_info�establishedr ��) r%��targetr?��r�� recv_tokenr<�� targ_name�ctx� krb5_mechr@��rA��token�messager��r��r��ssh_init_sec_context ��s>�� z$_SSH_GSSAPI_OLD.ssh_init_sec_contextFc��C��D��\|\|�_�\|s\|��\|�j�\|�j\|�j\|�j�}\|�j�\|�}\|S�\|�j�\|�j��}\|S�)a�� Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. )r��rI��r��r��r��r��get_micr!��r%��rG��gss_kex� mic_field� mic_tokenr��r��r��ssh_get_micA�� z_SSH_GSSAPI_OLD.ssh_get_micc��C��s:��\|\|�_�\|\|�_\|�jdu�rt��\|�_\|�j�\|�}\|�jj\|�_\|S�)�� Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned N)r��r��r!��rP�� AcceptContextrb��rg��r"��r%��hostnameri��r��rm��r��r��r��ssh_accept_sec_context\��s�� z&_SSH_GSSAPI_OLD.ssh_accept_sec_contextc��C��T��\|\|�_�\|\|�_\|�jdur \|��\|�j�\|�j\|�j\|�j�}\|�j�\|\|��dS�\|�j�\|�j�\|��dS�)at�� Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.GSSException`` -- if the MIC check failed N)r��r��rI��r��r��r!�� verify_micr��r%��ru��rG��r��rt��r��r��r�� ssh_check_micp�� z_SSH_GSSAPI_OLD.ssh_check_micc��C��\|�j�jdurdS�dS�)�� Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` NTF)r!��delegated_cred�r%��r��r��r��credentials_delegated��s��z%_SSH_GSSAPI_OLD.credentials_delegatedc��C��t��)a~�� Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode ��NotImplementedError�r%��client_tokenr��r��r��save_client_creds��z!_SSH_GSSAPI_OLD.save_client_creds�NNN�F�N�rJ��rK��rL��rM��r&��ro��rv��r\|��r��propertyr��r��r��r��r��r��r��s�� 4 r��)��c��@��rN��)r ��z� Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package. :see: `.GSSAuth` c��C��sR��t��\|�\|\|��\|�jrtjjtjjtjjtjjf\|�_ dS�tjjtjjtjjf\|�_ dS�rO��) r��r&��r��rP��RequirementFlag�protection_ready� integrity�mutual_authentication�delegate_to_peerrU��r$��r��r��r��r&��s�� z_SSH_GSSAPI_NEW.__init__Nc��C��s��ddl�m}�\|\|�_\|\|�_tjd\|�j�tjjd�}\|dur.\|�\|�\}}\|� ��\|�j kr.td��tjj } d} \|du�rJtj\|\|�j\| dd�\|�_\|�j�\| �} n\|�j�\|�} \|�jj\|�_\| S�) ae�� Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :raises: ``gssapi.exceptions.GSSError`` if there is an error signaled by the GSS-API implementation :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned r��r;��rV��)� name_typeNrW��initiate)r��r^��r@��usage)r2��r<��r��r��rP��r[��NameType�hostbased_servicer=��r>��r��r��MechType�kerberos�SecurityContextrU��r��rb��completer ��)r%��rh��r?��r��ri��r<��rj��r@��rA��rl��rm��r��r��r��ro��s0�� z$_SSH_GSSAPI_NEW.ssh_init_sec_contextFc��C��rp��)a�� Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: str )r��rI��r��r��r��r�� get_signaturer!��rr��r��r��r��rv��s��z_SSH_GSSAPI_NEW.ssh_get_micc��C��s>��\|\|�_�\|\|�_\|�jdu�rtjdd�\|�_\|�j�\|�}\|�jj\|�_\|S�)rx��N�accept)r��)r��r��r!��rP��r��rb��r��r"��rz��r��r��r��r\|��s�� z&_SSH_GSSAPI_NEW.ssh_accept_sec_contextc��C��r}��)a{�� Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed N)r��r��rI��r��r��r!��verify_signaturer��r��r��r��r��r��$��r��z_SSH_GSSAPI_NEW.ssh_check_micc��C��r��)z� Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` :rtype: bool NTF)r!��delegated_credsr��r��r��r��r��>��s��z%_SSH_GSSAPI_NEW.credentials_delegatedc��C��r��)aw�� Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode r��r��r��r��r��r��J��s�� z!_SSH_GSSAPI_NEW.save_client_credsr��r��r��r��r��r��r��r��r ��s�� . r ��c��@��sT��e�Zd�ZdZdd��Z ddd�Zddd �Zd d��Zddd �Ze dd��Z dd��ZdS�)r��zf Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` c��C��s>��t��\|�\|\|��\|�jrtjtjB�tjB�\|�_dS�tjtjB�\|�_dS�rO��)r��r&��r��sspicon�ISC_REQ_INTEGRITY�ISC_REQ_MUTUAL_AUTH�ISC_REQ_DELEGATErU��r$��r��r��r��r&��^��s�� z_SSH_SSPI.__init__Nc�� C��s��ddl�m}�\|\|�_\|\|�_d}d\|�j�}\|dur)\|�\|�\}} \|��\|�jkr)td��z\|du�r8tj d\|�j \|d�\|�_\|�j�\|�\}} \| d�j } W�n�tjy_�}�z\|�jd�\|�j�7��_��d}~ww�\|dkrk �d \|�_d} �\| S�) a�� Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned r��r;��host/NrW��Kerberos)�scflags� targetspnz, Target: {}T)r2��r<��r��r��r=��r>��r��r��sspi� ClientAuthrU��r�� authorize�Buffer� pywintypes�error�strerrorrd��r ��)r%��rh��r?��r��ri��r<��r��rj��r@��rA��rm��er��r��r��ro��q��s6�� z_SSH_SSPI.ssh_init_sec_contextFc��C��rp��)a�� Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. )r��rI��r��r��r��r��signr!��rr��r��r��r��rv��rw��z_SSH_SSPI.ssh_get_micc��C��sV��\|\|�_�\|\|�_d\|�j��}tjd\|d�\|�_\|�j�\|�\}}\|d�j}\|dkr)d\|�_d}\|S�)a�� Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned r��r��)�spnr��TN)r��r��r�� ServerAuthr!��r��r��r"��)r%��r{��r��ri��rj��r��rm��r��r��r��r\|��s�� z _SSH_SSPI.ssh_accept_sec_contextc��C��sR��\|\|�_�\|\|�_\|dur\|��\|�j�\|�j\|�j\|�j�}\|�j�\|\|��dS�\|�j�\|�j�\|��dS�)ak�� Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``sspi.error`` -- if the MIC check failed N)r��r��rI��r��r��r!��verifyr��r��r��r��r��r��s�� z_SSH_SSPI.ssh_check_micc��C��s��\|�j�tj@�o\|�jp\|�j�S�)r��)rU��r��r��r"��r��r��r��r��r��s�� z_SSH_SSPI.credentials_delegatedc��C��r��)a{�� Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode r��r��r��r��r��r��r��z_SSH_SSPI.save_client_credsr��r��r��r��r��r��r��r��r��W��s�� 4 r��)T)"rM��rC��r��re��GSS_AUTH_AVAILABLE�GSS_EXCEPTIONSr��rP��hasattrr��rc�� exceptions�GeneralError�raw�misc�GSSErrorr��OSErrorr��r��r��r��paramiko.commonr��paramiko.ssh_exceptionr��paramiko._versionr ��r��r��r��_SSH_GSSAPIr ��r��r��r��r��r��<module>��sV�� 5�0��__pycache__/sftp_handle.cpython-310.pyc��0000644��00000015217�15030210772�0013747 0��ustar�00��o ��h��@��sH��d�Z�ddlZddlmZmZ�ddlmZ�G�dd��de�Zddlm Z �dS�)z7 Abstraction of an SFTP file handle (for server mode). ��N)�SFTP_OP_UNSUPPORTED�SFTP_OK)�ClosingContextManagerc��@��sb��e�Zd�ZdZddd�Zdd��Zdd��Zd d ��Zdd��Zd d��Z dd��Z dd��Zdd��Zdd��Z dS�)� SFTPHandlea�� Abstract object representing a handle to an open file (or folder) in an SFTP server implementation. Each handle has a string representation used by the client to refer to the underlying file. Server implementations can (and should) subclass SFTPHandle to implement features of a file handle, like `stat` or `chattr`. Instances of this class may be used as context managers. r��c��C��s��\|\|�_�d\|�_i�\|�_d\|�_dS�)a"�� Create a new file handle representing a local file being served over SFTP. If ``flags`` is passed in, it's used to determine if the file is open in append mode. :param int flags: optional flags as passed to `.SFTPServerInterface.open` N)�_SFTPHandle__flags�_SFTPHandle__name�_SFTPHandle__files�_SFTPHandle__tell)�self�flags��r��G/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/sftp_handle.py�__init__(��s�� zSFTPHandle.__init__c��C��s@��t�\|�dd�}\|dur\|��t�\|�dd�}\|dur\|��dS�dS�)a�� When a client closes a file, this method is called on the handle. Normally you would use this method to close the underlying OS level file object(s). The default implementation checks for attributes on ``self`` named ``readfile`` and/or ``writefile``, and if either or both are present, their ``close()`` methods are called. This means that if you are using the default implementations of `read` and `write`, this method's default implementation should be fine also. �readfileN� writefile)�getattr�close)r ��r��r��r��r��r ��r��7��s��zSFTPHandle.closec�� C��s��t�\|�dd�}\|du�rtS�z\|�jdu�r\|��\|�_\|\|�jkr$\|�\|��\|\|�_\|�\|�}W�n�tyE�}�zd\|�_t�\|j �W��Y�d}~S�d}~ww�\|��jt \|�7��_\|S�)a5�� Read up to ``length`` bytes from this file, starting at position ``offset``. The offset may be a Python long, since SFTP allows it to be 64 bits. If the end of the file has been reached, this method may return an empty string to signify EOF, or it may also return ``SFTP_EOF``. The default implementation checks for an attribute on ``self`` named ``readfile``, and if present, performs the read operation on the Python file-like object found there. (This is meant as a time saver for the common case where you are wrapping a Python file object.) :param offset: position in the file to start reading from. :param int length: number of bytes to attempt to read. :return: the `bytes` read, or an error code `int`. r��N)r��r��r ��tell�seek�read�IOError� SFTPServer� convert_errno�errno�len)r ��offset�lengthr��data�er��r��r ��r��J��s"�� zSFTPHandle.readc�� C��s��t�\|�dd�}\|du�rtS�z\|�jtj@�dkr,\|�jdu�r\|��\|�_\|\|�jkr,\|�\|��\|\|�_\|�\|��\|� ��W�n�t yQ�}�zd\|�_t�\|j �W��Y�d}~S�d}~ww�\|�jdur`\|��jt\|�7��_tS�)am�� Write ``data`` into this file at position ``offset``. Extending the file past its original end is expected. Unlike Python's normal ``write()`` methods, this method cannot do a partial write: it must write all of ``data`` or else return an error. The default implementation checks for an attribute on ``self`` named ``writefile``, and if present, performs the write operation on the Python file-like object found there. The attribute is named differently from ``readfile`` to make it easy to implement read-only (or write-only) files, but if both attributes are present, they should refer to the same file. :param offset: position in the file to start reading from. :param bytes data: data to write into the file. :return: an SFTP error code like ``SFTP_OK``. r��Nr��)r��r��r��os�O_APPENDr ��r��r��write�flushr��r��r��r��r��r��)r ��r��r��r��r��r��r��r ��r!��l��s(�� zSFTPHandle.writec��C��t�S�)a�� Return an `.SFTPAttributes` object referring to this open file, or an error code. This is equivalent to `.SFTPServerInterface.stat`, except it's called on an open file instead of a path. :return: an attributes object for the given file, or an SFTP error code (like ``SFTP_PERMISSION_DENIED``). :rtype: `.SFTPAttributes` or error code �r��r ��r��r��r ��stat��s��zSFTPHandle.statc��C��r#��)af�� Change the attributes of this file. The ``attr`` object will contain only those fields provided by the client in its request, so you should check for the presence of fields before using them. :param .SFTPAttributes attr: the attributes to change on this file. :return: an `int` error code like ``SFTP_OK``. r$��)r ��attrr��r��r ��chattr��s�� zSFTPHandle.chattrc��C��s ��\|\|�_�dS�)z� Used by the SFTP server code to cache a directory listing. (In the SFTP protocol, listing a directory is a multi-stage process requiring a temporary handle.) N�r��)r ��filesr��r��r �� _set_files��s�� zSFTPHandle._set_filesc��C��s"��\|�j�dd��}\|�j�dd��\|�_�\|S�)z^ Used by the SFTP server code to retrieve a cached directory listing. N��r)��)r ��fnlistr��r��r ��_get_next_files��s��zSFTPHandle._get_next_filesc��C��s��\|�j�S��N�r��r%��r��r��r �� _get_name��s��zSFTPHandle._get_namec��C��s ��\|\|�_�d�S�r/��r0��)r ��namer��r��r �� _set_name��s�� zSFTPHandle._set_nameN)r��)�__name__� __module__�__qualname__�__doc__r��r��r��r!��r&��r(��r+��r.��r1��r3��r��r��r��r ��r��s�� "& r��)r��) r7��r�� paramiko.sftpr��r�� paramiko.utilr��r��paramiko.sftp_serverr��r��r��r��r ��<module>��s��)��__pycache__/compress.cpython-310.pyc��0000644��00000002144�15030210772�0013306 0��ustar�00��o ��h��@��s,��d�Z�ddlZG�dd��d�ZG�dd��d�ZdS�)z. Compression implementations for a Transport. ��Nc��@��e�Zd�Zdd��Zdd��ZdS�)�ZlibCompressorc��C��t��\|�_d�S��N)�zlib�compressobj�z��self��r��D/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/compress.py�__init__��s��zZlibCompressor.__init__c��C��s��\|�j��\|�\|�j��tj��S�r��)r��compress�flushr��Z_FULL_FLUSH�r ��datar��r��r��__call__��s��zZlibCompressor.__call__N��__name__� __module__�__qualname__r ��r��r��r��r��r��r��s��r��c��@��r��)�ZlibDecompressorc��C��r��r��)r�� decompressobjr��r ��r��r��r��r ��$��s��zZlibDecompressor.__init__c��C��s��\|�j��\|�S�r��)r�� decompressr��r��r��r��r��'��s��zZlibDecompressor.__call__Nr��r��r��r��r��r��#��s��r��)�__doc__r��r��r��r��r��r��r��<module>��s�� __pycache__/ecdsakey.cpython-310.pyc��0000644��00000022465�15030210772�0013253 0��ustar�00��o ��h�-��@��s��d�Z�ddlmZmZ�ddlmZ�ddlmZmZ�ddl m Z �ddlmZm Z �ddlmZ�ddlmZ�dd lmZ�dd lmZ�ddlmZ�G�dd ��d �ZG�dd��d�ZG�dd��de�ZdS�)z ECDSA keys ��)�InvalidSignature�UnsupportedAlgorithm)�default_backend)�hashes� serialization)�ec)�decode_dss_signature�encode_dss_signature)� four_byte)�Message)�PKey)�SSHException)�deflate_longc��@��s��e�Zd�ZdZdd��ZdS�)�_ECDSACurvez� Represents a specific ECDSA Curve (nistp256, nistp384, etc). Handles the generation of the key format identifier and the selection of the proper hash function. Also grabs the proper curve from the 'ecdsa' package. c��C��sT��\|\|�_�\|j\|�_d\|�j��\|�_\|�jdkrtj\|�_n\|�jdkr!tj\|�_ntj\|�_\|\|�_ d�S�)N�ecdsa-sha2-��i��) � nist_name�key_size� key_length�key_format_identifierr��SHA256�hash_object�SHA384�SHA512�curve_class)�selfr��r��r��D/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/ecdsakey.py�__init__0��s�� z_ECDSACurve.__init__N)�__name__� __module__�__qualname__�__doc__r��r��r��r��r��r��'��s��r��c��@��s8��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd d��ZdS�) �_ECDSACurveSetz� A collection to hold the ECDSA curves. Allows querying by oid and by key format identifier. The two ways in which ECDSAKey needs to be able to look up curves. c��C��s ��\|\|�_�d�S��N��ecdsa_curves)r��r&��r��r��r��r��I�� z_ECDSACurveSet.__init__c��C��s��dd��\|�j�D��S�)Nc��S��s��g�\|�]}\|j��qS�r��)r��)�.0�curver��r��r�� <listcomp>M��s��zA_ECDSACurveSet.get_key_format_identifier_list.<locals>.<listcomp>r%��r��r��r��r��get_key_format_identifier_listL��s��z-_ECDSACurveSet.get_key_format_identifier_listc��C��"��\|�j�D�]}\|j\|kr\|��S�qd�S�r$��)r&��r��)r��r��r)��r��r��r��get_by_curve_classO�� z!_ECDSACurveSet.get_by_curve_classc��C��r-��r$��)r&��r��)r��r��r)��r��r��r��get_by_key_format_identifierT��r/��z+_ECDSACurveSet.get_by_key_format_identifierc��C��r-��r$��)r&��r��)r��r��r)��r��r��r��get_by_key_lengthY��r/��z _ECDSACurveSet.get_by_key_lengthN) r��r ��r!��r"��r��r,��r.��r0��r1��r��r��r��r��r#��B��s��r#��c��@��s��e�Zd�ZdZeeejd�eejd�eej d�g�Z d-dd�Zed d ��Z edd��Zd d��Zdd��Zedd��Zdd��Zdd��Zdd��Zd.dd�Zdd��Zd.dd�Zd.dd �Zee��ddfd!d"��Zd#d$��Zd%d&��Zd'd(��Zd)d��Zd+d,��ZdS�)/�ECDSAKeyz\ Representation of an ECDSA key which can be used to sign and verify SSH2 data. �nistp256�nistp384�nistp521NTc��C��sJ��d�\|�_�d�\|�_d�\|�_\|d�ur\|��\|\|��d�S�\|d�ur!\|��\|\|��d�S�\|d�u�r-\|d�ur-t\|�}\|d�urE\|\\|�_\|�_�\|�jjj}\|�j� \|�\|�_ d�S�\|��} d} \| �\| �rY\| d�t \| ��} \|�j�\| �\|�_ \|�j��}dd��\|D��}\|�j\|\|\|d��\|��} \| \|�j jkr�td�\| ��\|��}ztj�\|�j ��\|�}\|\|�_�W�d�S��ty��td��w�)Nz-cert-v01@openssh.comc��S��s��g�\|�]}d��\|��qS�)z{}-cert-v01@openssh.com)�format)r(��xr��r��r��r��s�� z%ECDSAKey.__init__.<locals>.<listcomp>)�msg�key_type� cert_typezCan't handle curve of type {}zInvalid public key)� verifying_key�signing_key�public_blob�_from_private_key�_from_private_key_filer��r)�� __class__� _ECDSA_CURVESr.��ecdsa_curve�get_text�endswith�lenr0��r,��_check_type_and_load_certr��r ��r6�� get_binaryr��EllipticCurvePublicKey�from_encoded_pointr�� ValueError)r��r8��data�filename�password�vals�file_obj�validate_point�c_classr9��suffix� key_types� cert_types� curvename� pointinfo�keyr��r��r��r��m��sV�� zECDSAKey.__init__c��C��s ��\|�j��S�r$��)rA��r,��clsr��r��r��identifiers��s�� zECDSAKey.identifiersc��C��\|��S�r$��)rZ��rX��r��r��r�� supported_key_format_identifiers��s��z)ECDSAKey.supported_key_format_identifiersc��C��s��\|�j�}t��}\|�\|�jj��\|�\|�jj��\|��}\|jjd�d�}t \|j dd�}d\|t\|��\|�}t \|jdd�}d\|t\|��\|�}t \|�\|�}\|�\|��\|��S�)N��F)�add_sign_padding��)r;��r�� add_stringrB��r��r��public_numbersr)��r��r��r7��rE��yr ��asbytes)r��rW��m�numbers�key_size_bytes�x_bytes�y_bytes� point_strr��r��r��rd��s�� zECDSAKey.asbytesc��C��r[��r$��)rd��r+��r��r��r��__str__��zECDSAKey.__str__c��C��s��\|��\|�j��j\|�j��jfS�r$��)�get_namer;��rb��r7��rc��r+��r��r��r��_fields��s�� zECDSAKey._fieldsc��C��\|�j�jS�r$��)rB��r��r+��r��r��r��rm��rl��zECDSAKey.get_namec��C��ro��r$��)rB��r��r+��r��r��r��get_bits��rl��zECDSAKey.get_bitsc��C��s ��\|�j�d�uS�r$��)r<��r+��r��r��r��can_sign��r'��zECDSAKey.can_signc��C��sT��t��\|�j��}\|�j�\|\|�}t\|�\}}t��}\|�\|�jj ��\|�\|�� \|\|��\|S�r$��)r��ECDSArB��r��r<��signr��r��ra��r�� _sigencode)r��rK�� algorithm�ecdsa�sig�r�sre��r��r��r�� sign_ssh_data��s��zECDSAKey.sign_ssh_datac��C��sl��\|��\|�jjkr dS�\|��}\|��\|�\}}t\|\|�}z\|�j�\|\|t� \|�j� ��W�dS��ty5��Y�dS�w�)NFT)rC��rB��r��rG�� _sigdecoder ��r;��verifyr��rr��r��r��)r��rK��r8��rw��sigR�sigS� signaturer��r��r��verify_ssh_sig��s�� zECDSAKey.verify_ssh_sigc��C��\|�j�\|\|�jtjj\|d��d�S��N)rM��)�_write_private_key_filer<��r�� PrivateFormat�TraditionalOpenSSL)r��rL��rM��r��r��r��write_private_key_file�� zECDSAKey.write_private_key_filec��C��r��r��)�_write_private_keyr<��r��r��r��)r��rO��rM��r��r��r��write_private_key��r��zECDSAKey.write_private_keyc��C��sT��\|dur\|�j��\|�}\|du�rtd�\|��\|��}tj\|t��d�}t\|\|� ��fd�S�)a�� Generate a new private ECDSA key. This factory function can be used to generate a new host key or authentication key. :param progress_func: Not used for this type of key. :returns: A new private key (`.ECDSAKey`) object NzUnsupported key length: {:d})�backend)rN��) rA��r1��rJ��r6��r��r��generate_private_keyr��r2�� public_key)rY��r)�� progress_func�bits�private_keyr��r��r��generate��s�� zECDSAKey.generatec��C��\|��d\|\|�}\|��\|��d�S��N�EC)�_read_private_key_file�_decode_key)r��rL��rM��rK��r��r��r��r?��zECDSAKey._from_private_key_filec��C��r��r��)�_read_private_keyr��)r��rO��rM��rK��r��r��r��r>��r��zECDSAKey._from_private_keyc��C��s��\|\}}\|\|�j�kr+ztj\|d�t��d�}W�n_�ttttfy�}�ztt \|��d�}~ww�\|\|�j kroz,t\|�}\|��}\|� ��}\|��}d\|�} \|�j�\| �} \| sQtd��t�\|\| ��t��}W�n�tyn�}�ztt \|��d�}~ww�\|��\|��\|\|�_\|��\|�_\|jj}\|�j�\|�\|�_d�S�)N)rM��r��r��zInvalid key curve identifier)�_PRIVATE_KEY_FORMAT_ORIGINALr��load_der_private_keyr��rJ��AssertionError� TypeErrorr��r ��str�_PRIVATE_KEY_FORMAT_OPENSSHr��rC��rG�� get_mpintrA��r0��r��derive_private_keyr�� Exception�_got_bad_key_format_idr<��r��r;��r)��r@��r.��rB��)r��rK��pkformatrW��er8�� curve_name�verkey�sigkey�namer)��r��r��r��r��r��"��sJ�� zECDSAKey._decode_keyc��C��s"��t��}\|�\|��\|�\|��\|��S�r$��)r�� add_mpintrd��)r��rx��ry��r8��r��r��r��rt��I��s�� zECDSAKey._sigencodec��C��s ��t�\|�}\|��}\|��}\|\|fS�r$��)r��r��)r��rw��r8��rx��ry��r��r��r��r{��O��s��zECDSAKey._sigdecode)NNNNNNTr$��) r��r ��r!��r"��r#��r��r�� SECP256R1� SECP384R1� SECP521R1rA��r��classmethodrZ��r\��rd��rk��propertyrn��rm��rp��rq��rz��r��r��r��r��r?��r>��r��rt��r{��r��r��r��r��r2��_��sL�� > 'r2��N)r"��cryptography.exceptionsr��r��cryptography.hazmat.backendsr��cryptography.hazmat.primitivesr��r��)cryptography.hazmat.primitives.asymmetricr��/cryptography.hazmat.primitives.asymmetric.utilsr��r ��paramiko.commonr ��paramiko.messager�� paramiko.pkeyr��paramiko.ssh_exceptionr �� paramiko.utilr��r��r#��r2��r��r��r��r��<module>��s��__pycache__/agent.cpython-310.pyc��0000644��00000036360�15030210772�0012560 0��ustar�00��o ��h>��@��s��d�Z�ddlZddlZddlZddlZddlZddlZddlZddlZddl m Z �ddlmZ�ddlm Z mZ�ddlmZmZ�ddlmZ�ddlmZmZ�dd lmZmZ�ed �ZdZed�Zd ZdZdZeed�Z e!e �"��D�]\Z#Z$e$e e#��d�<�qoG�dd��d�Z%G�dd��dej&�Z'G�dd��de'�Z(G�dd��de'�Z)dd��ZG�dd��d�Z+G�dd��de%�Z,G�d d!��d!�Z-G�d"d#��d#e%�Z.G�d$d%��d%e�Z/dS�)&z SSH Agent interface ��N)�DEBUG)�select)�io_sleep�byte_chr)�SSHException�AuthenticationException)�Message)�PKey�UnknownKeyType)�asbytes� get_logger�� )zrsa-sha2-256zrsa-sha2-512z-cert-v01@openssh.comc��@��s<��e�Zd�Zdd��Zdd��Zdd��Zdd��Zd d ��Zdd��Zd S�)�AgentSSHc��C��s��d�\|�_�d\|�_d�S��N��)�_conn�_keys��selfr��r��A/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/agent.py�__init__>��s�� zAgentSSH.__init__c��C��\|�j�S�)a�� Return the list of keys available through the SSH agent, if any. If no SSH agent was running (or it couldn't be contacted), an empty list will be returned. This method performs no IO, just returns the list of keys retrieved when the connection was made. :return: a tuple of `.AgentKey` objects representing keys available on the SSH agent )r��r��r��r��r��get_keysB��s�� zAgentSSH.get_keysc��C��sd��\|\|�_�\|��t�\}}\|tkrtd��g�}t\|��D�]}\|�t\|�\|� ��\|� ��d��qt\|�\|�_d�S�)Nz!could not get keys from ssh-agent)�agent�blob�comment) r�� _send_message�cSSH2_AGENTC_REQUEST_IDENTITIES�SSH2_AGENT_IDENTITIES_ANSWERr��range�get_int�append�AgentKey� get_binary�get_text�tupler��)r��conn�ptype�result�keys�ir��r��r��_connectQ��s��zAgentSSH._connectc��C��s$��\|�j�d�ur \|�j��d�\|�_�d\|�_d�S�r��)r��closer��r��r��r��r��_closea��s�� zAgentSSH._closec��C��sX��t�\|�}\|�j�t�dt\|��\|��\|��d�}t\|��t�d\|�d��}t \|� ��\|fS�)Nz>Ir��r��)r��r��send�struct�pack�len� _read_allr��unpack�ord�get_byte)r��msg�datar��r��r��r!��g��s �� zAgentSSH._send_messagec��C��sl��\|�j��\|�}t\|�\|k�r4t\|�dkrtd��\|�j��\|t\|��}t\|�dkrtd��\|\|7�}t\|�\|k�s\|S�)Nr��lost ssh-agent)r��recvr6��r��)r��wantedr-��extrar��r��r��r7��n��s��zAgentSSH._read_allN) �__name__� __module__�__qualname__r��r��r0��r2��r!��r7��r��r��r��r��r��=��s��r��c��@��0��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd S�)�AgentProxyThreadz@ Class in charge of communication between two channels. c��C��s"��t�jj\|�\|�jd��\|\|�_d\|�_d�S�)N)�targetF)� threading�Threadr��run�_agent�_exit�r��r��r��r��r��r��s�� zAgentProxyThread.__init__c��C��sh��z/\|��\}}\|\|�_\|\|�_\|�j��t\|�jt�s)\|�jjd�u�s%t\|�jjd�s)t d��\|�� W�d�S��)N�filenozUnable to connect to SSH agent)�get_connection�_AgentProxyThread__inr�_AgentProxyThread__addrrJ��connect� isinstance�intr��hasattrr��_communicate)r��r�addrr��r��r��rI��s�� zAgentProxyThread.runc��C��s��dd�l�}\|��\|�j\|j�}\|��\|�j\|j\|tjB��\|�jswt\|�jj \|�jgg�g�d�}\|d�D�]A}\|�jj \|krM\|�jj � d�}t\|�dkrG\|�j�\|��q+\|�� n \|�j\|krl\|�j� d�}t\|�dkrf\|�jj �\|��q+\|�� nq+t�t��\|�jrd�S�d�S�)Nr��g��?i��)�fcntlrO��F_GETFL�F_SETFL�os� O_NONBLOCKrK��r��rJ��r��r>��r6��r3��r2��time�sleepr��)r��rX��oldflags�events�fdr<��r��r��r��rU��s�� zAgentProxyThread._communicatec��C��s ��d\|�_�\|�j��\|�jj��d�S�)NT)rK��rO��r1��rJ��r��r��r��r��r��r2��s�� zAgentProxyThread._closeN)rA��rB��rC��__doc__r��rI��rU��r2��r��r��r��r��rE��z��s��rE��c��@�� e�Zd�ZdZdd��Zdd��ZdS�)�AgentLocalProxyz� Class to be used when wanting to ask a local SSH Agent being asked from a remote fake agent (so use a unix socket for ex.) c��C��s��t��\|�\|��d�S��N)rE��r��rL��r��r��r��r��s��zAgentLocalProxy.__init__c��C��sJ��t��t�jt�j�}z\|�\|�j��\|�d��\|��\}}\|\|fW�S��)zX Return a pair of socket object and string address. May block! ��)�socket�AF_UNIX�SOCK_STREAM�bindrJ�� _get_filename�listen�accept)r��r+��rV��rW��r��r��r��rN��s�� zAgentLocalProxy.get_connectionN�rA��rB��rC��rb��r��rN��r��r��r��r��rd��s��rd��c��@��rc��)�AgentRemoteProxyzA Class to be used when wanting to ask a remote SSH Agent c��C��s��t��\|�\|��\|\|�_d�S�re��)rE��r��_AgentRemoteProxy__chan)r��r��chanr��r��r��r��s�� zAgentRemoteProxy.__init__c��C��s ��\|�j�d�fS�re��)rp��r��r��r��r��rN��s�� zAgentRemoteProxy.get_connectionNrn��r��r��r��r��ro��s��ro��c��C��s��dt�jv�r$tjdkr$t�tjtj�}�z\|��t�jd��\|�W�S��Y�dS�tjdkrGddlm }m }�d}�\|��r=\|��}�\|�S�\|��rE\|� ��}�\|�S�dS�)zj Returns some SSH agent object, or None if none were found/supported. .. versionadded:: 2.10 � SSH_AUTH_SOCK�win32Nrf��)�win_pageant�win_openssh)r[��environ�sys�platformrg��rh��ri��rQ��rt��ru��can_talk_to_agent�PageantConnection�OpenSSHAgentConnection)r+��rt��ru��r��r��r��get_agent_connection��s"�� r}��c��@��rD��)�AgentClientProxya�� Class proxying request as a client: #. client ask for a request_forward_agent() #. server creates a proxy and a fake SSH Agent #. server ask for establishing a connection when needed, calling the forward_agent_handler at client side. #. the forward_agent_handler launch a thread for connecting the remote fake agent and the local agent #. Communication occurs ... c��C��s&��d�\|�_�\|\|�_t\|�\|�\|�_\|�j��d�S�re��)r��_AgentClientProxy__chanRro��thread�start�r�� chanRemoter��r��r��r��s��zAgentClientProxy.__init__c��C��\|��d�S�re��r1��r��r��r��r��__del__ ��zAgentClientProxy.__del__c��C��s��t��}\|sdS�\|\|�_dS�)zJ Method automatically called by ``AgentProxyThread.run``. N)r}��r��r��r+��r��r��r��rQ�� s�� zAgentClientProxy.connectc��C��s:��t�\|�d�rd\|�j_\|�j�d��\|�jdur\|�j��dS�dS�)zh Close the current connection and terminate the agent Should be called manually r��T��N)rT��r��rK��joinr��r1��r��r��r��r��r1��s�� zAgentClientProxy.closeN)rA��rB��rC��rb��r��r��rQ��r1��r��r��r��r��r~��s�� r~��c��@��s@��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd d��Zdd ��Z dS�)�AgentServerProxya�� Allows an SSH server to access a forwarded agent. This also creates a unix domain socket on the system to allow external programs to also access the agent. For this reason, you probably only want to create one of these. :meth:`connect` must be called before it is usable. This will also load the list of keys the agent contains. You must also call :meth:`close` in order to clean up the unix socket and the thread that maintains it. (:class:`contextlib.closing` might be helpful to you.) :param .Transport t: Transport used for SSH Agent communication forwarding :raises: `.SSHException` -- mostly if we lost the agent c��C��sP��t��\|��\|\|�_t�d�\|�_t�\|�jtj ��\|�jd�\|�_ t\|��\|�_\|�j� ��d�S�)N�sshproxyz /sshproxy.ssh)r��r��_AgentServerProxy__t�tempfile�mkdtemp�_dirr[��chmod�stat�S_IRWXU�_filerd��r��r��)r��tr��r��r��r��4��s�� zAgentServerProxy.__init__c��C��r��re��r��r��r��r��r��r��=��r��zAgentServerProxy.__del__c��C��s2��\|�j��}\|d�u�r td��\|�d��\|��\|��d�S�)Nr=��z auth-agent)r��open_forward_agent_channelr��set_namer0��)r�� conn_sockr��r��r��rQ��@��s �� zAgentServerProxy.connectc��C��s8��t��\|�j��t��\|�j��d\|�j_\|�j�d��\|��dS�)zk Terminate the agent, clean the files, close connections Should be called manually Tr��N) r[��remover��rmdirr��r��rK��r��r2��r��r��r��r��r1��G��s ��zAgentServerProxy.closec��C��s��d\|��iS�)z� Helper for the environment under unix :return: a dict containing the ``SSH_AUTH_SOCK`` environment variables rr��)rk��r��r��r��r��get_envR��s��zAgentServerProxy.get_envc��C��r��re��)r��r��r��r��r��rk��[��zAgentServerProxy._get_filenameN) rA��rB��rC��rb��r��r��rQ��r1��r��rk��r��r��r��r��r��"��s�� r��c��@��rD��)�AgentRequestHandlera�� Primary/default implementation of SSH agent forwarding functionality. Simply instantiate this class, handing it a live command-executing session object, and it will handle forwarding any local SSH agent processes it finds. For example:: # Connect client = SSHClient() client.connect(host, port, username) # Obtain session session = client.get_transport().open_session() # Forward local agent AgentRequestHandler(session) # Commands executed after this point will see the forwarded agent on # the remote end. session.exec_command("git clone https://my.git.repository/") c��C��s"��d�\|�_�\|\|�_\|�\|�j��g�\|�_d�S�re��)r��_AgentRequestHandler__chanC�request_forward_agent�_forward_agent_handler�"_AgentRequestHandler__clientProxys)r�� chanClientr��r��r��r��u��s�� zAgentRequestHandler.__init__c��C��s��\|�j��t\|��d�S�re��)r��r&��r~��r��r��r��r��r��{��s��zAgentRequestHandler._forward_agent_handlerc��C��r��re��r��r��r��r��r��r��~��r��zAgentRequestHandler.__del__c��C��s��\|�j�D�]}\|��qd�S�re��)r��r1��)r��pr��r��r��r1��s�� zAgentRequestHandler.closeN)rA��rB��rC��rb��r��r��r��r1��r��r��r��r��r��_��s��r��c��@��rc��)�Agenta�� Client interface for using private keys from an SSH agent running on the local machine. If an SSH agent is running, this class can be used to connect to it and retrieve `.PKey` objects which can be used when attempting to authenticate to remote SSH servers. Upon initialization, a session with the local machine's SSH agent is opened, if one is running. If no agent is running, initialization will succeed, but `get_keys` will return an empty tuple. :raises: `.SSHException` -- if an SSH agent is found, but speaks an incompatible protocol .. versionchanged:: 2.10 Added support for native openssh agent on windows (extending previous putty pageant support) c��C��s&��t��\|��t��}\|sd�S�\|��\|��d�S�re��)r��r��r}��r0��r��r��r��r��r��s �� zAgent.__init__c��C��s��\|��dS�)z1 Close the SSH agent connection. N)r2��r��r��r��r��r1��s��zAgent.closeN)rA��rB��rC��rb��r��r1��r��r��r��r��r��s��r��c��s`��e�Zd�ZdZddd�Zdd��Zdd��Zd d ��Z��fdd�Zd d��Z e dd��Zddd�Z��Z S�)r'��a�� Private key held in a local SSH agent. This type of key can be used for authenticating to a remote server (signing). Most other key operations work as expected. .. versionchanged:: 3.2 Added the ``comment`` kwarg and attribute. .. versionchanged:: 3.2 Added the ``.inner_key`` attribute holding a reference to the 'real' key instance this key is a proxy for, if one was obtainable, else None. ry��c�� C��sz��\|\|�_�\|\|�_\|\|�_t\|�}\|��\|�_tt�\|�_d�\|�_ zt j\|�j\|d�\|�_ W�d�S��ty<��d}\|�� t\|�\|�j��Y�d�S�w�)N)�key_type� key_bytesz5Unable to derive inner_key for agent key of type {!r})r��r��r ��r��r)��namer��__file__�_logger� inner_keyr ��from_type_stringr ��logr��format)r��r��r��r ��r;��errr��r��r��r��s�� zAgentKey.__init__c��O��s��\|�j�j\|i�\|��S�re��)r��r��)r��args�kwargsr��r��r��r��s��zAgentKey.logc��C��s��\|�j�r\|�j��S�\|�jS�re��)r��r��r��r��r��r��r��r��s��zAgentKey.asbytesc��C��r��re��)r��r��r��r��r��get_name��r��zAgentKey.get_namec��s��\|�j�d�ur \|�j��S�t��S�re��)r��get_bits�superr�� __class__r��r��r��s�� zAgentKey.get_bitsc��C��s��\|�j�du�r t\|��t\|�j�\|�S�)zO Proxy any un-implemented methods/properties to the inner_key. N)r��AttributeError�getattr)r��r��r��r��r��__getattr__��s�� zAgentKey.__getattr__c��C��s ��\|��\|�jg}\|�jr\|�jjS�\|S�re��)r��r��r��_fields)r��fallbackr��r��r��r��s��zAgentKey._fieldsNc��C��sb��t��}\|�t��\|�\|��\|�\|��\|�t�\|d��\|�j� \|�\}}\|t kr-td��\|��S�)Nr��zkey cannot be used for signing) r��add_byte�cSSH2_AGENTC_SIGN_REQUEST� add_stringr��add_int�ALGORITHM_FLAG_MAP�getr��r!��SSH2_AGENT_SIGN_RESPONSEr��r(��)r��r<�� algorithmr;��r,��r-��r��r��r�� sign_ssh_data��s�� zAgentKey.sign_ssh_data)ry��re��)rA��rB��rC��rb��r��r��r��r��r��r��propertyr��r�� __classcell__r��r��r��r��r'��s�� r'��)0rb��r[��rg��r4��rw��rG��r]��r��r��loggingr��r��paramiko.commonr��r��paramiko.ssh_exceptionr��r��paramiko.messager�� paramiko.pkeyr ��r �� paramiko.utilr��r��r"��r#��r��r��SSH_AGENT_RSA_SHA2_256�SSH_AGENT_RSA_SHA2_512r��list�items�key�valuer��rH��rE��rd��ro��r}��r~��r��r��r��r'��r��r��r��r��<module>��sJ��=; +='"��__pycache__/dsskey.cpython-310.pyc��0000644��00000014426�15030210772�0012763 0��ustar�00��o ��h8 ��@��s��d�Z�ddlmZ�ddlmZ�ddlmZmZ�ddlm Z �ddl mZmZ�ddl mZ�ddlmZ�dd lmZ�dd lmZ�ddlmZmZ�ddlmZ�G�d d��de�ZdS�)z DSS keys. ��)�InvalidSignature)�default_backend)�hashes� serialization)�dsa)�decode_dss_signature�encode_dss_signature)�util)� zero_byte)�SSHException)�Message)�BER�BERException)�PKeyc��@��s��e�Zd�ZdZdZ d#dd�Zdd��Zdd ��Zed d��Z dd ��Z dd��Zdd��Zd$dd�Z dd��Zd$dd�Zd$dd�Zed%dd��Zdd��Zdd ��Zd!d"��ZdS�)&�DSSKeyzX Representation of a DSS key which can be used to sign an verify SSH2 data. zssh-dssNc��C��s��d�\|�_�d�\|�_d�\|�_d�\|�_d�\|�_d�\|�_\|d�ur\|��\|\|��d�S�\|d�ur\|��\|\|��d�S�\|d�u�r6\|d�ur6t\|�}\|d�urE\|\\|�_�\|�_\|�_\|�_n!\|�j \|\|�j \|�j ��d�d��\|��\|�_�\|��\|�_\|��\|�_\|��\|�_t� \|�j��\|�_d�S�)Nz-cert-v01@openssh.com)�msg�key_type� cert_type)�p�q�g�y�x�public_blob�_from_private_key�_from_private_key_filer��_check_type_and_load_cert�name� get_mpintr �� bit_length�size)�selfr��data�filename�password�vals�file_obj��r'��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/dsskey.py�__init__0��s4�� zDSSKey.__init__c��C��sJ��t��}\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|��S��N) r�� add_stringr�� add_mpintr��r��r��r��asbytes)r!��mr'��r'��r(��r-��U��s��zDSSKey.asbytesc��C��s��\|��S�r��)r-��r!��r'��r'��r(��__str__^��s��zDSSKey.__str__c��C��s��\|��\|�j\|�j\|�j\|�jfS�r��)�get_namer��r��r��r��r/��r'��r'��r(��_fieldsa��s��zDSSKey._fieldsc��C��\|�j�S�r��)r��r/��r'��r'��r(��r1��f��zDSSKey.get_namec��C��r3��r��)r ��r/��r'��r'��r(��get_bitsi��r4��zDSSKey.get_bitsc��C��s ��\|�j�d�uS�r��)r��r/��r'��r'��r(��can_signl��s�� zDSSKey.can_signc�� C��s��t�j\|�jt�j\|�jt�j\|�j\|�j\|�jd�d�d�j t ��d�}\|�\|t� ��}t\|�\}}t��}\|�\|�j��t�\|d�}t�\|d�} t\|�dk�rOtdt\|��\|�}t\| �dk�r_tdt\| ��\| �} \|�\|\| ��\|S�)N�r��r��r��r��parameter_numbers�r��public_numbers��backendr��)r��DSAPrivateNumbersr��DSAPublicNumbersr��DSAParameterNumbersr��r��r��private_keyr��signr��SHA1r��r��r+��r��r ��deflate_long�lenr ��) r!��r"�� algorithm�key�sig�r�sr.��rstr�sstrr'��r'��r(�� sign_ssh_datao��s.�� zDSSKey.sign_ssh_datac�� C��s��t�\|��dkr \|��}n\|��}\|\|�jkrdS�\|��}t�\|d�d��d�}t�\|dd��d�}t\|\|�}tj \|�j tj\|�j\|�j \|�jd�d�jt��d�}z\|�\|\|t��W�d S��tya��Y�dS�w�) N�(��r��r>��r7��r8��r<��FT)rF��r-��get_textr�� get_binaryr ��inflate_longr��r��r@��r��rA��r��r��r�� public_keyr��verifyr��rD��r��) r!��r"��r��rI��kind�sigR�sigS� signaturerH��r'��r'��r(��verify_ssh_sig��s.�� zDSSKey.verify_ssh_sigc�� C��R��t�j\|�jt�j\|�jt�j\|�j\|�j\|�jd�d�d�j t ��d�}\|�j\|\|tj j\|d��d�S��Nr7��r8��r:��r<��)r$��)r��r?��r��r@��r��rA��r��r��r��rB��r��_write_private_key_filer�� PrivateFormat�TraditionalOpenSSL)r!��r#��r$��rH��r'��r'��r(��write_private_key_file��"�� zDSSKey.write_private_key_filec�� C��r[��r\��)r��r?��r��r@��r��rA��r��r��r��rB��r��_write_private_keyr��r^��r_��)r!��r&��r$��rH��r'��r'��r(��write_private_key��ra��zDSSKey.write_private_key��c��C��sH��t�j\|�t��d��}t\|jjj\|jjj\|jjj \|jj fd�}\|j\|_\|S�)a$�� Generate a new private DSS key. This factory function can be used to generate a new host key or authentication key. :param int bits: number of bits the generated key should be. :param progress_func: Unused :return: new `.DSSKey` private key r<��)r%��)r��generate_private_keyr��private_numbersr��r;��r9��r��r��r��r��r��)�bits� progress_func�numbersrH��r'��r'��r(��generate��s�� zDSSKey.generatec��C��\|��d\|\|�}\|��\|��d�S��N�DSA)�_read_private_key_file�_decode_key)r!��r#��r$��r"��r'��r'��r(��r��zDSSKey._from_private_key_filec��C��rk��rl��)�_read_private_keyro��)r!��r&��r$��r"��r'��r'��r(��r��rp��zDSSKey._from_private_keyc�� C��s��\|\}}\|\|�j�kr%zt\|��}W�n+�ty$�}�ztd�\|��d�}~ww�\|\|�jkr8\|��\|d�}dgt\|��}n\|�� \|��t \|�tusOt\|�dk�sO\|d�dkrStd��\|d�\|�_\|d�\|�_ \|d�\|�_\|d �\|�_\|d �\|�_t�\|�j�\|�_d�S�)NzUnable to parse key file: {}�iiiiir��z3not a valid DSA private key file (bad ber encoding)rP��)�_PRIVATE_KEY_FORMAT_ORIGINALr ��decoder��r��format�_PRIVATE_KEY_FORMAT_OPENSSH�_uint32_cstruct_unpack�list�_got_bad_key_format_id�typerF��r��r��r��r��r��r ��r��r ��)r!��r"��pkformat�keylist�er'��r'��r(��ro��s,�� $� zDSSKey._decode_key)NNNNNNr��)rd��N)�__name__� __module__�__qualname__�__doc__r��r)��r-��r0��propertyr2��r1��r5��r6��rN��rZ��r`��rc��staticmethodrj��r��r��ro��r'��r'��r'��r(��r��(��s4�� % r��N)r��cryptography.exceptionsr��cryptography.hazmat.backendsr��cryptography.hazmat.primitivesr��r��)cryptography.hazmat.primitives.asymmetricr��/cryptography.hazmat.primitives.asymmetric.utilsr��r��paramikor ��paramiko.commonr ��paramiko.ssh_exceptionr��paramiko.messager��paramiko.berr ��r�� paramiko.pkeyr��r��r'��r'��r'��r(��<module>��s��__pycache__/transport.cpython-310.pyc��0000644��00000264547�15030210772�0013530 0��ustar�00��o ��hs��@��s,��d�Z�ddlZddlZddlZddlZddlZddlZddlmZm Z m Z mZ�ddlm Z �ddlmZmZmZ�ddlZddlmZ�ddlmZmZ�ddlmZ�dd lmZ�dd lmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)mZm+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;m<Z<m=Z=m>Z>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZM�ddlNmOZOmPZP�ddlQmRZR�dd lSmTZT�ddlUmVZV�ddlWmXZXmYZY�ddlZm[Z[�ddl\m]Z]m^Z^�ddl_m`Z`�ddlambZbmcZcmdZd�ddlemfZfmgZgmhZh�ddlimjZj�ddlkmlZlmmZm�ddlnmoZo�ddlpmqZq�ddlrmsZs�ddltmuZu�ddlvmwZw�ddlxmyZymzZzm{Z{m\|Z\|m}Z}m~Z~�ddlm�Z�m�Z�m�Z��zddl�m�Z��W�n�e��yd��ddl�m�Z��Y�nw�g�Z�dd ��Z�ddl�Z�e��e��G�d!d"��d"ej�e��Z�G�d#d$��d$�Z�G�d%d&��d&�Z�G�d'd(��d(e��Z�dS�))z Core protocol implementation ��N)�md5�sha1�sha256�sha512)�default_backend)� algorithms�Cipher�modes)�util)�AuthHandler�AuthOnlyHandler)�GSSAuth)�Channel)2� xffffffff�cMSG_CHANNEL_OPEN�cMSG_IGNORE�cMSG_GLOBAL_REQUEST�DEBUG�MSG_KEXINIT� MSG_IGNORE�MSG_DISCONNECT� MSG_DEBUG�ERROR�WARNING�cMSG_UNIMPLEMENTED�INFO�cMSG_KEXINIT�cMSG_NEWKEYS�MSG_NEWKEYS�cMSG_REQUEST_SUCCESS�cMSG_REQUEST_FAILURE�CONNECTION_FAILED_CODE�'OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED�OPEN_SUCCEEDED�cMSG_CHANNEL_OPEN_FAILURE�cMSG_CHANNEL_OPEN_SUCCESS�MSG_GLOBAL_REQUEST�MSG_REQUEST_SUCCESS�MSG_REQUEST_FAILURE�cMSG_SERVICE_REQUEST�MSG_SERVICE_ACCEPT�MSG_CHANNEL_OPEN_SUCCESS�MSG_CHANNEL_OPEN_FAILURE�MSG_CHANNEL_OPEN�MSG_CHANNEL_SUCCESS�MSG_CHANNEL_FAILURE�MSG_CHANNEL_DATA�MSG_CHANNEL_EXTENDED_DATA�MSG_CHANNEL_WINDOW_ADJUST�MSG_CHANNEL_REQUEST�MSG_CHANNEL_EOF�MSG_CHANNEL_CLOSE�MIN_WINDOW_SIZE�MIN_PACKET_SIZE�MAX_WINDOW_SIZE�DEFAULT_WINDOW_SIZE�DEFAULT_MAX_PACKET_SIZE�HIGHEST_USERAUTH_MESSAGE_ID�MSG_UNIMPLEMENTED� MSG_NAMES�MSG_EXT_INFO� cMSG_EXT_INFO�byte_ord)�ZlibCompressor�ZlibDecompressor)�DSSKey)� Ed25519Key)� KexCurve25519)�KexGex�KexGexSHA256)� KexGroup1)� KexGroup14�KexGroup14SHA256)�KexGroup16SHA512)�KexNistp256�KexNistp384�KexNistp521)� KexGSSGex�KexGSSGroup1� KexGSSGroup14)�Message)� Packetizer�NeedRekeyException)�ModulusPack)�RSAKey)�ECDSAKey)�ServerInterface)� SFTPClient)�BadAuthenticationType�ChannelException�IncompatiblePeer�MessageOrderError�ProxyCommandFailure�SSHException)�ClosingContextManager�clamp_value�b)� TripleDESc��C��s��t�D�]}�\|��qd�S��N)�_active_threads�stop_thread)�thr��rh��E/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/transport.py�_join_lingering_threads��s�� rj��c��@��sL��e�Zd�ZdZe��Ze��ZdZd�e j �ZdZdZ dZdZdZe��r&de�Zd Zd Zejejddd�ejejdd d�ejejddd�ejejddd�ejejdd d�ejejddd�eejdd d�d�Zedd�edd�edd�edd�edd�edd�edd�edd�d�Z i�de!�de!�de!�de!�de!�de!�de"�de"�de#�de#�de#�d e#�d!e#�d"e#�d#e$�d$e$�Z%e&e'e(e)ee+e,e-e.e/e0e1d%�Z2e��r�ee2d&<�e3e4fe3e4fd'd(�Z5d)Z6dZ7e8e9d+d,d)d,d,d)fd-d.�Z:d/d0��Z;e<d1d2��Z=e<d3d4��Z>e<d5d6��Z?e<d7d8��Z@e<d9d:��ZAe<d;d<��ZBd=d>��ZCd?d@��ZDdAdB��ZEd�dCdD�ZFd'dEdF�ZGd'dGdH�ZHdIdJ��ZIdKdL��ZJeKd�dMdN��ZLdOdP��ZMdQdR��ZNdSdT��ZO )d�dUdV�ZPd�dWdX�ZQdYdZ��ZRd[d\��ZS ) ) ) ) )d�d]d^�ZTd�d_d`�ZUdadb��ZVdcdd��ZWd�dedf�ZXdgdh��ZYdidj��ZZd�dkdl�Z[d�dmdn�Z\ ) o ) ) ) + + , ,d�dpdq�Z]drds��Z^dtdu��Z_dvdw��Z`dxdy��Zadzd{��Zbd\|d}��Zcd�d~d�Zdd�d�d��Zed�d�d��Zfd�d�d��Zgd�d��Zhd�d��Zid�d��Zjd�d��Zkd�d��Zld�d��Zmd�d�d��Znd�d��Zod�d��Zpd�d��Zqd�d��Zrd�d��Zsd�d��Ztd�d��Zud�d��Zvd�d��Zwd�d��Zxd�d��Zyd�d��Zzd�d��Z{d�d��Z\|d�d��Z}d�d��Z~d�d��Zd�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�d�dÄ�Z�d�dń�Z�d�d�dǄZ�d�dɄ�Z�d�d˄�Z�d�d̈́�Z�d�dτ�Z�d�dф�Z�d�dӄ�Z�d�dՄ�Z�d�dׄ�Z�d�dل�Z�d�dۄ�Z�d�d݄�Z�d�d߄�Z�d�d��Z�d�d��Z�d�d��Z�d�d��Z�e�e�j�e�e�j�e�e�j�e�e�j�e�e�j�e�e�j�e�e�j�e�e�j�iZ�d)S�)�� Transporta�� An SSH Transport attaches to a stream (usually a socket), negotiates an encrypted session, authenticates, and then creates stream tunnels, called `channels <.Channel>`, across the session. Multiple channels can be multiplexed across a single session (and often are, in the case of port forwardings). Instances of this class may be used as context managers. �2.0zparamiko_{})z aes128-ctrz aes192-ctrz aes256-ctrz aes128-cbcz aes192-cbcz aes256-cbcz3des-cbc)� hmac-sha2-256� hmac-sha2-512�hmac-sha2-256-etm@openssh.com�hmac-sha2-512-etm@openssh.com� hmac-sha1�hmac-md5�hmac-sha1-96�hmac-md5-96)�ssh-ed25519�ecdsa-sha2-nistp256�ecdsa-sha2-nistp384�ecdsa-sha2-nistp521�rsa-sha2-512�rsa-sha2-256�ssh-rsa�ssh-dss) �ecdh-sha2-nistp256�ecdh-sha2-nistp384�ecdh-sha2-nistp521�diffie-hellman-group16-sha512�$diffie-hellman-group-exchange-sha256�diffie-hellman-group14-sha256�"diffie-hellman-group-exchange-sha1�diffie-hellman-group14-sha1�diffie-hellman-group1-sha1)�curve25519-sha256@libssh.org)�%gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==�)gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==�(gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==��none��)�class�mode� block-size�key-size�� )r��size��@��)rq��rs��rm��ro��rn��rp��rr��rt��r{��zssh-rsa-cert-v01@openssh.comrz��z!rsa-sha2-256-cert-v01@openssh.comry��z!rsa-sha2-512-cert-v01@openssh.comr\|��zssh-dss-cert-v01@openssh.comrv��z(ecdsa-sha2-nistp256-cert-v01@openssh.comrw��z(ecdsa-sha2-nistp384-cert-v01@openssh.comrx��z(ecdsa-sha2-nistp521-cert-v01@openssh.comru��z ssh-ed25519-cert-v01@openssh.com)r��r��r��r��r��r��r��r��r��r}��r~��r��r��)NN��zlib@openssh.com�zlibr��N皙��?FTc ��C��sF��d\|�_�d\|�_i�\|�_\|\|�_d\|�_t\|t�r6\|�dd�} \| d�\|�_t\| �dkr,\| d�df}n \| d�t \| d��f}t \|�tu�r�\|\}}\|\|�_d} t� \|\|tjtj�}\|D�]8\}}}}}\|tjkr�\|}t�\|tj�}z \|�\|\|f��W�n�tjy��}�z t\|�} W�Y�d}~qQd}~ww��n qQtd�\|\| ��tj�\|��d \|�_\|\|�_\|�j�\|�j��\| p�t\|�\|�_d \|�j�d�\|�j�\|�_d\|�_ d�\|�_!\|�_"d�\|�_#\|�_$d�\|�_%\|�_&d�\|�_'\|�_(d\|�_)d\|�_d\|�_+\|\|�_,d\|�_-d\|�_.d\|�_/\|�j,r�t0d \|�\|�_.\|�j1\|�j2�\|�_2d\|�_3d\|�_4d\|�_5d\|�_6d\|�_7d\|�_8t��\|�_9t�:��\|�_;t<��\|�_=i�\|�_>i�\|�_?d\|�_@\|\|�_A\|\|�_Bd\|�_Cd\|�_Dd\|�_Ed\|�_Ft�G��\|�_Ht�:��\|�_Id\|�_Jd\|�_KtL�M\|�jK�\|�_N\|�j�O\|�jN��d\|�_Pd\|�_Qd\|�_Rd\|�_Sd\|�_Td\|�_Ud\|�_V\|�phi�\|�_W\|\|�_Xd\|�_Yd\|�_Zi�\|�_[g�\|�_\t�]\|�j;�\|�_^i�\|�__t`\|�jatb\|�jctd\|�jetf\|�jgth\|�jitj\|�jktl\|�jmtn\|�jotp\|�jqi \|�_rdS�)a�� Create a new SSH session over an existing socket, or socket-like object. This only creates the `.Transport` object; it doesn't begin the SSH session yet. Use `connect` or `start_client` to begin a client session, or `start_server` to begin a server session. If the object is not actually a socket, it must have the following methods: - ``send(bytes)``: Writes from 1 to ``len(bytes)`` bytes, and returns an int representing the number of bytes written. Returns 0 or raises ``EOFError`` if the stream has been closed. - ``recv(int)``: Reads from 1 to ``int`` bytes and returns them as a string. Returns 0 or raises ``EOFError`` if the stream has been closed. - ``close()``: Closes the socket. - ``settimeout(n)``: Sets a (float) timeout on I/O operations. For ease of use, you may also pass in an address (as a tuple) or a host string as the ``sock`` argument. (A host string is a hostname with an optional port (separated by ``":"``) which will be converted into a tuple of ``(hostname, port)``.) A socket will be connected to this address and used for communication. Exceptions from the ``socket`` call may be thrown in this case. .. note:: Modifying the the window and packet sizes might have adverse effects on your channels created from this transport. The default values are the same as in the OpenSSH code base and have been battle tested. :param socket sock: a socket or socket-like object to create the session over. :param int default_window_size: sets the default window size on the transport. (defaults to 2097152) :param int default_max_packet_size: sets the default max packet size on the transport. (defaults to 32768) :param bool gss_kex: Whether to enable GSSAPI key exchange when GSSAPI is in play. Default: ``False``. :param bool gss_deleg_creds: Whether to enable GSSAPI credential delegation when GSSAPI is in play. Default: ``True``. :param dict disabled_algorithms: If given, must be a dictionary mapping algorithm type to an iterable of algorithm identifiers, which will be disabled for the lifetime of the transport. Keys should match the last word in the class' builtin algorithm tuple attributes, such as ``"ciphers"`` to disable names within ``_preferred_ciphers``; or ``"kex"`` to disable something defined inside ``_preferred_kex``. Values should exactly match members of the matching attribute. For example, if you need to disable ``diffie-hellman-group16-sha512`` key exchange (perhaps because your code talks to a server which implements it differently from Paramiko), specify ``disabled_algorithms={"kex": ["diffie-hellman-group16-sha512"]}``. :param bool server_sig_algs: Whether to send an extra message to compatible clients, in server mode, with a list of supported pubkey algorithms. Default: ``True``. :param bool strict_kex: Whether to advertise (and implement, if client also advertises support for) a "strict kex" mode for safer handshaking. Default: ``True``. :param packetizer_class: Which class to use for instantiating the internal packet handler. Default: ``None`` (i.e.: use `Packetizer` as normal). .. versionchanged:: 1.15 Added the ``default_window_size`` and ``default_max_packet_size`` arguments. .. versionchanged:: 1.15 Added the ``gss_kex`` and ``gss_deleg_creds`` kwargs. .. versionchanged:: 2.6 Added the ``disabled_algorithms`` kwarg. .. versionchanged:: 2.9 Added the ``server_sig_algs`` kwarg. .. versionchanged:: 3.4 Added the ``strict_kex`` kwarg. .. versionchanged:: 3.4 Added the ``packetizer_class`` kwarg. FN�:��r��zNo suitable address familyzUnable to connect to {}: {}T�SSH-�-��zgssapi-keyexg��>@zparamiko.transport��i��)s�active�hostname�server_extensions�advertise_strict_kex�agreed_on_strict_kex� isinstance�str�split�len�int�type�tuple�socket�getaddrinfo� AF_UNSPEC�SOCK_STREAM�connect�errorr_��format� threading�Thread�__init__�daemon�sock� settimeout�_active_check_timeoutrS�� packetizer� _PROTO_ID� _CLIENT_ID� local_version�remote_version�local_cipher� remote_cipher�local_kex_init�remote_kex_init� local_mac� remote_mac�local_compression�remote_compression� session_id� host_key_type�host_key�use_gss_kex�gss_kex_used�kexgss_ctxt�gss_hostr ��_preferred_gsskex�_preferred_kex� kex_engine�H�K�initial_kex_done�in_kex� authenticated�_expected_packet�Lock�lock� ChannelMap� _channels�channel_events� channels_seen�_channel_counter�default_max_packet_size�default_window_size�_forward_agent_handler�_x11_handler�_tcp_handler�saved_exception�Event� clear_to_send�clear_to_send_lock�clear_to_send_timeout�log_namer �� get_logger�logger�set_log�auth_handler�global_response�completion_event�banner_timeout�handshake_timeout�auth_timeout�channel_timeout�disabled_algorithms�server_sig_algs�server_mode� server_object�server_key_dict�server_accepts� Condition�server_accept_cv�subsystem_tabler>��_parse_ext_infor��_parse_newkeysr&��_parse_global_requestr'��_parse_request_successr(��_parse_request_failurer+��_parse_channel_open_successr,��_parse_channel_open_failurer-��_parse_channel_openr��_negotiate_keys�_handler_table)�selfr��r��r��gss_kex�gss_deleg_credsr��r�� strict_kex�packetizer_class�hlr��port�reason� addrinfos�family�socktype�proto� canonname�sockaddr�af�erh��rh��ri��r��W��s��c � �� zTransport.__init__c��s(��t��d��}t��fdd�\|D��S�)Nz _preferred_{}c��3��s&��\|�]}\|��j��g��vr\|V��qd�S�rd��)r��get��.0�x�r ��type_rh��ri�� <genexpr>F��s��z.Transport._filter_algorithm.<locals>.<genexpr>)�getattrr��r��)r ��r��defaultrh��r��ri��_filter_algorithmD��s��zTransport._filter_algorithmc��C�� \|��d�S�)N�ciphers�r#��r ��rh��rh��ri��preferred_ciphersL�� zTransport.preferred_ciphersc��C��r$��)N�macsr&��r'��rh��rh��ri��preferred_macsP��r)��zTransport.preferred_macsc��C��s$��\|��d�}t\|tdd��\|D��S�)N�keysc��s��s��\|�]}d��\|�V��qdS�)z{}-cert-v01@openssh.comN)r��r��rh��rh��ri��r ��]��s��z+Transport.preferred_keys.<locals>.<genexpr>)r#��r��)r ��filteredrh��rh��ri��preferred_keysT��s�� zTransport.preferred_keysc��C��r$��)N�pubkeysr&��r'��rh��rh��ri��preferred_pubkeys`��r)��zTransport.preferred_pubkeysc��C��r$��)N�kexr&��r'��rh��rh��ri�� preferred_kexd��r)��zTransport.preferred_kexc��C��r$��)N�compressionr&��r'��rh��rh��ri��preferred_compressionh��r)��zTransport.preferred_compressionc��C��s��t�t\|��t@��}d�\|�}\|�js\|d7�}n1\|�jdkr+\|d�\|�j\|�j\|�j�d�d��7�}\|��r:\|d�t\|�j ��7�}n\|�j rB\|d7�}n\|d 7�}\|d 7�}\|S�)�P Returns a string representation of this object, for debugging. z<paramiko.Transport at {}z (unconnected)r��z (cipher {}, {:d} bits)r��r��z (active; {} open channel(s))z (connected; awaiting auth)z (connecting)�>)�hex�idr��r��r��r��_cipher_info�is_authenticatedr��r��r��)r ��id_�outrh��rh��ri��__repr__l��s$�� zTransport.__repr__c��C��s��\|�j��\|��dS�)a�� Terminate this Transport without closing the session. On posix systems, if a Transport is open during process forking, both parent and child will share the underlying socket, but only one process can use the connection (without corrupting the session). Use this method to clean up a Transport object without disrupting the other process. .. versionadded:: 1.5.3 N)r��closer'��rh��rh��ri��atfork��s�� zTransport.atforkc��C��t�\|��S�)a�� Return a `.SecurityOptions` object which can be used to tweak the encryption algorithms this transport will permit (for encryption, digest/hash operations, public keys, and key exchanges) and the order of preference for them. )�SecurityOptionsr'��rh��rh��ri��get_security_options��s��zTransport.get_security_optionsc��C��s6��\|sdS�\|du�r\|�j�}\|r\|durt�\|�}\|\|�_dS�)a�� Normalize/canonicalize ``self.gss_host`` depending on various factors. :param str gss_host: The explicitly requested GSS-oriented hostname to connect to (i.e. what the host's name is in the Kerberos database.) Defaults to ``self.hostname`` (which will be the 'real' target hostname and/or host portion of given socket object.) :param bool trust_dns: Indicates whether or not DNS is trusted; if true, DNS will be used to canonicalize the GSS hostname (which again will either be ``gss_host`` or the transport's default hostname.) (Defaults to True due to backwards compatibility.) :param bool gssapi_requested: Whether GSSAPI key exchange or authentication was even requested. If not, this is a no-op and nothing happens (and ``self.gss_host`` is not set.) (Defaults to True due to backwards compatibility.) :returns: ``None``. N)r��r��getfqdnr��)r ��r�� trust_dns�gssapi_requestedrh��rh��ri��set_gss_host��s�� zTransport.set_gss_hostc��C��s��d\|�_�\|dur\|\|�_\|��dS�t��\|�_}\|��\|dur%t��\|�nd} �\|�d��\|�j�s>\|��}\|dur:\|�td��\|� ��sL\|durNt��\|krNdS�q()a\|�� Negotiate a new SSH2 session as a client. This is the first step after creating a new `.Transport`. A separate thread is created for protocol negotiation. If an event is passed in, this method returns immediately. When negotiation is done (successful or not), the given ``Event`` will be triggered. On failure, `is_active` will return ``False``. (Since 1.4) If ``event`` is ``None``, this method will not return until negotiation is done. On success, the method returns normally. Otherwise an SSHException is raised. After a successful negotiation, you will usually want to authenticate, calling `auth_password <Transport.auth_password>` or `auth_publickey <Transport.auth_publickey>`. .. note:: `connect` is a simpler method for connecting as a client. .. note:: After calling this method (or `start_server` or `connect`), you should no longer directly read from or write to the original socket object. :param .threading.Event event: an event to trigger when negotiation is complete (optional) :param float timeout: a timeout, in seconds, for SSH2 session negotiation (optional) :raises: `.SSHException` -- if negotiation fails (and no ``event`` was passed in) TNr��Negotiation failed.) r��r��startr��r��time�wait� get_exceptionr_��is_set)r ��event�timeout�max_timer��rh��rh��ri��start_client��s&��# �zTransport.start_clientc��C��s��\|du�rt��}d\|�_\|\|�_d\|�_\|dur\|\|�_\|��dS�t��\|�_}\|�� \|�d��\|�js?\|�� }\|dur;\|�t d��\|��rEdS�q))ap�� Negotiate a new SSH2 session as a server. This is the first step after creating a new `.Transport` and setting up your server host key(s). A separate thread is created for protocol negotiation. If an event is passed in, this method returns immediately. When negotiation is done (successful or not), the given ``Event`` will be triggered. On failure, `is_active` will return ``False``. (Since 1.4) If ``event`` is ``None``, this method will not return until negotiation is done. On success, the method returns normally. Otherwise an SSHException is raised. After a successful negotiation, the client will need to authenticate. Override the methods `get_allowed_auths <.ServerInterface.get_allowed_auths>`, `check_auth_none <.ServerInterface.check_auth_none>`, `check_auth_password <.ServerInterface.check_auth_password>`, and `check_auth_publickey <.ServerInterface.check_auth_publickey>` in the given ``server`` object to control the authentication process. After a successful authentication, the client should request to open a channel. Override `check_channel_request <.ServerInterface.check_channel_request>` in the given ``server`` object to allow channels to be opened. .. note:: After calling this method (or `start_client` or `connect`), you should no longer directly read from or write to the original socket object. :param .threading.Event event: an event to trigger when negotiation is complete. :param .ServerInterface server: an object used to perform authentication and create `channels <.Channel>` :raises: `.SSHException` -- if negotiation fails (and no ``event`` was passed in) NTr��rG��)rX��r��r��r��r��rH��r��r��rJ��rK��r_��rL��)r ��rM��serverr��rh��rh��ri��start_server��s�� �zTransport.start_serverc��C��s4��\|\|�j�\|��<�t\|t�r\|\|�j�d<�\|\|�j�d<�dS�dS�)a�� Add a host key to the list of keys used for server mode. When behaving as a server, the host key is used to sign certain packets during the SSH2 negotiation, so that the client can trust that we are who we say we are. Because this is used for signing, the key must contain private key info, not just the public half. Only one key of each type (RSA or DSS) is kept. :param .PKey key: the host key to add, usually an `.RSAKey` or `.DSSKey`. rz��ry��N)r��get_namer��rV��)r ��keyrh��rh��ri��add_server_key9��s �� zTransport.add_server_keyc��C��s$��z\|�j�\|�j�W�S��ty��Y�dS�w�)a�� Return the active host key, in server mode. After negotiating with the client, this method will return the negotiated host key. If only one type of host key was set with `add_server_key`, that's the only key that will ever be returned. But in cases where you have set more than one type of host key (for example, an RSA key and a DSS key), the key type will be negotiated by the client, and this method will return the key of the type agreed on. If the host key has not been negotiated yet, ``None`` is returned. In client mode, the behavior is undefined. :return: host key (`.PKey`) of the type negotiated by the client, or ``None``. N)r��r��KeyErrorr'��rh��rh��ri��get_server_keyM��s��zTransport.get_server_keyc�� C��s^��t��t_ddg}\|�dur\|�d\|��\|D�]}z tj�\|��W��dS��ty)��Y�qw�dt_dS�)a�� (optional) Load a file of prime moduli for use in doing group-exchange key negotiation in server mode. It's a rather obscure option and can be safely ignored. In server mode, the remote client may request "group-exchange" key negotiation, which asks the server to send a random prime number that fits certain criteria. These primes are pretty difficult to compute, so they can't be generated on demand. But many systems contain a file of suitable primes (usually named something like ``/etc/ssh/moduli``). If you call `load_server_moduli` and it returns ``True``, then this file of primes has been loaded and we will support "group-exchange" in server mode. Otherwise server mode will just claim that it doesn't support that method of key negotiation. :param str filename: optional path to the moduli file, if you happen to know that it's not in a standard location. :return: True if a moduli file was successfully loaded; False otherwise. .. note:: This has no effect when used in client mode. z/etc/ssh/moduliz/usr/local/etc/moduliNr��TF)rU��rk�� _modulus_pack�insert� read_file�IOError)�filename� file_list�fnrh��rh��ri��load_server_modulib��s��zTransport.load_server_modulic��C��s<��\|�j�sdS�\|��t\|�j��D�]}\|��q\|�j��dS�)zP Close this session, and any open channels that are tied to it. N)r��rf��listr��values�_unlinkr��r>��)r ��chanrh��rh��ri��r>��s�� zTransport.closec��C��s��\|�j�r\|�js td��\|�jS�)a�� Return the host key of the server (in client mode). .. note:: Previously this call returned a tuple of ``(key type, key string)``. You can get the same effect by calling `.PKey.get_name` for the key type, and ``str(key)`` for the key string. :raises: `.SSHException` -- if no session is currently active. :return: public key (`.PKey`) of the remote server �No existing session)r��r��r_��r��r'��rh��rh��ri��get_remote_server_key��s�� zTransport.get_remote_server_keyc��C��\|�j�S�)z� Return true if this session is active (open). :return: True if the session is still active (open); False if the session is closed )r��r'��rh��rh��ri�� is_active��zTransport.is_activec��C��s��\|�j�d\|\|\|d�S�)a�� Request a new channel to the server, of type ``"session"``. This is just an alias for calling `open_channel` with an argument of ``"session"``. .. note:: Modifying the the window and packet sizes might have adverse effects on the session created. The default values are the same as in the OpenSSH code base and have been battle tested. :param int window_size: optional window size for this session. :param int max_packet_size: optional max packet size for this session. :return: a new `.Channel` :raises: `.SSHException` -- if the request is rejected or the session ends prematurely .. versionchanged:: 1.13.4/1.14.3/1.15.3 Added the ``timeout`` argument. .. versionchanged:: 1.15 Added the ``window_size`` and ``max_packet_size`` arguments. �session)�window_size�max_packet_sizerN��open_channel)r ��rj��rk��rN��rh��rh��ri��open_session��s��zTransport.open_sessionc��C��s��\|�j�d\|d�S�)a�� Request a new channel to the client, of type ``"x11"``. This is just an alias for ``open_channel('x11', src_addr=src_addr)``. :param tuple src_addr: the source address (``(str, int)``) of the x11 server (port is the x11 port, ie. 6010) :return: a new `.Channel` :raises: `.SSHException` -- if the request is rejected or the session ends prematurely �x11)�src_addrrl��)r ��rp��rh��rh��ri��open_x11_channel��s��zTransport.open_x11_channelc��C��r$��)aB�� Request a new channel to the client, of type ``"auth-agent@openssh.com"``. This is just an alias for ``open_channel('auth-agent@openssh.com')``. :return: a new `.Channel` :raises: `.SSHException` -- if the request is rejected or the session ends prematurely �auth-agent@openssh.comrl��r'��rh��rh��ri��open_forward_agent_channel��s�� z$Transport.open_forward_agent_channelc��C��s��\|��d\|\|�S�)aC�� Request a new channel back to the client, of type ``forwarded-tcpip``. This is used after a client has requested port forwarding, for sending incoming connections back to the client. :param src_addr: originator's address :param dest_addr: local (server) connected address �forwarded-tcpiprl��)r ��rp�� dest_addrrh��rh��ri��open_forwarded_tcpip_channel��s�� z&Transport.open_forwarded_tcpip_channelc�� C��s��\|�j�std��\|du�r\|�jn\|}\|�j��z�\|��\|�}\|��\|�}\|��}t��}\|� t ��\|�\|��\|�\|��\|�\|��\|�\|��\|dksH\|dkre\|�\|d��\|�\|d��\|�\|d��\|�\|d��n\|dkrw\|�\|d��\|�\|d��t \|�} \|�j�\|\| ��t��\|�j\|<�} d\|�j\|<�\| �\|��\| �\|\|��W�\|�j��n\|�j��w�\|��\|��t��} �\| �d ��\|�j�s�\|��}\|du�r�td �}\|�\| ��r�n \|\|�t��k�r�td��q�\|�j�\|�} \| dur�\| S�\|��}\|du�r�td �}\|�)ar�� Request a new channel to the server. `Channels <.Channel>` are socket-like objects used for the actual transfer of data across the session. You may only request a channel after negotiating encryption (using `connect` or `start_client`) and authenticating. .. note:: Modifying the the window and packet sizes might have adverse effects on the channel created. The default values are the same as in the OpenSSH code base and have been battle tested. :param str kind: the kind of channel requested (usually ``"session"``, ``"forwarded-tcpip"``, ``"direct-tcpip"``, or ``"x11"``) :param tuple dest_addr: the destination address (address + port tuple) of this port forwarding, if ``kind`` is ``"forwarded-tcpip"`` or ``"direct-tcpip"`` (ignored for other channel types) :param src_addr: the source address of this port forwarding, if ``kind`` is ``"forwarded-tcpip"``, ``"direct-tcpip"``, or ``"x11"`` :param int window_size: optional window size for this session. :param int max_packet_size: optional max packet size for this session. :param float timeout: optional timeout opening a channel, default 3600s (1h) :return: a new `.Channel` on success :raises: `.SSHException` -- if the request is rejected, the session ends prematurely or there is a timeout opening a channel .. versionchanged:: 1.15 Added the ``window_size`` and ``max_packet_size`` arguments. �SSH session not activeNrt��direct-tcpipr��r��ro��Tr��zUnable to open channel.zTimeout opening channel.)r��r_��r��r��acquire�_sanitize_window_size�_sanitize_packet_size� _next_channelrR��add_byter�� add_string�add_intr��r��putr��r��r��r��_set_transport�_set_window�release�_send_user_messagerI��rJ��rK��rL��r��) r ��kindru��rp��rj��rk��rN��chanid�mrc��rM��start_tsr��rh��rh��ri��rm��sd��, �zTransport.open_channelc��sl��j�std��t\|�}��jd\|\|fdd�}\|du�rtd��\|dkr%\|��}\|du�r1��fdd �}\|}\|��_\|S�) a�� Ask the server to forward TCP connections from a listening port on the server, across this SSH session. If a handler is given, that handler is called from a different thread whenever a forwarded connection arrives. The handler parameters are:: handler( channel, (origin_addr, origin_port), (server_addr, server_port), ) where ``server_addr`` and ``server_port`` are the address and port that the server was listening on. If no handler is set, the default behavior is to send new incoming forwarded connections into the accept queue, to be picked up via `accept`. :param str address: the address to bind when forwarding :param int port: the port to forward, or 0 to ask the server to allocate any port :param callable handler: optional handler for incoming forwarded connections, of the form ``func(Channel, (str, int), (str, int))``. :return: the port number (`int`) allocated by the server :raises: `.SSHException` -- if the server refused the TCP forward request rw�� tcpip-forwardT�rJ��NzTCP forwarding request deniedr��c��\|��d�S�rd��_queue_incoming_channel)�channelrp��dest_addr_portr'��rh��ri��default_handler��s��z7Transport.request_port_forward.<locals>.default_handler)r��r_��r��global_request�get_intr��)r ��addressr��handler�responser��rh��r'��ri��request_port_forward]��s��! �zTransport.request_port_forwardc��C��s(��\|�j�sdS�d\|�_\|�jd\|\|fdd��dS�)a.�� Ask the server to cancel a previous port-forwarding request. No more connections to the given address & port will be forwarded across this ssh connection. :param str address: the address to stop forwarding :param int port: the port to stop forwarding N�cancel-tcpip-forwardTr��)r��r��r��)r ��r��r��rh��rh��ri��cancel_port_forward��s�� zTransport.cancel_port_forwardc��C��s ��t��\|��S�)aE�� Create an SFTP client channel from an open transport. On success, an SFTP session will be opened with the remote host, and a new `.SFTPClient` object will be returned. :return: a new `.SFTPClient` referring to an sftp session (channel) across this transport )rY��from_transportr'��rh��rh��ri��open_sftp_client��s�� zTransport.open_sftp_clientc��C��sL��t��}\|�t��\|du�rtt�d��d�d�}\|�t�\|��\|��\|��dS�)a�� Send a junk packet across the encrypted link. This is sometimes used to add "noise" to a connection to confuse would-be attackers. It can also be used as a keep-alive for long lived connections traversing firewalls. :param int byte_count: the number of random bytes to send in the payload of the ignored packet -- defaults to a random number from 10 to 41. Nr��r�� )rR��r}��r��r@��os�urandom� add_bytesr��)r �� byte_countr��rh��rh��ri��send_ignore��s�� zTransport.send_ignorec��C��sT��t��\|�_\|�� \|�j�d��\|�js!\|��}\|dur\|�td��\|�j��r) �dS�q )aK�� Force this session to switch to new keys. Normally this is done automatically after the session hits a certain number of packets or bytes sent or received, but this method gives you the option of forcing new keys whenever you want. Negotiating new keys causes a pause in traffic both ways as the two sides swap keys and do computations. This method returns when the session has switched to new keys. :raises: `.SSHException` -- if the key renegotiation failed (which causes the session to end) Tr��NrG��) r��r��r��_send_kex_initrJ��r��rK��r_��rL��r ��r��rh��rh��ri��renegotiate_keys��s�� zTransport.renegotiate_keysc��C��s$��t��\|��fdd�}\|�j�\|\|��dS�)a�� Turn on/off keepalive packets (default is off). If this is set, after ``interval`` seconds without sending any data over the connection, a "keepalive" packet will be sent (and ignored by the remote host). This can be useful to keep connections alive over a NAT, for example. :param int interval: seconds to wait before sending a keepalive packet (or 0 to disable keepalives). c��S��s��\|�j�ddd�S�)Nzkeepalive@lag.netFr��)r��)r��rh��rh��ri��_request��z)Transport.set_keepalive.<locals>._requestN)�weakref�proxyr�� set_keepalive)r ��intervalr��rh��rh��ri��r��s��zTransport.set_keepalivec��C��s��\|rt��\|�_t��}\|�t��\|�\|��\|�\|��\|dur"\|j\|��\|�� t d�\|��\|��\|��\|s4dS� �\|�j� d��\|�js@dS�\|�j��rI �\|�jS�q5)a�� Make a global request to the remote host. These are normally extensions to the SSH2 protocol. :param str kind: name of the request. :param tuple data: an optional tuple containing additional data to attach to the request. :param bool wait: ``True`` if this method should not return until a response is received; ``False`` otherwise. :return: a `.Message` containing possible additional data if the request was successful (or an empty `.Message` if ``wait`` was ``False``); ``None`` if the request was denied. NzSending global request "{}"Tr��)r��r��r��rR��r}��r��r~��add_boolean�add�_logr��r��r��rJ��r��rL��r��)r ��r��datarJ��r��rh��rh��ri��r��s(�� zTransport.global_requestc��C��s��\|�j��z<t\|�j�dkr\|�j�d�}n\|�j�\|��t\|�j�dkr(\|�j�d�}nd}W�\|�j��\|S�W�\|�j��\|S�W�\|�j��\|S�\|�j��w�)aW�� Return the next channel opened by the client over this transport, in server mode. If no channel is opened before the given timeout, ``None`` is returned. :param int timeout: seconds to wait for a channel, or ``None`` to wait forever :return: a new `.Channel` opened by the client r��N)r��ry��r��r��popr��rJ��r��)r ��rN��rc��rh��rh��ri��accept��s"�� zTransport.acceptr��c �� C��s~��\|durt�\|t�rg�d�\|�_n\|��g\|�_\|�j\|\| \|p\|d��\|��\|durr\|sr\|��} \| ��\|��ks=\| ��\|��krg\|��t d��\|��t d� \|��t\|��\|��t d� \| ��t\| ��td��\|��t d� \|��\|dus~\|dus~\|s~\|r�\|r�\|��t d��\|�� \|\|�j\|��dS�\|r�\|��t d ��\|��\|��dS�\|dur�\|��t d ��\|��\|\|��dS�\|��t d��\|��\|\|��dS�)a �� Negotiate an SSH2 session, and optionally verify the server's host key and authenticate using a password or private key. This is a shortcut for `start_client`, `get_remote_server_key`, and `Transport.auth_password` or `Transport.auth_publickey`. Use those methods if you want more control. You can use this method immediately after creating a Transport to negotiate encryption with a server. If it fails, an exception will be thrown. On success, the method will return cleanly, and an encrypted session exists. You may immediately call `open_channel` or `open_session` to get a `.Channel` object, which is used for data transfer. .. note:: If you fail to supply a password or private key, this method may succeed, but a subsequent `open_channel` or `open_session` call may fail because you haven't authenticated yet. :param .PKey hostkey: the host key expected from the server, or ``None`` if you don't want to do host key verification. :param str username: the username to authenticate as. :param str password: a password to use for authentication, if you want to use password authentication; otherwise ``None``. :param .PKey pkey: a private key to use for authentication, if you want to use private key authentication; otherwise ``None``. :param str gss_host: The target's name in the kerberos database. Default: hostname :param bool gss_auth: ``True`` if you want to use GSS-API authentication. :param bool gss_kex: Perform GSS-API Key Exchange and user authentication. :param bool gss_deleg_creds: Whether to delegate GSS-API client credentials. :param gss_trust_dns: Indicates whether or not the DNS is trusted to securely canonicalize the name of the host being connected to (default ``True``). :raises: `.SSHException` -- if the SSH2 negotiation fails, the host key supplied by the server is incorrect, or authentication fails. .. versionchanged:: 2.3 Added the ``gss_trust_dns`` argument. N)ry��rz��r{��)r��rD��rE��zBad host key from serverzExpected: {}: {}zGot : {}: {}zHost key verified ({})z,Attempting GSS-API auth... (gssapi-with-mic)z)Attempting GSS-API auth... (gssapi-keyex)zAttempting public-key auth...zAttempting password auth...)r��rV��_preferred_keysrS��rF��rP��re��asbytesr��r��r��reprr_��auth_gssapi_with_micr��auth_gssapi_keyex�auth_publickey� auth_password)r ��hostkey�username�password�pkeyr��gss_authr��r�� gss_trust_dnsrT��rh��rh��ri��r��(��sf��< �� zTransport.connectc��C��s4��\|�j��z\|�j}d\|�_\|W�\|�j��S�\|�j��w�)ay�� Return any exception that happened during the last server request. This can be used to fetch more specific error information after using calls like `start_client`. The exception (if any) is cleared after this call. :return: an exception, or ``None`` if there is no stored exception. .. versionadded:: 1.1 N)r��ry��r��r��r��rh��rh��ri��rK��s�� zTransport.get_exceptionc��O��s8��z\|�j��\|\|\|f\|�j\|<�W�\|�j��dS�\|�j��w�)a'�� Set the handler class for a subsystem in server mode. If a request for this subsystem is made on an open ssh channel later, this handler will be constructed and called -- see `.SubsystemHandler` for more detailed documentation. Any extra parameters (including keyword arguments) are saved and passed to the `.SubsystemHandler` constructor later. :param str name: name of the subsystem. :param handler: subclass of `.SubsystemHandler` that handles this subsystem. N�r��ry��r��r��)r ��namer��args�kwargsrh��rh��ri��set_subsystem_handler��s�� zTransport.set_subsystem_handlerc��C��s��\|�j�o\|�jduo\|�j��S�)a�� Return true if this session is active and authenticated. :return: True if the session is still open and has been authenticated successfully; False if authentication failed and/or the session is closed. N)r��r��r:��r'��rh��rh��ri��r:��s �� zTransport.is_authenticatedc��C��s��\|�j�r\|�jdu�r dS�\|�j��S�)a�� Return the username this connection is authenticated for. If the session is not authenticated (or authentication failed), this method returns ``None``. :return: username that was authenticated (a `str`), or ``None``. N)r��r��get_usernamer'��rh��rh��ri��r��s�� zTransport.get_usernamec��C��s��\|�j�r\|�jdu�r dS�\|�jjS�)z� Return the banner supplied by the server upon connect. If no banner is supplied, this method returns ``None``. :returns: server supplied banner (`str`), or ``None``. .. versionadded:: 1.13 N)r��r��bannerr'��rh��rh��ri�� get_banner��s�� zTransport.get_bannerc��C��@��\|�j�r\|�js td��t��}t\|��\|�_\|�j�\|\|��\|�j�\|�S�)a�� Try to authenticate to the server using no authentication at all. This will almost always fail. It may be useful for determining the list of authentication types supported by the server, by catching the `.BadAuthenticationType` exception raised. :param str username: the username to authenticate as :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if "none" authentication isn't allowed by the server for this user :raises: `.SSHException` -- if the authentication failed due to a network error .. versionadded:: 1.5 rd��) r��r��r_��r��r��r��r�� auth_none�wait_for_response�r ��r��my_eventrh��rh��ri��r��s�� zTransport.auth_nonec��s��\|�j�r\|�js td��\|du�rt��}n\|}t\|��\|�_\|�j�\|��\|��\|dur(g�S�z\|�j�\|�W�S��t y`�}�z%\|r>d\|j vr?��z��fdd�}\|��\|\|�W�W��Y�d}~S��ty[��\|�w�d}~ww�)a� �� Authenticate to the server using a password. The username and password are sent over an encrypted link. If an ``event`` is passed in, this method will return immediately, and the event will be triggered once authentication succeeds or fails. On success, `is_authenticated` will return ``True``. On failure, you may use `get_exception` to get more detailed error information. Since 1.1, if no event is passed, this method will block until the authentication succeeds or fails. On failure, an exception is raised. Otherwise, the method simply returns. Since 1.5, if no event is passed and ``fallback`` is ``True`` (the default), if the server doesn't support plain password authentication but does support so-called "keyboard-interactive" mode, an attempt will be made to authenticate using this interactive mode. If it fails, the normal exception will be thrown as if the attempt had never been made. This is useful for some recent Gentoo and Debian distributions, which turn off plain password authentication in a misguided belief that interactive authentication is "more secure". (It's not.) If the server requires multi-step authentication (which is very rare), this method will return a list of auth types permissible for the next step. Otherwise, in the normal case, an empty list is returned. :param str username: the username to authenticate as :param basestring password: the password to authenticate with :param .threading.Event event: an event to trigger when the authentication attempt is complete (whether it was successful or not) :param bool fallback: ``True`` if an attempt at an automated "interactive" password auth should be made if the server doesn't support normal password auth :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if password authentication isn't allowed by the server for this user (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error rd��N�keyboard-interactivec����t�\|�dkr td��t�\|�dkrg�S��gS��Nr��zFallback authentication failed.r��r��r_��title�instructions�fields�r��rh��ri��r��Y�� z(Transport.auth_password.<locals>.handler)r��r��r_��r��r��r��r��r��r��rZ�� allowed_types�auth_interactive)r ��r��r��rM��fallbackr��r��r��rh��r��ri��r��s,��/ ��zTransport.auth_passwordc��C��s\��\|�j�r\|�js td��\|du�rt��}n\|}t\|��\|�_\|�j�\|\|\|��\|dur(g�S�\|�j�\|�S�)a�� Authenticate to the server using a private key. The key is used to sign data from the server, so it must include the private part. If an ``event`` is passed in, this method will return immediately, and the event will be triggered once authentication succeeds or fails. On success, `is_authenticated` will return ``True``. On failure, you may use `get_exception` to get more detailed error information. Since 1.1, if no event is passed, this method will block until the authentication succeeds or fails. On failure, an exception is raised. Otherwise, the method simply returns. If the server requires multi-step authentication (which is very rare), this method will return a list of auth types permissible for the next step. Otherwise, in the normal case, an empty list is returned. :param str username: the username to authenticate as :param .PKey key: the private key to authenticate with :param .threading.Event event: an event to trigger when the authentication attempt is complete (whether it was successful or not) :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if public-key authentication isn't allowed by the server for this user (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error rd��N) r��r��r_��r��r��r��r��r��r��)r ��r��rT��rM��r��rh��rh��ri��r��i��s��# zTransport.auth_publickeyc��C��sD��\|�j�r\|�js td��t��}t\|��\|�_\|�j�\|\|\|\|��\|�j�\|�S�)a�� Authenticate to the server interactively. A handler is used to answer arbitrary questions from the server. On many servers, this is just a dumb wrapper around PAM. This method will block until the authentication succeeds or fails, periodically calling the handler asynchronously to get answers to authentication questions. The handler may be called more than once if the server continues to ask questions. The handler is expected to be a callable that will handle calls of the form: ``handler(title, instructions, prompt_list)``. The ``title`` is meant to be a dialog-window title, and the ``instructions`` are user instructions (both are strings). ``prompt_list`` will be a list of prompts, each prompt being a tuple of ``(str, bool)``. The string is the prompt and the boolean indicates whether the user text should be echoed. A sample call would thus be: ``handler('title', 'instructions', [('Password:', False)])``. The handler should return a list or tuple of answers to the server's questions. If the server requires multi-step authentication (which is very rare), this method will return a list of auth types permissible for the next step. Otherwise, in the normal case, an empty list is returned. :param str username: the username to authenticate as :param callable handler: a handler for responding to server questions :param str submethods: a string list of desired submethods (optional) :return: list of auth types permissible for the next stage of authentication (normally empty). :raises: `.BadAuthenticationType` -- if public-key authentication isn't allowed by the server for this user :raises: `.AuthenticationException` -- if the authentication failed :raises: `.SSHException` -- if there was a network error .. versionadded:: 1.5 rd��) r��r��r_��r��r��r��r��r��r��)r ��r��r�� submethodsr��rh��rh��ri��r��s��+ �zTransport.auth_interactivec��C��s��\|sdd��}\|��\|\|\|�S�)a�� Authenticate to the server interactively but dumber. Just print the prompt and / or instructions to stdout and send back the response. This is good for situations where partial auth is achieved by key and then the user has to enter a 2fac token. c��S��R��g�}\|�r t�\|��\|rt�\|��\|D�]\}}t�\|��dd��\|�t��q\|S��N� )�end��print�strip�append�input�r��r��prompt_list�answers�prompt� show_inputrh��rh��ri��r��z0Transport.auth_interactive_dumb.<locals>.handler)r��r ��r��r��r��rh��rh��ri��auth_interactive_dumb��s��zTransport.auth_interactive_dumbc��C��sD��\|�j�r\|�js td��t��}t\|��\|�_\|�j�\|\|\|\|��\|�j�\|�S�)a�� Authenticate to the Server using GSS-API / SSPI. :param str username: The username to authenticate as :param str gss_host: The target host :param bool gss_deleg_creds: Delegate credentials or not :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if gssapi-with-mic isn't allowed by the server (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error rd��) r��r��r_��r��r��r��r��r��r��)r ��r��r��r��r��rh��rh��ri��r��s�� zTransport.auth_gssapi_with_micc��C��r��)aZ�� Authenticate to the server with GSS-API/SSPI if GSS-API kex is in use. :param str username: The username to authenticate as. :returns: a list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if GSS-API Key Exchange was not performed (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error rd��) r��r��r_��r��r��r��r��r��r��r��rh��rh��ri��r��s�� zTransport.auth_gssapi_keyexc��C��s$��\|\|�_�t�\|�\|�_\|�j�\|�j��dS�)ag�� Set the channel for this transport's logging. The default is ``"paramiko.transport"`` but it can be set to anything you want. (See the `.logging` module for more info.) SSH Channels will log to a sub-channel of the one specified. :param str name: new channel name for logging .. versionadded:: 1.1 N)r��r ��r��r��r��r��r ��r��rh��rh��ri��set_log_channel��s��zTransport.set_log_channelc��C��rf��)z� Return the channel name used for this transport's logging. :return: channel name as a `str` .. versionadded:: 1.2 )r��r'��rh��rh��ri��get_log_channel&��rh��zTransport.get_log_channelc��C��\|�j��\|��dS�)aa�� Turn on/off logging a hex dump of protocol traffic at DEBUG level in the logs. Normally you would want this off (which is the default), but if you are debugging something, it may be useful. :param bool hexdump: ``True`` to log protocol traffix (in hex) to the log; ``False`` otherwise. N)r��set_hexdump)r ��hexdumprh��rh��ri��r��0��s�� zTransport.set_hexdumpc��C��s ��\|�j��S�)z� Return ``True`` if the transport is currently logging hex dumps of protocol traffic. :return: ``True`` if hex dumps are being logged, else ``False``. .. versionadded:: 1.4 )r��get_hexdumpr'��rh��rh��ri��r��<��s�� zTransport.get_hexdumpc��C��s��\|rd\|�_�dS�d\|�_�dS�)a�� Turn on/off compression. This will only have an affect before starting the transport (ie before calling `connect`, etc). By default, compression is off since it negatively affects interactive sessions. :param bool compress: ``True`` to ask the remote client/server to compress traffic; ``False`` to refuse compression .. versionadded:: 1.5.2 r��r��N)�_preferred_compression)r ��compressrh��rh��ri��use_compressionG��s�� zTransport.use_compressionc��C��s ��t�\|�jdd�}\|du�r dS�\|��S�)a�� Return the address of the remote side of this Transport, if possible. This is effectively a wrapper around ``getpeername`` on the underlying socket. If the socket-like object has no ``getpeername`` method, then ``("unknown", 0)`` is returned. :return: the address of the remote host, if known, as a ``(str, int)`` tuple. �getpeernameN)�unknownr��)r!��r��)r ��gprh��rh��ri��r��X��s��zTransport.getpeernamec��C��s��d\|�_�\|�j��\|��r3\|�t��ur7\|�jjs9\|�jjs;\|�� d��\|��r5\|�t��ur=\|�jjs?\|�jjrd�S�d�S�d�S�d�S�d�S�d�S�d�S�d�S�)NFr��) r��r��r>��is_aliver��current_threadr��_closed�closed�joinr'��rh��rh��ri��rf��i��s&�� zTransport.stop_threadc��G��sD��t�t\|�t�r\|D�] }\|�j�\|\|��q d�S�\|�jj\|\|g\|�R��d�S�rd��)� issubclassr��r`��r��log)r ��level�msgr��r��rh��rh��ri��r��~��s ��zTransport._logc��C��rf��)z0used by KexGex to find primes for group exchange)rX��r'��rh��rh��ri��_get_modulus_pack��s��zTransport._get_modulus_packc��C��sP��\|�j�}\|�j�\|�dur\|�j�d�d@�\|�_�\|�j�}\|�j�\|�dus\|�j�d�d@�\|�_�\|S�)zyou are holding the lockNr��i��)r��r��r��r ��r��rh��rh��ri��r\|��s��zTransport._next_channelc��C��r��)z?used by a Channel to remove itself from the active channel listN)r��deleter��rh��rh��ri��_unlink_channel��s��zTransport._unlink_channelc��C��s��\|�j��\|��d�S�rd��)r��send_message)r ��r��rh��rh��ri�� _send_message��s��zTransport._send_messagec��C��s��t��} �\|�j�d��\|�js\|��td��dS�\|�j��\|�j��r!n\|�j� ��t��\|\|�j �kr3td��qz \|��\|��W�\|�j� ��dS�\|�j� ��w�)z{ send a message, but block if we're in key negotiation. this is used for user-initiated requests. Tr��z0Dropping user packet because connection is dead.Nz2Key-exchange timed out waiting for key negotiation) rI��r��rJ��r��r��r��r��ry��rL��r��r��r_��r��)r ��r��rH��rh��rh��ri��r��s(�� zTransport._send_user_messagec��C��s$��\|\|�_�\|\|�_\|�jdu�r\|\|�_dS�dS�)zR Used by a kex obj to set the K (root key) and H (exchange hash). N)r��r��r��)r ��k�hrh��rh��ri��_set_K_H��s �� zTransport._set_K_Hc��G��s��t�\|�\|�_dS�)zW Used by a kex obj to register the next packet type it expects to see. N)r��r��)r ��ptypesrh��rh��ri��_expect_packet��s��zTransport._expect_packetc��C��sP��\|�j�\|�j�t\|��}\|d�u�rtd��\|�\|�jt\|��s#td�\|�j��\|\|�_d�S�)NzUnknown host key typez#Signature verification ({}) failed.)� _key_infor��rR��r_��verify_ssh_sigr��r��r��)r ��r��sigrT��rh��rh��ri��_verify_key��s�� zTransport._verify_keyc�� C��s��t��}\|�\|�j��\|�\|�j��\|�t\|��\|�\|�j��t\|�j dd�}d� \|�j jj\|�}\|du�r6t }\|d7�}t\|�d�sG\|��t\|��t\|�dd��\|\|��}}t\|�\|k�r�t��}\|�\|�j��\|�\|�j��\|�\|��\|\|��}\|\|7�}\|\|7�}t\|�\|k�sW\|d\|��S�)z0id is 'A' - 'F' for the various keys used by ssh� hash_algoNz&kex engine {} specified hash_algo {!r}z, falling back to sha1�_logged_hash_selectionT)rR�� add_mpintr��r��r��r}��rb��r��r!��r��r�� __class__�__name__r��hasattrr��r��setattrr��digestr��) r ��r8��nbytesr��r��hash_select_msgr<��sofarr��rh��rh��ri��_compute_key��s4�� zTransport._compute_keyc��C��s\��\|\|�j�vrtd\|��t\|�j�\|�d�\|�\|�j�\|�d�\|�t��d�}\|\|�ju�r\|��S�\|��S�)NzUnknown client cipher r��r��)�backend)r9��r_��r��r��_ENCRYPT� encryptor� decryptor)r ��r��rT��iv� operation�cipherrh��rh��ri��_get_cipher��s�� zTransport._get_cipherc��(��\|d�u�r��fdd�}\|��_�d�S�\|��_�d�S�)Nc��r��rd��r��)r��r'��rh��ri��r��r��z=Transport._set_forward_agent_handler.<locals>.default_handler)r��r ��r��r��rh��r'��ri��_set_forward_agent_handler��s�� z$Transport._set_forward_agent_handlerc��r"��)Nc��r��rd��r��)r�� src_addr_portr'��rh��ri��r��r��z3Transport._set_x11_handler.<locals>.default_handler)r��r#��rh��r'��ri��_set_x11_handler��s�� zTransport._set_x11_handlerc��C��s>��\|�j��z\|�j�\|��\|�j��W�\|�j��d�S�\|�j��w�rd��)r��ry��r��r��r��notifyr��)r ��r��rh��rh��ri��r��s �� z!Transport._queue_incoming_channelc��C��\|d�u�r\|�j�}tt\|t�S�rd��)r��ra��r6��r8��)r ��rj��rh��rh��ri��rz��zTransport._sanitize_window_sizec��C��r(��rd��)r��ra��r7��r8��)r ��rk��rh��rh��ri��r{��r)��zTransport._sanitize_packet_sizec��C��s��\|�j�r\|tks\|��r dS�t��}\|tkr\|�t��\|S�\|tkr@\|��}\|� ��}\|�t ��\|�\|��\|�t��\|� d��\|� d��\|S�)ao�� Checks message type against current auth state. If server mode, and auth has not succeeded, and the message is of a post-auth type (channel open or global request) an appropriate error response Message is crafted and returned to caller for sending. Otherwise (client mode, authed, or pre-auth message) returns None. Nr��en)r��r;��r:��rR��r&��r}��r ��r-��get_textr��r$��r��r"��r~��)r ��ptype�message�replyr��r��rh��rh��ri��_ensure_authed!��s&�� zTransport._ensure_authedc��C��s6��\|�j�r\|�jst�\|d\|��}td\|�d��dS�dS�)a �� Conditionally raise `MessageOrderError` during strict initial kex. This method should only be called inside code that handles non-KEXINIT messages; it does not interrogate ``ptype`` besides using it to log more accurately. zmsg z!In strict-kex mode, but was sent �!N)r��r��r=��r��r]��)r ��r,��r��rh��rh��ri��_enforce_strict_kexG��s�� zTransport._enforce_strict_kexc�� C��s(��t�\|�_�t�\|��tt\|��t@��}\|�jr\|��td� \|��n \|��td� \|��z^�zE\|�j �t\|�j d��\|��td� \|�j ��\|��\|�j �\|�j��\|��\|��t��\|�j�rm\|�j ��rc\|�jsc\|��z \|�j ��\}}W�n �tyu��Y�qSw�\|tkr�\|��\|��qS\|tkr�\|��\|��n�\|tkr�\|��\|��\|��\|��qSt\|�j �dkr�\|\|�j vr�t!}\|�j"r�t#}\|d� \|�j \|��t$��\|�_ \|dkr�\|dkr�\|�j%�&\|\|��qS\|\|�j'v�r�\|��(\|\|�}\|r�\|��)\|��n�\|�j'\|�\|��n�\|\|�jv��r\|�+��}\|�j,�-\|�}\|d�u�r\|�j\|�\|\|��nc\|\|�j.v��r\|��td � \|��nS\|��t/d � \|��nQ\|�j0d�u�r=\|\|�j0j'v��r=\|�j0j'\|�}\|\|��t\|�j �dk�r<qSn(t1\|�} d� \|\| �} \|��t2\| ��\|t3k�ret4��}\|�5t6��\|�7\|j8��\|��)\|��\|�j �9��\|�jsWW�n��t!�y��}�z!\|��t/d� \|�j�r�d nd\|��\|��t/t:�;��\|\|�_<W�Y�d�}~n�d�}~w�t=�y��}�z\|��td��\|\|�_<W�Y�d�}~npd�}~w�t>j?�y��}�z7t@\|jA�t$u��r�\|jA�r�d� \|jAd�\|jAd��} n tB\|��p�tC\|�} n\|jA} \|��t/d\| ��\|\|�_<W�Y�d�}~n,d�}~w�tD�y"�}�z\|��t/dtB\|��\|��t/t:�;��\|\|�_<W�Y�d�}~nd�}~ww�t�E\|��tF\|�j,�G��D�]}\|�H��q/\|�j�r~d\|�_\|�j �I��\|�jJd�u�rN\|�jJ�K��\|�j0d�u�rY\|�j0�L��\|�jM�G��D�]}\|�K��q^z\|�jN�O��\|�jP�Q��W�\|�jN�R��n\|�jN�R��w�\|�jS�I��W�d�S��\|�j�jTd�u�r��Y�d�S�)Nz!starting thread (server mode): {}z!starting thread (client mode): {}z zLocal version/idstring: {}r��z$Expecting packet from {!r}, got {:d}r��)��z&Ignoring message for dead channel {:d}z(Channel request for unknown channel {:d}zOops, unhandled type {} ({!r})zException ({}): {}rQ��clientzEOF in transport threadz {} ({:d})r��zSocket exception: zUnknown exception: F)U�sysre��r��r7��r8��r��r��r��r��r��r�� write_allrb��r�� _check_banner�start_handshaker��r��r ��r��r�� need_rekeyr��read_messagerT��r��r1��r��_parse_disconnectr��_parse_debugr��r��r_��r��r]��r��r�� parse_nextr ��r/��r��_channel_handler_tabler��r��r��r��r��r��r=��r��r<��rR��r}��r��r��seqno�complete_handshaker �� tb_stringsr��EOFErrorr��r��r��r��r��r�� Exception�remover`��ra��rb��r>��r��set�abortr��r��ry��r��r'��r��r��modules)r ��tidr,��r�� exc_class� error_msgr��rc��r��r��warningr��r��emsgrM��rh��rh��ri��runU��s�� T�� z Transport.runc��C��s<��d��\|�}\|\|kr\|\|7�}n\|d��\|\|�7�}\|��t\|��d�S�)Nz{}: zlocal={}, remote={})r��r��r��)r ��which�local�remoter��rh��rh��ri��_log_agreement ��s �� zTransport._log_agreementc��C��sZ��\|�j��z\|�j��W�\|�j��n\|�j��w�\|�jd�u�r!\|��\|��\|��\|�j� ��d�S�rd��) r��ry��r��clearr��r��r��_parse_kex_initr�� start_kex�r ��r��rh��rh��ri��r�� s�� zTransport._negotiate_keysc�� C��sR��t�d�D�]B}\|dkr\|�j}nd}z\|�j�\|�}W�n�ty ��ty3�}�ztdt\|��d�}~ww�\|d�d��dkr>�n \|��t d\|��q\|d�d��dkrWtd\|�d ��\|\|�_ \|��t d �\|��\|�d�}\|dkrr\|d�\|��}\|� dd�}t\|�d k�r�td��\|d�}\|d�}\|dkr�\|dkr�d}t\|�\|��d�\|\|�}\|��t\|��d�S�)N�d��r��z!Error reading SSH protocol banner��r��zBanner: z!Indecipherable protocol version "�"zRemote version/idstring: {}r��r��zInvalid SSH bannerr��z1.99rl��z(Incompatible version ({} instead of 2.0)z!Connected (version {}, client {}))�ranger��r��readliner^��rB��r_��r��r��r��r��r��findr��r��r\��r��) r ��irN��bufr��segs�versionr3��r��rh��rh��ri��r6�� sD�� zTransport._check_bannerc��s��\|�j��z\|�j��W�\|�j��n\|�j��w�d\|�_d\|�_t\|�j�}\|�j r\d��fdd�\|D��}\|�j du�rMt\|�dkrM��fdd�\|��j D��}\|\|��_ ttt\|�j��j\|�j��}n\|�j}\|�d ��\|�jrw\|�j rld nd}\|�d\|��d ��t��}\|�t��\|�t�d��\|�\|��\|�\|��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�t ��\|�t ��\|�!d��\|�"d��\|�#��\|�_$\|�_%\|��&\|��dS�)z� announce to the other side that we'd like to negotiate keys, and what kind of key negotiation we support. FTz!diffie-hellman-group-exchange-shac��s��g�\|�] }\|��r\|�qS�rh�� startswith�r��r��mp_required_prefixrh��ri�� <listcomp>U ��s��z,Transport._send_kex_init.<locals>.<listcomp>Nr��c��s��g�\|�] }\|��s\|�qS�rh��ra��rc��rd��rh��ri��rf��Y ��s�� ext-info-c�s�c�kex-strict-�-v00@openssh.comr��)'r��ry��r��rQ��r��r��r��r`��r2��r��rX��r��rB��r1��filterr��r,��__contains__r.��r��r��rR��r}��r��r��r��r��add_listr(��r+��r4��r~��bytesr��r��r��r��_latest_kex_initr��)r �� kex_algos�kex_mp�pkex�available_server_keysrM��r��rh��rd��ri��r��F ��sV�� zTransport._send_kex_initc��C��s��i�}\|r\|��\|�d��\|��\|d<�\|��\|d<�\|��\|d<�\|��\|d<�\|��\|d<�\|��\|d<�\|��\|d<�\|��\|d <�\|��\|d <�\|��\|d<�\|��\|d<�\|��\|S�) Nr�� kex_algo_list�server_key_algo_list�client_encrypt_algo_list�server_encrypt_algo_list�client_mac_algo_list�server_mac_algo_list�client_compress_algo_list�server_compress_algo_list�client_lang_list�server_lang_list�kex_follows)�get_byte� get_bytes�get_list�get_booleanr��)r ��r��ignore_first_byte�parsedrh��rh��ri��_really_parse_kex_init� ��s"�� z Transport._really_parse_kex_initc��C��s��\|�j�t\|�j�dd�S�)NT)r��)r��rR��rp��r'��rh��rh��ri��_get_latest_kex_init� ��s��zTransport._get_latest_kex_initc��C��s��\|��\|�}\|d�}\|d�}\|d�}\|d�}\|d�}\|d�}\|d�} \|d�} \|d �}\|d �}\|d�} \|��td��d \|fd\|fd\|fd\|fd\|fd\|fd\| fd\| fd\|fd\|ff D�]\}}\|dgkrcdg}d�\|�}\|��td�\|\|��qW\|��td�\| ��\|��td��d�\|�_d�\|�_g�}t\|�D�]=\}}\|�d�r�\|\|�_\|� d\|��q�\|�d�r�\|�j r�d nd!}d\|��d"�}\|\|ko�\|�j\|�_\|��td#\|�j��\|� d\|��q�\|D�]}\|� \|��q�\|�jr�\|�js�\|jdkr�td$��\|�j r�tt\|�jj\|��}n tt\|j\|�j��}t\|�dk�rtd%��\|�j\|d��\|��\|�_\|��td&�\|d��\|�j �r6ttt\|�j��j\|�j��}tt\|j\|��}n tt\|j\|�j��}t\|�dk�rJtd'��\|d�\|�_\|�j �r^\|��d�u��r^td(��\|��d)\|d�\|d��\|�j �r�tt\|�jj\|��}tt\|�jj\|��}ntt\|j\|�j��}tt\|j\|�j��}t\|�dk�s�t\|�dk�r�td��\|d�\|�_ \|d�\|�_!\|�jd+\|�j \|�j!d,��\|�j �r�tt\|�j"j\|��}tt\|�j"j\|��}ntt\|j\|�j"��}tt\|j\|�j"��}t\|�dk�s�t\|�dk�r�td-��\|d�\|�_#\|d�\|�_$\|�jd.\|�j#\|�j$d,��\|�j �rtt\|�j%j\| ��}tt\|�j%j\| ��}ntt\| j\|�j%��}tt\| j\|�j%��}t\|�dk�s>t\|�dk�rNd/}\|d07�}t\|�\|\|\|�j%��\|d�\|�_&\|d�\|�_'\|�jd1\|�j&\|�j'd,��\|��td2��t(\|�)��\|�_d�S�)3Nru��rv��rw��rx��ry��rz��r{��r\|��r}��r~��r��z"=== Key exchange possibilities ===z kex algosz server keyzclient encryptzserver encryptz client macz server maczclient compresszserver compresszclient langzserver langr��z<none>z, z{}: {}zkex follows: {}z=== Key exchange agreements ===z ext-info-r��rj��ri��rh��rk��zStrict kex mode: z9In strict-kex mode, but KEXINIT was not the first packet!z3Incompatible ssh peer (no acceptable kex algorithm)zKex: {}z.Incompatible ssh peer (no acceptable host key)z;Incompatible ssh peer (can't match requested host key type)�HostKeyz/Incompatible ssh server (no acceptable ciphers)r��)rN��rO��z,Incompatible ssh server (no acceptable macs)�MACz3Incompatible ssh server (no acceptable compression)z {!r} {!r} {!r}�Compressionz=== End of kex handshake ===)+r��r��r��r��r��_remote_ext_info�_remote_strict_kex� enumeraterb��rY��r��r��r��r��r��r>��r]��r`��rl��r2��rm��r��r\�� _kex_infor��r��r,��r.��r��rW��rP��r(��r��r��r+��r��r��r4��r��r��r�� get_so_farr��)r ��r��r��ru��rv��rw��rx��ry��rz��r{��r\|��r}��r~��r��prefix�value�to_popr]��algorM��expected� agreed_kexrt��agreed_keys�agreed_local_ciphers�agreed_remote_ciphers�agreed_remote_macs�agreed_local_macs�agreed_remote_compression�agreed_local_compressionr��rh��rh��ri��rR�� s�� zTransport._parse_kex_initc�� C��sD��\|�j�\|�j�d�}\|�jr\|��d\|�}\|��d\|�j�\|�j�d��}n\|��d\|�}\|��d\|�j�\|�j�d��}\|��\|�j\|\|\|�j�}d\|�jv�}\|�j\|�j�d�}\|�j\|�j�d �}\|�jr[\|��d \|��j�}n\|��d\|��j�}\|�j j \|\|\|\|\|\|d��\|�j\|�j�d �} \| dur�\|�jdks�\|�j r�\|��td��\|�j �\| ��\|�jr�\|��td��\|�j ��dS�dS�)zLswitch on newly negotiated encryption parameters for inbound trafficr��A�Cr��B�D�etm@openssh.comr��r��E�F��etmr��Nr��$Switching on inbound compression ...z8Resetting inbound seqno after NEWKEYS due to strict mode)r9��r��r��r��r!��_DECRYPTr�� _mac_info�digest_sizer��set_inbound_cipher�_compression_infor��r��r��r��set_inbound_compressorr��reset_seqno_in) r �� block_size�IV_in�key_in�enginer��mac_size� mac_engine�mac_key�compress_inrh��rh��ri��_activate_inbound� ��sD�� zTransport._activate_inboundc�� C��s��t��}\|�t��\|��\|��\|�jr\|��td��\|�j��\|�j \|�j �d�}\|�jr9\|��d\|�}\|��d\|�j \|�j �d��}n\|��d\|�}\|��d\|�j \|�j �d��}\|�� \|�j \|\|\|�j�}d\|�jv�}\|�j\|�j�d �}\|�j\|�j�d �}\|�jrv\|��d\|��j�} n\|��d\|��j�} \|�j �d �} \|�jj\|\|\|\|\| \| \|d��\|�j\|�j�d�}\|dur�\|�jdks�\|�jr�\|��td��\|�j�\|��\|�j��s�d\|�_\|�jr�\|�jr�\|�jdkr�dd�\|�j�i}t��}\|�t��\|�t \|��t!\|�"��D�]\} }\|�#\| ��\|�#\|��q�\|��\|��\|��$t%��dS�)zMswitch on newly negotiated encryption parameters for outbound trafficz9Resetting outbound seqno after NEWKEYS due to strict moder��r��r��r��r��r��r��r��r��r��r��z-ctrr��r��Nr��%Switching on outbound compression ...Frg��zserver-sig-algs�,)&rR��r}��r��r��r��r��r��r��reset_seqno_outr9��r��r��r��r!��r��r��r��r��endswith�set_outbound_cipherr��r��r��set_outbound_compressorr8��r��r��r��r��r0��r?��r��r��sorted�itemsr~��r ��r��)r ��r��r��IV_out�key_outr��r��r��r��r��sdctr�compress_out� extensionsr��r��rh��rh��ri��_activate_outbound� ��sj�� zTransport._activate_outboundc��C��sv��d\|�_�\|�jdkr\|�j\|�j�d�}\|��td��\|�j�\|��\|�jdkr9\|�j\|�j�d�}\|��td��\|�j�\|��d�S�d�S�)NTr��r��r��r��r��) r��r��r��r��r��r��r��r��r��)r ��r��r��rh��rh��ri�� _auth_trigger� ��s�� zTransport._auth_triggerc��C��sJ��i�}t�\|��D�]}\|��}\|��}\|\|\|<�q\|��td�\|��\|\|�_d�S�)NzGot EXT_INFO: {})rZ��r��r+�� get_stringr��r��r��r��)r ��r��r��_r��r��rh��rh��ri��r�� s�� zTransport._parse_ext_infoc��C��s��\|��td��\|��d��\|�_\|�_d�\|�_d�\|�_\|�jr#\|�jd�u�r#t \|��\|�_\|�j s-d�\|�_ \|�j_\|�j d�ur7\|�j ��\|�j��s?d\|�_\|�j��z \|�j��W�\|�j��d�S�\|�j��w�)NzSwitch to new keys ...TF)r��r��r��r��r��r��r��r��r��r��r��r��_initial_kex_doner��rD��r8��r��r��ry��r��r��rT��rh��rh��ri��r��s&�� zTransport._parse_newkeysc��C��s(��\|��}\|��}\|��td�\|\|��d�S�)NzDisconnect (code {:d}): {})r��r+��r��r��r��)r ��r��code�descrh��rh��ri��r:��3��s��zTransport._parse_disconnectc�� C��s��\|��}\|��td�\|��\|��}\|�js \|��td�\|��d}n6\|dkr9\|��}\|��}\|�j�\|\|�}\|r8\|f}n\|dkrO\|��}\|��}\|�j� \|\|��d}n\|�j� \|\|�}d}t\|�tu�rb\|}d}\|r�t ��}\|rt\|�t��\|j\|��n\|�t��\|��\|��d�S�d�S�)NzReceived global request "{}"zRejecting "{}" global request from server.Fr��r��Trh��)r+��r��r��r��r��r��r��r��check_port_forward_request�cancel_port_forward_request�check_global_requestr��r��rR��r}��r��r��r ��r��) r ��r��r�� want_reply�okr��r��extrar��rh��rh��ri��r��8��sD�� zTransport._parse_global_requestc��C��s.��\|��td��\|\|�_\|�jd�ur\|�j��d�S�d�S�)NzGlobal request successful.�r��r��r��r��rD��rT��rh��rh��ri��r��\�� z Transport._parse_request_successc��C��s.��\|��td��d�\|�_\|�jd�ur\|�j��d�S�d�S�)NzGlobal request denied.r��rT��rh��rh��ri��r��b��r��z Transport._parse_request_failurec��C��s��\|��}\|��}\|��}\|��}\|�j�\|�}\|d�u�r"\|��td��d�S�\|�j��z0\|�\|\|\|��\|��td� \|��\|\|�j v�rP\|�j \|��\|�j \|=�W�\|�j��d�S�W�\|�j��d�S�\|�j��w�)Nz%Success for unrequested channel! [??]zSecsh channel {:d} opened.) r��r��r��r��r��r��ry��_set_remote_channelr��r��r��rD��r��)r ��r��r�� server_chanid�server_window_size�server_max_packet_sizerc��rh��rh��ri��r��h��s.�� z%Transport._parse_channel_open_successc��C��s��\|��}\|��}\|��}\|��t�\|d�}\|��td�\|\|\|��\|�j��z9t \|\|�\|�_ \|\|�jv�rP\|�j� \|��\|\|�jv�rX\|�j\|��\|�j\|=�W�\|�j��d�S�W�\|�j��d�S�W�\|�j��d�S�\|�j��w�)Nz(unknown code)z&Secsh channel {:d} open FAILED: {}: {})r��r+��r!��r��r��r��r��r��ry��r[��r��r��r��r��rD��r��)r ��r��r��r�� reason_str�reason_textrh��rh��ri��r��~��s8�� z%Transport._parse_channel_open_failurec��C��s��\|��}\|��}\|��}\|��}d}\|dkr8\|�jd�ur8\|��td��\|�j��z\|��}W�\|�j��n�\|�j��w�\|dkrj\|�j d�urj\|��}\|��} \|��td� \|\| ��\|�j��z\|��}W�\|�j��n�\|�j��w�\|dkr�\|�jd�ur�\|��} \|��}\|��}\|��} \|��td� \|\| ��\|�j��z\|��}W�\|�j��nf\|�j��w�\|�js�\|��td� \|��d }t }nO\|�j��z\|��}W�\|�j��n\|�j��w�\|d kr�\|��} \|��}\|��}\|��} \|�j�\|\|\| f\| \|f�}n\|�j�\|\|�}\|tk�r\|��td� \|��d }\|�rt��}\|�t��\|�\|��\|�\|��\|�d��\|�d ��\|��\|��d�S�t\|�}\|�j��z'\|�j�\|\|��d \|�j\|<�\|�\|��\|�\|�j\|�j��\|� \|\|\|��W�\|�j��n\|�j��w�t��}\|�t!��\|�\|��\|�\|��\|�\|�j��\|�\|�j��\|��\|��\|��td� \|\|��\|dk�r�\|��\|��d�S�\|dk�r�\|�� \|\|\| f��d�S�\|dk�r�\|\| f\|_"\|��\|\|\| f\| \|f��d�S�\|��#\|��d�S�)NFrr��z!Incoming forward agent connectionro��z$Incoming x11 connection from {}:{:d}rt��z.Incoming tcp forwarded connection from {}:{:d}z+Rejecting "{}" channel request from server.Trx��z+Rejecting "{}" channel request from client.r��r��zSecsh channel {:d} ({}) opened.)$r+��r��r��r��r��r��ry��r\|��r��r��r��r��r��r"��r��"check_channel_direct_tcpip_request�check_channel_requestr#��rR��r}��r$��r��r~��r��r��r��r��r��r��r��r��r��r��r%��origin_addrr��)r ��r��r��r��initial_window_sizerk��reject� my_chanidr��origin_port�server_addr�server_portr��ru�� dest_portr��rc��rh��rh��ri��r��s�� zTransport._parse_channel_openc��C��s4��\|��\|��}\|��\|��td�t�\|��d�S�)Nz Debug msg: {})r��r��r��r��r��r ��safe_string)r ��r��r��rh��rh��ri��r;��s��zTransport._parse_debugc��C��sN��z \|�j��\|\|�jvrd�g�i�fW�\|�j��S�\|�j\|�W�\|�j��S�\|�j��w�rd��r��r��rh��rh��ri��_get_subsystem_handler��s�� z Transport._get_subsystem_handler)TTrd��)NNN)NNNNN)NT) Nr��NNNFFTT�r��Nr��T)F)�r�� __module__�__qualname__�__doc__�objectr��r��r��r��paramiko�__version__r��_preferred_ciphers�_preferred_macsr��_preferred_pubkeysr��rE��is_availabler��r��r��AESr ��CTR�CBCrc��r9��r��r��r��r��r��rV��rC��rW��rD��r ��rH��rI��rF��rG��rJ��rK��rP��rQ��rO��rL��rM��rN��r��rA��rB��r��rX��r��r9��r:��r��r#��propertyr(��r+��r.��r0��r2��r4��r=��r?��rB��rF��rP��rR��rU��rW��staticmethodr_��r>��re��rg��rn��rq��rs��rv��rm��r��r��r��r��r��r��r��r��r��rK��r��r:��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��rf��r��r��r\|��r��r��r��r��r ��r ��r��r!��r$��r&��r��rz��r{��r/��r1��rL��rP��r��r6��r��r��r��rR��r��r��r��r��r��r:��r��r��r��r��r��r��r;��r��r.��r��_request_successr/��_request_failedr0��_feedr1��_feed_extendedr2��_window_adjustr3��_handle_requestr4��_handle_eofr5�� _handle_closer=��rh��rh��rh��ri��rk��s�� .�� n " :B( � # � _6 % �� U 1 5 &�- + H�k+A$~ �rk��c��@��s��e�Zd�ZdZdZdd��Zdd��Zdd��Zed d ��Z e j dd ��Z edd ��Zej dd ��Zedd��Zej dd��Zedd��Z e j dd��Z edd��Zej dd��ZdS�)rA��a:�� Simple object containing the security preferences of an ssh transport. These are tuples of acceptable ciphers, digests, key types, and key exchange algorithms, listed in order of preference. Changing the contents and/or order of these fields affects the underlying `.Transport` (but only if you change them before starting the session). If you try to add an algorithm that paramiko doesn't recognize, ``ValueError`` will be raised. If you try to assign something besides a tuple to one of the fields, ``TypeError`` will be raised. � _transportc��C��s ��\|\|�_�d�S�rd��)r��)r �� transportrh��rh��ri��r��A��s�� zSecurityOptions.__init__c��C��s��d��\|�j�S�)r5��z#<paramiko.SecurityOptions for {!r}>)r��r��r'��rh��rh��ri��r=��D��s��zSecurityOptions.__repr__c��st��t�\|�tu�r t\|�}t�\|�turtd��tt\|�j\|��fdd�\|D��}t\|�dkr1td��t \|�j\|\|��d�S�)Nzexpected tuple or listc��s��g�\|�]}\|��vr\|�qS�rh��rh��)r��n��possiblerh��ri��rf��P��s��z(SecurityOptions._set.<locals>.<listcomp>r��zunknown cipher) r��r`��r�� TypeErrorr!��r��r,��r�� ValueErrorr��)r ��r��origr�� forbiddenrh��r��ri��_setJ��s��zSecurityOptions._setc��C��\|�j�jS�)zSymmetric encryption ciphers)r��r��r'��rh��rh��ri��r%��U��zSecurityOptions.ciphersc��C��\|��dd\|��d�S�)Nr��r9��r��r ��r��rh��rh��ri��r%��Z��c��C��r ��)z Digest (one-way hash) algorithms)r��r��r'��rh��rh��ri��digests^��r ��zSecurityOptions.digestsc��C��r��)Nr��r��r��r ��rh��rh��ri��r��c��r��c��C��r ��)zPublic-key algorithms)r��r��r'��rh��rh��ri�� key_typesg��r ��zSecurityOptions.key_typesc��C��r��)Nr��r ��r��r ��rh��rh��ri��r��l��r��c��C��r ��)zKey exchange algorithms)r��r��r'��rh��rh��ri��r1��p��r ��zSecurityOptions.kexc��C��r��)Nr��r��r��r ��rh��rh��ri��r1��u��r��c��C��r ��)zCompression algorithms)r��r��r'��rh��rh��ri��r3��y��r ��zSecurityOptions.compressionc��C��r��)Nr��r��r��r ��rh��rh��ri��r3��~��r��N)r��r��r��r�� __slots__r��r=��r��r��r%��setterr��r��r1��r3��rh��rh��rh��ri��rA��2��s4�� rA��c��@��s<��e�Zd�Zdd��Zdd��Zdd��Zdd��Zd d ��Zdd��Zd S�)r��c��C��s��t��\|�_t��\|�_d�S�rd��)r��WeakValueDictionary�_mapr��r��_lockr'��rh��rh��ri��r��s�� zChannelMap.__init__c��C��s2��\|�j��z \|\|�j\|<�W�\|�j��d�S�\|�j��w�rd��)r��ry��r��r��)r ��r��rc��rh��rh��ri��r��s�� zChannelMap.putc��C��s2��\|�j��z \|�j�\|d��W�\|�j��S�\|�j��w�rd��)r��ry��r��r��r��r��rh��rh��ri��r�� zChannelMap.getc��C��sX��\|�j��z z\|�j\|=�W�n �ty��Y�n w�W�\|�j��d�S�W�\|�j��d�S�\|�j��w�rd��)r��ry��r��rV��r��r��rh��rh��ri��r��s�� zChannelMap.deletec��C��s2��\|�j��z t\|�j��W�\|�j��S�\|�j��w�rd��)r��ry��r`��r��ra��r��r'��rh��rh��ri��ra��r��zChannelMap.valuesc��C��s.��\|�j��zt\|�j�W�\|�j��S�\|�j��w�rd��)r��ry��r��r��r��r'��rh��rh��ri��__len__��s�� zChannelMap.__len__N) r��r��r��r��r��r��r��ra��r��rh��rh��rh��ri��r��s�� r��c��sv��e�Zd�ZdZ��fdd�Zdd��Zdd��Zdd ��Zd d��Zdd d�Z dd��Z ddd�Zddd�Zdd��Z dd��Z��ZS�)�ServiceRequestingTransportzd Transport, but also handling service requests, like it oughtta! .. versionadded:: 3.2 c��s(��t��j\|i�\|��d\|�_\|�j\|�jt<�d�S�)NF)�superr��_service_userauth_accepted�_parse_service_acceptr ��r��)r ��r��r��r��rh��ri��r��s��z#ServiceRequestingTransport.__init__c��C��s<��\|��}\|dkr\|��td�\|��d�S�d\|�_\|��td��d�S�)N�ssh-userauthz!Service request "{}" accepted (?)Tz+MSG_SERVICE_ACCEPT received; auth may begin)r+��r��r��r��r��)r ��r��servicerh��rh��ri��r��s�� z0ServiceRequestingTransport._parse_service_acceptc��C��sr��\|�j�r\|�js td��\|�jrd�S�t��}\|�t��\|�d��\|��t d��\|�� \|��\|�js2t�d��\|�jr\|�� \|�_d�S�)Nrd��r��z)Sending MSG_SERVICE_REQUEST: ssh-userauthr��)r��r��r_��r��rR��r}��r)��r~��r��r��r��rI��sleep�get_auth_handlerr��rT��rh��rh��ri��ensure_session��s�� z)ServiceRequestingTransport.ensure_sessionc��C��r@��rd��)r��r'��rh��rh��ri��r ��s��z+ServiceRequestingTransport.get_auth_handlerc��C��s��\|��\|�j�\|�S�rd��)r!��r��r��r ��r��rh��rh��ri��r��s��z$ServiceRequestingTransport.auth_noneTc��s\|��\|��z\|�j�\|��W�S��ty=�}�z%\|rd\|jvr��z��fdd�}\|��\|\|�W�W��Y�d�}~S��ty8��\|�w�d�}~ww�)Nr��c��r��r��r��r��r��rh��ri��r�� r��z9ServiceRequestingTransport.auth_password.<locals>.handler)r!��r��r��rZ��r��r��r_��)r ��r��r��r��r��r��rh��r��ri��r�� s��z(ServiceRequestingTransport.auth_passwordc��C��s��\|��\|�j�\|\|�S�rd��)r!��r��r��)r ��r��rT��rh��rh��ri��r�� s��z)ServiceRequestingTransport.auth_publickeyr��c��C��s��\|��\|�j�\|\|\|�S�rd��)r!��r��r��r��rh��rh��ri��r��# ��s��z+ServiceRequestingTransport.auth_interactiveNc��C��s"��\|��\|s dd��}\|��\|\|\|�S�)Nc��S��r��r��r��r��rh��rh��ri��r��2 ��r��zAServiceRequestingTransport.auth_interactive_dumb.<locals>.handler)r!��r��r��rh��rh��ri��r�� ��s��z0ServiceRequestingTransport.auth_interactive_dumbc��C��s"��\|��\|��\|�_\|�j�\|\|\|�S�rd��)r!��r ��r��r��)r ��r��r��r��rh��rh��ri��r��? ��s �� z/ServiceRequestingTransport.auth_gssapi_with_micc��C��s��\|��\|��\|�_\|�j�\|�S�rd��)r!��r ��r��r��r"��rh��rh��ri��r��G ��s�� z,ServiceRequestingTransport.auth_gssapi_keyexr��r��r��)r��r��r��r��r��r��r!��r ��r��r��r��r��r��r��r�� __classcell__rh��rh��r��ri��r��s�� $ r��)�r��r��r��r4��r��rI��r��hashlibr��r��r��r��cryptography.hazmat.backendsr��&cryptography.hazmat.primitives.ciphersr��r��r ��r��r ��paramiko.auth_handlerr��r��paramiko.ssh_gssr ��paramiko.channelr��paramiko.commonr��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r ��r!��r"��r#��r$��r%��r&��r'��r(��r)��r��r+��r,��r-��r.��r/��r0��r1��r2��r3��r4��r5��r6��r7��r8��r9��r:��r;��r<��r=��r>��r?��r@��paramiko.compressrA��rB��paramiko.dsskeyrC��paramiko.ed25519keyrD��paramiko.kex_curve25519rE��paramiko.kex_gexrF��rG��paramiko.kex_group1rH��paramiko.kex_group14rI��rJ��paramiko.kex_group16rK��paramiko.kex_ecdh_nistrL��rM��rN��paramiko.kex_gssrO��rP��rQ��paramiko.messagerR��paramiko.packetrS��rT��paramiko.primesrU��paramiko.rsakeyrV��paramiko.ecdsakeyrW��paramiko.serverrX��paramiko.sftp_clientrY��paramiko.ssh_exceptionrZ��r[��r\��r]��r^��r_�� paramiko.utilr`��ra��rb��/cryptography.hazmat.decrepit.ciphers.algorithmsrc��ImportError�1cryptography.hazmat.primitives.ciphers.algorithmsre��rj��atexit�registerr��rk��rA��r��r��rh��rh��rh��ri��<module>��s��4 � ��1Q-��__pycache__/win_openssh.cpython-310.pyc��0000644��00000003023�15030210772�0014004 0��ustar�00��o ��h~��@��s.��d�dl�Zd�dlZdZdd��ZG�dd��d�ZdS�)��Nz\\.\pipe\openssh-ssh-agentc��s4��t�j�t�\}��t��fdd�t��\|��D��S�)Nc��3��s��\|�] }��\|��kV��qd�S��N)�lower)�.0�n��name��G/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/win_openssh.py� <genexpr> ��s��z$can_talk_to_agent.<locals>.<genexpr>)�os�path�split� PIPE_NAMEr��any�listdir)�dir_r��r��r ��can_talk_to_agent��s��r��c��@��s,��e�Zd�Zdd��Zdd��Zdd��Zdd��Zd S�) �OpenSSHAgentConnectionc�� C��s\�� zt��tt�jt�jB��\|�_W�d�S��ty'�}�z\|jdkr��W�Y�d�}~nd�}~ww�t� d��q)NT��g��?) r��openr��O_RDWR�O_BINARY�_pipe�OSError�errno�time�sleep)�self�er��r��r ��__init__$��s�� zOpenSSHAgentConnection.__init__c��C��t��\|�j\|�S�r��)r��writer��)r��datar��r��r ��send1��zOpenSSHAgentConnection.sendc��C��r ��r��)r��readr��)r��r��r��r��r ��recv4��r$��zOpenSSHAgentConnection.recvc��C��s��t��\|�j�S�r��)r��closer��)r��r��r��r ��r'��7��s��zOpenSSHAgentConnection.closeN)�__name__� __module__�__qualname__r��r#��r&��r'��r��r��r��r ��r��#��s �� r��)�os.pathr��r��r��r��r��r��r��r��r ��<module>��s �� __pycache__/kex_group14.cpython-310.pyc��0000644��00000002204�15030210772�0013620 0��ustar�00��o ��h)��@��sD��d�Z�ddlmZ�ddlmZmZ�G�dd��de�ZG�dd��de�ZdS�) z� Standard SSH key exchange ("kex" if you wanna sound cool). Diffie-Hellman of 2048 bit key halves, using a known "p" prime and "g" generator. ��)� KexGroup1)�sha1�sha256c��@��s��e�Zd�ZdZdZdZeZdS�)� KexGroup14l��&�U�G9 tcb0]Q\-�:�$�90.`U�_�b;YS7x]Ek�`:xds�!,w<G�8�qbdR_��h��d�d��Y6K�pRT{�U�j�K�#�Gt\|�L��4�S�8� �FYpw,(.>��=�H�G2C�d�c_�.K?&j�_�c�}�z[\V�_1M.D�^�/1v5I �j�V&\|� �/�mV�lR�<6#�{n4�(EY91�T�:�g8 H �Ap�cb4B�B�j~H��zdiffie-hellman-group14-sha1N)�__name__� __module__�__qualname__�P�G�namer�� hash_algo��r��r��G/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/kex_group14.pyr��s ��r��c��@��s��e�Zd�ZdZeZdS�)�KexGroup14SHA256zdiffie-hellman-group14-sha256N)r��r��r ��r��r��r ��r��r��r��r��r��&��s��r��N)�__doc__�paramiko.kex_group1r��hashlibr��r��r��r��r��r��r��r��<module>��s �� __pycache__/primes.cpython-310.pyc��0000644��00000005254�15030210772�0012757 0��ustar�00��o ��h��@��sJ��d�Z�ddlZddlmZ�ddlmZ�ddlmZ�dd��ZG�dd ��d �Z dS�) z, Utility functions for dealing with primes. ��N)�util)� byte_mask)�SSHExceptionc��C��sv��t��\|�d��}\|d�d�}td\|d��d�} �t�\|�}\|dkr-t\|d�\|�\|dd��}t��\|d�}\|\|�k�r: �\|S�q)z returns a random # from 0 to N-1��Tr��N)r�� bit_length�pow�os�urandomr��inflate_long)�n�bits� byte_count� hbyte_mask�x�num��r��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/primes.py�_roll_random��s�� r��c��@��s0��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd S�)�ModulusPackzx convenience object for holding the contents of the /etc/ssh/moduli file, on systems that have such a file. c��C��s��i�\|�_�g�\|�_d�S�)N)�pack� discarded)�selfr��r��r��__init__:��s�� zModulusPack.__init__c�� C��s��\|��\}}}}}}}t\|�}t\|�}t\|�}t\|�}t\|�}t\|d�}\|dk�s8\|dk�s8\|d@�rB\|dk�rB\|dk�rB\|�j�\|df��d�S�\|dkrHd}t�\|�} \| \|krd\| \|d�krd\|�j�\|d �\|�f��d�S�\| \|�jvrng�\|�j\| <�\|�j\| ��\|\|f��d�S�) N��r��r��d��z does not meet basic requirementsr��r��z"incorrectly reported bit length {})�split�intr��appendr��r ��formatr��) r��line� timestamp�mod_type�tests�tries�size� generator�modulus�blr��r��r��_parse_modulus?��sF�� zModulusPack._parse_modulusc��C��sz��i�\|�_�t\|d��+}\|D�]}\|��}t\|�dks\|d�dkrqz\|��\|��W�q��Y�qW�d��dS�1�s6w��Y��dS�)zM :raises IOError: passed from any file operations that fail. �rr��#N)r��open�strip�lenr,��)r��filename�fr#��r��r��r�� read_filem��s��"�zModulusPack.read_filec��C��s��t�\|�j��}t\|�dkrtd��d}\|D�]}\|\|kr)\|\|kr)\|\|k�s'\|dkr)\|}q\|dkrA\|D�]}\|\|kr@\|\|kr@\|\|kr@\|}q0\|dkrQ\|d�}\|\|krQ\|d�}tt\|�j\|��}\|�j\|�\|�S�)Nr��zno moduli available��)�sortedr��keysr1��r��r��)r��min�prefer�max�bitsizes�good�br��r��r��r��get_modulus\|��s&�� zModulusPack.get_modulusN)�__name__� __module__�__qualname__�__doc__r��r,��r4��r>��r��r��r��r��r��4��s��.r��) rB��r��paramikor��paramiko.commonr��paramiko.ssh_exceptionr��r��r��r��r��r��r��<module>��s��__pycache__/_winapi.cpython-310.pyc��0000644��00000022602�15030210772�0013102 0��ustar�00��o ��h�+��@��s��d�Z�ddlZddlZddlmZ�dd��ZG�dd��dej�Zdd ��Zd Z ej jjZej jejfe_ej je_ej jjZej jfe_ej je_ej jjZej jfe_ej je_ej jjZej jfe_eje_ej jjZej jejej jej jej jej jge_ej je_ej jjZej je_ej jjZej jfe_ej jj Z ejejejfe _ej j!fej jj"_G�dd��d�Z#d Z$dZ%e$Z&e$Z'e$Z(dZ)dZd Z+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3dZ4dZ5dZ6e%eB�e+B�e,B�e-B�e.B�e/B�e0B�e1B�e2B�e3B�e4B�e5B�Z7e&e+B�e,B�Z8e'e-B�e.B�e/B�e0B�e1B�e2B�e3B�e4B�Z9e(eB�e5B�Z:G�dd��d�Z;G�dd��d�Z<G�d d!��d!ej=�Z>G�d"d#��d#ej=�Z?G�d$d%��d%ej=�Z@e�Ae?�ejej jfej jBjC_d&d'��ZDd(d)��ZEdd+��ZFd.d,d-�ZGdS�)/z� Windows API functions implemented as ctypes functions and classes as found in jaraco.windows (3.4.1). If you encounter issues with this module, please consider reporting the issues in jaraco.windows and asking the author to port the fixes back here. ��N)�uc�� C��sn��d}d}\|\|B�}d}\|�}d}t�j��}d}d} t�jj�\|\|\|\|t��\|�\|\| �} t\| ��\|j}t�jj� \|��\|S�)zf Call FormatMessage with a system error number to retrieve the descriptive error message. ��Nr��) �ctypes�wintypes�LPWSTR�windll�kernel32�FormatMessageW�byref�handle_nonzero_success�value� LocalFree)�errno�ALLOCATE_BUFFER�FROM_SYSTEM�flags�source� message_id�language_id� result_buffer�buffer_size� arguments�bytes�message��r��C/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/_winapi.py�format_system_message��s,�� r��c��sJ��e�Zd�ZdZd ��fdd� Zedd��Zedd��Zd d ��Zdd��Z ��Z S�)�WindowsErrorzZmore info about errors at http://msdn.microsoft.com/en-us/library/ms681381(VS.85).aspxNc��s8��\|d�u�r t�jj��}t\|�}d\|d�\|f}t��j\|��d�S��Nr��)r��r��r ��GetLastErrorr��super�__init__)�selfr ��strerror�args�� __class__r��r��r"��;��s ��zWindowsError.__init__c��C��\|�j�S��N)r$��r#��r��r��r��r��B��zWindowsError.messagec��C��r(��r)��)�winerrorr��r��r��r��codeF��r+��zWindowsError.codec��C��r(��r)��)r��r��r��r��r��__str__J��s��zWindowsError.__str__c��C��s��dj�di�t��S�)Nz{self.__class__.__name__}({self.winerror})r��)�format�varsr��r��r��r��__repr__M��s��zWindowsError.__repr__r)��)�__name__� __module__�__qualname__�__doc__r"��propertyr��r-��r.��r1�� __classcell__r��r��r&��r��r��7��s�� r��c��C��s��\|�dkrt��d�S�r��)r��)�resultr��r��r��r��Q��s��r��c��@��sB��e�Zd�ZdZddd�Zdd��Zdd��Zd d ��Zdd��Zd d��Z dS�)� MemoryMapzL A memory map object which can have security attributes overridden. Nc��C��s��\|\|�_�\|\|�_\|\|�_d\|�_d�S�r��)�name�length�security_attributes�pos)r#��r;��r<��r=��r��r��r��r"��s�� zMemoryMap.__init__c�� C��sv��\|�j�r t�\|�j��nd�}d}d}d}tjj�\|\|\|d\|�jt\|�j��}t \|��\|\|kr-t d��\|\|�_t\|\|ddd�\|�_ \|�S�)N��r9��r��zFailed to create file mapping)r=��r��r��r��r ��CreateFileMappingWr<��r��r;��r�� Exception�filemap� MapViewOfFile�view)r#��p_SA�INVALID_HANDLE_VALUE�PAGE_READWRITE�FILE_MAP_WRITErC��r��r��r�� __enter__��s��zMemoryMap.__enter__c��C��s ��\|\|�_�d�S�r)��)r>��)r#��r>��r��r��r��seek��s�� zMemoryMap.seekc��C��sp��t�\|t�sJ��t\|�}\|�j\|�\|�jkrtd\|��d��\|�j\|�j�}t�\|�}tj j �\|\|\|��\|��j\|7��_d�S�)NzRefusing to write z bytes)� isinstancer��lenr>��r<�� ValueErrorrE��r��c_size_tr��r �� RtlMoveMemory)r#��msg�n�destr<��r��r��r��write��s�� zMemoryMap.writec��C��sF��t��\|�}\|�j\|�j�}t��\|�}t�jj�\|\|\|��\|��j\|7��_\|jS�)z0 Read n bytes from mapped view. ) r��create_string_bufferrE��r>��rO��r��r ��rP��raw)r#��rR��outr��r<��r��r��r��read��s�� zMemoryMap.readc��C��s$��t�jj�\|�j��t�jj�\|�j��d�S�r)��)r��r��r ��UnmapViewOfFilerE��CloseHandlerC��)r#��exc_type�exc_val�tbr��r��r��__exit__��s��zMemoryMap.__exit__r)��) r2��r3��r4��r5��r"��rJ��rK��rT��rX��r^��r��r��r��r��r:��s�� r:��i��i��i��r@�� @��r��i��i��i��r��c��@��e�Zd�ZdZdS�)�TokenAccessr`��N)r2��r3��r4��TOKEN_QUERYr��r��r��r��rf�� rf��c��@��re��)�TokenInformationClassr_��N)r2��r3��r4�� TokenUserr��r��r��r��ri�� rh��ri��c��@��s&��e�Zd�ZdZdejfdejjfgZdS�)� TOKEN_USERr_��SID� ATTRIBUTESN) r2��r3��r4��numr��c_void_pr��DWORD�_fields_r��r��r��r��rk��s �� rk��c��@��sV��e�Zd�ZdZejjZdZdej fdej fdefdej fdej fdej fd ej fgZd S�)�SECURITY_DESCRIPTORz� typedef struct _SECURITY_DESCRIPTOR { UCHAR Revision; UCHAR Sbz1; SECURITY_DESCRIPTOR_CONTROL Control; PSID Owner; PSID Group; PACL Sacl; PACL Dacl; } SECURITY_DESCRIPTOR; r_��Revision�Sbz1�Control�Owner�Group�Sacl�DaclN)r2��r3��r4��r5��r��r��USHORT�SECURITY_DESCRIPTOR_CONTROL�REVISION�c_ubytero��rq��r��r��r��r��rr��s�� rr��c��sZ��e�Zd�ZdZdejjfdejfdejjfgZ ��fdd�Z edd��Zej d d��Z��ZS�) �SECURITY_ATTRIBUTESz� typedef struct _SECURITY_ATTRIBUTES { DWORD nLength; LPVOID lpSecurityDescriptor; BOOL bInheritHandle; } SECURITY_ATTRIBUTES; �nLength�lpSecurityDescriptor�bInheritHandlec��s"��t��j\|i�\|��t�t�\|�_d�S�r)��)r!��r"��r��sizeofr~��r��)r#��r%��kwargsr&��r��r��r"��D��s��zSECURITY_ATTRIBUTES.__init__c��C��r(��r)��)�_descriptorr��r��r��r�� descriptorH��r+��zSECURITY_ATTRIBUTES.descriptorc��C��s��\|\|�_�t�\|�\|�_d�S�r)��)r��r�� addressofr��)r#��r ��r��r��r��r��L��s��)r2��r3��r4��r5��r��r��rp��ro��BOOLrq��r"��r6��r��setterr7��r��r��r&��r��r~��5��s�� r~��c�� C��sv��t�j��}t�jj�\|�\|jddt��\|��t��\|j �}t t�jj�\|�\|jt��\|�t��\|�t��\|��t��\|t�� t��jS�)z: Given a token, get the token information for it. r��)r��r��rp��r��advapi32�GetTokenInformationrn��r��rU��r ��r��r��cast�POINTERrk��contents)�token�information_class� data_size�datar��r��r��r��\��s�� r��c��C��s6��t�j��}t�j�\|��}�tt�jj�\|�\|t��\|��\|S�r)��)r��r��HANDLEr��r��r��OpenProcessTokenr��)�proc_handle�accessr8��r��r��r��r��q��s�� r��c��C��s��t�tjj��tj�}�t\|�t�S�)z< Return a TOKEN_USER for the owner of this process. ) r��r��r��r ��GetCurrentProcessrf��rg��r��rk��)�processr��r��r��get_current_user\|��s�� r��c��C��sn��\|�du�rt��}�t\|�t�sJ�d��t��}t��}\|\|_d\|_tjj � t�\|�tj��tjj � t�\|�\|�jd��\|S�)z� Return a SECURITY_ATTRIBUTES structure with the SID set to the specified user (uses current user if none is specified). Nz user must be TOKEN_USER instancer_��r��)r��rL��rk��rr��r~��r��r��r��r��r��InitializeSecurityDescriptorr��r\|��SetSecurityDescriptorOwnerrl��)�user�SD�SAr��r��r�� get_security_attributes_for_user��s��r��r)��)Hr5��builtins�ctypes.wintypesr�� paramiko.utilr��r��r��r�� GMEM_MOVEABLEr��r ��GlobalAllocr��UINTrO��argtypesr��restype� GlobalLock�HGLOBAL�LPVOID�GlobalUnlockr�� GlobalSizerA��CreateFileMappingro��rp��r��rD��rY��rP��HLOCALr��r:��READ_CONTROL�STANDARD_RIGHTS_REQUIRED�STANDARD_RIGHTS_READ�STANDARD_RIGHTS_WRITE�STANDARD_RIGHTS_EXECUTE�STANDARD_RIGHTS_ALL�POLICY_VIEW_LOCAL_INFORMATION�POLICY_VIEW_AUDIT_INFORMATION�POLICY_GET_PRIVATE_INFORMATION�POLICY_TRUST_ADMIN�POLICY_CREATE_ACCOUNT�POLICY_CREATE_SECRET�POLICY_CREATE_PRIVILEGE�POLICY_SET_DEFAULT_QUOTA_LIMITS�POLICY_SET_AUDIT_REQUIREMENTS�POLICY_AUDIT_LOG_ADMIN�POLICY_SERVER_ADMIN�POLICY_LOOKUP_NAMES�POLICY_NOTIFICATION�POLICY_ALL_ACCESS�POLICY_READ�POLICY_WRITE�POLICY_EXECUTErf��ri�� Structurerk��rr��r~��r��r��r��r��r��r��r��r��r��r��r��<module>��s��$ � D�� __pycache__/kex_gex.cpython-310.pyc��0000644��00000014620�15030210772�0013107 0��ustar�00��o ��hP(��@��s��d�Z�ddlZddlmZmZ�ddlmZ�ddlmZm Z m Z mZ�ddlm Z �ddlmZ�edd �\ZZZZZd d��edd �D��\ZZZZZG�dd ��d �ZG�dd��de�ZdS�)z� Variant on `KexGroup1 <paramiko.kex_group1.KexGroup1>` where the prime "p" and generator "g" are provided by the server. A bit more work is required on the client side, and a lot* more on the server side. ��N)�sha1�sha256)�util)�DEBUG�byte_chr�byte_ord� byte_mask)�Message)�SSHException��#��c��C��s��g�\|�]}t�\|��qS��)r��)�.0�cr ��r ��C/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/kex_gex.py� <listcomp>0��s��r��c��@��sj��e�Zd�ZdZdZdZdZeZdd��Z ddd �Z d d��Zdd ��Zdd��Z dd��Zdd��Zdd��Zdd��ZdS�)�KexGexz"diffie-hellman-group-exchange-sha1�� i��c��C��s4��\|\|�_�d�\|�_d�\|�_d�\|�_d�\|�_d�\|�_d�\|�_d\|�_d�S�)NF)� transport�p�q�g�x�e�f� old_style)�selfr��r ��r ��r��__init__;��s�� zKexGex.__init__Fc��C��s��\|�j�jr \|�j��tt��d�S�t��}\|r!\|�t��\|�\|�j ��d\|�_ n\|�t��\|�\|�j��\|�\|�j ��\|�\|�j ��\|�j��\|��\|�j��t��d�S�)NT)r��server_mode�_expect_packet�_MSG_KEXDH_GEX_REQUEST�_MSG_KEXDH_GEX_REQUEST_OLDr ��add_byte�c_MSG_KEXDH_GEX_REQUEST_OLD�add_int�preferred_bitsr��c_MSG_KEXDH_GEX_REQUEST�min_bits�max_bits� _send_message�_MSG_KEXDH_GEX_GROUP)r��_test_old_style�mr ��r ��r�� start_kexE��s �� zKexGex.start_kexc��C��sp��\|t�kr \|��\|�S�\|tkr\|��\|�S�\|tkr\|��\|�S�\|tkr$\|��\|�S�\|tkr-\|�� \|�S�d}t \|�\|�j\|��)NzKexGex {} asked to handle packet type {:d}) r!��_parse_kexdh_gex_requestr+��_parse_kexdh_gex_group�_MSG_KEXDH_GEX_INIT�_parse_kexdh_gex_init�_MSG_KEXDH_GEX_REPLY�_parse_kexdh_gex_replyr"��_parse_kexdh_gex_request_oldr ��format�name)r��ptyper-��msgr ��r ��r�� parse_next\��s�� zKexGex.parse_nextc��C��s��\|�j�d�d�}t�\|d�}t\|d��}t\|�}d}\|d@�s)\|dK�}\|dL�}\|d@�r �t�\|�}t\|d�\|�\|dd��}t�\|d�}\|dkrK\|\|k�rKnq\|\|�_ d�S�)N��r��) r��r��deflate_longr��len�os�urandomr��inflate_longr��)r��r��qnorm�qhbyte� byte_count�qmask�x_bytesr��r ��r ��r��_generate_xl��s"�� zKexGex._generate_xc��C��s��\|��}\|��}\|��}\|\|�jkr\|�j}\|\|�jk�r\|�j}\|\|kr"\|}\|\|k�r(\|}\|\|�_\|\|�_\|\|�_\|�j��}\|d�u�r>td��\|�j�td� \|\|\|��\|� \|\|\|�\\|�_\|�_t ��}\|�t��\|�\|�j��\|�\|�j��\|�j�\|��\|�j�t��d�S�)N�-Can't do server-side gex with no modulus packzPicking p ({} <= {} <= {} bits))�get_intr)��r(��r&��r��_get_modulus_packr ��_logr��r6��get_modulusr��r��r ��r#��c_MSG_KEXDH_GEX_GROUP� add_mpintr��r ��r1��)r��r-��minbits� preferredbits�maxbits�packr ��r ��r��r/��~��s<�� zKexGex._parse_kexdh_gex_requestc��C��s��\|��\|�_\|�j\|�jkr\|�j\|�_\|�j\|�jk�r\|�j\|�_\|�j��}\|d�u�r&td��\|�j�td� \|�j��\|� \|�j\|�j\|�j�\\|�_\|�_t ��}\|�t��\|�\|�j��\|�\|�j��\|�j�\|��\|�j�t��d\|�_d�S�)NrJ��zPicking p (~ {} bits)T)rK��r&��r)��r(��r��rL��r ��rM��r��r6��rN��r��r��r ��r#��rO��rP��r��r ��r1��r��)r��r-��rT��r ��r ��r��r5��s�� z#KexGex._parse_kexdh_gex_request_oldc��C��s��\|��\|�_\|��\|�_t�\|�j�}\|dk�s\|dkrtd�\|��\|�j�t d�\|��\|�� t\|�j\|�j\|�j�\|�_ t��}\|�t��\|�\|�j ��\|�j�\|��\|�j�t��d�S�)Nr��r��z<Server-generated gex p (don't ask) is out of range ({} bits)zGot server p ({} bits))� get_mpintr��r��r�� bit_lengthr ��r6��r��rM��r��rI��powr��r��r ��r#��c_MSG_KEXDH_GEX_INITrP��r��r ��r3��)r��r-��bitlenr ��r ��r��r0��s �� zKexGex._parse_kexdh_gex_groupc��C��sz��\|��\|�_\|�jdk�s\|�j\|�jd�krtd��\|��t\|�j\|�j\|�j�\|�_t\|�j\|�j\|�j�}\|�j � ��}t��}\|� \|�j j\|�j j\|�j j\|�j j\|��\|�jsQ\|�\|�j��\|�\|�j��\|�js`\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|��\|��\|��}\|�j �\|\|��\|�j � ��\|\|�j j�}t��}\|�t��\|�\|��\|�\|�j��\|�\|��\|�j � \|��\|�j �!��d�S�)Nr;��zClient kex "e" is out of range)"rU��r��r��r ��rI��rW��r��r��r��r��get_server_key�asbytesr ��add�remote_version� local_version�remote_kex_init�local_kex_initr��r%��r(��r&��r)��rP�� hash_algo�digest�_set_K_H� sign_ssh_data� host_key_typer#��c_MSG_KEXDH_GEX_REPLY� add_stringr��_activate_outbound)r��r-��K�key�hm�H�sigr ��r ��r��r2��sJ�� zKexGex._parse_kexdh_gex_initc��C��s��\|��}\|��\|�_\|��}\|�jdk�s\|�j\|�jd�krtd��t\|�j\|�j\|�j�}t��}\|�\|�j j \|�j j\|�j j\|�j j \|��\|�jsD\|�\|�j��\|�\|�j��\|�jsS\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|�j��\|�\|��\|�j �\|\|��\|��\|�j �\|\|��\|�j ��d�S�)Nr;��zServer kex "f" is out of range)� get_stringrU��r��r��r ��rW��r��r ��r\��r��r^��r]��r`��r_��r��r%��r(��r&��r)��rP��r��r��rc��ra��r[��rb��_verify_keyrh��)r��r-��host_keyrm��ri��rk��r ��r ��r��r4��s6�� zKexGex._parse_kexdh_gex_replyN)F)�__name__� __module__�__qualname__r7��r(��r)��r&��r��ra��r��r.��r:��rI��r/��r5��r0��r2��r4��r ��r ��r ��r��r��3��s�� &+r��c��@��s��e�Zd�ZdZeZdS�)�KexGexSHA256z$diffie-hellman-group-exchange-sha256N)rq��rr��rs��r7��r��ra��r ��r ��r ��r��rt��s��rt��)�__doc__rA��hashlibr��r��paramikor��paramiko.commonr��r��r��r��paramiko.messager ��paramiko.ssh_exceptionr ��ranger"��r+��r1��r3��r!��r$��rO��rX��rf��r'��r��rt��r ��r ��r ��r��<module>��s0�� l��__pycache__/ed25519key.cpython-310.pyc��0000644��00000011163�15030210772�0013163 0��ustar�00��o ��h!��@��sx��d�dl�Z�d�dlmZ�d�dlmZ�d�dlZd�dlmZ�d�dl m Z mZmZ�d�dl mZ�d�dlmZmZ�G�dd ��d e �ZdS�) ��N)�default_backend)�Cipher)�Message)�PKey�OPENSSH_AUTH_MAGIC�_unpad_openssh)�b)�SSHException�PasswordRequiredExceptionc��@��sf��e�Zd�ZdZdZ ddd�Zdd��Zdd ��Zed d��Z dd ��Z dd��Zdd��Zddd�Z dd��ZdS�)� Ed25519Keya�� Representation of an `Ed25519 <https://ed25519.cr.yp.to/>`_ key. .. note:: Ed25519 key support was added to OpenSSH in version 6.5. .. versionadded:: 2.2 .. versionchanged:: 2.3 Added a ``file_obj`` parameter to match other key classes. zssh-ed25519Nc�� C��s��d�\|�_�d��}}\|d�u�r\|d�urt\|�}\|d�ur)\|�j\|\|�jdd��tj�\|��}n.\|d�urKt\|d��}\|�� d\|�\} }W�d��n1�sEw��Y��n\|d�urW\|�� d\|�\} }\|s[\|ra\|�� \|\|�}\|d�u�rm\|d�u�rmtd��\|\|�_\|\|�_ d�S�)Nz ssh-ed25519-cert-v01@openssh.com)�msg�key_type� cert_type�r�OPENSSHz need a key)�public_blobr��_check_type_and_load_cert�name�nacl�signing� VerifyKey� get_binary�open�_read_private_key�_parse_signing_key_data� ValueError�_signing_key�_verifying_key) �selfr��data�filename�password�file_obj� verifying_key�signing_key�f�pkformat��r'��F/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/ed25519key.py�__init__,��s0�� zEd25519Key.__init__c��C��sn��ddl�m}�t\|�}\|�tt��tkrtd��\|��}\|��}\|��}\|� ��}\|dkr6\|s1\|dkr5td��n\|dkrM\|s@t d��t\|�} \| ��} \| � ��}ntd��\|dkr^\|\|jvr^td��g�}t\|�D�]} t\|��}\|��\|�j krwtd��\|�\|��qd\|��}\|dkr�\|}n>\|j\|�}tjt\|�\| \|d�\|d��\|d d �}t\|d�\|d�\|d��\|d�\|\|d�d��t��d ��}\|�\|�\|��}tt\|��}\|� ��\|� ��kr�td��g�}t\|�D�]G}\|��\|�j kr�td��\|��}\|��}tj�\|d�d��}\|j��\|��k�r\|\|��k�r\|dd��k�sJ��J��\|�\|��\|��q�t\|�dk�r3td��\|d�S�)Nr��)� TransportzInvalid key�none�bcryptzPrivate key file is encryptedzkey-sizez block-sizeT)r!��salt�desired_key_bytes�rounds�ignore_few_rounds�class�mode)�backend� ��)�paramiko.transportr��r�� get_bytes�lenr��r ��get_textr��get_intr ��_cipher_info�ranger��appendr,��kdfr��r��r�� decryptor�update�finalizer��r��r�� SigningKey� verify_key�encode)r��r��r!��r��message� ciphername�kdfname� kdfoptions�num_keysr>��bcrypt_salt� bcrypt_rounds�public_keys�_�pubkey�private_ciphertext�private_data�cipher�keyr?��signing_keys�i�public�key_datar$��r'��r'��r(��r��I��s�� z"Ed25519Key._parse_signing_key_datac��C��s@��\|��r \|�jj}n\|�j}t��}\|�\|�j��\|�\|��\|��S��N) �can_signr��rC��r��r�� add_stringr��rD��asbytes)r��v�mr'��r'��r(��rZ��s�� zEd25519Key.asbytesc��C��s$��\|��r \|�jj}n\|�j}\|��\|fS�rW��)rX��r��rC��r��get_name)r��r[��r'��r'��r(��_fields��s�� zEd25519Key._fieldsc��C��s��\|�j�S�rW��)r��r��r'��r'��r(��r]��s��zEd25519Key.get_namec��C��s��dS�)N��r'��r_��r'��r'��r(��get_bits��s��zEd25519Key.get_bitsc��C��s ��\|�j�d�uS�rW��)r��r_��r'��r'��r(��rX��s�� zEd25519Key.can_signc��C��s��t��}\|�\|�j��\|�\|�j�\|�j��\|S�rW��)r��rY��r��r��sign� signature)r��r�� algorithmr\��r'��r'��r(�� sign_ssh_data��s��zEd25519Key.sign_ssh_datac��C��sD��\|��\|�jkr dS�z\|�j�\|\|��W�dS��tjjy!��Y�dS�w�)NFT)r9��r��r��verifyr��r�� exceptions�BadSignatureError)r��r��r��r'��r'��r(��verify_ssh_sig��s��zEd25519Key.verify_ssh_sig)NNNNNrW��)�__name__� __module__�__qualname__�__doc__r��r)��r��rZ��propertyr^��r]��ra��rX��re��ri��r'��r'��r'��r(��r��s�� ` r��)r,��cryptography.hazmat.backendsr��&cryptography.hazmat.primitives.ciphersr��nacl.signingr��paramiko.messager�� paramiko.pkeyr��r��r�� paramiko.utilr��paramiko.ssh_exceptionr ��r ��r��r'��r'��r'��r(��<module>��s��__pycache__/auth_handler.cpython-310.pyc��0000644��00000060534�15030210772�0014120 0��ustar�00��o ��h��@��s8��d�Z�ddlZddlZddlZddlZddlmZmZmZm Z m Z mZmZm Z mZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(�ddl)mZ�ddl+m,Z,m-Z-�ddl.m/Z/m0Z0m1Z1m2Z2�ddl3m4Z4�ddl5m6Z6m7Z7�G�d d ��d �Z8G�dd��d�Z9G�d d��de8�Z:dS�)z `.AuthHandler` ��N)#�cMSG_SERVICE_REQUEST�cMSG_DISCONNECT� DISCONNECT_SERVICE_NOT_AVAILABLE�)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE�cMSG_USERAUTH_REQUEST�cMSG_SERVICE_ACCEPT�DEBUG�AUTH_SUCCESSFUL�INFO�cMSG_USERAUTH_SUCCESS�cMSG_USERAUTH_FAILURE�AUTH_PARTIALLY_SUCCESSFUL�cMSG_USERAUTH_INFO_REQUEST�WARNING�AUTH_FAILED�cMSG_USERAUTH_PK_OK�cMSG_USERAUTH_INFO_RESPONSE�MSG_SERVICE_REQUEST�MSG_SERVICE_ACCEPT�MSG_USERAUTH_REQUEST�MSG_USERAUTH_SUCCESS�MSG_USERAUTH_FAILURE�MSG_USERAUTH_BANNER�MSG_USERAUTH_INFO_REQUEST�MSG_USERAUTH_INFO_RESPONSE�cMSG_USERAUTH_GSSAPI_RESPONSE�cMSG_USERAUTH_GSSAPI_TOKEN�cMSG_USERAUTH_GSSAPI_MIC�MSG_USERAUTH_GSSAPI_RESPONSE�MSG_USERAUTH_GSSAPI_TOKEN�MSG_USERAUTH_GSSAPI_ERROR�MSG_USERAUTH_GSSAPI_ERRTOK�MSG_USERAUTH_GSSAPI_MIC� MSG_NAMES�cMSG_USERAUTH_BANNER)�Message)�b�u)�SSHException�AuthenticationException�BadAuthenticationType�PartialAuthentication)�InteractiveQuery)�GSSAuth�GSS_EXCEPTIONSc��@��s.��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd d��Zdd ��Z dd��Z dHdd�Zdd��Zdd��Z dd��Zdd��Zdd��Zdd��Zdd ��Zd!d"��Zd#d$��Zd%d&��Zd'd(��Zd)d��Zd+d,��Zd-d.��Zd/d0��Zd1d2��Zd3d4��Zd5d6��Zd7d8��Zd9d:��Zd;d<��Z d=d>��Z!d?d@��Z"e#dAdB��Z$e#dCdD��Z%e#dEdF��Z&dGS�)I�AuthHandlerzC Internal class to handle the mechanics of authentication. c��C��s^��t��\|�\|�_d�\|�_d\|�_d�\|�_d\|�_d�\|�_d�\|�_d�\|�_ d�\|�_ d�\|�_d�\|�_d\|�_ d�\|�_d\|�_d�S�)NF��r��T)�weakref�proxy� transport�username� authenticated� auth_event�auth_method�banner�password�private_key�interactive_handler� submethods� auth_username�auth_fail_count�gss_host�gss_deleg_creds)�selfr3��rB��H/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/auth_handler.py�__init__R��s�� zAuthHandler.__init__c��G��s��\|�j�j\|��S��N)r3��_log)rA��argsrB��rB��rC��rF��d��zAuthHandler._logc��C��\|�j�S�rE��)r5��rA��rB��rB��rC��is_authenticatedg��s��zAuthHandler.is_authenticatedc��C��\|�j�jr\|�jS�\|�jS�rE��)r3��server_moder=��r4��rJ��rB��rB��rC��get_usernamej��s��zAuthHandler.get_usernamec��C��H��\|�j�j��z\|\|�_d\|�_\|\|�_\|��W�\|�j�j��d�S�\|�j�j��w��N�none�r3��lock�acquirer6��r7��r4�� _request_auth�release�rA��r4��eventrB��rB��rC�� auth_nonep�� zAuthHandler.auth_nonec��C��N��\|�j�j��z\|\|�_d\|�_\|\|�_\|\|�_\|��W�\|�j�j��d�S�\|�j�j��w�)N� publickey) r3��rS��rT��r6��r7��r4��r:��rU��rV��)rA��r4��keyrX��rB��rB��rC��auth_publickeyz�� zAuthHandler.auth_publickeyc��C��r[��)Nr9��) r3��rS��rT��r6��r7��r4��r9��rU��rV��)rA��r4��r9��rX��rB��rB��rC�� auth_password��r_��zAuthHandler.auth_passwordr0��c��C��sT��\|�j�j��z\|\|�_d\|�_\|\|�_\|\|�_\|\|�_\|��W�\|�j�j� ��dS�\|�j�j� ��w�)�K response_list = handler(title, instructions, prompt_list) �keyboard-interactiveN) r3��rS��rT��r6��r7��r4��r;��r<��rU��rV��)rA��r4��handlerrX��r<��rB��rB��rC��auth_interactive��s�� zAuthHandler.auth_interactivec��C��sT��\|�j�j��z\|\|�_d\|�_\|\|�_\|\|�_\|\|�_\|��W�\|�j�j� ��d�S�\|�j�j� ��w�)N�gssapi-with-mic) r3��rS��rT��r6��r7��r4��r?��r@��rU��rV��)rA��r4��r?��r@��rX��rB��rB��rC��auth_gssapi_with_mic��s�� z AuthHandler.auth_gssapi_with_micc��C��rO��)N�gssapi-keyexrR��rW��rB��rB��rC��auth_gssapi_keyex��rZ��zAuthHandler.auth_gssapi_keyexc��C��s��\|�j�d�ur\|�j��d�S�d�S�rE��)r6��setrJ��rB��rB��rC��abort��s�� zAuthHandler.abortc��C��s��t��}\|�t��\|�d��\|�j�\|��d�S��N�ssh-userauth)r%��add_byter�� add_stringr3�� _send_message�rA��mrB��rB��rC��rU��s�� zAuthHandler._request_authc��C��H��t��}\|�t��\|�t��\|�d��\|�d��\|�j�\|��\|�j��d�S�)NzService not available�en) r%��rm��r��add_intr��rn��r3��ro��closerp��rB��rB��rC��!_disconnect_service_not_available�� z-AuthHandler._disconnect_service_not_availablec��C��rr��)NzNo more auth methods availablers��) r%��rm��r��rt��r��rn��r3��ro��ru��rp��rB��rB��rC��_disconnect_no_more_auth��rw��z$AuthHandler._disconnect_no_more_authc��C��s"��\|j�r\|j�j\|j�jfS�\|��\|fS�)z� Given any key, return its type/algorithm & bits-to-sign. Intended for input to or verification of, key signatures. )�public_blob�key_type�key_blob�get_name)rA��r]��rB��rB��rC��_get_key_type_and_bits��s��z"AuthHandler._get_key_type_and_bitsc��C��sp��t��}\|�\|�jj��\|�t��\|�\|��\|�\|��\|�d��\|�d��\|��\|�\}}\|�\|��\|�\|��\|��S�)Nr\��T) r%��rn��r3�� session_idrm��r��add_booleanr}��asbytes)rA��r]��servicer4�� algorithmrq��_�bitsrB��rB��rC��_get_session_blob��s�� zAuthHandler._get_session_blobc��C��s��d�}\|�j�jd�urt��\|�j�j�} �\|�d��\|�j��s0\|�j��}\|d�u�st\|jt�r.t d�}\|�\|� ��r5n\|d�urC\|t��krCt d��q\|��s`\|�j��}\|d�u�rUt d�}t\|jt�r^\|j S�\|�g�S�)NTg��?z5Authentication failed: transport shut down or saw EOFzAuthentication timeout.zAuthentication failed.)r3��auth_timeout�time�wait� is_active� get_exception� issubclass� __class__�EOFErrorr)��is_setrK��r+�� allowed_types)rA��rX��max_ts�erB��rB��rC��wait_for_response��s2�� zAuthHandler.wait_for_responsec��C��s��\|��}\|�jjrC\|dkrCt��}\|�t��\|�\|��\|�j�\|��\|�jj� ��\}}\|rAt��}\|�t ��\|�\|��\|�\|��\|�j�\|��d�S�\|��d�S�rk��)�get_textr3��rM��r%��rm��r��rn��ro�� server_object� get_bannerr$��rv��)rA��rq��r��r8��languagerB��rB��rC��_parse_service_request ��s�� z"AuthHandler._parse_service_requestc��C��sF��\|�j�j}\|�dd�\|vrd}\|��t\|�\|��d�S�\|�j�j\|�t\|��S�)N�-cert-v01@openssh.comr0��z<Auth rejected: pubkey algorithm '{}' unsupported or disabled)r3��preferred_pubkeys�replacerF��r ��format� _key_infor%��)rA��r��keyblob�options�errrB��rB��rC��_generate_key_from_request��s��z&AuthHandler._generate_key_from_requestc��C��s.��\|d�}d}\|��t\|�\|��\|��td��\|S�)Nr��zYServer did not send a server-sig-algs list; defaulting to our first preferred algo ({!r})z�NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!)rF��r��r��)rA��rz��my_algos�pubkey_algo�msgrB��rB��rC��!_choose_fallback_pubkey_algorithm(��s��z-AuthHandler._choose_fallback_pubkey_algorithmc��C��sJ��d\|vr\|S�\|��td�\|��\|�d�r3t�d\|�jj�r3d}\|\|�j_\|��td��\|��td�\|��\|S�dd ��\|�jj D��}\|��td �\|��\|sKt d��t\|�jj� dtd ��}d�}\|r�\|�d�}\|��td�\|��tt\|j\|��}\|r�\|d�}\|��td�\|��n\|��td��d}t\|�\|��\|��\|\|�}\|�d�r�\|d7�}\|\|�j_\|S�)N�rsaz0Finalizing pubkey algorithm for key of type {!r}r��z-OpenSSH_(?:[1-6]\|7\.[0-7])zssh-rsa-cert-v01@openssh.comz)OpenSSH<7.8 + RSA cert = forcing ssh-rsa!z!Agreed upon {!r} pubkey algorithmc��S��s��g�\|�]}d�\|v�r\|�qS�)r��rB��)�.0�xrB��rB��rC�� <listcomp>O��s��z:AuthHandler._finalize_pubkey_algorithm.<locals>.<listcomp>zOur pubkey algorithm list: {}zFAn RSA key was specified, but no RSA pubkey algorithms are configured!zserver-sig-algsr0��,zServer-side algorithm list: {}r��z)No common pubkey algorithms exist! Dying.z=Unable to agree on a pubkey algorithm for signing a {!r} key!)rF��r��r��endswith�re�searchr3��remote_version�_agreed_pubkey_algorithmr��r(��r'��server_extensions�getr&��split�list�filter�__contains__r)��r��)rA��rz��r��r��server_algo_str�server_algos� agreementr��rB��rB��rC��_finalize_pubkey_algorithm3��sd�� z&AuthHandler._finalize_pubkey_algorithmc�� C��s��\|��}\|dk�r�\|��td��t��}\|�t��\|�\|�j��\|�d��\|�\|�j��\|�jdkr>\|� d��t \|�j�}\|�\|��n�\|�jdkrw\|� d��\|��\|�j �\}}\|��\|�}\|�\|��\|�\|��\|��\|�j d\|�j\|�}\|�j �\|\|�}\|�\|��nS\|�jdkr�\|�d ��\|�\|�j��nA\|�jd k�r�t\|�j\|�j�} \|�\| ��\|�j�\|��\|�jj��\} }\| tkr�\|��\|��\|�jj��\} }\| tk�r]\|��}t��}\|�t��z\|�\| �\|�j \|\|�j��W�n�t!y��}�z\|��"\|�W��Y�d�}~S�d�}~ww�\|�j�\|�� \|�jj��\} }\| t#k�rI\|��} z\| �\|�j \|\|�j\| �}W�n�t!�y/�}�z\|��"\|�W��Y�d�}~S�d�}~ww�\|d�u��r6nt��}\|�t��\|�\|��\|�j�$\|��q�t��}\|�t(��\|�\| �)\|�jj��nm\| t+k�rft%d��\| t,k�r�\|�-��}\|�-��}\|��}\|��t%d �&\|\|\|��\| t.k�r�\|��/\|��d�S�t%d�&t'\| ��\|�jdk�r�\|�jj0�r�\|�jj1}\|�2\|�j��\|�)\|�jj�}\|�\|��n\|�jdk�r�nt%d�&\|�j��\|�j�\|��d�S�\|��td�&\|��d�S�)Nrl��zuserauth is OK�ssh-connectionr9��Fr\��Trb��r0��re��zReceived Package: {}zServer returned an error tokenzCGSS-API Error: Major Status: {} Minor Status: {} Error Message: {} rg��rQ��zUnknown auth method "{}"z!Service request "{}" accepted (?))3r��rF��r��r%��rm��r��rn��r4��r7��r��r&��r9��r}��r:��r��r�� sign_ssh_datar<��r-��r@�� add_bytes�ssh_gss_oidsr3��ro�� packetizer�read_messager��_parse_userauth_bannerr�� get_stringr��ssh_init_sec_contextr?��r.��_handle_local_gss_failurer��send_messager(��r��r#��r��ssh_get_micr~��r!��r ��get_intr��_parse_userauth_failure�gss_kex_used�kexgss_ctxt�set_username)rA��rq��r��r9��rz��r��r��blob�sig�sshgss�ptype�mechr�� srv_token� next_token� maj_status� min_status�err_msg�kexgss� mic_tokenrB��rB��rC��_parse_service_accept{��s�� z!AuthHandler._parse_service_acceptc��C��s��t��}\|tkr\|��td�\|��\|�t��d\|�_n.\|��td�\|��\|�t��\|� \|�j j�\|��\|t kr;\|�d��n\|�d��\|��jd7��_\|�j �\|��\|�jdkrV\|��\|tkra\|�j ��d�S�d�S�)NzAuth granted ({}).TzAuth rejected ({}).F�� )r%��r ��rF��r ��r��rm��r��r5��r��rn��r3��r��get_allowed_authsr ��r��r>��ro��rx�� _auth_trigger)rA��r4��method�resultrq��rB��rB��rC��_send_auth_result��s(�� zAuthHandler._send_auth_resultc��C��s\|��t��}\|�t��\|�\|j��\|�\|j��\|�t��\|�t\|j ��\|j D�]}\|�\|d��\|� \|d��q%\|�j�\|��d�S�)Nr��r��) r%��rm��r��rn��name�instructions�bytesrt��len�promptsr��r3��ro��)rA��qrq��prB��rB��rC��_interactive_query��s�� zAuthHandler._interactive_queryc�� C��sv��\|�j�jst��}\|�t��\|�d��\|�d��\|�j��\|��d�S�\|�jr#d�S�\|� ��}\|� ��}\|� ��}\|�� td�\|\|\|��\|dkrD\|�� d�S�\|�jd�urZ\|�j\|krZ\|�� td��\|��d�S�\|\|�_\|�j�j��}\|dkrp\|�j�j�\|�}�n�\|dkr�\|��}\|��}z\|�d�}W�n �ty��Y�nw�\|r�\|�� td��\|��} z\| �dd �} W�n �ty��Y�nw�t}�n�\|�j�j�\|\|�}�ny\|d k�rg\|��} \|� ��}\|��}z\|��\|\|�} W�nA�ty��}�z\|�� td�t\|��d�} W�Y�d�}~n'd�}~w�t�y�}�zd}\|�� t\|�\|jj \|��d�} W�Y�d�}~nd�}~ww�\| d�u��r\|��d�S�\|�j�j�!\|\| �}\|tk�rf\| �sIt��}\|�t"��\|�\|��\|�\|��\|�j��\|��d�S�t\|��}\|��#\| \|\|\|�}\| �$\|\|��sf\|�� td ��t}n�\|dk�r�\|�%��}\|�j�j�&\|\|�}t'\|t(��r�\|��)\|��d�S�n�\|dk�r�\|�r�t\|�}\|�+��}\|dk�r�\|�� td��\|��\|�%��}\|�,\|�}\|�s�\|�� td��\|��\|�-d�}t��}\|�t.��\|�/\|��t0\|�\|�\|�j�_1t2t3t4f\|�j�_5\|�j��\|��d�S�\|dk�r+\|�r+\|�%��}\|�j�j6}\|d�u��rt}\|��7\|\|\|��z\|�8\|\|�j�j9\|�j��W�n�t�y��t}\|��7\|\|\|��w�t:}\|�j�j�;\|\|��n\|�j�j�\|�}\|��7\|\|\|��d�S�)NrQ��Fz.Auth request (type={}) service={}, username={}r��zKAuth rejected because the client attempted to change username in mid-flightr9��zUTF-8z+Auth request to change passwords (rejected)r��r\��zAuth rejected: public key: {}z9Auth rejected: unsupported or mangled public key ({}: {})z Auth rejected: invalid signaturerb��re��r��z8Disconnect: Received more than one GSS-API OID mechanismz5Disconnect: Received an invalid GSS-API OID mechanism�serverrg��)<r3��rM��r%��rm��r��rn��r��ro��r5��r��rF��r��r��rv��r=��r��rx��r��enable_auth_gssapi�check_auth_none�get_boolean� get_binary�decode�UnicodeErrorr��check_auth_passwordr��r(��r ��str� Exceptionr��__name__�check_auth_publickeyr��r��verify_ssh_sigr��check_auth_interactive� isinstancer,��r��r-��r��ssh_check_mechr��r��r��GssapiWithMicAuthHandler�auth_handlerr��r��r��_expected_packetr��r�� ssh_check_micr~��r ��check_auth_gssapi_keyex)rA��rq��r4��r��r��gss_authr�� changereqr9��newpassword�sig_attachedr��r��r]��r��r��r��r��r<��r��mechs�desired_mech�mech_ok�supported_mechr��rB��rB��rC��_parse_userauth_request%��s.�� z#AuthHandler._parse_userauth_requestc��C��s@��\|��td�\|�j��d\|�_\|�j��\|�jd�ur\|�j��d�S�d�S�)NzAuthentication ({}) successful!T) rF��r ��r��r7��r5��r3��r��r6��ri��rp��rB��rB��rC��_parse_userauth_success��s�� z#AuthHandler._parse_userauth_successc��C��s��\|��}\|��}\|r!\|��td��\|��tdt\|��t\|�\|�j_n+\|�j \|vrBd� \|�j �d� \|�fD�]}\|��t\|��q1td\|�\|�j_n \|��td� \|�j ��d\|�_d�\|�_ \|�jd�ur^\|�j��d�S�d�S�)NzAuthentication continues...z Methods: z'Authentication type ({}) not permitted.zAllowed methods: {}zBad authentication type�Authentication ({}) failed.F)�get_listr��rF��r ��r��r��r+��r3��saved_exceptionr7��r��r��r5��r4��r6��ri��)rA��rq��authlist�partialr��rB��rB��rC��r��s0�� z#AuthHandler._parse_userauth_failurec��C��s$��\|��}\|\|�_\|��td�\|��d�S�)NzAuth banner: {})r��r8��rF��r ��r��)rA��rq��r8��rB��rB��rC��r��s��z"AuthHandler._parse_userauth_bannerc�� C��s��\|�j�dkr td��\|��}\|��}\|��\|��}g�}t\|�D�] }\|�\|��\|��f��q\|��\|\|\|�}t ��}\|� t��\|�t \|��\|D�]}\|�\|��qE\|�j�\|��d�S�)Nrb��z Illegal info request from server)r7��r(��r��r��r��range�appendr��r;��r%��rm��r��rt��r��rn��r3��ro��) rA��rq��titler��r��prompt_list�i� response_list�rrB��rB��rC��_parse_userauth_info_request��s$�� z(AuthHandler._parse_userauth_info_requestc��C��sr��\|�j�jstd��\|��}g�}t\|�D�] }\|�\|��q\|�j�j�\|�}t \|t �r/\|��\|��d�S�\|��\|�j d\|��d�S�)Nz!Illegal info response from serverrb��)r3��rM��r(��r��r ��r��r��r��check_auth_interactive_responser��r,��r��r��r=��)rA��rq��n� responsesr��r��rB��rB��rC��_parse_userauth_info_response��s�� z)AuthHandler._parse_userauth_info_responsec��C��sR��\|\|�j�_\|��td�\|��\|��td�\|�j��d\|�_d�\|�_\|�j d�ur'\|�j � ��d�S�)NzGSSAPI failure: {}r��F)r3��r��rF��r��r��r ��r7��r5��r4��r6��ri��)rA��r��rB��rB��rC��r����s�� z%AuthHandler._handle_local_gss_failurec��C��s��t�\|�jt\|�jt\|�jiS�rE��)r��r��r��r��r��r��rJ��rB��rB��rC��_server_handler_table<��s��z!AuthHandler._server_handler_tablec�� C��s"��t�\|�jt\|�jt\|�jt\|�jt\|�j iS�rE��) r��r��r��r��r��r��r��r��r��r��rJ��rB��rB��rC��_client_handler_tableH��s��z!AuthHandler._client_handler_tablec��C��rL��rE��)r3��rM��r��r��rJ��rB��rB��rC��_handler_tableT��s��zAuthHandler._handler_tableN�r0��)'r�� __module__�__qualname__�__doc__rD��rF��rK��rN��rY��r^��r`��rd��rf��rh��rj��rU��rv��rx��r}��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��propertyr��r��r��rB��rB��rB��rC��r/��M��sR�� H� �2 r/��c��@��s��e�Zd�ZdZdZdd��Zdd��Zedd��Zed d ��Z edd��Z ed d��Zdd��Zdd��Z dd��Zdd��Zdd��Zeeeeee eeiZedd��ZdS�)r��z�A specialized Auth handler for gssapi-with-mic During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique. re��c��C��s��\|\|�_�\|\|�_d�S�rE��)� _delegater��)rA��delegater��rB��rB��rC��rD��e��s�� z!GssapiWithMicAuthHandler.__init__c��C��s��\|��\|�j��S�rE��)�_restore_delegate_auth_handlerr��rj��rJ��rB��rB��rC��rj��i��s�� zGssapiWithMicAuthHandler.abortc��C��\|�j�jS�rE��)r��r3��rJ��rB��rB��rC��r3��m��z"GssapiWithMicAuthHandler.transportc��C��r!��rE��)r��r��rJ��rB��rB��rC��r��q��r"��zGssapiWithMicAuthHandler._send_auth_resultc��C��r!��rE��)r��r=��rJ��rB��rB��rC��r=��u��r"��z&GssapiWithMicAuthHandler.auth_usernamec��C��r!��rE��)r��r?��rJ��rB��rB��rC��r?��y��r"��z!GssapiWithMicAuthHandler.gss_hostc��C��s��\|�j�\|�j_d�S�rE��)r��r3��r��rJ��rB��rB��rC��r ��}��s��z7GssapiWithMicAuthHandler._restore_delegate_auth_handlerc�� C��s��\|��}\|�j}z\|�\|�j\|\|�j�}W�n �ty2�}�z\|\|�j_t}\|�� \|�� \|�j\|�j\|��d�}~ww�\|d�urSt��}\|� t��\|�\|��tttf\|�j_\|�j�\|��d�S�d�S�rE��)r��r��ssh_accept_sec_contextr?��r=��r��r3��r��r��r ��r��r��r%��rm��r��rn��r��r"��r��r��ro��)rA��rq��client_tokenr��tokenr��r��rB��rB��rC��_parse_userauth_gssapi_token��s0�� z5GssapiWithMicAuthHandler._parse_userauth_gssapi_tokenc�� C��s��\|��}\|�j}\|�j}\|��z\|�\|\|�jj\|��W�n�ty4�}�z\|\|�j_t }\|�� \|\|�j\|��d�}~ww�t}\|�jj �\|\|��\|�� \|\|�j\|��d�S�rE��)r��r��r=��r ��r��r3��r~��r��r��r��r��r��r ��r��check_auth_gssapi_with_mic)rA��rq��r��r��r4��r��r��rB��rB��rC��_parse_userauth_gssapi_mic��s(�� z3GssapiWithMicAuthHandler._parse_userauth_gssapi_micc��C��\|��\|�j�\|�S�rE��)r ��r��r��rp��rB��rB��rC��r��z/GssapiWithMicAuthHandler._parse_service_requestc��C��r)��rE��)r ��r��r��rp��rB��rB��rC��r��r��z0GssapiWithMicAuthHandler._parse_userauth_requestc��C��rI��rE��)�(_GssapiWithMicAuthHandler__handler_tablerJ��rB��rB��rC��r��s��z'GssapiWithMicAuthHandler._handler_tableN)r��r��r��r��r��rD��rj��r��r3��r��r=��r?��r ��r&��r(��r��r��r��r��r��r"��r+��r��rB��rB��rB��rC��r��\��s2�� r��c��sX��e�Zd�ZdZe��fdd��Zddd�Zdd��Zd d ��Zdd��Z ddd�Z dd��Z��ZS�)�AuthOnlyHandlerzU AuthHandler, and just auth, no service requests! .. versionadded:: 3.2 c��s��t��j��}\|t=�\|S�rE��)�superr��copyr��)rA��my_table�r��rB��rC��r��s��z%AuthOnlyHandler._client_handler_tableNc��C��s��\|\|�_�\|\|�_t��}\|�t��\|�\|��\|�d��\|�\|��\|\|��\|�jj��\|�j�\|��W�d��n1�s6w��Y��t � ��\|�_\|��\|�j�S�)a�� Submit a userauth request message & wait for response. Performs the transport message send call, sets self.auth_event, and will lock-n-block as necessary to both send, and wait for response to, the USERAUTH_REQUEST. Most callers will want to supply a callback to ``finish_message``, which accepts a Message ``m`` and may call mutator methods on it to add more fields. r��N) r7��r4��r%��rm��r��rn��r3��rS��ro�� threading�Eventr6��r��)rA��r4��r��finish_messagerq��rB��rB��rC��send_auth_request��s�� z!AuthOnlyHandler.send_auth_requestc��C��s��\|��\|d�S�rP��r4��)rA��r4��rB��rB��rC��rY��rH��zAuthOnlyHandler.auth_nonec��sH��\|��\}�\|��\|��\|��d\|��fdd�}\|��\|d\|�S�)Nr��c��s4��\|��d��\|��\|��\|��d�S�)NT)r��rn��r��rq��r��r��r��r]��rB��rC��finish��s�� z.AuthOnlyHandler.auth_publickey.<locals>.finishr\��)r}��r��r��r4��)rA��r4��r]��rz��r8��rB��r7��rC��r^��s�� zAuthOnlyHandler.auth_publickeyc��s��fdd�}\|��\|d\|�S�)Nc��s��\|��d��\|��t��d�S�)NF)r��rn��r&��r6��r9��rB��rC��r8��s�� z-AuthOnlyHandler.auth_password.<locals>.finishr9��r5��)rA��r4��r9��r8��rB��r9��rC��r`��s��zAuthOnlyHandler.auth_passwordr0��c��s&��d\|�_�\|\|�_��fdd�}\|��\|d\|�S�)ra��keyboard_interactivec��s��\|��d��\|��d�S�)Nr0��)rn��r6��r<��rB��rC��r8��/��s�� z0AuthOnlyHandler.auth_interactive.<locals>.finishrb��)r7��r;��r4��)rA��r4��rc��r<��r8��rB��r;��rC��rd��%��s��z AuthOnlyHandler.auth_interactivec��C��st��d}\|��t\|��\|�dd�}\|\|v�s\|\|v�r'\|\|v�r\|n\|}d\|�d�}\|}n\|d�}\|�d\|��}\|��t\|��\|S�)NzdServer did not send a server-sig-algs list; defaulting to something in our preferred algorithms listr��r0��zCurrent key type, z&, is in our preferred list; using thatr��z3 not in our list - trying first list item instead, )rF��r��r��)rA��rz��r��r��noncert_key_type�actual�algorB��rB��rC��r��8��s��z1AuthOnlyHandler._choose_fallback_pubkey_algorithmrE��r��) r��r��r��r��r��r��r4��rY��r^��r`��rd��r�� __classcell__rB��rB��r0��rC��r,��s�� ) r,��);r��r1��r1��r��r��paramiko.commonr��r��r��r��r��r��r��r ��r ��r��r��r ��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r ��r!��r"��r#��r$��paramiko.messager%�� paramiko.utilr&��r'��paramiko.ssh_exceptionr(��r)��r��r+��paramiko.serverr,��paramiko.ssh_gssr-��r.��r/��r��r,��rB��rB��rB��rC��<module>��s(��%��l��__pycache__/hostkeys.cpython-310.pyc��0000644��00000027570�15030210772�0013336 0��ustar�00��o ��h�3��@��s��d�dl�mZmZ�d�dlZd�dlZd�dlZd�dlmZ�d�dlm Z �d�dl mZ�d�dlm Z mZ�d�dlmZmZmZmZ�d�dlmZ�G�d d ��d e�ZG�dd��de�ZG�d d��d�ZdS�)��)�encodebytes�decodebytesN)�MutableMapping)�sha1)�HMAC)�PKey�UnknownKeyType)� get_logger�constant_time_bytes_eq�b�u)�SSHExceptionc��@��s��e�Zd�ZdZd#dd�Zdd��Zdd��Zd d ��Zdd��Zd d��Z dd��Z dd��Zdd��Zdd��Z dd��Zdd��Zdd��Zdd��Zdd ��Zed#d!d"��ZdS�)$�HostKeysaZ�� Representation of an OpenSSH-style "known hosts" file. Host keys can be read from one or more files, and then individual hosts can be looked up to verify server keys during SSH negotiation. A `.HostKeys` object can be treated like a dict; any dict lookup is equivalent to calling `lookup`. .. versionadded:: 1.5.3 Nc��C��s ��g�\|�_�\|dur\|��\|��dS�dS�)z� Create a new HostKeys object, optionally loading keys from an OpenSSH style host-key file. :param str filename: filename to load host keys from, or ``None`` N)�_entries�load)�self�filename��r��D/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/hostkeys.py�__init__/��s��zHostKeys.__init__c��C��sH��\|�j�D�]}\|\|jv�r\|j��\|kr\|\|_�dS�q\|�j��t\|g\|��dS�)a.�� Add a host key entry to the table. Any existing entry for a ``(hostname, keytype)`` pair will be replaced. :param str hostname: the hostname (or IP) to add :param str keytype: key type (``"ssh-rsa"`` or ``"ssh-dss"``) :param .PKey key: the key to add N)r�� hostnames�key�get_name�append�HostKeyEntry)r��hostname�keytyper��er��r��r��add;��s�� zHostKeys.addc�� C��s��t�\|d��Z}t\|d�D�]K\}}\|��}t\|�dks\|d�dkr qzt�\|\|�}W�n �ty1��Y�qw�\|durV\|j}\|D�]}\|��\|\|j �rJ\|j� \|��q;t\|j�rV\|�j�\|��qW�d��dS�1�sbw��Y��dS�)a]�� Read a file of known SSH host keys, in the format used by OpenSSH. This type of file unfortunately doesn't exist on Windows, but on posix, it will usually be stored in ``os.path.expanduser("~/.ssh/known_hosts")``. If this method is called multiple times, the host keys are merged, not cleared. So multiple calls to `load` will just call `add`, replacing any existing entries and adding new ones. :param str filename: name of the file to read host keys from :raises: ``IOError`` -- if there was an error reading the file �r��r��#N) �open� enumerate�strip�lenr�� from_liner ��r��checkr��remover��r��)r��r��f�lineno�line�entry� _hostnames�hr��r��r��r��J��s�� "�z HostKeys.loadc��C��sR��t�\|d��}\|�jD�] }\|��}\|r\|�\|��q W�d��dS�1�s"w��Y��dS�)a�� Save host keys into a file, in the format used by OpenSSH. The order of keys in the file will be preserved when possible (if these keys were loaded from a file originally). The single exception is that combined lines will be split into individual key lines, which is arguably a bug. :param str filename: name of the file to write :raises: ``IOError`` -- if there was an error writing the file .. versionadded:: 1.6.1 �wN)r"��r��to_line�write)r��r��r)��r��r+��r��r��r��savej��s�� "�z HostKeys.savec��sV��G��fdd�dt��}g�}\|�jD�] }\|��\|�r\|�\|��qt\|�dkr%dS�\|��\|\|��S�)a�� Find a hostkey entry for a given hostname or IP. If no entry is found, ``None`` is returned. Otherwise a dictionary of keytype to key is returned. The keytype will be either ``"ssh-rsa"`` or ``"ssh-dss"``. :param str hostname: the hostname (or IP) to lookup :return: dict of `str` -> `.PKey` keys associated with this host (or ``None``) c��sH��e�Zd�Zdd��Zdd��Zdd��Zdd��Zd d ��Z��fdd�Zd d��Z dS�)z HostKeys.lookup.<locals>.SubDictc��S��s��\|\|�_�\|\|�_\|\|�_d�S��N)� _hostnamer�� _hostkeys)r��r��entries�hostkeysr��r��r��r��s�� z)HostKeys.lookup.<locals>.SubDict.__init__c��s��\|��D�]}\|V��qd�S�r3��keys�r��kr��r��r��__iter__��z)HostKeys.lookup.<locals>.SubDict.__iter__c��S��t�\|��S�r3��r%��r:��r��r��r��r��__len__��z(HostKeys.lookup.<locals>.SubDict.__len__c��S��s8��t�\|�j�D�]}\|j��\|kr\|�j�\|��d�S�qt\|��r3��)�listr��r��r��r(��KeyError�r��r��r��r��r��r��__delitem__��s��z,HostKeys.lookup.<locals>.SubDict.__delitem__c��S��s,��\|�j�D�]}\|j��\|kr\|j��S�qt\|��r3��)r��r��r��rE��rF��r��r��r��__getitem__��s �� z,HostKeys.lookup.<locals>.SubDict.__getitem__c��s\��\|�j�D�]}\|jd�u�rq\|j��\|kr\|\|_�d�S�qt��g\|�}\|�j��\|��\|�jj��\|��d�S�r3��)r��r��r��r��r��r5��)r��r��valr��r��r��r��__setitem__��s�� z,HostKeys.lookup.<locals>.SubDict.__setitem__c��S��s��dd��\|�j�D��S�)Nc��S��s ��g�\|�]}\|j�d�ur\|j��qS�r3��)r��r��)�.0r��r��r��r�� <listcomp>��s �� z9HostKeys.lookup.<locals>.SubDict.keys.<locals>.<listcomp>�r��rA��r��r��r��r:��s��z%HostKeys.lookup.<locals>.SubDict.keysN) �__name__� __module__�__qualname__r��r=��rB��rG��rH��rK��r:��r��rJ��r��r��SubDict��s��rR��r��N)r��r��_hostname_matchesr��r%��)r��r��rR��r6��r��r��rJ��r��lookup}��s��0 �zHostKeys.lookupc��C��sD��\|j�D�]}\|\|ks\|�d�r\|�d�st\|��\|\|�\|�r�dS�qdS�)zl Tests whether ``hostname`` string matches given SubDict ``entry``. :returns bool: �\|1\|TF)r�� startswithr �� hash_host)r��r��r,��r.��r��r��r��rS��s�� zHostKeys._hostname_matchesc��C��sB��\|��\|�}\|du�rdS�\|�\|��d�}\|du�rdS�\|��\|��kS�)a=�� Return True if the given key is associated with the given hostname in this dictionary. :param str hostname: hostname (or IP) of the SSH server :param .PKey key: the key to check :return: ``True`` if the key is associated with the hostname; else ``False`` NF)rT��getr��asbytes)r��r��r��r<��host_keyr��r��r��r'��s�� zHostKeys.checkc��C��s ��g�\|�_�dS�)z; Remove all host keys from the dictionary. NrN��rA��r��r��r��clear��s�� zHostKeys.clearc��c��r8��r3��r9��r;��r��r��r��r=��r>��zHostKeys.__iter__c��C��r?��r3��r@��rA��r��r��r��rB��rC��zHostKeys.__len__c��C��s��\|��\|�}\|d�u�r t\|��\|S�r3��)rT��rE��)r��r��retr��r��r��rH��s�� zHostKeys.__getitem__c��C��sL��d�}t�\|�j�D�]\}}\|��\|\|�r\|}�nq\|d�u�rt\|��\|�j�\|��d�S�r3��)r#��r��rS��rE��pop)r��r��index�ir,��r��r��r��rG��s��zHostKeys.__delitem__c��C��s��t�\|�dkr\|�j�t\|gd��d�S�\|��D�]+}d}\|�jD�]}\|\|jv�r2\|j��\|kr2\|\|�\|_d}q\|sA\|�j�t\|g\|\|��qd�S�)Nr��FT)r%��r��r��r��r:��r��r��r��)r��r��r,��key_type�foundr��r��r��r��rK��s�� zHostKeys.__setitem__c��C��s2��g�}\|�j�D�]}\|jD�]}\|\|vr\|�\|��q q\|S�r3��)r��r��r��)r��r\��r��r.��r��r��r��r:��s�� z HostKeys.keysc��C��s&��g�}\|��D�] }\|�\|��\|��q\|S�r3��)r:��r��rT��)r��r\��r<��r��r��r��values��s��zHostKeys.valuesc��C��s��\|du�rt��t��j�}n\|�d�r\|�d�d�}tt\|��}t\|�t��jks(J��t \|t\|��t�� }d�tt \|��tt \|��}\|�dd�S�)aM�� Return a "hashed" form of the hostname, as used by OpenSSH when storing hashed hostnames in the known_hosts file. :param str hostname: the hostname to hash :param str salt: optional salt to use when hashing (must be 20 bytes long) :return: the hashed hostname as a `str` NrU��\|��z\|1\|{}\|{}� ��)�os�urandomr��digest_sizerV��splitr��r��r%��r��digest�formatr��r��replace)r��salt�hmac�hostkeyr��r��r��rW��s�� zHostKeys.hash_hostr3��)rO��rP��rQ��__doc__r��r��r��r2��rT��rS��r'��r[��r=��rB��rH��rG��rK��r:��rb��staticmethodrW��r��r��r��r��r��#��s&�� C r��c��@��s��e�Zd�Zdd��ZdS�)�InvalidHostKeyc��C��s��\|\|�_�\|\|�_\|\|f\|�_d�S�r3��)r+��exc�args)r��r+��rt��r��r��r��r��4��s��zInvalidHostKey.__init__N)rO��rP��rQ��r��r��r��r��r��rs��3��s��rs��c��@��s8��e�Zd�ZdZddd�Zeddd��Zdd��Zd d ��ZdS�) r��zJ Representation of a line in an OpenSSH-style "known hosts" file. Nc��C��s"��\|d�uo\|d�u\|�_�\|\|�_\|\|�_d�S�r3��)�validr��r��)r��r��r��r��r��r��r��?��s�� zHostKeyEntry.__init__c�� C��s��t�d�}t�d\|�}t\|�dk�rd}\|�\|�\|\|��dS�\|dd��}\|\}}}\|�d�}ztt\|��} W�n�tj yG�} �zt \|\| ��d} ~ ww�z \|�\|t�\|\| ��W�S��t yd��\|�d�\|��Y�dS�w�)a�� Parses the given line of text to find the names for the host, the type of key, and the key data. The line is expected to be in the format used by the OpenSSH known_hosts file. Fields are separated by a single space or tab. Lines are expected to not have leading or trailing whitespace. We don't bother to check for comments or empty lines. All of that should be taken care of before sending the line to us. :param str line: a line from an OpenSSH known_hosts file zparamiko.hostkeysz \| ��z8Not enough fields found in known_hosts in line {} ({!r})N�,zUnable to handle key of type {})r ��rerj��r%��inforl��r��r��binascii�Errorrs��r��from_type_stringr��)�clsr+��r��log�fields�msg�namesr`��r�� key_bytesr��r��r��r��r&��D��s�� zHostKeyEntry.from_linec��C��s,��\|�j�rd�d�\|�j�\|�j��\|�j��S�dS�)z� Returns a string in OpenSSH known_hosts file format, or None if the object is not in a valid state. A trailing newline is included. z {} {} {} rx��N)rv��rl��joinr��r��r�� get_base64rA��r��r��r��r0��q��s�� zHostKeyEntry.to_linec��C��s��d��\|�j\|�j�S�)Nz<HostKeyEntry {!r}: {!r}>)rl��r��r��rA��r��r��r��__repr__��s��zHostKeyEntry.__repr__)NNr3��) rO��rP��rQ��rq��r��classmethodr&��r0��r��r��r��r��r��r��:��s�� ,r��)�base64r��r��r{��rg��ry��collections.abcr��hashlibr��ro��r�� paramiko.pkeyr��r�� paramiko.utilr ��r ��r��r��paramiko.ssh_exceptionr ��r�� Exceptionrs��r��r��r��r��r��<module>��s��__pycache__/auth_strategy.cpython-310.pyc��0000644��00000024026�15030210772�0014341 0��ustar�00��o ��h�,��@��s��d�Z�ddlmZ�ddlmZ�ddlmZ�ddlmZ�G�dd��d�Z G�d d ��d e �Z G�dd��de �ZG�d d��de �ZG�dd��de�Z G�dd��de�Zedddg�ZG�dd��de�ZG�dd��de�ZG�dd��d�ZdS�)z� Modern, adaptable authentication machinery. Replaces certain parts of `.SSHClient`. For a concrete implementation, see the ``OpenSSHAuthStrategy`` class in `Fabric <https://fabfile.org>`_. ��)� namedtuple��)�AgentKey)� get_logger)�AuthenticationExceptionc��@��s0��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd S�)� AuthSourcez� Some SSH authentication source, such as a password, private key, or agent. See subclasses in this module for concrete implementations. All implementations must accept at least a ``username`` (``str``) kwarg. c��C�� \|\|�_�d�S��N��username)�selfr��r ��I/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/auth_strategy.py�__init__�� zAuthSource.__init__c��K��s0��dd��\|��D��}d�\|�}\|�jj��d\|��d�S�)Nc��S��s��g�\|�]\}}\|��d�\|��qS�)�=r ��)�.0�k�vr ��r ��r�� <listcomp>��s��z$AuthSource._repr.<locals>.<listcomp>z, �(�))�items�join� __class__�__name__)r��kwargs�pairs�joinedr ��r ��r��_repr��s�� zAuthSource._reprc��C��s��\|��S�r ��)r��r��r ��r ��r��__repr__"��s��zAuthSource.__repr__c��C��t��)z) Perform authentication. ��NotImplementedError�r�� transportr ��r ��r��authenticate%��s��zAuthSource.authenticateN)r�� __module__�__qualname__�__doc__r��r��r!��r'��r ��r ��r ��r��r��s��r��c��@��e�Zd�ZdZdd��ZdS�)�NoneAuthzS Auth type "none", ie https://www.rfc-editor.org/rfc/rfc4252#section-5.2 . c��C��s��\|��\|�j�S�r ��)� auth_noner��r%��r ��r ��r��r'��1��s��zNoneAuth.authenticateN�r��r(��r)��r��r'��r ��r ��r ��r��r,��,��s��r,��c��s4��e�Zd�ZdZ��fdd�Z��fdd�Zdd��Z��ZS�)�Passworda�� Password authentication. :param callable password_getter: A lazy callable that should return a `str` password value at authentication time, such as a `functools.partial` wrapping `getpass.getpass`, an API call to a secrets store, or similar. If you already know the password at instantiation time, you should simply use something like ``lambda: "my literal"`` (for a literal, but also, shame on you!) or ``lambda: variable_name`` (for something stored in a variable). c��t��j\|d��\|\|�_d�S��Nr ��)�superr��password_getter)r��r��r3��r��r ��r��r��D��s�� zPassword.__init__c��s��t��j\|�jd�S�)N)�user)r2��r��r��r ��r4��r ��r��r!��H��s��zPassword.__repr__c��C��s��\|��}\|�\|�j\|�S�r ��)r3�� auth_passwordr��)r��r&��passwordr ��r ��r��r'��M��s��zPassword.authenticate)r��r(��r)��r��r��r!��r'�� __classcell__r ��r ��r4��r��r/��5��s ��r/��c��@��r+��)� PrivateKeya�� Essentially a mixin for private keys. Knows how to auth, but leaves key material discovery/loading/decryption to subclasses. Subclasses must ensure that they've set ``self.pkey`` to a decrypted `.PKey` instance before calling ``super().authenticate``; typically either in their ``__init__``, or in an overridden ``authenticate`` prior to its `super` call. c��C��s��\|��\|�j\|�j�S�r ��)�auth_publickeyr��pkeyr%��r ��r ��r��r'��e��s��zPrivateKey.authenticateNr.��r ��r ��r ��r��r9��X��s��r9��c��s,��e�Zd�ZdZ��fdd�Z��fdd�Z��ZS�)�InMemoryPrivateKeyz1 An in-memory, decrypted `.PKey` object. c��r0��r1��)r2��r��r;��)r��r��r;��r4��r ��r��r��n��s�� zInMemoryPrivateKey.__init__c��s(��t��j\|�jd�}t\|�jt�r\|d7�}\|S�)N)r;��z [agent])r2��r��r;�� isinstancer��)r��repr4��r ��r��r!��s��s��zInMemoryPrivateKey.__repr__�r��r(��r)��r��r��r!��r8��r ��r ��r4��r��r<��i��s��r<��c��(��e�Zd�ZdZ��fdd�Zdd��Z��ZS�)�OnDiskPrivateKeya�� Some on-disk private key that needs opening and possibly decrypting. :param str source: String tracking where this key's path was specified; should be one of ``"ssh-config"``, ``"python-config"``, or ``"implicit-home"``. :param Path path: The filesystem path this key was loaded from. :param PKey pkey: The `PKey` object this auth source uses/represents. c��s>��t��j\|d��\|\|�_d}\|\|vrtd\|��\|\|�_\|\|�_d�S�)Nr ��)z ssh-configz python-configz implicit-homez source argument must be one of: )r2��r��source� ValueError�pathr;��)r��r��rB��rD��r;��allowedr4��r ��r��r��s�� zOnDiskPrivateKey.__init__c��C��s��\|�j�\|�j\|�jt\|�j�d�S�)N)�keyrB��rD��)r��r;��rB��strrD��r ��r ��r ��r��r!��s��zOnDiskPrivateKey.__repr__r?��r ��r ��r4��r��rA��\|��s�� rA��SourceResultrB��resultc��r@��)� AuthResulta�� Represents a partial or complete SSH authentication attempt. This class conceptually extends `AuthStrategy` by pairing the former's authentication sources* with the results of trying to authenticate with them. `AuthResult` is a (subclass of) `list` of `namedtuple`, which are of the form ``namedtuple('SourceResult', 'source', 'result')`` (where the ``source`` member is an `AuthSource` and the ``result`` member is either a return value from the relevant `.Transport` method, or an exception object). .. note:: Transport auth method results are always themselves a ``list`` of "next allowable authentication methods". In the simple case of "you just authenticated successfully", it's an empty list; if your auth was rejected but you're allowed to try again, it will be a list of string method names like ``pubkey`` or ``password``. The ``__str__`` of this class represents the empty-list scenario as the word ``success``, which should make reading the result of an authentication session more obvious to humans. Instances also have a `strategy` attribute referencing the `AuthStrategy` which was attempted. c��s��\|\|�_�t��j\|i�\|��d�S�r ��)�strategyr2��r��)r��rK��argsr��r4��r ��r��r��s��zAuthResult.__init__c��C��s��d��dd��\|�D��S�)N� c��s��s&��\|�]}\|j��d�\|jpd��V��qdS�)z -> �successN)rB��rI��)r��xr ��r ��r�� <genexpr>��s�� z%AuthResult.__str__.<locals>.<genexpr>)r��r ��r ��r ��r��__str__��s�� zAuthResult.__str__)r��r(��r)��r��r��rQ��r8��r ��r ��r4��r��rJ��s��rJ��c��@��s ��e�Zd�ZdZdd��Zdd��ZdS�)�AuthFailurea�� Basic exception wrapping an `AuthResult` indicating overall auth failure. Note that `AuthFailure` descends from `AuthenticationException` but is generally "higher level"; the latter is now only raised by individual `AuthSource` attempts and should typically only be seen by users when encapsulated in this class. It subclasses `AuthenticationException` primarily for backwards compatibility reasons. c��C��r��r ��rI��)r��rI��r ��r ��r��r��r��zAuthFailure.__init__c��C��s��dt�\|�j��S�)NrM��)rG��rI��r ��r ��r ��r��rQ��s��zAuthFailure.__str__N)r��r(��r)��r��r��rQ��r ��r ��r ��r��rR��s�� rR��c��@��s(��e�Zd�ZdZdd��Zdd��Zdd��ZdS�) �AuthStrategya�� This class represents one or more attempts to auth with an SSH server. By default, subclasses must at least accept an ``ssh_config`` (`.SSHConfig`) keyword argument, but may opt to accept more as needed for their particular strategy. c��C��s��\|\|�_�tt�\|�_d�S�r ��)� ssh_configr��r��log)r��rU��r ��r ��r��r��s��zAuthStrategy.__init__c��C��r"��)a[�� Generator yielding `AuthSource` instances, in the order to try. This is the primary override point for subclasses: you figure out what sources you need, and ``yield`` them. Subclasses _of_ subclasses may find themselves wanting to do things like filtering or discarding around a call to `super`. r#��r ��r ��r ��r��get_sources��s�� zAuthStrategy.get_sourcesc��C��s��d}t�\|�d�}\|��D�]E}\|�j�d\|��z \|�\|�}d}W�n$�tyC�}�z\|}\|jj}\|�j�d\|��d\|��W�Y�d}~nd}~ww�\|� t \|\|��\|rP�nq\|sXt\|d��\|S�) z� Handles attempting `AuthSource` instances yielded from `get_sources`. You normally won't need to override this, but it's an option for advanced users. F)rK��zTrying TzAuthentication via z failed with NrS��)rJ��rW��rV��debugr'�� Exceptionr��r��info�appendrH��rR��)r��r&�� succeeded�overall_resultrB��rI��e�source_classr ��r ��r��r'��s,�� zAuthStrategy.authenticateN)r��r(��r)��r��r��rW��r'��r ��r ��r ��r��rT��s ��rT��N)r��collectionsr��agentr��utilr�� ssh_exceptionr��r��r,��r/��r9��r<��rA��rH��listrJ��rR��rT��r ��r ��r ��r��<module>��s�� #!.��__pycache__/sftp_si.cpython-310.pyc��0000644��00000031034�15030210772�0013122 0��ustar�00��o ��h�1��@��s2��d�Z�ddlZddlZddlmZ�G�dd��d�ZdS�)z3 An interface to override for SFTP server support. ��N��SFTP_OP_UNSUPPORTEDc��s��e�Zd�ZdZ��fdd�Zdd��Zdd��Zdd ��Zd d��Zdd ��Z dd��Z dd��Zdd��Zdd��Z dd��Zdd��Zdd��Zdd��Zdd��Zd d!��Z��ZS�)"�SFTPServerInterfacea�� This class defines an interface for controlling the behavior of paramiko when using the `.SFTPServer` subsystem to provide an SFTP server. Methods on this class are called from the SFTP session's thread, so you can block as long as necessary without affecting other sessions (even other SFTP sessions). However, raising an exception will usually cause the SFTP session to abruptly end, so you will usually want to catch exceptions and return an appropriate error code. All paths are in string form instead of unicode because not all SFTP clients & servers obey the requirement that paths be encoded in UTF-8. c��s��t��j\|i�\|��dS�)a�� Create a new SFTPServerInterface object. This method does nothing by default and is meant to be overridden by subclasses. :param .ServerInterface server: the server object associated with this channel and SFTP subsystem N)�super�__init__)�self�server�args�kwargs�� __class__��C/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/sftp_si.pyr��+��s��zSFTPServerInterface.__init__c��C��dS�)z� The SFTP server session has just started. This method is meant to be overridden to perform any necessary setup before handling callbacks from SFTP operations. Nr ��r��r ��r ��r��session_started5��s��z#SFTPServerInterface.session_startedc��C��r��)z� The SFTP server session has just ended, either cleanly or via an exception. This method is meant to be overridden to perform any necessary cleanup before this `.SFTPServerInterface` object is destroyed. Nr ��r��r ��r ��r�� session_ended=��s��z!SFTPServerInterface.session_endedc��C��t�S�)a�� Open a file on the server and create a handle for future operations on that file. On success, a new object subclassed from `.SFTPHandle` should be returned. This handle will be used for future operations on the file (read, write, etc). On failure, an error code such as ``SFTP_PERMISSION_DENIED`` should be returned. ``flags`` contains the requested mode for opening (read-only, write-append, etc) as a bitset of flags from the ``os`` module: - ``os.O_RDONLY`` - ``os.O_WRONLY`` - ``os.O_RDWR`` - ``os.O_APPEND`` - ``os.O_CREAT`` - ``os.O_TRUNC`` - ``os.O_EXCL`` (One of ``os.O_RDONLY``, ``os.O_WRONLY``, or ``os.O_RDWR`` will always be set.) The ``attr`` object contains requested attributes of the file if it has to be created. Some or all attribute fields may be missing if the client didn't specify them. .. note:: The SFTP protocol defines all files to be in "binary" mode. There is no equivalent to Python's "text" mode. :param str path: the requested path (relative or absolute) of the file to be opened. :param int flags: flags or'd together from the ``os`` module indicating the requested mode for opening the file. :param .SFTPAttributes attr: requested attributes of the file if it is newly created. :return: a new `.SFTPHandle` or error code. r��)r��path�flags�attrr ��r ��r��openF��s��&zSFTPServerInterface.openc��C��r��)ab�� Return a list of files within a given folder. The ``path`` will use posix notation (``"/"`` separates folder names) and may be an absolute or relative path. The list of files is expected to be a list of `.SFTPAttributes` objects, which are similar in structure to the objects returned by ``os.stat``. In addition, each object should have its ``filename`` field filled in, since this is important to a directory listing and not normally present in ``os.stat`` results. The method `.SFTPAttributes.from_stat` will usually do what you want. In case of an error, you should return one of the ``SFTP_`` error codes, such as ``SFTP_PERMISSION_DENIED``. :param str path: the requested path (relative or absolute) to be listed. :return: a list of the files in the given folder, using `.SFTPAttributes` objects. .. note:: You should normalize the given ``path`` first (see the `os.path` module) and check appropriate permissions before returning the list of files. Be careful of malicious clients attempting to use relative paths to escape restricted folders, if you're doing a direct translation from the SFTP server path to your local filesystem. r��r��r��r ��r ��r��list_foldern��s��zSFTPServerInterface.list_folderc��C��r��)a�� Return an `.SFTPAttributes` object for a path on the server, or an error code. If your server supports symbolic links (also known as "aliases"), you should follow them. (`lstat` is the corresponding call that doesn't follow symlinks/aliases.) :param str path: the requested path (relative or absolute) to fetch file statistics for. :return: an `.SFTPAttributes` object for the given file, or an SFTP error code (like ``SFTP_PERMISSION_DENIED``). r��r��r ��r ��r��stat��s��zSFTPServerInterface.statc��C��r��)a�� Return an `.SFTPAttributes` object for a path on the server, or an error code. If your server supports symbolic links (also known as "aliases"), you should not follow them -- instead, you should return data on the symlink or alias itself. (`stat` is the corresponding call that follows symlinks/aliases.) :param str path: the requested path (relative or absolute) to fetch file statistics for. :type path: str :return: an `.SFTPAttributes` object for the given file, or an SFTP error code (like ``SFTP_PERMISSION_DENIED``). r��r��r ��r ��r��lstat��s��zSFTPServerInterface.lstatc��C��r��)z� Delete a file, if possible. :param str path: the requested path (relative or absolute) of the file to delete. :return: an SFTP error code `int` like ``SFTP_OK``. r��r��r ��r ��r��remove��s��zSFTPServerInterface.removec��C��r��)a�� Rename (or move) a file. The SFTP specification implies that this method can be used to move an existing file into a different folder, and since there's no other (easy) way to move files via SFTP, it's probably a good idea to implement "move" in this method too, even for files that cross disk partition boundaries, if at all possible. .. note:: You should return an error if a file with the same name as ``newpath`` already exists. (The rename operation should be non-desctructive.) .. note:: This method implements 'standard' SFTP ``RENAME`` behavior; those seeking the OpenSSH "POSIX rename" extension behavior should use `posix_rename`. :param str oldpath: the requested path (relative or absolute) of the existing file. :param str newpath: the requested new path of the file. :return: an SFTP error code `int` like ``SFTP_OK``. r��r��oldpath�newpathr ��r ��r��rename��s��zSFTPServerInterface.renamec��C��r��)a�� Rename (or move) a file, following posix conventions. If newpath already exists, it will be overwritten. :param str oldpath: the requested path (relative or absolute) of the existing file. :param str newpath: the requested new path of the file. :return: an SFTP error code `int` like ``SFTP_OK``. :versionadded: 2.2 r��r��r ��r ��r��posix_rename��z SFTPServerInterface.posix_renamec��C��r��)a}�� Create a new directory with the given attributes. The ``attr`` object may be considered a "hint" and ignored. The ``attr`` object will contain only those fields provided by the client in its request, so you should use ``hasattr`` to check for the presence of fields before using them. In some cases, the ``attr`` object may be completely empty. :param str path: requested path (relative or absolute) of the new folder. :param .SFTPAttributes attr: requested attributes of the new folder. :return: an SFTP error code `int` like ``SFTP_OK``. r��r��r��r��r ��r ��r��mkdir��s��zSFTPServerInterface.mkdirc��C��r��)aL�� Remove a directory if it exists. The ``path`` should refer to an existing, empty folder -- otherwise this method should return an error. :param str path: requested path (relative or absolute) of the folder to remove. :return: an SFTP error code `int` like ``SFTP_OK``. r��r��r ��r ��r��rmdir��s�� zSFTPServerInterface.rmdirc��C��r��)a�� Change the attributes of a file. The ``attr`` object will contain only those fields provided by the client in its request, so you should check for the presence of fields before using them. :param str path: requested path (relative or absolute) of the file to change. :param attr: requested attributes to change on the file (an `.SFTPAttributes` object) :return: an error code `int` like ``SFTP_OK``. r��r#��r ��r ��r��chattr��s�� zSFTPServerInterface.chattrc��C��sD��t�j�\|�r t�j�\|�}nt�j�d\|��}tjdkr \|�dd�}\|S�)ac�� Return the canonical form of a path on the server. For example, if the server's home folder is ``/home/foo``, the path ``"../betty"`` would be canonicalized to ``"/home/betty"``. Note the obvious security issues: if you're serving files only from a specific folder, you probably don't want this method to reveal path names outside that folder. You may find the Python methods in ``os.path`` useful, especially ``os.path.normpath`` and ``os.path.realpath``. The default implementation returns ``os.path.normpath('/' + path)``. �/�win32�\)�osr��isabs�normpath�sys�platform�replace)r��r��outr ��r ��r��canonicalize��s�� z SFTPServerInterface.canonicalizec��C��r��)a�� Return the target of a symbolic link (or shortcut) on the server. If the specified path doesn't refer to a symbolic link, an error should be returned. :param str path: path (relative or absolute) of the symbolic link. :return: the target `str` path of the symbolic link, or an error code like ``SFTP_NO_SUCH_FILE``. r��r��r ��r ��r��readlink#��s��zSFTPServerInterface.readlinkc��C��r��)a�� Create a symbolic link on the server, as new pathname ``path``, with ``target_path`` as the target of the link. :param str target_path: path (relative or absolute) of the target for this new symbolic link. :param str path: path (relative or absolute) of the symbolic link to create. :return: an error code `int` like ``SFTP_OK``. r��)r��target_pathr��r ��r ��r��symlink0��r"��zSFTPServerInterface.symlink)�__name__� __module__�__qualname__�__doc__r��r��r��r��r��r��r��r��r ��r!��r$��r%��r&��r1��r2��r4�� __classcell__r ��r ��r��r��r��s$�� ( r��)r8��r��r-�� paramiko.sftpr��r��r ��r ��r ��r��<module>��s ��__pycache__/config.cpython-310.pyc��0000644��00000042606�15030210772�0012727 0��ustar�00��o ��h�j�� @��s��d�Z�ddlZddlZddlZddlZddlZddlZddlmZ�ddl m Z �ddlmZ�d\Z Zzddl Z W�n�eyJ�Z�zeZW�Y�dZ[ndZ[ww�ddlmZmZ�d ZG�d d��d�Zdd ��ZG�dd��d�ZG�dd��de�ZdS�)z2 Configuration file (aka ``ssh_config``) support. ��N)�sha1)�StringIO)�partial)NN��)�CouldNotCanonicalize�ConfigParseError��c��@��s��e�Zd�ZdZe�d�Zg�d�dgg�d�g�d�g�d�g�d�d �Zd d��Ze dd ��Z e dd��Ze dd��Zdd��Z dd��Zd.dd�Zdd��Zdd��Zdd��Zd d!��Zd"d#��Zd$d%��Zd&d'��Zd(d)��Zdd+��Zd,d-��ZdS�)/� SSHConfiga�� Representation of config information as stored in the format used by OpenSSH. Queries can be made via `lookup`. The format is described in OpenSSH's ``ssh_config`` man page. This class is provided primarily as a convenience to posix users (since the OpenSSH format is a de-facto standard on posix) but should work fine on Windows too. .. versionadded:: 1.6 z(\w+)(?:\s=\s\|\s+)(.+))�%C�%h�%l�%L�%n�%p�%r�%ur��)r ��~�%dr��r��r��r��)r��r��r��r��)r��r��r��) r ��r��r��r ��r��r��r��r��r��)�controlpath�hostname�identityfile�proxycommand� proxyjump� match-execc��C��s ��g�\|�_�dS�)a�� Create a new OpenSSH config object. Note: the newer alternate constructors `from_path`, `from_file` and `from_text` are simpler to use, as they parse on instantiation. For example, instead of:: config = SSHConfig() config.parse(open("some-path.config") you could:: config = SSHConfig.from_file(open("some-path.config")) # Or more directly: config = SSHConfig.from_path("some-path.config") # Or if you have arbitrary ssh_config text from some other source: config = SSHConfig.from_text("Host foo\n\tUser bar") N)�_config)�self��r��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/config.py�__init__H��s�� zSSHConfig.__init__c��C��s��\|��t\|��S�)zg Create a new, parsed `SSHConfig` from ``text`` string. .. versionadded:: 2.7 )� from_filer��)�cls�textr��r��r�� from_text]��s��zSSHConfig.from_textc��C��s6��t�\|�� }\|��\|�W��d��S�1�sw��Y��dS�)zr Create a new, parsed `SSHConfig` from the file found at ``path``. .. versionadded:: 2.7 N)�openr��)r ��path�flor��r��r�� from_pathf��s�� $�zSSHConfig.from_pathc��C��s��\|��}\|��\|��\|S�)zp Create a new, parsed `SSHConfig` from file-like object ``flo``. .. versionadded:: 2.7 )�parse)r ��r%��objr��r��r��r��p��s�� zSSHConfig.from_filec��C��sL��dgi�d�}\|D�]�}\|��}\|r\|�d�rqt�\|�j\|�}\|s&td�\|��\|�d��}\|�d�}\|dv�rT\|�j � \|��di�i}\|d krL\|��\|�\|d <�q\|��\|�\|d <�q\|dkre\|��dkred \|d�\|<�q\|�d�ru\|� d�ru\|dd��}\|dv�r�\|\|d�v�r�\|d�\|�� \|��q\|g\|d�\|<�q\|\|d�vr�\|\|d�\|<�q\|�j � \|��d S�)z� Read an OpenSSH config from the given file object. :param file_obj: a file-like object to read the config file from �)�host�config�#zUnparsable line {}r��)r��matchr+��r��matchesr��noneN�"��)r��localforward� remoteforward)�strip� startswith�rer.��SETTINGS_REGEXr��format�group�lowerr��append� _get_hosts�_get_matches�endswith)r��file_obj�context�liner.��key�valuer��r��r��r'��{��s8�� zSSHConfig.parsec��C��s��\|�j�\|d�}d\|vr\|\|d<�\|�dd�dv�}t\|�dd��}\|rC\|�d�\|krC\|d ��}\|��\|\|\|�}\|\|d<�\|�j�\|\|d d d�}\|S�\|�j�\|\|dd d�}\|S�) a �� Return a dict (`SSHConfigDict`) of config options for a given hostname. The host-matching rules of OpenSSH's ``ssh_config`` man page are used: For each parameter, the first obtained value will be used. The configuration files contain sections separated by ``Host`` and/or ``Match`` specifications, and that section is only applied for hosts which match the given patterns or keywords Since the first obtained value for each parameter is used, more host- specific declarations should be given near the beginning of the file, and general defaults at the end. The keys in the returned dict are all normalized to lowercase (look for ``"port"``, not ``"Port"``. The values are processed according to the rules for substitution variable expansion in ``ssh_config``. Finally, please see the docs for `SSHConfigDict` for deeper info on features such as optional type conversion methods, e.g.:: conf = my_config.lookup('myhost') assert conf['passwordauthentication'] == 'yes' assert conf.as_bool('passwordauthentication') is True .. note:: If there is no explicitly configured ``HostName`` value, it will be set to the being-looked-up hostname, which is as close as we can get to OpenSSH's behavior around that particular option. :param str hostname: the hostname to lookup .. versionchanged:: 2.5 Returns `SSHConfigDict` objects instead of dict literals. .. versionchanged:: 2.7 Added canonicalization support. .. versionchanged:: 2.7 Added ``Match`` support. .. versionchanged:: 3.3 Added ``Match final`` support. )r��r��canonicalizehostnameN)�yes�always�canonicalizemaxdotsr��.�canonicaldomainsT)� canonical�finalF)�_lookup�get�int�count�split�canonicalize)r��r��options�canon�maxdots�domainsr��r��r��lookup��s"����zSSHConfig.lookupNFc��s��d�u�rt��\|�jD�]K}\|��\|�dg��\|�s$\|��\|�dg��\|\|\|��s$q \|d��D�]\��}��vrA\|d�ur<\|d�d��n\|��<�q��dkrT��fdd�\|D��qq \|r^\|��\|��S�)Nr��r/��r+��r��c��3��s ��\|�]}\|��vr\|V��qd�S��Nr��.0�x�rC��rS��r��r�� <genexpr>��s��z$SSHConfig._lookup.<locals>.<genexpr>)� SSHConfigDictr��_pattern_matchesrN��_does_match�items�extend�_expand_variables)r��r��rS��rK��rL��rA��rD��r��r\��r��rM��s4�� zSSHConfig._lookupc�� C��s��d}\|D�].}d��\|\|�}t\|\|�}\|dur\|d�}nzt�\|�}W�n �tjy+��Y�nw�\|r2\|��S�q\|�dd�dkr=\|S�t\|��)ag�� Return canonicalized version of ``hostname``. :param str hostname: Target hostname. :param options: An `SSHConfigDict` from a previous lookup pass. :param domains: List of domains (e.g. ``["paramiko.org"]``). :returns: A canonicalized hostname if one was found, else ``None``. .. versionadded:: 2.7 Fz{}.{}Nr��canonicalizefallbacklocalrF��)r9��_addressfamily_host_lookup�socket� gethostbyname�gaierrorrN��r��)r��r��rS��rV��found�domain� candidate�family_specificr��r��r��rR��s"�� zSSHConfig.canonicalizec��C��s$��t��}\|�jD�] }\|�\|d��q\|S�)z� Return the set of literal hostnames defined in the SSH config (both explicit hostnames and wildcard entries). r��)�setr��update)r��hosts�entryr��r��r�� get_hostnamesE��s�� zSSHConfig.get_hostnamesc��C��sZ��t�\|d�r \|�d�}d}\|D�]}\|�d�r"t�\|\|dd��r"�dS�t�\|\|�rd}q\|S�)NrQ��,F�!r��T)�hasattrrQ��r6��fnmatch)r��patterns�targetr.��patternr��r��r��r_��O��s�� zSSHConfig._pattern_matchesc��C��sN��g�}\|d�d��}t��}\|r�\|�d�} d�} \|�dd��}\|�dd��}\| d�\| d�} }\| dkr6\|��\|\| �r6dS�\| dkr=\|} nU\| d krCd S�\| dkrR\|pJ\|}\|��\|\|�} n@\| dkr]\|��\|\|�} n5\| dkrl\|pd\|}\|��\|\|�} n&\| d krw\|��\|\|�} n\| dkr�\|��\|\|d\|�}td�u�r�t�tj \|dd d�j } \| d�ur�\|��\| \| �r�dS�\|�\| ��\|s\|S�)Nr��r��user�type�paramrK��FrL��allTr��originalhost� localuser�execr��stdout)�hide�warn)�getpass�getuser�poprN��_should_failr_�� _tokenize�invoke�invoke_import_error�run�okr<��)r�� match_list�target_hostnamerK��rL��rS��matched� candidates�local_usernamerk��passed�configured_host�configured_user�type_r{��hostvalry��exec_cmdr��r��r��r`��`��sL�� 0zSSHConfig._does_matchc��C��s��\|d�r\|S�\|�S�)N�negater��)r�� would_passrk��r��r��r��r��s��zSSHConfig._should_failc��C��s��\|��\|�}\|s \|S�\|}\|dkr\|�d\|�}d\|v�r\|d�}nt}t��}d\|v�r-\|d�} n\|} t��d�d�} t\|\| �}t j �d�}\| \|�t\|��\| �} t \| ��\|\|\| \|\|\|\| \|\|d� }\|}\|��D�]\}}\|\|vroqf\|�\|t\|��}qf\|S�)a�� Tokenize a string based on current config/hostname data. :param config: Current config data. :param target_hostname: Original target connection hostname. :param key: Config key being tokenized (used to filter token list). :param value: Config value being tokenized. :returns: The tokenized version of the input ``value`` string. r��portry��rI��r��r��) r ��r��r��r ��r��r��r��r��r��r��)�_allowed_tokensrN��SSH_PORTr��r��rf��gethostnamerQ��LazyFqdn�osr$�� expanduser�reprr��encode� hexdigestra��replace�str)r��r+��r��rC��rD��allowed_tokens�configured_hostnamer��ry�� remoteuser�local_hostname� local_fqdn�homedir�tohash�replacements� tokenized�findr��r��r��r��r��sD�� zSSHConfig._tokenizec��C��s��\|�j��\|g��S�)aJ�� Given config ``key``, return list of token strings to tokenize. .. note:: This feels like it wants to eventually go away, but is used to preserve as-strict-as-possible compatibility with OpenSSH, which for whatever reason only applies some tokens to some config keys. )�TOKENS_BY_CONFIG_KEYrN��r��rC��r��r��r��r��s�� zSSHConfig._allowed_tokensc��C��sr��\|D�]4}\|\|�du�rqt�\|�j\|\|\|�}t\|\|�t�r.t\|\|��D�]\}}\|\|�\|\|�\|<�q q\|\|\|��\|\|<�q\|S�)aA�� Return a dict of config options with expanded substitutions for a given original & current target hostname. Please refer to :doc:`/api/config` for details. :param dict config: the currently parsed config :param str hostname: the hostname whose config is being looked up N)r��r�� isinstance�list� enumerate)r��r+��r��k� tokenizer�irD��r��r��r��rc��s�� zSSHConfig._expand_variablesc��C��s��zt��\|�W�S��ty��td�\|��w�)z> Return a list of host_names from host value. zUnparsable host {})�shlexrQ�� ValueErrorr��r9��)r��r��r��r��r��r=��s ��zSSHConfig._get_hostsc�� s��g�}t��\|�}\|rHdddd�}\|�d�}\|�d�r#d\|d<�\|dd��}\|\|d <�\|d v�r1\|�\|��q\|s:td�\|��\|�d�\|d<�\|�\|��\|s d d��\|D��}d\|v�r�d��tt��fdd�\|��tt��fdd�\|��}}d}t \|�rud}nd\|v�r�\|� d�\|� d�kr�d}\|dur�t\|��\|S�)z� Parse a specific Match config line into a list-of-dicts for its values. Performs some parse-time validation as well. NF)rz��r{��r��r��rs��Tr��r��rz��)r\|��rK��rL��z'Missing parameter to Match '{}' keywordr{��c��S��s��g�\|�]}\|d��qS�)rz��r��rY��r��r��r�� <listcomp>��s��zSSHConfig._get_matches.<locals>.<listcomp>r\|��)r\|��rK��c��s��\|��v�S�rX��r��r[�� allowabler��r��<lambda>"��z(SSHConfig._get_matches.<locals>.<lambda>c��s��\|��vS�rX��r��r��r��r��r��r��#��r��z>Match does not allow 'all' mixed with anything but 'canonical'rK��z-Match does not allow 'all' before 'canonical')r��rQ��r��r6��r<��r��r9��r��filter�any�index) r��r.��r/��tokensr��keywordsr��bad�errr��r��r��r>��sB�� zSSHConfig._get_matches)NFF)�__name__� __module__�__qualname__�__doc__r7��compiler8��r��r��classmethodr"��r&��r��r'��rW��rM��rR��rq��r_��r`��r��r��r��rc��r=��r>��r��r��r��r��r ��.��s<�� < B#) 8> r ��c��C��sd��\|��dd��}\|dkrdS�ztj}\|dkrtj}t�\|�d\|tjtjtj�W�S��tj y1��Y�dS�w�)a�� Try looking up ``hostname`` in an IPv4 or IPv6 specific manner. This is an odd duck due to needing use in two divergent use cases. It looks up ``AddressFamily`` in ``options`` and if it is ``inet`` or ``inet6``, this function uses `socket.getaddrinfo` to perform a family-specific lookup, returning the result if successful. In any other situation -- lookup failure, or ``AddressFamily`` being unspecified or ``any`` -- ``None`` is returned instead and the caller is expected to do something situation-appropriate like calling `socket.gethostbyname`. :param str hostname: Hostname to look up. :param options: `SSHConfigDict` instance w/ parsed options. :returns: ``getaddrinfo``-style tuples, or ``None``, depending. � addressfamilyr��N�inet) rN��r;��rf��AF_INET6�AF_INET�getaddrinfo� SOCK_DGRAM� IPPROTO_IP�AI_CANONNAMErh��)r��rS��address_family�familyr��r��r��re��/��s$��re��c��@��s"��e�Zd�ZdZddd�Zdd��ZdS�)r��z7 Returns the host's fqdn on request as string. Nc��C��s��d�\|�_�\|\|�_\|\|�_d�S�rX��)�fqdnr+��r��)r��r+��r��r��r��r��r��Y��s�� zLazyFqdn.__init__c�� C��sl��\|�j�d�u�r3d�}t\|�j\|�j�}\|d�ur(\|D�]}\|\}}}}}\|r'd\|v�r'\|}�nq\|d�u�r0t��}\|\|�_�\|�j�S�)NrI��)r��re��r��r+��rf��getfqdn) r��r��results�res�af�socktype�proto� canonname�sar��r��r��__str__^��s�� zLazyFqdn.__str__rX��)r��r��r��r��r��r��r��r��r��r��r��T��s�� r��c��@��s ��e�Zd�ZdZdd��Zdd��ZdS�)r^��a�� A dictionary wrapper/subclass for per-host configuration structures. This class introduces some usage niceties for consumers of `SSHConfig`, specifically around the issue of variable type conversions: normal value access yields strings, but there are now methods such as `as_bool` and `as_int` that yield casted values instead. For example, given the following ``ssh_config`` file snippet:: Host foo.example.com PasswordAuthentication no Compression yes ServerAliveInterval 60 the following code highlights how you can access the raw strings as well as usefully Python type-casted versions (recalling that keys are all normalized to lowercase first):: my_config = SSHConfig() my_config.parse(open('~/.ssh/config')) conf = my_config.lookup('foo.example.com') assert conf['passwordauthentication'] == 'no' assert conf.as_bool('passwordauthentication') is False assert conf['compression'] == 'yes' assert conf.as_bool('compression') is True assert conf['serveraliveinterval'] == '60' assert conf.as_int('serveraliveinterval') == 60 .. versionadded:: 2.5 c��C��s"��\|�\|�}t�\|t�r\|S�\|��dkS�)a�� Express given key's value as a boolean type. Typically, this is used for ``ssh_config``'s pseudo-boolean values which are either ``"yes"`` or ``"no"``. In such cases, ``"yes"`` yields ``True`` and any other value becomes ``False``. .. note:: If (for whatever reason) the stored value is already boolean in nature, it's simply returned. .. versionadded:: 2.5 rF��)r��boolr;��)r��rC��valr��r��r��as_bool��s�� zSSHConfigDict.as_boolc��C��s��t�\|�\|��S�)z� Express given key's value as an integer, if possible. This method will raise ``ValueError`` or similar if the value is not int-appropriate, same as the builtin `int` type. .. versionadded:: 2.5 )rO��r��r��r��r��as_int��s�� zSSHConfigDict.as_intN)r��r��r��r��r��r��r��r��r��r��r^��z��s��!r^��)r��ru��r��r��r7��r��rf��hashlibr��ior�� functoolsr��r��r��ImportError�e� ssh_exceptionr��r��r��r ��re��r��dictr^��r��r��r��r��<module>��s6��%&��__pycache__/sftp.cpython-310.pyc��0000644��00000011217�15030210772�0012430 0��ustar�00��o ��hG��@��s��d�dl�Z�d�dlZd�dlZd�dlmZ�d�dlmZmZmZ�d�dl m Z �edd�\ZZ ZZZZZZZZZZZZZZZZZZedd�\Z Z!Z"Z#Z$ed d �\Z%Z&d�Z'edd�\Z(Z)ZZ+Z,Z-Z.Z/g�d�Z0dZ1d Z2dZ3dZ4dZ5dZ6dZ7i�ed�e d�ed�ed�ed�ed�ed�ed�ed�ed�ed�ed�ed�ed �ed!�ed"�ed#�ed$ed%ed&e d'e!d(e"d)e#de$d+e%d,e&d-i �Z8G�d.d/��d/e9�Z:G�d0d1��d1e;�Z<G�d2d3��d3�Z=dS�)4��N)�util)�DEBUG�byte_chr�byte_ord)�Message��e��j�� ) �SuccesszEnd of filezNo such filezPermission denied�FailurezBad messagez No connectionzConnection lostzOperation unsupported�� init�version�open�close�read�write�lstat�fstat�setstat�fsetstat�opendir�readdir�remove�mkdir�rmdir�realpath�stat�rename�readlink�symlink�status�handle�data�name�attrs�extended�extended_replyc��@��e�Zd�ZdS�)�int64N��__name__� __module__�__qualname__��r7��r7��@/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/sftp.pyr2��}��r2��c��@��r1��)� SFTPErrorNr3��r7��r7��r7��r8��r:��r9��r:��c��@��sL��e�Zd�Zdd��Zdd��Zdd��Zdd��Zd d ��Zdd��Zd d��Z dd��Z dS�)�BaseSFTPc��C��s��t��d�\|�_d�\|�_d\|�_d�S�)Nz paramiko.sftpF)r�� get_logger�logger�sock�ultra_debug)�selfr7��r7��r8��__init__��s�� zBaseSFTP.__init__c��C��sT��t��}\|�t��\|��t\|��\|��\}}\|tkrtd��t� d\|d�d��d�}\|S�)N�Incompatible sftp protocol�>Ir��r��) r��add_int�_VERSION�_send_packet�CMD_INIT�_read_packet�CMD_VERSIONr:��struct�unpack)r@��m�tr,��r��r7��r7��r8�� _send_version��s�� zBaseSFTP._send_versionc��C��sf��\|��\}}\|tkrtd��t�d\|d�d��d�}ddg}t��}\|�t��\|j\|��\|�� t \|��\|S�)NrB��rC��r��r��z check-filezmd5,sha1)rH��rG��r:��rJ��rK��r��rD��rE��addrF��rI��)r@��rM��r,��r��extension_pairs�msgr7��r7��r8��_send_server_version��s�� zBaseSFTP._send_server_versionc��G��s��\|�j�j\|\|g\|�R��d�S�)N)r=��log)r@��levelrQ��argsr7��r7��r8��_log��s��z BaseSFTP._logc��C��sR��t�\|�dkr'\|�j�\|�}\|dkrt��\|t�\|�krd�S�\|\|d��}t�\|�dksd�S�)Nr��)�lenr>��send�EOFError)r@��out�nr7��r7��r8�� _write_all��s��zBaseSFTP._write_allc��C��s��t��}\|dkrHt\|�jtj�r+ �t�\|�jgg�g�d�\}}}t\|�dkr)\|�j�\|�}nqn\|�j�\|�}t\|�dkr:t��\|\|7�}\|t\|�8�}\|dks\|S�)Nr��Tg��?)�bytes� isinstancer>��socket�selectrW��recvrY��)r@��r[��rZ��r��r��err�xr7��r7��r8�� _read_all��s"��zBaseSFTP._read_allc��C��sP��\|��}t�dt\|�d��t\|��\|�}\|�jr!\|��tt� \|d��\|�� \|��d�S�)NrC��r��zOUT: )�asbytesrJ��packrW��r��r?��rV��r��r�� format_binaryr\��)r@��rM��packetrZ��r7��r7��r8��rF��s �� zBaseSFTP._send_packetc��C��s��\|��d�}t\|d��rtd��t�d\|�d�}\|��\|�}\|�jr)\|��tt� \|d��\|dkr;t\|d��}\|\|dd��fS�dt ��fS�)Nr��r��zGarbage packet receivedrC��zIN: r��)rd��r��r:��rJ��rK��r?��rV��r��r��rg��r]��)r@��rc��sizer,��rM��r7��r7��r8��rH��s�� zBaseSFTP._read_packetN)r4��r5��r6��rA��rN��rR��rV��r\��rd��rF��rH��r7��r7��r7��r8��r;��s�� r;��)>r`��r_��rJ��paramikor��paramiko.commonr��r��r��paramiko.messager��rangerG��rI��CMD_OPEN� CMD_CLOSE�CMD_READ� CMD_WRITE� CMD_LSTAT� CMD_FSTAT�CMD_SETSTAT�CMD_FSETSTAT�CMD_OPENDIR�CMD_READDIR� CMD_REMOVE� CMD_MKDIR� CMD_RMDIR�CMD_REALPATH�CMD_STAT� CMD_RENAME�CMD_READLINK�CMD_SYMLINK� CMD_STATUS� CMD_HANDLE�CMD_DATA�CMD_NAME� CMD_ATTRS�CMD_EXTENDED�CMD_EXTENDED_REPLY�SFTP_OK�SFTP_EOF�SFTP_NO_SUCH_FILE�SFTP_PERMISSION_DENIED�SFTP_FAILURE�SFTP_BAD_MESSAGE�SFTP_NO_CONNECTION�SFTP_CONNECTION_LOST�SFTP_OP_UNSUPPORTED� SFTP_DESC�SFTP_FLAG_READ�SFTP_FLAG_WRITE�SFTP_FLAG_APPEND�SFTP_FLAG_CREATE�SFTP_FLAG_TRUNC�SFTP_FLAG_EXCLrE�� CMD_NAMES�intr2�� Exceptionr:��r;��r7��r7��r7��r8��<module>��s�� %��__pycache__/sftp_attr.cpython-310.pyc��0000644��00000013116�15030210772�0013462 0��ustar�00��o ��hB ��@��s:��d�dl�Z�d�dlZd�dlmZmZmZmZ�G�dd��d�ZdS�)��N)� x80000000�o700�o70� xffffffffc��@��s��e�Zd�ZdZdZdZdZdZeZ dd��Z edd d ��Zdd��Z edd d��Zdd��Zdd��Zdd��Zeddd��Zdd��Zdd��ZdS�)�SFTPAttributesai�� Representation of the attributes of a file (or proxied file) for SFTP in client or server mode. It attempts to mirror the object returned by `os.stat` as closely as possible, so it may have the following fields, with the same meanings as those returned by an `os.stat` object: - ``st_size`` - ``st_uid`` - ``st_gid`` - ``st_mode`` - ``st_atime`` - ``st_mtime`` Because SFTP allows flags to have other arbitrary named attributes, these are stored in a dict named ``attr``. Occasionally, the filename is also stored, in ``filename``. ��c��C��s4��d\|�_�d\|�_d\|�_d\|�_d\|�_d\|�_d\|�_i�\|�_dS�)zX Create a new (empty) SFTPAttributes object. All fields will be empty. r��N)�_flags�st_size�st_uid�st_gid�st_mode�st_atime�st_mtime�attr��self��r��E/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/sftp_attr.py�__init__1��s�� zSFTPAttributes.__init__Nc��C��sH��\|��}\|j�\|_�\|j\|_\|j\|_\|j\|_\|j\|_\|j\|_\|dur"\|\|_\|S�)a`�� Create an `.SFTPAttributes` object from an existing ``stat`` object (an object returned by `os.stat`). :param object obj: an object returned by `os.stat` (or equivalent). :param str filename: the filename associated with this file. :return: new `.SFTPAttributes` object with the same attribute fields. N)r��r ��r��r��r��r��filename)�cls�objr��r��r��r��r�� from_stat>��s�� zSFTPAttributes.from_statc��C��s��d��\|��S�)Nz<SFTPAttributes: {}>)�format� _debug_strr��r��r��r��__repr__S��s��zSFTPAttributes.__repr__c��C��s0��\|��}\|��\|��\|d�ur\|\|_\|d�ur\|\|_\|S��N)�_unpackr��longname)r��msgr��r!��r��r��r��r�� _from_msgW��s�� zSFTPAttributes._from_msgc��C��s��\|��\|�_\|�j\|�j@�r\|��\|�_\|�j\|�j@�r \|��\|�_\|��\|�_\|�j\|�j@�r+\|��\|�_ \|�j\|�j @�r;\|��\|�_\|��\|�_\|�j\|�j @�rU\|��}t\|�D�] }\|��\|�j\|��<�qId�S�d�S�r��)�get_intr�� FLAG_SIZE� get_int64r��FLAG_UIDGIDr ��r��FLAG_PERMISSIONSr��FLAG_AMTIMEr��r�� FLAG_EXTENDED�range� get_stringr��)r��r"��count�ir��r��r��r ��a��s"�� zSFTPAttributes._unpackc��C��st��d\|�_�\|�jd�ur\|��j�\|�jO��_�\|�jd�ur"\|�jd�ur"\|��j�\|�jO��_�\|�jd�ur/\|��j�\|�jO��_�\|�jd�urA\|�j d�urA\|��j�\|�j O��_�t\|�j�dkrP\|��j�\|�j O��_�\|�\|�j��\|�j�\|�j@�rb\|�\|�j��\|�j�\|�j@�rt\|�\|�j��\|�\|�j��\|�j�\|�j@�r�\|�\|�j��\|�j�\|�j @�r�\|�t\|�j��\|�t\|�j ��\|�j�\|�j @�r�\|�t\|�j��\|�j��D�]\}}\|�\|��\|�\|��q�d�S�)Nr��)r��r��r%��r ��r��r'��r��r(��r��r��r)��lenr��r��add_int� add_int64�int�items� add_string)r��r"��key�valr��r��r��_packr��s8�� zSFTPAttributes._packc��C��s��d}\|�j�d�ur\|d�\|�j��7�}\|�jd�ur#\|�jd�ur#\|d�\|�j\|�j�7�}\|�jd�ur3\|dt\|�j��d�7�}\|�jd�urG\|�jd�urG\|d�\|�j\|�j�7�}\|�j� ��D�]\}}\|d�t \|�\|�7�}qL\|d7�}\|S�) Nz[ zsize={} zuid={} gid={} zmode=� zatime={} mtime={} z "{}"={!r} �])r��r��r ��r��r��octr��r��r��r3��str)r��out�k�vr��r��r��r��s�� zSFTPAttributes._debug_strFc��C��sX��\|rd}d\|�d?��d\|�d?�d@��}\|r \|d\|\|�d@��7�}\|S�\|d\|\|�d@��7�}\|S�)Nr��z-rz-wr��z-xTtz-xSsr��)�n�suid�stickyr<��r��r��r��_rwx��s��zSFTPAttributes._rwxc�� C��s��\|�j�durxt�\|�j��}\|tjkrd}n2\|tjkrd}n\|tjkr#d}n"\|tjkr+d}n\|tjkr3d}n\|tjkr;d}n \|tj krCd}nd }\|\|�� \|�j�t@�d ?�\|�j�tj@��7�}\|\|�� \|�j�t @�d?�\|�j�tj@��7�}\|\|�� \|�j�d@�\|�j�tj@�d �7�}nd}\|�jdu�s�\|�jtkr�d}nt�\|�j�}tt��\|�j��dkr�t�d\|�}nt�d\|�}t\|�dd �}\|�j}\|�j}\|�j}\|du�r�d}\|du�r�d}\|du�r�d}d\|\|\|\|\|\|f�S�)z=create a unix-style long description of the file (like ls -l)N�p�c�d�b�-�l�s�?��Tz ?---------z(unknown date)i�N��z%d %b %Yz%d %b %H:%Mr��r��z%s 1 %-8d %-8d %8d %-12s %s)r��stat�S_IFMT�S_IFIFO�S_IFCHR�S_IFDIR�S_IFBLK�S_IFREG�S_IFLNK�S_IFSOCKrB��r��S_ISUIDr��S_ISGID�S_ISVTXr��r��time� localtime�abs�strftime�getattrr ��r��r��) r��kind�ks�datestr� time_tupler��uid�gid�sizer��r��r��__str__��sf�� zSFTPAttributes.__str__c��C��s��t�\|��S�r��)r;��encoder��r��r��r��asbytes��s��zSFTPAttributes.asbytesr��)NN)F)�__name__� __module__�__qualname__�__doc__r%��r'��r(��r)��r��r��r��classmethodr��r��r#��r ��r7��r��staticmethodrB��rf��rh��r��r��r��r��r��s(�� Cr��)rN��rZ��paramiko.commonr��r��r��r��r��r��r��r��r��<module>��s��__pycache__/pkey.cpython-310.pyc��0000644��00000065011�15030210772�0012425 0��ustar�00��o ��h��@��sL��d�Z�ddlZddlmZmZ�ddlmZ�ddlZddlmZ�ddl m Z mZ�ddlZddl Z ddlZddlmZ�ddlmZ�dd lmZmZmZ�dd lmZ�ddlmZ�ddlmZmZ�dd lmZ�ddlm Z m!Z!�ddl"m#Z#�zddl$m%Z%�W�n�e&y��ddl'm%Z%�Y�nw�dZ(dd��Z)G�dd��de�Z+G�dd��d�Z,G�dd��d�Z-dS�)z! Common API for all public keys. ��N)�encodebytes�decodebytes)� unhexlify)�Path)�md5�sha256)�default_backend)� serialization)� algorithms�modes�Cipher)� asymmetric)�util)�u�b)�o600)�SSHException�PasswordRequiredException)�Message)� TripleDESs��openssh-key-v1�c��C��sh��\|�d�}d\|��krdk�r\|�S��\|dkrt�d��t\|�D�]}\|�\|\|��\|d�kr,t�d��q\|�d�\|��S�)N�� zInvalid key��)r��range)�data�padding_length�i��r��@/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/pkey.py�_unpad_openssh?��s��r!��c��@��s"��e�Zd�ZdZddd�Zdd��ZdS�)�UnknownKeyTypezK An unknown public/private key algorithm was attempted to be read. Nc��C��s��\|\|�_�\|\|�_d�S��N��key_type� key_bytes)�selfr%��r&��r��r��r ��__init__S��s�� zUnknownKeyType.__init__c��C��s��d\|�j��dt\|�j��d�S�)NzUnknownKeyType(type=z , bytes=<z>))r%��lenr&��r'��r��r��r ��__str__W��s��zUnknownKeyType.__str__�NN)�__name__� __module__�__qualname__�__doc__r(��r+��r��r��r��r ��r"��N��s�� r"��c��@��s��e�Zd�ZdZejddejd�ejddejd�eddejd�d�Z dZ d Ze� d �Ze� d�ZedOd d��Zedd��Zedd��ZdPdd�Zdd��Zdd��Zdd��Zdd��Zdd��Zedd ��Zd!d"��Zed#d$��Zd%d&��Zd'd(��Z d)d��Z!ed+d,��Z"d-d.��Z#dOd/d0�Z$d1d2��Z%edOd3d4��Z&edOd5d6��Z'dOd7d8�Z(dOd9d:�Z)dOd;d<�ZdOd=d>�Z+d?d@��Z,dAdB��Z-dCdD��Z.dEdF��Z/dOdGdH�Z0dOdIdJ�Z1dKdL��Z2dMdN��Z3dS�)Q�PKeyz� Base class for public keys. Also includes some "meta" level convenience constructors such as `.from_type_string`. ��)�cipher�keysize� blocksize�moder��)zAES-128-CBCzAES-256-CBCzDES-EDE3-CBCr��z3^-{5}BEGIN (RSA\|DSA\|EC\|OPENSSH) PRIVATE KEY-{5}\s$z1^-{5}END (RSA\|DSA\|EC\|OPENSSH) PRIVATE KEY-{5}\s$Nc��C��s\��ddl�m}m}m}m}�t\|��}�d}t\|��\|�r%\|�dt\|��}\|�}n\|�}\|�\|�}t\|�� }t\|�� }\|� ��} z tj\| \|d�} W�n�t yT��tj\| \|d�} Y�nw�d}t\| tjj�ra\|}n%t\| tjj�rk\|}nt\| tjj�ru\|}nt\| tjj�r\|}nt\| \| jd��\|��}\|j\|\|d�} W�d��n1�s�w��Y��\|��r�\| �t\|��\| S�)aV�� Attempt to instantiate appropriate key subclass from given file path. :param Path path: The path to load (may also be a `str`). :returns: A `PKey` subclass instance. :raises: `UnknownKeyType`, if our crypto backend doesn't know this key type. .. versionadded:: 3.2 r��)�DSSKey�RSAKey� Ed25519Key�ECDSAKeyz -cert.pubN)r��password)r&��r%��r>��)�paramikor:��r;��r<��r=��str�endswithr)��r�� expanduser� read_bytesr ��load_ssh_private_key� ValueError�load_pem_private_key� isinstancer ��dsa� DSAPrivateKey�rsa� RSAPrivateKey�ed25519�Ed25519PrivateKey�ec�EllipticCurvePrivateKeyr"�� __class__�open�from_private_key�exists�load_certificate)�path� passphraser:��r;��r<��r=��cert_suffix�key_path� cert_pathr��loaded� key_class�fd�keyr��r��r �� from_path��sH�� zPKey.from_pathc��C��s<��ddl�m}�\|D�]}\|�\|��v�r\|\|d��S�qt\|�\|d��)av�� Given type `str` & raw `bytes`, return a `PKey` subclass instance. For example, ``PKey.from_type_string("ssh-ed25519", <public bytes>)`` will (if successful) return a new `.Ed25519Key`. :param str key_type: The key type, eg ``"ssh-ed25519"``. :param bytes key_bytes: The raw byte data forming the key material, as expected by subclasses' ``data`` parameter. :returns: A `PKey` subclass instance. :raises: `UnknownKeyType`, if no registered classes knew about this type. .. versionadded:: 3.2 r��)�key_classes)r��r$��)r@��r`��identifiersr"��)r%��r&��r`��r\��r��r��r ��from_type_string��s��zPKey.from_type_stringc��C��s��\|�j�gS�)z� returns an iterable of key format/name strings this class can handle. Most classes only have a single identifier, and thus this default implementation suffices; see `.ECDSAKey` for one example of an override. )�name)�clsr��r��r ��ra��s�� zPKey.identifiersc��C��dS�)aV�� Create a new instance of this public key type. If ``msg`` is given, the key's public part(s) will be filled in from the message. If ``data`` is given, the key's public part(s) will be filled in from the string. :param .Message msg: an optional SSH `.Message` containing a public key of this type. :param bytes data: optional, the bytes of a public key of this type :raises: `.SSHException` -- if a key cannot be created from the ``data`` or ``msg`` given, or no key was passed in. Nr��)r'��msgr��r��r��r ��r(��s��z PKey.__init__c��C��sD��d}t�\|�d�r\|�jrd\|�j��}d\|�j��d\|��d\|�j��\|��d�S�)N��commentz , comment=z PKey(alg=z, bits=z, fp=�))�hasattrrh��algorithm_name�get_bits�fingerprint)r'��rh��r��r��r ��__repr__��s��$z PKey.__repr__c��C��t��S�)z� Return a string of an SSH `.Message` made up of the public part(s) of this key. This string is suitable for passing to `__init__` to re-create the key object later. ��bytesr��r��r��r ��asbytes��s��zPKey.asbytesc��C��s��\|��S�r#��)rr��r��r��r��r �� __bytes__ ��s��zPKey.__bytes__c��C��s��t�\|t�o \|�j\|jkS�r#��)rH��r1��_fields�r'��otherr��r��r ��__eq__#��s��zPKey.__eq__c��C��s ��t�\|�j�S�r#��)�hashrt��r��r��r��r ��__hash__&�� z PKey.__hash__c��C��s��t��r#��)�NotImplementedErrorr��r��r��r ��rt��)��s��zPKey._fieldsc��C��re��)z� Return the name of this private key implementation. :return: name of this private key type, in SSH terminology, as a `str` (for example, ``"ssh-rsa"``). rg��r��r��r��r��r ��get_name-��s��z PKey.get_namec��C��sF��\|��dd�}d}\|\|v�r\|�\|d�}\|��S�\|�d�d�}\|��S�)z� Return the key algorithm identifier for this key. Similar to `get_name`, but aimed at pure algorithm name instead of SSH protocol field value. zssh-rg��z-cert-v01@openssh.comz-cert�-r��)r\|��replace�split�upper)r'��rc�� cert_tailr��r��r ��rk��7��s�� zPKey.algorithm_namec��C��re��)z� Return the number of significant bits in this key. This is useful for judging the relative security of a key. :return: bits in the key (as an `int`) r��r��r��r��r��r ��rl��K��s�� z PKey.get_bitsc��C��re��)zf Return ``True`` if this key has the private part necessary for signing data. Fr��r��r��r��r ��can_signV��s��z PKey.can_signc��C��s��t�\|��S�)z� Return an MD5 fingerprint of the public part of this key. Nothing secret is revealed. :return: a 16-byte `string <str>` (binary) of the MD5 fingerprint, in SSH format. )r��rr��digestr��r��r��r ��get_fingerprint]��s�� zPKey.get_fingerprintc��C��sB��t�t\|��}\|j��}t\|��}t\|��d�}\|��d\|��S�)z� Modern fingerprint property designed to be comparable to OpenSSH. Currently only does SHA256 (the OpenSSH default). .. versionadded:: 3.2 �=�:) r��rq��rc��r��r��r��r��strip�rstrip)r'��hashy� hash_name�b64ed�cleanedr��r��r ��rm��h��s �� zPKey.fingerprintc��C��s��t�t\|��dd�S�)a+�� Return a base64 string containing the public part of this key. Nothing secret is revealed. This format is compatible with that used to store public key files or recognized host keys. :return: a base64 `string <str>` containing the public part of the key. � rg��)r��r��rr��r~��r��r��r��r �� get_base64w��s��zPKey.get_base64c��C��ro��)a�� Sign a blob of data with this private key, and return a `.Message` representing an SSH signature message. :param bytes data: the data to sign. :param str algorithm: the signature algorithm to use, if different from the key's internal name. Default: ``None``. :return: an SSH signature `message <.Message>`. .. versionchanged:: 2.9 Added the ``algorithm`` kwarg. rp��)r'��r�� algorithmr��r��r �� sign_ssh_data��s��zPKey.sign_ssh_datac��C��re��)a^�� Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key. :param bytes data: the data that was signed. :param .Message msg: an SSH signature message :return: ``True`` if the signature verifies correctly; ``False`` otherwise. Fr��)r'��r��rf��r��r��r ��verify_ssh_sig��s�� zPKey.verify_ssh_sigc��C��\|�\|\|d�}\|S�)a�� Create a key object by reading a private key file. If the private key is encrypted and ``password`` is not ``None``, the given password will be used to decrypt the key (otherwise `.PasswordRequiredException` is thrown). Through the magic of Python, this factory method will exist in all subclasses of PKey (such as `.RSAKey` or `.DSSKey`), but is useless on the abstract PKey class. :param str filename: name of the file to read :param str password: an optional password to use to decrypt the key file, if it's encrypted :return: a new `.PKey` based on the given private key :raises: ``IOError`` -- if there was an error reading the file :raises: `.PasswordRequiredException` -- if the private key file is encrypted, and ``password`` is ``None`` :raises: `.SSHException` -- if the key file is invalid )�filenamer>��r��)rd��r��r>��r^��r��r��r ��from_private_key_file��s��zPKey.from_private_key_filec��C��r��)a�� Create a key object by reading a private key from a file (or file-like) object. If the private key is encrypted and ``password`` is not ``None``, the given password will be used to decrypt the key (otherwise `.PasswordRequiredException` is thrown). :param file_obj: the file-like object to read from :param str password: an optional password to use to decrypt the key, if it's encrypted :return: a new `.PKey` based on the given private key :raises: ``IOError`` -- if there was an error reading the key :raises: `.PasswordRequiredException` -- if the private key file is encrypted, and ``password`` is ``None`` :raises: `.SSHException` -- if the key file is invalid )�file_objr>��r��)rd��r��r>��r^��r��r��r ��rS��s��zPKey.from_private_keyc��C��t�d��)a�� Write private key contents into a file. If the password is not ``None``, the key is encrypted before writing. :param str filename: name of the file to write :param str password: an optional password to use to encrypt the key file :raises: ``IOError`` -- if there was an error writing the file :raises: `.SSHException` -- if the key is invalid �Not implemented in PKey�� Exception)r'��r��r>��r��r��r ��write_private_key_file��zPKey.write_private_key_filec��C��r��)a�� Write private key contents into a file (or file-like) object. If the password is not ``None``, the key is encrypted before writing. :param file_obj: the file-like object to write into :param str password: an optional password to use to encrypt the key :raises: ``IOError`` -- if there was an error writing to the file :raises: `.SSHException` -- if the key is invalid r��r��)r'��r��r>��r��r��r ��write_private_key��r��zPKey.write_private_keyc��C��s>��t�\|d��}\|��\|\|\|�}W�d��\|S�1�sw��Y��\|S�)a�� Read an SSH2-format private key file, looking for a string of the type ``"BEGIN xxx PRIVATE KEY"`` for some ``xxx``, base64-decode the text we find, and return it as a string. If the private key is encrypted and ``password`` is not ``None``, the given password will be used to decrypt the key (otherwise `.PasswordRequiredException` is thrown). :param str tag: ``"RSA"`` or ``"DSA"``, the tag used to mark the data block. :param str filename: name of the file to read. :param str password: an optional password to use to decrypt the key file, if it's encrypted. :return: the `bytes` that make up the private key. :raises: ``IOError`` -- if there was an error reading the file. :raises: `.PasswordRequiredException` -- if the private key file is encrypted, and ``password`` is ``None``. :raises: `.SSHException` -- if the key file is invalid. �rN)rR��_read_private_key)r'��tagr��r>��fr��r��r��r ��_read_private_key_file��s�� zPKey._read_private_key_filec��C��sH��\|��}\|s td�\|��d}\|�j�\|\|��}t\|�d�}\|\|k�r5\|s5\|d7�}\|�j�\|\|��}\|\|k�r5\|r#\|d7�}\|r@\|�d�nd�}\|t\|�ksL\|d�u�rStd�\|��\|} \|�j�\|\| ��}\| \|k�ru\|su\| d7�} \|�j�\|\| ��}\| \|k�ru\|rc\|\|kr�\|��\|\| \|�} \|�j }\|\| fS�\|dkr�\|�� \|\|\| ��\|�} \|�j}\|\| fS�td�\|\|��)Nzno lines in {} private key filer��r��znot a valid {} private key file�OPENSSHz#encountered {} key, expected {} key)� readlinesr��format� BEGIN_TAG�matchr)��group�END_TAG�_read_private_key_pem�_PRIVATE_KEY_FORMAT_ORIGINAL�_read_private_key_openssh�_PRIVATE_KEY_FORMAT_OPENSSH)r'��r��r��r>��lines�start�m� line_range�keytype�endr��pkformatr��r��r ��r��s>�� zPKey._read_private_keyc��C��s��d}t�\|�\|�jj\|��)Nz={}._read_private_key() spat out an unknown key format id '{}')r��r��rQ��r-��)r'��id_�errr��r��r ��_got_bad_key_format_id%��s��zPKey._got_bad_key_format_idc�� C��s��d}i�}\|d7�}\|t�\|�k�r2\|\|��d�}t�\|�dkrn\|d��\|\|d��<�\|d7�}\|t�\|�k�szttd�\|\|\|��}W�n�tjj yV�}�zt d�\|��d�}~ww�d\|vr]\|S�\|d�} \| dkrlt d�\| ��z\|d ��d �\} }W�n��t d��\| \|�jvr�t d�\| ��\|d�u�r�t d ��\|�j\| �d�}\|�j\| �d�} \|�j\| �d�}tt\|��}t�t\|\|\| �}t\|\|�\|\|�t��d��}\|�\|�\|��S�)Nr��r��z: rg��base64 decoding error: {}z proc-typez4,ENCRYPTEDz"Unknown private key structure "{}"zdek-info�,z(Can't parse DEK-info in private key filezUnknown private key cipher "{}"zPrivate key file is encryptedr3��r4��r6��)�backend)r)��r��r��lowerr��r��join�base64�binascii�Errorr��r�� _CIPHER_TABLEr��r��r��generate_key_bytesr��r��r�� decryptor�update�finalize)r'��r��r��r>��r��headers�liner��e� proc_type�encryption_type�saltstrr3��r4��r6��saltr^��r��r��r��r ��r��)��sX�� zPKey._read_private_key_pemc�� C��s��zt�td�\|��}W�n�tjjy �}�ztd�\|��d}~ww�\|dd��}\|tkr/td��\|�� \|dd��d�}\|\}}} } }\| dkrHtd��\|�� \|d �\}} \|td �kr�\|td�kr`t j}n\|td�krjt j}n td �\|� d��\|du�r\|td��\|�� \| d�\}}tjt\|�t\|�d\|dd�}\|dd��}\|dd��}tt�\|�\|\|�t��}\|�\| �}\|\|��7�}n\|td�kr�\|td�kr�\| }ntd��\|�� \|d�}\|\}}}}\|\|kr�td��t\|�S�)z� Read the new OpenSSH SSH2 private key format available since OpenSSH version 6.5 Reference: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key rg��r��Nr��z)unexpected OpenSSH key header encountered�sssurr��z.unsupported: private keyfile has multiple keys�ss�bcryptz aes256-cbcz aes256-ctrz,unknown cipher `{}` used in private key filezutf-8zprivate key file is encrypted�su�0��T)�ignore_few_roundsr��nonez.unknown cipher or kdf used in private key file�uusrz/OpenSSH private key file checkints do not match)r��r��r��r��r��r��r��r��OPENSSH_AUTH_MAGIC�_uint32_cstruct_unpackr��CBC�CTR�decoder��r��kdfr��r ��AESr��r��r��r��r!��)r'��r��r>��r��r�� auth_magic�cstructr3��kdfname�kdf_options�num_pubkeys� remainder�pubkey�privkey_blobr6��r��rounds�key_ivr^��ivr��decrypted_privkey� checkint1� checkint2r��keydatar��r��r ��r��X��sv�� zPKey._read_private_key_opensshc�� C��sP��g�}d}z�\|D�]�}\|dkr0t��d\|\|\|d��d�}\|d7�}\|\|\|\|��}\|\|7�}\|�\|��\|dkr^t��d\|\|\|d��d�}\|d7�}\|\|\|\|��}\|\|7�}t�\|d�}\|�\|��q\|dkrzt��d\|\|\|d��d�} \|d7�}\|�\| ��q\|dkr�\|\|d ��}\|�\|��nqW�t\|�S�W�t\|�S��ty��} �ztt\| ��d } ~ ww�) a�� Used to read new OpenSSH private key format. Unpacks a c data structure containing a mix of 32-bit uints and variable length strings prefixed by 32-bit uint size field, according to the specified format. Returns the unpacked vars in a tuple. Format strings: s - denotes a string i - denotes a long integer, encoded as a byte string u - denotes a 32-bit unsigned integer r - the remainder of the input string, returned as a string r��sz>L��r��Tr��r��N) �struct�unpack�appendr��inflate_longr��r��rA��tuple)r'��r�� strformat�arr�idxr��s_sizer��r��r��r��r��r��r ��r��sD�� zPKey._uint32_cstruct_unpackc��C��s^��t��t�j\|t�jt�jB�t�jB�td�d��}\|�j\|\|\|\|d��W�d��dS�1�s(w��Y��dS�)a�� Write an SSH2-format private key file in a form that can be read by paramiko or openssh. If no password is given, the key is written in a trivially-encoded format (base64) which is completely insecure. If a password is given, DES-EDE3-CBC is used. :param str tag: ``"RSA"`` or ``"DSA"``, the tag used to mark the data block. :param filename: name of the file to write. :param bytes data: data blob that makes up the private key. :param str password: an optional password to use to encrypt the file. :raises: ``IOError`` -- if there was an error writing the file. )�flagsr6��wr?��N)�os�fdopenrR��O_WRONLY�O_TRUNC�O_CREATr��_write_private_key)r'��r��r^��r��r>��r��r��r��r ��_write_private_key_file��s�� "�zPKey._write_private_key_filec��C��s@��\|d�u�r t��}nt��t\|��}\|�\|�t�jj\|\|��d�S�r#��) r ��NoEncryption�BestAvailableEncryptionr��write� private_bytes�Encoding�PEMr��)r'��r��r^��r��r>�� encryptionr��r��r ��r��s�� zPKey._write_private_keyc��C��s��\|}\|}t�\|t�r\|g}t�\|t�r\|g}\|du�rtd��\|��\|��}\|\|v�rdS�\|\|v�r=\|��t\|��\|��dS�d}t\|� \|�j j\|��)a�� Perform message type-checking & optional certificate loading. This includes fast-forwarding cert ``msg`` objects past the nonce, so that the subsequent fields are the key numbers; thus the caller may expect to treat the message as key material afterwards either way. The obtained key type is returned for classes which need to know what it was (e.g. ECDSA.) NzKey object may not be emptyz%Invalid key (class: {}, data type: {})rH��rA��r��rewind�get_textrU��r��rr�� get_stringr��rQ��r-��)r'��rf��r%�� cert_type� key_types� cert_types�type_r��r��r��r ��_check_type_and_load_cert ��s"�� zPKey._check_type_and_load_certc��C��sh��t�\|t�rd}ntj�\|�rd}nd}tt\|�\|�}\|j�\|�� s/d}t \|�\|j\|�� \|\|�_dS�)a5�� Supplement the private key contents with data loaded from an OpenSSH public key (``.pub``) or certificate (``-cert.pub``) file, a string containing such a file, or a `.Message` object. The .pub contents adds no real value, since the private key file includes sufficient information to derive the public key info. For certificates, however, this can be used on the client side to offer authentication requests to the server based on certificate instead of raw public key. See: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys Note: very little effort is made to validate the certificate contents, that is for the server to decide if it is good enough to authenticate successfully. �from_message� from_file�from_stringz0PublicBlob type {} incompatible with key type {}N) rH��r��r��rV��isfile�getattr� PublicBlobr%�� startswithr\|��rF��r��public_blob)r'��value�constructor�blobr��r��r��r ��rU��>��s�� zPKey.load_certificater#��r,��)4r-��r.��r/��r0��r ��r��r��r��r��r��r��r��re�compiler��r��staticmethodr_��rb��classmethodra��r(��rn��rr��rs��rw��ry��propertyrt��r\|��rk��rl��r��r��rm��r��r��r��r��rS��r��r��r��r��r��r��r��r��r��r��r��rU��r��r��r��r ��r1��[��s�� I %/V 1 "1r1��c��@��sV��e�Zd�ZdZddd�Zedd��Zedd��Zed d ��Zdd��Z d d��Z dd��ZdS�)r��a�� OpenSSH plain public key or OpenSSH signed public key (certificate). Tries to be as dumb as possible and barely cares about specific per-key-type data. .. note:: Most of the time you'll want to call `from_file`, `from_string` or `from_message` for useful instantiation, the main constructor is basically "I should be using ``attrs`` for this." Nc��C��s��\|\|�_�\|\|�_\|\|�_dS�)a�� Create a new public blob of given type and contents. :param str type_: Type indicator, eg ``ssh-rsa``. :param bytes blob: The blob bytes themselves. :param str comment: A comment, if one was given (e.g. file-based.) N)r%��key_blobrh��)r'��r ��r��rh��r��r��r ��r(��r��s�� zPublicBlob.__init__c��C��s:��t�\|��}\|��}W�d��n1�sw��Y��\|��\|�S�)zO Create a public blob from a ``-cert.pub``-style file on disk. N)rR��readr��)rd��r��r��stringr��r��r ��r ��~��s�� zPublicBlob.from_filec�� C��s��\|��dd�}t\|�dk�rd}t\|�\|��\|d�}tt\|d��}z\|d��}W�n�ty4��d}Y�nw�t\|�}\|� ��}\|\|krNd�\|\|�} td�\| ��\|�\|\|\|d�S�) zI Create a public blob from a ``-cert.pub``-style string. Nr9��z%Not enough fields for public blob: {}r��r��z!key type={!r}, but blob type={!r}zInvalid PublicBlob contents: {})r ��r��rh��) r��r)��rF��r��r��r��r�� IndexErrorr��r��) rd��r��fieldsrf��r%��r��rh��r�� blob_type�deetsr��r��r ��r��s&��zPublicBlob.from_stringc��C��s��\|��}\|�\|\|��d�S�)z� Create a public blob from a network `.Message`. Specifically, a cert-bearing pubkey auth packet, because by definition OpenSSH-style certificates 'are' their own network representation." )r ��r��)r��rr��)rd��messager ��r��r��r ��r��s��zPublicBlob.from_messagec��C��s&��d��\|�j�}\|�jr\|d��\|�j�7�}\|S�)Nz{} public key/certificatez- {})r��r%��rh��)r'��retr��r��r ��r+��s��zPublicBlob.__str__c��C��s��\|�o \|o \|�j�\|j�kS�r#��)r��ru��r��r��r ��rw��s��zPublicBlob.__eq__c��C��s ��\|�\|k�S�r#��r��ru��r��r��r ��__ne__��rz��zPublicBlob.__ne__r#��)r-��r.��r/��r0��r(��r��r ��r��r��r+��rw��r%��r��r��r��r ��r��d��s�� r��).r0��r��r��r��r��r��r��pathlibr��hashlibr��r��r��r��r��cryptography.hazmat.backendsr��cryptography.hazmat.primitivesr ��&cryptography.hazmat.primitives.ciphersr ��r��r��r ��r@��r�� paramiko.utilr��r��paramiko.commonr��paramiko.ssh_exceptionr��r��paramiko.messager��/cryptography.hazmat.decrepit.ciphers.algorithmsr��ImportError�1cryptography.hazmat.primitives.ciphers.algorithmsr��r!��r��r"��r1��r��r��r��r��r ��<module>��sF�� __pycache__/win_pageant.cpython-310.pyc��0000644��00000006645�15030210772�0013761 0��ustar�00��o ��hQ��@��s��d�Z�ddlZddlZddlZddlZddlmZ�ddlm Z �ddl Zddlm Z �dZdZd Zd d��Zdd ��Ze��d�dkrBejZnejZG�dd��dej�Zdd��ZG�dd��d�ZdS�)zP Functions for communicating with Pageant, the basic windows ssh agent program. ��N)� zero_byte)�b��)�_winapil��P��i� ��J��c��C��s��t�jj�dd�S�)Ns��Pageant)�ctypes�windll�user32�FindWindowA��r��r��G/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/win_pageant.py�_get_pageant_window_object+��s��r ��c��C��s ��t�t��S�)z� Check to see if there is a "Pageant" agent we can talk to. This checks both if we have the required libraries (win32all or ctypes) and if there is a Pageant currently running. )�boolr ��r��r��r��r��can_talk_to_agent/��s�� r��64bitc��@��s,��e�Zd�ZdZdefdejjfdejfgZ dS�)�COPYDATASTRUCTzy ctypes implementation of http://msdn.microsoft.com/en-us/library/windows/desktop/ms649010%28v=vs.85%29.aspx �num_data� data_size�data_locN) �__name__� __module__�__qualname__�__doc__� ULONG_PTRr��wintypes�DWORD�c_void_p�_fields_r��r��r��r��r��?��s�� r��c�� C��s��t��}\|sdS�dt��d��}t�\|tt��}\|�Y�\|�\|��t�dt \|�t ��}\|��\}}tt \|\|�}tjj�\|tt�\|�t�\|��}\|dkrj\|�d��\|�d�} t�d\| �d�} \| \|�\| ��W��d��S� �W�d��dS�1�svw��Y��dS�)za Communication with the Pageant process is done through a shared memory-mapped file. N�PageantRequest�08xr��r��z>I)r ��thread� get_identr�� MemoryMap�_AGENT_MAX_MSGLEN� get_security_attributes_for_user�write�arrayr��r��buffer_infor��_AGENT_COPYDATA_IDr��r��r ��SendMessageA�win32con_WM_COPYDATA�sizeof�byref�seek�read�struct�unpack)�msg�hwnd�map_name�pymap�char_buffer�char_buffer_address�char_buffer_size�cds�response�datalen�retlenr��r��r��_query_pageantL��s2�� $�r=��c��@��s0��e�Zd�ZdZdd��Zdd��Zdd��Zdd ��Zd S�)�PageantConnectiona�� Mock "connection" to an agent which roughly approximates the behavior of a unix local-domain socket (as used by Agent). Requests are sent to the pageant daemon via special Windows magick, and responses are buffered back for subsequent reads. c��C��s ��d�\|�_�d�S��N�� _response��selfr��r��r��__init__z��s�� zPageantConnection.__init__c��C��s��t�\|�\|�_d�S�r?��)r=��rA��)rC��datar��r��r��send}��s��zPageantConnection.sendc��C��s@��\|�j�d�u�rdS�\|�j�d�\|��}\|�j�\|d��\|�_�\|�j�dkrd�\|�_�\|S�)N��r@��)rC��n�retr��r��r��recv��s�� zPageantConnection.recvc��C��s��d�S�r?��r��rB��r��r��r��close��s��zPageantConnection.closeN)r��r��r��r��rD��rF��rJ��rK��r��r��r��r��r>��r��s�� r>��)r��r'��ctypes.wintypesr��platformr0��paramiko.commonr�� paramiko.utilr��_threadr!��rG��r��r)��r$��r+��r ��r��architecture�c_uint64r��c_uint32� Structurer��r=��r>��r��r��r��r��<module>��s(�� &��__pycache__/kex_ecdh_nist.cpython-310.pyc��0000644��00000010414�15030210772�0014261 0��ustar�00��o ��h��@��s��d�Z�ddlmZmZmZ�ddlmZ�ddlmZ�ddl m Z �ddlmZ�ddl mZ�ddlmZ�dd lmZ�ed d�\ZZdd ��ed d�D��\ZZG�dd��d�ZG�dd��de�ZG�dd��de�ZdS�)zQ Ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange RFC 5656, Section 4 ��)�sha256�sha384�sha512��byte_chr)�Message)�SSHException)�default_backend)�ec)� serialization)�hexlify�� c��C��s��g�\|�]}t�\|��qS��r��)�.0�cr��r��I/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/kex_ecdh_nist.py� <listcomp>��s��r��c��@��sL��e�Zd�ZdZeZe��Zdd��Z dd��Z dd��Zdd ��Zd d��Z dd ��ZdS�)�KexNistp256zecdh-sha2-nistp256c��C��s��\|\|�_�d\|�_d�\|�_d�\|�_d�S�)Nr��)� transport�P�Q_C�Q_S)�selfr��r��r��r��__init__��s�� zKexNistp256.__init__c��C��sh��\|��\|�jjr\|�j�t��d�S�t��}\|�t��\|�\|�j � tjj tjj��\|�j�\|��\|�j�t��d�S��N)�_generate_key_pairr��server_mode�_expect_packet�_MSG_KEXECDH_INITr��add_byte�c_MSG_KEXECDH_INIT� add_stringr��public_bytesr��Encoding�X962�PublicFormat�UncompressedPoint� _send_message�_MSG_KEXECDH_REPLY)r��mr��r��r�� start_kex ��s�� zKexNistp256.start_kexc��C��sB��\|�j�jr \|tkr \|��\|�S�\|�j�js\|tkr\|��\|�S�td�\|��)Nz(KexECDH asked to handle packet type {:d})r��r��r��_parse_kexecdh_initr)��_parse_kexecdh_replyr��format)r��ptyper��r��r��r�� parse_next1��s�� zKexNistp256.parse_nextc��C��s:��t��\|�jt��\|�_\|�jjr\|�j��\|�_d�S�\|�j��\|�_ d�S�r��) r ��generate_private_key�curver ��r��r��r�� public_keyr��r��)r��r��r��r��r��:��s ��zKexNistp256._generate_key_pairc��C��s>��\|��}tj�\|�j\|�\|�_\|�j��}\|�j � t��\|�j�}tt \|�d�}t��}\|�\|�jj\|�jj\|�jj\|�jj��\|�\|��\|�\|��\|�\|�j�tjjtjj��\|�t\|��\|��\|��}\|�j�\|\|��\|�j�� \|\|�jj!�}t��}\|�"t#��\|�\|��\|�\|�j�tjjtjj��\|�\|��\|�j�$\|��\|�j�%��d�S��N��)&� get_stringr ��EllipticCurvePublicKey�from_encoded_pointr2��r��r��get_server_key�asbytesr��exchange�ECDH�intr��r��add�remote_version� local_version�remote_kex_init�local_kex_initr"��r��r#��r��r$��r%��r&��r'�� add_mpint� hash_algo�digest�_set_K_H� sign_ssh_data� host_key_typer ��c_MSG_KEXECDH_REPLYr(��_activate_outbound)r��r�� Q_C_bytes�K_S�K�hm�H�sigr��r��r��r,��A��sP�� zKexNistp256._parse_kexecdh_initc��C��s��\|��}\|��}tj�\|�j\|�\|�_\|��}\|�j�t� ��\|�j�}t t\|�d�}t��}\|� \|�jj\|�jj\|�jj\|�jj��\|�\|��\|�\|�j�tjjtjj��\|�\|��\|�\|��\|�j�\|\|��\|��\|�j� \|\|��\|�j�!��d�S�r4��)"r6��r ��r7��r8��r2��r�� get_binaryr��r;��r<��r=��r��r��r>��r��r@��r?��rB��rA��r"��r��r#��r��r$��r%��r&��r'��rC��rF��rD��r:��rE��_verify_keyrJ��)r��r��rL�� Q_S_bytesrP��rM��rN��r��r��r��r-��n��s6�� z KexNistp256._parse_kexecdh_replyN)�__name__� __module__�__qualname__�namer��rD��r �� SECP256R1r2��r��r+��r0��r��r,��r-��r��r��r��r��r��s�� -r��c��@��e�Zd�ZdZeZe��ZdS�)�KexNistp384zecdh-sha2-nistp384N) rT��rU��rV��rW��r��rD��r �� SECP384R1r2��r��r��r��r��rZ��rZ��c��@��rY��)�KexNistp521zecdh-sha2-nistp521N) rT��rU��rV��rW��r��rD��r �� SECP521R1r2��r��r��r��r��r]��r\��r]��N)�__doc__�hashlibr��r��r��paramiko.commonr��paramiko.messager��paramiko.ssh_exceptionr��cryptography.hazmat.backendsr ��)cryptography.hazmat.primitives.asymmetricr ��cryptography.hazmat.primitivesr��binasciir��ranger��r)��r!��rI��r��rZ��r]��r��r��r��r��<module>��s��{��__pycache__/buffered_pipe.cpython-310.pyc��0000644��00000013416�15030210772�0014256 0��ustar�00��o ��h9��@��sJ��d�Z�ddlZddlZddlZddlmZ�G�dd��de�ZG�dd��d�ZdS�)z� Attempt to generalize the "feeder" part of a `.Channel`: an object which can be read from and closed, but is reading from a buffer fed by another thread. The read operations are blocking and can have a timeout set. ��N)�bc��@��s��e�Zd�ZdZdS�)�PipeTimeoutzP Indicates that a timeout was reached on a read from a `.BufferedPipe`. N)�__name__� __module__�__qualname__�__doc__��r��r��I/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/buffered_pipe.pyr��s��r��c��@��sd��e�Zd�ZdZdd��Zdd��Zddd�Zd d ��Zdd��Zd d��Z ddd�Z dd��Zdd��Zdd��Z dS�)�BufferedPipez� A buffer that obeys normal read (with timeout) & close semantics for a file or socket, but is fed data from another thread. This is used by `.Channel`. c��C��s4��t��\|�_t��\|�j�\|�_d�\|�_t�d�\|�_d\|�_d�S�)N�BF) � threading�Lock�_lock� Condition�_cv�_event�array�_buffer�_closed��selfr��r��r ��__init__.��s �� zBufferedPipe.__init__c��C��s��\|�j��\|��d�S��N)r�� frombytes�r��datar��r��r ��_buffer_frombytes5��s��zBufferedPipe._buffer_frombytesNc��C��s��\|�j�d�\|��S�r��)r��tobytes)r��limitr��r��r ��_buffer_tobytes8��s��zBufferedPipe._buffer_tobytesc��C��sd��\|�j��z&\|\|�_\|�jst\|�j�dkr\|��n\|��W�\|�j��dS�W�\|�j��dS�\|�j��w�)a�� Set an event on this buffer. When data is ready to be read (or the buffer has been closed), the event will be set. When no data is ready, the event will be cleared. :param threading.Event event: the event to set/clear r��N) r��acquirer��r��lenr��set�clear�release)r��eventr��r��r �� set_event;��s�� zBufferedPipe.set_eventc��C��sT��\|�j��z\|�jdur\|�j��\|��t\|��\|�j��W�\|�j��dS�\|�j��w�)z� Feed new data into this pipe. This method is assumed to be called from a separate thread, so synchronization is done. :param data: the data to add, as a ``str`` or ``bytes`` N) r��r ��r��r"��r��r��r�� notify_allr$��r��r��r��r ��feedR��s�� zBufferedPipe.feedc��C��sF��\|�j��zt\|�j�dkrW�\|�j��dS�W�\|�j��dS�\|�j��w�)ad�� Returns true if data is buffered and ready to be read from this feeder. A ``False`` result does not mean that the feeder has closed; it means you may need to wait before more data arrives. :return: ``True`` if a `read` call would immediately return at least one byte; ``False`` otherwise. r��FT�r��r ��r!��r��r$��r��r��r��r �� read_readyb��s�� zBufferedPipe.read_readyc��C��s&��t��}\|�j��z�t\|�j�dkrS\|�jr\|W�\|�j��S�\|dkr"t��t\|�j�dkrS\|�jsSt��}\|�j � \|��\|durI\|t��\|�8�}\|dkrIt��t\|�j�dkrS\|�jr,t\|�j�\|krr\|��}\|�jdd�=�\|�jdurq\|�jsq\|�j� ��n\|��\|�}\|�jd\|�=�W�\|�j��\|S�W�\|�j��\|S�\|�j��w�)a\|�� Read data from the pipe. The return value is a string representing the data received. The maximum amount of data to be received at once is specified by ``nbytes``. If a string of length zero is returned, the pipe has been closed. The optional ``timeout`` argument can be a nonnegative float expressing seconds, or ``None`` for no timeout. If a float is given, a `.PipeTimeout` will be raised if the timeout period value has elapsed before any data arrives. :param int nbytes: maximum number of bytes to read :param float timeout: maximum seconds to wait (or ``None``, the default, to wait forever) :return: the read data, as a ``str`` or ``bytes`` :raises: `.PipeTimeout` -- if a timeout was specified and no data was ready before that timeout r��g��N)�bytesr��r ��r!��r��r��r$��r��timer��waitr��r��r#��)r��nbytes�timeout�out�thenr��r��r ��readt��s>�� zBufferedPipe.readc��C��sV��\|�j��z\|��}\|�jdd�=�\|�jdur\|�js\|�j��\|W�\|�j��S�\|�j��w�)z� Clear out the buffer and return all data that was in it. :return: any data that was in the buffer prior to clearing it out, as a `str` N)r��r ��r��r��r��r��r#��r$��)r��r0��r��r��r ��empty��s�� zBufferedPipe.emptyc��C��s\��\|�j��z"d\|�_\|�j��\|�jdur \|�j��W�\|�j��dS�W�\|�j��dS�\|�j��w�)z� Close this pipe object. Future calls to `read` after the buffer has been emptied will return immediately with an empty string. TN)r��r ��r��r��r'��r��r"��r$��r��r��r��r ��close��s�� zBufferedPipe.closec��C��s.��\|�j��zt\|�j�W�\|�j��S�\|�j��w�)zi Return the number of bytes buffered. :return: number (`int`) of bytes buffered r)��r��r��r��r ��__len__��s�� zBufferedPipe.__len__r��)r��r��r��r��r��r��r��r&��r(��r��r2��r3��r4��r5��r��r��r��r ��r ��'��s�� 6r ��) r��r��r��r,�� paramiko.utilr��IOErrorr��r ��r��r��r��r ��<module>��s��__pycache__/rsakey.cpython-310.pyc��0000644��00000013740�15030210772�0012755 0��ustar�00��o ��hz��@��sx��d�Z�ddlmZmZ�ddlmZ�ddlmZmZ�ddl m Z mZ�ddlm Z �ddlmZ�ddlmZ�G�d d ��d e�ZdS�)z RSA keys. ��)�InvalidSignature�UnsupportedAlgorithm)�default_backend)�hashes� serialization)�rsa�padding)�Message)�PKey)�SSHExceptionc��@��s��e�Zd�ZdZdZejejejejejejd�Z d)dd�Z edd��Ze d d ��Ze dd��Zd d��Zdd��Ze dd��Zdd��Zdd��Zdd��Zddd�Zdd��Zddd�Zddd �Zedd!d"��Zd#d$��Zd%d&��Zd'd(��ZdS�)+�RSAKeyzZ Representation of an RSA key which can be used to sign and verify SSH2 data. �ssh-rsa)r ��ssh-rsa-cert-v01@openssh.comzrsa-sha2-256z!rsa-sha2-256-cert-v01@openssh.comzrsa-sha2-512z!rsa-sha2-512-cert-v01@openssh.comNc��C��s��d�\|�_�d�\|�_\|d�ur\|��\|\|��d�S�\|d�ur\|��\|\|��d�S�\|d�u�r\|d�urt\|�}\|d�ur3\|\|�_�d�S�\|�j\|\|�jdd��tj\|� ��\|� ��d�� t��\|�_�d�S�)Nr��)�msg�key_type� cert_type��e�n)�key�public_blob�_from_private_key�_from_private_key_filer ��_check_type_and_load_cert�namer��RSAPublicNumbers� get_mpint� public_keyr��)�selfr��data�filename�passwordr��file_obj��r#��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/rsakey.py�__init__1��s,�� zRSAKey.__init__c��C��s��t�\|�j��S��N)�list�HASHES�keys)�clsr#��r#��r$��identifiersR��s��zRSAKey.identifiersc��C��s��\|�j�jS�r&��)r��key_size�r��r#��r#��r$��sizeV��s��zRSAKey.sizec��C��s$��t�\|�jtj�r \|�j��jS�\|�j��S�r&��)� isinstancer��r�� RSAPrivateKey�private_numbers�public_numbersr-��r#��r#��r$��r2��Z��s�� zRSAKey.public_numbersc��C��s6��t��}\|�\|�j��\|�\|�jj��\|�\|�jj��\|��S�r&��)r �� add_stringr�� add_mpintr2��r��r��asbytes)r��mr#��r#��r$��r5��a��s ��zRSAKey.asbytesc��C��s��\|��jddd�S�)N�utf8�ignore)�errors)r5��decoder-��r#��r#��r$��__str__h��s��zRSAKey.__str__c��C��s��\|��\|�jj\|�jjfS�r&��)�get_namer2��r��r��r-��r#��r#��r$��_fieldsm��s��zRSAKey._fieldsc��C��\|�j�S�r&��)r��r-��r#��r#��r$��r<��q��zRSAKey.get_namec��C��r>��r&��)r.��r-��r#��r#��r$��get_bitst��r?��zRSAKey.get_bitsc��C��s��t�\|�jtj�S�r&��)r/��r��r��r0��r-��r#��r#��r$��can_signw��s��zRSAKey.can_signc��C��sR��\|d�u�r\|�j�}\|�jj\|t��\|�j\|��d�}t��}\|�\|�dd��\|�\|��\|S�)N)r�� algorithmz-cert-v01@openssh.com��) r��r��signr��PKCS1v15r(��r ��r3��replace)r��r��rB��sigr6��r#��r#��r$�� sign_ssh_dataz��s�� zRSAKey.sign_ssh_datac��C��s��\|��}\|\|�jvrdS�\|�j}t\|tj�r\|��}\|��}\|jt \|�d��}\|dkr3d\|d�d��\|�}z\|� \|\|t��\|�j\|��W�dS��t yN��Y�dS�w�)NF��r��T)�get_textr(��r��r/��r��r0��r�� get_binaryr,��len�verifyr��rE��r��)r��r��r�� sig_algorithmr��rD��diffr#��r#��r$��verify_ssh_sig��s$�� zRSAKey.verify_ssh_sigc��C��\|�j�\|\|�jtjj\|d��d�S��N)r!��)�_write_private_key_filer��r�� PrivateFormat�TraditionalOpenSSL)r��r ��r!��r#��r#��r$��write_private_key_file�� zRSAKey.write_private_key_filec��C��rS��rT��)�_write_private_keyr��r��rV��rW��)r��r"��r!��r#��r#��r$��write_private_key��rY��zRSAKey.write_private_keyc��C��s��t�jd\|�t��d�}t\|d�S�)a$�� Generate a new private RSA key. This factory function can be used to generate a new host key or authentication key. :param int bits: number of bits the generated key should be. :param progress_func: Unused :return: new `.RSAKey` private key i��)�public_exponentr,��backend)r��)r��generate_private_keyr��r��)�bits� progress_funcr��r#��r#��r$��generate��s�� zRSAKey.generatec��C��\|��d\|\|�}\|��\|��d�S��N�RSA)�_read_private_key_file�_decode_key)r��r ��r!��r��r#��r#��r$��r��zRSAKey._from_private_key_filec��C��rb��rc��)�_read_private_keyrf��)r��r"��r!��r��r#��r#��r$��r��rg��zRSAKey._from_private_keyc�� C��s��\|\}}\|\|�j�krztj\|d�t��d�}W�nK�tttfy)�}�ztt\|��d�}~ww�\|\|�j kr[\|�� \|d�\}}}}}} tj\|\|d�} tj \|\| \|\|\|d��\|\| d��\|\| d��t��}n\|��\|��t\|tj�shJ��\|\|�_d�S�)N)r!��r]��iiiiiir��)�p�q�d�dmp1�dmq1�iqmpr2��)�_PRIVATE_KEY_FORMAT_ORIGINALr��load_der_private_keyr�� ValueError� TypeErrorr��r��str�_PRIVATE_KEY_FORMAT_OPENSSH�_uint32_cstruct_unpackr��r��RSAPrivateNumbers�private_key�_got_bad_key_format_idr/��r0��r��)r��r��pkformatr��r��r��rm��rp��rk��rl��r2��r#��r#��r$��rf��s6�� zRSAKey._decode_key)NNNNNNr&��)�__name__� __module__�__qualname__�__doc__r��r��SHA1�SHA256�SHA512r(��r%��classmethodr+��propertyr.��r2��r5��r;��r=��r<��r@��rA��rH��rR��rX��r[��staticmethodra��r��r��rf��r#��r#��r#��r$��r��!��sN�� ! r��N)r��cryptography.exceptionsr��r��cryptography.hazmat.backendsr��cryptography.hazmat.primitivesr��r��)cryptography.hazmat.primitives.asymmetricr��r��paramiko.messager �� paramiko.pkeyr ��paramiko.ssh_exceptionr��r��r#��r#��r#��r$��<module>��s��__pycache__/_version.cpython-310.pyc��0000644��00000000367�15030210772�0013304 0��ustar�00��o ��hP��@��s��d�Z�d�eee��ZdS�))��.N)�__version_info__�join�map�str�__version__��r ��r ��D/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/_version.py�<module>��s��__pycache__/file.cpython-310.pyc��0000644��00000033137�15030210772�0012400 0��ustar�00��o ��hwJ��@��sL��d�dl�mZ�d�dlmZmZmZmZmZ�d�dlm Z m Z �G�dd��de �ZdS�)��)�BytesIO)�linefeed_byte_value�crlf�cr_byte� linefeed_byte� cr_byte_value)�ClosingContextManager�uc��@��s��e�Zd�ZdZdZdZdZdZdZdZ dZ dZdZd Z d Zdd��Zd d��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zd@d d!�Zd@d"d#�Zd@d$d%�ZdAd&d'�Zd(d)��Zdd+��Zd,d-��Zd.d/��Z e!d0d1��Z"d2d3��Z#d4d5��Z$d6d7��Z%dBd:d;�Z&d<d=��Z'd>d?��Z(dS�)C�BufferedFilezc Reusable base class to implement Python-style file buffering around a simpler stream. i� ��r�� @��c��C��sF��d�\|�_�d\|�_\|�j\|�_t��\|�_t��\|�_d\|�_d\|�_ d�\|�_ \|�_d\|�_d�S�)Nr��F) �newlines�_flags�_DEFAULT_BUFSIZE�_bufsizer��_wbuffer�bytes�_rbuffer�_at_trailing_cr�_closed�_pos�_realpos�_size��self��r ��@/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/file.py�__init__3��s�� zBufferedFile.__init__c��C��s��\|��d�S��N)�closer��r ��r ��r!��__del__B��s��zBufferedFile.__del__c��C��s��\|�j�rtd��\|�S�)z� Returns an iterator that can be used to iterate over the lines in this file. This iterator happens to return the file itself, since a file is its own iterator. :raises: ``ValueError`` -- if the file is closed. zI/O operation on closed file)r�� ValueErrorr��r ��r ��r!��__iter__E��s��zBufferedFile.__iter__c��C��s��\|��d\|�_dS�)zN Close the file. Future read and write operations will fail. TN)�flushr��r��r ��r ��r!��r$��Q��s�� zBufferedFile.closec��C��s��\|��\|�j��t��\|�_dS�)z{ Write out any data in the write buffer. This may do nothing if write buffering is not turned on. N)� _write_allr��getvaluer��r��r ��r ��r!��r(��X��s��zBufferedFile.flushc��C��s��\|��}\|st�\|S�)a�� Returns the next line from the input, or raises ``StopIteration`` when EOF is hit. Unlike python file objects, it's okay to mix calls to `.next` and `.readline`. :raises: ``StopIteration`` -- when the end of the file is reached. :returns: a line (`str`, or `bytes` if the file was opened in binary mode) read from the file. )�readline� StopIteration)r��liner ��r ��r!��__next__a��s��zBufferedFile.__next__c��C��\|�j�\|�j@�\|�jkS�)z� Check if the file can be read from. :returns: `True` if the file can be read from. If `False`, `read` will raise an exception. )r�� FLAG_READr��r ��r ��r!��readabler��zBufferedFile.readablec��C��r/��)z� Check if the file can be written to. :returns: `True` if the file can be written to. If `False`, `write` will raise an exception. )r�� FLAG_WRITEr��r ��r ��r!��writable\|��r2��zBufferedFile.writablec��C��dS�)z� Check if the file supports random access. :returns: `True` if the file supports random access. If `False`, `seek` will raise an exception. Fr ��r��r ��r ��r!��seekable��s��zBufferedFile.seekablec��C��s&��\|��t\|��}\|\|dt\|��<�t\|�S�)z� Read up to ``len(buff)`` bytes into ``bytearray`` buff* and return the number of bytes read. :returns: The number of bytes read. N)�read�len)r��buff�datar ��r ��r!��readinto��s��zBufferedFile.readintoNc��C��s��\|�j�rtd��\|�j\|�j@�std��\|du�s\|dk�rgt\|�j�}t��\|�_\|��jt\|�7��_ �z\|�� \|�j �}W�n�ty?��d}Y�nw�\|du�sJt\|�dkrO �t\|�S�\|�\|��\|��j t\|�7��_ \|��jt\|�7��_q,\|t\|�j�kr�\|�jd\|��}\|�j\|d��\|�_\|��jt\|�7��_\|S�t\|�j�\|k�r�\|t\|�j��}\|�j\|�j@�r�t\|�j\|�}z\|�� \|�}W�n�ty��d}Y�nw�\|du�s�t\|�dkr�n\|��j\|7��_\|��j t\|�7��_ t\|�j�\|k�s�\|�jd\|��}\|�j\|d��\|�_\|��jt\|�7��_\|S�)a�� Read at most ``size`` bytes from the file (less if we hit the end of the file first). If the ``size`` argument is negative or omitted, read all the remaining data in the file. .. note:: ``'b'`` mode flag is ignored (``self.FLAG_BINARY`` in ``self._flags``), because SSH treats all files as binary, since we have no idea what encoding the file is in, or even if the file is text data. :param int size: maximum number of bytes to read :returns: data read from the file (as bytes), or an empty string if EOF was encountered immediately �File is closedzFile is not open for readingNr��)r��IOErrorr��r0�� bytearrayr��r��r��r8��_readr��EOFError�extendr�� FLAG_BUFFERED�maxr��)r��size�result�new_data� read_sizer ��r ��r!��r7��sX�� zBufferedFile.readc�� C��s��\|�j�rtd��\|�j\|�j@�std��\|�j}d} �\|�jr@\|�j\|�j@�r@t\|�dkr@\|d�tkr8\|dd��}\|�� t ��n\|�� t��d\|�_\|dure\|dkret\|�\|kr^\|\|d��\|�_\|d\|��}d}n]\|t\|��}n\|�j}t \|v�sv\|�j\|�j@�rwt\|v�rwnDz\|��\|�}W�n�ty��d}Y�nw�\|du�s�t\|�dkr�t��\|�_\|��jt\|�7��_\|�j\|�j@�r�\|S�t\|�S�\|\|7�}\|��jt\|�7��_q\|�t �}\|�j\|�j@�r�\|�t�}\|dkr�\|\|k�s�\|dk�r�\|}\|dkr�\|��jt\|�7��_\|�j\|�j@�r�\|S�t\|�S�\|d�}\|\|�tk�r\|t\|�k��r\|\|�tk�r\|d7�}\|�r\|\|d��\|�j�\|�_n\|\|d��\|�_\|\|\|��} \|d\|��t �}t\|�j�dk�rC\| tk�rCd\|�_n\|�� \| ��\|��jt\|�7��_\|�j\|�j@��rZ\|S�t\|�S�) a�� Read one entire line from the file. A trailing newline character is kept in the string (but may be absent when a file ends with an incomplete line). If the size argument is present and non-negative, it is a maximum byte count (including the trailing newline) and an incomplete line may be returned. An empty string is returned only when EOF is encountered immediately. .. note:: Unlike stdio's ``fgets``, the returned string contains null characters (``'\0'``) if they occurred in the input. :param int size: maximum length of returned string. :returns: next line of the file, or an empty string if the end of the file has been reached. If the file was opened in binary (``'b'``) mode: bytes are returned Else: the encoding of the file is assumed to be UTF-8 and character strings (`str`) are returned r<��zFile not open for readingFTr��r��N��)r��r=��r��r0��r��r��FLAG_UNIVERSAL_NEWLINEr8��r��_record_newliner��r��r��r��r?��r@��r��r��FLAG_BINARYr ��r��findr��) r��rD��r-�� truncated�nrF��pos�rpos�xpos�lfr ��r ��r!��r+��s�� ) zBufferedFile.readlinec��C��sR��g�}d} �\|��}t\|�dkr �\|S�\|�\|��\|t\|�7�}\|dur(\|\|kr( �\|S�q)a�� Read all remaining lines using `readline` and return them as a list. If the optional ``sizehint`` argument is present, instead of reading up to EOF, whole lines totalling approximately sizehint bytes (possibly after rounding up to an internal buffer size) are read. :param int sizehint: desired maximum number of bytes to read. :returns: list of lines read from the file. r��TN)r+��r8��append)r��sizehint�lines� byte_countr-��r ��r ��r!�� readlines@��s�� zBufferedFile.readlinesc��C��t�d��)a�� Set the file's current position, like stdio's ``fseek``. Not all file objects support seeking. .. note:: If a file is opened in append mode (``'a'`` or ``'a+'``), any seek operations will be undone at the next write (as the file position will move back to the end of the file). :param int offset: position to move to within the file, relative to ``whence``. :param int whence: type of movement: 0 = absolute; 1 = relative to the current position; 2 = relative to the end of the file. :raises: ``IOError`` -- if the file doesn't support random access. zFile does not support seeking.�r=��)r��offset�whencer ��r ��r!��seekV��s��zBufferedFile.seekc��C��\|�j�S�)z� Return the file's current position. This may not be accurate or useful if the underlying file doesn't support random access, or was opened in append mode. :returns: file position (`number <int>` of bytes). )r��r��r ��r ��r!��tellj��s��zBufferedFile.tellc��C��s��t�\|t�r \|�d�}\|�jrtd��\|�j\|�j@�std��\|�j\|�j@�s(\|��\|��dS�\|�j � \|��\|�j\|�j@�ri\|�t �}\|dkrg\|�j ��}\|t\|�t\|��7�}\|��\|d\|d��t��\|�_ \|�j � \|\|d�d��dS�\|�j ��\|�jkru\|��dS�)a8�� Write data to the file. If write buffering is on (``bufsize`` was specified and non-zero), some or all of the data may not actually be written yet. (Use `flush` or `close` to force buffered data to be written out.) :param data: ``str``/``bytes`` data to write zutf-8r<��zFile not open for writingNr��r��)� isinstance�str�encoder��r=��r��r3��rB��r)��r��write�FLAG_LINE_BUFFERED�rfindr��r��r8��r��r^��r��r(��)r��r:��last_newline_pos�wbufr ��r ��r!��rb��t��s,�� zBufferedFile.writec��C��s��\|D�]}\|��\|��qdS�)a?�� Write a sequence of strings to the file. The sequence can be any iterable object producing strings, typically a list of strings. (The name is intended to match `readlines`; `writelines` does not add line separators.) :param sequence: an iterable sequence of strings. N)rb��)r��sequencer-��r ��r ��r!�� writelines��s�� zBufferedFile.writelinesc��C��s��\|�S�)z Identical to ``iter(f)``. This is a deprecated file interface that predates Python iterator support. r ��r��r ��r ��r!�� xreadlines��s��zBufferedFile.xreadlinesc��C��r]��r#��)r��r��r ��r ��r!��closed��s��zBufferedFile.closedc��C��s��t��)z� (subclass override) Read data from the stream. Return ``None`` or raise ``EOFError`` to indicate EOF. )r@��)r��rD��r ��r ��r!��r?��s��zBufferedFile._readc��C��rX��)zI (subclass override) Write data into the stream. zwrite not implementedrY��)r��r:��r ��r ��r!��_write��s��zBufferedFile._writec��C��r5��)ai�� (subclass override) Return the size of the file. This is called from within `_set_mode` if the file is opened in append mode, so the file position can be tracked and `seek` and `tell` will work correctly. If the file is a stream that can't be randomly accessed, you don't need to override this method, r��r ��r��r ��r ��r!�� _get_size��s�� zBufferedFile._get_size�rrH��c��C��s:��\|�j�\|�_\|dk�r d}\|dkr\|��j\|�j\|�jB�O��_n)\|dkr3\|\|�_\|��j\|�jO��_\|��j\|�j�M��_n\|dkrC\|��j\|�j\|�jB��M��_d\|v�sKd\|v�rS\|��j\|�jO��_d\|v�s[d\|v�rc\|��j\|�jO��_d\|v�r~\|��j\|�j\|�jB�O��_\|��\|�_ \|�j �\|�_ \|�_d\|v�r�\|��j\|�jO��_d\|v�r�\|��j\|�j O��_d \|�_d S�d S�) zM Subclasses call this method to initialize the BufferedFile. r��r��rm��+�w�a�b�UN)r��r��r��rB��rc��r0��r3��FLAG_APPENDrl��r��r��r��rK��rI��r��)r��mode�bufsizer ��r ��r!�� _set_mode��s2�� zBufferedFile._set_modec��C��s��t�\|�}t\|�dkr>\|��\|�}\|\|d��}\|�j\|�j@�r\|��j\|7��_\|�j�\|�_\|�_n\|��j\|7��_\|��j\|7��_t\|�dks d�S�)Nr��)� memoryviewr8��rk��r��rs��r��r��r��)r��raw_datar:��countr ��r ��r!��r)��s�� zBufferedFile._write_allc��C��sl��\|�j�\|�j@�sd�S�\|�jd�u�r\|\|�_d�S�\|�j\|kr%t\|�jt�r%\|�j\|f\|�_d�S�\|\|�jvr4\|��j\|f7��_d�S�d�S�r#��)r��rI��r��r_��r��)r��newliner ��r ��r!��rJ��s�� zBufferedFile._record_newliner#��)r��)rm��rH��))�__name__� __module__�__qualname__�__doc__r��SEEK_SET�SEEK_CUR�SEEK_ENDr0��r3��rs��rK��rB��rc��rI��r"��r%��r'��r$��r(��r.��r1��r4��r6��r;��r7��r+��rW��r\��r^��rb��rh��ri��propertyrj��r?��rk��rl��rv��r)��rJ��r ��r ��r ��r!��r ��sN�� ; i $ (r ��N)�ior��paramiko.commonr��r��r��r��r�� paramiko.utilr��r ��r ��r ��r ��r ��r!��<module>��s��__pycache__/sftp_file.cpython-310.pyc��0000644��00000043725�15030210772�0013440 0��ustar�00��o ��h<U��@��s��d�Z�ddlmZ�ddlmZ�ddlZddlZddlZddlm Z m Z �ddlmZ�ddl mZ�ddlmZmZmZmZmZmZmZmZmZmZmZ�dd lmZ�G�d d��de�ZdS�)z SFTP file object ��)�hexlify)�dequeN)�DEBUG�io_sleep)�BufferedFile)�u)� CMD_CLOSE�CMD_READ�CMD_DATA� SFTPError� CMD_WRITE� CMD_STATUS� CMD_FSTAT� CMD_ATTRS�CMD_FSETSTAT�CMD_EXTENDED�int64)�SFTPAttributesc��@��s��e�Zd�ZdZdZdAdd�Zdd��Zd d ��ZdBdd �Zdd��Z dd��Z dd��Zdd��Zdd��Z dd��Zdd��Zdd��Zdd��ZdCd!d"�Zd#d$��Zd%d&��Zd'd(��Zd)d��Zd+d,��ZdDd-d.�ZdEd0d1�ZdFd3d4�ZdGd5d6�Zd7d8��ZdGd9d:�Zd;d<��Zd=d>��Zd?d@��Z d2S�)H�SFTPFilez� Proxy object for a file on the remote server, in client mode SFTP. Instances of this class may be used as context managers in the same way that built-in Python file objects are. i��r��c��C��s^��t��\|��\|\|�_\|\|�_t��\|�\|\|��d\|�_d\|�_d\|�_i�\|�_i�\|�_ t ��\|�_d�\|�_ t��\|�_d�S�)NF)r��__init__�sftp�handle� _set_mode� pipelined�_prefetching�_prefetch_done�_prefetch_data�_prefetch_extents� threading�Lock�_prefetch_lock�_saved_exceptionr��_reqs)�selfr��r��mode�bufsize��r(��E/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/sftp_file.pyr��=��s�� zSFTPFile.__init__c��C��s��\|�j�dd��d�S�)NT��async_��_close�r%��r(��r(��r)��__del__K��s��zSFTPFile.__del__c��C��s��\|�j�dd��dS�)z! Close the file. Fr��Nr,��r.��r(��r(��r)��closeN��s��zSFTPFile.closeFc�� C��s��\|�j�rd�S�\|�j�td�tt\|�j��\|�jr\|�j� \|��t �\|��z\|r3\|�j�t d��t\|�j��W�d�S�\|�j�t\|�j��W�d�S��tyG��Y�d�S��ttjfyS��Y�d�S�w�)Nz close({}))�_closedr��_logr��formatr��r��r��r��_finish_responsesr��r0��_async_request�typer��_request�EOFError�IOError�socket�error)r%��r+��r(��r(��r)��r-��T��s�� zSFTPFile._closec��s��fdd�t�\|�j��D��}t\|�dkrdS�\|jdd��d��\|d�\}}\|\|��kr,dS�\|\|��\|�kr6d S�\|��\|\|��\|�\|�\|��S�) Nc��s��g�\|�] }\|d��kr\|�qS��r��r(��)�.0�x��offsetr(��r)�� <listcomp>q��s��z7SFTPFile._data_in_prefetch_requests.<locals>.<listcomp>r��Fc��S��s��\|�d�S��Nr��r(��)r>��r(��r(��r)��<lambda>v��s��z5SFTPFile._data_in_prefetch_requests.<locals>.<lambda>)�keyr��T)�listr��values�len�sort�_data_in_prefetch_requests)r%��r@��size�k� buf_offset�buf_sizer(��r?��r)��rI��p��s�� z#SFTPFile._data_in_prefetch_requestsc��sR��fdd�\|�j��D��}t\|�dkrdS�t\|�}��\|�}\|t\|�j�\|��kr'dS�\|S�)a�� if a block of data is present in the prefetch buffers, at the given offset, return the offset of the relevant prefetch buffer. otherwise, return None. this guarantees nothing about the number of bytes collected in the prefetch buffer so far. c��s��g�\|�]}\|��kr\|�qS�r(��r(��)r=��ir?��r(��r)��rA��s��z6SFTPFile._data_in_prefetch_buffers.<locals>.<listcomp>r��N)r��keysrG��max)r%��r@��rK��indexrL��r(��r?��r)��_data_in_prefetch_buffers��s��z"SFTPFile._data_in_prefetch_buffersc��C��s�� \|��\|�j�}\|durn\|�js\|�jrn \|�j��\|��q\|du�r&d\|�_dS�\|�j\|�}\|�j\|=�\|�j\|�}\|dkrG\|d\|��\|�j\|<�\|\|d��}\|t \|�k�r_\|\|d��\|�j\|�j\|�<�\|d\|��}\|S�)z� read data out of the prefetch buffer, if possible. if the data isn't in the buffer, return None. otherwise, behaves like a normal read. TNFr��) rR��_realposr��r1��r��_read_response�_check_exceptionr��r��rG��)r%��rJ��r@��prefetchrL��r(��r(��r)��_read_prefetch��s,�� zSFTPFile._read_prefetchc��C��sb��t�\|\|�j�}\|�jr\|��\|�}\|d�ur\|S�\|�j�t\|�jt\|�j �t \|��\}}\|tkr-td��\|� ��S�)N� Expected data)�min�MAX_REQUEST_SIZEr��rW��r��r7��r ��r��r��rS��intr ��r�� get_string)r%��rJ��data�t�msgr(��r(��r)��_read��s�� zSFTPFile._readc�� C��s��t�t\|�\|�j�}\|�j�td��t\|�jt\|�j �\|d�\|��}\|�j �\|��\|�jr2t\|�j �dkrQ\|�jj ��rQt\|�j �rQ\|�j ��}\|�j�\|�\}}\|tkrLtd��t\|�j �s7\|S�)N�d��zExpected status)rY��rG��rZ��r��r5��r6��r��r��r��rS��r$��appendr��sock� recv_ready�popleftrT��r ��r��)r%��r]��chunk�sftp_async_request�reqr^��r_��r(��r(��r)��_write��s$�� zSFTPFile._writec��C��\|�j�j�\|��dS�)a@�� Set a timeout on read/write operations on the underlying socket or ssh `.Channel`. :param float timeout: seconds to wait for a pending read/write operation before raising ``socket.timeout``, or ``None`` for no timeout .. seealso:: `.Channel.settimeout` N)r��rc�� settimeout)r%��timeoutr(��r(��r)��rk��s��zSFTPFile.settimeoutc��C��s��\|�j�j��S�)z� Returns the timeout in seconds (as a `float`) associated with the socket or ssh `.Channel` used for this file. .. seealso:: `.Channel.gettimeout` )r��rc�� gettimeoutr.��r(��r(��r)��rm��s��zSFTPFile.gettimeoutc��C��rj��)z� Set blocking or non-blocking mode on the underiying socket or ssh `.Channel`. :param int blocking: 0 to set non-blocking mode; non-0 to set blocking mode. .. seealso:: `.Channel.setblocking` N)r��rc��setblocking)r%��blockingr(��r(��r)��rn��s�� zSFTPFile.setblockingc��C��s��dS�)z� Check if the file supports random access. :return: `True` if the file supports random access. If `False`, :meth:`seek` will raise an exception Tr(��r.��r(��r(��r)��seekable��s��zSFTPFile.seekabler��c��C��sb��\|��\|\|�jkr\|�\|�_\|�_n\|\|�jkr!\|��j\|7��_\|�j\|�_n \|��\|��\|�_\|�_t��\|�_dS�)zX Set the file's current position. See `file.seek` for details. N)�flush�SEEK_SETrS��_pos�SEEK_CUR� _get_size�bytes�_rbuffer)r%��r@��whencer(��r(��r)��seek��s�� z SFTPFile.seekc��C��s.��\|�j��t\|�j�\}}\|tkrtd��t�\|�S�)a�� Retrieve information about this file from the remote system. This is exactly like `.SFTPClient.stat`, except that it operates on an already-open file. :returns: an `.SFTPAttributes` object containing attributes about this file. zExpected attributes)r��r7��r��r��r��r��r�� _from_msg)r%��r^��r_��r(��r(��r)��stat��s�� z SFTPFile.statc��C��>��\|�j��td�t\|�j�\|��t��}\|\|_\|�j��t \|�j\|��dS�)z� Change the mode (permissions) of this file. The permissions are unix-style and identical to those used by Python's `os.chmod` function. :param int mode: new permissions zchmod({}, {!r})N) r��r2��r��r3��r��r��r��st_moder7��r��)r%��r&��attrr(��r(��r)��chmod ��zSFTPFile.chmodc��C��sH��\|�j��td�t\|�j�\|\|��t��}\|\|\|_\|_\|�j�� t \|�j\|��dS�)aV�� Change the owner (``uid``) and group (``gid``) of this file. As with Python's `os.chown` function, you must pass both arguments, so if you only want to change one, use `stat` first to retrieve the current owner and group. :param int uid: new owner's uid :param int gid: new group id zchown({}, {!r}, {!r})N)r��r2��r��r3��r��r��r��st_uid�st_gidr7��r��)r%��uid�gidr~��r(��r(��r)��chown/��s�� zSFTPFile.chownc��C��s\��\|du�rt��t��f}\|�j�td�t\|�j�\|��t��}\|\\|_\|_ \|�j� t\|�j\|��dS�)ad�� Set the access and modified times of this file. If ``times`` is ``None``, then the file's access and modified times are set to the current time. Otherwise, ``times`` must be a 2-tuple of numbers, of the form ``(atime, mtime)``, which is used to set the access and modified times, respectively. This bizarre API is mimicked from Python for the sake of consistency -- I apologize. :param tuple times: ``None`` or a tuple of (access time, modified time) in standard internet epoch time (seconds since 01 January 1970 GMT) Nzutime({}, {!r}))�timer��r2��r��r3��r��r��r��st_atime�st_mtimer7��r��)r%��timesr~��r(��r(��r)��utimeA��s�� zSFTPFile.utimec��C��r\|��)z� Change the size of this file. This usually extends or shrinks the size of the file, just like the ``truncate()`` method on Python file objects. :param size: the new size of the file ztruncate({}, {!r})N) r��r2��r��r3��r��r��r��st_sizer7��r��)r%��rJ��r~��r(��r(��r)��truncateW��r��zSFTPFile.truncatec�� C��sB��\|�j��td\|�j\|t\|�t\|�\|�\}}\|��\|��\|��}\|S�)a�� Ask the server for a hash of a section of this file. This can be used to verify a successful upload or download, or for various rsync-like operations. The file is hashed from ``offset``, for ``length`` bytes. If ``length`` is 0, the remainder of the file is hashed. Thus, if both ``offset`` and ``length`` are zero, the entire file is hashed. Normally, ``block_size`` will be 0 (the default), and this method will return a byte string representing the requested hash (for example, a string of length 16 for MD5, or 20 for SHA-1). If a non-zero ``block_size`` is given, each chunk of the file (from ``offset`` to ``offset + length``) of ``block_size`` bytes is computed as a separate hash. The hash results are all concatenated and returned as a single string. For example, ``check('sha1', 0, 1024, 512)`` will return a string of length 40. The first 20 bytes will be the SHA-1 of the first 512 bytes of the file, and the last 20 bytes will be the SHA-1 of the next 512 bytes. :param str hash_algorithm: the name of the hash algorithm to use (normally ``"sha1"`` or ``"md5"``) :param offset: offset into the file to begin hashing (0 means to start from the beginning) :param length: number of bytes to hash (0 means continue to the end of the file) :param int block_size: number of bytes to hash per result (must not be less than 256; 0 means to compute only one hash of the entire segment) :return: `str` of bytes representing the hash of each block, concatenated together :raises: ``IOError`` -- if the server doesn't support the "check-file" extension, or possibly doesn't support the hash algorithm requested .. note:: Many (most?) servers don't support this extension yet. .. versionadded:: 1.4 z check-file)r��r7��r��r��r��get_text� get_remainder)r%��hash_algorithmr@��length� block_sizer^��r_��r]��r(��r(��r)��checkf��s��.� zSFTPFile.checkTc��C��s ��\|\|�_�dS�)a�� Turn on/off the pipelining of write operations to this file. When pipelining is on, paramiko won't wait for the server response after each write operation. Instead, they're collected as they come in. At the first non-write operation (including `.close`), all remaining server responses are collected. This means that if there was an error with one of your later writes, an exception might be thrown from within `.close` instead of `.write`. By default, files are not pipelined. :param bool pipelined: ``True`` if pipelining should be turned on for this file; ``False`` otherwise .. versionadded:: 1.5 N)r��)r%��r��r(��r(��r)�� set_pipelined��s�� zSFTPFile.set_pipelinedNc��C��sr��\|du�r \|��j}g�}\|�j}\|\|k�r)t\|�j\|\|��}\|�\|\|f��\|\|7�}\|\|k�st\|�dkr7\|��\|\|��dS�dS�)aE�� Pre-fetch the remaining contents of this file in anticipation of future `.read` calls. If reading the entire file, pre-fetching can dramatically improve the download speed by avoiding roundtrip latency. The file's contents are incrementally buffered in a background thread. The prefetched data is stored in a buffer until read via the `.read` method. Once data has been read, it's removed from the buffer. The data may be read in a random order (using `.seek`); chunks of the buffer that haven't been read will continue to be buffered. :param int file_size: When this is ``None`` (the default), this method calls `stat` to determine the remote file size. In some situations, doing so can cause exceptions or hangs (see `#562 <https://github.com/paramiko/paramiko/pull/562>`_); as a workaround, one may call `stat` explicitly and pass its value in via this parameter. :param int max_concurrent_requests: The maximum number of concurrent read requests to prefetch. See `.SFTPClient.get` (its ``max_concurrent_prefetch_requests`` param) for details. .. versionadded:: 1.5.1 .. versionchanged:: 1.16.0 The ``file_size`` parameter was added (with no default value). .. versionchanged:: 1.16.1 The ``file_size`` parameter was made optional for backwards compatibility. .. versionchanged:: 3.3 Added ``max_concurrent_requests``. Nr��)r{��r��rS��rY��rZ��rb��rG��_start_prefetch)r%�� file_size�max_concurrent_requests�chunks�nrf��r(��r(��r)��rV��s��! ��zSFTPFile.prefetchc��c��s��\|�j��td�t\|�j�\|��g�}\|D�]-\}}\|��\|�s"\|��\|\|�r#q\|dkr@t\|\|�j �}\|� \|\|f��\|\|7�}\|\|8�}\|dks'q\|��\|\|��\|D�]}\|��\|d��\|�� \|d��V��qIdS�)a/�� Read a set of blocks from the file by (offset, length). This is more efficient than doing a series of `.seek` and `.read` calls, since the prefetch machinery is used to retrieve all the requested blocks at once. :param chunks: a list of ``(offset, length)`` tuples indicating which sections of the file to read :param int max_concurrent_prefetch_requests: The maximum number of concurrent read requests to prefetch. See `.SFTPClient.get` (its ``max_concurrent_prefetch_requests`` param) for details. :return: a list of blocks read, in the same order as in ``chunks`` .. versionadded:: 1.5.4 .. versionchanged:: 3.3 Added ``max_concurrent_prefetch_requests``. zreadv({}, {!r})r��N)r��r2��r��r3��r��r��rR��rI��rY��rZ��rb��r��ry��read)r%��r�� max_concurrent_prefetch_requests�read_chunksr@��rJ�� chunk_sizer>��r(��r(��r)��readv��s0�� zSFTPFile.readvc��C��s��z\|��jW�S��Y�dS�rB��)r{��r��r.��r(��r(��r)��ru��s��zSFTPFile._get_sizec��C��s2��d\|�_�d\|�_tj\|�j\|\|fd�}d\|_\|��d�S�)NTF)�target�args)r��r��r ��Thread�_prefetch_thread�daemon�start)r%��r��r��r^��r(��r(��r)��r��s��zSFTPFile._start_prefetchc�� C��s��\|D�]\\}}\|d�ur5 �\|�j��t\|�j�}\|\|k�r �W�d��nW�d��n1�sw��Y��t�t��q\|�j�\|�t\|�j t \|�t\|��}\|�j��\|\|f\|�j\|<�W�d��n1�sYw��Y��qd�S��N)r"��rG��r��r��sleepr��r��r5��r ��r��r��r[��)r%��r��r��r@��r��pf_len�numr(��r(��r)��r��$��s(�� zSFTPFile._prefetch_threadc�� C��s��\|t�kr$z \|�j�\|��W�d�S��ty#�}�z \|\|�_W�Y�d�}~d�S�d�}~ww�\|tkr,td��\|��} �\|�j�0�\|\|�j v�r]\|�j \|�\}}\|\|�j \|<�\|�j \|=�t\|�j �dkrTd\|�_ �W�d��d�S�W�d��n1�sgw��Y��q1)NrX��Tr��) r ��r��_convert_status� Exceptionr#��r ��r��r\��r"��r��r��rG��r��)r%��r^��r_��r��er]��r@��r��r(��r(��r)��_async_response7��s2�� zSFTPFile._async_responsec��C��s��\|�j�dur \|�j�}d\|�_�\|�dS�)z.if there's a saved exception, raise & clear itN)r#��)r%��r>��r(��r(��r)��rU��M��s �� zSFTPFile._check_exception)r��r��)Fr<��)r��r��r��)T)NNr��)!�__name__� __module__�__qualname__�__doc__rZ��r��r/��r0��r-��rI��rR��rW��r`��ri��rk��rm��rn��rp��ry��r{��r��r��r��r��r��r��rV��r��ru��r��r��r��rU��r(��r(��r(��r)��r��1��s>�� < ./ r��)r��binasciir��collectionsr��r:��r ��r��paramiko.commonr��r�� paramiko.filer�� paramiko.utilr�� paramiko.sftpr��r ��r ��r��r��r ��r��r��r��r��r��paramiko.sftp_attrr��r��r(��r(��r(��r)��<module>��s��4 ��__pycache__/common.cpython-310.pyc��0000644��00000012325�15030210772�0012745 0��ustar�00��o ��hL��@��s��d�Z�ddlZddlZdd��Zdd��Zdd��Zed d �\ZZZ Z ZZZ edd�\ZZed d�\ZZZZdZedd�\ZZedd�\ZZedd�\ZZZZdZedd�\ZZZ edd�\Z!Z"Z#Z$Z%Z&Z'Z(Z)ZZ+ee�Z,ee�Z-ee �Z.ee �Z/ee�Z0ee�Z1ee �Z2ee�Z3ee�Z4ee�Z5ee�Z6ee�Z7ee�Z8ee�Z9ee�Z:ee�Z;ee�Z<ee�Z=ee�Z>ee�Z?ee�Z@ee�ZAee�ZBee�ZCee �ZDee!�ZEee"�ZFee#�ZGee$�ZHee%�ZIee&�ZJee'�ZKee(�ZLee)�ZMee�ZNee+�ZOi�ed�ed�e d�e d�ed�ed�ed�e d�ed �d!d"�d#d$�d%d&�d'd(�d)d�d+d,�d-d.�ed/�i�ed0�ed1�ed2�ed3�ed4�ed5�ed6�e d7�e!d8�e"d9�e#d:�e$d;�e%d<�e&d=�e'd>�e(d?�e)d@��edAe+dBedCedDedEedFedGedHi�ZPedI�\ZQZRZSeddJ�\ZTZUZVZWZXdKdLdMdNdO�ZYdP\ZZZ[Z\ed�Z]ed �Z^edQ�Z_edR�Z`edS�ZaedT�Zbeaeb�ZcdSZddTZedUZfdVZgdWZhdXZidYZjdZZkd[Zld\Zmd]ZnejoZoejpZpejqZqejrZrejsZsd^Ztd_Zud`Zvd`ZwdaZxdUZydS�)bz( Common constants and global variables. ��Nc��C��s��t�\|�t�sJ��t�d\|��S��N�B�� isinstance�int�struct�pack��c��r��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/common.py�byte_chr��s��r ��c��C��s��t�\|�t�sJ��t�d\|�\|@��S�r��r��)r ��maskr��r��r�� byte_mask#��s��r��c��C��s��t�\|�t�s t\|��}�\|�S�)N)r��r��ordr ��r��r��r��byte_ord(��s�� r��2��6��<��>��?��C��O��P��S��Z��e�� disconnect�ignore� unimplemented�debugzservice-requestzservice-accept�kexinitzext-info�newkeys��kex30��kex31� ��kex32�!��kex33�"��kex34�(��kex40�)��kex41zuserauth-requestzuserauth-failurezuserauth-successzuserauth--bannerzuserauth-60(pk-ok/info-request)zuserauth-info-responsezglobal-requestzrequest-successzrequest-failurezchannel-openzchannel-open-successzchannel-open-failurezchannel-window-adjustzchannel-datazchannel-extended-datazchannel-eofz channel-closezchannel-requestzchannel-successzchannel-failurezuserauth-gssapi-responsezuserauth-gssapi-tokenz!userauth-gssapi-exchange-completezuserauth-gssapi-errorzuserauth-gssapi-error-tokenzuserauth-gssapi-mic��zAdministratively prohibitedzConnect failedzUnknown channel typezResource shortage)r��r5��)�� r8��r:�� l��l��i��i��i��i��i��i��8��g{�G�z�?i�� i��i��)z�__doc__�loggingr��r ��r��r��range�MSG_DISCONNECT� MSG_IGNORE�MSG_UNIMPLEMENTED� MSG_DEBUG�MSG_SERVICE_REQUEST�MSG_SERVICE_ACCEPT�MSG_EXT_INFO�MSG_KEXINIT�MSG_NEWKEYS�MSG_USERAUTH_REQUEST�MSG_USERAUTH_FAILURE�MSG_USERAUTH_SUCCESS�MSG_USERAUTH_BANNER�MSG_USERAUTH_PK_OK�MSG_USERAUTH_INFO_REQUEST�MSG_USERAUTH_INFO_RESPONSE�MSG_USERAUTH_GSSAPI_RESPONSE�MSG_USERAUTH_GSSAPI_TOKEN�%MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE�MSG_USERAUTH_GSSAPI_ERROR�MSG_USERAUTH_GSSAPI_ERRTOK�MSG_USERAUTH_GSSAPI_MIC�HIGHEST_USERAUTH_MESSAGE_ID�MSG_GLOBAL_REQUEST�MSG_REQUEST_SUCCESS�MSG_REQUEST_FAILURE�MSG_CHANNEL_OPEN�MSG_CHANNEL_OPEN_SUCCESS�MSG_CHANNEL_OPEN_FAILURE�MSG_CHANNEL_WINDOW_ADJUST�MSG_CHANNEL_DATA�MSG_CHANNEL_EXTENDED_DATA�MSG_CHANNEL_EOF�MSG_CHANNEL_CLOSE�MSG_CHANNEL_REQUEST�MSG_CHANNEL_SUCCESS�MSG_CHANNEL_FAILURE�cMSG_DISCONNECT�cMSG_IGNORE�cMSG_UNIMPLEMENTED� cMSG_DEBUG�cMSG_SERVICE_REQUEST�cMSG_SERVICE_ACCEPT� cMSG_EXT_INFO�cMSG_KEXINIT�cMSG_NEWKEYS�cMSG_USERAUTH_REQUEST�cMSG_USERAUTH_FAILURE�cMSG_USERAUTH_SUCCESS�cMSG_USERAUTH_BANNER�cMSG_USERAUTH_PK_OK�cMSG_USERAUTH_INFO_REQUEST�cMSG_USERAUTH_INFO_RESPONSE�cMSG_USERAUTH_GSSAPI_RESPONSE�cMSG_USERAUTH_GSSAPI_TOKEN�&cMSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE�cMSG_USERAUTH_GSSAPI_ERROR�cMSG_USERAUTH_GSSAPI_ERRTOK�cMSG_USERAUTH_GSSAPI_MIC�cMSG_GLOBAL_REQUEST�cMSG_REQUEST_SUCCESS�cMSG_REQUEST_FAILURE�cMSG_CHANNEL_OPEN�cMSG_CHANNEL_OPEN_SUCCESS�cMSG_CHANNEL_OPEN_FAILURE�cMSG_CHANNEL_WINDOW_ADJUST�cMSG_CHANNEL_DATA�cMSG_CHANNEL_EXTENDED_DATA�cMSG_CHANNEL_EOF�cMSG_CHANNEL_CLOSE�cMSG_CHANNEL_REQUEST�cMSG_CHANNEL_SUCCESS�cMSG_CHANNEL_FAILURE� MSG_NAMES�AUTH_SUCCESSFUL�AUTH_PARTIALLY_SUCCESSFUL�AUTH_FAILED�OPEN_SUCCEEDED�'OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED�OPEN_FAILED_CONNECT_FAILED� OPEN_FAILED_UNKNOWN_CHANNEL_TYPE�OPEN_FAILED_RESOURCE_SHORTAGE�CONNECTION_FAILED_CODE� DISCONNECT_SERVICE_NOT_AVAILABLE�!DISCONNECT_AUTH_CANCELLED_BY_USER�)DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE� zero_byte�one_byte� four_byte�max_byte�cr_byte� linefeed_byte�crlf� cr_byte_value�linefeed_byte_value� xffffffff� x80000000�o666�o660�o644�o600�o777�o700�o70�DEBUG�INFO�WARNING�ERROR�CRITICAL�io_sleep�DEFAULT_WINDOW_SIZE�DEFAULT_MAX_PACKET_SIZE�MIN_WINDOW_SIZE�MIN_PACKET_SIZE�MAX_WINDOW_SIZEr��r��r��r��<module>��s�� !�"�#�/ ��__pycache__/packet.cpython-310.pyc��0000644��00000034535�15030210772�0012733 0��ustar�00��o ��h�V��@��s��d�Z�ddlZddlZddlZddlZddlZddlZddlmZ�ddl m Z �ddlmZm Z mZmZmZmZmZ�ddlmZ�ddlmZmZ�ddlmZ�d d ��ZG�dd��de�Zd d��ZG�dd��d�ZdS�)z Packet handling ��N)�HMAC)�util)� linefeed_byte� cr_byte_value� MSG_NAMES�DEBUG� xffffffff� zero_byte�byte_ord)�u)�SSHException�ProxyCommandFailure)�Messagec��C��s��t�\|�\|\|��S��N)r��digest)�key�message�digest_class��r��B/usr/local/CyberCP/lib/python3.10/site-packages/paramiko/packet.py�compute_hmac.��s��r��c��@��s��e�Zd�ZdZdS�)�NeedRekeyExceptionz1 Exception indicating a rekey is needed. N)�__name__� __module__�__qualname__�__doc__r��r��r��r��r��2��s��r��c��C��s.��d�}t�\|�j�tu�rt\|�j�dkr\|�jd�}\|S��Nr��)�type�args�tuple�len)�e�argr��r��r�� first_arg:��s�� r#��c��@��s8��e�Zd�ZdZedd�Zedd�Zedd�Zedd�Zdd��Z e dd��Zdd ��Zd d��Z dd ��Z dBdd�Z dCdd�Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd ��Zd!d"��Zd#d$��Zd%d&��Zd'd(��Zd)d��Zd+d,��ZdCd-d.�Zd/d0��Zd1d2��Z d3d4��Z!d5d6��Z"d7d8��Z#d9d:��Z$d;d<��Z%d=d>��Z&d?d@��Z'dAS�)D� Packetizerz9 Implementation of the base SSH packet protocol. ��c��C��s��\|\|�_�d�\|�_d\|�_d\|�_d\|�_d\|�_t��\|�_d\|�_d\|�_ d\|�_ d\|�_d\|�_d\|�_ d\|�_d\|�_d\|�_d\|�_d\|�_d�\|�_d�\|�_d\|�_d�\|�_d�\|�_t��\|�_t��\|�_d�\|�_d�\|�_d\|�_d\|�_d\|�_d\|�_t �!��\|�_"d\|�_#t$�$��\|�_%d�\|�_&d�\|�_'d\|�_(d\|�_)d�S�)NFr��)�_Packetizer__socket�_Packetizer__logger�_Packetizer__closed�_Packetizer__dump_packets�_Packetizer__need_rekey�_Packetizer__init_count�bytes�_Packetizer__remainder�_initial_kex_done�_Packetizer__sent_bytes�_Packetizer__sent_packets�_Packetizer__received_bytes�_Packetizer__received_packets�$_Packetizer__received_bytes_overflow�&_Packetizer__received_packets_overflow�_Packetizer__block_size_out�_Packetizer__block_size_in�_Packetizer__mac_size_out�_Packetizer__mac_size_in�_Packetizer__block_engine_out�_Packetizer__block_engine_in�_Packetizer__sdctr_out�_Packetizer__mac_engine_out�_Packetizer__mac_engine_in�_Packetizer__mac_key_out�_Packetizer__mac_key_in� _Packetizer__compress_engine_out�_Packetizer__compress_engine_in� _Packetizer__sequence_number_out�_Packetizer__sequence_number_in�_Packetizer__etm_out�_Packetizer__etm_in� threading�RLock�_Packetizer__write_lock�_Packetizer__keepalive_interval�time�_Packetizer__keepalive_last�_Packetizer__keepalive_callback�_Packetizer__timer�_Packetizer__handshake_complete�_Packetizer__timer_expired)�self�socketr��r��r��__init__Q��sL�� zPacketizer.__init__c��C��\|�j�S�r��)r��rR��r��r��r��closed��s��zPacketizer.closedc��C�� d\|�_�d�S�r��)rD��rV��r��r��r��reset_seqno_out�� zPacketizer.reset_seqno_outc��C��rX��r��)rE��rV��r��r��r��reset_seqno_in��rZ��zPacketizer.reset_seqno_inc��C��s ��\|\|�_�dS�)z? Set the Python log object to use for logging. N)r)��)rR��logr��r��r��set_log��s�� zPacketizer.set_logFc��C��sb��\|\|�_�\|\|�_\|\|�_\|\|�_\|\|�_\|\|�_d\|�_d\|�_\|\|�_\|��j dO��_ \|�j dkr/d\|�_ d\|�_ dS�dS�)zd Switch outbound data cipher. :param etm: Set encrypt-then-mac from OpenSSH r��FN)r;��r=��r7��r>��r9��r@��r1��r2��rF��r-��r,��)rR��block_engine� block_size� mac_engine�mac_size�mac_key�sdctr�etmr��r��r��set_outbound_cipher��s�� zPacketizer.set_outbound_cipherc��C��sh��\|\|�_�\|\|�_\|\|�_\|\|�_\|\|�_d\|�_d\|�_d\|�_d\|�_\|\|�_ \|��j dO��_ \|�j dkr2d\|�_ d\|�_dS�dS�)zc Switch inbound data cipher. :param etm: Set encrypt-then-mac from OpenSSH r��r%��r_��FN)r<��r8��r?��r:��rA��r3��r4��r5��r6��rG��r-��r,��)rR��r`��ra��rb��rc��rd��rf��r��r��r��set_inbound_cipher��s�� zPacketizer.set_inbound_cipherc��C�� \|\|�_�d�S�r��)rB��rR�� compressorr��r��r��set_outbound_compressor��rZ��z"Packetizer.set_outbound_compressorc��C��ri��r��)rC��rj��r��r��r��set_inbound_compressor��rZ��z!Packetizer.set_inbound_compressorc��C��s��d\|�_�\|�j��d�S��NT)r��r(��closerV��r��r��r��ro��s��zPacketizer.closec��C��ri��r��r+��)rR��hexdumpr��r��r��set_hexdump��rZ��zPacketizer.set_hexdumpc��C��rU��r��rp��rV��r��r��r��get_hexdump��zPacketizer.get_hexdumpc��C��rU��r��)r:��rV��r��r��r��get_mac_size_in��rt��zPacketizer.get_mac_size_inc��C��rU��r��)r9��rV��r��r��r��get_mac_size_out��rt��zPacketizer.get_mac_size_outc��C��rU��)z� Returns ``True`` if a new set of keys needs to be negotiated. This will be triggered during a packet read or write, so it should be checked after every read or write, or at least after every few. �r,��rV��r��r��r�� need_rekey��s��zPacketizer.need_rekeyc��C��s��\|\|�_�\|\|�_t��\|�_dS�)z� Turn on/off the callback keepalive. If ``interval`` seconds pass with no data read from or written to the socket, the callback will be executed and the timer will be reset. N)rK��rN��rL��rM��)rR��interval�callbackr��r��r�� set_keepalive��s��zPacketizer.set_keepalivec��C��rX��rn��)rQ��rV��r��r��r�� read_timer��rZ��zPacketizer.read_timerc��C��s,��\|�j�st�t\|�\|�j�\|�_�\|�j��dS�dS�)z� Tells `Packetizer` that the handshake process started. Starts a book keeping timer that can signal a timeout in the handshake process. :param float timeout: amount of seconds to wait before timing out N)rO��rH��Timer�floatr\|��start)rR��timeoutr��r��r��start_handshake��s��zPacketizer.start_handshakec��C��s��\|�j�sdS�\|�jr dS�\|�jS�)aR�� Checks if the handshake has timed out. If `start_handshake` wasn't called before the call to this function, the return value will always be `False`. If the handshake completed before a timeout was reached, the return value will be `False` :return: handshake time out status, as a `bool` F)rO��rP��rQ��rV��r��r��r��handshake_timed_out��s �� zPacketizer.handshake_timed_outc��C��s$��\|�j�r\|�j��d\|�_d\|�_dS�dS�)zF Tells `Packetizer` that the handshake has completed. FTN)rO��cancelrQ��rP��rV��r��r��r��complete_handshake��s �� zPacketizer.complete_handshakec�� C��s2��t��}t\|�j�dkr\|�jd\|��}\|�j\|d��\|�_\|t\|�8�}\|dkr�d}\|��r,t��z\|�j�\|�}t\|�dkr<t��\|\|7�}\|t\|�8�}W�n1�tjyS��d}Y�n&�tj yx�}�zt \|�}\|tjkrgd}n\|�j rmt��W�Y�d}~nd}~ww�\|r�\|�j r�t��\|r�t\|�dkr�\|�jr�t��\|��\|dks#\|S�)a&�� Read as close to N bytes as possible, blocking as long as necessary. :param int n: number of bytes to read :return: the data read, as a `str` :raises: ``EOFError`` -- if the socket was closed before all the bytes could be read r��NFT)r.��r ��r/��r��EOFErrorr(��recvrS��r��errorr#��errno�EAGAINr��r,��r��_check_keepalive)rR��n�check_rekey�out�got_timeout�xr!��r"��r��r��r��read_all��sF�� zPacketizer.read_allc�� C��s��t��\|�_d}t\|�dkr�d}z\|�j�\|�}W�n=�tjy#��d}Y�n2�tjyC�}�zt\|�}\|t j kr7d}nd}W�Y�d�}~nd�}~w�tyJ��tyT��d}Y�nw�\|r_d}\|�j r^d}n\|dkri\|dkrid}\|d7�}\|dk�rtt��\|t\|�kr} �d�S�\|\|d��}t\|�dks d�S�)Nr��FT�� r^��)rL��rM��r ��r(��sendrS��r��r��r#��r��r��r �� Exceptionr��r��)rR��r��#iteration_with_zero_as_return_value�retry_writer��r!��r"��r��r��r�� write_allN��sF�� #zPacketizer.write_allc��C��sx��\|�j�}t\|vr\|\|��\|�7�}t\|vs\|�t�}\|\|d�d��\|�_�\|d\|��}t\|�dkr8\|d�tkr8\|dd��}t\|�S�)z� Read a line from the socket. We assume no data is pending after the line, so it's okay to attempt large reads. r^��Nr��r��)r/��r�� _read_timeout�indexr ��r��r��)rR��r��bufr��r��r��r��readlinev��s�� zPacketizer.readlinec��C��s��\|��}t\|d��}\|tv�rt\|�}nd�\|�}t\|�}\|�j��z�\|�jdur,\|��\|�}\|��\|�}\|�j rH\|�� td�\|\|��\|�� tt� \|d��\|�jdurh\|�jra\|dd��\|�j�\|dd��}n \|�j�\|�}n\|}\|�jdur�t�d\|�j�}\|\|�jr\|\|n\|�}\|t\|�j\|\|�j�d\|�j��7�}\|�jd�t@�} \| dkr�\|�js�td ��\| \|�_\|��\|��\|��jt\|�7��_\|��jd7��_\|�j\|�jkp�\|�j\|�jk} \| r�\|�j s�d }\|�� t\|�\|�j\|�j��d\|�_!d\|�_"\|��#��W�\|�j�$��dS�W�\|�j�$��dS�W�\|�j�$��dS�\|�j�$��w�)zR Write a block of data using the current cipher, as an SSH block. r��${:x}NzWrite packet <{}>, length {}zOUT: ��>Ir^��/Sequence number rolled over during initial kex!z(Rekeying (hit {} packets, {} bytes sent))%�asbytesr ��r��formatr ��rJ��acquirerB�� _build_packetr+��_logr��r�� format_binaryr;��rF��update�struct�packrD��r��r@��r>��r9��r��r0��r��r��r1��r2�� REKEY_PACKETS�REKEY_BYTESr,��r5��r6��_trigger_rekey�release)rR��data�cmd�cmd_name�orig_len�packetr��packed�payload�next_seq� sent_too_much�msgr��r��r��send_message��sr�� zPacketizer.send_messagec��C��s��\|�j�\|�jdd�}\|�jrVt�d\|dd��d�}\|\|�j�d�}\|dd��\|�j�\|dd��}\|�j�\|�jdd�}t�d\|�j\|�\|�}t\|�j \|\|�j �d\|�j��}t�\|\|�sTt d ��\|}\|�jdura\|�j�\|�}\|�jrn\|��tt�\|d ��\|�jrt\|}nPt�d\|dd��d�}\|dd��}\|t\|��\|�j�dkr�t d��\|��\|\|�j�t\|��} \| d\|t\|��}\| \|t\|��d��} \|�jdur�\|�j�\|�}\|\|�}\|�jr�\|��tt�\|d ��\|�jdk�r\|�j�s\| d\|�j��}t�d\|�j\|�\|�}t\|�j \|\|�j �d\|�j��}t�\|\|��st d ��t\|d��}\|d\|\|��}\|�j�r \|��td �\|\|��\|�jdu�r+\|��\|�}t\|dd��} \|�j\| _\|�jd�t@�}\|dk�rK\|�j�sKt d��\|\|�_\|\|�j�d�}\|��j\|7��_\|��jd7��_\|�j�r�\|��j\|7��_\|��j d7��_ \|�j \|�j!k�s�\|�j\|�j"k�r�t d��n&\|�j\|�j#k�s�\|�j\|�j$k�r�d}\|��t\|�\|�j\|�j��d\|�_d\|�_ \|��%��t\|d��}\|t&v��r�t&\|�}nd�\|�}\|�j�r�\|��td�\|t\|��\|\| fS�)z� Only one thread should ever be in this function (no other locking is done). :raises: `.SSHException` -- if the packet is mangled :raises: `.NeedRekeyException` -- if the transport should rekey T)r��r��Nr��r��Fz>IIzMismatched MACzIN: zInvalid packet blockingr^��z"Got payload ({} bytes, {} padding)r��z+Remote transport is ignoring rekey requestsz,Rekeying (hit {} packets, {} bytes received)r��zRead packet <{}>, length {})'r��r8��rG��r��unpackr:��r��rE��r��rA��r?��r��constant_time_bytes_eqr��r<��r��r+��r��r��r��r ��r ��r��rC��r��seqnor��r0��r3��r4��r,��r5��r6��REKEY_PACKETS_OVERFLOW_MAX�REKEY_BYTES_OVERFLOW_MAXr��r��r��r��)rR��header�packet_size� remainingr��mac�mac_payload�my_mac�leftoverr��post_packet�paddingr��r��r��raw_packet_size�errr��r��r��r��r��read_message��s�� zPacketizer.read_messagec��C��sJ��\|�j�d�u�rd�S�tt\|�t�r\|D�] }\|�j��\|\|��qd�S�\|�j��\|\|��d�S�r��)r)�� issubclassr��listr\��)rR��levelr��mr��r��r��r��N��s�� zPacketizer._logc��C��sD��\|�j�r \|�jr \|�jrd�S�t��}\|\|�j\|�j��kr \|��\|\|�_d�S�d�S�r��)rK��r;��r,��rL��rM��rN��)rR��nowr��r��r��r��W��s�� zPacketizer._check_keepalivec��C��sn��t��} �z\|�j�d�}t\|�dkrt��W�\|S��tjy!��Y�nw�\|�jr(t��t��}\|\|�\|kr6t��q)NT��r��)rL��r(��r��r ��r��rS��r��r��)rR��r��r��r��r��r��r��r��r��d��s"��zPacketizer._read_timeoutc��C��s��\|�j�}\|�jrdnd}d\|�t\|�\|�\|��}t�dt\|�\|�d�\|�}\|\|7�}\|�js/\|�jd�u�r7\|t\|�7�}\|S�\|t� \|�7�}\|S�)Nr��r'��r_��z>IBr^��) r7��rF��r ��r��r��r=��r;��r ��os�urandom)rR��r��bsize�addlenr��r��r��r��r��r��u��s��zPacketizer._build_packetc��C��rX��rn��rw��rV��r��r��r��r��s�� zPacketizer._trigger_rekeyN)FF)F)(r��r��r��r��powr��r��r��r��rT��propertyrW��rY��r[��r]��rg��rh��rl��rm��ro��rr��rs��ru��rv��rx��r{��r\|��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r��r$��A��sR�� 1 �% � 0(B� r$��)r��r��r��rS��r��rH��rL��hmacr��paramikor��paramiko.commonr��r��r��r��r��r ��r �� paramiko.utilr��paramiko.ssh_exceptionr��r ��paramiko.messager��r��r��r��r#��r$��r��r��r��r��<module>��s"��$ ��sftp_server.py��0000644��00000046044�15030210772�0007465 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Server-mode SFTP support. """ import os import errno import sys from hashlib import md5, sha1 from paramiko import util from paramiko.sftp import ( BaseSFTP, Message, SFTP_FAILURE, SFTP_PERMISSION_DENIED, SFTP_NO_SUCH_FILE, int64, ) from paramiko.sftp_si import SFTPServerInterface from paramiko.sftp_attr import SFTPAttributes from paramiko.common import DEBUG from paramiko.server import SubsystemHandler from paramiko.util import b # known hash algorithms for the "check-file" extension from paramiko.sftp import ( CMD_HANDLE, SFTP_DESC, CMD_STATUS, SFTP_EOF, CMD_NAME, SFTP_BAD_MESSAGE, CMD_EXTENDED_REPLY, SFTP_FLAG_READ, SFTP_FLAG_WRITE, SFTP_FLAG_APPEND, SFTP_FLAG_CREATE, SFTP_FLAG_TRUNC, SFTP_FLAG_EXCL, CMD_NAMES, CMD_OPEN, CMD_CLOSE, SFTP_OK, CMD_READ, CMD_DATA, CMD_WRITE, CMD_REMOVE, CMD_RENAME, CMD_MKDIR, CMD_RMDIR, CMD_OPENDIR, CMD_READDIR, CMD_STAT, CMD_ATTRS, CMD_LSTAT, CMD_FSTAT, CMD_SETSTAT, CMD_FSETSTAT, CMD_READLINK, CMD_SYMLINK, CMD_REALPATH, CMD_EXTENDED, SFTP_OP_UNSUPPORTED, ) _hash_class = {"sha1": sha1, "md5": md5} class SFTPServer(BaseSFTP, SubsystemHandler): """ Server-side SFTP subsystem support. Since this is a `.SubsystemHandler`, it can be (and is meant to be) set as the handler for ``"sftp"`` requests. Use `.Transport.set_subsystem_handler` to activate this class. """ def __init__( self, channel, name, server, sftp_si=SFTPServerInterface, args, kwargs ): """ The constructor for SFTPServer is meant to be called from within the `.Transport` as a subsystem handler. ``server`` and any additional parameters or keyword parameters are passed from the original call to `.Transport.set_subsystem_handler`. :param .Channel channel: channel passed from the `.Transport`. :param str name: name of the requested subsystem. :param .ServerInterface server: the server object associated with this channel and subsystem :param sftp_si: a subclass of `.SFTPServerInterface` to use for handling individual requests. """ BaseSFTP.__init__(self) SubsystemHandler.__init__(self, channel, name, server) transport = channel.get_transport() self.logger = util.get_logger(transport.get_log_channel() + ".sftp") self.ultra_debug = transport.get_hexdump() self.next_handle = 1 # map of handle-string to SFTPHandle for files & folders: self.file_table = {} self.folder_table = {} self.server = sftp_si(server, args, *kwargs) def _log(self, level, msg): if issubclass(type(msg), list): for m in msg: super()._log(level, "[chan " + self.sock.get_name() + "] " + m) else: super()._log(level, "[chan " + self.sock.get_name() + "] " + msg) def start_subsystem(self, name, transport, channel): self.sock = channel self._log(DEBUG, "Started sftp server on channel {!r}".format(channel)) self._send_server_version() self.server.session_started() while True: try: t, data = self._read_packet() except EOFError: self._log(DEBUG, "EOF -- end of session") return except Exception as e: self._log(DEBUG, "Exception on channel: " + str(e)) self._log(DEBUG, util.tb_strings()) return msg = Message(data) request_number = msg.get_int() try: self._process(t, request_number, msg) except Exception as e: self._log(DEBUG, "Exception in server processing: " + str(e)) self._log(DEBUG, util.tb_strings()) # send some kind of failure message, at least try: self._send_status(request_number, SFTP_FAILURE) except: pass def finish_subsystem(self): self.server.session_ended() super().finish_subsystem() # close any file handles that were left open # (so we can return them to the OS quickly) for f in self.file_table.values(): f.close() for f in self.folder_table.values(): f.close() self.file_table = {} self.folder_table = {} @staticmethod def convert_errno(e): """ Convert an errno value (as from an ``OSError`` or ``IOError``) into a standard SFTP result code. This is a convenience function for trapping exceptions in server code and returning an appropriate result. :param int e: an errno code, as from ``OSError.errno``. :return: an `int` SFTP error code like ``SFTP_NO_SUCH_FILE``. """ if e == errno.EACCES: # permission denied return SFTP_PERMISSION_DENIED elif (e == errno.ENOENT) or (e == errno.ENOTDIR): # no such file return SFTP_NO_SUCH_FILE else: return SFTP_FAILURE @staticmethod def set_file_attr(filename, attr): """ Change a file's attributes on the local filesystem. The contents of ``attr`` are used to change the permissions, owner, group ownership, and/or modification & access time of the file, depending on which attributes are present in ``attr``. This is meant to be a handy helper function for translating SFTP file requests into local file operations. :param str filename: name of the file to alter (should usually be an absolute path). :param .SFTPAttributes attr: attributes to change. """ if sys.platform != "win32": # mode operations are meaningless on win32 if attr._flags & attr.FLAG_PERMISSIONS: os.chmod(filename, attr.st_mode) if attr._flags & attr.FLAG_UIDGID: os.chown(filename, attr.st_uid, attr.st_gid) if attr._flags & attr.FLAG_AMTIME: os.utime(filename, (attr.st_atime, attr.st_mtime)) if attr._flags & attr.FLAG_SIZE: with open(filename, "w+") as f: f.truncate(attr.st_size) # ...internals... def _response(self, request_number, t, args): msg = Message() msg.add_int(request_number) for item in args: # NOTE: this is a very silly tiny class used for SFTPFile mostly if isinstance(item, int64): msg.add_int64(item) elif isinstance(item, int): msg.add_int(item) elif isinstance(item, (str, bytes)): msg.add_string(item) elif type(item) is SFTPAttributes: item._pack(msg) else: raise Exception( "unknown type for {!r} type {!r}".format(item, type(item)) ) self._send_packet(t, msg) def _send_handle_response(self, request_number, handle, folder=False): if not issubclass(type(handle), SFTPHandle): # must be error code self._send_status(request_number, handle) return handle._set_name(b("hx{:d}".format(self.next_handle))) self.next_handle += 1 if folder: self.folder_table[handle._get_name()] = handle else: self.file_table[handle._get_name()] = handle self._response(request_number, CMD_HANDLE, handle._get_name()) def _send_status(self, request_number, code, desc=None): if desc is None: try: desc = SFTP_DESC[code] except IndexError: desc = "Unknown" # some clients expect a "language" tag at the end # (but don't mind it being blank) self._response(request_number, CMD_STATUS, code, desc, "") def _open_folder(self, request_number, path): resp = self.server.list_folder(path) if issubclass(type(resp), list): # got an actual list of filenames in the folder folder = SFTPHandle() folder._set_files(resp) self._send_handle_response(request_number, folder, True) return # must be an error code self._send_status(request_number, resp) def _read_folder(self, request_number, folder): flist = folder._get_next_files() if len(flist) == 0: self._send_status(request_number, SFTP_EOF) return msg = Message() msg.add_int(request_number) msg.add_int(len(flist)) for attr in flist: msg.add_string(attr.filename) msg.add_string(attr) attr._pack(msg) self._send_packet(CMD_NAME, msg) def _check_file(self, request_number, msg): # this extension actually comes from v6 protocol, but since it's an # extension, i feel like we can reasonably support it backported. # it's very useful for verifying uploaded files or checking for # rsync-like differences between local and remote files. handle = msg.get_binary() alg_list = msg.get_list() start = msg.get_int64() length = msg.get_int64() block_size = msg.get_int() if handle not in self.file_table: self._send_status( request_number, SFTP_BAD_MESSAGE, "Invalid handle" ) return f = self.file_table[handle] for x in alg_list: if x in _hash_class: algname = x alg = _hash_class[x] break else: self._send_status( request_number, SFTP_FAILURE, "No supported hash types found" ) return if length == 0: st = f.stat() if not issubclass(type(st), SFTPAttributes): self._send_status(request_number, st, "Unable to stat file") return length = st.st_size - start if block_size == 0: block_size = length if block_size < 256: self._send_status( request_number, SFTP_FAILURE, "Block size too small" ) return sum_out = bytes() offset = start while offset < start + length: blocklen = min(block_size, start + length - offset) # don't try to read more than about 64KB at a time chunklen = min(blocklen, 65536) count = 0 hash_obj = alg() while count < blocklen: data = f.read(offset, chunklen) if not isinstance(data, bytes): self._send_status( request_number, data, "Unable to hash file" ) return hash_obj.update(data) count += len(data) offset += count sum_out += hash_obj.digest() msg = Message() msg.add_int(request_number) msg.add_string("check-file") msg.add_string(algname) msg.add_bytes(sum_out) self._send_packet(CMD_EXTENDED_REPLY, msg) def _convert_pflags(self, pflags): """convert SFTP-style open() flags to Python's os.open() flags""" if (pflags & SFTP_FLAG_READ) and (pflags & SFTP_FLAG_WRITE): flags = os.O_RDWR elif pflags & SFTP_FLAG_WRITE: flags = os.O_WRONLY else: flags = os.O_RDONLY if pflags & SFTP_FLAG_APPEND: flags \|= os.O_APPEND if pflags & SFTP_FLAG_CREATE: flags \|= os.O_CREAT if pflags & SFTP_FLAG_TRUNC: flags \|= os.O_TRUNC if pflags & SFTP_FLAG_EXCL: flags \|= os.O_EXCL return flags def _process(self, t, request_number, msg): self._log(DEBUG, "Request: {}".format(CMD_NAMES[t])) if t == CMD_OPEN: path = msg.get_text() flags = self._convert_pflags(msg.get_int()) attr = SFTPAttributes._from_msg(msg) self._send_handle_response( request_number, self.server.open(path, flags, attr) ) elif t == CMD_CLOSE: handle = msg.get_binary() if handle in self.folder_table: del self.folder_table[handle] self._send_status(request_number, SFTP_OK) return if handle in self.file_table: self.file_table[handle].close() del self.file_table[handle] self._send_status(request_number, SFTP_OK) return self._send_status( request_number, SFTP_BAD_MESSAGE, "Invalid handle" ) elif t == CMD_READ: handle = msg.get_binary() offset = msg.get_int64() length = msg.get_int() if handle not in self.file_table: self._send_status( request_number, SFTP_BAD_MESSAGE, "Invalid handle" ) return data = self.file_table[handle].read(offset, length) if isinstance(data, (bytes, str)): if len(data) == 0: self._send_status(request_number, SFTP_EOF) else: self._response(request_number, CMD_DATA, data) else: self._send_status(request_number, data) elif t == CMD_WRITE: handle = msg.get_binary() offset = msg.get_int64() data = msg.get_binary() if handle not in self.file_table: self._send_status( request_number, SFTP_BAD_MESSAGE, "Invalid handle" ) return self._send_status( request_number, self.file_table[handle].write(offset, data) ) elif t == CMD_REMOVE: path = msg.get_text() self._send_status(request_number, self.server.remove(path)) elif t == CMD_RENAME: oldpath = msg.get_text() newpath = msg.get_text() self._send_status( request_number, self.server.rename(oldpath, newpath) ) elif t == CMD_MKDIR: path = msg.get_text() attr = SFTPAttributes._from_msg(msg) self._send_status(request_number, self.server.mkdir(path, attr)) elif t == CMD_RMDIR: path = msg.get_text() self._send_status(request_number, self.server.rmdir(path)) elif t == CMD_OPENDIR: path = msg.get_text() self._open_folder(request_number, path) return elif t == CMD_READDIR: handle = msg.get_binary() if handle not in self.folder_table: self._send_status( request_number, SFTP_BAD_MESSAGE, "Invalid handle" ) return folder = self.folder_table[handle] self._read_folder(request_number, folder) elif t == CMD_STAT: path = msg.get_text() resp = self.server.stat(path) if issubclass(type(resp), SFTPAttributes): self._response(request_number, CMD_ATTRS, resp) else: self._send_status(request_number, resp) elif t == CMD_LSTAT: path = msg.get_text() resp = self.server.lstat(path) if issubclass(type(resp), SFTPAttributes): self._response(request_number, CMD_ATTRS, resp) else: self._send_status(request_number, resp) elif t == CMD_FSTAT: handle = msg.get_binary() if handle not in self.file_table: self._send_status( request_number, SFTP_BAD_MESSAGE, "Invalid handle" ) return resp = self.file_table[handle].stat() if issubclass(type(resp), SFTPAttributes): self._response(request_number, CMD_ATTRS, resp) else: self._send_status(request_number, resp) elif t == CMD_SETSTAT: path = msg.get_text() attr = SFTPAttributes._from_msg(msg) self._send_status(request_number, self.server.chattr(path, attr)) elif t == CMD_FSETSTAT: handle = msg.get_binary() attr = SFTPAttributes._from_msg(msg) if handle not in self.file_table: self._response( request_number, SFTP_BAD_MESSAGE, "Invalid handle" ) return self._send_status( request_number, self.file_table[handle].chattr(attr) ) elif t == CMD_READLINK: path = msg.get_text() resp = self.server.readlink(path) if isinstance(resp, (bytes, str)): self._response( request_number, CMD_NAME, 1, resp, "", SFTPAttributes() ) else: self._send_status(request_number, resp) elif t == CMD_SYMLINK: # the sftp 2 draft is incorrect here! # path always follows target_path target_path = msg.get_text() path = msg.get_text() self._send_status( request_number, self.server.symlink(target_path, path) ) elif t == CMD_REALPATH: path = msg.get_text() rpath = self.server.canonicalize(path) self._response( request_number, CMD_NAME, 1, rpath, "", SFTPAttributes() ) elif t == CMD_EXTENDED: tag = msg.get_text() if tag == "check-file": self._check_file(request_number, msg) elif tag == "posix-rename@openssh.com": oldpath = msg.get_text() newpath = msg.get_text() self._send_status( request_number, self.server.posix_rename(oldpath, newpath) ) else: self._send_status(request_number, SFTP_OP_UNSUPPORTED) else: self._send_status(request_number, SFTP_OP_UNSUPPORTED) from paramiko.sftp_handle import SFTPHandle ��message.py��0000644��00000022205�15030210772�0006540 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Implementation of an SSH2 "message". """ import struct from io import BytesIO from paramiko import util from paramiko.common import zero_byte, max_byte, one_byte from paramiko.util import u class Message: """ An SSH2 message is a stream of bytes that encodes some combination of strings, integers, bools, and infinite-precision integers. This class builds or breaks down such a byte stream. Normally you don't need to deal with anything this low-level, but it's exposed for people implementing custom extensions, or features that paramiko doesn't support yet. """ big_int = 0xFF000000 def __init__(self, content=None): """ Create a new SSH2 message. :param bytes content: the byte stream to use as the message content (passed in only when decomposing a message). """ if content is not None: self.packet = BytesIO(content) else: self.packet = BytesIO() def __bytes__(self): return self.asbytes() def __repr__(self): """ Returns a string representation of this object, for debugging. """ return "paramiko.Message(" + repr(self.packet.getvalue()) + ")" # TODO 4.0: just merge into __bytes__ (everywhere) def asbytes(self): """ Return the byte stream content of this Message, as a `bytes`. """ return self.packet.getvalue() def rewind(self): """ Rewind the message to the beginning as if no items had been parsed out of it yet. """ self.packet.seek(0) def get_remainder(self): """ Return the `bytes` of this message that haven't already been parsed and returned. """ position = self.packet.tell() remainder = self.packet.read() self.packet.seek(position) return remainder def get_so_far(self): """ Returns the `bytes` of this message that have been parsed and returned. The string passed into a message's constructor can be regenerated by concatenating ``get_so_far`` and `get_remainder`. """ position = self.packet.tell() self.rewind() return self.packet.read(position) def get_bytes(self, n): """ Return the next ``n`` bytes of the message, without decomposing into an int, decoded string, etc. Just the raw bytes are returned. Returns a string of ``n`` zero bytes if there weren't ``n`` bytes remaining in the message. """ b = self.packet.read(n) max_pad_size = 1 << 20 # Limit padding to 1 MB if len(b) < n < max_pad_size: return b + zero_byte * (n - len(b)) return b def get_byte(self): """ Return the next byte of the message, without decomposing it. This is equivalent to `get_bytes(1) <get_bytes>`. :return: the next (`bytes`) byte of the message, or ``b'\000'`` if there aren't any bytes remaining. """ return self.get_bytes(1) def get_boolean(self): """ Fetch a boolean from the stream. """ b = self.get_bytes(1) return b != zero_byte def get_adaptive_int(self): """ Fetch an int from the stream. :return: a 32-bit unsigned `int`. """ byte = self.get_bytes(1) if byte == max_byte: return util.inflate_long(self.get_binary()) byte += self.get_bytes(3) return struct.unpack(">I", byte)[0] def get_int(self): """ Fetch an int from the stream. """ return struct.unpack(">I", self.get_bytes(4))[0] def get_int64(self): """ Fetch a 64-bit int from the stream. :return: a 64-bit unsigned integer (`int`). """ return struct.unpack(">Q", self.get_bytes(8))[0] def get_mpint(self): """ Fetch a long int (mpint) from the stream. :return: an arbitrary-length integer (`int`). """ return util.inflate_long(self.get_binary()) # TODO 4.0: depending on where this is used internally or downstream, force # users to specify get_binary instead and delete this. def get_string(self): """ Fetch a "string" from the stream. This will actually be a `bytes` object, and may contain unprintable characters. (It's not unheard of for a string to contain another byte-stream message.) """ return self.get_bytes(self.get_int()) # TODO 4.0: also consider having this take over the get_string name, and # remove this name instead. def get_text(self): """ Fetch a Unicode string from the stream. This currently operates by attempting to encode the next "string" as ``utf-8``. """ return u(self.get_string()) def get_binary(self): """ Alias for `get_string` (obtains a bytestring). """ return self.get_bytes(self.get_int()) def get_list(self): """ Fetch a list of `strings <str>` from the stream. These are trivially encoded as comma-separated values in a string. """ return self.get_text().split(",") def add_bytes(self, b): """ Write bytes to the stream, without any formatting. :param bytes b: bytes to add """ self.packet.write(b) return self def add_byte(self, b): """ Write a single byte to the stream, without any formatting. :param bytes b: byte to add """ self.packet.write(b) return self def add_boolean(self, b): """ Add a boolean value to the stream. :param bool b: boolean value to add """ if b: self.packet.write(one_byte) else: self.packet.write(zero_byte) return self def add_int(self, n): """ Add an integer to the stream. :param int n: integer to add """ self.packet.write(struct.pack(">I", n)) return self def add_adaptive_int(self, n): """ Add an integer to the stream. :param int n: integer to add """ if n >= Message.big_int: self.packet.write(max_byte) self.add_string(util.deflate_long(n)) else: self.packet.write(struct.pack(">I", n)) return self def add_int64(self, n): """ Add a 64-bit int to the stream. :param int n: long int to add """ self.packet.write(struct.pack(">Q", n)) return self def add_mpint(self, z): """ Add a long int to the stream, encoded as an infinite-precision integer. This method only works on positive numbers. :param int z: long int to add """ self.add_string(util.deflate_long(z)) return self # TODO: see the TODO for get_string/get_text/et al, this should change # to match. def add_string(self, s): """ Add a bytestring to the stream. :param byte s: bytestring to add """ s = util.asbytes(s) self.add_int(len(s)) self.packet.write(s) return self def add_list(self, l): # noqa: E741 """ Add a list of strings to the stream. They are encoded identically to a single string of values separated by commas. (Yes, really, that's how SSH2 does it.) :param l: list of strings to add """ self.add_string(",".join(l)) return self def _add(self, i): if type(i) is bool: return self.add_boolean(i) elif isinstance(i, int): return self.add_adaptive_int(i) elif type(i) is list: return self.add_list(i) else: return self.add_string(i) # TODO: this would never have worked for unicode strings under Python 3, # guessing nobody/nothing ever used it for that purpose? def add(self, seq): """ Add a sequence of items to the stream. The values are encoded based on their type: bytes, str, int, bool, or list. .. warning:: Longs are encoded non-deterministically. Don't use this method. :param seq: the sequence of items """ for item in seq: self._add(item) ��kex_gss.py��0000644��00000057762�15030210772�0006577 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # Copyright (C) 2013-2014 science + computing ag # Author: Sebastian Deiss <sebastian.deiss@t-online.de> # # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ This module provides GSS-API / SSPI Key Exchange as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. note:: `RFC 4462 Section 2.2 <https://tools.ietf.org/html/rfc4462.html#section-2.2>`_ says we are not required to implement GSS-API error messages. Thus, in many methods within this module, if an error occurs an exception will be thrown and the connection will be terminated. .. seealso:: :doc:`/api/ssh_gss` .. versionadded:: 1.15 """ import os from hashlib import sha1 from paramiko.common import ( DEBUG, max_byte, zero_byte, byte_chr, byte_mask, byte_ord, ) from paramiko import util from paramiko.message import Message from paramiko.ssh_exception import SSHException ( MSG_KEXGSS_INIT, MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_HOSTKEY, MSG_KEXGSS_ERROR, ) = range(30, 35) (MSG_KEXGSS_GROUPREQ, MSG_KEXGSS_GROUP) = range(40, 42) ( c_MSG_KEXGSS_INIT, c_MSG_KEXGSS_CONTINUE, c_MSG_KEXGSS_COMPLETE, c_MSG_KEXGSS_HOSTKEY, c_MSG_KEXGSS_ERROR, ) = [byte_chr(c) for c in range(30, 35)] (c_MSG_KEXGSS_GROUPREQ, c_MSG_KEXGSS_GROUP) = [ byte_chr(c) for c in range(40, 42) ] class KexGSSGroup1: """ GSS-API / SSPI Authenticated Diffie-Hellman Key Exchange as defined in `RFC 4462 Section 2 <https://tools.ietf.org/html/rfc4462.html#section-2>`_ """ # draft-ietf-secsh-transport-09.txt, page 17 P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF # noqa G = 2 b7fffffffffffffff = byte_chr(0x7F) + max_byte 7 # noqa b0000000000000000 = zero_byte * 8 # noqa NAME = "gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==" def __init__(self, transport): self.transport = transport self.kexgss = self.transport.kexgss_ctxt self.gss_host = None self.x = 0 self.e = 0 self.f = 0 def start_kex(self): """ Start the GSS-API / SSPI Authenticated Diffie-Hellman Key Exchange. """ self._generate_x() if self.transport.server_mode: # compute f = g^x mod p, but don't send it yet self.f = pow(self.G, self.x, self.P) self.transport._expect_packet(MSG_KEXGSS_INIT) return # compute e = g^x mod p (where g=2), and send it self.e = pow(self.G, self.x, self.P) # Initialize GSS-API Key Exchange self.gss_host = self.transport.gss_host m = Message() m.add_byte(c_MSG_KEXGSS_INIT) m.add_string(self.kexgss.ssh_init_sec_context(target=self.gss_host)) m.add_mpint(self.e) self.transport._send_message(m) self.transport._expect_packet( MSG_KEXGSS_HOSTKEY, MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_ERROR, ) def parse_next(self, ptype, m): """ Parse the next packet. :param ptype: The (string) type of the incoming packet :param `.Message` m: The packet content """ if self.transport.server_mode and (ptype == MSG_KEXGSS_INIT): return self._parse_kexgss_init(m) elif not self.transport.server_mode and (ptype == MSG_KEXGSS_HOSTKEY): return self._parse_kexgss_hostkey(m) elif self.transport.server_mode and (ptype == MSG_KEXGSS_CONTINUE): return self._parse_kexgss_continue(m) elif not self.transport.server_mode and (ptype == MSG_KEXGSS_COMPLETE): return self._parse_kexgss_complete(m) elif ptype == MSG_KEXGSS_ERROR: return self._parse_kexgss_error(m) msg = "GSS KexGroup1 asked to handle packet type {:d}" raise SSHException(msg.format(ptype)) # ## internals... def _generate_x(self): """ generate an "x" (1 < x < q), where q is (p-1)/2. p is a 128-byte (1024-bit) number, where the first 64 bits are 1. therefore q can be approximated as a 2^1023. we drop the subset of potential x where the first 63 bits are 1, because some of those will be larger than q (but this is a tiny tiny subset of potential x). """ while 1: x_bytes = os.urandom(128) x_bytes = byte_mask(x_bytes[0], 0x7F) + x_bytes[1:] first = x_bytes[:8] if first not in (self.b7fffffffffffffff, self.b0000000000000000): break self.x = util.inflate_long(x_bytes) def _parse_kexgss_hostkey(self, m): """ Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message """ # client mode host_key = m.get_string() self.transport.host_key = host_key sig = m.get_string() self.transport._verify_key(host_key, sig) self.transport._expect_packet(MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE) def _parse_kexgss_continue(self, m): """ Parse the SSH2_MSG_KEXGSS_CONTINUE message. :param `.Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message """ if not self.transport.server_mode: srv_token = m.get_string() m = Message() m.add_byte(c_MSG_KEXGSS_CONTINUE) m.add_string( self.kexgss.ssh_init_sec_context( target=self.gss_host, recv_token=srv_token ) ) self.transport.send_message(m) self.transport._expect_packet( MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_ERROR ) else: pass def _parse_kexgss_complete(self, m): """ Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message """ # client mode if self.transport.host_key is None: self.transport.host_key = NullHostKey() self.f = m.get_mpint() if (self.f < 1) or (self.f > self.P - 1): raise SSHException('Server kex "f" is out of range') mic_token = m.get_string() # This must be TRUE, if there is a GSS-API token in this message. bool = m.get_boolean() srv_token = None if bool: srv_token = m.get_string() K = pow(self.f, self.x, self.P) # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| e \|\| f \|\| K) hm = Message() hm.add( self.transport.local_version, self.transport.remote_version, self.transport.local_kex_init, self.transport.remote_kex_init, ) hm.add_string(self.transport.host_key.__str__()) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) H = sha1(str(hm)).digest() self.transport._set_K_H(K, H) if srv_token is not None: self.kexgss.ssh_init_sec_context( target=self.gss_host, recv_token=srv_token ) self.kexgss.ssh_check_mic(mic_token, H) else: self.kexgss.ssh_check_mic(mic_token, H) self.transport.gss_kex_used = True self.transport._activate_outbound() def _parse_kexgss_init(self, m): """ Parse the SSH2_MSG_KEXGSS_INIT message (server mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_INIT message """ # server mode client_token = m.get_string() self.e = m.get_mpint() if (self.e < 1) or (self.e > self.P - 1): raise SSHException('Client kex "e" is out of range') K = pow(self.e, self.x, self.P) self.transport.host_key = NullHostKey() key = self.transport.host_key.__str__() # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| e \|\| f \|\| K) hm = Message() hm.add( self.transport.remote_version, self.transport.local_version, self.transport.remote_kex_init, self.transport.local_kex_init, ) hm.add_string(key) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) H = sha1(hm.asbytes()).digest() self.transport._set_K_H(K, H) srv_token = self.kexgss.ssh_accept_sec_context( self.gss_host, client_token ) m = Message() if self.kexgss._gss_srv_ctxt_status: mic_token = self.kexgss.ssh_get_mic( self.transport.session_id, gss_kex=True ) m.add_byte(c_MSG_KEXGSS_COMPLETE) m.add_mpint(self.f) m.add_string(mic_token) if srv_token is not None: m.add_boolean(True) m.add_string(srv_token) else: m.add_boolean(False) self.transport._send_message(m) self.transport.gss_kex_used = True self.transport._activate_outbound() else: m.add_byte(c_MSG_KEXGSS_CONTINUE) m.add_string(srv_token) self.transport._send_message(m) self.transport._expect_packet( MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_ERROR ) def _parse_kexgss_error(self, m): """ Parse the SSH2_MSG_KEXGSS_ERROR message (client mode). The server may send a GSS-API error message. if it does, we display the error by throwing an exception (client mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message :raise SSHException: Contains GSS-API major and minor status as well as the error message and the language tag of the message """ maj_status = m.get_int() min_status = m.get_int() err_msg = m.get_string() m.get_string() # we don't care about the language! raise SSHException( """GSS-API Error: Major Status: {} Minor Status: {} Error Message: {} """.format( maj_status, min_status, err_msg ) ) class KexGSSGroup14(KexGSSGroup1): """ GSS-API / SSPI Authenticated Diffie-Hellman Group14 Key Exchange as defined in `RFC 4462 Section 2 <https://tools.ietf.org/html/rfc4462.html#section-2>`_ """ P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF # noqa G = 2 NAME = "gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==" class KexGSSGex: """ GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange as defined in `RFC 4462 Section 2 <https://tools.ietf.org/html/rfc4462.html#section-2>`_ """ NAME = "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==" min_bits = 1024 max_bits = 8192 preferred_bits = 2048 def __init__(self, transport): self.transport = transport self.kexgss = self.transport.kexgss_ctxt self.gss_host = None self.p = None self.q = None self.g = None self.x = None self.e = None self.f = None self.old_style = False def start_kex(self): """ Start the GSS-API / SSPI Authenticated Diffie-Hellman Group Exchange """ if self.transport.server_mode: self.transport._expect_packet(MSG_KEXGSS_GROUPREQ) return # request a bit range: we accept (min_bits) to (max_bits), but prefer # (preferred_bits). according to the spec, we shouldn't pull the # minimum up above 1024. self.gss_host = self.transport.gss_host m = Message() m.add_byte(c_MSG_KEXGSS_GROUPREQ) m.add_int(self.min_bits) m.add_int(self.preferred_bits) m.add_int(self.max_bits) self.transport._send_message(m) self.transport._expect_packet(MSG_KEXGSS_GROUP) def parse_next(self, ptype, m): """ Parse the next packet. :param ptype: The (string) type of the incoming packet :param `.Message` m: The packet content """ if ptype == MSG_KEXGSS_GROUPREQ: return self._parse_kexgss_groupreq(m) elif ptype == MSG_KEXGSS_GROUP: return self._parse_kexgss_group(m) elif ptype == MSG_KEXGSS_INIT: return self._parse_kexgss_gex_init(m) elif ptype == MSG_KEXGSS_HOSTKEY: return self._parse_kexgss_hostkey(m) elif ptype == MSG_KEXGSS_CONTINUE: return self._parse_kexgss_continue(m) elif ptype == MSG_KEXGSS_COMPLETE: return self._parse_kexgss_complete(m) elif ptype == MSG_KEXGSS_ERROR: return self._parse_kexgss_error(m) msg = "KexGex asked to handle packet type {:d}" raise SSHException(msg.format(ptype)) # ## internals... def _generate_x(self): # generate an "x" (1 < x < (p-1)/2). q = (self.p - 1) // 2 qnorm = util.deflate_long(q, 0) qhbyte = byte_ord(qnorm[0]) byte_count = len(qnorm) qmask = 0xFF while not (qhbyte & 0x80): qhbyte <<= 1 qmask >>= 1 while True: x_bytes = os.urandom(byte_count) x_bytes = byte_mask(x_bytes[0], qmask) + x_bytes[1:] x = util.inflate_long(x_bytes, 1) if (x > 1) and (x < q): break self.x = x def _parse_kexgss_groupreq(self, m): """ Parse the SSH2_MSG_KEXGSS_GROUPREQ message (server mode). :param `.Message` m: The content of the SSH2_MSG_KEXGSS_GROUPREQ message """ minbits = m.get_int() preferredbits = m.get_int() maxbits = m.get_int() # smoosh the user's preferred size into our own limits if preferredbits > self.max_bits: preferredbits = self.max_bits if preferredbits < self.min_bits: preferredbits = self.min_bits # fix min/max if they're inconsistent. technically, we could just pout # and hang up, but there's no harm in giving them the benefit of the # doubt and just picking a bitsize for them. if minbits > preferredbits: minbits = preferredbits if maxbits < preferredbits: maxbits = preferredbits # now save a copy self.min_bits = minbits self.preferred_bits = preferredbits self.max_bits = maxbits # generate prime pack = self.transport._get_modulus_pack() if pack is None: raise SSHException("Can't do server-side gex with no modulus pack") self.transport._log( DEBUG, # noqa "Picking p ({} <= {} <= {} bits)".format( minbits, preferredbits, maxbits ), ) self.g, self.p = pack.get_modulus(minbits, preferredbits, maxbits) m = Message() m.add_byte(c_MSG_KEXGSS_GROUP) m.add_mpint(self.p) m.add_mpint(self.g) self.transport._send_message(m) self.transport._expect_packet(MSG_KEXGSS_INIT) def _parse_kexgss_group(self, m): """ Parse the SSH2_MSG_KEXGSS_GROUP message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_GROUP message """ self.p = m.get_mpint() self.g = m.get_mpint() # reject if p's bit length < 1024 or > 8192 bitlen = util.bit_length(self.p) if (bitlen < 1024) or (bitlen > 8192): raise SSHException( "Server-generated gex p (don't ask) is out of range " "({} bits)".format(bitlen) ) self.transport._log( DEBUG, "Got server p ({} bits)".format(bitlen) ) # noqa self._generate_x() # now compute e = g^x mod p self.e = pow(self.g, self.x, self.p) m = Message() m.add_byte(c_MSG_KEXGSS_INIT) m.add_string(self.kexgss.ssh_init_sec_context(target=self.gss_host)) m.add_mpint(self.e) self.transport._send_message(m) self.transport._expect_packet( MSG_KEXGSS_HOSTKEY, MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_ERROR, ) def _parse_kexgss_gex_init(self, m): """ Parse the SSH2_MSG_KEXGSS_INIT message (server mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_INIT message """ client_token = m.get_string() self.e = m.get_mpint() if (self.e < 1) or (self.e > self.p - 1): raise SSHException('Client kex "e" is out of range') self._generate_x() self.f = pow(self.g, self.x, self.p) K = pow(self.e, self.x, self.p) self.transport.host_key = NullHostKey() key = self.transport.host_key.__str__() # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| min \|\| n \|\| max \|\| p \|\| g \|\| e \|\| f \|\| K) # noqa hm = Message() hm.add( self.transport.remote_version, self.transport.local_version, self.transport.remote_kex_init, self.transport.local_kex_init, key, ) hm.add_int(self.min_bits) hm.add_int(self.preferred_bits) hm.add_int(self.max_bits) hm.add_mpint(self.p) hm.add_mpint(self.g) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) H = sha1(hm.asbytes()).digest() self.transport._set_K_H(K, H) srv_token = self.kexgss.ssh_accept_sec_context( self.gss_host, client_token ) m = Message() if self.kexgss._gss_srv_ctxt_status: mic_token = self.kexgss.ssh_get_mic( self.transport.session_id, gss_kex=True ) m.add_byte(c_MSG_KEXGSS_COMPLETE) m.add_mpint(self.f) m.add_string(mic_token) if srv_token is not None: m.add_boolean(True) m.add_string(srv_token) else: m.add_boolean(False) self.transport._send_message(m) self.transport.gss_kex_used = True self.transport._activate_outbound() else: m.add_byte(c_MSG_KEXGSS_CONTINUE) m.add_string(srv_token) self.transport._send_message(m) self.transport._expect_packet( MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_ERROR ) def _parse_kexgss_hostkey(self, m): """ Parse the SSH2_MSG_KEXGSS_HOSTKEY message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_HOSTKEY message """ # client mode host_key = m.get_string() self.transport.host_key = host_key sig = m.get_string() self.transport._verify_key(host_key, sig) self.transport._expect_packet(MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE) def _parse_kexgss_continue(self, m): """ Parse the SSH2_MSG_KEXGSS_CONTINUE message. :param `Message` m: The content of the SSH2_MSG_KEXGSS_CONTINUE message """ if not self.transport.server_mode: srv_token = m.get_string() m = Message() m.add_byte(c_MSG_KEXGSS_CONTINUE) m.add_string( self.kexgss.ssh_init_sec_context( target=self.gss_host, recv_token=srv_token ) ) self.transport.send_message(m) self.transport._expect_packet( MSG_KEXGSS_CONTINUE, MSG_KEXGSS_COMPLETE, MSG_KEXGSS_ERROR ) else: pass def _parse_kexgss_complete(self, m): """ Parse the SSH2_MSG_KEXGSS_COMPLETE message (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_COMPLETE message """ if self.transport.host_key is None: self.transport.host_key = NullHostKey() self.f = m.get_mpint() mic_token = m.get_string() # This must be TRUE, if there is a GSS-API token in this message. bool = m.get_boolean() srv_token = None if bool: srv_token = m.get_string() if (self.f < 1) or (self.f > self.p - 1): raise SSHException('Server kex "f" is out of range') K = pow(self.f, self.x, self.p) # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| min \|\| n \|\| max \|\| p \|\| g \|\| e \|\| f \|\| K) # noqa hm = Message() hm.add( self.transport.local_version, self.transport.remote_version, self.transport.local_kex_init, self.transport.remote_kex_init, self.transport.host_key.__str__(), ) if not self.old_style: hm.add_int(self.min_bits) hm.add_int(self.preferred_bits) if not self.old_style: hm.add_int(self.max_bits) hm.add_mpint(self.p) hm.add_mpint(self.g) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) H = sha1(hm.asbytes()).digest() self.transport._set_K_H(K, H) if srv_token is not None: self.kexgss.ssh_init_sec_context( target=self.gss_host, recv_token=srv_token ) self.kexgss.ssh_check_mic(mic_token, H) else: self.kexgss.ssh_check_mic(mic_token, H) self.transport.gss_kex_used = True self.transport._activate_outbound() def _parse_kexgss_error(self, m): """ Parse the SSH2_MSG_KEXGSS_ERROR message (client mode). The server may send a GSS-API error message. if it does, we display the error by throwing an exception (client mode). :param `Message` m: The content of the SSH2_MSG_KEXGSS_ERROR message :raise SSHException: Contains GSS-API major and minor status as well as the error message and the language tag of the message """ maj_status = m.get_int() min_status = m.get_int() err_msg = m.get_string() m.get_string() # we don't care about the language (lang_tag)! raise SSHException( """GSS-API Error: Major Status: {} Minor Status: {} Error Message: {} """.format( maj_status, min_status, err_msg ) ) class NullHostKey: """ This class represents the Null Host Key for GSS-API Key Exchange as defined in `RFC 4462 Section 5 <https://tools.ietf.org/html/rfc4462.html#section-5>`_ """ def __init__(self): self.key = "" def __str__(self): return self.key def get_name(self): return self.key ��sftp_attr.py��0000644��00000020102�15030210772�0007114 0��ustar�00��# Copyright (C) 2003-2006 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. import stat import time from paramiko.common import x80000000, o700, o70, xffffffff class SFTPAttributes: """ Representation of the attributes of a file (or proxied file) for SFTP in client or server mode. It attempts to mirror the object returned by `os.stat` as closely as possible, so it may have the following fields, with the same meanings as those returned by an `os.stat` object: - ``st_size`` - ``st_uid`` - ``st_gid`` - ``st_mode`` - ``st_atime`` - ``st_mtime`` Because SFTP allows flags to have other arbitrary named attributes, these are stored in a dict named ``attr``. Occasionally, the filename is also stored, in ``filename``. """ FLAG_SIZE = 1 FLAG_UIDGID = 2 FLAG_PERMISSIONS = 4 FLAG_AMTIME = 8 FLAG_EXTENDED = x80000000 def __init__(self): """ Create a new (empty) SFTPAttributes object. All fields will be empty. """ self._flags = 0 self.st_size = None self.st_uid = None self.st_gid = None self.st_mode = None self.st_atime = None self.st_mtime = None self.attr = {} @classmethod def from_stat(cls, obj, filename=None): """ Create an `.SFTPAttributes` object from an existing ``stat`` object (an object returned by `os.stat`). :param object obj: an object returned by `os.stat` (or equivalent). :param str filename: the filename associated with this file. :return: new `.SFTPAttributes` object with the same attribute fields. """ attr = cls() attr.st_size = obj.st_size attr.st_uid = obj.st_uid attr.st_gid = obj.st_gid attr.st_mode = obj.st_mode attr.st_atime = obj.st_atime attr.st_mtime = obj.st_mtime if filename is not None: attr.filename = filename return attr def __repr__(self): return "<SFTPAttributes: {}>".format(self._debug_str()) # ...internals... @classmethod def _from_msg(cls, msg, filename=None, longname=None): attr = cls() attr._unpack(msg) if filename is not None: attr.filename = filename if longname is not None: attr.longname = longname return attr def _unpack(self, msg): self._flags = msg.get_int() if self._flags & self.FLAG_SIZE: self.st_size = msg.get_int64() if self._flags & self.FLAG_UIDGID: self.st_uid = msg.get_int() self.st_gid = msg.get_int() if self._flags & self.FLAG_PERMISSIONS: self.st_mode = msg.get_int() if self._flags & self.FLAG_AMTIME: self.st_atime = msg.get_int() self.st_mtime = msg.get_int() if self._flags & self.FLAG_EXTENDED: count = msg.get_int() for i in range(count): self.attr[msg.get_string()] = msg.get_string() def _pack(self, msg): self._flags = 0 if self.st_size is not None: self._flags \|= self.FLAG_SIZE if (self.st_uid is not None) and (self.st_gid is not None): self._flags \|= self.FLAG_UIDGID if self.st_mode is not None: self._flags \|= self.FLAG_PERMISSIONS if (self.st_atime is not None) and (self.st_mtime is not None): self._flags \|= self.FLAG_AMTIME if len(self.attr) > 0: self._flags \|= self.FLAG_EXTENDED msg.add_int(self._flags) if self._flags & self.FLAG_SIZE: msg.add_int64(self.st_size) if self._flags & self.FLAG_UIDGID: msg.add_int(self.st_uid) msg.add_int(self.st_gid) if self._flags & self.FLAG_PERMISSIONS: msg.add_int(self.st_mode) if self._flags & self.FLAG_AMTIME: # throw away any fractional seconds msg.add_int(int(self.st_atime)) msg.add_int(int(self.st_mtime)) if self._flags & self.FLAG_EXTENDED: msg.add_int(len(self.attr)) for key, val in self.attr.items(): msg.add_string(key) msg.add_string(val) return def _debug_str(self): out = "[ " if self.st_size is not None: out += "size={} ".format(self.st_size) if (self.st_uid is not None) and (self.st_gid is not None): out += "uid={} gid={} ".format(self.st_uid, self.st_gid) if self.st_mode is not None: out += "mode=" + oct(self.st_mode) + " " if (self.st_atime is not None) and (self.st_mtime is not None): out += "atime={} mtime={} ".format(self.st_atime, self.st_mtime) for k, v in self.attr.items(): out += '"{}"={!r} '.format(str(k), v) out += "]" return out @staticmethod def _rwx(n, suid, sticky=False): if suid: suid = 2 out = "-r"[n >> 2] + "-w"[(n >> 1) & 1] if sticky: out += "-xTt"[suid + (n & 1)] else: out += "-xSs"[suid + (n & 1)] return out def __str__(self): """create a unix-style long description of the file (like ls -l)""" if self.st_mode is not None: kind = stat.S_IFMT(self.st_mode) if kind == stat.S_IFIFO: ks = "p" elif kind == stat.S_IFCHR: ks = "c" elif kind == stat.S_IFDIR: ks = "d" elif kind == stat.S_IFBLK: ks = "b" elif kind == stat.S_IFREG: ks = "-" elif kind == stat.S_IFLNK: ks = "l" elif kind == stat.S_IFSOCK: ks = "s" else: ks = "?" ks += self._rwx( (self.st_mode & o700) >> 6, self.st_mode & stat.S_ISUID ) ks += self._rwx( (self.st_mode & o70) >> 3, self.st_mode & stat.S_ISGID ) ks += self._rwx( self.st_mode & 7, self.st_mode & stat.S_ISVTX, True ) else: ks = "?---------" # compute display date if (self.st_mtime is None) or (self.st_mtime == xffffffff): # shouldn't really happen datestr = "(unknown date)" else: time_tuple = time.localtime(self.st_mtime) if abs(time.time() - self.st_mtime) > 15_552_000: # (15,552,000s = 6 months) datestr = time.strftime("%d %b %Y", time_tuple) else: datestr = time.strftime("%d %b %H:%M", time_tuple) filename = getattr(self, "filename", "?") # not all servers support uid/gid uid = self.st_uid gid = self.st_gid size = self.st_size if uid is None: uid = 0 if gid is None: gid = 0 if size is None: size = 0 # TODO: not sure this actually worked as expected beforehand, leaving # it untouched for the time being, re: .format() upgrade, until someone # has time to doublecheck return "%s 1 %-8d %-8d %8d %-12s %s" % ( ks, uid, gid, size, datestr, filename, ) def asbytes(self): return str(self).encode() ��ssh_exception.py��0000644��00000016506�15030210772�0007776 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. import socket class SSHException(Exception): """ Exception raised by failures in SSH2 protocol negotiation or logic errors. """ pass class AuthenticationException(SSHException): """ Exception raised when authentication failed for some reason. It may be possible to retry with different credentials. (Other classes specify more specific reasons.) .. versionadded:: 1.6 """ pass class PasswordRequiredException(AuthenticationException): """ Exception raised when a password is needed to unlock a private key file. """ pass class BadAuthenticationType(AuthenticationException): """ Exception raised when an authentication type (like password) is used, but the server isn't allowing that type. (It may only allow public-key, for example.) .. versionadded:: 1.1 """ allowed_types = [] # TODO 4.0: remove explanation kwarg def __init__(self, explanation, types): # TODO 4.0: remove this supercall unless it's actually required for # pickling (after fixing pickling) AuthenticationException.__init__(self, explanation, types) self.explanation = explanation self.allowed_types = types def __str__(self): return "{}; allowed types: {!r}".format( self.explanation, self.allowed_types ) class PartialAuthentication(AuthenticationException): """ An internal exception thrown in the case of partial authentication. """ allowed_types = [] def __init__(self, types): AuthenticationException.__init__(self, types) self.allowed_types = types def __str__(self): return "Partial authentication; allowed types: {!r}".format( self.allowed_types ) # TODO 4.0: stop inheriting from SSHException, move to auth.py class UnableToAuthenticate(AuthenticationException): pass class ChannelException(SSHException): """ Exception raised when an attempt to open a new `.Channel` fails. :param int code: the error code returned by the server .. versionadded:: 1.6 """ def __init__(self, code, text): SSHException.__init__(self, code, text) self.code = code self.text = text def __str__(self): return "ChannelException({!r}, {!r})".format(self.code, self.text) class BadHostKeyException(SSHException): """ The host key given by the SSH server did not match what we were expecting. :param str hostname: the hostname of the SSH server :param PKey got_key: the host key presented by the server :param PKey expected_key: the host key expected .. versionadded:: 1.6 """ def __init__(self, hostname, got_key, expected_key): SSHException.__init__(self, hostname, got_key, expected_key) self.hostname = hostname self.key = got_key self.expected_key = expected_key def __str__(self): msg = "Host key for server '{}' does not match: got '{}', expected '{}'" # noqa return msg.format( self.hostname, self.key.get_base64(), self.expected_key.get_base64(), ) class IncompatiblePeer(SSHException): """ A disagreement arose regarding an algorithm required for key exchange. .. versionadded:: 2.9 """ # TODO 4.0: consider making this annotate w/ 1..N 'missing' algorithms, # either just the first one that would halt kex, or even updating the # Transport logic so we record /all/ that /could/ halt kex. # TODO: update docstrings where this may end up raised so they are more # specific. pass class ProxyCommandFailure(SSHException): """ The "ProxyCommand" found in the .ssh/config file returned an error. :param str command: The command line that is generating this exception. :param str error: The error captured from the proxy command output. """ def __init__(self, command, error): SSHException.__init__(self, command, error) self.command = command self.error = error def __str__(self): return 'ProxyCommand("{}") returned nonzero exit status: {}'.format( self.command, self.error ) class NoValidConnectionsError(socket.error): """ Multiple connection attempts were made and no families succeeded. This exception class wraps multiple "real" underlying connection errors, all of which represent failed connection attempts. Because these errors are not guaranteed to all be of the same error type (i.e. different errno, `socket.error` subclass, message, etc) we expose a single unified error message and a ``None`` errno so that instances of this class match most normal handling of `socket.error` objects. To see the wrapped exception objects, access the ``errors`` attribute. ``errors`` is a dict whose keys are address tuples (e.g. ``('127.0.0.1', 22)``) and whose values are the exception encountered trying to connect to that address. It is implied/assumed that all the errors given to a single instance of this class are from connecting to the same hostname + port (and thus that the differences are in the resolution of the hostname - e.g. IPv4 vs v6). .. versionadded:: 1.16 """ def __init__(self, errors): """ :param dict errors: The errors dict to store, as described by class docstring. """ addrs = sorted(errors.keys()) body = ", ".join([x[0] for x in addrs[:-1]]) tail = addrs[-1][0] if body: msg = "Unable to connect to port {0} on {1} or {2}" else: msg = "Unable to connect to port {0} on {2}" super().__init__( None, msg.format(addrs[0][1], body, tail) # stand-in for errno ) self.errors = errors def __reduce__(self): return (self.__class__, (self.errors,)) class CouldNotCanonicalize(SSHException): """ Raised when hostname canonicalization fails & fallback is disabled. .. versionadded:: 2.7 """ pass class ConfigParseError(SSHException): """ A fatal error was encountered trying to parse SSH config data. Typically this means a config file violated the ``ssh_config`` specification in a manner that requires exiting immediately, such as not matching ``key = value`` syntax or misusing certain ``Match`` keywords. .. versionadded:: 2.7 """ pass class MessageOrderError(SSHException): """ Out-of-order protocol messages were received, violating "strict kex" mode. .. versionadded:: 3.4 """ pass ��auth_handler.py��0000644��00000123776�15030210772�0007571 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ `.AuthHandler` """ import weakref import threading import time import re from paramiko.common import ( cMSG_SERVICE_REQUEST, cMSG_DISCONNECT, DISCONNECT_SERVICE_NOT_AVAILABLE, DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE, cMSG_USERAUTH_REQUEST, cMSG_SERVICE_ACCEPT, DEBUG, AUTH_SUCCESSFUL, INFO, cMSG_USERAUTH_SUCCESS, cMSG_USERAUTH_FAILURE, AUTH_PARTIALLY_SUCCESSFUL, cMSG_USERAUTH_INFO_REQUEST, WARNING, AUTH_FAILED, cMSG_USERAUTH_PK_OK, cMSG_USERAUTH_INFO_RESPONSE, MSG_SERVICE_REQUEST, MSG_SERVICE_ACCEPT, MSG_USERAUTH_REQUEST, MSG_USERAUTH_SUCCESS, MSG_USERAUTH_FAILURE, MSG_USERAUTH_BANNER, MSG_USERAUTH_INFO_REQUEST, MSG_USERAUTH_INFO_RESPONSE, cMSG_USERAUTH_GSSAPI_RESPONSE, cMSG_USERAUTH_GSSAPI_TOKEN, cMSG_USERAUTH_GSSAPI_MIC, MSG_USERAUTH_GSSAPI_RESPONSE, MSG_USERAUTH_GSSAPI_TOKEN, MSG_USERAUTH_GSSAPI_ERROR, MSG_USERAUTH_GSSAPI_ERRTOK, MSG_USERAUTH_GSSAPI_MIC, MSG_NAMES, cMSG_USERAUTH_BANNER, ) from paramiko.message import Message from paramiko.util import b, u from paramiko.ssh_exception import ( SSHException, AuthenticationException, BadAuthenticationType, PartialAuthentication, ) from paramiko.server import InteractiveQuery from paramiko.ssh_gss import GSSAuth, GSS_EXCEPTIONS class AuthHandler: """ Internal class to handle the mechanics of authentication. """ def __init__(self, transport): self.transport = weakref.proxy(transport) self.username = None self.authenticated = False self.auth_event = None self.auth_method = "" self.banner = None self.password = None self.private_key = None self.interactive_handler = None self.submethods = None # for server mode: self.auth_username = None self.auth_fail_count = 0 # for GSSAPI self.gss_host = None self.gss_deleg_creds = True def _log(self, args): return self.transport._log(args) def is_authenticated(self): return self.authenticated def get_username(self): if self.transport.server_mode: return self.auth_username else: return self.username def auth_none(self, username, event): self.transport.lock.acquire() try: self.auth_event = event self.auth_method = "none" self.username = username self._request_auth() finally: self.transport.lock.release() def auth_publickey(self, username, key, event): self.transport.lock.acquire() try: self.auth_event = event self.auth_method = "publickey" self.username = username self.private_key = key self._request_auth() finally: self.transport.lock.release() def auth_password(self, username, password, event): self.transport.lock.acquire() try: self.auth_event = event self.auth_method = "password" self.username = username self.password = password self._request_auth() finally: self.transport.lock.release() def auth_interactive(self, username, handler, event, submethods=""): """ response_list = handler(title, instructions, prompt_list) """ self.transport.lock.acquire() try: self.auth_event = event self.auth_method = "keyboard-interactive" self.username = username self.interactive_handler = handler self.submethods = submethods self._request_auth() finally: self.transport.lock.release() def auth_gssapi_with_mic(self, username, gss_host, gss_deleg_creds, event): self.transport.lock.acquire() try: self.auth_event = event self.auth_method = "gssapi-with-mic" self.username = username self.gss_host = gss_host self.gss_deleg_creds = gss_deleg_creds self._request_auth() finally: self.transport.lock.release() def auth_gssapi_keyex(self, username, event): self.transport.lock.acquire() try: self.auth_event = event self.auth_method = "gssapi-keyex" self.username = username self._request_auth() finally: self.transport.lock.release() def abort(self): if self.auth_event is not None: self.auth_event.set() # ...internals... def _request_auth(self): m = Message() m.add_byte(cMSG_SERVICE_REQUEST) m.add_string("ssh-userauth") self.transport._send_message(m) def _disconnect_service_not_available(self): m = Message() m.add_byte(cMSG_DISCONNECT) m.add_int(DISCONNECT_SERVICE_NOT_AVAILABLE) m.add_string("Service not available") m.add_string("en") self.transport._send_message(m) self.transport.close() def _disconnect_no_more_auth(self): m = Message() m.add_byte(cMSG_DISCONNECT) m.add_int(DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE) m.add_string("No more auth methods available") m.add_string("en") self.transport._send_message(m) self.transport.close() def _get_key_type_and_bits(self, key): """ Given any key, return its type/algorithm & bits-to-sign. Intended for input to or verification of, key signatures. """ # Use certificate contents, if available, plain pubkey otherwise if key.public_blob: return key.public_blob.key_type, key.public_blob.key_blob else: return key.get_name(), key def _get_session_blob(self, key, service, username, algorithm): m = Message() m.add_string(self.transport.session_id) m.add_byte(cMSG_USERAUTH_REQUEST) m.add_string(username) m.add_string(service) m.add_string("publickey") m.add_boolean(True) _, bits = self._get_key_type_and_bits(key) m.add_string(algorithm) m.add_string(bits) return m.asbytes() def wait_for_response(self, event): max_ts = None if self.transport.auth_timeout is not None: max_ts = time.time() + self.transport.auth_timeout while True: event.wait(0.1) if not self.transport.is_active(): e = self.transport.get_exception() if (e is None) or issubclass(e.__class__, EOFError): e = AuthenticationException( "Authentication failed: transport shut down or saw EOF" ) raise e if event.is_set(): break if max_ts is not None and max_ts <= time.time(): raise AuthenticationException("Authentication timeout.") if not self.is_authenticated(): e = self.transport.get_exception() if e is None: e = AuthenticationException("Authentication failed.") # this is horrible. Python Exception isn't yet descended from # object, so type(e) won't work. :( # TODO 4.0: lol. just lmao. if issubclass(e.__class__, PartialAuthentication): return e.allowed_types raise e return [] def _parse_service_request(self, m): service = m.get_text() if self.transport.server_mode and (service == "ssh-userauth"): # accepted m = Message() m.add_byte(cMSG_SERVICE_ACCEPT) m.add_string(service) self.transport._send_message(m) banner, language = self.transport.server_object.get_banner() if banner: m = Message() m.add_byte(cMSG_USERAUTH_BANNER) m.add_string(banner) m.add_string(language) self.transport._send_message(m) return # dunno this one self._disconnect_service_not_available() def _generate_key_from_request(self, algorithm, keyblob): # For use in server mode. options = self.transport.preferred_pubkeys if algorithm.replace("-cert-v01@openssh.com", "") not in options: err = ( "Auth rejected: pubkey algorithm '{}' unsupported or disabled" ) self._log(INFO, err.format(algorithm)) return None return self.transport._key_info[algorithm](Message(keyblob)) def _choose_fallback_pubkey_algorithm(self, key_type, my_algos): # Fallback: first one in our (possibly tweaked by caller) list pubkey_algo = my_algos[0] msg = "Server did not send a server-sig-algs list; defaulting to our first preferred algo ({!r})" # noqa self._log(DEBUG, msg.format(pubkey_algo)) self._log( DEBUG, "NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!", # noqa ) return pubkey_algo def _finalize_pubkey_algorithm(self, key_type): # Short-circuit for non-RSA keys if "rsa" not in key_type: return key_type self._log( DEBUG, "Finalizing pubkey algorithm for key of type {!r}".format( key_type ), ) # NOTE re #2017: When the key is an RSA cert and the remote server is # OpenSSH 7.7 or earlier, always use ssh-rsa-cert-v01@openssh.com. # Those versions of the server won't support rsa-sha2 family sig algos # for certs specifically, and in tandem with various server bugs # regarding server-sig-algs, it's impossible to fit this into the rest # of the logic here. if key_type.endswith("-cert-v01@openssh.com") and re.search( r"-OpenSSH_(?:[1-6]\|7\.[0-7])", self.transport.remote_version ): pubkey_algo = "ssh-rsa-cert-v01@openssh.com" self.transport._agreed_pubkey_algorithm = pubkey_algo self._log(DEBUG, "OpenSSH<7.8 + RSA cert = forcing ssh-rsa!") self._log( DEBUG, "Agreed upon {!r} pubkey algorithm".format(pubkey_algo) ) return pubkey_algo # Normal attempts to handshake follow from here. # Only consider RSA algos from our list, lest we agree on another! my_algos = [x for x in self.transport.preferred_pubkeys if "rsa" in x] self._log(DEBUG, "Our pubkey algorithm list: {}".format(my_algos)) # Short-circuit negatively if user disabled all RSA algos (heh) if not my_algos: raise SSHException( "An RSA key was specified, but no RSA pubkey algorithms are configured!" # noqa ) # Check for server-sig-algs if supported & sent server_algo_str = u( self.transport.server_extensions.get("server-sig-algs", b("")) ) pubkey_algo = None # Prefer to match against server-sig-algs if server_algo_str: server_algos = server_algo_str.split(",") self._log( DEBUG, "Server-side algorithm list: {}".format(server_algos) ) # Only use algos from our list that the server likes, in our own # preference order. (NOTE: purposefully using same style as in # Transport...expect to refactor later) agreement = list(filter(server_algos.__contains__, my_algos)) if agreement: pubkey_algo = agreement[0] self._log( DEBUG, "Agreed upon {!r} pubkey algorithm".format(pubkey_algo), ) else: self._log(DEBUG, "No common pubkey algorithms exist! Dying.") # TODO: MAY want to use IncompatiblePeer again here but that's # technically for initial key exchange, not pubkey auth. err = "Unable to agree on a pubkey algorithm for signing a {!r} key!" # noqa raise AuthenticationException(err.format(key_type)) # Fallback to something based purely on the key & our configuration else: pubkey_algo = self._choose_fallback_pubkey_algorithm( key_type, my_algos ) if key_type.endswith("-cert-v01@openssh.com"): pubkey_algo += "-cert-v01@openssh.com" self.transport._agreed_pubkey_algorithm = pubkey_algo return pubkey_algo def _parse_service_accept(self, m): service = m.get_text() if service == "ssh-userauth": self._log(DEBUG, "userauth is OK") m = Message() m.add_byte(cMSG_USERAUTH_REQUEST) m.add_string(self.username) m.add_string("ssh-connection") m.add_string(self.auth_method) if self.auth_method == "password": m.add_boolean(False) password = b(self.password) m.add_string(password) elif self.auth_method == "publickey": m.add_boolean(True) key_type, bits = self._get_key_type_and_bits(self.private_key) algorithm = self._finalize_pubkey_algorithm(key_type) m.add_string(algorithm) m.add_string(bits) blob = self._get_session_blob( self.private_key, "ssh-connection", self.username, algorithm, ) sig = self.private_key.sign_ssh_data(blob, algorithm) m.add_string(sig) elif self.auth_method == "keyboard-interactive": m.add_string("") m.add_string(self.submethods) elif self.auth_method == "gssapi-with-mic": sshgss = GSSAuth(self.auth_method, self.gss_deleg_creds) m.add_bytes(sshgss.ssh_gss_oids()) # send the supported GSSAPI OIDs to the server self.transport._send_message(m) ptype, m = self.transport.packetizer.read_message() if ptype == MSG_USERAUTH_BANNER: self._parse_userauth_banner(m) ptype, m = self.transport.packetizer.read_message() if ptype == MSG_USERAUTH_GSSAPI_RESPONSE: # Read the mechanism selected by the server. We send just # the Kerberos V5 OID, so the server can only respond with # this OID. mech = m.get_string() m = Message() m.add_byte(cMSG_USERAUTH_GSSAPI_TOKEN) try: m.add_string( sshgss.ssh_init_sec_context( self.gss_host, mech, self.username ) ) except GSS_EXCEPTIONS as e: return self._handle_local_gss_failure(e) self.transport._send_message(m) while True: ptype, m = self.transport.packetizer.read_message() if ptype == MSG_USERAUTH_GSSAPI_TOKEN: srv_token = m.get_string() try: next_token = sshgss.ssh_init_sec_context( self.gss_host, mech, self.username, srv_token, ) except GSS_EXCEPTIONS as e: return self._handle_local_gss_failure(e) # After this step the GSSAPI should not return any # token. If it does, we keep sending the token to # the server until no more token is returned. if next_token is None: break else: m = Message() m.add_byte(cMSG_USERAUTH_GSSAPI_TOKEN) m.add_string(next_token) self.transport.send_message(m) else: raise SSHException( "Received Package: {}".format(MSG_NAMES[ptype]) ) m = Message() m.add_byte(cMSG_USERAUTH_GSSAPI_MIC) # send the MIC to the server m.add_string(sshgss.ssh_get_mic(self.transport.session_id)) elif ptype == MSG_USERAUTH_GSSAPI_ERRTOK: # RFC 4462 says we are not required to implement GSS-API # error messages. # See RFC 4462 Section 3.8 in # http://www.ietf.org/rfc/rfc4462.txt raise SSHException("Server returned an error token") elif ptype == MSG_USERAUTH_GSSAPI_ERROR: maj_status = m.get_int() min_status = m.get_int() err_msg = m.get_string() m.get_string() # Lang tag - discarded raise SSHException( """GSS-API Error: Major Status: {} Minor Status: {} Error Message: {} """.format( maj_status, min_status, err_msg ) ) elif ptype == MSG_USERAUTH_FAILURE: self._parse_userauth_failure(m) return else: raise SSHException( "Received Package: {}".format(MSG_NAMES[ptype]) ) elif ( self.auth_method == "gssapi-keyex" and self.transport.gss_kex_used ): kexgss = self.transport.kexgss_ctxt kexgss.set_username(self.username) mic_token = kexgss.ssh_get_mic(self.transport.session_id) m.add_string(mic_token) elif self.auth_method == "none": pass else: raise SSHException( 'Unknown auth method "{}"'.format(self.auth_method) ) self.transport._send_message(m) else: self._log( DEBUG, 'Service request "{}" accepted (?)'.format(service) ) def _send_auth_result(self, username, method, result): # okay, send result m = Message() if result == AUTH_SUCCESSFUL: self._log(INFO, "Auth granted ({}).".format(method)) m.add_byte(cMSG_USERAUTH_SUCCESS) self.authenticated = True else: self._log(INFO, "Auth rejected ({}).".format(method)) m.add_byte(cMSG_USERAUTH_FAILURE) m.add_string( self.transport.server_object.get_allowed_auths(username) ) if result == AUTH_PARTIALLY_SUCCESSFUL: m.add_boolean(True) else: m.add_boolean(False) self.auth_fail_count += 1 self.transport._send_message(m) if self.auth_fail_count >= 10: self._disconnect_no_more_auth() if result == AUTH_SUCCESSFUL: self.transport._auth_trigger() def _interactive_query(self, q): # make interactive query instead of response m = Message() m.add_byte(cMSG_USERAUTH_INFO_REQUEST) m.add_string(q.name) m.add_string(q.instructions) m.add_string(bytes()) m.add_int(len(q.prompts)) for p in q.prompts: m.add_string(p[0]) m.add_boolean(p[1]) self.transport._send_message(m) def _parse_userauth_request(self, m): if not self.transport.server_mode: # er, uh... what? m = Message() m.add_byte(cMSG_USERAUTH_FAILURE) m.add_string("none") m.add_boolean(False) self.transport._send_message(m) return if self.authenticated: # ignore return username = m.get_text() service = m.get_text() method = m.get_text() self._log( DEBUG, "Auth request (type={}) service={}, username={}".format( method, service, username ), ) if service != "ssh-connection": self._disconnect_service_not_available() return if (self.auth_username is not None) and ( self.auth_username != username ): self._log( WARNING, "Auth rejected because the client attempted to change username in mid-flight", # noqa ) self._disconnect_no_more_auth() return self.auth_username = username # check if GSS-API authentication is enabled gss_auth = self.transport.server_object.enable_auth_gssapi() if method == "none": result = self.transport.server_object.check_auth_none(username) elif method == "password": changereq = m.get_boolean() password = m.get_binary() try: password = password.decode("UTF-8") except UnicodeError: # some clients/servers expect non-utf-8 passwords! # in this case, just return the raw byte string. pass if changereq: # always treated as failure, since we don't support changing # passwords, but collect the list of valid auth types from # the callback anyway self._log(DEBUG, "Auth request to change passwords (rejected)") newpassword = m.get_binary() try: newpassword = newpassword.decode("UTF-8", "replace") except UnicodeError: pass result = AUTH_FAILED else: result = self.transport.server_object.check_auth_password( username, password ) elif method == "publickey": sig_attached = m.get_boolean() # NOTE: server never wants to guess a client's algo, they're # telling us directly. No need for _finalize_pubkey_algorithm # anywhere in this flow. algorithm = m.get_text() keyblob = m.get_binary() try: key = self._generate_key_from_request(algorithm, keyblob) except SSHException as e: self._log(INFO, "Auth rejected: public key: {}".format(str(e))) key = None except Exception as e: msg = "Auth rejected: unsupported or mangled public key ({}: {})" # noqa self._log(INFO, msg.format(e.__class__.__name__, e)) key = None if key is None: self._disconnect_no_more_auth() return # first check if this key is okay... if not, we can skip the verify result = self.transport.server_object.check_auth_publickey( username, key ) if result != AUTH_FAILED: # key is okay, verify it if not sig_attached: # client wants to know if this key is acceptable, before it # signs anything... send special "ok" message m = Message() m.add_byte(cMSG_USERAUTH_PK_OK) m.add_string(algorithm) m.add_string(keyblob) self.transport._send_message(m) return sig = Message(m.get_binary()) blob = self._get_session_blob( key, service, username, algorithm ) if not key.verify_ssh_sig(blob, sig): self._log(INFO, "Auth rejected: invalid signature") result = AUTH_FAILED elif method == "keyboard-interactive": submethods = m.get_string() result = self.transport.server_object.check_auth_interactive( username, submethods ) if isinstance(result, InteractiveQuery): # make interactive query instead of response self._interactive_query(result) return elif method == "gssapi-with-mic" and gss_auth: sshgss = GSSAuth(method) # Read the number of OID mechanisms supported by the client. # OpenSSH sends just one OID. It's the Kerveros V5 OID and that's # the only OID we support. mechs = m.get_int() # We can't accept more than one OID, so if the SSH client sends # more than one, disconnect. if mechs > 1: self._log( INFO, "Disconnect: Received more than one GSS-API OID mechanism", ) self._disconnect_no_more_auth() desired_mech = m.get_string() mech_ok = sshgss.ssh_check_mech(desired_mech) # if we don't support the mechanism, disconnect. if not mech_ok: self._log( INFO, "Disconnect: Received an invalid GSS-API OID mechanism", ) self._disconnect_no_more_auth() # send the Kerberos V5 GSSAPI OID to the client supported_mech = sshgss.ssh_gss_oids("server") # RFC 4462 says we are not required to implement GSS-API error # messages. See section 3.8 in http://www.ietf.org/rfc/rfc4462.txt m = Message() m.add_byte(cMSG_USERAUTH_GSSAPI_RESPONSE) m.add_bytes(supported_mech) self.transport.auth_handler = GssapiWithMicAuthHandler( self, sshgss ) self.transport._expected_packet = ( MSG_USERAUTH_GSSAPI_TOKEN, MSG_USERAUTH_REQUEST, MSG_SERVICE_REQUEST, ) self.transport._send_message(m) return elif method == "gssapi-keyex" and gss_auth: mic_token = m.get_string() sshgss = self.transport.kexgss_ctxt if sshgss is None: # If there is no valid context, we reject the authentication result = AUTH_FAILED self._send_auth_result(username, method, result) try: sshgss.ssh_check_mic( mic_token, self.transport.session_id, self.auth_username ) except Exception: result = AUTH_FAILED self._send_auth_result(username, method, result) raise result = AUTH_SUCCESSFUL self.transport.server_object.check_auth_gssapi_keyex( username, result ) else: result = self.transport.server_object.check_auth_none(username) # okay, send result self._send_auth_result(username, method, result) def _parse_userauth_success(self, m): self._log( INFO, "Authentication ({}) successful!".format(self.auth_method) ) self.authenticated = True self.transport._auth_trigger() if self.auth_event is not None: self.auth_event.set() def _parse_userauth_failure(self, m): authlist = m.get_list() # TODO 4.0: we aren't giving callers access to authlist _unless_ it's # partial authentication, so eg authtype=none can't work unless we # tweak this. partial = m.get_boolean() if partial: self._log(INFO, "Authentication continues...") self._log(DEBUG, "Methods: " + str(authlist)) self.transport.saved_exception = PartialAuthentication(authlist) elif self.auth_method not in authlist: for msg in ( "Authentication type ({}) not permitted.".format( self.auth_method ), "Allowed methods: {}".format(authlist), ): self._log(DEBUG, msg) self.transport.saved_exception = BadAuthenticationType( "Bad authentication type", authlist ) else: self._log( INFO, "Authentication ({}) failed.".format(self.auth_method) ) self.authenticated = False self.username = None if self.auth_event is not None: self.auth_event.set() def _parse_userauth_banner(self, m): banner = m.get_string() self.banner = banner self._log(INFO, "Auth banner: {}".format(banner)) # who cares. def _parse_userauth_info_request(self, m): if self.auth_method != "keyboard-interactive": raise SSHException("Illegal info request from server") title = m.get_text() instructions = m.get_text() m.get_binary() # lang prompts = m.get_int() prompt_list = [] for i in range(prompts): prompt_list.append((m.get_text(), m.get_boolean())) response_list = self.interactive_handler( title, instructions, prompt_list ) m = Message() m.add_byte(cMSG_USERAUTH_INFO_RESPONSE) m.add_int(len(response_list)) for r in response_list: m.add_string(r) self.transport._send_message(m) def _parse_userauth_info_response(self, m): if not self.transport.server_mode: raise SSHException("Illegal info response from server") n = m.get_int() responses = [] for i in range(n): responses.append(m.get_text()) result = self.transport.server_object.check_auth_interactive_response( responses ) if isinstance(result, InteractiveQuery): # make interactive query instead of response self._interactive_query(result) return self._send_auth_result( self.auth_username, "keyboard-interactive", result ) def _handle_local_gss_failure(self, e): self.transport.saved_exception = e self._log(DEBUG, "GSSAPI failure: {}".format(e)) self._log(INFO, "Authentication ({}) failed.".format(self.auth_method)) self.authenticated = False self.username = None if self.auth_event is not None: self.auth_event.set() return # TODO 4.0: MAY make sense to make these tables into actual # classes/instances that can be fed a mode bool or whatever. Or, # alternately (both?) make the message types small classes or enums that # embed this info within themselves (which could also then tidy up the # current 'integer -> human readable short string' stuff in common.py). # TODO: if we do that, also expose 'em publicly. # Messages which should be handled _by_ servers (sent by clients) @property def _server_handler_table(self): return { # TODO 4.0: MSG_SERVICE_REQUEST ought to eventually move into # Transport's server mode like the client side did, just for # consistency. MSG_SERVICE_REQUEST: self._parse_service_request, MSG_USERAUTH_REQUEST: self._parse_userauth_request, MSG_USERAUTH_INFO_RESPONSE: self._parse_userauth_info_response, } # Messages which should be handled _by_ clients (sent by servers) @property def _client_handler_table(self): return { MSG_SERVICE_ACCEPT: self._parse_service_accept, MSG_USERAUTH_SUCCESS: self._parse_userauth_success, MSG_USERAUTH_FAILURE: self._parse_userauth_failure, MSG_USERAUTH_BANNER: self._parse_userauth_banner, MSG_USERAUTH_INFO_REQUEST: self._parse_userauth_info_request, } # NOTE: prior to the fix for #1283, this was a static dict instead of a # property. Should be backwards compatible in most/all cases. @property def _handler_table(self): if self.transport.server_mode: return self._server_handler_table else: return self._client_handler_table class GssapiWithMicAuthHandler: """A specialized Auth handler for gssapi-with-mic During the GSSAPI token exchange we need a modified dispatch table, because the packet type numbers are not unique. """ method = "gssapi-with-mic" def __init__(self, delegate, sshgss): self._delegate = delegate self.sshgss = sshgss def abort(self): self._restore_delegate_auth_handler() return self._delegate.abort() @property def transport(self): return self._delegate.transport @property def _send_auth_result(self): return self._delegate._send_auth_result @property def auth_username(self): return self._delegate.auth_username @property def gss_host(self): return self._delegate.gss_host def _restore_delegate_auth_handler(self): self.transport.auth_handler = self._delegate def _parse_userauth_gssapi_token(self, m): client_token = m.get_string() # use the client token as input to establish a secure # context. sshgss = self.sshgss try: token = sshgss.ssh_accept_sec_context( self.gss_host, client_token, self.auth_username ) except Exception as e: self.transport.saved_exception = e result = AUTH_FAILED self._restore_delegate_auth_handler() self._send_auth_result(self.auth_username, self.method, result) raise if token is not None: m = Message() m.add_byte(cMSG_USERAUTH_GSSAPI_TOKEN) m.add_string(token) self.transport._expected_packet = ( MSG_USERAUTH_GSSAPI_TOKEN, MSG_USERAUTH_GSSAPI_MIC, MSG_USERAUTH_REQUEST, ) self.transport._send_message(m) def _parse_userauth_gssapi_mic(self, m): mic_token = m.get_string() sshgss = self.sshgss username = self.auth_username self._restore_delegate_auth_handler() try: sshgss.ssh_check_mic( mic_token, self.transport.session_id, username ) except Exception as e: self.transport.saved_exception = e result = AUTH_FAILED self._send_auth_result(username, self.method, result) raise # TODO: Implement client credential saving. # The OpenSSH server is able to create a TGT with the delegated # client credentials, but this is not supported by GSS-API. result = AUTH_SUCCESSFUL self.transport.server_object.check_auth_gssapi_with_mic( username, result ) # okay, send result self._send_auth_result(username, self.method, result) def _parse_service_request(self, m): self._restore_delegate_auth_handler() return self._delegate._parse_service_request(m) def _parse_userauth_request(self, m): self._restore_delegate_auth_handler() return self._delegate._parse_userauth_request(m) __handler_table = { MSG_SERVICE_REQUEST: _parse_service_request, MSG_USERAUTH_REQUEST: _parse_userauth_request, MSG_USERAUTH_GSSAPI_TOKEN: _parse_userauth_gssapi_token, MSG_USERAUTH_GSSAPI_MIC: _parse_userauth_gssapi_mic, } @property def _handler_table(self): # TODO: determine if we can cut this up like we did for the primary # AuthHandler class. return self.__handler_table class AuthOnlyHandler(AuthHandler): """ AuthHandler, and just auth, no service requests! .. versionadded:: 3.2 """ # NOTE: this purposefully duplicates some of the parent class in order to # modernize, refactor, etc. The intent is that eventually we will collapse # this one onto the parent in a backwards incompatible release. @property def _client_handler_table(self): my_table = super()._client_handler_table.copy() del my_table[MSG_SERVICE_ACCEPT] return my_table def send_auth_request(self, username, method, finish_message=None): """ Submit a userauth request message & wait for response. Performs the transport message send call, sets self.auth_event, and will lock-n-block as necessary to both send, and wait for response to, the USERAUTH_REQUEST. Most callers will want to supply a callback to ``finish_message``, which accepts a Message ``m`` and may call mutator methods on it to add more fields. """ # Store a few things for reference in handlers, including auth failure # handler (which needs to know if we were using a bad method, etc) self.auth_method = method self.username = username # Generic userauth request fields m = Message() m.add_byte(cMSG_USERAUTH_REQUEST) m.add_string(username) m.add_string("ssh-connection") m.add_string(method) # Caller usually has more to say, such as injecting password, key etc finish_message(m) # TODO 4.0: seems odd to have the client handle the lock and not # Transport; that _may_ have been an artifact of allowing user # threading event injection? Regardless, we don't want to move _this_ # locking into Transport._send_message now, because lots of other # untouched code also uses that method and we might end up # double-locking (?) but 4.0 would be a good time to revisit. with self.transport.lock: self.transport._send_message(m) # We have cut out the higher level event args, but self.auth_event is # still required for self.wait_for_response to function correctly (it's # the mechanism used by the auth success/failure handlers, the abort # handler, and a few other spots like in gssapi. # TODO: interestingly, wait_for_response itself doesn't actually # enforce that its event argument and self.auth_event are the same... self.auth_event = threading.Event() return self.wait_for_response(self.auth_event) def auth_none(self, username): return self.send_auth_request(username, "none") def auth_publickey(self, username, key): key_type, bits = self._get_key_type_and_bits(key) algorithm = self._finalize_pubkey_algorithm(key_type) blob = self._get_session_blob( key, "ssh-connection", username, algorithm, ) def finish(m): # This field doesn't appear to be named, but is False when querying # for permission (ie knowing whether to even prompt a user for # passphrase, etc) or True when just going for it. Paramiko has # never bothered with the former type of message, apparently. m.add_boolean(True) m.add_string(algorithm) m.add_string(bits) m.add_string(key.sign_ssh_data(blob, algorithm)) return self.send_auth_request(username, "publickey", finish) def auth_password(self, username, password): def finish(m): # Unnamed field that equates to "I am changing my password", which # Paramiko clientside never supported and serverside only sort of # supported. m.add_boolean(False) m.add_string(b(password)) return self.send_auth_request(username, "password", finish) def auth_interactive(self, username, handler, submethods=""): """ response_list = handler(title, instructions, prompt_list) """ # Unlike most siblings, this auth method _does_ require other # superclass handlers (eg userauth info request) to understand # what's going on, so we still set some self attributes. self.auth_method = "keyboard_interactive" self.interactive_handler = handler def finish(m): # Empty string for deprecated language tag field, per RFC 4256: # https://www.rfc-editor.org/rfc/rfc4256#section-3.1 m.add_string("") m.add_string(submethods) return self.send_auth_request(username, "keyboard-interactive", finish) # NOTE: not strictly 'auth only' related, but allows users to opt-in. def _choose_fallback_pubkey_algorithm(self, key_type, my_algos): msg = "Server did not send a server-sig-algs list; defaulting to something in our preferred algorithms list" # noqa self._log(DEBUG, msg) noncert_key_type = key_type.replace("-cert-v01@openssh.com", "") if key_type in my_algos or noncert_key_type in my_algos: actual = key_type if key_type in my_algos else noncert_key_type msg = f"Current key type, {actual!r}, is in our preferred list; using that" # noqa algo = actual else: algo = my_algos[0] msg = f"{key_type!r} not in our list - trying first list item instead, {algo!r}" # noqa self._log(DEBUG, msg) return algo ��primes.py��0000644��00000011763�15030210772�0006422 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Utility functions for dealing with primes. """ import os from paramiko import util from paramiko.common import byte_mask from paramiko.ssh_exception import SSHException def _roll_random(n): """returns a random # from 0 to N-1""" bits = util.bit_length(n - 1) byte_count = (bits + 7) // 8 hbyte_mask = pow(2, bits % 8) - 1 # so here's the plan: # we fetch as many random bits as we'd need to fit N-1, and if the # generated number is >= N, we try again. in the worst case (N-1 is a # power of 2), we have slightly better than 50% odds of getting one that # fits, so i can't guarantee that this loop will ever finish, but the odds # of it looping forever should be infinitesimal. while True: x = os.urandom(byte_count) if hbyte_mask > 0: x = byte_mask(x[0], hbyte_mask) + x[1:] num = util.inflate_long(x, 1) if num < n: break return num class ModulusPack: """ convenience object for holding the contents of the /etc/ssh/moduli file, on systems that have such a file. """ def __init__(self): # pack is a hash of: bits -> [ (generator, modulus) ... ] self.pack = {} self.discarded = [] def _parse_modulus(self, line): ( timestamp, mod_type, tests, tries, size, generator, modulus, ) = line.split() mod_type = int(mod_type) tests = int(tests) tries = int(tries) size = int(size) generator = int(generator) modulus = int(modulus, 16) # weed out primes that aren't at least: # type 2 (meets basic structural requirements) # test 4 (more than just a small-prime sieve) # tries < 100 if test & 4 (at least 100 tries of miller-rabin) if ( mod_type < 2 or tests < 4 or (tests & 4 and tests < 8 and tries < 100) ): self.discarded.append( (modulus, "does not meet basic requirements") ) return if generator == 0: generator = 2 # there's a bug in the ssh "moduli" file (yeah, i know: shock! dismay! # call cnn!) where it understates the bit lengths of these primes by 1. # this is okay. bl = util.bit_length(modulus) if (bl != size) and (bl != size + 1): self.discarded.append( (modulus, "incorrectly reported bit length {}".format(size)) ) return if bl not in self.pack: self.pack[bl] = [] self.pack[bl].append((generator, modulus)) def read_file(self, filename): """ :raises IOError: passed from any file operations that fail. """ self.pack = {} with open(filename, "r") as f: for line in f: line = line.strip() if (len(line) == 0) or (line[0] == "#"): continue try: self._parse_modulus(line) except: continue def get_modulus(self, min, prefer, max): bitsizes = sorted(self.pack.keys()) if len(bitsizes) == 0: raise SSHException("no moduli available") good = -1 # find nearest bitsize >= preferred for b in bitsizes: if (b >= prefer) and (b <= max) and (b < good or good == -1): good = b # if that failed, find greatest bitsize >= min if good == -1: for b in bitsizes: if (b >= min) and (b <= max) and (b > good): good = b if good == -1: # their entire (min, max) range has no intersection with our range. # if their range is below ours, pick the smallest. otherwise pick # the largest. it'll be out of their range requirement either way, # but we'll be sending them the closest one we have. good = bitsizes[0] if min > good: good = bitsizes[-1] # now pick a random modulus of this bitsize n = _roll_random(len(self.pack[good])) return self.pack[good][n] ��kex_gex.py��0000644��00000024120�15030210772�0006544 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Variant on `KexGroup1 <paramiko.kex_group1.KexGroup1>` where the prime "p" and generator "g" are provided by the server. A bit more work is required on the client side, and a lot more on the server side. """ import os from hashlib import sha1, sha256 from paramiko import util from paramiko.common import DEBUG, byte_chr, byte_ord, byte_mask from paramiko.message import Message from paramiko.ssh_exception import SSHException ( _MSG_KEXDH_GEX_REQUEST_OLD, _MSG_KEXDH_GEX_GROUP, _MSG_KEXDH_GEX_INIT, _MSG_KEXDH_GEX_REPLY, _MSG_KEXDH_GEX_REQUEST, ) = range(30, 35) ( c_MSG_KEXDH_GEX_REQUEST_OLD, c_MSG_KEXDH_GEX_GROUP, c_MSG_KEXDH_GEX_INIT, c_MSG_KEXDH_GEX_REPLY, c_MSG_KEXDH_GEX_REQUEST, ) = [byte_chr(c) for c in range(30, 35)] class KexGex: name = "diffie-hellman-group-exchange-sha1" min_bits = 1024 max_bits = 8192 preferred_bits = 2048 hash_algo = sha1 def __init__(self, transport): self.transport = transport self.p = None self.q = None self.g = None self.x = None self.e = None self.f = None self.old_style = False def start_kex(self, _test_old_style=False): if self.transport.server_mode: self.transport._expect_packet( _MSG_KEXDH_GEX_REQUEST, _MSG_KEXDH_GEX_REQUEST_OLD ) return # request a bit range: we accept (min_bits) to (max_bits), but prefer # (preferred_bits). according to the spec, we shouldn't pull the # minimum up above 1024. m = Message() if _test_old_style: # only used for unit tests: we shouldn't ever send this m.add_byte(c_MSG_KEXDH_GEX_REQUEST_OLD) m.add_int(self.preferred_bits) self.old_style = True else: m.add_byte(c_MSG_KEXDH_GEX_REQUEST) m.add_int(self.min_bits) m.add_int(self.preferred_bits) m.add_int(self.max_bits) self.transport._send_message(m) self.transport._expect_packet(_MSG_KEXDH_GEX_GROUP) def parse_next(self, ptype, m): if ptype == _MSG_KEXDH_GEX_REQUEST: return self._parse_kexdh_gex_request(m) elif ptype == _MSG_KEXDH_GEX_GROUP: return self._parse_kexdh_gex_group(m) elif ptype == _MSG_KEXDH_GEX_INIT: return self._parse_kexdh_gex_init(m) elif ptype == _MSG_KEXDH_GEX_REPLY: return self._parse_kexdh_gex_reply(m) elif ptype == _MSG_KEXDH_GEX_REQUEST_OLD: return self._parse_kexdh_gex_request_old(m) msg = "KexGex {} asked to handle packet type {:d}" raise SSHException(msg.format(self.name, ptype)) # ...internals... def _generate_x(self): # generate an "x" (1 < x < (p-1)/2). q = (self.p - 1) // 2 qnorm = util.deflate_long(q, 0) qhbyte = byte_ord(qnorm[0]) byte_count = len(qnorm) qmask = 0xFF while not (qhbyte & 0x80): qhbyte <<= 1 qmask >>= 1 while True: x_bytes = os.urandom(byte_count) x_bytes = byte_mask(x_bytes[0], qmask) + x_bytes[1:] x = util.inflate_long(x_bytes, 1) if (x > 1) and (x < q): break self.x = x def _parse_kexdh_gex_request(self, m): minbits = m.get_int() preferredbits = m.get_int() maxbits = m.get_int() # smoosh the user's preferred size into our own limits if preferredbits > self.max_bits: preferredbits = self.max_bits if preferredbits < self.min_bits: preferredbits = self.min_bits # fix min/max if they're inconsistent. technically, we could just pout # and hang up, but there's no harm in giving them the benefit of the # doubt and just picking a bitsize for them. if minbits > preferredbits: minbits = preferredbits if maxbits < preferredbits: maxbits = preferredbits # now save a copy self.min_bits = minbits self.preferred_bits = preferredbits self.max_bits = maxbits # generate prime pack = self.transport._get_modulus_pack() if pack is None: raise SSHException("Can't do server-side gex with no modulus pack") self.transport._log( DEBUG, "Picking p ({} <= {} <= {} bits)".format( minbits, preferredbits, maxbits ), ) self.g, self.p = pack.get_modulus(minbits, preferredbits, maxbits) m = Message() m.add_byte(c_MSG_KEXDH_GEX_GROUP) m.add_mpint(self.p) m.add_mpint(self.g) self.transport._send_message(m) self.transport._expect_packet(_MSG_KEXDH_GEX_INIT) def _parse_kexdh_gex_request_old(self, m): # same as above, but without min_bits or max_bits (used by older # clients like putty) self.preferred_bits = m.get_int() # smoosh the user's preferred size into our own limits if self.preferred_bits > self.max_bits: self.preferred_bits = self.max_bits if self.preferred_bits < self.min_bits: self.preferred_bits = self.min_bits # generate prime pack = self.transport._get_modulus_pack() if pack is None: raise SSHException("Can't do server-side gex with no modulus pack") self.transport._log( DEBUG, "Picking p (~ {} bits)".format(self.preferred_bits) ) self.g, self.p = pack.get_modulus( self.min_bits, self.preferred_bits, self.max_bits ) m = Message() m.add_byte(c_MSG_KEXDH_GEX_GROUP) m.add_mpint(self.p) m.add_mpint(self.g) self.transport._send_message(m) self.transport._expect_packet(_MSG_KEXDH_GEX_INIT) self.old_style = True def _parse_kexdh_gex_group(self, m): self.p = m.get_mpint() self.g = m.get_mpint() # reject if p's bit length < 1024 or > 8192 bitlen = util.bit_length(self.p) if (bitlen < 1024) or (bitlen > 8192): raise SSHException( "Server-generated gex p (don't ask) is out of range " "({} bits)".format(bitlen) ) self.transport._log(DEBUG, "Got server p ({} bits)".format(bitlen)) self._generate_x() # now compute e = g^x mod p self.e = pow(self.g, self.x, self.p) m = Message() m.add_byte(c_MSG_KEXDH_GEX_INIT) m.add_mpint(self.e) self.transport._send_message(m) self.transport._expect_packet(_MSG_KEXDH_GEX_REPLY) def _parse_kexdh_gex_init(self, m): self.e = m.get_mpint() if (self.e < 1) or (self.e > self.p - 1): raise SSHException('Client kex "e" is out of range') self._generate_x() self.f = pow(self.g, self.x, self.p) K = pow(self.e, self.x, self.p) key = self.transport.get_server_key().asbytes() # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| min \|\| n \|\| max \|\| p \|\| g \|\| e \|\| f \|\| K) # noqa hm = Message() hm.add( self.transport.remote_version, self.transport.local_version, self.transport.remote_kex_init, self.transport.local_kex_init, key, ) if not self.old_style: hm.add_int(self.min_bits) hm.add_int(self.preferred_bits) if not self.old_style: hm.add_int(self.max_bits) hm.add_mpint(self.p) hm.add_mpint(self.g) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) H = self.hash_algo(hm.asbytes()).digest() self.transport._set_K_H(K, H) # sign it sig = self.transport.get_server_key().sign_ssh_data( H, self.transport.host_key_type ) # send reply m = Message() m.add_byte(c_MSG_KEXDH_GEX_REPLY) m.add_string(key) m.add_mpint(self.f) m.add_string(sig) self.transport._send_message(m) self.transport._activate_outbound() def _parse_kexdh_gex_reply(self, m): host_key = m.get_string() self.f = m.get_mpint() sig = m.get_string() if (self.f < 1) or (self.f > self.p - 1): raise SSHException('Server kex "f" is out of range') K = pow(self.f, self.x, self.p) # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| min \|\| n \|\| max \|\| p \|\| g \|\| e \|\| f \|\| K) # noqa hm = Message() hm.add( self.transport.local_version, self.transport.remote_version, self.transport.local_kex_init, self.transport.remote_kex_init, host_key, ) if not self.old_style: hm.add_int(self.min_bits) hm.add_int(self.preferred_bits) if not self.old_style: hm.add_int(self.max_bits) hm.add_mpint(self.p) hm.add_mpint(self.g) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) self.transport._set_K_H(K, self.hash_algo(hm.asbytes()).digest()) self.transport._verify_key(host_key, sig) self.transport._activate_outbound() class KexGexSHA256(KexGex): name = "diffie-hellman-group-exchange-sha256" hash_algo = sha256 ��hostkeys.py��0000644��00000031630�15030210772�0006767 0��ustar�00��# Copyright (C) 2006-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. from base64 import encodebytes, decodebytes import binascii import os import re from collections.abc import MutableMapping from hashlib import sha1 from hmac import HMAC from paramiko.pkey import PKey, UnknownKeyType from paramiko.util import get_logger, constant_time_bytes_eq, b, u from paramiko.ssh_exception import SSHException class HostKeys(MutableMapping): """ Representation of an OpenSSH-style "known hosts" file. Host keys can be read from one or more files, and then individual hosts can be looked up to verify server keys during SSH negotiation. A `.HostKeys` object can be treated like a dict; any dict lookup is equivalent to calling `lookup`. .. versionadded:: 1.5.3 """ def __init__(self, filename=None): """ Create a new HostKeys object, optionally loading keys from an OpenSSH style host-key file. :param str filename: filename to load host keys from, or ``None`` """ # emulate a dict of { hostname: { keytype: PKey } } self._entries = [] if filename is not None: self.load(filename) def add(self, hostname, keytype, key): """ Add a host key entry to the table. Any existing entry for a ``(hostname, keytype)`` pair will be replaced. :param str hostname: the hostname (or IP) to add :param str keytype: key type (``"ssh-rsa"`` or ``"ssh-dss"``) :param .PKey key: the key to add """ for e in self._entries: if (hostname in e.hostnames) and (e.key.get_name() == keytype): e.key = key return self._entries.append(HostKeyEntry([hostname], key)) def load(self, filename): """ Read a file of known SSH host keys, in the format used by OpenSSH. This type of file unfortunately doesn't exist on Windows, but on posix, it will usually be stored in ``os.path.expanduser("~/.ssh/known_hosts")``. If this method is called multiple times, the host keys are merged, not cleared. So multiple calls to `load` will just call `add`, replacing any existing entries and adding new ones. :param str filename: name of the file to read host keys from :raises: ``IOError`` -- if there was an error reading the file """ with open(filename, "r") as f: for lineno, line in enumerate(f, 1): line = line.strip() if (len(line) == 0) or (line[0] == "#"): continue try: entry = HostKeyEntry.from_line(line, lineno) except SSHException: continue if entry is not None: _hostnames = entry.hostnames for h in _hostnames: if self.check(h, entry.key): entry.hostnames.remove(h) if len(entry.hostnames): self._entries.append(entry) def save(self, filename): """ Save host keys into a file, in the format used by OpenSSH. The order of keys in the file will be preserved when possible (if these keys were loaded from a file originally). The single exception is that combined lines will be split into individual key lines, which is arguably a bug. :param str filename: name of the file to write :raises: ``IOError`` -- if there was an error writing the file .. versionadded:: 1.6.1 """ with open(filename, "w") as f: for e in self._entries: line = e.to_line() if line: f.write(line) def lookup(self, hostname): """ Find a hostkey entry for a given hostname or IP. If no entry is found, ``None`` is returned. Otherwise a dictionary of keytype to key is returned. The keytype will be either ``"ssh-rsa"`` or ``"ssh-dss"``. :param str hostname: the hostname (or IP) to lookup :return: dict of `str` -> `.PKey` keys associated with this host (or ``None``) """ class SubDict(MutableMapping): def __init__(self, hostname, entries, hostkeys): self._hostname = hostname self._entries = entries self._hostkeys = hostkeys def __iter__(self): for k in self.keys(): yield k def __len__(self): return len(self.keys()) def __delitem__(self, key): for e in list(self._entries): if e.key.get_name() == key: self._entries.remove(e) break else: raise KeyError(key) def __getitem__(self, key): for e in self._entries: if e.key.get_name() == key: return e.key raise KeyError(key) def __setitem__(self, key, val): for e in self._entries: if e.key is None: continue if e.key.get_name() == key: # replace e.key = val break else: # add a new one e = HostKeyEntry([hostname], val) self._entries.append(e) self._hostkeys._entries.append(e) def keys(self): return [ e.key.get_name() for e in self._entries if e.key is not None ] entries = [] for e in self._entries: if self._hostname_matches(hostname, e): entries.append(e) if len(entries) == 0: return None return SubDict(hostname, entries, self) def _hostname_matches(self, hostname, entry): """ Tests whether ``hostname`` string matches given SubDict ``entry``. :returns bool: """ for h in entry.hostnames: if ( h == hostname or h.startswith("\|1\|") and not hostname.startswith("\|1\|") and constant_time_bytes_eq(self.hash_host(hostname, h), h) ): return True return False def check(self, hostname, key): """ Return True if the given key is associated with the given hostname in this dictionary. :param str hostname: hostname (or IP) of the SSH server :param .PKey key: the key to check :return: ``True`` if the key is associated with the hostname; else ``False`` """ k = self.lookup(hostname) if k is None: return False host_key = k.get(key.get_name(), None) if host_key is None: return False return host_key.asbytes() == key.asbytes() def clear(self): """ Remove all host keys from the dictionary. """ self._entries = [] def __iter__(self): for k in self.keys(): yield k def __len__(self): return len(self.keys()) def __getitem__(self, key): ret = self.lookup(key) if ret is None: raise KeyError(key) return ret def __delitem__(self, key): index = None for i, entry in enumerate(self._entries): if self._hostname_matches(key, entry): index = i break if index is None: raise KeyError(key) self._entries.pop(index) def __setitem__(self, hostname, entry): # don't use this please. if len(entry) == 0: self._entries.append(HostKeyEntry([hostname], None)) return for key_type in entry.keys(): found = False for e in self._entries: if (hostname in e.hostnames) and e.key.get_name() == key_type: # replace e.key = entry[key_type] found = True if not found: self._entries.append(HostKeyEntry([hostname], entry[key_type])) def keys(self): ret = [] for e in self._entries: for h in e.hostnames: if h not in ret: ret.append(h) return ret def values(self): ret = [] for k in self.keys(): ret.append(self.lookup(k)) return ret @staticmethod def hash_host(hostname, salt=None): """ Return a "hashed" form of the hostname, as used by OpenSSH when storing hashed hostnames in the known_hosts file. :param str hostname: the hostname to hash :param str salt: optional salt to use when hashing (must be 20 bytes long) :return: the hashed hostname as a `str` """ if salt is None: salt = os.urandom(sha1().digest_size) else: if salt.startswith("\|1\|"): salt = salt.split("\|")[2] salt = decodebytes(b(salt)) assert len(salt) == sha1().digest_size hmac = HMAC(salt, b(hostname), sha1).digest() hostkey = "\|1\|{}\|{}".format(u(encodebytes(salt)), u(encodebytes(hmac))) return hostkey.replace("\n", "") class InvalidHostKey(Exception): def __init__(self, line, exc): self.line = line self.exc = exc self.args = (line, exc) class HostKeyEntry: """ Representation of a line in an OpenSSH-style "known hosts" file. """ def __init__(self, hostnames=None, key=None): self.valid = (hostnames is not None) and (key is not None) self.hostnames = hostnames self.key = key @classmethod def from_line(cls, line, lineno=None): """ Parses the given line of text to find the names for the host, the type of key, and the key data. The line is expected to be in the format used by the OpenSSH known_hosts file. Fields are separated by a single space or tab. Lines are expected to not have leading or trailing whitespace. We don't bother to check for comments or empty lines. All of that should be taken care of before sending the line to us. :param str line: a line from an OpenSSH known_hosts file """ log = get_logger("paramiko.hostkeys") fields = re.split(" \|\t", line) if len(fields) < 3: # Bad number of fields msg = "Not enough fields found in known_hosts in line {} ({!r})" log.info(msg.format(lineno, line)) return None fields = fields[:3] names, key_type, key = fields names = names.split(",") # Decide what kind of key we're looking at and create an object # to hold it accordingly. try: # TODO: this grew organically and doesn't seem /wrong/ per se (file # read -> unicode str -> bytes for base64 decode -> decoded bytes); # but in Python 3 forever land, can we simply use # `base64.b64decode(str-from-file)` here? key_bytes = decodebytes(b(key)) except binascii.Error as e: raise InvalidHostKey(line, e) try: return cls(names, PKey.from_type_string(key_type, key_bytes)) except UnknownKeyType: # TODO 4.0: consider changing HostKeys API so this just raises # naturally and the exception is muted higher up in the stack? log.info("Unable to handle key of type {}".format(key_type)) return None def to_line(self): """ Returns a string in OpenSSH known_hosts file format, or None if the object is not in a valid state. A trailing newline is included. """ if self.valid: return "{} {} {}\n".format( ",".join(self.hostnames), self.key.get_name(), self.key.get_base64(), ) return None def __repr__(self): return "<HostKeyEntry {!r}: {!r}>".format(self.hostnames, self.key) ��win_openssh.py��0000644��00000003576�15030210772�0007462 0��ustar�00��# Copyright (C) 2021 Lew Gordon <lew.gordon@genesys.com> # Copyright (C) 2022 Patrick Spendrin <ps_ml@gmx.de> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. import os.path import time PIPE_NAME = r"\\.\pipe\openssh-ssh-agent" def can_talk_to_agent(): # use os.listdir() instead of os.path.exists(), because os.path.exists() # uses CreateFileW() API and the pipe cannot be reopen unless the server # calls DisconnectNamedPipe(). dir_, name = os.path.split(PIPE_NAME) name = name.lower() return any(name == n.lower() for n in os.listdir(dir_)) class OpenSSHAgentConnection: def __init__(self): while True: try: self._pipe = os.open(PIPE_NAME, os.O_RDWR \| os.O_BINARY) except OSError as e: # retry when errno 22 which means that the server has not # called DisconnectNamedPipe() yet. if e.errno != 22: raise else: break time.sleep(0.1) def send(self, data): return os.write(self._pipe, data) def recv(self, n): return os.read(self._pipe, n) def close(self): return os.close(self._pipe) ��buffered_pipe.py��0000644��00000016071�15030210772�0007717 0��ustar�00��# Copyright (C) 2006-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Attempt to generalize the "feeder" part of a `.Channel`: an object which can be read from and closed, but is reading from a buffer fed by another thread. The read operations are blocking and can have a timeout set. """ import array import threading import time from paramiko.util import b class PipeTimeout(IOError): """ Indicates that a timeout was reached on a read from a `.BufferedPipe`. """ pass class BufferedPipe: """ A buffer that obeys normal read (with timeout) & close semantics for a file or socket, but is fed data from another thread. This is used by `.Channel`. """ def __init__(self): self._lock = threading.Lock() self._cv = threading.Condition(self._lock) self._event = None self._buffer = array.array("B") self._closed = False def _buffer_frombytes(self, data): self._buffer.frombytes(data) def _buffer_tobytes(self, limit=None): return self._buffer[:limit].tobytes() def set_event(self, event): """ Set an event on this buffer. When data is ready to be read (or the buffer has been closed), the event will be set. When no data is ready, the event will be cleared. :param threading.Event event: the event to set/clear """ self._lock.acquire() try: self._event = event # Make sure the event starts in `set` state if we appear to already # be closed; otherwise, if we start in `clear` state & are closed, # nothing will ever call `.feed` and the event (& OS pipe, if we're # wrapping one - see `Channel.fileno`) will permanently stay in # `clear`, causing deadlock if e.g. `select`ed upon. if self._closed or len(self._buffer) > 0: event.set() else: event.clear() finally: self._lock.release() def feed(self, data): """ Feed new data into this pipe. This method is assumed to be called from a separate thread, so synchronization is done. :param data: the data to add, as a ``str`` or ``bytes`` """ self._lock.acquire() try: if self._event is not None: self._event.set() self._buffer_frombytes(b(data)) self._cv.notify_all() finally: self._lock.release() def read_ready(self): """ Returns true if data is buffered and ready to be read from this feeder. A ``False`` result does not mean that the feeder has closed; it means you may need to wait before more data arrives. :return: ``True`` if a `read` call would immediately return at least one byte; ``False`` otherwise. """ self._lock.acquire() try: if len(self._buffer) == 0: return False return True finally: self._lock.release() def read(self, nbytes, timeout=None): """ Read data from the pipe. The return value is a string representing the data received. The maximum amount of data to be received at once is specified by ``nbytes``. If a string of length zero is returned, the pipe has been closed. The optional ``timeout`` argument can be a nonnegative float expressing seconds, or ``None`` for no timeout. If a float is given, a `.PipeTimeout` will be raised if the timeout period value has elapsed before any data arrives. :param int nbytes: maximum number of bytes to read :param float timeout: maximum seconds to wait (or ``None``, the default, to wait forever) :return: the read data, as a ``str`` or ``bytes`` :raises: `.PipeTimeout` -- if a timeout was specified and no data was ready before that timeout """ out = bytes() self._lock.acquire() try: if len(self._buffer) == 0: if self._closed: return out # should we block? if timeout == 0.0: raise PipeTimeout() # loop here in case we get woken up but a different thread has # grabbed everything in the buffer. while (len(self._buffer) == 0) and not self._closed: then = time.time() self._cv.wait(timeout) if timeout is not None: timeout -= time.time() - then if timeout <= 0.0: raise PipeTimeout() # something's in the buffer and we have the lock! if len(self._buffer) <= nbytes: out = self._buffer_tobytes() del self._buffer[:] if (self._event is not None) and not self._closed: self._event.clear() else: out = self._buffer_tobytes(nbytes) del self._buffer[:nbytes] finally: self._lock.release() return out def empty(self): """ Clear out the buffer and return all data that was in it. :return: any data that was in the buffer prior to clearing it out, as a `str` """ self._lock.acquire() try: out = self._buffer_tobytes() del self._buffer[:] if (self._event is not None) and not self._closed: self._event.clear() return out finally: self._lock.release() def close(self): """ Close this pipe object. Future calls to `read` after the buffer has been emptied will return immediately with an empty string. """ self._lock.acquire() try: self._closed = True self._cv.notify_all() if self._event is not None: self._event.set() finally: self._lock.release() def __len__(self): """ Return the number of bytes buffered. :return: number (`int`) of bytes buffered """ self._lock.acquire() try: return len(self._buffer) finally: self._lock.release() ��pkey.py��0000644��00000107345�15030210772�0006075 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Common API for all public keys. """ import base64 from base64 import encodebytes, decodebytes from binascii import unhexlify import os from pathlib import Path from hashlib import md5, sha256 import re import struct import bcrypt from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.ciphers import algorithms, modes, Cipher from cryptography.hazmat.primitives import asymmetric from paramiko import util from paramiko.util import u, b from paramiko.common import o600 from paramiko.ssh_exception import SSHException, PasswordRequiredException from paramiko.message import Message # TripleDES is moving from `cryptography.hazmat.primitives.ciphers.algorithms` # in cryptography>=43.0.0 to `cryptography.hazmat.decrepit.ciphers.algorithms` # It will be removed from `cryptography.hazmat.primitives.ciphers.algorithms` # in cryptography==48.0.0. # # Source References: # - https://github.com/pyca/cryptography/commit/722a6393e61b3ac # - https://github.com/pyca/cryptography/pull/11407/files try: from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES except ImportError: from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES OPENSSH_AUTH_MAGIC = b"openssh-key-v1\x00" def _unpad_openssh(data): # At the moment, this is only used for unpadding private keys on disk. This # really ought to be made constant time (possibly by upstreaming this logic # into pyca/cryptography). padding_length = data[-1] if 0x20 <= padding_length < 0x7F: return data # no padding, last byte part comment (printable ascii) if padding_length > 15: raise SSHException("Invalid key") for i in range(padding_length): if data[i - padding_length] != i + 1: raise SSHException("Invalid key") return data[:-padding_length] class UnknownKeyType(Exception): """ An unknown public/private key algorithm was attempted to be read. """ def __init__(self, key_type=None, key_bytes=None): self.key_type = key_type self.key_bytes = key_bytes def __str__(self): return f"UnknownKeyType(type={self.key_type!r}, bytes=<{len(self.key_bytes)}>)" # noqa class PKey: """ Base class for public keys. Also includes some "meta" level convenience constructors such as `.from_type_string`. """ # known encryption types for private key files: _CIPHER_TABLE = { "AES-128-CBC": { "cipher": algorithms.AES, "keysize": 16, "blocksize": 16, "mode": modes.CBC, }, "AES-256-CBC": { "cipher": algorithms.AES, "keysize": 32, "blocksize": 16, "mode": modes.CBC, }, "DES-EDE3-CBC": { "cipher": TripleDES, "keysize": 24, "blocksize": 8, "mode": modes.CBC, }, } _PRIVATE_KEY_FORMAT_ORIGINAL = 1 _PRIVATE_KEY_FORMAT_OPENSSH = 2 BEGIN_TAG = re.compile( r"^-{5}BEGIN (RSA\|DSA\|EC\|OPENSSH) PRIVATE KEY-{5}\s$" ) END_TAG = re.compile(r"^-{5}END (RSA\|DSA\|EC\|OPENSSH) PRIVATE KEY-{5}\s$") @staticmethod def from_path(path, passphrase=None): """ Attempt to instantiate appropriate key subclass from given file path. :param Path path: The path to load (may also be a `str`). :returns: A `PKey` subclass instance. :raises: `UnknownKeyType`, if our crypto backend doesn't know this key type. .. versionadded:: 3.2 """ # TODO: make sure sphinx is reading Path right in param list... # Lazy import to avoid circular import issues from paramiko import DSSKey, RSAKey, Ed25519Key, ECDSAKey # Normalize to string, as cert suffix isn't quite an extension, so # pathlib isn't useful for this. path = str(path) # Sort out cert vs key, i.e. it is 'legal' to hand this kind of API # /either/ the key /or/ the cert, when there is a key/cert pair. cert_suffix = "-cert.pub" if str(path).endswith(cert_suffix): key_path = path[: -len(cert_suffix)] cert_path = path else: key_path = path cert_path = path + cert_suffix key_path = Path(key_path).expanduser() cert_path = Path(cert_path).expanduser() data = key_path.read_bytes() # Like OpenSSH, try modern/OpenSSH-specific key load first try: loaded = serialization.load_ssh_private_key( data=data, password=passphrase ) # Then fall back to assuming legacy PEM type except ValueError: loaded = serialization.load_pem_private_key( data=data, password=passphrase ) # TODO Python 3.10: match statement? (NOTE: we cannot use a dict # because the results from the loader are literal backend, eg openssl, # private classes, so isinstance tests work but exact 'x class is y' # tests will not work) # TODO: leverage already-parsed/math'd obj to avoid duplicate cpu # cycles? seemingly requires most of our key subclasses to be rewritten # to be cryptography-object-forward. this is still likely faster than # the old SSHClient code that just tried instantiating every class! key_class = None if isinstance(loaded, asymmetric.dsa.DSAPrivateKey): key_class = DSSKey elif isinstance(loaded, asymmetric.rsa.RSAPrivateKey): key_class = RSAKey elif isinstance(loaded, asymmetric.ed25519.Ed25519PrivateKey): key_class = Ed25519Key elif isinstance(loaded, asymmetric.ec.EllipticCurvePrivateKey): key_class = ECDSAKey else: raise UnknownKeyType(key_bytes=data, key_type=loaded.__class__) with key_path.open() as fd: key = key_class.from_private_key(fd, password=passphrase) if cert_path.exists(): # load_certificate can take Message, path-str, or value-str key.load_certificate(str(cert_path)) return key @staticmethod def from_type_string(key_type, key_bytes): """ Given type `str` & raw `bytes`, return a `PKey` subclass instance. For example, ``PKey.from_type_string("ssh-ed25519", <public bytes>)`` will (if successful) return a new `.Ed25519Key`. :param str key_type: The key type, eg ``"ssh-ed25519"``. :param bytes key_bytes: The raw byte data forming the key material, as expected by subclasses' ``data`` parameter. :returns: A `PKey` subclass instance. :raises: `UnknownKeyType`, if no registered classes knew about this type. .. versionadded:: 3.2 """ from paramiko import key_classes for key_class in key_classes: if key_type in key_class.identifiers(): # TODO: needs to passthru things like passphrase return key_class(data=key_bytes) raise UnknownKeyType(key_type=key_type, key_bytes=key_bytes) @classmethod def identifiers(cls): """ returns an iterable of key format/name strings this class can handle. Most classes only have a single identifier, and thus this default implementation suffices; see `.ECDSAKey` for one example of an override. """ return [cls.name] # TODO 4.0: make this and subclasses consistent, some of our own # classmethods even assume kwargs we don't define! # TODO 4.0: prob also raise NotImplementedError instead of pass'ing; the # contract is pretty obviously that you need to handle msg/data/filename # appropriately. (If 'pass' is a concession to testing, see about doing the # work to fix the tests instead) def __init__(self, msg=None, data=None): """ Create a new instance of this public key type. If ``msg`` is given, the key's public part(s) will be filled in from the message. If ``data`` is given, the key's public part(s) will be filled in from the string. :param .Message msg: an optional SSH `.Message` containing a public key of this type. :param bytes data: optional, the bytes of a public key of this type :raises: `.SSHException` -- if a key cannot be created from the ``data`` or ``msg`` given, or no key was passed in. """ pass # TODO: arguably this might want to be __str__ instead? ehh # TODO: ditto the interplay between showing class name (currently we just # say PKey writ large) and algorithm (usually == class name, but not # always, also sometimes shows certificate-ness) # TODO: if we do change it, we also want to tweak eg AgentKey, as it # currently displays agent-ness with a suffix def __repr__(self): comment = "" # Works for AgentKey, may work for others? if hasattr(self, "comment") and self.comment: comment = f", comment={self.comment!r}" return f"PKey(alg={self.algorithm_name}, bits={self.get_bits()}, fp={self.fingerprint}{comment})" # noqa # TODO 4.0: just merge into __bytes__ (everywhere) def asbytes(self): """ Return a string of an SSH `.Message` made up of the public part(s) of this key. This string is suitable for passing to `__init__` to re-create the key object later. """ return bytes() def __bytes__(self): return self.asbytes() def __eq__(self, other): return isinstance(other, PKey) and self._fields == other._fields def __hash__(self): return hash(self._fields) @property def _fields(self): raise NotImplementedError def get_name(self): """ Return the name of this private key implementation. :return: name of this private key type, in SSH terminology, as a `str` (for example, ``"ssh-rsa"``). """ return "" @property def algorithm_name(self): """ Return the key algorithm identifier for this key. Similar to `get_name`, but aimed at pure algorithm name instead of SSH protocol field value. """ # Nuke the leading 'ssh-' # TODO in Python 3.9: use .removeprefix() name = self.get_name().replace("ssh-", "") # Trim any cert suffix (but leave the -cert, as OpenSSH does) cert_tail = "-cert-v01@openssh.com" if cert_tail in name: name = name.replace(cert_tail, "-cert") # Nuke any eg ECDSA suffix, OpenSSH does basically this too. else: name = name.split("-")[0] return name.upper() def get_bits(self): """ Return the number of significant bits in this key. This is useful for judging the relative security of a key. :return: bits in the key (as an `int`) """ # TODO 4.0: raise NotImplementedError, 0 is unlikely to ever be # _correct_ and nothing in the critical path seems to use this. return 0 def can_sign(self): """ Return ``True`` if this key has the private part necessary for signing data. """ return False def get_fingerprint(self): """ Return an MD5 fingerprint of the public part of this key. Nothing secret is revealed. :return: a 16-byte `string <str>` (binary) of the MD5 fingerprint, in SSH format. """ return md5(self.asbytes()).digest() @property def fingerprint(self): """ Modern fingerprint property designed to be comparable to OpenSSH. Currently only does SHA256 (the OpenSSH default). .. versionadded:: 3.2 """ hashy = sha256(bytes(self)) hash_name = hashy.name.upper() b64ed = encodebytes(hashy.digest()) cleaned = u(b64ed).strip().rstrip("=") # yes, OpenSSH does this too! return f"{hash_name}:{cleaned}" def get_base64(self): """ Return a base64 string containing the public part of this key. Nothing secret is revealed. This format is compatible with that used to store public key files or recognized host keys. :return: a base64 `string <str>` containing the public part of the key. """ return u(encodebytes(self.asbytes())).replace("\n", "") def sign_ssh_data(self, data, algorithm=None): """ Sign a blob of data with this private key, and return a `.Message` representing an SSH signature message. :param bytes data: the data to sign. :param str algorithm: the signature algorithm to use, if different from the key's internal name. Default: ``None``. :return: an SSH signature `message <.Message>`. .. versionchanged:: 2.9 Added the ``algorithm`` kwarg. """ return bytes() def verify_ssh_sig(self, data, msg): """ Given a blob of data, and an SSH message representing a signature of that data, verify that it was signed with this key. :param bytes data: the data that was signed. :param .Message msg: an SSH signature message :return: ``True`` if the signature verifies correctly; ``False`` otherwise. """ return False @classmethod def from_private_key_file(cls, filename, password=None): """ Create a key object by reading a private key file. If the private key is encrypted and ``password`` is not ``None``, the given password will be used to decrypt the key (otherwise `.PasswordRequiredException` is thrown). Through the magic of Python, this factory method will exist in all subclasses of PKey (such as `.RSAKey` or `.DSSKey`), but is useless on the abstract PKey class. :param str filename: name of the file to read :param str password: an optional password to use to decrypt the key file, if it's encrypted :return: a new `.PKey` based on the given private key :raises: ``IOError`` -- if there was an error reading the file :raises: `.PasswordRequiredException` -- if the private key file is encrypted, and ``password`` is ``None`` :raises: `.SSHException` -- if the key file is invalid """ key = cls(filename=filename, password=password) return key @classmethod def from_private_key(cls, file_obj, password=None): """ Create a key object by reading a private key from a file (or file-like) object. If the private key is encrypted and ``password`` is not ``None``, the given password will be used to decrypt the key (otherwise `.PasswordRequiredException` is thrown). :param file_obj: the file-like object to read from :param str password: an optional password to use to decrypt the key, if it's encrypted :return: a new `.PKey` based on the given private key :raises: ``IOError`` -- if there was an error reading the key :raises: `.PasswordRequiredException` -- if the private key file is encrypted, and ``password`` is ``None`` :raises: `.SSHException` -- if the key file is invalid """ key = cls(file_obj=file_obj, password=password) return key def write_private_key_file(self, filename, password=None): """ Write private key contents into a file. If the password is not ``None``, the key is encrypted before writing. :param str filename: name of the file to write :param str password: an optional password to use to encrypt the key file :raises: ``IOError`` -- if there was an error writing the file :raises: `.SSHException` -- if the key is invalid """ raise Exception("Not implemented in PKey") def write_private_key(self, file_obj, password=None): """ Write private key contents into a file (or file-like) object. If the password is not ``None``, the key is encrypted before writing. :param file_obj: the file-like object to write into :param str password: an optional password to use to encrypt the key :raises: ``IOError`` -- if there was an error writing to the file :raises: `.SSHException` -- if the key is invalid """ # TODO 4.0: NotImplementedError (plus everywhere else in here) raise Exception("Not implemented in PKey") def _read_private_key_file(self, tag, filename, password=None): """ Read an SSH2-format private key file, looking for a string of the type ``"BEGIN xxx PRIVATE KEY"`` for some ``xxx``, base64-decode the text we find, and return it as a string. If the private key is encrypted and ``password`` is not ``None``, the given password will be used to decrypt the key (otherwise `.PasswordRequiredException` is thrown). :param str tag: ``"RSA"`` or ``"DSA"``, the tag used to mark the data block. :param str filename: name of the file to read. :param str password: an optional password to use to decrypt the key file, if it's encrypted. :return: the `bytes` that make up the private key. :raises: ``IOError`` -- if there was an error reading the file. :raises: `.PasswordRequiredException` -- if the private key file is encrypted, and ``password`` is ``None``. :raises: `.SSHException` -- if the key file is invalid. """ with open(filename, "r") as f: data = self._read_private_key(tag, f, password) return data def _read_private_key(self, tag, f, password=None): lines = f.readlines() if not lines: raise SSHException("no lines in {} private key file".format(tag)) # find the BEGIN tag start = 0 m = self.BEGIN_TAG.match(lines[start]) line_range = len(lines) - 1 while start < line_range and not m: start += 1 m = self.BEGIN_TAG.match(lines[start]) start += 1 keytype = m.group(1) if m else None if start >= len(lines) or keytype is None: raise SSHException("not a valid {} private key file".format(tag)) # find the END tag end = start m = self.END_TAG.match(lines[end]) while end < line_range and not m: end += 1 m = self.END_TAG.match(lines[end]) if keytype == tag: data = self._read_private_key_pem(lines, end, password) pkformat = self._PRIVATE_KEY_FORMAT_ORIGINAL elif keytype == "OPENSSH": data = self._read_private_key_openssh(lines[start:end], password) pkformat = self._PRIVATE_KEY_FORMAT_OPENSSH else: raise SSHException( "encountered {} key, expected {} key".format(keytype, tag) ) return pkformat, data def _got_bad_key_format_id(self, id_): err = "{}._read_private_key() spat out an unknown key format id '{}'" raise SSHException(err.format(self.__class__.__name__, id_)) def _read_private_key_pem(self, lines, end, password): start = 0 # parse any headers first headers = {} start += 1 while start < len(lines): line = lines[start].split(": ") if len(line) == 1: break headers[line[0].lower()] = line[1].strip() start += 1 # if we trudged to the end of the file, just try to cope. try: data = decodebytes(b("".join(lines[start:end]))) except base64.binascii.Error as e: raise SSHException("base64 decoding error: {}".format(e)) if "proc-type" not in headers: # unencryped: done return data # encrypted keyfile: will need a password proc_type = headers["proc-type"] if proc_type != "4,ENCRYPTED": raise SSHException( 'Unknown private key structure "{}"'.format(proc_type) ) try: encryption_type, saltstr = headers["dek-info"].split(",") except: raise SSHException("Can't parse DEK-info in private key file") if encryption_type not in self._CIPHER_TABLE: raise SSHException( 'Unknown private key cipher "{}"'.format(encryption_type) ) # if no password was passed in, # raise an exception pointing out that we need one if password is None: raise PasswordRequiredException("Private key file is encrypted") cipher = self._CIPHER_TABLE[encryption_type]["cipher"] keysize = self._CIPHER_TABLE[encryption_type]["keysize"] mode = self._CIPHER_TABLE[encryption_type]["mode"] salt = unhexlify(b(saltstr)) key = util.generate_key_bytes(md5, salt, password, keysize) decryptor = Cipher( cipher(key), mode(salt), backend=default_backend() ).decryptor() return decryptor.update(data) + decryptor.finalize() def _read_private_key_openssh(self, lines, password): """ Read the new OpenSSH SSH2 private key format available since OpenSSH version 6.5 Reference: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key """ try: data = decodebytes(b("".join(lines))) except base64.binascii.Error as e: raise SSHException("base64 decoding error: {}".format(e)) # read data struct auth_magic = data[:15] if auth_magic != OPENSSH_AUTH_MAGIC: raise SSHException("unexpected OpenSSH key header encountered") cstruct = self._uint32_cstruct_unpack(data[15:], "sssur") cipher, kdfname, kdf_options, num_pubkeys, remainder = cstruct # For now, just support 1 key. if num_pubkeys > 1: raise SSHException( "unsupported: private keyfile has multiple keys" ) pubkey, privkey_blob = self._uint32_cstruct_unpack(remainder, "ss") if kdfname == b("bcrypt"): if cipher == b("aes256-cbc"): mode = modes.CBC elif cipher == b("aes256-ctr"): mode = modes.CTR else: raise SSHException( "unknown cipher `{}` used in private key file".format( cipher.decode("utf-8") ) ) # Encrypted private key. # If no password was passed in, raise an exception pointing # out that we need one if password is None: raise PasswordRequiredException( "private key file is encrypted" ) # Unpack salt and rounds from kdfoptions salt, rounds = self._uint32_cstruct_unpack(kdf_options, "su") # run bcrypt kdf to derive key and iv/nonce (32 + 16 bytes) key_iv = bcrypt.kdf( b(password), b(salt), 48, rounds, # We can't control how many rounds are on disk, so no sense # warning about it. ignore_few_rounds=True, ) key = key_iv[:32] iv = key_iv[32:] # decrypt private key blob decryptor = Cipher( algorithms.AES(key), mode(iv), default_backend() ).decryptor() decrypted_privkey = decryptor.update(privkey_blob) decrypted_privkey += decryptor.finalize() elif cipher == b("none") and kdfname == b("none"): # Unencrypted private key decrypted_privkey = privkey_blob else: raise SSHException( "unknown cipher or kdf used in private key file" ) # Unpack private key and verify checkints cstruct = self._uint32_cstruct_unpack(decrypted_privkey, "uusr") checkint1, checkint2, keytype, keydata = cstruct if checkint1 != checkint2: raise SSHException( "OpenSSH private key file checkints do not match" ) return _unpad_openssh(keydata) def _uint32_cstruct_unpack(self, data, strformat): """ Used to read new OpenSSH private key format. Unpacks a c data structure containing a mix of 32-bit uints and variable length strings prefixed by 32-bit uint size field, according to the specified format. Returns the unpacked vars in a tuple. Format strings: s - denotes a string i - denotes a long integer, encoded as a byte string u - denotes a 32-bit unsigned integer r - the remainder of the input string, returned as a string """ arr = [] idx = 0 try: for f in strformat: if f == "s": # string s_size = struct.unpack(">L", data[idx : idx + 4])[0] idx += 4 s = data[idx : idx + s_size] idx += s_size arr.append(s) if f == "i": # long integer s_size = struct.unpack(">L", data[idx : idx + 4])[0] idx += 4 s = data[idx : idx + s_size] idx += s_size i = util.inflate_long(s, True) arr.append(i) elif f == "u": # 32-bit unsigned int u = struct.unpack(">L", data[idx : idx + 4])[0] idx += 4 arr.append(u) elif f == "r": # remainder as string s = data[idx:] arr.append(s) break except Exception as e: # PKey-consuming code frequently wants to save-and-skip-over issues # with loading keys, and uses SSHException as the (really friggin # awful) signal for this. So for now...we do this. raise SSHException(str(e)) return tuple(arr) def _write_private_key_file(self, filename, key, format, password=None): """ Write an SSH2-format private key file in a form that can be read by paramiko or openssh. If no password is given, the key is written in a trivially-encoded format (base64) which is completely insecure. If a password is given, DES-EDE3-CBC is used. :param str tag: ``"RSA"`` or ``"DSA"``, the tag used to mark the data block. :param filename: name of the file to write. :param bytes data: data blob that makes up the private key. :param str password: an optional password to use to encrypt the file. :raises: ``IOError`` -- if there was an error writing the file. """ # Ensure that we create new key files directly with a user-only mode, # instead of opening, writing, then chmodding, which leaves us open to # CVE-2022-24302. with os.fdopen( os.open( filename, # NOTE: O_TRUNC is a noop on new files, and O_CREAT is a noop # on existing files, so using all 3 in both cases is fine. flags=os.O_WRONLY \| os.O_TRUNC \| os.O_CREAT, # Ditto the use of the 'mode' argument; it should be safe to # give even for existing files (though it will not act like a # chmod in that case). mode=o600, ), # Yea, you still gotta inform the FLO that it is in "write" mode. "w", ) as f: self._write_private_key(f, key, format, password=password) def _write_private_key(self, f, key, format, password=None): if password is None: encryption = serialization.NoEncryption() else: encryption = serialization.BestAvailableEncryption(b(password)) f.write( key.private_bytes( serialization.Encoding.PEM, format, encryption ).decode() ) def _check_type_and_load_cert(self, msg, key_type, cert_type): """ Perform message type-checking & optional certificate loading. This includes fast-forwarding cert ``msg`` objects past the nonce, so that the subsequent fields are the key numbers; thus the caller may expect to treat the message as key material afterwards either way. The obtained key type is returned for classes which need to know what it was (e.g. ECDSA.) """ # Normalization; most classes have a single key type and give a string, # but eg ECDSA is a 1:N mapping. key_types = key_type cert_types = cert_type if isinstance(key_type, str): key_types = [key_types] if isinstance(cert_types, str): cert_types = [cert_types] # Can't do much with no message, that should've been handled elsewhere if msg is None: raise SSHException("Key object may not be empty") # First field is always key type, in either kind of object. (make sure # we rewind before grabbing it - sometimes caller had to do their own # introspection first!) msg.rewind() type_ = msg.get_text() # Regular public key - nothing special to do besides the implicit # type check. if type_ in key_types: pass # OpenSSH-compatible certificate - store full copy as .public_blob # (so signing works correctly) and then fast-forward past the # nonce. elif type_ in cert_types: # This seems the cleanest way to 'clone' an already-being-read # message; they're IO objects at heart and their .getvalue() # always returns the full value regardless of pointer position. self.load_certificate(Message(msg.asbytes())) # Read out nonce as it comes before the public numbers - our caller # is likely going to use the (only borrowed by us, not owned) # 'msg' object for loading those numbers right after this. # TODO: usefully interpret it & other non-public-number fields # (requires going back into per-type subclasses.) msg.get_string() else: err = "Invalid key (class: {}, data type: {}" raise SSHException(err.format(self.__class__.__name__, type_)) def load_certificate(self, value): """ Supplement the private key contents with data loaded from an OpenSSH public key (``.pub``) or certificate (``-cert.pub``) file, a string containing such a file, or a `.Message` object. The .pub contents adds no real value, since the private key file includes sufficient information to derive the public key info. For certificates, however, this can be used on the client side to offer authentication requests to the server based on certificate instead of raw public key. See: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys Note: very little effort is made to validate the certificate contents, that is for the server to decide if it is good enough to authenticate successfully. """ if isinstance(value, Message): constructor = "from_message" elif os.path.isfile(value): constructor = "from_file" else: constructor = "from_string" blob = getattr(PublicBlob, constructor)(value) if not blob.key_type.startswith(self.get_name()): err = "PublicBlob type {} incompatible with key type {}" raise ValueError(err.format(blob.key_type, self.get_name())) self.public_blob = blob # General construct for an OpenSSH style Public Key blob # readable from a one-line file of the format: # <key-name> <base64-blob> [<comment>] # Of little value in the case of standard public keys # {ssh-rsa, ssh-dss, ssh-ecdsa, ssh-ed25519}, but should # provide rudimentary support for {-cert.v01} class PublicBlob: """ OpenSSH plain public key or OpenSSH signed public key (certificate). Tries to be as dumb as possible and barely cares about specific per-key-type data. .. note:: Most of the time you'll want to call `from_file`, `from_string` or `from_message` for useful instantiation, the main constructor is basically "I should be using ``attrs`` for this." """ def __init__(self, type_, blob, comment=None): """ Create a new public blob of given type and contents. :param str type_: Type indicator, eg ``ssh-rsa``. :param bytes blob: The blob bytes themselves. :param str comment: A comment, if one was given (e.g. file-based.) """ self.key_type = type_ self.key_blob = blob self.comment = comment @classmethod def from_file(cls, filename): """ Create a public blob from a ``-cert.pub``-style file on disk. """ with open(filename) as f: string = f.read() return cls.from_string(string) @classmethod def from_string(cls, string): """ Create a public blob from a ``-cert.pub``-style string. """ fields = string.split(None, 2) if len(fields) < 2: msg = "Not enough fields for public blob: {}" raise ValueError(msg.format(fields)) key_type = fields[0] key_blob = decodebytes(b(fields[1])) try: comment = fields[2].strip() except IndexError: comment = None # Verify that the blob message first (string) field matches the # key_type m = Message(key_blob) blob_type = m.get_text() if blob_type != key_type: deets = "key type={!r}, but blob type={!r}".format( key_type, blob_type ) raise ValueError("Invalid PublicBlob contents: {}".format(deets)) # All good? All good. return cls(type_=key_type, blob=key_blob, comment=comment) @classmethod def from_message(cls, message): """ Create a public blob from a network `.Message`. Specifically, a cert-bearing pubkey auth packet, because by definition OpenSSH-style certificates 'are' their own network representation." """ type_ = message.get_text() return cls(type_=type_, blob=message.asbytes()) def __str__(self): ret = "{} public key/certificate".format(self.key_type) if self.comment: ret += "- {}".format(self.comment) return ret def __eq__(self, other): # Just piggyback on Message/BytesIO, since both of these should be one. return self and other and self.key_blob == other.key_blob def __ne__(self, other): return not self == other ��pipe.py��0000644��00000007476�15030210772�0006066 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Abstraction of a one-way pipe where the read end can be used in `select.select`. Normally this is trivial, but Windows makes it nearly impossible. The pipe acts like an Event, which can be set or cleared. When set, the pipe will trigger as readable in `select <select.select>`. """ import sys import os import socket def make_pipe(): if sys.platform[:3] != "win": p = PosixPipe() else: p = WindowsPipe() return p class PosixPipe: def __init__(self): self._rfd, self._wfd = os.pipe() self._set = False self._forever = False self._closed = False def close(self): os.close(self._rfd) os.close(self._wfd) # used for unit tests: self._closed = True def fileno(self): return self._rfd def clear(self): if not self._set or self._forever: return os.read(self._rfd, 1) self._set = False def set(self): if self._set or self._closed: return self._set = True os.write(self._wfd, b"") def set_forever(self): self._forever = True self.set() class WindowsPipe: """ On Windows, only an OS-level "WinSock" may be used in select(), but reads and writes must be to the actual socket object. """ def __init__(self): serv = socket.socket(socket.AF_INET, socket.SOCK_STREAM) serv.bind(("127.0.0.1", 0)) serv.listen(1) # need to save sockets in _rsock/_wsock so they don't get closed self._rsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self._rsock.connect(("127.0.0.1", serv.getsockname()[1])) self._wsock, addr = serv.accept() serv.close() self._set = False self._forever = False self._closed = False def close(self): self._rsock.close() self._wsock.close() # used for unit tests: self._closed = True def fileno(self): return self._rsock.fileno() def clear(self): if not self._set or self._forever: return self._rsock.recv(1) self._set = False def set(self): if self._set or self._closed: return self._set = True self._wsock.send(b"") def set_forever(self): self._forever = True self.set() class OrPipe: def __init__(self, pipe): self._set = False self._partner = None self._pipe = pipe def set(self): self._set = True if not self._partner._set: self._pipe.set() def clear(self): self._set = False if not self._partner._set: self._pipe.clear() def make_or_pipe(pipe): """ wraps a pipe into two pipe-like objects which are "or"d together to affect the real pipe. if either returned pipe is set, the wrapped pipe is set. when both are cleared, the wrapped pipe is cleared. """ p1 = OrPipe(pipe) p2 = OrPipe(pipe) p1._partner = p2 p2._partner = p1 return p1, p2 ��ssh_gss.py��0000644��00000070327�15030210772�0006575 0��ustar�00��# Copyright (C) 2013-2014 science + computing ag # Author: Sebastian Deiss <sebastian.deiss@t-online.de> # # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ This module provides GSS-API / SSPI authentication as defined in :rfc:`4462`. .. note:: Credential delegation is not supported in server mode. .. seealso:: :doc:`/api/kex_gss` .. versionadded:: 1.15 """ import struct import os import sys #: A boolean constraint that indicates if GSS-API / SSPI is available. GSS_AUTH_AVAILABLE = True #: A tuple of the exception types used by the underlying GSSAPI implementation. GSS_EXCEPTIONS = () #: :var str _API: Constraint for the used API _API = None try: import gssapi if hasattr(gssapi, "__title__") and gssapi.__title__ == "python-gssapi": # old, unmaintained python-gssapi package _API = "MIT" # keep this for compatibility GSS_EXCEPTIONS = (gssapi.GSSException,) else: _API = "PYTHON-GSSAPI-NEW" GSS_EXCEPTIONS = ( gssapi.exceptions.GeneralError, gssapi.raw.misc.GSSError, ) except (ImportError, OSError): try: import pywintypes import sspicon import sspi _API = "SSPI" GSS_EXCEPTIONS = (pywintypes.error,) except ImportError: GSS_AUTH_AVAILABLE = False _API = None from paramiko.common import MSG_USERAUTH_REQUEST from paramiko.ssh_exception import SSHException from paramiko._version import __version_info__ def GSSAuth(auth_method, gss_deleg_creds=True): """ Provide SSH2 GSS-API / SSPI authentication. :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not. We delegate credentials by default. :return: Either an `._SSH_GSSAPI_OLD` or `._SSH_GSSAPI_NEW` (Unix) object or an `_SSH_SSPI` (Windows) object :rtype: object :raises: ``ImportError`` -- If no GSS-API / SSPI module could be imported. :see: `RFC 4462 <http://www.ietf.org/rfc/rfc4462.txt>`_ :note: Check for the available API and return either an `._SSH_GSSAPI_OLD` (MIT GSSAPI using python-gssapi package) object, an `._SSH_GSSAPI_NEW` (MIT GSSAPI using gssapi package) object or an `._SSH_SSPI` (MS SSPI) object. If there is no supported API available, ``None`` will be returned. """ if _API == "MIT": return _SSH_GSSAPI_OLD(auth_method, gss_deleg_creds) elif _API == "PYTHON-GSSAPI-NEW": return _SSH_GSSAPI_NEW(auth_method, gss_deleg_creds) elif _API == "SSPI" and os.name == "nt": return _SSH_SSPI(auth_method, gss_deleg_creds) else: raise ImportError("Unable to import a GSS-API / SSPI module!") class _SSH_GSSAuth: """ Contains the shared variables and methods of `._SSH_GSSAPI_OLD`, `._SSH_GSSAPI_NEW` and `._SSH_SSPI`. """ def __init__(self, auth_method, gss_deleg_creds): """ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not """ self._auth_method = auth_method self._gss_deleg_creds = gss_deleg_creds self._gss_host = None self._username = None self._session_id = None self._service = "ssh-connection" """ OpenSSH supports Kerberos V5 mechanism only for GSS-API authentication, so we also support the krb5 mechanism only. """ self._krb5_mech = "1.2.840.113554.1.2.2" # client mode self._gss_ctxt = None self._gss_ctxt_status = False # server mode self._gss_srv_ctxt = None self._gss_srv_ctxt_status = False self.cc_file = None def set_service(self, service): """ This is just a setter to use a non default service. I added this method, because RFC 4462 doesn't specify "ssh-connection" as the only service value. :param str service: The desired SSH service """ if service.find("ssh-"): self._service = service def set_username(self, username): """ Setter for C{username}. If GSS-API Key Exchange is performed, the username is not set by C{ssh_init_sec_context}. :param str username: The name of the user who attempts to login """ self._username = username def ssh_gss_oids(self, mode="client"): """ This method returns a single OID, because we only support the Kerberos V5 mechanism. :param str mode: Client for client mode and server for server mode :return: A byte sequence containing the number of supported OIDs, the length of the OID and the actual OID encoded with DER :note: In server mode we just return the OID length and the DER encoded OID. """ from pyasn1.type.univ import ObjectIdentifier from pyasn1.codec.der import encoder OIDs = self._make_uint32(1) krb5_OID = encoder.encode(ObjectIdentifier(self._krb5_mech)) OID_len = self._make_uint32(len(krb5_OID)) if mode == "server": return OID_len + krb5_OID return OIDs + OID_len + krb5_OID def ssh_check_mech(self, desired_mech): """ Check if the given OID is the Kerberos V5 OID (server mode). :param str desired_mech: The desired GSS-API mechanism of the client :return: ``True`` if the given OID is supported, otherwise C{False} """ from pyasn1.codec.der import decoder mech, __ = decoder.decode(desired_mech) if mech.__str__() != self._krb5_mech: return False return True # Internals # ------------------------------------------------------------------------- def _make_uint32(self, integer): """ Create a 32 bit unsigned integer (The byte sequence of an integer). :param int integer: The integer value to convert :return: The byte sequence of an 32 bit integer """ return struct.pack("!I", integer) def _ssh_build_mic(self, session_id, username, service, auth_method): """ Create the SSH2 MIC filed for gssapi-with-mic. :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :param str service: The requested SSH service :param str auth_method: The requested SSH authentication mechanism :return: The MIC as defined in RFC 4462. The contents of the MIC field are: string session_identifier, byte SSH_MSG_USERAUTH_REQUEST, string user-name, string service (ssh-connection), string authentication-method (gssapi-with-mic or gssapi-keyex) """ mic = self._make_uint32(len(session_id)) mic += session_id mic += struct.pack("B", MSG_USERAUTH_REQUEST) mic += self._make_uint32(len(username)) mic += username.encode() mic += self._make_uint32(len(service)) mic += service.encode() mic += self._make_uint32(len(auth_method)) mic += auth_method.encode() return mic class _SSH_GSSAPI_OLD(_SSH_GSSAuth): """ Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the older (unmaintained) python-gssapi package. :see: `.GSSAuth` """ def __init__(self, auth_method, gss_deleg_creds): """ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not """ _SSH_GSSAuth.__init__(self, auth_method, gss_deleg_creds) if self._gss_deleg_creds: self._gss_flags = ( gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG, gssapi.C_MUTUAL_FLAG, gssapi.C_DELEG_FLAG, ) else: self._gss_flags = ( gssapi.C_PROT_READY_FLAG, gssapi.C_INTEG_FLAG, gssapi.C_MUTUAL_FLAG, ) def ssh_init_sec_context( self, target, desired_mech=None, username=None, recv_token=None ): """ Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned """ from pyasn1.codec.der import decoder self._username = username self._gss_host = target targ_name = gssapi.Name( "host@" + self._gss_host, gssapi.C_NT_HOSTBASED_SERVICE ) ctx = gssapi.Context() ctx.flags = self._gss_flags if desired_mech is None: krb5_mech = gssapi.OID.mech_from_string(self._krb5_mech) else: mech, __ = decoder.decode(desired_mech) if mech.__str__() != self._krb5_mech: raise SSHException("Unsupported mechanism OID.") else: krb5_mech = gssapi.OID.mech_from_string(self._krb5_mech) token = None try: if recv_token is None: self._gss_ctxt = gssapi.InitContext( peer_name=targ_name, mech_type=krb5_mech, req_flags=ctx.flags, ) token = self._gss_ctxt.step(token) else: token = self._gss_ctxt.step(recv_token) except gssapi.GSSException: message = "{} Target: {}".format(sys.exc_info()[1], self._gss_host) raise gssapi.GSSException(message) self._gss_ctxt_status = self._gss_ctxt.established return token def ssh_get_mic(self, session_id, gss_kex=False): """ Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. """ self._session_id = session_id if not gss_kex: mic_field = self._ssh_build_mic( self._session_id, self._username, self._service, self._auth_method, ) mic_token = self._gss_ctxt.get_mic(mic_field) else: # for key exchange with gssapi-keyex mic_token = self._gss_srv_ctxt.get_mic(self._session_id) return mic_token def ssh_accept_sec_context(self, hostname, recv_token, username=None): """ Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned """ # hostname and username are not required for GSSAPI, but for SSPI self._gss_host = hostname self._username = username if self._gss_srv_ctxt is None: self._gss_srv_ctxt = gssapi.AcceptContext() token = self._gss_srv_ctxt.step(recv_token) self._gss_srv_ctxt_status = self._gss_srv_ctxt.established return token def ssh_check_mic(self, mic_token, session_id, username=None): """ Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.GSSException`` -- if the MIC check failed """ self._session_id = session_id self._username = username if self._username is not None: # server mode mic_field = self._ssh_build_mic( self._session_id, self._username, self._service, self._auth_method, ) self._gss_srv_ctxt.verify_mic(mic_field, mic_token) else: # for key exchange with gssapi-keyex # client mode self._gss_ctxt.verify_mic(self._session_id, mic_token) @property def credentials_delegated(self): """ Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` """ if self._gss_srv_ctxt.delegated_cred is not None: return True return False def save_client_creds(self, client_token): """ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode """ raise NotImplementedError if __version_info__ < (2, 5): # provide the old name for strict backward compatibility _SSH_GSSAPI = _SSH_GSSAPI_OLD class _SSH_GSSAPI_NEW(_SSH_GSSAuth): """ Implementation of the GSS-API MIT Kerberos Authentication for SSH2, using the newer, currently maintained gssapi package. :see: `.GSSAuth` """ def __init__(self, auth_method, gss_deleg_creds): """ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not """ _SSH_GSSAuth.__init__(self, auth_method, gss_deleg_creds) if self._gss_deleg_creds: self._gss_flags = ( gssapi.RequirementFlag.protection_ready, gssapi.RequirementFlag.integrity, gssapi.RequirementFlag.mutual_authentication, gssapi.RequirementFlag.delegate_to_peer, ) else: self._gss_flags = ( gssapi.RequirementFlag.protection_ready, gssapi.RequirementFlag.integrity, gssapi.RequirementFlag.mutual_authentication, ) def ssh_init_sec_context( self, target, desired_mech=None, username=None, recv_token=None ): """ Initialize a GSS-API context. :param str username: The name of the user who attempts to login :param str target: The hostname of the target to connect to :param str desired_mech: The negotiated GSS-API mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param str recv_token: The GSS-API token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :raises: ``gssapi.exceptions.GSSError`` if there is an error signaled by the GSS-API implementation :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned """ from pyasn1.codec.der import decoder self._username = username self._gss_host = target targ_name = gssapi.Name( "host@" + self._gss_host, name_type=gssapi.NameType.hostbased_service, ) if desired_mech is not None: mech, __ = decoder.decode(desired_mech) if mech.__str__() != self._krb5_mech: raise SSHException("Unsupported mechanism OID.") krb5_mech = gssapi.MechType.kerberos token = None if recv_token is None: self._gss_ctxt = gssapi.SecurityContext( name=targ_name, flags=self._gss_flags, mech=krb5_mech, usage="initiate", ) token = self._gss_ctxt.step(token) else: token = self._gss_ctxt.step(recv_token) self._gss_ctxt_status = self._gss_ctxt.complete return token def ssh_get_mic(self, session_id, gss_kex=False): """ Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for GSS-API Key Exchange or not :return: gssapi-with-mic: Returns the MIC token from GSS-API for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from GSS-API with the SSH session ID as message. :rtype: str """ self._session_id = session_id if not gss_kex: mic_field = self._ssh_build_mic( self._session_id, self._username, self._service, self._auth_method, ) mic_token = self._gss_ctxt.get_signature(mic_field) else: # for key exchange with gssapi-keyex mic_token = self._gss_srv_ctxt.get_signature(self._session_id) return mic_token def ssh_accept_sec_context(self, hostname, recv_token, username=None): """ Accept a GSS-API context (server mode). :param str hostname: The servers hostname :param str username: The name of the user who attempts to login :param str recv_token: The GSS-API Token received from the server, if it's not the initial call. :return: A ``String`` if the GSS-API has returned a token or ``None`` if no token was returned """ # hostname and username are not required for GSSAPI, but for SSPI self._gss_host = hostname self._username = username if self._gss_srv_ctxt is None: self._gss_srv_ctxt = gssapi.SecurityContext(usage="accept") token = self._gss_srv_ctxt.step(recv_token) self._gss_srv_ctxt_status = self._gss_srv_ctxt.complete return token def ssh_check_mic(self, mic_token, session_id, username=None): """ Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``gssapi.exceptions.GSSError`` -- if the MIC check failed """ self._session_id = session_id self._username = username if self._username is not None: # server mode mic_field = self._ssh_build_mic( self._session_id, self._username, self._service, self._auth_method, ) self._gss_srv_ctxt.verify_signature(mic_field, mic_token) else: # for key exchange with gssapi-keyex # client mode self._gss_ctxt.verify_signature(self._session_id, mic_token) @property def credentials_delegated(self): """ Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` :rtype: bool """ if self._gss_srv_ctxt.delegated_creds is not None: return True return False def save_client_creds(self, client_token): """ Save the Client token in a file. This is used by the SSH server to store the client credentials if credentials are delegated (server mode). :param str client_token: The GSS-API token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode """ raise NotImplementedError class _SSH_SSPI(_SSH_GSSAuth): """ Implementation of the Microsoft SSPI Kerberos Authentication for SSH2. :see: `.GSSAuth` """ def __init__(self, auth_method, gss_deleg_creds): """ :param str auth_method: The name of the SSH authentication mechanism (gssapi-with-mic or gss-keyex) :param bool gss_deleg_creds: Delegate client credentials or not """ _SSH_GSSAuth.__init__(self, auth_method, gss_deleg_creds) if self._gss_deleg_creds: self._gss_flags = ( sspicon.ISC_REQ_INTEGRITY \| sspicon.ISC_REQ_MUTUAL_AUTH \| sspicon.ISC_REQ_DELEGATE ) else: self._gss_flags = ( sspicon.ISC_REQ_INTEGRITY \| sspicon.ISC_REQ_MUTUAL_AUTH ) def ssh_init_sec_context( self, target, desired_mech=None, username=None, recv_token=None ): """ Initialize a SSPI context. :param str username: The name of the user who attempts to login :param str target: The FQDN of the target to connect to :param str desired_mech: The negotiated SSPI mechanism ("pseudo negotiated" mechanism, because we support just the krb5 mechanism :-)) :param recv_token: The SSPI token received from the Server :raises: `.SSHException` -- Is raised if the desired mechanism of the client is not supported :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned """ from pyasn1.codec.der import decoder self._username = username self._gss_host = target error = 0 targ_name = "host/" + self._gss_host if desired_mech is not None: mech, __ = decoder.decode(desired_mech) if mech.__str__() != self._krb5_mech: raise SSHException("Unsupported mechanism OID.") try: if recv_token is None: self._gss_ctxt = sspi.ClientAuth( "Kerberos", scflags=self._gss_flags, targetspn=targ_name ) error, token = self._gss_ctxt.authorize(recv_token) token = token[0].Buffer except pywintypes.error as e: e.strerror += ", Target: {}".format(self._gss_host) raise if error == 0: """ if the status is GSS_COMPLETE (error = 0) the context is fully established an we can set _gss_ctxt_status to True. """ self._gss_ctxt_status = True token = None """ You won't get another token if the context is fully established, so i set token to None instead of "" """ return token def ssh_get_mic(self, session_id, gss_kex=False): """ Create the MIC token for a SSH2 message. :param str session_id: The SSH session ID :param bool gss_kex: Generate the MIC for Key Exchange with SSPI or not :return: gssapi-with-mic: Returns the MIC token from SSPI for the message we created with ``_ssh_build_mic``. gssapi-keyex: Returns the MIC token from SSPI with the SSH session ID as message. """ self._session_id = session_id if not gss_kex: mic_field = self._ssh_build_mic( self._session_id, self._username, self._service, self._auth_method, ) mic_token = self._gss_ctxt.sign(mic_field) else: # for key exchange with gssapi-keyex mic_token = self._gss_srv_ctxt.sign(self._session_id) return mic_token def ssh_accept_sec_context(self, hostname, username, recv_token): """ Accept a SSPI context (server mode). :param str hostname: The servers FQDN :param str username: The name of the user who attempts to login :param str recv_token: The SSPI Token received from the server, if it's not the initial call. :return: A ``String`` if the SSPI has returned a token or ``None`` if no token was returned """ self._gss_host = hostname self._username = username targ_name = "host/" + self._gss_host self._gss_srv_ctxt = sspi.ServerAuth("Kerberos", spn=targ_name) error, token = self._gss_srv_ctxt.authorize(recv_token) token = token[0].Buffer if error == 0: self._gss_srv_ctxt_status = True token = None return token def ssh_check_mic(self, mic_token, session_id, username=None): """ Verify the MIC token for a SSH2 message. :param str mic_token: The MIC token received from the client :param str session_id: The SSH session ID :param str username: The name of the user who attempts to login :return: None if the MIC check was successful :raises: ``sspi.error`` -- if the MIC check failed """ self._session_id = session_id self._username = username if username is not None: # server mode mic_field = self._ssh_build_mic( self._session_id, self._username, self._service, self._auth_method, ) # Verifies data and its signature. If verification fails, an # sspi.error will be raised. self._gss_srv_ctxt.verify(mic_field, mic_token) else: # for key exchange with gssapi-keyex # client mode # Verifies data and its signature. If verification fails, an # sspi.error will be raised. self._gss_ctxt.verify(self._session_id, mic_token) @property def credentials_delegated(self): """ Checks if credentials are delegated (server mode). :return: ``True`` if credentials are delegated, otherwise ``False`` """ return self._gss_flags & sspicon.ISC_REQ_DELEGATE and ( self._gss_srv_ctxt_status or self._gss_flags ) def save_client_creds(self, client_token): """ Save the Client token in a file. This is used by the SSH server to store the client credentails if credentials are delegated (server mode). :param str client_token: The SSPI token received form the client :raises: ``NotImplementedError`` -- Credential delegation is currently not supported in server mode """ raise NotImplementedError ��win_pageant.py��0000644��00000010121�15030210772�0007402 0��ustar�00��# Copyright (C) 2005 John Arbash-Meinel <john@arbash-meinel.com> # Modified up by: Todd Whiteman <ToddW@ActiveState.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Functions for communicating with Pageant, the basic windows ssh agent program. """ import array import ctypes.wintypes import platform import struct from paramiko.common import zero_byte from paramiko.util import b import _thread as thread from . import _winapi _AGENT_COPYDATA_ID = 0x804E50BA _AGENT_MAX_MSGLEN = 8192 # Note: The WM_COPYDATA value is pulled from win32con, as a workaround # so we do not have to import this huge library just for this one variable. win32con_WM_COPYDATA = 74 def _get_pageant_window_object(): return ctypes.windll.user32.FindWindowA(b"Pageant", b"Pageant") def can_talk_to_agent(): """ Check to see if there is a "Pageant" agent we can talk to. This checks both if we have the required libraries (win32all or ctypes) and if there is a Pageant currently running. """ return bool(_get_pageant_window_object()) if platform.architecture()[0] == "64bit": ULONG_PTR = ctypes.c_uint64 else: ULONG_PTR = ctypes.c_uint32 class COPYDATASTRUCT(ctypes.Structure): """ ctypes implementation of http://msdn.microsoft.com/en-us/library/windows/desktop/ms649010%28v=vs.85%29.aspx """ _fields_ = [ ("num_data", ULONG_PTR), ("data_size", ctypes.wintypes.DWORD), ("data_loc", ctypes.c_void_p), ] def _query_pageant(msg): """ Communication with the Pageant process is done through a shared memory-mapped file. """ hwnd = _get_pageant_window_object() if not hwnd: # Raise a failure to connect exception, pageant isn't running anymore! return None # create a name for the mmap map_name = f"PageantRequest{thread.get_ident():08x}" pymap = _winapi.MemoryMap( map_name, _AGENT_MAX_MSGLEN, _winapi.get_security_attributes_for_user() ) with pymap: pymap.write(msg) # Create an array buffer containing the mapped filename char_buffer = array.array("b", b(map_name) + zero_byte) # noqa char_buffer_address, char_buffer_size = char_buffer.buffer_info() # Create a string to use for the SendMessage function call cds = COPYDATASTRUCT( _AGENT_COPYDATA_ID, char_buffer_size, char_buffer_address ) response = ctypes.windll.user32.SendMessageA( hwnd, win32con_WM_COPYDATA, ctypes.sizeof(cds), ctypes.byref(cds) ) if response > 0: pymap.seek(0) datalen = pymap.read(4) retlen = struct.unpack(">I", datalen)[0] return datalen + pymap.read(retlen) return None class PageantConnection: """ Mock "connection" to an agent which roughly approximates the behavior of a unix local-domain socket (as used by Agent). Requests are sent to the pageant daemon via special Windows magick, and responses are buffered back for subsequent reads. """ def __init__(self): self._response = None def send(self, data): self._response = _query_pageant(data) def recv(self, n): if self._response is None: return "" ret = self._response[:n] self._response = self._response[n:] if self._response == "": self._response = None return ret def close(self): pass ��ber.py��0000644��00000010421�15030210772�0005661 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. from paramiko.common import max_byte, zero_byte, byte_ord, byte_chr import paramiko.util as util from paramiko.util import b from paramiko.sftp import int64 class BERException(Exception): pass class BER: """ Robey's tiny little attempt at a BER decoder. """ def __init__(self, content=bytes()): self.content = b(content) self.idx = 0 def asbytes(self): return self.content def __str__(self): return self.asbytes() def __repr__(self): return "BER('" + repr(self.content) + "')" def decode(self): return self.decode_next() def decode_next(self): if self.idx >= len(self.content): return None ident = byte_ord(self.content[self.idx]) self.idx += 1 if (ident & 31) == 31: # identifier > 30 ident = 0 while self.idx < len(self.content): t = byte_ord(self.content[self.idx]) self.idx += 1 ident = (ident << 7) \| (t & 0x7F) if not (t & 0x80): break if self.idx >= len(self.content): return None # now fetch length size = byte_ord(self.content[self.idx]) self.idx += 1 if size & 0x80: # more complimicated... # FIXME: theoretically should handle indefinite-length (0x80) t = size & 0x7F if self.idx + t > len(self.content): return None size = util.inflate_long( self.content[self.idx : self.idx + t], True ) self.idx += t if self.idx + size > len(self.content): # can't fit return None data = self.content[self.idx : self.idx + size] self.idx += size # now switch on id if ident == 0x30: # sequence return self.decode_sequence(data) elif ident == 2: # int return util.inflate_long(data) else: # 1: boolean (00 false, otherwise true) msg = "Unknown ber encoding type {:d} (robey is lazy)" raise BERException(msg.format(ident)) @staticmethod def decode_sequence(data): out = [] ber = BER(data) while True: x = ber.decode_next() if x is None: break out.append(x) return out def encode_tlv(self, ident, val): # no need to support ident > 31 here self.content += byte_chr(ident) if len(val) > 0x7F: lenstr = util.deflate_long(len(val)) self.content += byte_chr(0x80 + len(lenstr)) + lenstr else: self.content += byte_chr(len(val)) self.content += val def encode(self, x): if type(x) is bool: if x: self.encode_tlv(1, max_byte) else: self.encode_tlv(1, zero_byte) elif (type(x) is int) or (type(x) is int64): self.encode_tlv(2, util.deflate_long(x)) elif type(x) is str: self.encode_tlv(4, x) elif (type(x) is list) or (type(x) is tuple): self.encode_tlv(0x30, self.encode_sequence(x)) else: raise BERException( "Unknown type for encoding: {!r}".format(type(x)) ) @staticmethod def encode_sequence(data): ber = BER() for item in data: ber.encode(item) return ber.asbytes() ��config.py��0000644��00000065342�15030210772�0006372 0��ustar�00��# Copyright (C) 2006-2007 Robey Pointer <robeypointer@gmail.com> # Copyright (C) 2012 Olle Lundberg <geek@nerd.sh> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Configuration file (aka ``ssh_config``) support. """ import fnmatch import getpass import os import re import shlex import socket from hashlib import sha1 from io import StringIO from functools import partial invoke, invoke_import_error = None, None try: import invoke except ImportError as e: invoke_import_error = e from .ssh_exception import CouldNotCanonicalize, ConfigParseError SSH_PORT = 22 class SSHConfig: """ Representation of config information as stored in the format used by OpenSSH. Queries can be made via `lookup`. The format is described in OpenSSH's ``ssh_config`` man page. This class is provided primarily as a convenience to posix users (since the OpenSSH format is a de-facto standard on posix) but should work fine on Windows too. .. versionadded:: 1.6 """ SETTINGS_REGEX = re.compile(r"(\w+)(?:\s=\s\|\s+)(.+)") # TODO: do a full scan of ssh.c & friends to make sure we're fully # compatible across the board, e.g. OpenSSH 8.1 added %n to ProxyCommand. TOKENS_BY_CONFIG_KEY = { "controlpath": ["%C", "%h", "%l", "%L", "%n", "%p", "%r", "%u"], "hostname": ["%h"], "identityfile": ["%C", "~", "%d", "%h", "%l", "%u", "%r"], "proxycommand": ["~", "%h", "%p", "%r"], "proxyjump": ["%h", "%p", "%r"], # Doesn't seem worth making this 'special' for now, it will fit well # enough (no actual match-exec config key to be confused with). "match-exec": ["%C", "%d", "%h", "%L", "%l", "%n", "%p", "%r", "%u"], } def __init__(self): """ Create a new OpenSSH config object. Note: the newer alternate constructors `from_path`, `from_file` and `from_text` are simpler to use, as they parse on instantiation. For example, instead of:: config = SSHConfig() config.parse(open("some-path.config") you could:: config = SSHConfig.from_file(open("some-path.config")) # Or more directly: config = SSHConfig.from_path("some-path.config") # Or if you have arbitrary ssh_config text from some other source: config = SSHConfig.from_text("Host foo\\n\\tUser bar") """ self._config = [] @classmethod def from_text(cls, text): """ Create a new, parsed `SSHConfig` from ``text`` string. .. versionadded:: 2.7 """ return cls.from_file(StringIO(text)) @classmethod def from_path(cls, path): """ Create a new, parsed `SSHConfig` from the file found at ``path``. .. versionadded:: 2.7 """ with open(path) as flo: return cls.from_file(flo) @classmethod def from_file(cls, flo): """ Create a new, parsed `SSHConfig` from file-like object ``flo``. .. versionadded:: 2.7 """ obj = cls() obj.parse(flo) return obj def parse(self, file_obj): """ Read an OpenSSH config from the given file object. :param file_obj: a file-like object to read the config file from """ # Start out w/ implicit/anonymous global host-like block to hold # anything not contained by an explicit one. context = {"host": [""], "config": {}} for line in file_obj: # Strip any leading or trailing whitespace from the line. # Refer to https://github.com/paramiko/paramiko/issues/499 line = line.strip() # Skip blanks, comments if not line or line.startswith("#"): continue # Parse line into key, value match = re.match(self.SETTINGS_REGEX, line) if not match: raise ConfigParseError("Unparsable line {}".format(line)) key = match.group(1).lower() value = match.group(2) # Host keyword triggers switch to new block/context if key in ("host", "match"): self._config.append(context) context = {"config": {}} if key == "host": # TODO 4.0: make these real objects or at least name this # "hosts" to acknowledge it's an iterable. (Doing so prior # to 3.0, despite it being a private API, feels bad - # surely such an old codebase has folks actually relying on # these keys.) context["host"] = self._get_hosts(value) else: context["matches"] = self._get_matches(value) # Special-case for noop ProxyCommands elif key == "proxycommand" and value.lower() == "none": # Store 'none' as None - not as a string implying that the # proxycommand is the literal shell command "none"! context["config"][key] = None # All other keywords get stored, directly or via append else: if value.startswith('"') and value.endswith('"'): value = value[1:-1] # identityfile, localforward, remoteforward keys are special # cases, since they are allowed to be specified multiple times # and they should be tried in order of specification. if key in ["identityfile", "localforward", "remoteforward"]: if key in context["config"]: context["config"][key].append(value) else: context["config"][key] = [value] elif key not in context["config"]: context["config"][key] = value # Store last 'open' block and we're done self._config.append(context) def lookup(self, hostname): """ Return a dict (`SSHConfigDict`) of config options for a given hostname. The host-matching rules of OpenSSH's ``ssh_config`` man page are used: For each parameter, the first obtained value will be used. The configuration files contain sections separated by ``Host`` and/or ``Match`` specifications, and that section is only applied for hosts which match the given patterns or keywords Since the first obtained value for each parameter is used, more host- specific declarations should be given near the beginning of the file, and general defaults at the end. The keys in the returned dict are all normalized to lowercase (look for ``"port"``, not ``"Port"``. The values are processed according to the rules for substitution variable expansion in ``ssh_config``. Finally, please see the docs for `SSHConfigDict` for deeper info on features such as optional type conversion methods, e.g.:: conf = my_config.lookup('myhost') assert conf['passwordauthentication'] == 'yes' assert conf.as_bool('passwordauthentication') is True .. note:: If there is no explicitly configured ``HostName`` value, it will be set to the being-looked-up hostname, which is as close as we can get to OpenSSH's behavior around that particular option. :param str hostname: the hostname to lookup .. versionchanged:: 2.5 Returns `SSHConfigDict` objects instead of dict literals. .. versionchanged:: 2.7 Added canonicalization support. .. versionchanged:: 2.7 Added ``Match`` support. .. versionchanged:: 3.3 Added ``Match final`` support. """ # First pass options = self._lookup(hostname=hostname) # Inject HostName if it was not set (this used to be done incidentally # during tokenization, for some reason). if "hostname" not in options: options["hostname"] = hostname # Handle canonicalization canon = options.get("canonicalizehostname", None) in ("yes", "always") maxdots = int(options.get("canonicalizemaxdots", 1)) if canon and hostname.count(".") <= maxdots: # NOTE: OpenSSH manpage does not explicitly state this, but its # implementation for CanonicalDomains is 'split on any whitespace'. domains = options["canonicaldomains"].split() hostname = self.canonicalize(hostname, options, domains) # Overwrite HostName again here (this is also what OpenSSH does) options["hostname"] = hostname options = self._lookup( hostname, options, canonical=True, final=True ) else: options = self._lookup( hostname, options, canonical=False, final=True ) return options def _lookup(self, hostname, options=None, canonical=False, final=False): # Init if options is None: options = SSHConfigDict() # Iterate all stanzas, applying any that match, in turn (so that things # like Match can reference currently understood state) for context in self._config: if not ( self._pattern_matches(context.get("host", []), hostname) or self._does_match( context.get("matches", []), hostname, canonical, final, options, ) ): continue for key, value in context["config"].items(): if key not in options: # Create a copy of the original value, # else it will reference the original list # in self._config and update that value too # when the extend() is being called. options[key] = value[:] if value is not None else value elif key == "identityfile": options[key].extend( x for x in value if x not in options[key] ) if final: # Expand variables in resulting values # (besides 'Match exec' which was already handled above) options = self._expand_variables(options, hostname) return options def canonicalize(self, hostname, options, domains): """ Return canonicalized version of ``hostname``. :param str hostname: Target hostname. :param options: An `SSHConfigDict` from a previous lookup pass. :param domains: List of domains (e.g. ``["paramiko.org"]``). :returns: A canonicalized hostname if one was found, else ``None``. .. versionadded:: 2.7 """ found = False for domain in domains: candidate = "{}.{}".format(hostname, domain) family_specific = _addressfamily_host_lookup(candidate, options) if family_specific is not None: # TODO: would we want to dig deeper into other results? e.g. to # find something that satisfies PermittedCNAMEs when that is # implemented? found = family_specific[0] else: # TODO: what does ssh use here and is there a reason to use # that instead of gethostbyname? try: found = socket.gethostbyname(candidate) except socket.gaierror: pass if found: # TODO: follow CNAME (implied by found != candidate?) if # CanonicalizePermittedCNAMEs allows it return candidate # If we got here, it means canonicalization failed. # When CanonicalizeFallbackLocal is undefined or 'yes', we just spit # back the original hostname. if options.get("canonicalizefallbacklocal", "yes") == "yes": return hostname # And here, we failed AND fallback was set to a non-yes value, so we # need to get mad. raise CouldNotCanonicalize(hostname) def get_hostnames(self): """ Return the set of literal hostnames defined in the SSH config (both explicit hostnames and wildcard entries). """ hosts = set() for entry in self._config: hosts.update(entry["host"]) return hosts def _pattern_matches(self, patterns, target): # Convenience auto-splitter if not already a list if hasattr(patterns, "split"): patterns = patterns.split(",") match = False for pattern in patterns: # Short-circuit if target matches a negated pattern if pattern.startswith("!") and fnmatch.fnmatch( target, pattern[1:] ): return False # Flag a match, but continue (in case of later negation) if regular # match occurs elif fnmatch.fnmatch(target, pattern): match = True return match def _does_match( self, match_list, target_hostname, canonical, final, options ): matched = [] candidates = match_list[:] local_username = getpass.getuser() while candidates: candidate = candidates.pop(0) passed = None # Obtain latest host/user value every loop, so later Match may # reference values assigned within a prior Match. configured_host = options.get("hostname", None) configured_user = options.get("user", None) type_, param = candidate["type"], candidate["param"] # Canonical is a hard pass/fail based on whether this is a # canonicalized re-lookup. if type_ == "canonical": if self._should_fail(canonical, candidate): return False if type_ == "final": passed = final # The parse step ensures we only see this by itself or after # canonical, so it's also an easy hard pass. (No negation here as # that would be uh, pretty weird?) elif type_ == "all": return True # From here, we are testing various non-hard criteria, # short-circuiting only on fail elif type_ == "host": hostval = configured_host or target_hostname passed = self._pattern_matches(param, hostval) elif type_ == "originalhost": passed = self._pattern_matches(param, target_hostname) elif type_ == "user": user = configured_user or local_username passed = self._pattern_matches(param, user) elif type_ == "localuser": passed = self._pattern_matches(param, local_username) elif type_ == "exec": exec_cmd = self._tokenize( options, target_hostname, "match-exec", param ) # This is the laziest spot in which we can get mad about an # inability to import Invoke. if invoke is None: raise invoke_import_error # Like OpenSSH, we 'redirect' stdout but let stderr bubble up passed = invoke.run(exec_cmd, hide="stdout", warn=True).ok # Tackle any 'passed, but was negated' results from above if passed is not None and self._should_fail(passed, candidate): return False # Made it all the way here? Everything matched! matched.append(candidate) # Did anything match? (To be treated as bool, usually.) return matched def _should_fail(self, would_pass, candidate): return would_pass if candidate["negate"] else not would_pass def _tokenize(self, config, target_hostname, key, value): """ Tokenize a string based on current config/hostname data. :param config: Current config data. :param target_hostname: Original target connection hostname. :param key: Config key being tokenized (used to filter token list). :param value: Config value being tokenized. :returns: The tokenized version of the input ``value`` string. """ allowed_tokens = self._allowed_tokens(key) # Short-circuit if no tokenization possible if not allowed_tokens: return value # Obtain potentially configured hostname, for use with %h. # Special-case where we are tokenizing the hostname itself, to avoid # replacing %h with a %h-bearing value, etc. configured_hostname = target_hostname if key != "hostname": configured_hostname = config.get("hostname", configured_hostname) # Ditto the rest of the source values if "port" in config: port = config["port"] else: port = SSH_PORT user = getpass.getuser() if "user" in config: remoteuser = config["user"] else: remoteuser = user local_hostname = socket.gethostname().split(".")[0] local_fqdn = LazyFqdn(config, local_hostname) homedir = os.path.expanduser("~") tohash = local_hostname + target_hostname + repr(port) + remoteuser # The actual tokens! replacements = { # TODO: %%??? "%C": sha1(tohash.encode()).hexdigest(), "%d": homedir, "%h": configured_hostname, # TODO: %i? "%L": local_hostname, "%l": local_fqdn, # also this is pseudo buggy when not in Match exec mode so document # that. also WHY is that the case?? don't we do all of this late? "%n": target_hostname, "%p": port, "%r": remoteuser, # TODO: %T? don't believe this is possible however "%u": user, "~": homedir, } # Do the thing with the stuff tokenized = value for find, replace in replacements.items(): if find not in allowed_tokens: continue tokenized = tokenized.replace(find, str(replace)) # TODO: log? eg that value -> tokenized return tokenized def _allowed_tokens(self, key): """ Given config ``key``, return list of token strings to tokenize. .. note:: This feels like it wants to eventually go away, but is used to preserve as-strict-as-possible compatibility with OpenSSH, which for whatever reason only applies some tokens to some config keys. """ return self.TOKENS_BY_CONFIG_KEY.get(key, []) def _expand_variables(self, config, target_hostname): """ Return a dict of config options with expanded substitutions for a given original & current target hostname. Please refer to :doc:`/api/config` for details. :param dict config: the currently parsed config :param str hostname: the hostname whose config is being looked up """ for k in config: if config[k] is None: continue tokenizer = partial(self._tokenize, config, target_hostname, k) if isinstance(config[k], list): for i, value in enumerate(config[k]): config[k][i] = tokenizer(value) else: config[k] = tokenizer(config[k]) return config def _get_hosts(self, host): """ Return a list of host_names from host value. """ try: return shlex.split(host) except ValueError: raise ConfigParseError("Unparsable host {}".format(host)) def _get_matches(self, match): """ Parse a specific Match config line into a list-of-dicts for its values. Performs some parse-time validation as well. """ matches = [] tokens = shlex.split(match) while tokens: match = {"type": None, "param": None, "negate": False} type_ = tokens.pop(0) # Handle per-keyword negation if type_.startswith("!"): match["negate"] = True type_ = type_[1:] match["type"] = type_ # all/canonical have no params (everything else does) if type_ in ("all", "canonical", "final"): matches.append(match) continue if not tokens: raise ConfigParseError( "Missing parameter to Match '{}' keyword".format(type_) ) match["param"] = tokens.pop(0) matches.append(match) # Perform some (easier to do now than in the middle) validation that is # better handled here than at lookup time. keywords = [x["type"] for x in matches] if "all" in keywords: allowable = ("all", "canonical") ok, bad = ( list(filter(lambda x: x in allowable, keywords)), list(filter(lambda x: x not in allowable, keywords)), ) err = None if any(bad): err = "Match does not allow 'all' mixed with anything but 'canonical'" # noqa elif "canonical" in ok and ok.index("canonical") > ok.index("all"): err = "Match does not allow 'all' before 'canonical'" if err is not None: raise ConfigParseError(err) return matches def _addressfamily_host_lookup(hostname, options): """ Try looking up ``hostname`` in an IPv4 or IPv6 specific manner. This is an odd duck due to needing use in two divergent use cases. It looks up ``AddressFamily`` in ``options`` and if it is ``inet`` or ``inet6``, this function uses `socket.getaddrinfo` to perform a family-specific lookup, returning the result if successful. In any other situation -- lookup failure, or ``AddressFamily`` being unspecified or ``any`` -- ``None`` is returned instead and the caller is expected to do something situation-appropriate like calling `socket.gethostbyname`. :param str hostname: Hostname to look up. :param options: `SSHConfigDict` instance w/ parsed options. :returns: ``getaddrinfo``-style tuples, or ``None``, depending. """ address_family = options.get("addressfamily", "any").lower() if address_family == "any": return try: family = socket.AF_INET6 if address_family == "inet": family = socket.AF_INET return socket.getaddrinfo( hostname, None, family, socket.SOCK_DGRAM, socket.IPPROTO_IP, socket.AI_CANONNAME, ) except socket.gaierror: pass class LazyFqdn: """ Returns the host's fqdn on request as string. """ def __init__(self, config, host=None): self.fqdn = None self.config = config self.host = host def __str__(self): if self.fqdn is None: # # If the SSH config contains AddressFamily, use that when # determining the local host's FQDN. Using socket.getfqdn() from # the standard library is the most general solution, but can # result in noticeable delays on some platforms when IPv6 is # misconfigured or not available, as it calls getaddrinfo with no # address family specified, so both IPv4 and IPv6 are checked. # # Handle specific option fqdn = None results = _addressfamily_host_lookup(self.host, self.config) if results is not None: for res in results: af, socktype, proto, canonname, sa = res if canonname and "." in canonname: fqdn = canonname break # Handle 'any' / unspecified / lookup failure if fqdn is None: fqdn = socket.getfqdn() # Cache self.fqdn = fqdn return self.fqdn class SSHConfigDict(dict): """ A dictionary wrapper/subclass for per-host configuration structures. This class introduces some usage niceties for consumers of `SSHConfig`, specifically around the issue of variable type conversions: normal value access yields strings, but there are now methods such as `as_bool` and `as_int` that yield casted values instead. For example, given the following ``ssh_config`` file snippet:: Host foo.example.com PasswordAuthentication no Compression yes ServerAliveInterval 60 the following code highlights how you can access the raw strings as well as usefully Python type-casted versions (recalling that keys are all normalized to lowercase first):: my_config = SSHConfig() my_config.parse(open('~/.ssh/config')) conf = my_config.lookup('foo.example.com') assert conf['passwordauthentication'] == 'no' assert conf.as_bool('passwordauthentication') is False assert conf['compression'] == 'yes' assert conf.as_bool('compression') is True assert conf['serveraliveinterval'] == '60' assert conf.as_int('serveraliveinterval') == 60 .. versionadded:: 2.5 """ def as_bool(self, key): """ Express given key's value as a boolean type. Typically, this is used for ``ssh_config``'s pseudo-boolean values which are either ``"yes"`` or ``"no"``. In such cases, ``"yes"`` yields ``True`` and any other value becomes ``False``. .. note:: If (for whatever reason) the stored value is already boolean in nature, it's simply returned. .. versionadded:: 2.5 """ val = self[key] if isinstance(val, bool): return val return val.lower() == "yes" def as_int(self, key): """ Express given key's value as an integer, if possible. This method will raise ``ValueError`` or similar if the value is not int-appropriate, same as the builtin `int` type. .. versionadded:: 2.5 """ return int(self[key]) ��file.py��0000644��00000045167�15030210772�0006047 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. from io import BytesIO from paramiko.common import ( linefeed_byte_value, crlf, cr_byte, linefeed_byte, cr_byte_value, ) from paramiko.util import ClosingContextManager, u class BufferedFile(ClosingContextManager): """ Reusable base class to implement Python-style file buffering around a simpler stream. """ _DEFAULT_BUFSIZE = 8192 SEEK_SET = 0 SEEK_CUR = 1 SEEK_END = 2 FLAG_READ = 0x1 FLAG_WRITE = 0x2 FLAG_APPEND = 0x4 FLAG_BINARY = 0x10 FLAG_BUFFERED = 0x20 FLAG_LINE_BUFFERED = 0x40 FLAG_UNIVERSAL_NEWLINE = 0x80 def __init__(self): self.newlines = None self._flags = 0 self._bufsize = self._DEFAULT_BUFSIZE self._wbuffer = BytesIO() self._rbuffer = bytes() self._at_trailing_cr = False self._closed = False # pos - position within the file, according to the user # realpos - position according the OS # (these may be different because we buffer for line reading) self._pos = self._realpos = 0 # size only matters for seekable files self._size = 0 def __del__(self): self.close() def __iter__(self): """ Returns an iterator that can be used to iterate over the lines in this file. This iterator happens to return the file itself, since a file is its own iterator. :raises: ``ValueError`` -- if the file is closed. """ if self._closed: raise ValueError("I/O operation on closed file") return self def close(self): """ Close the file. Future read and write operations will fail. """ self.flush() self._closed = True def flush(self): """ Write out any data in the write buffer. This may do nothing if write buffering is not turned on. """ self._write_all(self._wbuffer.getvalue()) self._wbuffer = BytesIO() return def __next__(self): """ Returns the next line from the input, or raises ``StopIteration`` when EOF is hit. Unlike python file objects, it's okay to mix calls to `.next` and `.readline`. :raises: ``StopIteration`` -- when the end of the file is reached. :returns: a line (`str`, or `bytes` if the file was opened in binary mode) read from the file. """ line = self.readline() if not line: raise StopIteration return line def readable(self): """ Check if the file can be read from. :returns: `True` if the file can be read from. If `False`, `read` will raise an exception. """ return (self._flags & self.FLAG_READ) == self.FLAG_READ def writable(self): """ Check if the file can be written to. :returns: `True` if the file can be written to. If `False`, `write` will raise an exception. """ return (self._flags & self.FLAG_WRITE) == self.FLAG_WRITE def seekable(self): """ Check if the file supports random access. :returns: `True` if the file supports random access. If `False`, `seek` will raise an exception. """ return False def readinto(self, buff): """ Read up to ``len(buff)`` bytes into ``bytearray`` buff* and return the number of bytes read. :returns: The number of bytes read. """ data = self.read(len(buff)) buff[: len(data)] = data return len(data) def read(self, size=None): """ Read at most ``size`` bytes from the file (less if we hit the end of the file first). If the ``size`` argument is negative or omitted, read all the remaining data in the file. .. note:: ``'b'`` mode flag is ignored (``self.FLAG_BINARY`` in ``self._flags``), because SSH treats all files as binary, since we have no idea what encoding the file is in, or even if the file is text data. :param int size: maximum number of bytes to read :returns: data read from the file (as bytes), or an empty string if EOF was encountered immediately """ if self._closed: raise IOError("File is closed") if not (self._flags & self.FLAG_READ): raise IOError("File is not open for reading") if (size is None) or (size < 0): # go for broke result = bytearray(self._rbuffer) self._rbuffer = bytes() self._pos += len(result) while True: try: new_data = self._read(self._DEFAULT_BUFSIZE) except EOFError: new_data = None if (new_data is None) or (len(new_data) == 0): break result.extend(new_data) self._realpos += len(new_data) self._pos += len(new_data) return bytes(result) if size <= len(self._rbuffer): result = self._rbuffer[:size] self._rbuffer = self._rbuffer[size:] self._pos += len(result) return result while len(self._rbuffer) < size: read_size = size - len(self._rbuffer) if self._flags & self.FLAG_BUFFERED: read_size = max(self._bufsize, read_size) try: new_data = self._read(read_size) except EOFError: new_data = None if (new_data is None) or (len(new_data) == 0): break self._rbuffer += new_data self._realpos += len(new_data) result = self._rbuffer[:size] self._rbuffer = self._rbuffer[size:] self._pos += len(result) return result def readline(self, size=None): """ Read one entire line from the file. A trailing newline character is kept in the string (but may be absent when a file ends with an incomplete line). If the size argument is present and non-negative, it is a maximum byte count (including the trailing newline) and an incomplete line may be returned. An empty string is returned only when EOF is encountered immediately. .. note:: Unlike stdio's ``fgets``, the returned string contains null characters (``'\\0'``) if they occurred in the input. :param int size: maximum length of returned string. :returns: next line of the file, or an empty string if the end of the file has been reached. If the file was opened in binary (``'b'``) mode: bytes are returned Else: the encoding of the file is assumed to be UTF-8 and character strings (`str`) are returned """ # it's almost silly how complex this function is. if self._closed: raise IOError("File is closed") if not (self._flags & self.FLAG_READ): raise IOError("File not open for reading") line = self._rbuffer truncated = False while True: if ( self._at_trailing_cr and self._flags & self.FLAG_UNIVERSAL_NEWLINE and len(line) > 0 ): # edge case: the newline may be '\r\n' and we may have read # only the first '\r' last time. if line[0] == linefeed_byte_value: line = line[1:] self._record_newline(crlf) else: self._record_newline(cr_byte) self._at_trailing_cr = False # check size before looking for a linefeed, in case we already have # enough. if (size is not None) and (size >= 0): if len(line) >= size: # truncate line self._rbuffer = line[size:] line = line[:size] truncated = True break n = size - len(line) else: n = self._bufsize if linefeed_byte in line or ( self._flags & self.FLAG_UNIVERSAL_NEWLINE and cr_byte in line ): break try: new_data = self._read(n) except EOFError: new_data = None if (new_data is None) or (len(new_data) == 0): self._rbuffer = bytes() self._pos += len(line) return line if self._flags & self.FLAG_BINARY else u(line) line += new_data self._realpos += len(new_data) # find the newline pos = line.find(linefeed_byte) if self._flags & self.FLAG_UNIVERSAL_NEWLINE: rpos = line.find(cr_byte) if (rpos >= 0) and (rpos < pos or pos < 0): pos = rpos if pos == -1: # we couldn't find a newline in the truncated string, return it self._pos += len(line) return line if self._flags & self.FLAG_BINARY else u(line) xpos = pos + 1 if ( line[pos] == cr_byte_value and xpos < len(line) and line[xpos] == linefeed_byte_value ): xpos += 1 # if the string was truncated, _rbuffer needs to have the string after # the newline character plus the truncated part of the line we stored # earlier in _rbuffer if truncated: self._rbuffer = line[xpos:] + self._rbuffer else: self._rbuffer = line[xpos:] lf = line[pos:xpos] line = line[:pos] + linefeed_byte if (len(self._rbuffer) == 0) and (lf == cr_byte): # we could read the line up to a '\r' and there could still be a # '\n' following that we read next time. note that and eat it. self._at_trailing_cr = True else: self._record_newline(lf) self._pos += len(line) return line if self._flags & self.FLAG_BINARY else u(line) def readlines(self, sizehint=None): """ Read all remaining lines using `readline` and return them as a list. If the optional ``sizehint`` argument is present, instead of reading up to EOF, whole lines totalling approximately sizehint bytes (possibly after rounding up to an internal buffer size) are read. :param int sizehint: desired maximum number of bytes to read. :returns: list of lines read from the file. """ lines = [] byte_count = 0 while True: line = self.readline() if len(line) == 0: break lines.append(line) byte_count += len(line) if (sizehint is not None) and (byte_count >= sizehint): break return lines def seek(self, offset, whence=0): """ Set the file's current position, like stdio's ``fseek``. Not all file objects support seeking. .. note:: If a file is opened in append mode (``'a'`` or ``'a+'``), any seek operations will be undone at the next write (as the file position will move back to the end of the file). :param int offset: position to move to within the file, relative to ``whence``. :param int whence: type of movement: 0 = absolute; 1 = relative to the current position; 2 = relative to the end of the file. :raises: ``IOError`` -- if the file doesn't support random access. """ raise IOError("File does not support seeking.") def tell(self): """ Return the file's current position. This may not be accurate or useful if the underlying file doesn't support random access, or was opened in append mode. :returns: file position (`number <int>` of bytes). """ return self._pos def write(self, data): """ Write data to the file. If write buffering is on (``bufsize`` was specified and non-zero), some or all of the data may not actually be written yet. (Use `flush` or `close` to force buffered data to be written out.) :param data: ``str``/``bytes`` data to write """ if isinstance(data, str): # Accept text and encode as utf-8 for compatibility only. data = data.encode("utf-8") if self._closed: raise IOError("File is closed") if not (self._flags & self.FLAG_WRITE): raise IOError("File not open for writing") if not (self._flags & self.FLAG_BUFFERED): self._write_all(data) return self._wbuffer.write(data) if self._flags & self.FLAG_LINE_BUFFERED: # only scan the new data for linefeed, to avoid wasting time. last_newline_pos = data.rfind(linefeed_byte) if last_newline_pos >= 0: wbuf = self._wbuffer.getvalue() last_newline_pos += len(wbuf) - len(data) self._write_all(wbuf[: last_newline_pos + 1]) self._wbuffer = BytesIO() self._wbuffer.write(wbuf[last_newline_pos + 1 :]) return # even if we're line buffering, if the buffer has grown past the # buffer size, force a flush. if self._wbuffer.tell() >= self._bufsize: self.flush() return def writelines(self, sequence): """ Write a sequence of strings to the file. The sequence can be any iterable object producing strings, typically a list of strings. (The name is intended to match `readlines`; `writelines` does not add line separators.) :param sequence: an iterable sequence of strings. """ for line in sequence: self.write(line) return def xreadlines(self): """ Identical to ``iter(f)``. This is a deprecated file interface that predates Python iterator support. """ return self @property def closed(self): return self._closed # ...overrides... def _read(self, size): """ (subclass override) Read data from the stream. Return ``None`` or raise ``EOFError`` to indicate EOF. """ raise EOFError() def _write(self, data): """ (subclass override) Write data into the stream. """ raise IOError("write not implemented") def _get_size(self): """ (subclass override) Return the size of the file. This is called from within `_set_mode` if the file is opened in append mode, so the file position can be tracked and `seek` and `tell` will work correctly. If the file is a stream that can't be randomly accessed, you don't need to override this method, """ return 0 # ...internals... def _set_mode(self, mode="r", bufsize=-1): """ Subclasses call this method to initialize the BufferedFile. """ # set bufsize in any event, because it's used for readline(). self._bufsize = self._DEFAULT_BUFSIZE if bufsize < 0: # do no buffering by default, because otherwise writes will get # buffered in a way that will probably confuse people. bufsize = 0 if bufsize == 1: # apparently, line buffering only affects writes. reads are only # buffered if you call readline (directly or indirectly: iterating # over a file will indirectly call readline). self._flags \|= self.FLAG_BUFFERED \| self.FLAG_LINE_BUFFERED elif bufsize > 1: self._bufsize = bufsize self._flags \|= self.FLAG_BUFFERED self._flags &= ~self.FLAG_LINE_BUFFERED elif bufsize == 0: # unbuffered self._flags &= ~(self.FLAG_BUFFERED \| self.FLAG_LINE_BUFFERED) if ("r" in mode) or ("+" in mode): self._flags \|= self.FLAG_READ if ("w" in mode) or ("+" in mode): self._flags \|= self.FLAG_WRITE if "a" in mode: self._flags \|= self.FLAG_WRITE \| self.FLAG_APPEND self._size = self._get_size() self._pos = self._realpos = self._size if "b" in mode: self._flags \|= self.FLAG_BINARY if "U" in mode: self._flags \|= self.FLAG_UNIVERSAL_NEWLINE # built-in file objects have this attribute to store which kinds of # line terminations they've seen: # <http://www.python.org/doc/current/lib/built-in-funcs.html> self.newlines = None def _write_all(self, raw_data): # the underlying stream may be something that does partial writes (like # a socket). data = memoryview(raw_data) while len(data) > 0: count = self._write(data) data = data[count:] if self._flags & self.FLAG_APPEND: self._size += count self._pos = self._realpos = self._size else: self._pos += count self._realpos += count return None def _record_newline(self, newline): # silliness about tracking what kinds of newlines we've seen. # i don't understand why it can be None, a string, or a tuple, instead # of just always being a tuple, but we'll emulate that behavior anyway. if not (self._flags & self.FLAG_UNIVERSAL_NEWLINE): return if self.newlines is None: self.newlines = newline elif self.newlines != newline and isinstance(self.newlines, bytes): self.newlines = (self.newlines, newline) elif newline not in self.newlines: self.newlines += (newline,) ��kex_curve25519.py��0000644��00000010524�15030210772�0007516 0��ustar�00��import binascii import hashlib from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import constant_time, serialization from cryptography.hazmat.primitives.asymmetric.x25519 import ( X25519PrivateKey, X25519PublicKey, ) from paramiko.message import Message from paramiko.common import byte_chr from paramiko.ssh_exception import SSHException _MSG_KEXECDH_INIT, _MSG_KEXECDH_REPLY = range(30, 32) c_MSG_KEXECDH_INIT, c_MSG_KEXECDH_REPLY = [byte_chr(c) for c in range(30, 32)] class KexCurve25519: hash_algo = hashlib.sha256 def __init__(self, transport): self.transport = transport self.key = None @classmethod def is_available(cls): try: X25519PrivateKey.generate() except UnsupportedAlgorithm: return False else: return True def _perform_exchange(self, peer_key): secret = self.key.exchange(peer_key) if constant_time.bytes_eq(secret, b"\x00" * 32): raise SSHException( "peer's curve25519 public value has wrong order" ) return secret def start_kex(self): self.key = X25519PrivateKey.generate() if self.transport.server_mode: self.transport._expect_packet(_MSG_KEXECDH_INIT) return m = Message() m.add_byte(c_MSG_KEXECDH_INIT) m.add_string( self.key.public_key().public_bytes( serialization.Encoding.Raw, serialization.PublicFormat.Raw ) ) self.transport._send_message(m) self.transport._expect_packet(_MSG_KEXECDH_REPLY) def parse_next(self, ptype, m): if self.transport.server_mode and (ptype == _MSG_KEXECDH_INIT): return self._parse_kexecdh_init(m) elif not self.transport.server_mode and (ptype == _MSG_KEXECDH_REPLY): return self._parse_kexecdh_reply(m) raise SSHException( "KexCurve25519 asked to handle packet type {:d}".format(ptype) ) def _parse_kexecdh_init(self, m): peer_key_bytes = m.get_string() peer_key = X25519PublicKey.from_public_bytes(peer_key_bytes) K = self._perform_exchange(peer_key) K = int(binascii.hexlify(K), 16) # compute exchange hash hm = Message() hm.add( self.transport.remote_version, self.transport.local_version, self.transport.remote_kex_init, self.transport.local_kex_init, ) server_key_bytes = self.transport.get_server_key().asbytes() exchange_key_bytes = self.key.public_key().public_bytes( serialization.Encoding.Raw, serialization.PublicFormat.Raw ) hm.add_string(server_key_bytes) hm.add_string(peer_key_bytes) hm.add_string(exchange_key_bytes) hm.add_mpint(K) H = self.hash_algo(hm.asbytes()).digest() self.transport._set_K_H(K, H) sig = self.transport.get_server_key().sign_ssh_data( H, self.transport.host_key_type ) # construct reply m = Message() m.add_byte(c_MSG_KEXECDH_REPLY) m.add_string(server_key_bytes) m.add_string(exchange_key_bytes) m.add_string(sig) self.transport._send_message(m) self.transport._activate_outbound() def _parse_kexecdh_reply(self, m): peer_host_key_bytes = m.get_string() peer_key_bytes = m.get_string() sig = m.get_binary() peer_key = X25519PublicKey.from_public_bytes(peer_key_bytes) K = self._perform_exchange(peer_key) K = int(binascii.hexlify(K), 16) # compute exchange hash and verify signature hm = Message() hm.add( self.transport.local_version, self.transport.remote_version, self.transport.local_kex_init, self.transport.remote_kex_init, ) hm.add_string(peer_host_key_bytes) hm.add_string( self.key.public_key().public_bytes( serialization.Encoding.Raw, serialization.PublicFormat.Raw ) ) hm.add_string(peer_key_bytes) hm.add_mpint(K) self.transport._set_K_H(K, self.hash_algo(hm.asbytes()).digest()) self.transport._verify_key(peer_host_key_bytes, sig) self.transport._activate_outbound() ��util.py��0000644��00000022516�15030210772�0006076 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Useful functions used by the rest of paramiko. """ import sys import struct import traceback import threading import logging from paramiko.common import ( DEBUG, zero_byte, xffffffff, max_byte, byte_ord, byte_chr, ) from paramiko.config import SSHConfig def inflate_long(s, always_positive=False): """turns a normalized byte string into a long-int (adapted from Crypto.Util.number)""" out = 0 negative = 0 if not always_positive and (len(s) > 0) and (byte_ord(s[0]) >= 0x80): negative = 1 if len(s) % 4: filler = zero_byte if negative: filler = max_byte # never convert this to ``s +=`` because this is a string, not a number # noinspection PyAugmentAssignment s = filler * (4 - len(s) % 4) + s for i in range(0, len(s), 4): out = (out << 32) + struct.unpack(">I", s[i : i + 4])[0] if negative: out -= 1 << (8 * len(s)) return out def deflate_long(n, add_sign_padding=True): """turns a long-int into a normalized byte string (adapted from Crypto.Util.number)""" # after much testing, this algorithm was deemed to be the fastest s = bytes() n = int(n) while (n != 0) and (n != -1): s = struct.pack(">I", n & xffffffff) + s n >>= 32 # strip off leading zeros, FFs for i in enumerate(s): if (n == 0) and (i[1] != 0): break if (n == -1) and (i[1] != 0xFF): break else: # degenerate case, n was either 0 or -1 i = (0,) if n == 0: s = zero_byte else: s = max_byte s = s[i[0] :] if add_sign_padding: if (n == 0) and (byte_ord(s[0]) >= 0x80): s = zero_byte + s if (n == -1) and (byte_ord(s[0]) < 0x80): s = max_byte + s return s def format_binary(data, prefix=""): x = 0 out = [] while len(data) > x + 16: out.append(format_binary_line(data[x : x + 16])) x += 16 if x < len(data): out.append(format_binary_line(data[x:])) return [prefix + line for line in out] def format_binary_line(data): left = " ".join(["{:02X}".format(byte_ord(c)) for c in data]) right = "".join( [".{:c}..".format(byte_ord(c))[(byte_ord(c) + 63) // 95] for c in data] ) return "{:50s} {}".format(left, right) def safe_string(s): out = b"" for c in s: i = byte_ord(c) if 32 <= i <= 127: out += byte_chr(i) else: out += b("%{:02X}".format(i)) return out def bit_length(n): try: return n.bit_length() except AttributeError: norm = deflate_long(n, False) hbyte = byte_ord(norm[0]) if hbyte == 0: return 1 bitlen = len(norm) * 8 while not (hbyte & 0x80): hbyte <<= 1 bitlen -= 1 return bitlen def tb_strings(): return "".join(traceback.format_exception(sys.exc_info())).split("\n") def generate_key_bytes(hash_alg, salt, key, nbytes): """ Given a password, passphrase, or other human-source key, scramble it through a secure hash into some keyworthy bytes. This specific algorithm is used for encrypting/decrypting private key files. :param function hash_alg: A function which creates a new hash object, such as ``hashlib.sha256``. :param salt: data to salt the hash with. :type bytes salt: Hash salt bytes. :param str key: human-entered password or passphrase. :param int nbytes: number of bytes to generate. :return: Key data, as `bytes`. """ keydata = bytes() digest = bytes() if len(salt) > 8: salt = salt[:8] while nbytes > 0: hash_obj = hash_alg() if len(digest) > 0: hash_obj.update(digest) hash_obj.update(b(key)) hash_obj.update(salt) digest = hash_obj.digest() size = min(nbytes, len(digest)) keydata += digest[:size] nbytes -= size return keydata def load_host_keys(filename): """ Read a file of known SSH host keys, in the format used by openssh, and return a compound dict of ``hostname -> keytype ->`` `PKey <paramiko.pkey.PKey>`. The hostname may be an IP address or DNS name. The keytype will be either ``"ssh-rsa"`` or ``"ssh-dss"``. This type of file unfortunately doesn't exist on Windows, but on posix, it will usually be stored in ``os.path.expanduser("~/.ssh/known_hosts")``. Since 1.5.3, this is just a wrapper around `.HostKeys`. :param str filename: name of the file to read host keys from :return: nested dict of `.PKey` objects, indexed by hostname and then keytype """ from paramiko.hostkeys import HostKeys return HostKeys(filename) def parse_ssh_config(file_obj): """ Provided only as a backward-compatible wrapper around `.SSHConfig`. .. deprecated:: 2.7 Use `SSHConfig.from_file` instead. """ config = SSHConfig() config.parse(file_obj) return config def lookup_ssh_host_config(hostname, config): """ Provided only as a backward-compatible wrapper around `.SSHConfig`. """ return config.lookup(hostname) def mod_inverse(x, m): # it's crazy how small Python can make this function. u1, u2, u3 = 1, 0, m v1, v2, v3 = 0, 1, x while v3 > 0: q = u3 // v3 u1, v1 = v1, u1 - v1 q u2, v2 = v2, u2 - v2 * q u3, v3 = v3, u3 - v3 * q if u2 < 0: u2 += m return u2 _g_thread_data = threading.local() _g_thread_counter = 0 _g_thread_lock = threading.Lock() def get_thread_id(): global _g_thread_data, _g_thread_counter, _g_thread_lock try: return _g_thread_data.id except AttributeError: with _g_thread_lock: _g_thread_counter += 1 _g_thread_data.id = _g_thread_counter return _g_thread_data.id def log_to_file(filename, level=DEBUG): """send paramiko logs to a logfile, if they're not already going somewhere""" logger = logging.getLogger("paramiko") if len(logger.handlers) > 0: return logger.setLevel(level) f = open(filename, "a") handler = logging.StreamHandler(f) frm = "%(levelname)-.3s [%(asctime)s.%(msecs)03d] thr=%(_threadid)-3d" frm += " %(name)s: %(message)s" handler.setFormatter(logging.Formatter(frm, "%Y%m%d-%H:%M:%S")) logger.addHandler(handler) # make only one filter object, so it doesn't get applied more than once class PFilter: def filter(self, record): record._threadid = get_thread_id() return True _pfilter = PFilter() def get_logger(name): logger = logging.getLogger(name) logger.addFilter(_pfilter) return logger def constant_time_bytes_eq(a, b): if len(a) != len(b): return False res = 0 # noinspection PyUnresolvedReferences for i in range(len(a)): # noqa: F821 res \|= byte_ord(a[i]) ^ byte_ord(b[i]) return res == 0 class ClosingContextManager: def __enter__(self): return self def __exit__(self, type, value, traceback): self.close() def clamp_value(minimum, val, maximum): return max(minimum, min(val, maximum)) def asbytes(s): """ Coerce to bytes if possible or return unchanged. """ try: # Attempt to run through our version of b(), which does the Right Thing # for unicode strings vs bytestrings, and raises TypeError if it's not # one of those types. return b(s) except TypeError: try: # If it wasn't a string/byte/buffer-ish object, try calling an # asbytes() method, which many of our internal classes implement. return s.asbytes() except AttributeError: # Finally, just do nothing & assume this object is sufficiently # byte-y or buffer-y that everything will work out (or that callers # are capable of handling whatever it is.) return s # TODO: clean this up / force callers to assume bytes OR unicode def b(s, encoding="utf8"): """cast unicode or bytes to bytes""" if isinstance(s, bytes): return s elif isinstance(s, str): return s.encode(encoding) else: raise TypeError(f"Expected unicode or bytes, got {type(s)}") # TODO: clean this up / force callers to assume bytes OR unicode def u(s, encoding="utf8"): """cast bytes or unicode to unicode""" if isinstance(s, bytes): return s.decode(encoding) elif isinstance(s, str): return s else: raise TypeError(f"Expected unicode or bytes, got {type(s)}") ��transport.py��0000644��00000405563�15030210772�0007164 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Core protocol implementation """ import os import socket import sys import threading import time import weakref from hashlib import md5, sha1, sha256, sha512 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes import paramiko from paramiko import util from paramiko.auth_handler import AuthHandler, AuthOnlyHandler from paramiko.ssh_gss import GSSAuth from paramiko.channel import Channel from paramiko.common import ( xffffffff, cMSG_CHANNEL_OPEN, cMSG_IGNORE, cMSG_GLOBAL_REQUEST, DEBUG, MSG_KEXINIT, MSG_IGNORE, MSG_DISCONNECT, MSG_DEBUG, ERROR, WARNING, cMSG_UNIMPLEMENTED, INFO, cMSG_KEXINIT, cMSG_NEWKEYS, MSG_NEWKEYS, cMSG_REQUEST_SUCCESS, cMSG_REQUEST_FAILURE, CONNECTION_FAILED_CODE, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED, OPEN_SUCCEEDED, cMSG_CHANNEL_OPEN_FAILURE, cMSG_CHANNEL_OPEN_SUCCESS, MSG_GLOBAL_REQUEST, MSG_REQUEST_SUCCESS, MSG_REQUEST_FAILURE, cMSG_SERVICE_REQUEST, MSG_SERVICE_ACCEPT, MSG_CHANNEL_OPEN_SUCCESS, MSG_CHANNEL_OPEN_FAILURE, MSG_CHANNEL_OPEN, MSG_CHANNEL_SUCCESS, MSG_CHANNEL_FAILURE, MSG_CHANNEL_DATA, MSG_CHANNEL_EXTENDED_DATA, MSG_CHANNEL_WINDOW_ADJUST, MSG_CHANNEL_REQUEST, MSG_CHANNEL_EOF, MSG_CHANNEL_CLOSE, MIN_WINDOW_SIZE, MIN_PACKET_SIZE, MAX_WINDOW_SIZE, DEFAULT_WINDOW_SIZE, DEFAULT_MAX_PACKET_SIZE, HIGHEST_USERAUTH_MESSAGE_ID, MSG_UNIMPLEMENTED, MSG_NAMES, MSG_EXT_INFO, cMSG_EXT_INFO, byte_ord, ) from paramiko.compress import ZlibCompressor, ZlibDecompressor from paramiko.dsskey import DSSKey from paramiko.ed25519key import Ed25519Key from paramiko.kex_curve25519 import KexCurve25519 from paramiko.kex_gex import KexGex, KexGexSHA256 from paramiko.kex_group1 import KexGroup1 from paramiko.kex_group14 import KexGroup14, KexGroup14SHA256 from paramiko.kex_group16 import KexGroup16SHA512 from paramiko.kex_ecdh_nist import KexNistp256, KexNistp384, KexNistp521 from paramiko.kex_gss import KexGSSGex, KexGSSGroup1, KexGSSGroup14 from paramiko.message import Message from paramiko.packet import Packetizer, NeedRekeyException from paramiko.primes import ModulusPack from paramiko.rsakey import RSAKey from paramiko.ecdsakey import ECDSAKey from paramiko.server import ServerInterface from paramiko.sftp_client import SFTPClient from paramiko.ssh_exception import ( BadAuthenticationType, ChannelException, IncompatiblePeer, MessageOrderError, ProxyCommandFailure, SSHException, ) from paramiko.util import ( ClosingContextManager, clamp_value, b, ) # TripleDES is moving from `cryptography.hazmat.primitives.ciphers.algorithms` # in cryptography>=43.0.0 to `cryptography.hazmat.decrepit.ciphers.algorithms` # It will be removed from `cryptography.hazmat.primitives.ciphers.algorithms` # in cryptography==48.0.0. # # Source References: # - https://github.com/pyca/cryptography/commit/722a6393e61b3ac # - https://github.com/pyca/cryptography/pull/11407/files try: from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES except ImportError: from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES # for thread cleanup _active_threads = [] def _join_lingering_threads(): for thr in _active_threads: thr.stop_thread() import atexit atexit.register(_join_lingering_threads) class Transport(threading.Thread, ClosingContextManager): """ An SSH Transport attaches to a stream (usually a socket), negotiates an encrypted session, authenticates, and then creates stream tunnels, called `channels <.Channel>`, across the session. Multiple channels can be multiplexed across a single session (and often are, in the case of port forwardings). Instances of this class may be used as context managers. """ _ENCRYPT = object() _DECRYPT = object() _PROTO_ID = "2.0" _CLIENT_ID = "paramiko_{}".format(paramiko.__version__) # These tuples of algorithm identifiers are in preference order; do not # reorder without reason! # NOTE: if you need to modify these, we suggest leveraging the # `disabled_algorithms` constructor argument (also available in SSHClient) # instead of monkeypatching or subclassing. _preferred_ciphers = ( "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc", ) _preferred_macs = ( "hmac-sha2-256", "hmac-sha2-512", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96", ) # ~= HostKeyAlgorithms in OpenSSH land _preferred_keys = ( "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss", ) # ~= PubKeyAcceptedAlgorithms _preferred_pubkeys = ( "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-dss", ) _preferred_kex = ( "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1", ) if KexCurve25519.is_available(): _preferred_kex = ("curve25519-sha256@libssh.org",) + _preferred_kex _preferred_gsskex = ( "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==", "gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==", "gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==", ) _preferred_compression = ("none",) _cipher_info = { "aes128-ctr": { "class": algorithms.AES, "mode": modes.CTR, "block-size": 16, "key-size": 16, }, "aes192-ctr": { "class": algorithms.AES, "mode": modes.CTR, "block-size": 16, "key-size": 24, }, "aes256-ctr": { "class": algorithms.AES, "mode": modes.CTR, "block-size": 16, "key-size": 32, }, "aes128-cbc": { "class": algorithms.AES, "mode": modes.CBC, "block-size": 16, "key-size": 16, }, "aes192-cbc": { "class": algorithms.AES, "mode": modes.CBC, "block-size": 16, "key-size": 24, }, "aes256-cbc": { "class": algorithms.AES, "mode": modes.CBC, "block-size": 16, "key-size": 32, }, "3des-cbc": { "class": TripleDES, "mode": modes.CBC, "block-size": 8, "key-size": 24, }, } _mac_info = { "hmac-sha1": {"class": sha1, "size": 20}, "hmac-sha1-96": {"class": sha1, "size": 12}, "hmac-sha2-256": {"class": sha256, "size": 32}, "hmac-sha2-256-etm@openssh.com": {"class": sha256, "size": 32}, "hmac-sha2-512": {"class": sha512, "size": 64}, "hmac-sha2-512-etm@openssh.com": {"class": sha512, "size": 64}, "hmac-md5": {"class": md5, "size": 16}, "hmac-md5-96": {"class": md5, "size": 12}, } _key_info = { # TODO: at some point we will want to drop this as it's no longer # considered secure due to using SHA-1 for signatures. OpenSSH 8.8 no # longer supports it. Question becomes at what point do we want to # prevent users with older setups from using this? "ssh-rsa": RSAKey, "ssh-rsa-cert-v01@openssh.com": RSAKey, "rsa-sha2-256": RSAKey, "rsa-sha2-256-cert-v01@openssh.com": RSAKey, "rsa-sha2-512": RSAKey, "rsa-sha2-512-cert-v01@openssh.com": RSAKey, "ssh-dss": DSSKey, "ssh-dss-cert-v01@openssh.com": DSSKey, "ecdsa-sha2-nistp256": ECDSAKey, "ecdsa-sha2-nistp256-cert-v01@openssh.com": ECDSAKey, "ecdsa-sha2-nistp384": ECDSAKey, "ecdsa-sha2-nistp384-cert-v01@openssh.com": ECDSAKey, "ecdsa-sha2-nistp521": ECDSAKey, "ecdsa-sha2-nistp521-cert-v01@openssh.com": ECDSAKey, "ssh-ed25519": Ed25519Key, "ssh-ed25519-cert-v01@openssh.com": Ed25519Key, } _kex_info = { "diffie-hellman-group1-sha1": KexGroup1, "diffie-hellman-group14-sha1": KexGroup14, "diffie-hellman-group-exchange-sha1": KexGex, "diffie-hellman-group-exchange-sha256": KexGexSHA256, "diffie-hellman-group14-sha256": KexGroup14SHA256, "diffie-hellman-group16-sha512": KexGroup16SHA512, "gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==": KexGSSGroup1, "gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==": KexGSSGroup14, "gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==": KexGSSGex, "ecdh-sha2-nistp256": KexNistp256, "ecdh-sha2-nistp384": KexNistp384, "ecdh-sha2-nistp521": KexNistp521, } if KexCurve25519.is_available(): _kex_info["curve25519-sha256@libssh.org"] = KexCurve25519 _compression_info = { # zlib@openssh.com is just zlib, but only turned on after a successful # authentication. openssh servers may only offer this type because # they've had troubles with security holes in zlib in the past. "zlib@openssh.com": (ZlibCompressor, ZlibDecompressor), "zlib": (ZlibCompressor, ZlibDecompressor), "none": (None, None), } _modulus_pack = None _active_check_timeout = 0.1 def __init__( self, sock, default_window_size=DEFAULT_WINDOW_SIZE, default_max_packet_size=DEFAULT_MAX_PACKET_SIZE, gss_kex=False, gss_deleg_creds=True, disabled_algorithms=None, server_sig_algs=True, strict_kex=True, packetizer_class=None, ): """ Create a new SSH session over an existing socket, or socket-like object. This only creates the `.Transport` object; it doesn't begin the SSH session yet. Use `connect` or `start_client` to begin a client session, or `start_server` to begin a server session. If the object is not actually a socket, it must have the following methods: - ``send(bytes)``: Writes from 1 to ``len(bytes)`` bytes, and returns an int representing the number of bytes written. Returns 0 or raises ``EOFError`` if the stream has been closed. - ``recv(int)``: Reads from 1 to ``int`` bytes and returns them as a string. Returns 0 or raises ``EOFError`` if the stream has been closed. - ``close()``: Closes the socket. - ``settimeout(n)``: Sets a (float) timeout on I/O operations. For ease of use, you may also pass in an address (as a tuple) or a host string as the ``sock`` argument. (A host string is a hostname with an optional port (separated by ``":"``) which will be converted into a tuple of ``(hostname, port)``.) A socket will be connected to this address and used for communication. Exceptions from the ``socket`` call may be thrown in this case. .. note:: Modifying the the window and packet sizes might have adverse effects on your channels created from this transport. The default values are the same as in the OpenSSH code base and have been battle tested. :param socket sock: a socket or socket-like object to create the session over. :param int default_window_size: sets the default window size on the transport. (defaults to 2097152) :param int default_max_packet_size: sets the default max packet size on the transport. (defaults to 32768) :param bool gss_kex: Whether to enable GSSAPI key exchange when GSSAPI is in play. Default: ``False``. :param bool gss_deleg_creds: Whether to enable GSSAPI credential delegation when GSSAPI is in play. Default: ``True``. :param dict disabled_algorithms: If given, must be a dictionary mapping algorithm type to an iterable of algorithm identifiers, which will be disabled for the lifetime of the transport. Keys should match the last word in the class' builtin algorithm tuple attributes, such as ``"ciphers"`` to disable names within ``_preferred_ciphers``; or ``"kex"`` to disable something defined inside ``_preferred_kex``. Values should exactly match members of the matching attribute. For example, if you need to disable ``diffie-hellman-group16-sha512`` key exchange (perhaps because your code talks to a server which implements it differently from Paramiko), specify ``disabled_algorithms={"kex": ["diffie-hellman-group16-sha512"]}``. :param bool server_sig_algs: Whether to send an extra message to compatible clients, in server mode, with a list of supported pubkey algorithms. Default: ``True``. :param bool strict_kex: Whether to advertise (and implement, if client also advertises support for) a "strict kex" mode for safer handshaking. Default: ``True``. :param packetizer_class: Which class to use for instantiating the internal packet handler. Default: ``None`` (i.e.: use `Packetizer` as normal). .. versionchanged:: 1.15 Added the ``default_window_size`` and ``default_max_packet_size`` arguments. .. versionchanged:: 1.15 Added the ``gss_kex`` and ``gss_deleg_creds`` kwargs. .. versionchanged:: 2.6 Added the ``disabled_algorithms`` kwarg. .. versionchanged:: 2.9 Added the ``server_sig_algs`` kwarg. .. versionchanged:: 3.4 Added the ``strict_kex`` kwarg. .. versionchanged:: 3.4 Added the ``packetizer_class`` kwarg. """ self.active = False self.hostname = None self.server_extensions = {} self.advertise_strict_kex = strict_kex self.agreed_on_strict_kex = False # TODO: these two overrides on sock's type should go away sometime, too # many ways to do it! if isinstance(sock, str): # convert "host:port" into (host, port) hl = sock.split(":", 1) self.hostname = hl[0] if len(hl) == 1: sock = (hl[0], 22) else: sock = (hl[0], int(hl[1])) if type(sock) is tuple: # connect to the given (host, port) hostname, port = sock self.hostname = hostname reason = "No suitable address family" addrinfos = socket.getaddrinfo( hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM ) for family, socktype, proto, canonname, sockaddr in addrinfos: if socktype == socket.SOCK_STREAM: af = family # addr = sockaddr sock = socket.socket(af, socket.SOCK_STREAM) try: sock.connect((hostname, port)) except socket.error as e: reason = str(e) else: break else: raise SSHException( "Unable to connect to {}: {}".format(hostname, reason) ) # okay, normal socket-ish flow here... threading.Thread.__init__(self) self.daemon = True self.sock = sock # we set the timeout so we can check self.active periodically to # see if we should bail. socket.timeout exception is never propagated. self.sock.settimeout(self._active_check_timeout) # negotiated crypto parameters self.packetizer = (packetizer_class or Packetizer)(sock) self.local_version = "SSH-" + self._PROTO_ID + "-" + self._CLIENT_ID self.remote_version = "" self.local_cipher = self.remote_cipher = "" self.local_kex_init = self.remote_kex_init = None self.local_mac = self.remote_mac = None self.local_compression = self.remote_compression = None self.session_id = None self.host_key_type = None self.host_key = None # GSS-API / SSPI Key Exchange self.use_gss_kex = gss_kex # This will be set to True if GSS-API Key Exchange was performed self.gss_kex_used = False self.kexgss_ctxt = None self.gss_host = None if self.use_gss_kex: self.kexgss_ctxt = GSSAuth("gssapi-keyex", gss_deleg_creds) self._preferred_kex = self._preferred_gsskex + self._preferred_kex # state used during negotiation self.kex_engine = None self.H = None self.K = None self.initial_kex_done = False self.in_kex = False self.authenticated = False self._expected_packet = tuple() # synchronization (always higher level than write_lock) self.lock = threading.Lock() # tracking open channels self._channels = ChannelMap() self.channel_events = {} # (id -> Event) self.channels_seen = {} # (id -> True) self._channel_counter = 0 self.default_max_packet_size = default_max_packet_size self.default_window_size = default_window_size self._forward_agent_handler = None self._x11_handler = None self._tcp_handler = None self.saved_exception = None self.clear_to_send = threading.Event() self.clear_to_send_lock = threading.Lock() self.clear_to_send_timeout = 30.0 self.log_name = "paramiko.transport" self.logger = util.get_logger(self.log_name) self.packetizer.set_log(self.logger) self.auth_handler = None # response Message from an arbitrary global request self.global_response = None # user-defined event callbacks self.completion_event = None # how long (seconds) to wait for the SSH banner self.banner_timeout = 15 # how long (seconds) to wait for the handshake to finish after SSH # banner sent. self.handshake_timeout = 15 # how long (seconds) to wait for the auth response. self.auth_timeout = 30 # how long (seconds) to wait for opening a channel self.channel_timeout = 60 * 60 self.disabled_algorithms = disabled_algorithms or {} self.server_sig_algs = server_sig_algs # server mode: self.server_mode = False self.server_object = None self.server_key_dict = {} self.server_accepts = [] self.server_accept_cv = threading.Condition(self.lock) self.subsystem_table = {} # Handler table, now set at init time for easier per-instance # manipulation and subclass twiddling. self._handler_table = { MSG_EXT_INFO: self._parse_ext_info, MSG_NEWKEYS: self._parse_newkeys, MSG_GLOBAL_REQUEST: self._parse_global_request, MSG_REQUEST_SUCCESS: self._parse_request_success, MSG_REQUEST_FAILURE: self._parse_request_failure, MSG_CHANNEL_OPEN_SUCCESS: self._parse_channel_open_success, MSG_CHANNEL_OPEN_FAILURE: self._parse_channel_open_failure, MSG_CHANNEL_OPEN: self._parse_channel_open, MSG_KEXINIT: self._negotiate_keys, } def _filter_algorithm(self, type_): default = getattr(self, "_preferred_{}".format(type_)) return tuple( x for x in default if x not in self.disabled_algorithms.get(type_, []) ) @property def preferred_ciphers(self): return self._filter_algorithm("ciphers") @property def preferred_macs(self): return self._filter_algorithm("macs") @property def preferred_keys(self): # Interleave cert variants here; resistant to various background # overwriting of _preferred_keys, and necessary as hostkeys can't use # the logic pubkey auth does re: injecting/checking for certs at # runtime filtered = self._filter_algorithm("keys") return tuple( filtered + tuple("{}-cert-v01@openssh.com".format(x) for x in filtered) ) @property def preferred_pubkeys(self): return self._filter_algorithm("pubkeys") @property def preferred_kex(self): return self._filter_algorithm("kex") @property def preferred_compression(self): return self._filter_algorithm("compression") def __repr__(self): """ Returns a string representation of this object, for debugging. """ id_ = hex(id(self) & xffffffff) out = "<paramiko.Transport at {}".format(id_) if not self.active: out += " (unconnected)" else: if self.local_cipher != "": out += " (cipher {}, {:d} bits)".format( self.local_cipher, self._cipher_info[self.local_cipher]["key-size"] * 8, ) if self.is_authenticated(): out += " (active; {} open channel(s))".format( len(self._channels) ) elif self.initial_kex_done: out += " (connected; awaiting auth)" else: out += " (connecting)" out += ">" return out def atfork(self): """ Terminate this Transport without closing the session. On posix systems, if a Transport is open during process forking, both parent and child will share the underlying socket, but only one process can use the connection (without corrupting the session). Use this method to clean up a Transport object without disrupting the other process. .. versionadded:: 1.5.3 """ self.sock.close() self.close() def get_security_options(self): """ Return a `.SecurityOptions` object which can be used to tweak the encryption algorithms this transport will permit (for encryption, digest/hash operations, public keys, and key exchanges) and the order of preference for them. """ return SecurityOptions(self) def set_gss_host(self, gss_host, trust_dns=True, gssapi_requested=True): """ Normalize/canonicalize ``self.gss_host`` depending on various factors. :param str gss_host: The explicitly requested GSS-oriented hostname to connect to (i.e. what the host's name is in the Kerberos database.) Defaults to ``self.hostname`` (which will be the 'real' target hostname and/or host portion of given socket object.) :param bool trust_dns: Indicates whether or not DNS is trusted; if true, DNS will be used to canonicalize the GSS hostname (which again will either be ``gss_host`` or the transport's default hostname.) (Defaults to True due to backwards compatibility.) :param bool gssapi_requested: Whether GSSAPI key exchange or authentication was even requested. If not, this is a no-op and nothing happens (and ``self.gss_host`` is not set.) (Defaults to True due to backwards compatibility.) :returns: ``None``. """ # No GSSAPI in play == nothing to do if not gssapi_requested: return # Obtain the correct host first - did user request a GSS-specific name # to use that is distinct from the actual SSH target hostname? if gss_host is None: gss_host = self.hostname # Finally, canonicalize via DNS if DNS is trusted. if trust_dns and gss_host is not None: gss_host = socket.getfqdn(gss_host) # And set attribute for reference later. self.gss_host = gss_host def start_client(self, event=None, timeout=None): """ Negotiate a new SSH2 session as a client. This is the first step after creating a new `.Transport`. A separate thread is created for protocol negotiation. If an event is passed in, this method returns immediately. When negotiation is done (successful or not), the given ``Event`` will be triggered. On failure, `is_active` will return ``False``. (Since 1.4) If ``event`` is ``None``, this method will not return until negotiation is done. On success, the method returns normally. Otherwise an SSHException is raised. After a successful negotiation, you will usually want to authenticate, calling `auth_password <Transport.auth_password>` or `auth_publickey <Transport.auth_publickey>`. .. note:: `connect` is a simpler method for connecting as a client. .. note:: After calling this method (or `start_server` or `connect`), you should no longer directly read from or write to the original socket object. :param .threading.Event event: an event to trigger when negotiation is complete (optional) :param float timeout: a timeout, in seconds, for SSH2 session negotiation (optional) :raises: `.SSHException` -- if negotiation fails (and no ``event`` was passed in) """ self.active = True if event is not None: # async, return immediately and let the app poll for completion self.completion_event = event self.start() return # synchronous, wait for a result self.completion_event = event = threading.Event() self.start() max_time = time.time() + timeout if timeout is not None else None while True: event.wait(0.1) if not self.active: e = self.get_exception() if e is not None: raise e raise SSHException("Negotiation failed.") if event.is_set() or ( timeout is not None and time.time() >= max_time ): break def start_server(self, event=None, server=None): """ Negotiate a new SSH2 session as a server. This is the first step after creating a new `.Transport` and setting up your server host key(s). A separate thread is created for protocol negotiation. If an event is passed in, this method returns immediately. When negotiation is done (successful or not), the given ``Event`` will be triggered. On failure, `is_active` will return ``False``. (Since 1.4) If ``event`` is ``None``, this method will not return until negotiation is done. On success, the method returns normally. Otherwise an SSHException is raised. After a successful negotiation, the client will need to authenticate. Override the methods `get_allowed_auths <.ServerInterface.get_allowed_auths>`, `check_auth_none <.ServerInterface.check_auth_none>`, `check_auth_password <.ServerInterface.check_auth_password>`, and `check_auth_publickey <.ServerInterface.check_auth_publickey>` in the given ``server`` object to control the authentication process. After a successful authentication, the client should request to open a channel. Override `check_channel_request <.ServerInterface.check_channel_request>` in the given ``server`` object to allow channels to be opened. .. note:: After calling this method (or `start_client` or `connect`), you should no longer directly read from or write to the original socket object. :param .threading.Event event: an event to trigger when negotiation is complete. :param .ServerInterface server: an object used to perform authentication and create `channels <.Channel>` :raises: `.SSHException` -- if negotiation fails (and no ``event`` was passed in) """ if server is None: server = ServerInterface() self.server_mode = True self.server_object = server self.active = True if event is not None: # async, return immediately and let the app poll for completion self.completion_event = event self.start() return # synchronous, wait for a result self.completion_event = event = threading.Event() self.start() while True: event.wait(0.1) if not self.active: e = self.get_exception() if e is not None: raise e raise SSHException("Negotiation failed.") if event.is_set(): break def add_server_key(self, key): """ Add a host key to the list of keys used for server mode. When behaving as a server, the host key is used to sign certain packets during the SSH2 negotiation, so that the client can trust that we are who we say we are. Because this is used for signing, the key must contain private key info, not just the public half. Only one key of each type (RSA or DSS) is kept. :param .PKey key: the host key to add, usually an `.RSAKey` or `.DSSKey`. """ self.server_key_dict[key.get_name()] = key # Handle SHA-2 extensions for RSA by ensuring that lookups into # self.server_key_dict will yield this key for any of the algorithm # names. if isinstance(key, RSAKey): self.server_key_dict["rsa-sha2-256"] = key self.server_key_dict["rsa-sha2-512"] = key def get_server_key(self): """ Return the active host key, in server mode. After negotiating with the client, this method will return the negotiated host key. If only one type of host key was set with `add_server_key`, that's the only key that will ever be returned. But in cases where you have set more than one type of host key (for example, an RSA key and a DSS key), the key type will be negotiated by the client, and this method will return the key of the type agreed on. If the host key has not been negotiated yet, ``None`` is returned. In client mode, the behavior is undefined. :return: host key (`.PKey`) of the type negotiated by the client, or ``None``. """ try: return self.server_key_dict[self.host_key_type] except KeyError: pass return None @staticmethod def load_server_moduli(filename=None): """ (optional) Load a file of prime moduli for use in doing group-exchange key negotiation in server mode. It's a rather obscure option and can be safely ignored. In server mode, the remote client may request "group-exchange" key negotiation, which asks the server to send a random prime number that fits certain criteria. These primes are pretty difficult to compute, so they can't be generated on demand. But many systems contain a file of suitable primes (usually named something like ``/etc/ssh/moduli``). If you call `load_server_moduli` and it returns ``True``, then this file of primes has been loaded and we will support "group-exchange" in server mode. Otherwise server mode will just claim that it doesn't support that method of key negotiation. :param str filename: optional path to the moduli file, if you happen to know that it's not in a standard location. :return: True if a moduli file was successfully loaded; False otherwise. .. note:: This has no effect when used in client mode. """ Transport._modulus_pack = ModulusPack() # places to look for the openssh "moduli" file file_list = ["/etc/ssh/moduli", "/usr/local/etc/moduli"] if filename is not None: file_list.insert(0, filename) for fn in file_list: try: Transport._modulus_pack.read_file(fn) return True except IOError: pass # none succeeded Transport._modulus_pack = None return False def close(self): """ Close this session, and any open channels that are tied to it. """ if not self.active: return self.stop_thread() for chan in list(self._channels.values()): chan._unlink() self.sock.close() def get_remote_server_key(self): """ Return the host key of the server (in client mode). .. note:: Previously this call returned a tuple of ``(key type, key string)``. You can get the same effect by calling `.PKey.get_name` for the key type, and ``str(key)`` for the key string. :raises: `.SSHException` -- if no session is currently active. :return: public key (`.PKey`) of the remote server """ if (not self.active) or (not self.initial_kex_done): raise SSHException("No existing session") return self.host_key def is_active(self): """ Return true if this session is active (open). :return: True if the session is still active (open); False if the session is closed """ return self.active def open_session( self, window_size=None, max_packet_size=None, timeout=None ): """ Request a new channel to the server, of type ``"session"``. This is just an alias for calling `open_channel` with an argument of ``"session"``. .. note:: Modifying the the window and packet sizes might have adverse effects on the session created. The default values are the same as in the OpenSSH code base and have been battle tested. :param int window_size: optional window size for this session. :param int max_packet_size: optional max packet size for this session. :return: a new `.Channel` :raises: `.SSHException` -- if the request is rejected or the session ends prematurely .. versionchanged:: 1.13.4/1.14.3/1.15.3 Added the ``timeout`` argument. .. versionchanged:: 1.15 Added the ``window_size`` and ``max_packet_size`` arguments. """ return self.open_channel( "session", window_size=window_size, max_packet_size=max_packet_size, timeout=timeout, ) def open_x11_channel(self, src_addr=None): """ Request a new channel to the client, of type ``"x11"``. This is just an alias for ``open_channel('x11', src_addr=src_addr)``. :param tuple src_addr: the source address (``(str, int)``) of the x11 server (port is the x11 port, ie. 6010) :return: a new `.Channel` :raises: `.SSHException` -- if the request is rejected or the session ends prematurely """ return self.open_channel("x11", src_addr=src_addr) def open_forward_agent_channel(self): """ Request a new channel to the client, of type ``"auth-agent@openssh.com"``. This is just an alias for ``open_channel('auth-agent@openssh.com')``. :return: a new `.Channel` :raises: `.SSHException` -- if the request is rejected or the session ends prematurely """ return self.open_channel("auth-agent@openssh.com") def open_forwarded_tcpip_channel(self, src_addr, dest_addr): """ Request a new channel back to the client, of type ``forwarded-tcpip``. This is used after a client has requested port forwarding, for sending incoming connections back to the client. :param src_addr: originator's address :param dest_addr: local (server) connected address """ return self.open_channel("forwarded-tcpip", dest_addr, src_addr) def open_channel( self, kind, dest_addr=None, src_addr=None, window_size=None, max_packet_size=None, timeout=None, ): """ Request a new channel to the server. `Channels <.Channel>` are socket-like objects used for the actual transfer of data across the session. You may only request a channel after negotiating encryption (using `connect` or `start_client`) and authenticating. .. note:: Modifying the the window and packet sizes might have adverse effects on the channel created. The default values are the same as in the OpenSSH code base and have been battle tested. :param str kind: the kind of channel requested (usually ``"session"``, ``"forwarded-tcpip"``, ``"direct-tcpip"``, or ``"x11"``) :param tuple dest_addr: the destination address (address + port tuple) of this port forwarding, if ``kind`` is ``"forwarded-tcpip"`` or ``"direct-tcpip"`` (ignored for other channel types) :param src_addr: the source address of this port forwarding, if ``kind`` is ``"forwarded-tcpip"``, ``"direct-tcpip"``, or ``"x11"`` :param int window_size: optional window size for this session. :param int max_packet_size: optional max packet size for this session. :param float timeout: optional timeout opening a channel, default 3600s (1h) :return: a new `.Channel` on success :raises: `.SSHException` -- if the request is rejected, the session ends prematurely or there is a timeout opening a channel .. versionchanged:: 1.15 Added the ``window_size`` and ``max_packet_size`` arguments. """ if not self.active: raise SSHException("SSH session not active") timeout = self.channel_timeout if timeout is None else timeout self.lock.acquire() try: window_size = self._sanitize_window_size(window_size) max_packet_size = self._sanitize_packet_size(max_packet_size) chanid = self._next_channel() m = Message() m.add_byte(cMSG_CHANNEL_OPEN) m.add_string(kind) m.add_int(chanid) m.add_int(window_size) m.add_int(max_packet_size) if (kind == "forwarded-tcpip") or (kind == "direct-tcpip"): m.add_string(dest_addr[0]) m.add_int(dest_addr[1]) m.add_string(src_addr[0]) m.add_int(src_addr[1]) elif kind == "x11": m.add_string(src_addr[0]) m.add_int(src_addr[1]) chan = Channel(chanid) self._channels.put(chanid, chan) self.channel_events[chanid] = event = threading.Event() self.channels_seen[chanid] = True chan._set_transport(self) chan._set_window(window_size, max_packet_size) finally: self.lock.release() self._send_user_message(m) start_ts = time.time() while True: event.wait(0.1) if not self.active: e = self.get_exception() if e is None: e = SSHException("Unable to open channel.") raise e if event.is_set(): break elif start_ts + timeout < time.time(): raise SSHException("Timeout opening channel.") chan = self._channels.get(chanid) if chan is not None: return chan e = self.get_exception() if e is None: e = SSHException("Unable to open channel.") raise e def request_port_forward(self, address, port, handler=None): """ Ask the server to forward TCP connections from a listening port on the server, across this SSH session. If a handler is given, that handler is called from a different thread whenever a forwarded connection arrives. The handler parameters are:: handler( channel, (origin_addr, origin_port), (server_addr, server_port), ) where ``server_addr`` and ``server_port`` are the address and port that the server was listening on. If no handler is set, the default behavior is to send new incoming forwarded connections into the accept queue, to be picked up via `accept`. :param str address: the address to bind when forwarding :param int port: the port to forward, or 0 to ask the server to allocate any port :param callable handler: optional handler for incoming forwarded connections, of the form ``func(Channel, (str, int), (str, int))``. :return: the port number (`int`) allocated by the server :raises: `.SSHException` -- if the server refused the TCP forward request """ if not self.active: raise SSHException("SSH session not active") port = int(port) response = self.global_request( "tcpip-forward", (address, port), wait=True ) if response is None: raise SSHException("TCP forwarding request denied") if port == 0: port = response.get_int() if handler is None: def default_handler(channel, src_addr, dest_addr_port): # src_addr, src_port = src_addr_port # dest_addr, dest_port = dest_addr_port self._queue_incoming_channel(channel) handler = default_handler self._tcp_handler = handler return port def cancel_port_forward(self, address, port): """ Ask the server to cancel a previous port-forwarding request. No more connections to the given address & port will be forwarded across this ssh connection. :param str address: the address to stop forwarding :param int port: the port to stop forwarding """ if not self.active: return self._tcp_handler = None self.global_request("cancel-tcpip-forward", (address, port), wait=True) def open_sftp_client(self): """ Create an SFTP client channel from an open transport. On success, an SFTP session will be opened with the remote host, and a new `.SFTPClient` object will be returned. :return: a new `.SFTPClient` referring to an sftp session (channel) across this transport """ return SFTPClient.from_transport(self) def send_ignore(self, byte_count=None): """ Send a junk packet across the encrypted link. This is sometimes used to add "noise" to a connection to confuse would-be attackers. It can also be used as a keep-alive for long lived connections traversing firewalls. :param int byte_count: the number of random bytes to send in the payload of the ignored packet -- defaults to a random number from 10 to 41. """ m = Message() m.add_byte(cMSG_IGNORE) if byte_count is None: byte_count = (byte_ord(os.urandom(1)) % 32) + 10 m.add_bytes(os.urandom(byte_count)) self._send_user_message(m) def renegotiate_keys(self): """ Force this session to switch to new keys. Normally this is done automatically after the session hits a certain number of packets or bytes sent or received, but this method gives you the option of forcing new keys whenever you want. Negotiating new keys causes a pause in traffic both ways as the two sides swap keys and do computations. This method returns when the session has switched to new keys. :raises: `.SSHException` -- if the key renegotiation failed (which causes the session to end) """ self.completion_event = threading.Event() self._send_kex_init() while True: self.completion_event.wait(0.1) if not self.active: e = self.get_exception() if e is not None: raise e raise SSHException("Negotiation failed.") if self.completion_event.is_set(): break return def set_keepalive(self, interval): """ Turn on/off keepalive packets (default is off). If this is set, after ``interval`` seconds without sending any data over the connection, a "keepalive" packet will be sent (and ignored by the remote host). This can be useful to keep connections alive over a NAT, for example. :param int interval: seconds to wait before sending a keepalive packet (or 0 to disable keepalives). """ def _request(x=weakref.proxy(self)): return x.global_request("keepalive@lag.net", wait=False) self.packetizer.set_keepalive(interval, _request) def global_request(self, kind, data=None, wait=True): """ Make a global request to the remote host. These are normally extensions to the SSH2 protocol. :param str kind: name of the request. :param tuple data: an optional tuple containing additional data to attach to the request. :param bool wait: ``True`` if this method should not return until a response is received; ``False`` otherwise. :return: a `.Message` containing possible additional data if the request was successful (or an empty `.Message` if ``wait`` was ``False``); ``None`` if the request was denied. """ if wait: self.completion_event = threading.Event() m = Message() m.add_byte(cMSG_GLOBAL_REQUEST) m.add_string(kind) m.add_boolean(wait) if data is not None: m.add(data) self._log(DEBUG, 'Sending global request "{}"'.format(kind)) self._send_user_message(m) if not wait: return None while True: self.completion_event.wait(0.1) if not self.active: return None if self.completion_event.is_set(): break return self.global_response def accept(self, timeout=None): """ Return the next channel opened by the client over this transport, in server mode. If no channel is opened before the given timeout, ``None`` is returned. :param int timeout: seconds to wait for a channel, or ``None`` to wait forever :return: a new `.Channel` opened by the client """ self.lock.acquire() try: if len(self.server_accepts) > 0: chan = self.server_accepts.pop(0) else: self.server_accept_cv.wait(timeout) if len(self.server_accepts) > 0: chan = self.server_accepts.pop(0) else: # timeout chan = None finally: self.lock.release() return chan def connect( self, hostkey=None, username="", password=None, pkey=None, gss_host=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_trust_dns=True, ): """ Negotiate an SSH2 session, and optionally verify the server's host key and authenticate using a password or private key. This is a shortcut for `start_client`, `get_remote_server_key`, and `Transport.auth_password` or `Transport.auth_publickey`. Use those methods if you want more control. You can use this method immediately after creating a Transport to negotiate encryption with a server. If it fails, an exception will be thrown. On success, the method will return cleanly, and an encrypted session exists. You may immediately call `open_channel` or `open_session` to get a `.Channel` object, which is used for data transfer. .. note:: If you fail to supply a password or private key, this method may succeed, but a subsequent `open_channel` or `open_session` call may fail because you haven't authenticated yet. :param .PKey hostkey: the host key expected from the server, or ``None`` if you don't want to do host key verification. :param str username: the username to authenticate as. :param str password: a password to use for authentication, if you want to use password authentication; otherwise ``None``. :param .PKey pkey: a private key to use for authentication, if you want to use private key authentication; otherwise ``None``. :param str gss_host: The target's name in the kerberos database. Default: hostname :param bool gss_auth: ``True`` if you want to use GSS-API authentication. :param bool gss_kex: Perform GSS-API Key Exchange and user authentication. :param bool gss_deleg_creds: Whether to delegate GSS-API client credentials. :param gss_trust_dns: Indicates whether or not the DNS is trusted to securely canonicalize the name of the host being connected to (default ``True``). :raises: `.SSHException` -- if the SSH2 negotiation fails, the host key supplied by the server is incorrect, or authentication fails. .. versionchanged:: 2.3 Added the ``gss_trust_dns`` argument. """ if hostkey is not None: # TODO: a more robust implementation would be to ask each key class # for its nameS plural, and just use that. # TODO: that could be used in a bunch of other spots too if isinstance(hostkey, RSAKey): self._preferred_keys = [ "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", ] else: self._preferred_keys = [hostkey.get_name()] self.set_gss_host( gss_host=gss_host, trust_dns=gss_trust_dns, gssapi_requested=gss_kex or gss_auth, ) self.start_client() # check host key if we were given one # If GSS-API Key Exchange was performed, we are not required to check # the host key. if (hostkey is not None) and not gss_kex: key = self.get_remote_server_key() if ( key.get_name() != hostkey.get_name() or key.asbytes() != hostkey.asbytes() ): self._log(DEBUG, "Bad host key from server") self._log( DEBUG, "Expected: {}: {}".format( hostkey.get_name(), repr(hostkey.asbytes()) ), ) self._log( DEBUG, "Got : {}: {}".format( key.get_name(), repr(key.asbytes()) ), ) raise SSHException("Bad host key from server") self._log( DEBUG, "Host key verified ({})".format(hostkey.get_name()) ) if (pkey is not None) or (password is not None) or gss_auth or gss_kex: if gss_auth: self._log( DEBUG, "Attempting GSS-API auth... (gssapi-with-mic)" ) # noqa self.auth_gssapi_with_mic( username, self.gss_host, gss_deleg_creds ) elif gss_kex: self._log(DEBUG, "Attempting GSS-API auth... (gssapi-keyex)") self.auth_gssapi_keyex(username) elif pkey is not None: self._log(DEBUG, "Attempting public-key auth...") self.auth_publickey(username, pkey) else: self._log(DEBUG, "Attempting password auth...") self.auth_password(username, password) return def get_exception(self): """ Return any exception that happened during the last server request. This can be used to fetch more specific error information after using calls like `start_client`. The exception (if any) is cleared after this call. :return: an exception, or ``None`` if there is no stored exception. .. versionadded:: 1.1 """ self.lock.acquire() try: e = self.saved_exception self.saved_exception = None return e finally: self.lock.release() def set_subsystem_handler(self, name, handler, args, *kwargs): """ Set the handler class for a subsystem in server mode. If a request for this subsystem is made on an open ssh channel later, this handler will be constructed and called -- see `.SubsystemHandler` for more detailed documentation. Any extra parameters (including keyword arguments) are saved and passed to the `.SubsystemHandler` constructor later. :param str name: name of the subsystem. :param handler: subclass of `.SubsystemHandler` that handles this subsystem. """ try: self.lock.acquire() self.subsystem_table[name] = (handler, args, kwargs) finally: self.lock.release() def is_authenticated(self): """ Return true if this session is active and authenticated. :return: True if the session is still open and has been authenticated successfully; False if authentication failed and/or the session is closed. """ return ( self.active and self.auth_handler is not None and self.auth_handler.is_authenticated() ) def get_username(self): """ Return the username this connection is authenticated for. If the session is not authenticated (or authentication failed), this method returns ``None``. :return: username that was authenticated (a `str`), or ``None``. """ if not self.active or (self.auth_handler is None): return None return self.auth_handler.get_username() def get_banner(self): """ Return the banner supplied by the server upon connect. If no banner is supplied, this method returns ``None``. :returns: server supplied banner (`str`), or ``None``. .. versionadded:: 1.13 """ if not self.active or (self.auth_handler is None): return None return self.auth_handler.banner def auth_none(self, username): """ Try to authenticate to the server using no authentication at all. This will almost always fail. It may be useful for determining the list of authentication types supported by the server, by catching the `.BadAuthenticationType` exception raised. :param str username: the username to authenticate as :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if "none" authentication isn't allowed by the server for this user :raises: `.SSHException` -- if the authentication failed due to a network error .. versionadded:: 1.5 """ if (not self.active) or (not self.initial_kex_done): raise SSHException("No existing session") my_event = threading.Event() self.auth_handler = AuthHandler(self) self.auth_handler.auth_none(username, my_event) return self.auth_handler.wait_for_response(my_event) def auth_password(self, username, password, event=None, fallback=True): """ Authenticate to the server using a password. The username and password are sent over an encrypted link. If an ``event`` is passed in, this method will return immediately, and the event will be triggered once authentication succeeds or fails. On success, `is_authenticated` will return ``True``. On failure, you may use `get_exception` to get more detailed error information. Since 1.1, if no event is passed, this method will block until the authentication succeeds or fails. On failure, an exception is raised. Otherwise, the method simply returns. Since 1.5, if no event is passed and ``fallback`` is ``True`` (the default), if the server doesn't support plain password authentication but does support so-called "keyboard-interactive" mode, an attempt will be made to authenticate using this interactive mode. If it fails, the normal exception will be thrown as if the attempt had never been made. This is useful for some recent Gentoo and Debian distributions, which turn off plain password authentication in a misguided belief that interactive authentication is "more secure". (It's not.) If the server requires multi-step authentication (which is very rare), this method will return a list of auth types permissible for the next step. Otherwise, in the normal case, an empty list is returned. :param str username: the username to authenticate as :param basestring password: the password to authenticate with :param .threading.Event event: an event to trigger when the authentication attempt is complete (whether it was successful or not) :param bool fallback: ``True`` if an attempt at an automated "interactive" password auth should be made if the server doesn't support normal password auth :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if password authentication isn't allowed by the server for this user (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error """ if (not self.active) or (not self.initial_kex_done): # we should never try to send the password unless we're on a secure # link raise SSHException("No existing session") if event is None: my_event = threading.Event() else: my_event = event self.auth_handler = AuthHandler(self) self.auth_handler.auth_password(username, password, my_event) if event is not None: # caller wants to wait for event themselves return [] try: return self.auth_handler.wait_for_response(my_event) except BadAuthenticationType as e: # if password auth isn't allowed, but keyboard-interactive is, # try to fudge it if not fallback or ("keyboard-interactive" not in e.allowed_types): raise try: def handler(title, instructions, fields): if len(fields) > 1: raise SSHException("Fallback authentication failed.") if len(fields) == 0: # for some reason, at least on os x, a 2nd request will # be made with zero fields requested. maybe it's just # to try to fake out automated scripting of the exact # type we're doing here. shrug* :) return [] return [password] return self.auth_interactive(username, handler) except SSHException: # attempt failed; just raise the original exception raise e def auth_publickey(self, username, key, event=None): """ Authenticate to the server using a private key. The key is used to sign data from the server, so it must include the private part. If an ``event`` is passed in, this method will return immediately, and the event will be triggered once authentication succeeds or fails. On success, `is_authenticated` will return ``True``. On failure, you may use `get_exception` to get more detailed error information. Since 1.1, if no event is passed, this method will block until the authentication succeeds or fails. On failure, an exception is raised. Otherwise, the method simply returns. If the server requires multi-step authentication (which is very rare), this method will return a list of auth types permissible for the next step. Otherwise, in the normal case, an empty list is returned. :param str username: the username to authenticate as :param .PKey key: the private key to authenticate with :param .threading.Event event: an event to trigger when the authentication attempt is complete (whether it was successful or not) :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if public-key authentication isn't allowed by the server for this user (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error """ if (not self.active) or (not self.initial_kex_done): # we should never try to authenticate unless we're on a secure link raise SSHException("No existing session") if event is None: my_event = threading.Event() else: my_event = event self.auth_handler = AuthHandler(self) self.auth_handler.auth_publickey(username, key, my_event) if event is not None: # caller wants to wait for event themselves return [] return self.auth_handler.wait_for_response(my_event) def auth_interactive(self, username, handler, submethods=""): """ Authenticate to the server interactively. A handler is used to answer arbitrary questions from the server. On many servers, this is just a dumb wrapper around PAM. This method will block until the authentication succeeds or fails, periodically calling the handler asynchronously to get answers to authentication questions. The handler may be called more than once if the server continues to ask questions. The handler is expected to be a callable that will handle calls of the form: ``handler(title, instructions, prompt_list)``. The ``title`` is meant to be a dialog-window title, and the ``instructions`` are user instructions (both are strings). ``prompt_list`` will be a list of prompts, each prompt being a tuple of ``(str, bool)``. The string is the prompt and the boolean indicates whether the user text should be echoed. A sample call would thus be: ``handler('title', 'instructions', [('Password:', False)])``. The handler should return a list or tuple of answers to the server's questions. If the server requires multi-step authentication (which is very rare), this method will return a list of auth types permissible for the next step. Otherwise, in the normal case, an empty list is returned. :param str username: the username to authenticate as :param callable handler: a handler for responding to server questions :param str submethods: a string list of desired submethods (optional) :return: list of auth types permissible for the next stage of authentication (normally empty). :raises: `.BadAuthenticationType` -- if public-key authentication isn't allowed by the server for this user :raises: `.AuthenticationException` -- if the authentication failed :raises: `.SSHException` -- if there was a network error .. versionadded:: 1.5 """ if (not self.active) or (not self.initial_kex_done): # we should never try to authenticate unless we're on a secure link raise SSHException("No existing session") my_event = threading.Event() self.auth_handler = AuthHandler(self) self.auth_handler.auth_interactive( username, handler, my_event, submethods ) return self.auth_handler.wait_for_response(my_event) def auth_interactive_dumb(self, username, handler=None, submethods=""): """ Authenticate to the server interactively but dumber. Just print the prompt and / or instructions to stdout and send back the response. This is good for situations where partial auth is achieved by key and then the user has to enter a 2fac token. """ if not handler: def handler(title, instructions, prompt_list): answers = [] if title: print(title.strip()) if instructions: print(instructions.strip()) for prompt, show_input in prompt_list: print(prompt.strip(), end=" ") answers.append(input()) return answers return self.auth_interactive(username, handler, submethods) def auth_gssapi_with_mic(self, username, gss_host, gss_deleg_creds): """ Authenticate to the Server using GSS-API / SSPI. :param str username: The username to authenticate as :param str gss_host: The target host :param bool gss_deleg_creds: Delegate credentials or not :return: list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if gssapi-with-mic isn't allowed by the server (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error """ if (not self.active) or (not self.initial_kex_done): # we should never try to authenticate unless we're on a secure link raise SSHException("No existing session") my_event = threading.Event() self.auth_handler = AuthHandler(self) self.auth_handler.auth_gssapi_with_mic( username, gss_host, gss_deleg_creds, my_event ) return self.auth_handler.wait_for_response(my_event) def auth_gssapi_keyex(self, username): """ Authenticate to the server with GSS-API/SSPI if GSS-API kex is in use. :param str username: The username to authenticate as. :returns: a list of auth types permissible for the next stage of authentication (normally empty) :raises: `.BadAuthenticationType` -- if GSS-API Key Exchange was not performed (and no event was passed in) :raises: `.AuthenticationException` -- if the authentication failed (and no event was passed in) :raises: `.SSHException` -- if there was a network error """ if (not self.active) or (not self.initial_kex_done): # we should never try to authenticate unless we're on a secure link raise SSHException("No existing session") my_event = threading.Event() self.auth_handler = AuthHandler(self) self.auth_handler.auth_gssapi_keyex(username, my_event) return self.auth_handler.wait_for_response(my_event) def set_log_channel(self, name): """ Set the channel for this transport's logging. The default is ``"paramiko.transport"`` but it can be set to anything you want. (See the `.logging` module for more info.) SSH Channels will log to a sub-channel of the one specified. :param str name: new channel name for logging .. versionadded:: 1.1 """ self.log_name = name self.logger = util.get_logger(name) self.packetizer.set_log(self.logger) def get_log_channel(self): """ Return the channel name used for this transport's logging. :return: channel name as a `str` .. versionadded:: 1.2 """ return self.log_name def set_hexdump(self, hexdump): """ Turn on/off logging a hex dump of protocol traffic at DEBUG level in the logs. Normally you would want this off (which is the default), but if you are debugging something, it may be useful. :param bool hexdump: ``True`` to log protocol traffix (in hex) to the log; ``False`` otherwise. """ self.packetizer.set_hexdump(hexdump) def get_hexdump(self): """ Return ``True`` if the transport is currently logging hex dumps of protocol traffic. :return: ``True`` if hex dumps are being logged, else ``False``. .. versionadded:: 1.4 """ return self.packetizer.get_hexdump() def use_compression(self, compress=True): """ Turn on/off compression. This will only have an affect before starting the transport (ie before calling `connect`, etc). By default, compression is off since it negatively affects interactive sessions. :param bool compress: ``True`` to ask the remote client/server to compress traffic; ``False`` to refuse compression .. versionadded:: 1.5.2 """ if compress: self._preferred_compression = ("zlib@openssh.com", "zlib", "none") else: self._preferred_compression = ("none",) def getpeername(self): """ Return the address of the remote side of this Transport, if possible. This is effectively a wrapper around ``getpeername`` on the underlying socket. If the socket-like object has no ``getpeername`` method, then ``("unknown", 0)`` is returned. :return: the address of the remote host, if known, as a ``(str, int)`` tuple. """ gp = getattr(self.sock, "getpeername", None) if gp is None: return "unknown", 0 return gp() def stop_thread(self): self.active = False self.packetizer.close() # Keep trying to join() our main thread, quickly, until: # * We join()ed successfully (self.is_alive() == False) # * Or it looks like we've hit issue #520 (socket.recv hitting some # race condition preventing it from timing out correctly), wherein # our socket and packetizer are both closed (but where we'd # otherwise be sitting forever on that recv()). while ( self.is_alive() and self is not threading.current_thread() and not self.sock._closed and not self.packetizer.closed ): self.join(0.1) # internals... # TODO 4.0: make a public alias for this because multiple other classes # already explicitly rely on it...or just rewrite logging :D def _log(self, level, msg, args): if issubclass(type(msg), list): for m in msg: self.logger.log(level, m) else: self.logger.log(level, msg, args) def _get_modulus_pack(self): """used by KexGex to find primes for group exchange""" return self._modulus_pack def _next_channel(self): """you are holding the lock""" chanid = self._channel_counter while self._channels.get(chanid) is not None: self._channel_counter = (self._channel_counter + 1) & 0xFFFFFF chanid = self._channel_counter self._channel_counter = (self._channel_counter + 1) & 0xFFFFFF return chanid def _unlink_channel(self, chanid): """used by a Channel to remove itself from the active channel list""" self._channels.delete(chanid) def _send_message(self, data): self.packetizer.send_message(data) def _send_user_message(self, data): """ send a message, but block if we're in key negotiation. this is used for user-initiated requests. """ start = time.time() while True: self.clear_to_send.wait(0.1) if not self.active: self._log( DEBUG, "Dropping user packet because connection is dead." ) # noqa return self.clear_to_send_lock.acquire() if self.clear_to_send.is_set(): break self.clear_to_send_lock.release() if time.time() > start + self.clear_to_send_timeout: raise SSHException( "Key-exchange timed out waiting for key negotiation" ) # noqa try: self._send_message(data) finally: self.clear_to_send_lock.release() def _set_K_H(self, k, h): """ Used by a kex obj to set the K (root key) and H (exchange hash). """ self.K = k self.H = h if self.session_id is None: self.session_id = h def _expect_packet(self, ptypes): """ Used by a kex obj to register the next packet type it expects to see. """ self._expected_packet = tuple(ptypes) def _verify_key(self, host_key, sig): key = self._key_info[self.host_key_type](Message(host_key)) if key is None: raise SSHException("Unknown host key type") if not key.verify_ssh_sig(self.H, Message(sig)): raise SSHException( "Signature verification ({}) failed.".format( self.host_key_type ) ) # noqa self.host_key = key def _compute_key(self, id, nbytes): """id is 'A' - 'F' for the various keys used by ssh""" m = Message() m.add_mpint(self.K) m.add_bytes(self.H) m.add_byte(b(id)) m.add_bytes(self.session_id) # Fallback to SHA1 for kex engines that fail to specify a hex # algorithm, or for e.g. transport tests that don't run kexinit. hash_algo = getattr(self.kex_engine, "hash_algo", None) hash_select_msg = "kex engine {} specified hash_algo {!r}".format( self.kex_engine.__class__.__name__, hash_algo ) if hash_algo is None: hash_algo = sha1 hash_select_msg += ", falling back to sha1" if not hasattr(self, "_logged_hash_selection"): self._log(DEBUG, hash_select_msg) setattr(self, "_logged_hash_selection", True) out = sofar = hash_algo(m.asbytes()).digest() while len(out) < nbytes: m = Message() m.add_mpint(self.K) m.add_bytes(self.H) m.add_bytes(sofar) digest = hash_algo(m.asbytes()).digest() out += digest sofar += digest return out[:nbytes] def _get_cipher(self, name, key, iv, operation): if name not in self._cipher_info: raise SSHException("Unknown client cipher " + name) else: cipher = Cipher( self._cipher_info[name]["class"](key), self._cipher_info[name]["mode"](iv), backend=default_backend(), ) if operation is self._ENCRYPT: return cipher.encryptor() else: return cipher.decryptor() def _set_forward_agent_handler(self, handler): if handler is None: def default_handler(channel): self._queue_incoming_channel(channel) self._forward_agent_handler = default_handler else: self._forward_agent_handler = handler def _set_x11_handler(self, handler): # only called if a channel has turned on x11 forwarding if handler is None: # by default, use the same mechanism as accept() def default_handler(channel, src_addr_port): self._queue_incoming_channel(channel) self._x11_handler = default_handler else: self._x11_handler = handler def _queue_incoming_channel(self, channel): self.lock.acquire() try: self.server_accepts.append(channel) self.server_accept_cv.notify() finally: self.lock.release() def _sanitize_window_size(self, window_size): if window_size is None: window_size = self.default_window_size return clamp_value(MIN_WINDOW_SIZE, window_size, MAX_WINDOW_SIZE) def _sanitize_packet_size(self, max_packet_size): if max_packet_size is None: max_packet_size = self.default_max_packet_size return clamp_value(MIN_PACKET_SIZE, max_packet_size, MAX_WINDOW_SIZE) def _ensure_authed(self, ptype, message): """ Checks message type against current auth state. If server mode, and auth has not succeeded, and the message is of a post-auth type (channel open or global request) an appropriate error response Message is crafted and returned to caller for sending. Otherwise (client mode, authed, or pre-auth message) returns None. """ if ( not self.server_mode or ptype <= HIGHEST_USERAUTH_MESSAGE_ID or self.is_authenticated() ): return None # WELP. We must be dealing with someone trying to do non-auth things # without being authed. Tell them off, based on message class. reply = Message() # Global requests have no details, just failure. if ptype == MSG_GLOBAL_REQUEST: reply.add_byte(cMSG_REQUEST_FAILURE) # Channel opens let us reject w/ a specific type + message. elif ptype == MSG_CHANNEL_OPEN: kind = message.get_text() # noqa chanid = message.get_int() reply.add_byte(cMSG_CHANNEL_OPEN_FAILURE) reply.add_int(chanid) reply.add_int(OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED) reply.add_string("") reply.add_string("en") # NOTE: Post-open channel messages do not need checking; the above will # reject attempts to open channels, meaning that even if a malicious # user tries to send a MSG_CHANNEL_REQUEST, it will simply fall under # the logic that handles unknown channel IDs (as the channel list will # be empty.) return reply def _enforce_strict_kex(self, ptype): """ Conditionally raise `MessageOrderError` during strict initial kex. This method should only be called inside code that handles non-KEXINIT messages; it does not interrogate ``ptype`` besides using it to log more accurately. """ if self.agreed_on_strict_kex and not self.initial_kex_done: name = MSG_NAMES.get(ptype, f"msg {ptype}") raise MessageOrderError( f"In strict-kex mode, but was sent {name!r}!" ) def run(self): # (use the exposed "run" method, because if we specify a thread target # of a private method, threading.Thread will keep a reference to it # indefinitely, creating a GC cycle and not letting Transport ever be # GC'd. it's a bug in Thread.) # Hold reference to 'sys' so we can test sys.modules to detect # interpreter shutdown. self.sys = sys # active=True occurs before the thread is launched, to avoid a race _active_threads.append(self) tid = hex(id(self) & xffffffff) if self.server_mode: self._log(DEBUG, "starting thread (server mode): {}".format(tid)) else: self._log(DEBUG, "starting thread (client mode): {}".format(tid)) try: try: self.packetizer.write_all(b(self.local_version + "\r\n")) self._log( DEBUG, "Local version/idstring: {}".format(self.local_version), ) # noqa self._check_banner() # The above is actually very much part of the handshake, but # sometimes the banner can be read but the machine is not # responding, for example when the remote ssh daemon is loaded # in to memory but we can not read from the disk/spawn a new # shell. # Make sure we can specify a timeout for the initial handshake. # Re-use the banner timeout for now. self.packetizer.start_handshake(self.handshake_timeout) self._send_kex_init() self._expect_packet(MSG_KEXINIT) while self.active: if self.packetizer.need_rekey() and not self.in_kex: self._send_kex_init() try: ptype, m = self.packetizer.read_message() except NeedRekeyException: continue if ptype == MSG_IGNORE: self._enforce_strict_kex(ptype) continue elif ptype == MSG_DISCONNECT: self._parse_disconnect(m) break elif ptype == MSG_DEBUG: self._enforce_strict_kex(ptype) self._parse_debug(m) continue if len(self._expected_packet) > 0: if ptype not in self._expected_packet: exc_class = SSHException if self.agreed_on_strict_kex: exc_class = MessageOrderError raise exc_class( "Expecting packet from {!r}, got {:d}".format( self._expected_packet, ptype ) ) # noqa self._expected_packet = tuple() # These message IDs indicate key exchange & will differ # depending on exact exchange algorithm if (ptype >= 30) and (ptype <= 41): self.kex_engine.parse_next(ptype, m) continue if ptype in self._handler_table: error_msg = self._ensure_authed(ptype, m) if error_msg: self._send_message(error_msg) else: self._handler_table[ptype](m) elif ptype in self._channel_handler_table: chanid = m.get_int() chan = self._channels.get(chanid) if chan is not None: self._channel_handler_table[ptype](chan, m) elif chanid in self.channels_seen: self._log( DEBUG, "Ignoring message for dead channel {:d}".format( # noqa chanid ), ) else: self._log( ERROR, "Channel request for unknown channel {:d}".format( # noqa chanid ), ) break elif ( self.auth_handler is not None and ptype in self.auth_handler._handler_table ): handler = self.auth_handler._handler_table[ptype] handler(m) if len(self._expected_packet) > 0: continue else: # Respond with "I don't implement this particular # message type" message (unless the message type was # itself literally MSG_UNIMPLEMENTED, in which case, we # just shut up to avoid causing a useless loop). name = MSG_NAMES[ptype] warning = "Oops, unhandled type {} ({!r})".format( ptype, name ) self._log(WARNING, warning) if ptype != MSG_UNIMPLEMENTED: msg = Message() msg.add_byte(cMSG_UNIMPLEMENTED) msg.add_int(m.seqno) self._send_message(msg) self.packetizer.complete_handshake() except SSHException as e: self._log( ERROR, "Exception ({}): {}".format( "server" if self.server_mode else "client", e ), ) self._log(ERROR, util.tb_strings()) self.saved_exception = e except EOFError as e: self._log(DEBUG, "EOF in transport thread") self.saved_exception = e except socket.error as e: if type(e.args) is tuple: if e.args: emsg = "{} ({:d})".format(e.args[1], e.args[0]) else: # empty tuple, e.g. socket.timeout emsg = str(e) or repr(e) else: emsg = e.args self._log(ERROR, "Socket exception: " + emsg) self.saved_exception = e except Exception as e: self._log(ERROR, "Unknown exception: " + str(e)) self._log(ERROR, util.tb_strings()) self.saved_exception = e _active_threads.remove(self) for chan in list(self._channels.values()): chan._unlink() if self.active: self.active = False self.packetizer.close() if self.completion_event is not None: self.completion_event.set() if self.auth_handler is not None: self.auth_handler.abort() for event in self.channel_events.values(): event.set() try: self.lock.acquire() self.server_accept_cv.notify() finally: self.lock.release() self.sock.close() except: # Don't raise spurious 'NoneType has no attribute X' errors when we # wake up during interpreter shutdown. Or rather -- raise # everything if* sys.modules (used as a convenient sentinel) # appears to still exist. if self.sys.modules is not None: raise def _log_agreement(self, which, local, remote): # Log useful, non-duplicative line re: an agreed-upon algorithm. # Old code implied algorithms could be asymmetrical (different for # inbound vs outbound) so we preserve that possibility. msg = "{}: ".format(which) if local == remote: msg += local else: msg += "local={}, remote={}".format(local, remote) self._log(DEBUG, msg) # protocol stages def _negotiate_keys(self, m): # throws SSHException on anything unusual self.clear_to_send_lock.acquire() try: self.clear_to_send.clear() finally: self.clear_to_send_lock.release() if self.local_kex_init is None: # remote side wants to renegotiate self._send_kex_init() self._parse_kex_init(m) self.kex_engine.start_kex() def _check_banner(self): # this is slow, but we only have to do it once for i in range(100): # give them 15 seconds for the first line, then just 2 seconds # each additional line. (some sites have very high latency.) if i == 0: timeout = self.banner_timeout else: timeout = 2 try: buf = self.packetizer.readline(timeout) except ProxyCommandFailure: raise except Exception as e: raise SSHException( "Error reading SSH protocol banner" + str(e) ) if buf[:4] == "SSH-": break self._log(DEBUG, "Banner: " + buf) if buf[:4] != "SSH-": raise SSHException('Indecipherable protocol version "' + buf + '"') # save this server version string for later self.remote_version = buf self._log(DEBUG, "Remote version/idstring: {}".format(buf)) # pull off any attached comment # NOTE: comment used to be stored in a variable and then...never used. # since 2003. ca 877cd974b8182d26fa76d566072917ea67b64e67 i = buf.find(" ") if i >= 0: buf = buf[:i] # parse out version string and make sure it matches segs = buf.split("-", 2) if len(segs) < 3: raise SSHException("Invalid SSH banner") version = segs[1] client = segs[2] if version != "1.99" and version != "2.0": msg = "Incompatible version ({} instead of 2.0)" raise IncompatiblePeer(msg.format(version)) msg = "Connected (version {}, client {})".format(version, client) self._log(INFO, msg) def _send_kex_init(self): """ announce to the other side that we'd like to negotiate keys, and what kind of key negotiation we support. """ self.clear_to_send_lock.acquire() try: self.clear_to_send.clear() finally: self.clear_to_send_lock.release() self.gss_kex_used = False self.in_kex = True kex_algos = list(self.preferred_kex) if self.server_mode: mp_required_prefix = "diffie-hellman-group-exchange-sha" kex_mp = [k for k in kex_algos if k.startswith(mp_required_prefix)] if (self._modulus_pack is None) and (len(kex_mp) > 0): # can't do group-exchange if we don't have a pack of potential # primes pkex = [ k for k in self.get_security_options().kex if not k.startswith(mp_required_prefix) ] self.get_security_options().kex = pkex available_server_keys = list( filter( list(self.server_key_dict.keys()).__contains__, # TODO: ensure tests will catch if somebody streamlines # this by mistake - case is the admittedly silly one where # the only calls to add_server_key() contain keys which # were filtered out of the below via disabled_algorithms. # If this is streamlined, we would then be allowing the # disabled algorithm(s) for hostkey use # TODO: honestly this prob just wants to get thrown out # when we make kex configuration more straightforward self.preferred_keys, ) ) else: available_server_keys = self.preferred_keys # Signal support for MSG_EXT_INFO so server will send it to us. # NOTE: doing this here handily means we don't even consider this # value when agreeing on real kex algo to use (which is a common # pitfall when adding this apparently). kex_algos.append("ext-info-c") # Similar to ext-info, but used in both server modes, so done outside # of above if/else. if self.advertise_strict_kex: which = "s" if self.server_mode else "c" kex_algos.append(f"kex-strict-{which}-v00@openssh.com") m = Message() m.add_byte(cMSG_KEXINIT) m.add_bytes(os.urandom(16)) m.add_list(kex_algos) m.add_list(available_server_keys) m.add_list(self.preferred_ciphers) m.add_list(self.preferred_ciphers) m.add_list(self.preferred_macs) m.add_list(self.preferred_macs) m.add_list(self.preferred_compression) m.add_list(self.preferred_compression) m.add_string(bytes()) m.add_string(bytes()) m.add_boolean(False) m.add_int(0) # save a copy for later (needed to compute a hash) self.local_kex_init = self._latest_kex_init = m.asbytes() self._send_message(m) def _really_parse_kex_init(self, m, ignore_first_byte=False): parsed = {} if ignore_first_byte: m.get_byte() m.get_bytes(16) # cookie, discarded parsed["kex_algo_list"] = m.get_list() parsed["server_key_algo_list"] = m.get_list() parsed["client_encrypt_algo_list"] = m.get_list() parsed["server_encrypt_algo_list"] = m.get_list() parsed["client_mac_algo_list"] = m.get_list() parsed["server_mac_algo_list"] = m.get_list() parsed["client_compress_algo_list"] = m.get_list() parsed["server_compress_algo_list"] = m.get_list() parsed["client_lang_list"] = m.get_list() parsed["server_lang_list"] = m.get_list() parsed["kex_follows"] = m.get_boolean() m.get_int() # unused return parsed def _get_latest_kex_init(self): return self._really_parse_kex_init( Message(self._latest_kex_init), ignore_first_byte=True, ) def _parse_kex_init(self, m): parsed = self._really_parse_kex_init(m) kex_algo_list = parsed["kex_algo_list"] server_key_algo_list = parsed["server_key_algo_list"] client_encrypt_algo_list = parsed["client_encrypt_algo_list"] server_encrypt_algo_list = parsed["server_encrypt_algo_list"] client_mac_algo_list = parsed["client_mac_algo_list"] server_mac_algo_list = parsed["server_mac_algo_list"] client_compress_algo_list = parsed["client_compress_algo_list"] server_compress_algo_list = parsed["server_compress_algo_list"] client_lang_list = parsed["client_lang_list"] server_lang_list = parsed["server_lang_list"] kex_follows = parsed["kex_follows"] self._log(DEBUG, "=== Key exchange possibilities ===") for prefix, value in ( ("kex algos", kex_algo_list), ("server key", server_key_algo_list), # TODO: shouldn't these two lines say "cipher" to match usual # terminology (including elsewhere in paramiko!)? ("client encrypt", client_encrypt_algo_list), ("server encrypt", server_encrypt_algo_list), ("client mac", client_mac_algo_list), ("server mac", server_mac_algo_list), ("client compress", client_compress_algo_list), ("server compress", server_compress_algo_list), ("client lang", client_lang_list), ("server lang", server_lang_list), ): if value == [""]: value = ["<none>"] value = ", ".join(value) self._log(DEBUG, "{}: {}".format(prefix, value)) self._log(DEBUG, "kex follows: {}".format(kex_follows)) self._log(DEBUG, "=== Key exchange agreements ===") # Record, and strip out, ext-info and/or strict-kex non-algorithms self._remote_ext_info = None self._remote_strict_kex = None to_pop = [] for i, algo in enumerate(kex_algo_list): if algo.startswith("ext-info-"): self._remote_ext_info = algo to_pop.insert(0, i) elif algo.startswith("kex-strict-"): # NOTE: this is what we are expecting from the /remote/ end. which = "c" if self.server_mode else "s" expected = f"kex-strict-{which}-v00@openssh.com" # Set strict mode if agreed. self.agreed_on_strict_kex = ( algo == expected and self.advertise_strict_kex ) self._log( DEBUG, f"Strict kex mode: {self.agreed_on_strict_kex}" ) to_pop.insert(0, i) for i in to_pop: kex_algo_list.pop(i) # CVE mitigation: expect zeroed-out seqno anytime we are performing kex # init phase, if strict mode was negotiated. if ( self.agreed_on_strict_kex and not self.initial_kex_done and m.seqno != 0 ): raise MessageOrderError( "In strict-kex mode, but KEXINIT was not the first packet!" ) # as a server, we pick the first item in the client's list that we # support. # as a client, we pick the first item in our list that the server # supports. if self.server_mode: agreed_kex = list( filter(self.preferred_kex.__contains__, kex_algo_list) ) else: agreed_kex = list( filter(kex_algo_list.__contains__, self.preferred_kex) ) if len(agreed_kex) == 0: # TODO: do an auth-overhaul style aggregate exception here? # TODO: would let us streamline log output & show all failures up # front raise IncompatiblePeer( "Incompatible ssh peer (no acceptable kex algorithm)" ) # noqa self.kex_engine = self._kex_info[agreed_kex[0]](self) self._log(DEBUG, "Kex: {}".format(agreed_kex[0])) if self.server_mode: available_server_keys = list( filter( list(self.server_key_dict.keys()).__contains__, self.preferred_keys, ) ) agreed_keys = list( filter( available_server_keys.__contains__, server_key_algo_list ) ) else: agreed_keys = list( filter(server_key_algo_list.__contains__, self.preferred_keys) ) if len(agreed_keys) == 0: raise IncompatiblePeer( "Incompatible ssh peer (no acceptable host key)" ) # noqa self.host_key_type = agreed_keys[0] if self.server_mode and (self.get_server_key() is None): raise IncompatiblePeer( "Incompatible ssh peer (can't match requested host key type)" ) # noqa self._log_agreement("HostKey", agreed_keys[0], agreed_keys[0]) if self.server_mode: agreed_local_ciphers = list( filter( self.preferred_ciphers.__contains__, server_encrypt_algo_list, ) ) agreed_remote_ciphers = list( filter( self.preferred_ciphers.__contains__, client_encrypt_algo_list, ) ) else: agreed_local_ciphers = list( filter( client_encrypt_algo_list.__contains__, self.preferred_ciphers, ) ) agreed_remote_ciphers = list( filter( server_encrypt_algo_list.__contains__, self.preferred_ciphers, ) ) if len(agreed_local_ciphers) == 0 or len(agreed_remote_ciphers) == 0: raise IncompatiblePeer( "Incompatible ssh server (no acceptable ciphers)" ) # noqa self.local_cipher = agreed_local_ciphers[0] self.remote_cipher = agreed_remote_ciphers[0] self._log_agreement( "Cipher", local=self.local_cipher, remote=self.remote_cipher ) if self.server_mode: agreed_remote_macs = list( filter(self.preferred_macs.__contains__, client_mac_algo_list) ) agreed_local_macs = list( filter(self.preferred_macs.__contains__, server_mac_algo_list) ) else: agreed_local_macs = list( filter(client_mac_algo_list.__contains__, self.preferred_macs) ) agreed_remote_macs = list( filter(server_mac_algo_list.__contains__, self.preferred_macs) ) if (len(agreed_local_macs) == 0) or (len(agreed_remote_macs) == 0): raise IncompatiblePeer( "Incompatible ssh server (no acceptable macs)" ) self.local_mac = agreed_local_macs[0] self.remote_mac = agreed_remote_macs[0] self._log_agreement( "MAC", local=self.local_mac, remote=self.remote_mac ) if self.server_mode: agreed_remote_compression = list( filter( self.preferred_compression.__contains__, client_compress_algo_list, ) ) agreed_local_compression = list( filter( self.preferred_compression.__contains__, server_compress_algo_list, ) ) else: agreed_local_compression = list( filter( client_compress_algo_list.__contains__, self.preferred_compression, ) ) agreed_remote_compression = list( filter( server_compress_algo_list.__contains__, self.preferred_compression, ) ) if ( len(agreed_local_compression) == 0 or len(agreed_remote_compression) == 0 ): msg = "Incompatible ssh server (no acceptable compression)" msg += " {!r} {!r} {!r}" raise IncompatiblePeer( msg.format( agreed_local_compression, agreed_remote_compression, self.preferred_compression, ) ) self.local_compression = agreed_local_compression[0] self.remote_compression = agreed_remote_compression[0] self._log_agreement( "Compression", local=self.local_compression, remote=self.remote_compression, ) self._log(DEBUG, "=== End of kex handshake ===") # save for computing hash later... # now wait! openssh has a bug (and others might too) where there are # actually some extra bytes (one NUL byte in openssh's case) added to # the end of the packet but not parsed. turns out we need to throw # away those bytes because they aren't part of the hash. self.remote_kex_init = cMSG_KEXINIT + m.get_so_far() def _activate_inbound(self): """switch on newly negotiated encryption parameters for inbound traffic""" block_size = self._cipher_info[self.remote_cipher]["block-size"] if self.server_mode: IV_in = self._compute_key("A", block_size) key_in = self._compute_key( "C", self._cipher_info[self.remote_cipher]["key-size"] ) else: IV_in = self._compute_key("B", block_size) key_in = self._compute_key( "D", self._cipher_info[self.remote_cipher]["key-size"] ) engine = self._get_cipher( self.remote_cipher, key_in, IV_in, self._DECRYPT ) etm = "etm@openssh.com" in self.remote_mac mac_size = self._mac_info[self.remote_mac]["size"] mac_engine = self._mac_info[self.remote_mac]["class"] # initial mac keys are done in the hash's natural size (not the # potentially truncated transmission size) if self.server_mode: mac_key = self._compute_key("E", mac_engine().digest_size) else: mac_key = self._compute_key("F", mac_engine().digest_size) self.packetizer.set_inbound_cipher( engine, block_size, mac_engine, mac_size, mac_key, etm=etm ) compress_in = self._compression_info[self.remote_compression][1] if compress_in is not None and ( self.remote_compression != "zlib@openssh.com" or self.authenticated ): self._log(DEBUG, "Switching on inbound compression ...") self.packetizer.set_inbound_compressor(compress_in()) # Reset inbound sequence number if strict mode. if self.agreed_on_strict_kex: self._log( DEBUG, "Resetting inbound seqno after NEWKEYS due to strict mode", ) self.packetizer.reset_seqno_in() def _activate_outbound(self): """switch on newly negotiated encryption parameters for outbound traffic""" m = Message() m.add_byte(cMSG_NEWKEYS) self._send_message(m) # Reset outbound sequence number if strict mode. if self.agreed_on_strict_kex: self._log( DEBUG, "Resetting outbound seqno after NEWKEYS due to strict mode", ) self.packetizer.reset_seqno_out() block_size = self._cipher_info[self.local_cipher]["block-size"] if self.server_mode: IV_out = self._compute_key("B", block_size) key_out = self._compute_key( "D", self._cipher_info[self.local_cipher]["key-size"] ) else: IV_out = self._compute_key("A", block_size) key_out = self._compute_key( "C", self._cipher_info[self.local_cipher]["key-size"] ) engine = self._get_cipher( self.local_cipher, key_out, IV_out, self._ENCRYPT ) etm = "etm@openssh.com" in self.local_mac mac_size = self._mac_info[self.local_mac]["size"] mac_engine = self._mac_info[self.local_mac]["class"] # initial mac keys are done in the hash's natural size (not the # potentially truncated transmission size) if self.server_mode: mac_key = self._compute_key("F", mac_engine().digest_size) else: mac_key = self._compute_key("E", mac_engine().digest_size) sdctr = self.local_cipher.endswith("-ctr") self.packetizer.set_outbound_cipher( engine, block_size, mac_engine, mac_size, mac_key, sdctr, etm=etm ) compress_out = self._compression_info[self.local_compression][0] if compress_out is not None and ( self.local_compression != "zlib@openssh.com" or self.authenticated ): self._log(DEBUG, "Switching on outbound compression ...") self.packetizer.set_outbound_compressor(compress_out()) if not self.packetizer.need_rekey(): self.in_kex = False # If client indicated extension support, send that packet immediately if ( self.server_mode and self.server_sig_algs and self._remote_ext_info == "ext-info-c" ): extensions = {"server-sig-algs": ",".join(self.preferred_pubkeys)} m = Message() m.add_byte(cMSG_EXT_INFO) m.add_int(len(extensions)) for name, value in sorted(extensions.items()): m.add_string(name) m.add_string(value) self._send_message(m) # we always expect to receive NEWKEYS now self._expect_packet(MSG_NEWKEYS) def _auth_trigger(self): self.authenticated = True # delayed initiation of compression if self.local_compression == "zlib@openssh.com": compress_out = self._compression_info[self.local_compression][0] self._log(DEBUG, "Switching on outbound compression ...") self.packetizer.set_outbound_compressor(compress_out()) if self.remote_compression == "zlib@openssh.com": compress_in = self._compression_info[self.remote_compression][1] self._log(DEBUG, "Switching on inbound compression ...") self.packetizer.set_inbound_compressor(compress_in()) def _parse_ext_info(self, msg): # Packet is a count followed by that many key-string to possibly-bytes # pairs. extensions = {} for _ in range(msg.get_int()): name = msg.get_text() value = msg.get_string() extensions[name] = value self._log(DEBUG, "Got EXT_INFO: {}".format(extensions)) # NOTE: this should work ok in cases where a server sends /two/ such # messages; the RFC explicitly states a 2nd one should overwrite the # 1st. self.server_extensions = extensions def _parse_newkeys(self, m): self._log(DEBUG, "Switch to new keys ...") self._activate_inbound() # can also free a bunch of stuff here self.local_kex_init = self.remote_kex_init = None self.K = None self.kex_engine = None if self.server_mode and (self.auth_handler is None): # create auth handler for server mode self.auth_handler = AuthHandler(self) if not self.initial_kex_done: # this was the first key exchange # (also signal to packetizer as it sometimes wants to know this # status as well, eg when seqnos rollover) self.initial_kex_done = self.packetizer._initial_kex_done = True # send an event? if self.completion_event is not None: self.completion_event.set() # it's now okay to send data again (if this was a re-key) if not self.packetizer.need_rekey(): self.in_kex = False self.clear_to_send_lock.acquire() try: self.clear_to_send.set() finally: self.clear_to_send_lock.release() return def _parse_disconnect(self, m): code = m.get_int() desc = m.get_text() self._log(INFO, "Disconnect (code {:d}): {}".format(code, desc)) def _parse_global_request(self, m): kind = m.get_text() self._log(DEBUG, 'Received global request "{}"'.format(kind)) want_reply = m.get_boolean() if not self.server_mode: self._log( DEBUG, 'Rejecting "{}" global request from server.'.format(kind), ) ok = False elif kind == "tcpip-forward": address = m.get_text() port = m.get_int() ok = self.server_object.check_port_forward_request(address, port) if ok: ok = (ok,) elif kind == "cancel-tcpip-forward": address = m.get_text() port = m.get_int() self.server_object.cancel_port_forward_request(address, port) ok = True else: ok = self.server_object.check_global_request(kind, m) extra = () if type(ok) is tuple: extra = ok ok = True if want_reply: msg = Message() if ok: msg.add_byte(cMSG_REQUEST_SUCCESS) msg.add(extra) else: msg.add_byte(cMSG_REQUEST_FAILURE) self._send_message(msg) def _parse_request_success(self, m): self._log(DEBUG, "Global request successful.") self.global_response = m if self.completion_event is not None: self.completion_event.set() def _parse_request_failure(self, m): self._log(DEBUG, "Global request denied.") self.global_response = None if self.completion_event is not None: self.completion_event.set() def _parse_channel_open_success(self, m): chanid = m.get_int() server_chanid = m.get_int() server_window_size = m.get_int() server_max_packet_size = m.get_int() chan = self._channels.get(chanid) if chan is None: self._log(WARNING, "Success for unrequested channel! [??]") return self.lock.acquire() try: chan._set_remote_channel( server_chanid, server_window_size, server_max_packet_size ) self._log(DEBUG, "Secsh channel {:d} opened.".format(chanid)) if chanid in self.channel_events: self.channel_events[chanid].set() del self.channel_events[chanid] finally: self.lock.release() return def _parse_channel_open_failure(self, m): chanid = m.get_int() reason = m.get_int() reason_str = m.get_text() m.get_text() # ignored language reason_text = CONNECTION_FAILED_CODE.get(reason, "(unknown code)") self._log( ERROR, "Secsh channel {:d} open FAILED: {}: {}".format( chanid, reason_str, reason_text ), ) self.lock.acquire() try: self.saved_exception = ChannelException(reason, reason_text) if chanid in self.channel_events: self._channels.delete(chanid) if chanid in self.channel_events: self.channel_events[chanid].set() del self.channel_events[chanid] finally: self.lock.release() return def _parse_channel_open(self, m): kind = m.get_text() chanid = m.get_int() initial_window_size = m.get_int() max_packet_size = m.get_int() reject = False if ( kind == "auth-agent@openssh.com" and self._forward_agent_handler is not None ): self._log(DEBUG, "Incoming forward agent connection") self.lock.acquire() try: my_chanid = self._next_channel() finally: self.lock.release() elif (kind == "x11") and (self._x11_handler is not None): origin_addr = m.get_text() origin_port = m.get_int() self._log( DEBUG, "Incoming x11 connection from {}:{:d}".format( origin_addr, origin_port ), ) self.lock.acquire() try: my_chanid = self._next_channel() finally: self.lock.release() elif (kind == "forwarded-tcpip") and (self._tcp_handler is not None): server_addr = m.get_text() server_port = m.get_int() origin_addr = m.get_text() origin_port = m.get_int() self._log( DEBUG, "Incoming tcp forwarded connection from {}:{:d}".format( origin_addr, origin_port ), ) self.lock.acquire() try: my_chanid = self._next_channel() finally: self.lock.release() elif not self.server_mode: self._log( DEBUG, 'Rejecting "{}" channel request from server.'.format(kind), ) reject = True reason = OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED else: self.lock.acquire() try: my_chanid = self._next_channel() finally: self.lock.release() if kind == "direct-tcpip": # handle direct-tcpip requests coming from the client dest_addr = m.get_text() dest_port = m.get_int() origin_addr = m.get_text() origin_port = m.get_int() reason = self.server_object.check_channel_direct_tcpip_request( my_chanid, (origin_addr, origin_port), (dest_addr, dest_port), ) else: reason = self.server_object.check_channel_request( kind, my_chanid ) if reason != OPEN_SUCCEEDED: self._log( DEBUG, 'Rejecting "{}" channel request from client.'.format(kind), ) reject = True if reject: msg = Message() msg.add_byte(cMSG_CHANNEL_OPEN_FAILURE) msg.add_int(chanid) msg.add_int(reason) msg.add_string("") msg.add_string("en") self._send_message(msg) return chan = Channel(my_chanid) self.lock.acquire() try: self._channels.put(my_chanid, chan) self.channels_seen[my_chanid] = True chan._set_transport(self) chan._set_window( self.default_window_size, self.default_max_packet_size ) chan._set_remote_channel( chanid, initial_window_size, max_packet_size ) finally: self.lock.release() m = Message() m.add_byte(cMSG_CHANNEL_OPEN_SUCCESS) m.add_int(chanid) m.add_int(my_chanid) m.add_int(self.default_window_size) m.add_int(self.default_max_packet_size) self._send_message(m) self._log( DEBUG, "Secsh channel {:d} ({}) opened.".format(my_chanid, kind) ) if kind == "auth-agent@openssh.com": self._forward_agent_handler(chan) elif kind == "x11": self._x11_handler(chan, (origin_addr, origin_port)) elif kind == "forwarded-tcpip": chan.origin_addr = (origin_addr, origin_port) self._tcp_handler( chan, (origin_addr, origin_port), (server_addr, server_port) ) else: self._queue_incoming_channel(chan) def _parse_debug(self, m): m.get_boolean() # always_display msg = m.get_string() m.get_string() # language self._log(DEBUG, "Debug msg: {}".format(util.safe_string(msg))) def _get_subsystem_handler(self, name): try: self.lock.acquire() if name not in self.subsystem_table: return None, [], {} return self.subsystem_table[name] finally: self.lock.release() _channel_handler_table = { MSG_CHANNEL_SUCCESS: Channel._request_success, MSG_CHANNEL_FAILURE: Channel._request_failed, MSG_CHANNEL_DATA: Channel._feed, MSG_CHANNEL_EXTENDED_DATA: Channel._feed_extended, MSG_CHANNEL_WINDOW_ADJUST: Channel._window_adjust, MSG_CHANNEL_REQUEST: Channel._handle_request, MSG_CHANNEL_EOF: Channel._handle_eof, MSG_CHANNEL_CLOSE: Channel._handle_close, } # TODO 4.0: drop this, we barely use it ourselves, it badly replicates the # Transport-internal algorithm management, AND does so in a way which doesn't # honor newer things like disabled_algorithms! class SecurityOptions: """ Simple object containing the security preferences of an ssh transport. These are tuples of acceptable ciphers, digests, key types, and key exchange algorithms, listed in order of preference. Changing the contents and/or order of these fields affects the underlying `.Transport` (but only if you change them before starting the session). If you try to add an algorithm that paramiko doesn't recognize, ``ValueError`` will be raised. If you try to assign something besides a tuple to one of the fields, ``TypeError`` will be raised. """ __slots__ = "_transport" def __init__(self, transport): self._transport = transport def __repr__(self): """ Returns a string representation of this object, for debugging. """ return "<paramiko.SecurityOptions for {!r}>".format(self._transport) def _set(self, name, orig, x): if type(x) is list: x = tuple(x) if type(x) is not tuple: raise TypeError("expected tuple or list") possible = list(getattr(self._transport, orig).keys()) forbidden = [n for n in x if n not in possible] if len(forbidden) > 0: raise ValueError("unknown cipher") setattr(self._transport, name, x) @property def ciphers(self): """Symmetric encryption ciphers""" return self._transport._preferred_ciphers @ciphers.setter def ciphers(self, x): self._set("_preferred_ciphers", "_cipher_info", x) @property def digests(self): """Digest (one-way hash) algorithms""" return self._transport._preferred_macs @digests.setter def digests(self, x): self._set("_preferred_macs", "_mac_info", x) @property def key_types(self): """Public-key algorithms""" return self._transport._preferred_keys @key_types.setter def key_types(self, x): self._set("_preferred_keys", "_key_info", x) @property def kex(self): """Key exchange algorithms""" return self._transport._preferred_kex @kex.setter def kex(self, x): self._set("_preferred_kex", "_kex_info", x) @property def compression(self): """Compression algorithms""" return self._transport._preferred_compression @compression.setter def compression(self, x): self._set("_preferred_compression", "_compression_info", x) class ChannelMap: def __init__(self): # (id -> Channel) self._map = weakref.WeakValueDictionary() self._lock = threading.Lock() def put(self, chanid, chan): self._lock.acquire() try: self._map[chanid] = chan finally: self._lock.release() def get(self, chanid): self._lock.acquire() try: return self._map.get(chanid, None) finally: self._lock.release() def delete(self, chanid): self._lock.acquire() try: try: del self._map[chanid] except KeyError: pass finally: self._lock.release() def values(self): self._lock.acquire() try: return list(self._map.values()) finally: self._lock.release() def __len__(self): self._lock.acquire() try: return len(self._map) finally: self._lock.release() class ServiceRequestingTransport(Transport): """ Transport, but also handling service requests, like it oughtta! .. versionadded:: 3.2 """ # NOTE: this purposefully duplicates some of the parent class in order to # modernize, refactor, etc. The intent is that eventually we will collapse # this one onto the parent in a backwards incompatible release. def __init__(self, args, *kwargs): super().__init__(args, *kwargs) self._service_userauth_accepted = False self._handler_table[MSG_SERVICE_ACCEPT] = self._parse_service_accept def _parse_service_accept(self, m): service = m.get_text() # Short-circuit for any service name not ssh-userauth. # NOTE: it's technically possible for 'service name' in # SERVICE_REQUEST/ACCEPT messages to be "ssh-connection" -- # but I don't see evidence of Paramiko ever initiating or expecting to # receive one of these. We /do/ see the 'service name' field in # MSG_USERAUTH_REQUEST/ACCEPT/FAILURE set to this string, but that is a # different set of handlers, so...! if service != "ssh-userauth": # TODO 4.0: consider erroring here (with an ability to opt out?) # instead as it probably means something went Very Wrong. self._log( DEBUG, 'Service request "{}" accepted (?)'.format(service) ) return # Record that we saw a service-userauth acceptance, meaning we are free # to submit auth requests. self._service_userauth_accepted = True self._log(DEBUG, "MSG_SERVICE_ACCEPT received; auth may begin") def ensure_session(self): # Make sure we're not trying to auth on a not-yet-open or # already-closed transport session; that's our responsibility, not that # of AuthHandler. if (not self.active) or (not self.initial_kex_done): # TODO: better error message? this can happen in many places, eg # user error (authing before connecting) or developer error (some # improperly handled pre/mid auth shutdown didn't become fatal # enough). The latter is much more common & should ideally be fixed # by terminating things harder? raise SSHException("No existing session") # Also make sure we've actually been told we are allowed to auth. if self._service_userauth_accepted: return # Or request to do so, otherwise. m = Message() m.add_byte(cMSG_SERVICE_REQUEST) m.add_string("ssh-userauth") self._log(DEBUG, "Sending MSG_SERVICE_REQUEST: ssh-userauth") self._send_message(m) # Now we wait to hear back; the user is expecting a blocking-style auth # request so there's no point giving control back anywhere. while not self._service_userauth_accepted: # TODO: feels like we're missing an AuthHandler Event like # 'self.auth_event' which is set when AuthHandler shuts down in # ways good AND bad. Transport only seems to have completion_event # which is unclear re: intent, eg it's set by newkeys which always # happens on connection, so it'll always be set by the time we get # here. # NOTE: this copies the timing of event.wait() in # AuthHandler.wait_for_response, re: 1/10 of a second. Could # presumably be smaller, but seems unlikely this period is going to # be "too long" for any code doing ssh networking... time.sleep(0.1) self.auth_handler = self.get_auth_handler() def get_auth_handler(self): # NOTE: using new sibling subclass instead of classic AuthHandler return AuthOnlyHandler(self) def auth_none(self, username): # TODO 4.0: merge to parent, preserving (most of) docstring self.ensure_session() return self.auth_handler.auth_none(username) def auth_password(self, username, password, fallback=True): # TODO 4.0: merge to parent, preserving (most of) docstring self.ensure_session() try: return self.auth_handler.auth_password(username, password) except BadAuthenticationType as e: # if password auth isn't allowed, but keyboard-interactive is, # try to fudge it if not fallback or ("keyboard-interactive" not in e.allowed_types): raise try: def handler(title, instructions, fields): if len(fields) > 1: raise SSHException("Fallback authentication failed.") if len(fields) == 0: # for some reason, at least on os x, a 2nd request will # be made with zero fields requested. maybe it's just # to try to fake out automated scripting of the exact # type we're doing here. shrug* :) return [] return [password] return self.auth_interactive(username, handler) except SSHException: # attempt to fudge failed; just raise the original exception raise e def auth_publickey(self, username, key): # TODO 4.0: merge to parent, preserving (most of) docstring self.ensure_session() return self.auth_handler.auth_publickey(username, key) def auth_interactive(self, username, handler, submethods=""): # TODO 4.0: merge to parent, preserving (most of) docstring self.ensure_session() return self.auth_handler.auth_interactive( username, handler, submethods ) def auth_interactive_dumb(self, username, handler=None, submethods=""): # TODO 4.0: merge to parent, preserving (most of) docstring # NOTE: legacy impl omitted equiv of ensure_session since it just wraps # another call to an auth method. however we reinstate it for # consistency reasons. self.ensure_session() if not handler: def handler(title, instructions, prompt_list): answers = [] if title: print(title.strip()) if instructions: print(instructions.strip()) for prompt, show_input in prompt_list: print(prompt.strip(), end=" ") answers.append(input()) return answers return self.auth_interactive(username, handler, submethods) def auth_gssapi_with_mic(self, username, gss_host, gss_deleg_creds): # TODO 4.0: merge to parent, preserving (most of) docstring self.ensure_session() self.auth_handler = self.get_auth_handler() return self.auth_handler.auth_gssapi_with_mic( username, gss_host, gss_deleg_creds ) def auth_gssapi_keyex(self, username): # TODO 4.0: merge to parent, preserving (most of) docstring self.ensure_session() self.auth_handler = self.get_auth_handler() return self.auth_handler.auth_gssapi_keyex(username) ��packet.py��0000644��00000053325�15030210772�0006372 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Packet handling """ import errno import os import socket import struct import threading import time from hmac import HMAC from paramiko import util from paramiko.common import ( linefeed_byte, cr_byte_value, MSG_NAMES, DEBUG, xffffffff, zero_byte, byte_ord, ) from paramiko.util import u from paramiko.ssh_exception import SSHException, ProxyCommandFailure from paramiko.message import Message def compute_hmac(key, message, digest_class): return HMAC(key, message, digest_class).digest() class NeedRekeyException(Exception): """ Exception indicating a rekey is needed. """ pass def first_arg(e): arg = None if type(e.args) is tuple and len(e.args) > 0: arg = e.args[0] return arg class Packetizer: """ Implementation of the base SSH packet protocol. """ # READ the secsh RFC's before raising these values. if anything, # they should probably be lower. REKEY_PACKETS = pow(2, 29) REKEY_BYTES = pow(2, 29) # Allow receiving this many packets after a re-key request before # terminating REKEY_PACKETS_OVERFLOW_MAX = pow(2, 29) # Allow receiving this many bytes after a re-key request before terminating REKEY_BYTES_OVERFLOW_MAX = pow(2, 29) def __init__(self, socket): self.__socket = socket self.__logger = None self.__closed = False self.__dump_packets = False self.__need_rekey = False self.__init_count = 0 self.__remainder = bytes() self._initial_kex_done = False # used for noticing when to re-key: self.__sent_bytes = 0 self.__sent_packets = 0 self.__received_bytes = 0 self.__received_packets = 0 self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 # current inbound/outbound ciphering: self.__block_size_out = 8 self.__block_size_in = 8 self.__mac_size_out = 0 self.__mac_size_in = 0 self.__block_engine_out = None self.__block_engine_in = None self.__sdctr_out = False self.__mac_engine_out = None self.__mac_engine_in = None self.__mac_key_out = bytes() self.__mac_key_in = bytes() self.__compress_engine_out = None self.__compress_engine_in = None self.__sequence_number_out = 0 self.__sequence_number_in = 0 self.__etm_out = False self.__etm_in = False # lock around outbound writes (packet computation) self.__write_lock = threading.RLock() # keepalives: self.__keepalive_interval = 0 self.__keepalive_last = time.time() self.__keepalive_callback = None self.__timer = None self.__handshake_complete = False self.__timer_expired = False @property def closed(self): return self.__closed def reset_seqno_out(self): self.__sequence_number_out = 0 def reset_seqno_in(self): self.__sequence_number_in = 0 def set_log(self, log): """ Set the Python log object to use for logging. """ self.__logger = log def set_outbound_cipher( self, block_engine, block_size, mac_engine, mac_size, mac_key, sdctr=False, etm=False, ): """ Switch outbound data cipher. :param etm: Set encrypt-then-mac from OpenSSH """ self.__block_engine_out = block_engine self.__sdctr_out = sdctr self.__block_size_out = block_size self.__mac_engine_out = mac_engine self.__mac_size_out = mac_size self.__mac_key_out = mac_key self.__sent_bytes = 0 self.__sent_packets = 0 self.__etm_out = etm # wait until the reset happens in both directions before clearing # rekey flag self.__init_count \|= 1 if self.__init_count == 3: self.__init_count = 0 self.__need_rekey = False def set_inbound_cipher( self, block_engine, block_size, mac_engine, mac_size, mac_key, etm=False, ): """ Switch inbound data cipher. :param etm: Set encrypt-then-mac from OpenSSH """ self.__block_engine_in = block_engine self.__block_size_in = block_size self.__mac_engine_in = mac_engine self.__mac_size_in = mac_size self.__mac_key_in = mac_key self.__received_bytes = 0 self.__received_packets = 0 self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 self.__etm_in = etm # wait until the reset happens in both directions before clearing # rekey flag self.__init_count \|= 2 if self.__init_count == 3: self.__init_count = 0 self.__need_rekey = False def set_outbound_compressor(self, compressor): self.__compress_engine_out = compressor def set_inbound_compressor(self, compressor): self.__compress_engine_in = compressor def close(self): self.__closed = True self.__socket.close() def set_hexdump(self, hexdump): self.__dump_packets = hexdump def get_hexdump(self): return self.__dump_packets def get_mac_size_in(self): return self.__mac_size_in def get_mac_size_out(self): return self.__mac_size_out def need_rekey(self): """ Returns ``True`` if a new set of keys needs to be negotiated. This will be triggered during a packet read or write, so it should be checked after every read or write, or at least after every few. """ return self.__need_rekey def set_keepalive(self, interval, callback): """ Turn on/off the callback keepalive. If ``interval`` seconds pass with no data read from or written to the socket, the callback will be executed and the timer will be reset. """ self.__keepalive_interval = interval self.__keepalive_callback = callback self.__keepalive_last = time.time() def read_timer(self): self.__timer_expired = True def start_handshake(self, timeout): """ Tells `Packetizer` that the handshake process started. Starts a book keeping timer that can signal a timeout in the handshake process. :param float timeout: amount of seconds to wait before timing out """ if not self.__timer: self.__timer = threading.Timer(float(timeout), self.read_timer) self.__timer.start() def handshake_timed_out(self): """ Checks if the handshake has timed out. If `start_handshake` wasn't called before the call to this function, the return value will always be `False`. If the handshake completed before a timeout was reached, the return value will be `False` :return: handshake time out status, as a `bool` """ if not self.__timer: return False if self.__handshake_complete: return False return self.__timer_expired def complete_handshake(self): """ Tells `Packetizer` that the handshake has completed. """ if self.__timer: self.__timer.cancel() self.__timer_expired = False self.__handshake_complete = True def read_all(self, n, check_rekey=False): """ Read as close to N bytes as possible, blocking as long as necessary. :param int n: number of bytes to read :return: the data read, as a `str` :raises: ``EOFError`` -- if the socket was closed before all the bytes could be read """ out = bytes() # handle over-reading from reading the banner line if len(self.__remainder) > 0: out = self.__remainder[:n] self.__remainder = self.__remainder[n:] n -= len(out) while n > 0: got_timeout = False if self.handshake_timed_out(): raise EOFError() try: x = self.__socket.recv(n) if len(x) == 0: raise EOFError() out += x n -= len(x) except socket.timeout: got_timeout = True except socket.error as e: # on Linux, sometimes instead of socket.timeout, we get # EAGAIN. this is a bug in recent (> 2.6.9) kernels but # we need to work around it. arg = first_arg(e) if arg == errno.EAGAIN: got_timeout = True elif self.__closed: raise EOFError() else: raise if got_timeout: if self.__closed: raise EOFError() if check_rekey and (len(out) == 0) and self.__need_rekey: raise NeedRekeyException() self._check_keepalive() return out def write_all(self, out): self.__keepalive_last = time.time() iteration_with_zero_as_return_value = 0 while len(out) > 0: retry_write = False try: n = self.__socket.send(out) except socket.timeout: retry_write = True except socket.error as e: arg = first_arg(e) if arg == errno.EAGAIN: retry_write = True else: n = -1 except ProxyCommandFailure: raise # so it doesn't get swallowed by the below catchall except Exception: # could be: (32, 'Broken pipe') n = -1 if retry_write: n = 0 if self.__closed: n = -1 else: if n == 0 and iteration_with_zero_as_return_value > 10: # We shouldn't retry the write, but we didn't # manage to send anything over the socket. This might be an # indication that we have lost contact with the remote # side, but are yet to receive an EOFError or other socket # errors. Let's give it some iteration to try and catch up. n = -1 iteration_with_zero_as_return_value += 1 if n < 0: raise EOFError() if n == len(out): break out = out[n:] return def readline(self, timeout): """ Read a line from the socket. We assume no data is pending after the line, so it's okay to attempt large reads. """ buf = self.__remainder while linefeed_byte not in buf: buf += self._read_timeout(timeout) n = buf.index(linefeed_byte) self.__remainder = buf[n + 1 :] buf = buf[:n] if (len(buf) > 0) and (buf[-1] == cr_byte_value): buf = buf[:-1] return u(buf) def send_message(self, data): """ Write a block of data using the current cipher, as an SSH block. """ # encrypt this sucka data = data.asbytes() cmd = byte_ord(data[0]) if cmd in MSG_NAMES: cmd_name = MSG_NAMES[cmd] else: cmd_name = "${:x}".format(cmd) orig_len = len(data) self.__write_lock.acquire() try: if self.__compress_engine_out is not None: data = self.__compress_engine_out(data) packet = self._build_packet(data) if self.__dump_packets: self._log( DEBUG, "Write packet <{}>, length {}".format(cmd_name, orig_len), ) self._log(DEBUG, util.format_binary(packet, "OUT: ")) if self.__block_engine_out is not None: if self.__etm_out: # packet length is not encrypted in EtM out = packet[0:4] + self.__block_engine_out.update( packet[4:] ) else: out = self.__block_engine_out.update(packet) else: out = packet # + mac if self.__block_engine_out is not None: packed = struct.pack(">I", self.__sequence_number_out) payload = packed + (out if self.__etm_out else packet) out += compute_hmac( self.__mac_key_out, payload, self.__mac_engine_out )[: self.__mac_size_out] next_seq = (self.__sequence_number_out + 1) & xffffffff if next_seq == 0 and not self._initial_kex_done: raise SSHException( "Sequence number rolled over during initial kex!" ) self.__sequence_number_out = next_seq self.write_all(out) self.__sent_bytes += len(out) self.__sent_packets += 1 sent_too_much = ( self.__sent_packets >= self.REKEY_PACKETS or self.__sent_bytes >= self.REKEY_BYTES ) if sent_too_much and not self.__need_rekey: # only ask once for rekeying msg = "Rekeying (hit {} packets, {} bytes sent)" self._log( DEBUG, msg.format(self.__sent_packets, self.__sent_bytes) ) self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 self._trigger_rekey() finally: self.__write_lock.release() def read_message(self): """ Only one thread should ever be in this function (no other locking is done). :raises: `.SSHException` -- if the packet is mangled :raises: `.NeedRekeyException` -- if the transport should rekey """ header = self.read_all(self.__block_size_in, check_rekey=True) if self.__etm_in: packet_size = struct.unpack(">I", header[:4])[0] remaining = packet_size - self.__block_size_in + 4 packet = header[4:] + self.read_all(remaining, check_rekey=False) mac = self.read_all(self.__mac_size_in, check_rekey=False) mac_payload = ( struct.pack(">II", self.__sequence_number_in, packet_size) + packet ) my_mac = compute_hmac( self.__mac_key_in, mac_payload, self.__mac_engine_in )[: self.__mac_size_in] if not util.constant_time_bytes_eq(my_mac, mac): raise SSHException("Mismatched MAC") header = packet if self.__block_engine_in is not None: header = self.__block_engine_in.update(header) if self.__dump_packets: self._log(DEBUG, util.format_binary(header, "IN: ")) # When ETM is in play, we've already read the packet size & decrypted # everything, so just set the packet back to the header we obtained. if self.__etm_in: packet = header # Otherwise, use the older non-ETM logic else: packet_size = struct.unpack(">I", header[:4])[0] # leftover contains decrypted bytes from the first block (after the # length field) leftover = header[4:] if (packet_size - len(leftover)) % self.__block_size_in != 0: raise SSHException("Invalid packet blocking") buf = self.read_all( packet_size + self.__mac_size_in - len(leftover) ) packet = buf[: packet_size - len(leftover)] post_packet = buf[packet_size - len(leftover) :] if self.__block_engine_in is not None: packet = self.__block_engine_in.update(packet) packet = leftover + packet if self.__dump_packets: self._log(DEBUG, util.format_binary(packet, "IN: ")) if self.__mac_size_in > 0 and not self.__etm_in: mac = post_packet[: self.__mac_size_in] mac_payload = ( struct.pack(">II", self.__sequence_number_in, packet_size) + packet ) my_mac = compute_hmac( self.__mac_key_in, mac_payload, self.__mac_engine_in )[: self.__mac_size_in] if not util.constant_time_bytes_eq(my_mac, mac): raise SSHException("Mismatched MAC") padding = byte_ord(packet[0]) payload = packet[1 : packet_size - padding] if self.__dump_packets: self._log( DEBUG, "Got payload ({} bytes, {} padding)".format( packet_size, padding ), ) if self.__compress_engine_in is not None: payload = self.__compress_engine_in(payload) msg = Message(payload[1:]) msg.seqno = self.__sequence_number_in next_seq = (self.__sequence_number_in + 1) & xffffffff if next_seq == 0 and not self._initial_kex_done: raise SSHException( "Sequence number rolled over during initial kex!" ) self.__sequence_number_in = next_seq # check for rekey raw_packet_size = packet_size + self.__mac_size_in + 4 self.__received_bytes += raw_packet_size self.__received_packets += 1 if self.__need_rekey: # we've asked to rekey -- give them some packets to comply before # dropping the connection self.__received_bytes_overflow += raw_packet_size self.__received_packets_overflow += 1 if ( self.__received_packets_overflow >= self.REKEY_PACKETS_OVERFLOW_MAX ) or ( self.__received_bytes_overflow >= self.REKEY_BYTES_OVERFLOW_MAX ): raise SSHException( "Remote transport is ignoring rekey requests" ) elif (self.__received_packets >= self.REKEY_PACKETS) or ( self.__received_bytes >= self.REKEY_BYTES ): # only ask once for rekeying err = "Rekeying (hit {} packets, {} bytes received)" self._log( DEBUG, err.format(self.__received_packets, self.__received_bytes), ) self.__received_bytes_overflow = 0 self.__received_packets_overflow = 0 self._trigger_rekey() cmd = byte_ord(payload[0]) if cmd in MSG_NAMES: cmd_name = MSG_NAMES[cmd] else: cmd_name = "${:x}".format(cmd) if self.__dump_packets: self._log( DEBUG, "Read packet <{}>, length {}".format(cmd_name, len(payload)), ) return cmd, msg # ...protected... def _log(self, level, msg): if self.__logger is None: return if issubclass(type(msg), list): for m in msg: self.__logger.log(level, m) else: self.__logger.log(level, msg) def _check_keepalive(self): if ( not self.__keepalive_interval or not self.__block_engine_out or self.__need_rekey ): # wait till we're encrypting, and not in the middle of rekeying return now = time.time() if now > self.__keepalive_last + self.__keepalive_interval: self.__keepalive_callback() self.__keepalive_last = now def _read_timeout(self, timeout): start = time.time() while True: try: x = self.__socket.recv(128) if len(x) == 0: raise EOFError() break except socket.timeout: pass if self.__closed: raise EOFError() now = time.time() if now - start >= timeout: raise socket.timeout() return x def _build_packet(self, payload): # pad up at least 4 bytes, to nearest block-size (usually 8) bsize = self.__block_size_out # do not include payload length in computations for padding in EtM mode # (payload length won't be encrypted) addlen = 4 if self.__etm_out else 8 padding = 3 + bsize - ((len(payload) + addlen) % bsize) packet = struct.pack(">IB", len(payload) + padding + 1, padding) packet += payload if self.__sdctr_out or self.__block_engine_out is None: # cute trick i caught openssh doing: if we're not encrypting or # SDCTR mode (RFC4344), # don't waste random bytes for the padding packet += zero_byte * padding else: packet += os.urandom(padding) return packet def _trigger_rekey(self): # outside code should check for this flag self.__need_rekey = True ��kex_group14.py��0000644��00000003451�15030210772�0007266 0��ustar�00��# Copyright (C) 2013 Torsten Landschoff <torsten@debian.org> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Standard SSH key exchange ("kex" if you wanna sound cool). Diffie-Hellman of 2048 bit key halves, using a known "p" prime and "g" generator. """ from paramiko.kex_group1 import KexGroup1 from hashlib import sha1, sha256 class KexGroup14(KexGroup1): # http://tools.ietf.org/html/rfc3526#section-3 P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF # noqa G = 2 name = "diffie-hellman-group14-sha1" hash_algo = sha1 class KexGroup14SHA256(KexGroup14): name = "diffie-hellman-group14-sha256" hash_algo = sha256 ��dsskey.py��0000644��00000020070�15030210772�0006414 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ DSS keys. """ from cryptography.exceptions import InvalidSignature from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa from cryptography.hazmat.primitives.asymmetric.utils import ( decode_dss_signature, encode_dss_signature, ) from paramiko import util from paramiko.common import zero_byte from paramiko.ssh_exception import SSHException from paramiko.message import Message from paramiko.ber import BER, BERException from paramiko.pkey import PKey class DSSKey(PKey): """ Representation of a DSS key which can be used to sign an verify SSH2 data. """ name = "ssh-dss" def __init__( self, msg=None, data=None, filename=None, password=None, vals=None, file_obj=None, ): self.p = None self.q = None self.g = None self.y = None self.x = None self.public_blob = None if file_obj is not None: self._from_private_key(file_obj, password) return if filename is not None: self._from_private_key_file(filename, password) return if (msg is None) and (data is not None): msg = Message(data) if vals is not None: self.p, self.q, self.g, self.y = vals else: self._check_type_and_load_cert( msg=msg, key_type=self.name, cert_type=f"{self.name}-cert-v01@openssh.com", ) self.p = msg.get_mpint() self.q = msg.get_mpint() self.g = msg.get_mpint() self.y = msg.get_mpint() self.size = util.bit_length(self.p) def asbytes(self): m = Message() m.add_string(self.name) m.add_mpint(self.p) m.add_mpint(self.q) m.add_mpint(self.g) m.add_mpint(self.y) return m.asbytes() def __str__(self): return self.asbytes() @property def _fields(self): return (self.get_name(), self.p, self.q, self.g, self.y) # TODO 4.0: remove def get_name(self): return self.name def get_bits(self): return self.size def can_sign(self): return self.x is not None def sign_ssh_data(self, data, algorithm=None): key = dsa.DSAPrivateNumbers( x=self.x, public_numbers=dsa.DSAPublicNumbers( y=self.y, parameter_numbers=dsa.DSAParameterNumbers( p=self.p, q=self.q, g=self.g ), ), ).private_key(backend=default_backend()) sig = key.sign(data, hashes.SHA1()) r, s = decode_dss_signature(sig) m = Message() m.add_string(self.name) # apparently, in rare cases, r or s may be shorter than 20 bytes! rstr = util.deflate_long(r, 0) sstr = util.deflate_long(s, 0) if len(rstr) < 20: rstr = zero_byte * (20 - len(rstr)) + rstr if len(sstr) < 20: sstr = zero_byte * (20 - len(sstr)) + sstr m.add_string(rstr + sstr) return m def verify_ssh_sig(self, data, msg): if len(msg.asbytes()) == 40: # spies.com bug: signature has no header sig = msg.asbytes() else: kind = msg.get_text() if kind != self.name: return 0 sig = msg.get_binary() # pull out (r, s) which are NOT encoded as mpints sigR = util.inflate_long(sig[:20], 1) sigS = util.inflate_long(sig[20:], 1) signature = encode_dss_signature(sigR, sigS) key = dsa.DSAPublicNumbers( y=self.y, parameter_numbers=dsa.DSAParameterNumbers( p=self.p, q=self.q, g=self.g ), ).public_key(backend=default_backend()) try: key.verify(signature, data, hashes.SHA1()) except InvalidSignature: return False else: return True def write_private_key_file(self, filename, password=None): key = dsa.DSAPrivateNumbers( x=self.x, public_numbers=dsa.DSAPublicNumbers( y=self.y, parameter_numbers=dsa.DSAParameterNumbers( p=self.p, q=self.q, g=self.g ), ), ).private_key(backend=default_backend()) self._write_private_key_file( filename, key, serialization.PrivateFormat.TraditionalOpenSSL, password=password, ) def write_private_key(self, file_obj, password=None): key = dsa.DSAPrivateNumbers( x=self.x, public_numbers=dsa.DSAPublicNumbers( y=self.y, parameter_numbers=dsa.DSAParameterNumbers( p=self.p, q=self.q, g=self.g ), ), ).private_key(backend=default_backend()) self._write_private_key( file_obj, key, serialization.PrivateFormat.TraditionalOpenSSL, password=password, ) @staticmethod def generate(bits=1024, progress_func=None): """ Generate a new private DSS key. This factory function can be used to generate a new host key or authentication key. :param int bits: number of bits the generated key should be. :param progress_func: Unused :return: new `.DSSKey` private key """ numbers = dsa.generate_private_key( bits, backend=default_backend() ).private_numbers() key = DSSKey( vals=( numbers.public_numbers.parameter_numbers.p, numbers.public_numbers.parameter_numbers.q, numbers.public_numbers.parameter_numbers.g, numbers.public_numbers.y, ) ) key.x = numbers.x return key # ...internals... def _from_private_key_file(self, filename, password): data = self._read_private_key_file("DSA", filename, password) self._decode_key(data) def _from_private_key(self, file_obj, password): data = self._read_private_key("DSA", file_obj, password) self._decode_key(data) def _decode_key(self, data): pkformat, data = data # private key file contains: # DSAPrivateKey = { version = 0, p, q, g, y, x } if pkformat == self._PRIVATE_KEY_FORMAT_ORIGINAL: try: keylist = BER(data).decode() except BERException as e: raise SSHException("Unable to parse key file: {}".format(e)) elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH: keylist = self._uint32_cstruct_unpack(data, "iiiii") keylist = [0] + list(keylist) else: self._got_bad_key_format_id(pkformat) if type(keylist) is not list or len(keylist) < 6 or keylist[0] != 0: raise SSHException( "not a valid DSA private key file (bad ber encoding)" ) self.p = keylist[1] self.q = keylist[2] self.g = keylist[3] self.y = keylist[4] self.x = keylist[5] self.size = util.bit_length(self.p) ��kex_group1.py��0000644��00000013154�15030210772�0007203 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Standard SSH key exchange ("kex" if you wanna sound cool). Diffie-Hellman of 1024 bit key halves, using a known "p" prime and "g" generator. """ import os from hashlib import sha1 from paramiko import util from paramiko.common import max_byte, zero_byte, byte_chr, byte_mask from paramiko.message import Message from paramiko.ssh_exception import SSHException _MSG_KEXDH_INIT, _MSG_KEXDH_REPLY = range(30, 32) c_MSG_KEXDH_INIT, c_MSG_KEXDH_REPLY = [byte_chr(c) for c in range(30, 32)] b7fffffffffffffff = byte_chr(0x7F) + max_byte * 7 b0000000000000000 = zero_byte * 8 class KexGroup1: # draft-ietf-secsh-transport-09.txt, page 17 P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF # noqa G = 2 name = "diffie-hellman-group1-sha1" hash_algo = sha1 def __init__(self, transport): self.transport = transport self.x = 0 self.e = 0 self.f = 0 def start_kex(self): self._generate_x() if self.transport.server_mode: # compute f = g^x mod p, but don't send it yet self.f = pow(self.G, self.x, self.P) self.transport._expect_packet(_MSG_KEXDH_INIT) return # compute e = g^x mod p (where g=2), and send it self.e = pow(self.G, self.x, self.P) m = Message() m.add_byte(c_MSG_KEXDH_INIT) m.add_mpint(self.e) self.transport._send_message(m) self.transport._expect_packet(_MSG_KEXDH_REPLY) def parse_next(self, ptype, m): if self.transport.server_mode and (ptype == _MSG_KEXDH_INIT): return self._parse_kexdh_init(m) elif not self.transport.server_mode and (ptype == _MSG_KEXDH_REPLY): return self._parse_kexdh_reply(m) msg = "KexGroup1 asked to handle packet type {:d}" raise SSHException(msg.format(ptype)) # ...internals... def _generate_x(self): # generate an "x" (1 < x < q), where q is (p-1)/2. # p is a 128-byte (1024-bit) number, where the first 64 bits are 1. # therefore q can be approximated as a 2^1023. we drop the subset of # potential x where the first 63 bits are 1, because some of those # will be larger than q (but this is a tiny tiny subset of # potential x). while 1: x_bytes = os.urandom(128) x_bytes = byte_mask(x_bytes[0], 0x7F) + x_bytes[1:] if ( x_bytes[:8] != b7fffffffffffffff and x_bytes[:8] != b0000000000000000 ): break self.x = util.inflate_long(x_bytes) def _parse_kexdh_reply(self, m): # client mode host_key = m.get_string() self.f = m.get_mpint() if (self.f < 1) or (self.f > self.P - 1): raise SSHException('Server kex "f" is out of range') sig = m.get_binary() K = pow(self.f, self.x, self.P) # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| e \|\| f \|\| K) hm = Message() hm.add( self.transport.local_version, self.transport.remote_version, self.transport.local_kex_init, self.transport.remote_kex_init, ) hm.add_string(host_key) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) self.transport._set_K_H(K, self.hash_algo(hm.asbytes()).digest()) self.transport._verify_key(host_key, sig) self.transport._activate_outbound() def _parse_kexdh_init(self, m): # server mode self.e = m.get_mpint() if (self.e < 1) or (self.e > self.P - 1): raise SSHException('Client kex "e" is out of range') K = pow(self.e, self.x, self.P) key = self.transport.get_server_key().asbytes() # okay, build up the hash H of # (V_C \|\| V_S \|\| I_C \|\| I_S \|\| K_S \|\| e \|\| f \|\| K) hm = Message() hm.add( self.transport.remote_version, self.transport.local_version, self.transport.remote_kex_init, self.transport.local_kex_init, ) hm.add_string(key) hm.add_mpint(self.e) hm.add_mpint(self.f) hm.add_mpint(K) H = self.hash_algo(hm.asbytes()).digest() self.transport._set_K_H(K, H) # sign it sig = self.transport.get_server_key().sign_ssh_data( H, self.transport.host_key_type ) # send reply m = Message() m.add_byte(c_MSG_KEXDH_REPLY) m.add_string(key) m.add_mpint(self.f) m.add_string(sig) self.transport._send_message(m) self.transport._activate_outbound() ��client.py��0000644��00000103274�15030210772�0006400 0��ustar�00��# Copyright (C) 2006-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ SSH client & key policies """ from binascii import hexlify import getpass import inspect import os import socket import warnings from errno import ECONNREFUSED, EHOSTUNREACH from paramiko.agent import Agent from paramiko.common import DEBUG from paramiko.config import SSH_PORT from paramiko.dsskey import DSSKey from paramiko.ecdsakey import ECDSAKey from paramiko.ed25519key import Ed25519Key from paramiko.hostkeys import HostKeys from paramiko.rsakey import RSAKey from paramiko.ssh_exception import ( SSHException, BadHostKeyException, NoValidConnectionsError, ) from paramiko.transport import Transport from paramiko.util import ClosingContextManager class SSHClient(ClosingContextManager): """ A high-level representation of a session with an SSH server. This class wraps `.Transport`, `.Channel`, and `.SFTPClient` to take care of most aspects of authenticating and opening channels. A typical use case is:: client = SSHClient() client.load_system_host_keys() client.connect('ssh.example.com') stdin, stdout, stderr = client.exec_command('ls -l') You may pass in explicit overrides for authentication and server host key checking. The default mechanism is to try to use local key files or an SSH agent (if one is running). Instances of this class may be used as context managers. .. versionadded:: 1.6 """ def __init__(self): """ Create a new SSHClient. """ self._system_host_keys = HostKeys() self._host_keys = HostKeys() self._host_keys_filename = None self._log_channel = None self._policy = RejectPolicy() self._transport = None self._agent = None def load_system_host_keys(self, filename=None): """ Load host keys from a system (read-only) file. Host keys read with this method will not be saved back by `save_host_keys`. This method can be called multiple times. Each new set of host keys will be merged with the existing set (new replacing old if there are conflicts). If ``filename`` is left as ``None``, an attempt will be made to read keys from the user's local "known hosts" file, as used by OpenSSH, and no exception will be raised if the file can't be read. This is probably only useful on posix. :param str filename: the filename to read, or ``None`` :raises: ``IOError`` -- if a filename was provided and the file could not be read """ if filename is None: # try the user's .ssh key file, and mask exceptions filename = os.path.expanduser("~/.ssh/known_hosts") try: self._system_host_keys.load(filename) except IOError: pass return self._system_host_keys.load(filename) def load_host_keys(self, filename): """ Load host keys from a local host-key file. Host keys read with this method will be checked after keys loaded via `load_system_host_keys`, but will be saved back by `save_host_keys` (so they can be modified). The missing host key policy `.AutoAddPolicy` adds keys to this set and saves them, when connecting to a previously-unknown server. This method can be called multiple times. Each new set of host keys will be merged with the existing set (new replacing old if there are conflicts). When automatically saving, the last hostname is used. :param str filename: the filename to read :raises: ``IOError`` -- if the filename could not be read """ self._host_keys_filename = filename self._host_keys.load(filename) def save_host_keys(self, filename): """ Save the host keys back to a file. Only the host keys loaded with `load_host_keys` (plus any added directly) will be saved -- not any host keys loaded with `load_system_host_keys`. :param str filename: the filename to save to :raises: ``IOError`` -- if the file could not be written """ # update local host keys from file (in case other SSH clients # have written to the known_hosts file meanwhile. if self._host_keys_filename is not None: self.load_host_keys(self._host_keys_filename) with open(filename, "w") as f: for hostname, keys in self._host_keys.items(): for keytype, key in keys.items(): f.write( "{} {} {}\n".format( hostname, keytype, key.get_base64() ) ) def get_host_keys(self): """ Get the local `.HostKeys` object. This can be used to examine the local host keys or change them. :return: the local host keys as a `.HostKeys` object. """ return self._host_keys def set_log_channel(self, name): """ Set the channel for logging. The default is ``"paramiko.transport"`` but it can be set to anything you want. :param str name: new channel name for logging """ self._log_channel = name def set_missing_host_key_policy(self, policy): """ Set policy to use when connecting to servers without a known host key. Specifically: * A policy is a "policy class" (or instance thereof), namely some subclass of `.MissingHostKeyPolicy` such as `.RejectPolicy` (the default), `.AutoAddPolicy`, `.WarningPolicy`, or a user-created subclass. * A host key is known when it appears in the client object's cached host keys structures (those manipulated by `load_system_host_keys` and/or `load_host_keys`). :param .MissingHostKeyPolicy policy: the policy to use when receiving a host key from a previously-unknown server """ if inspect.isclass(policy): policy = policy() self._policy = policy def _families_and_addresses(self, hostname, port): """ Yield pairs of address families and addresses to try for connecting. :param str hostname: the server to connect to :param int port: the server port to connect to :returns: Yields an iterable of ``(family, address)`` tuples """ guess = True addrinfos = socket.getaddrinfo( hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM ) for (family, socktype, proto, canonname, sockaddr) in addrinfos: if socktype == socket.SOCK_STREAM: yield family, sockaddr guess = False # some OS like AIX don't indicate SOCK_STREAM support, so just # guess. :( We only do this if we did not get a single result marked # as socktype == SOCK_STREAM. if guess: for family, _, _, _, sockaddr in addrinfos: yield family, sockaddr def connect( self, hostname, port=SSH_PORT, username=None, password=None, pkey=None, key_filename=None, timeout=None, allow_agent=True, look_for_keys=True, compress=False, sock=None, gss_auth=False, gss_kex=False, gss_deleg_creds=True, gss_host=None, banner_timeout=None, auth_timeout=None, channel_timeout=None, gss_trust_dns=True, passphrase=None, disabled_algorithms=None, transport_factory=None, auth_strategy=None, ): """ Connect to an SSH server and authenticate to it. The server's host key is checked against the system host keys (see `load_system_host_keys`) and any local host keys (`load_host_keys`). If the server's hostname is not found in either set of host keys, the missing host key policy is used (see `set_missing_host_key_policy`). The default policy is to reject the key and raise an `.SSHException`. Authentication is attempted in the following order of priority: - The ``pkey`` or ``key_filename`` passed in (if any) - ``key_filename`` may contain OpenSSH public certificate paths as well as regular private-key paths; when files ending in ``-cert.pub`` are found, they are assumed to match a private key, and both components will be loaded. (The private key itself does not need to be listed in ``key_filename`` for this to occur - just the certificate.) - Any key we can find through an SSH agent - Any "id_rsa", "id_dsa" or "id_ecdsa" key discoverable in ``~/.ssh/`` - When OpenSSH-style public certificates exist that match an existing such private key (so e.g. one has ``id_rsa`` and ``id_rsa-cert.pub``) the certificate will be loaded alongside the private key and used for authentication. - Plain username/password auth, if a password was given If a private key requires a password to unlock it, and a password is passed in, that password will be used to attempt to unlock the key. :param str hostname: the server to connect to :param int port: the server port to connect to :param str username: the username to authenticate as (defaults to the current local username) :param str password: Used for password authentication; is also used for private key decryption if ``passphrase`` is not given. :param str passphrase: Used for decrypting private keys. :param .PKey pkey: an optional private key to use for authentication :param str key_filename: the filename, or list of filenames, of optional private key(s) and/or certs to try for authentication :param float timeout: an optional timeout (in seconds) for the TCP connect :param bool allow_agent: set to False to disable connecting to the SSH agent :param bool look_for_keys: set to False to disable searching for discoverable private key files in ``~/.ssh/`` :param bool compress: set to True to turn on compression :param socket sock: an open socket or socket-like object (such as a `.Channel`) to use for communication to the target host :param bool gss_auth: ``True`` if you want to use GSS-API authentication :param bool gss_kex: Perform GSS-API Key Exchange and user authentication :param bool gss_deleg_creds: Delegate GSS-API client credentials or not :param str gss_host: The targets name in the kerberos database. default: hostname :param bool gss_trust_dns: Indicates whether or not the DNS is trusted to securely canonicalize the name of the host being connected to (default ``True``). :param float banner_timeout: an optional timeout (in seconds) to wait for the SSH banner to be presented. :param float auth_timeout: an optional timeout (in seconds) to wait for an authentication response. :param float channel_timeout: an optional timeout (in seconds) to wait for a channel open response. :param dict disabled_algorithms: an optional dict passed directly to `.Transport` and its keyword argument of the same name. :param transport_factory: an optional callable which is handed a subset of the constructor arguments (primarily those related to the socket, GSS functionality, and algorithm selection) and generates a `.Transport` instance to be used by this client. Defaults to `.Transport.__init__`. :param auth_strategy: an optional instance of `.AuthStrategy`, triggering use of this newer authentication mechanism instead of SSHClient's legacy auth method. .. warning:: This parameter is incompatible with all other authentication-related parameters (such as, but not limited to, ``password``, ``key_filename`` and ``allow_agent``) and will trigger an exception if given alongside them. :returns: `.AuthResult` if ``auth_strategy`` is non-``None``; otherwise, returns ``None``. :raises BadHostKeyException: if the server's host key could not be verified. :raises AuthenticationException: if authentication failed. :raises UnableToAuthenticate: if authentication failed (when ``auth_strategy`` is non-``None``; and note that this is a subclass of ``AuthenticationException``). :raises socket.error: if a socket error (other than connection-refused or host-unreachable) occurred while connecting. :raises NoValidConnectionsError: if all valid connection targets for the requested hostname (eg IPv4 and IPv6) yielded connection-refused or host-unreachable socket errors. :raises SSHException: if there was any other error connecting or establishing an SSH session. .. versionchanged:: 1.15 Added the ``banner_timeout``, ``gss_auth``, ``gss_kex``, ``gss_deleg_creds`` and ``gss_host`` arguments. .. versionchanged:: 2.3 Added the ``gss_trust_dns`` argument. .. versionchanged:: 2.4 Added the ``passphrase`` argument. .. versionchanged:: 2.6 Added the ``disabled_algorithms`` argument. .. versionchanged:: 2.12 Added the ``transport_factory`` argument. .. versionchanged:: 3.2 Added the ``auth_strategy`` argument. """ if not sock: errors = {} # Try multiple possible address families (e.g. IPv4 vs IPv6) to_try = list(self._families_and_addresses(hostname, port)) for af, addr in to_try: try: sock = socket.socket(af, socket.SOCK_STREAM) if timeout is not None: try: sock.settimeout(timeout) except: pass sock.connect(addr) # Break out of the loop on success break except socket.error as e: # As mentioned in socket docs it is better # to close sockets explicitly if sock: sock.close() # Raise anything that isn't a straight up connection error # (such as a resolution error) if e.errno not in (ECONNREFUSED, EHOSTUNREACH): raise # Capture anything else so we know how the run looks once # iteration is complete. Retain info about which attempt # this was. errors[addr] = e # Make sure we explode usefully if no address family attempts # succeeded. We've no way of knowing which error is the "right" # one, so we construct a hybrid exception containing all the real # ones, of a subclass that client code should still be watching for # (socket.error) if len(errors) == len(to_try): raise NoValidConnectionsError(errors) if transport_factory is None: transport_factory = Transport t = self._transport = transport_factory( sock, gss_kex=gss_kex, gss_deleg_creds=gss_deleg_creds, disabled_algorithms=disabled_algorithms, ) t.use_compression(compress=compress) t.set_gss_host( # t.hostname may be None, but GSS-API requires a target name. # Therefore use hostname as fallback. gss_host=gss_host or hostname, trust_dns=gss_trust_dns, gssapi_requested=gss_auth or gss_kex, ) if self._log_channel is not None: t.set_log_channel(self._log_channel) if banner_timeout is not None: t.banner_timeout = banner_timeout if auth_timeout is not None: t.auth_timeout = auth_timeout if channel_timeout is not None: t.channel_timeout = channel_timeout if port == SSH_PORT: server_hostkey_name = hostname else: server_hostkey_name = "[{}]:{}".format(hostname, port) our_server_keys = None our_server_keys = self._system_host_keys.get(server_hostkey_name) if our_server_keys is None: our_server_keys = self._host_keys.get(server_hostkey_name) if our_server_keys is not None: keytype = our_server_keys.keys()[0] sec_opts = t.get_security_options() other_types = [x for x in sec_opts.key_types if x != keytype] sec_opts.key_types = [keytype] + other_types t.start_client(timeout=timeout) # If GSS-API Key Exchange is performed we are not required to check the # host key, because the host is authenticated via GSS-API / SSPI as # well as our client. if not self._transport.gss_kex_used: server_key = t.get_remote_server_key() if our_server_keys is None: # will raise exception if the key is rejected self._policy.missing_host_key( self, server_hostkey_name, server_key ) else: our_key = our_server_keys.get(server_key.get_name()) if our_key != server_key: if our_key is None: our_key = list(our_server_keys.values())[0] raise BadHostKeyException(hostname, server_key, our_key) if username is None: username = getpass.getuser() # New auth flow! if auth_strategy is not None: return auth_strategy.authenticate(transport=t) # Old auth flow! if key_filename is None: key_filenames = [] elif isinstance(key_filename, str): key_filenames = [key_filename] else: key_filenames = key_filename self._auth( username, password, pkey, key_filenames, allow_agent, look_for_keys, gss_auth, gss_kex, gss_deleg_creds, t.gss_host, passphrase, ) def close(self): """ Close this SSHClient and its underlying `.Transport`. This should be called anytime you are done using the client object. .. warning:: Paramiko registers garbage collection hooks that will try to automatically close connections for you, but this is not presently reliable. Failure to explicitly close your client after use may lead to end-of-process hangs! """ if self._transport is None: return self._transport.close() self._transport = None if self._agent is not None: self._agent.close() self._agent = None def exec_command( self, command, bufsize=-1, timeout=None, get_pty=False, environment=None, ): """ Execute a command on the SSH server. A new `.Channel` is opened and the requested command is executed. The command's input and output streams are returned as Python ``file``-like objects representing stdin, stdout, and stderr. :param str command: the command to execute :param int bufsize: interpreted the same way as by the built-in ``file()`` function in Python :param int timeout: set command's channel timeout. See `.Channel.settimeout` :param bool get_pty: Request a pseudo-terminal from the server (default ``False``). See `.Channel.get_pty` :param dict environment: a dict of shell environment variables, to be merged into the default environment that the remote command executes within. .. warning:: Servers may silently reject some environment variables; see the warning in `.Channel.set_environment_variable` for details. :return: the stdin, stdout, and stderr of the executing command, as a 3-tuple :raises: `.SSHException` -- if the server fails to execute the command .. versionchanged:: 1.10 Added the ``get_pty`` kwarg. """ chan = self._transport.open_session(timeout=timeout) if get_pty: chan.get_pty() chan.settimeout(timeout) if environment: chan.update_environment(environment) chan.exec_command(command) stdin = chan.makefile_stdin("wb", bufsize) stdout = chan.makefile("r", bufsize) stderr = chan.makefile_stderr("r", bufsize) return stdin, stdout, stderr def invoke_shell( self, term="vt100", width=80, height=24, width_pixels=0, height_pixels=0, environment=None, ): """ Start an interactive shell session on the SSH server. A new `.Channel` is opened and connected to a pseudo-terminal using the requested terminal type and size. :param str term: the terminal type to emulate (for example, ``"vt100"``) :param int width: the width (in characters) of the terminal window :param int height: the height (in characters) of the terminal window :param int width_pixels: the width (in pixels) of the terminal window :param int height_pixels: the height (in pixels) of the terminal window :param dict environment: the command's environment :return: a new `.Channel` connected to the remote shell :raises: `.SSHException` -- if the server fails to invoke a shell """ chan = self._transport.open_session() chan.get_pty(term, width, height, width_pixels, height_pixels) chan.invoke_shell() return chan def open_sftp(self): """ Open an SFTP session on the SSH server. :return: a new `.SFTPClient` session object """ return self._transport.open_sftp_client() def get_transport(self): """ Return the underlying `.Transport` object for this SSH connection. This can be used to perform lower-level tasks, like opening specific kinds of channels. :return: the `.Transport` for this connection """ return self._transport def _key_from_filepath(self, filename, klass, password): """ Attempt to derive a `.PKey` from given string path ``filename``: - If ``filename`` appears to be a cert, the matching private key is loaded. - Otherwise, the filename is assumed to be a private key, and the matching public cert will be loaded if it exists. """ cert_suffix = "-cert.pub" # Assume privkey, not cert, by default if filename.endswith(cert_suffix): key_path = filename[: -len(cert_suffix)] cert_path = filename else: key_path = filename cert_path = filename + cert_suffix # Blindly try the key path; if no private key, nothing will work. key = klass.from_private_key_file(key_path, password) # TODO: change this to 'Loading' instead of 'Trying' sometime; probably # when #387 is released, since this is a critical log message users are # likely testing/filtering for (bah.) msg = "Trying discovered key {} in {}".format( hexlify(key.get_fingerprint()), key_path ) self._log(DEBUG, msg) # Attempt to load cert if it exists. if os.path.isfile(cert_path): key.load_certificate(cert_path) self._log(DEBUG, "Adding public certificate {}".format(cert_path)) return key def _auth( self, username, password, pkey, key_filenames, allow_agent, look_for_keys, gss_auth, gss_kex, gss_deleg_creds, gss_host, passphrase, ): """ Try, in order: - The key(s) passed in, if one was passed in. - Any key we can find through an SSH agent (if allowed). - Any "id_rsa", "id_dsa" or "id_ecdsa" key discoverable in ~/.ssh/ (if allowed). - Plain username/password auth, if a password was given. (The password might be needed to unlock a private key [if 'passphrase' isn't also given], or for two-factor authentication [for which it is required].) """ saved_exception = None two_factor = False allowed_types = set() two_factor_types = {"keyboard-interactive", "password"} if passphrase is None and password is not None: passphrase = password # If GSS-API support and GSS-PI Key Exchange was performed, we attempt # authentication with gssapi-keyex. if gss_kex and self._transport.gss_kex_used: try: self._transport.auth_gssapi_keyex(username) return except Exception as e: saved_exception = e # Try GSS-API authentication (gssapi-with-mic) only if GSS-API Key # Exchange is not performed, because if we use GSS-API for the key # exchange, there is already a fully established GSS-API context, so # why should we do that again? if gss_auth: try: return self._transport.auth_gssapi_with_mic( username, gss_host, gss_deleg_creds ) except Exception as e: saved_exception = e if pkey is not None: try: self._log( DEBUG, "Trying SSH key {}".format( hexlify(pkey.get_fingerprint()) ), ) allowed_types = set( self._transport.auth_publickey(username, pkey) ) two_factor = allowed_types & two_factor_types if not two_factor: return except SSHException as e: saved_exception = e if not two_factor: for key_filename in key_filenames: # TODO 4.0: leverage PKey.from_path() if we don't end up just # killing SSHClient entirely for pkey_class in (RSAKey, DSSKey, ECDSAKey, Ed25519Key): try: key = self._key_from_filepath( key_filename, pkey_class, passphrase ) allowed_types = set( self._transport.auth_publickey(username, key) ) two_factor = allowed_types & two_factor_types if not two_factor: return break except SSHException as e: saved_exception = e if not two_factor and allow_agent: if self._agent is None: self._agent = Agent() for key in self._agent.get_keys(): try: id_ = hexlify(key.get_fingerprint()) self._log(DEBUG, "Trying SSH agent key {}".format(id_)) # for 2-factor auth a successfully auth'd key password # will return an allowed 2fac auth method allowed_types = set( self._transport.auth_publickey(username, key) ) two_factor = allowed_types & two_factor_types if not two_factor: return break except SSHException as e: saved_exception = e if not two_factor: keyfiles = [] for keytype, name in [ (RSAKey, "rsa"), (DSSKey, "dsa"), (ECDSAKey, "ecdsa"), (Ed25519Key, "ed25519"), ]: # ~/ssh/ is for windows for directory in [".ssh", "ssh"]: full_path = os.path.expanduser( "~/{}/id_{}".format(directory, name) ) if os.path.isfile(full_path): # TODO: only do this append if below did not run keyfiles.append((keytype, full_path)) if os.path.isfile(full_path + "-cert.pub"): keyfiles.append((keytype, full_path + "-cert.pub")) if not look_for_keys: keyfiles = [] for pkey_class, filename in keyfiles: try: key = self._key_from_filepath( filename, pkey_class, passphrase ) # for 2-factor auth a successfully auth'd key will result # in ['password'] allowed_types = set( self._transport.auth_publickey(username, key) ) two_factor = allowed_types & two_factor_types if not two_factor: return break except (SSHException, IOError) as e: saved_exception = e if password is not None: try: self._transport.auth_password(username, password) return except SSHException as e: saved_exception = e elif two_factor: try: self._transport.auth_interactive_dumb(username) return except SSHException as e: saved_exception = e # if we got an auth-failed exception earlier, re-raise it if saved_exception is not None: raise saved_exception raise SSHException("No authentication methods available") def _log(self, level, msg): self._transport._log(level, msg) class MissingHostKeyPolicy: """ Interface for defining the policy that `.SSHClient` should use when the SSH server's hostname is not in either the system host keys or the application's keys. Pre-made classes implement policies for automatically adding the key to the application's `.HostKeys` object (`.AutoAddPolicy`), and for automatically rejecting the key (`.RejectPolicy`). This function may be used to ask the user to verify the key, for example. """ def missing_host_key(self, client, hostname, key): """ Called when an `.SSHClient` receives a server key for a server that isn't in either the system or local `.HostKeys` object. To accept the key, simply return. To reject, raised an exception (which will be passed to the calling application). """ pass class AutoAddPolicy(MissingHostKeyPolicy): """ Policy for automatically adding the hostname and new host key to the local `.HostKeys` object, and saving it. This is used by `.SSHClient`. """ def missing_host_key(self, client, hostname, key): client._host_keys.add(hostname, key.get_name(), key) if client._host_keys_filename is not None: client.save_host_keys(client._host_keys_filename) client._log( DEBUG, "Adding {} host key for {}: {}".format( key.get_name(), hostname, hexlify(key.get_fingerprint()) ), ) class RejectPolicy(MissingHostKeyPolicy): """ Policy for automatically rejecting the unknown hostname & key. This is used by `.SSHClient`. """ def missing_host_key(self, client, hostname, key): client._log( DEBUG, "Rejecting {} host key for {}: {}".format( key.get_name(), hostname, hexlify(key.get_fingerprint()) ), ) raise SSHException( "Server {!r} not found in known_hosts".format(hostname) ) class WarningPolicy(MissingHostKeyPolicy): """ Policy for logging a Python-style warning for an unknown host key, but accepting it. This is used by `.SSHClient`. """ def missing_host_key(self, client, hostname, key): warnings.warn( "Unknown {} host key for {}: {}".format( key.get_name(), hostname, hexlify(key.get_fingerprint()) ) ) ��sftp_client.py��0000644��00000106017�15030210772�0007432 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of Paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. from binascii import hexlify import errno import os import stat import threading import time import weakref from paramiko import util from paramiko.channel import Channel from paramiko.message import Message from paramiko.common import INFO, DEBUG, o777 from paramiko.sftp import ( BaseSFTP, CMD_OPENDIR, CMD_HANDLE, SFTPError, CMD_READDIR, CMD_NAME, CMD_CLOSE, SFTP_FLAG_READ, SFTP_FLAG_WRITE, SFTP_FLAG_CREATE, SFTP_FLAG_TRUNC, SFTP_FLAG_APPEND, SFTP_FLAG_EXCL, CMD_OPEN, CMD_REMOVE, CMD_RENAME, CMD_MKDIR, CMD_RMDIR, CMD_STAT, CMD_ATTRS, CMD_LSTAT, CMD_SYMLINK, CMD_SETSTAT, CMD_READLINK, CMD_REALPATH, CMD_STATUS, CMD_EXTENDED, SFTP_OK, SFTP_EOF, SFTP_NO_SUCH_FILE, SFTP_PERMISSION_DENIED, int64, ) from paramiko.sftp_attr import SFTPAttributes from paramiko.ssh_exception import SSHException from paramiko.sftp_file import SFTPFile from paramiko.util import ClosingContextManager, b, u def _to_unicode(s): """ decode a string as ascii or utf8 if possible (as required by the sftp protocol). if neither works, just return a byte string because the server probably doesn't know the filename's encoding. """ try: return s.encode("ascii") except (UnicodeError, AttributeError): try: return s.decode("utf-8") except UnicodeError: return s b_slash = b"/" class SFTPClient(BaseSFTP, ClosingContextManager): """ SFTP client object. Used to open an SFTP session across an open SSH `.Transport` and perform remote file operations. Instances of this class may be used as context managers. """ def __init__(self, sock): """ Create an SFTP client from an existing `.Channel`. The channel should already have requested the ``"sftp"`` subsystem. An alternate way to create an SFTP client context is by using `from_transport`. :param .Channel sock: an open `.Channel` using the ``"sftp"`` subsystem :raises: `.SSHException` -- if there's an exception while negotiating sftp """ BaseSFTP.__init__(self) self.sock = sock self.ultra_debug = False self.request_number = 1 # lock for request_number self._lock = threading.Lock() self._cwd = None # request # -> SFTPFile self._expecting = weakref.WeakValueDictionary() if type(sock) is Channel: # override default logger transport = self.sock.get_transport() self.logger = util.get_logger( transport.get_log_channel() + ".sftp" ) self.ultra_debug = transport.get_hexdump() try: server_version = self._send_version() except EOFError: raise SSHException("EOF during negotiation") self._log( INFO, "Opened sftp connection (server version {})".format( server_version ), ) @classmethod def from_transport(cls, t, window_size=None, max_packet_size=None): """ Create an SFTP client channel from an open `.Transport`. Setting the window and packet sizes might affect the transfer speed. The default settings in the `.Transport` class are the same as in OpenSSH and should work adequately for both files transfers and interactive sessions. :param .Transport t: an open `.Transport` which is already authenticated :param int window_size: optional window size for the `.SFTPClient` session. :param int max_packet_size: optional max packet size for the `.SFTPClient` session.. :return: a new `.SFTPClient` object, referring to an sftp session (channel) across the transport .. versionchanged:: 1.15 Added the ``window_size`` and ``max_packet_size`` arguments. """ chan = t.open_session( window_size=window_size, max_packet_size=max_packet_size ) if chan is None: return None chan.invoke_subsystem("sftp") return cls(chan) def _log(self, level, msg, args): if isinstance(msg, list): for m in msg: self._log(level, m, args) else: # NOTE: these bits MUST continue using %-style format junk because # logging.Logger.log() explicitly requires it. Grump. # escape '%' in msg (they could come from file or directory names) # before logging msg = msg.replace("%", "%%") super()._log( level, "[chan %s] " + msg, ([self.sock.get_name()] + list(args)) ) def close(self): """ Close the SFTP session and its underlying channel. .. versionadded:: 1.4 """ self._log(INFO, "sftp session closed.") self.sock.close() def get_channel(self): """ Return the underlying `.Channel` object for this SFTP session. This might be useful for doing things like setting a timeout on the channel. .. versionadded:: 1.7.1 """ return self.sock def listdir(self, path="."): """ Return a list containing the names of the entries in the given ``path``. The list is in arbitrary order. It does not include the special entries ``'.'`` and ``'..'`` even if they are present in the folder. This method is meant to mirror ``os.listdir`` as closely as possible. For a list of full `.SFTPAttributes` objects, see `listdir_attr`. :param str path: path to list (defaults to ``'.'``) """ return [f.filename for f in self.listdir_attr(path)] def listdir_attr(self, path="."): """ Return a list containing `.SFTPAttributes` objects corresponding to files in the given ``path``. The list is in arbitrary order. It does not include the special entries ``'.'`` and ``'..'`` even if they are present in the folder. The returned `.SFTPAttributes` objects will each have an additional field: ``longname``, which may contain a formatted string of the file's attributes, in unix format. The content of this string will probably depend on the SFTP server implementation. :param str path: path to list (defaults to ``'.'``) :return: list of `.SFTPAttributes` objects .. versionadded:: 1.2 """ path = self._adjust_cwd(path) self._log(DEBUG, "listdir({!r})".format(path)) t, msg = self._request(CMD_OPENDIR, path) if t != CMD_HANDLE: raise SFTPError("Expected handle") handle = msg.get_binary() filelist = [] while True: try: t, msg = self._request(CMD_READDIR, handle) except EOFError: # done with handle break if t != CMD_NAME: raise SFTPError("Expected name response") count = msg.get_int() for i in range(count): filename = msg.get_text() longname = msg.get_text() attr = SFTPAttributes._from_msg(msg, filename, longname) if (filename != ".") and (filename != ".."): filelist.append(attr) self._request(CMD_CLOSE, handle) return filelist def listdir_iter(self, path=".", read_aheads=50): """ Generator version of `.listdir_attr`. See the API docs for `.listdir_attr` for overall details. This function adds one more kwarg on top of `.listdir_attr`: ``read_aheads``, an integer controlling how many ``SSH_FXP_READDIR`` requests are made to the server. The default of 50 should suffice for most file listings as each request/response cycle may contain multiple files (dependent on server implementation.) .. versionadded:: 1.15 """ path = self._adjust_cwd(path) self._log(DEBUG, "listdir({!r})".format(path)) t, msg = self._request(CMD_OPENDIR, path) if t != CMD_HANDLE: raise SFTPError("Expected handle") handle = msg.get_string() nums = list() while True: try: # Send out a bunch of readdir requests so that we can read the # responses later on Section 6.7 of the SSH file transfer RFC # explains this # http://filezilla-project.org/specs/draft-ietf-secsh-filexfer-02.txt for i in range(read_aheads): num = self._async_request(type(None), CMD_READDIR, handle) nums.append(num) # For each of our sent requests # Read and parse the corresponding packets # If we're at the end of our queued requests, then fire off # some more requests # Exit the loop when we've reached the end of the directory # handle for num in nums: t, pkt_data = self._read_packet() msg = Message(pkt_data) new_num = msg.get_int() if num == new_num: if t == CMD_STATUS: self._convert_status(msg) count = msg.get_int() for i in range(count): filename = msg.get_text() longname = msg.get_text() attr = SFTPAttributes._from_msg( msg, filename, longname ) if (filename != ".") and (filename != ".."): yield attr # If we've hit the end of our queued requests, reset nums. nums = list() except EOFError: self._request(CMD_CLOSE, handle) return def open(self, filename, mode="r", bufsize=-1): """ Open a file on the remote server. The arguments are the same as for Python's built-in `python:file` (aka `python:open`). A file-like object is returned, which closely mimics the behavior of a normal Python file object, including the ability to be used as a context manager. The mode indicates how the file is to be opened: ``'r'`` for reading, ``'w'`` for writing (truncating an existing file), ``'a'`` for appending, ``'r+'`` for reading/writing, ``'w+'`` for reading/writing (truncating an existing file), ``'a+'`` for reading/appending. The Python ``'b'`` flag is ignored, since SSH treats all files as binary. The ``'U'`` flag is supported in a compatible way. Since 1.5.2, an ``'x'`` flag indicates that the operation should only succeed if the file was created and did not previously exist. This has no direct mapping to Python's file flags, but is commonly known as the ``O_EXCL`` flag in posix. The file will be buffered in standard Python style by default, but can be altered with the ``bufsize`` parameter. ``<=0`` turns off buffering, ``1`` uses line buffering, and any number greater than 1 (``>1``) uses that specific buffer size. :param str filename: name of the file to open :param str mode: mode (Python-style) to open in :param int bufsize: desired buffering (default: ``-1``) :return: an `.SFTPFile` object representing the open file :raises: ``IOError`` -- if the file could not be opened. """ filename = self._adjust_cwd(filename) self._log(DEBUG, "open({!r}, {!r})".format(filename, mode)) imode = 0 if ("r" in mode) or ("+" in mode): imode \|= SFTP_FLAG_READ if ("w" in mode) or ("+" in mode) or ("a" in mode): imode \|= SFTP_FLAG_WRITE if "w" in mode: imode \|= SFTP_FLAG_CREATE \| SFTP_FLAG_TRUNC if "a" in mode: imode \|= SFTP_FLAG_CREATE \| SFTP_FLAG_APPEND if "x" in mode: imode \|= SFTP_FLAG_CREATE \| SFTP_FLAG_EXCL attrblock = SFTPAttributes() t, msg = self._request(CMD_OPEN, filename, imode, attrblock) if t != CMD_HANDLE: raise SFTPError("Expected handle") handle = msg.get_binary() self._log( DEBUG, "open({!r}, {!r}) -> {}".format( filename, mode, u(hexlify(handle)) ), ) return SFTPFile(self, handle, mode, bufsize) # Python continues to vacillate about "open" vs "file"... file = open def remove(self, path): """ Remove the file at the given path. This only works on files; for removing folders (directories), use `rmdir`. :param str path: path (absolute or relative) of the file to remove :raises: ``IOError`` -- if the path refers to a folder (directory) """ path = self._adjust_cwd(path) self._log(DEBUG, "remove({!r})".format(path)) self._request(CMD_REMOVE, path) unlink = remove def rename(self, oldpath, newpath): """ Rename a file or folder from ``oldpath`` to ``newpath``. .. note:: This method implements 'standard' SFTP ``RENAME`` behavior; those seeking the OpenSSH "POSIX rename" extension behavior should use `posix_rename`. :param str oldpath: existing name of the file or folder :param str newpath: new name for the file or folder, must not exist already :raises: ``IOError`` -- if ``newpath`` is a folder, or something else goes wrong """ oldpath = self._adjust_cwd(oldpath) newpath = self._adjust_cwd(newpath) self._log(DEBUG, "rename({!r}, {!r})".format(oldpath, newpath)) self._request(CMD_RENAME, oldpath, newpath) def posix_rename(self, oldpath, newpath): """ Rename a file or folder from ``oldpath`` to ``newpath``, following posix conventions. :param str oldpath: existing name of the file or folder :param str newpath: new name for the file or folder, will be overwritten if it already exists :raises: ``IOError`` -- if ``newpath`` is a folder, posix-rename is not supported by the server or something else goes wrong :versionadded: 2.2 """ oldpath = self._adjust_cwd(oldpath) newpath = self._adjust_cwd(newpath) self._log(DEBUG, "posix_rename({!r}, {!r})".format(oldpath, newpath)) self._request( CMD_EXTENDED, "posix-rename@openssh.com", oldpath, newpath ) def mkdir(self, path, mode=o777): """ Create a folder (directory) named ``path`` with numeric mode ``mode``. The default mode is 0777 (octal). On some systems, mode is ignored. Where it is used, the current umask value is first masked out. :param str path: name of the folder to create :param int mode: permissions (posix-style) for the newly-created folder """ path = self._adjust_cwd(path) self._log(DEBUG, "mkdir({!r}, {!r})".format(path, mode)) attr = SFTPAttributes() attr.st_mode = mode self._request(CMD_MKDIR, path, attr) def rmdir(self, path): """ Remove the folder named ``path``. :param str path: name of the folder to remove """ path = self._adjust_cwd(path) self._log(DEBUG, "rmdir({!r})".format(path)) self._request(CMD_RMDIR, path) def stat(self, path): """ Retrieve information about a file on the remote system. The return value is an object whose attributes correspond to the attributes of Python's ``stat`` structure as returned by ``os.stat``, except that it contains fewer fields. An SFTP server may return as much or as little info as it wants, so the results may vary from server to server. Unlike a Python `python:stat` object, the result may not be accessed as a tuple. This is mostly due to the author's slack factor. The fields supported are: ``st_mode``, ``st_size``, ``st_uid``, ``st_gid``, ``st_atime``, and ``st_mtime``. :param str path: the filename to stat :return: an `.SFTPAttributes` object containing attributes about the given file """ path = self._adjust_cwd(path) self._log(DEBUG, "stat({!r})".format(path)) t, msg = self._request(CMD_STAT, path) if t != CMD_ATTRS: raise SFTPError("Expected attributes") return SFTPAttributes._from_msg(msg) def lstat(self, path): """ Retrieve information about a file on the remote system, without following symbolic links (shortcuts). This otherwise behaves exactly the same as `stat`. :param str path: the filename to stat :return: an `.SFTPAttributes` object containing attributes about the given file """ path = self._adjust_cwd(path) self._log(DEBUG, "lstat({!r})".format(path)) t, msg = self._request(CMD_LSTAT, path) if t != CMD_ATTRS: raise SFTPError("Expected attributes") return SFTPAttributes._from_msg(msg) def symlink(self, source, dest): """ Create a symbolic link to the ``source`` path at ``destination``. :param str source: path of the original file :param str dest: path of the newly created symlink """ dest = self._adjust_cwd(dest) self._log(DEBUG, "symlink({!r}, {!r})".format(source, dest)) source = b(source) self._request(CMD_SYMLINK, source, dest) def chmod(self, path, mode): """ Change the mode (permissions) of a file. The permissions are unix-style and identical to those used by Python's `os.chmod` function. :param str path: path of the file to change the permissions of :param int mode: new permissions """ path = self._adjust_cwd(path) self._log(DEBUG, "chmod({!r}, {!r})".format(path, mode)) attr = SFTPAttributes() attr.st_mode = mode self._request(CMD_SETSTAT, path, attr) def chown(self, path, uid, gid): """ Change the owner (``uid``) and group (``gid``) of a file. As with Python's `os.chown` function, you must pass both arguments, so if you only want to change one, use `stat` first to retrieve the current owner and group. :param str path: path of the file to change the owner and group of :param int uid: new owner's uid :param int gid: new group id """ path = self._adjust_cwd(path) self._log(DEBUG, "chown({!r}, {!r}, {!r})".format(path, uid, gid)) attr = SFTPAttributes() attr.st_uid, attr.st_gid = uid, gid self._request(CMD_SETSTAT, path, attr) def utime(self, path, times): """ Set the access and modified times of the file specified by ``path``. If ``times`` is ``None``, then the file's access and modified times are set to the current time. Otherwise, ``times`` must be a 2-tuple of numbers, of the form ``(atime, mtime)``, which is used to set the access and modified times, respectively. This bizarre API is mimicked from Python for the sake of consistency -- I apologize. :param str path: path of the file to modify :param tuple times: ``None`` or a tuple of (access time, modified time) in standard internet epoch time (seconds since 01 January 1970 GMT) """ path = self._adjust_cwd(path) if times is None: times = (time.time(), time.time()) self._log(DEBUG, "utime({!r}, {!r})".format(path, times)) attr = SFTPAttributes() attr.st_atime, attr.st_mtime = times self._request(CMD_SETSTAT, path, attr) def truncate(self, path, size): """ Change the size of the file specified by ``path``. This usually extends or shrinks the size of the file, just like the `~file.truncate` method on Python file objects. :param str path: path of the file to modify :param int size: the new size of the file """ path = self._adjust_cwd(path) self._log(DEBUG, "truncate({!r}, {!r})".format(path, size)) attr = SFTPAttributes() attr.st_size = size self._request(CMD_SETSTAT, path, attr) def readlink(self, path): """ Return the target of a symbolic link (shortcut). You can use `symlink` to create these. The result may be either an absolute or relative pathname. :param str path: path of the symbolic link file :return: target path, as a `str` """ path = self._adjust_cwd(path) self._log(DEBUG, "readlink({!r})".format(path)) t, msg = self._request(CMD_READLINK, path) if t != CMD_NAME: raise SFTPError("Expected name response") count = msg.get_int() if count == 0: return None if count != 1: raise SFTPError("Readlink returned {} results".format(count)) return _to_unicode(msg.get_string()) def normalize(self, path): """ Return the normalized path (on the server) of a given path. This can be used to quickly resolve symbolic links or determine what the server is considering to be the "current folder" (by passing ``'.'`` as ``path``). :param str path: path to be normalized :return: normalized form of the given path (as a `str`) :raises: ``IOError`` -- if the path can't be resolved on the server """ path = self._adjust_cwd(path) self._log(DEBUG, "normalize({!r})".format(path)) t, msg = self._request(CMD_REALPATH, path) if t != CMD_NAME: raise SFTPError("Expected name response") count = msg.get_int() if count != 1: raise SFTPError("Realpath returned {} results".format(count)) return msg.get_text() def chdir(self, path=None): """ Change the "current directory" of this SFTP session. Since SFTP doesn't really have the concept of a current working directory, this is emulated by Paramiko. Once you use this method to set a working directory, all operations on this `.SFTPClient` object will be relative to that path. You can pass in ``None`` to stop using a current working directory. :param str path: new current working directory :raises: ``IOError`` -- if the requested path doesn't exist on the server .. versionadded:: 1.4 """ if path is None: self._cwd = None return if not stat.S_ISDIR(self.stat(path).st_mode): code = errno.ENOTDIR raise SFTPError(code, "{}: {}".format(os.strerror(code), path)) self._cwd = b(self.normalize(path)) def getcwd(self): """ Return the "current working directory" for this SFTP session, as emulated by Paramiko. If no directory has been set with `chdir`, this method will return ``None``. .. versionadded:: 1.4 """ # TODO: make class initialize with self._cwd set to self.normalize('.') return self._cwd and u(self._cwd) def _transfer_with_callback(self, reader, writer, file_size, callback): size = 0 while True: data = reader.read(32768) writer.write(data) size += len(data) if len(data) == 0: break if callback is not None: callback(size, file_size) return size def putfo(self, fl, remotepath, file_size=0, callback=None, confirm=True): """ Copy the contents of an open file object (``fl``) to the SFTP server as ``remotepath``. Any exception raised by operations will be passed through. The SFTP operations use pipelining for speed. :param fl: opened file or file-like object to copy :param str remotepath: the destination path on the SFTP server :param int file_size: optional size parameter passed to callback. If none is specified, size defaults to 0 :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred (since 1.7.4) :param bool confirm: whether to do a stat() on the file afterwards to confirm the file size (since 1.7.7) :return: an `.SFTPAttributes` object containing attributes about the given file. .. versionadded:: 1.10 """ with self.file(remotepath, "wb") as fr: fr.set_pipelined(True) size = self._transfer_with_callback( reader=fl, writer=fr, file_size=file_size, callback=callback ) if confirm: s = self.stat(remotepath) if s.st_size != size: raise IOError( "size mismatch in put! {} != {}".format(s.st_size, size) ) else: s = SFTPAttributes() return s def put(self, localpath, remotepath, callback=None, confirm=True): """ Copy a local file (``localpath``) to the SFTP server as ``remotepath``. Any exception raised by operations will be passed through. This method is primarily provided as a convenience. The SFTP operations use pipelining for speed. :param str localpath: the local file to copy :param str remotepath: the destination path on the SFTP server. Note that the filename should be included. Only specifying a directory may result in an error. :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred :param bool confirm: whether to do a stat() on the file afterwards to confirm the file size :return: an `.SFTPAttributes` object containing attributes about the given file .. versionadded:: 1.4 .. versionchanged:: 1.7.4 ``callback`` and rich attribute return value added. .. versionchanged:: 1.7.7 ``confirm`` param added. """ file_size = os.stat(localpath).st_size with open(localpath, "rb") as fl: return self.putfo(fl, remotepath, file_size, callback, confirm) def getfo( self, remotepath, fl, callback=None, prefetch=True, max_concurrent_prefetch_requests=None, ): """ Copy a remote file (``remotepath``) from the SFTP server and write to an open file or file-like object, ``fl``. Any exception raised by operations will be passed through. This method is primarily provided as a convenience. :param object remotepath: opened file or file-like object to copy to :param str fl: the destination path on the local host or open file object :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred :param bool prefetch: controls whether prefetching is performed (default: True) :param int max_concurrent_prefetch_requests: The maximum number of concurrent read requests to prefetch. See `.SFTPClient.get` (its ``max_concurrent_prefetch_requests`` param) for details. :return: the `number <int>` of bytes written to the opened file object .. versionadded:: 1.10 .. versionchanged:: 2.8 Added the ``prefetch`` keyword argument. .. versionchanged:: 3.3 Added ``max_concurrent_prefetch_requests``. """ file_size = self.stat(remotepath).st_size with self.open(remotepath, "rb") as fr: if prefetch: fr.prefetch(file_size, max_concurrent_prefetch_requests) return self._transfer_with_callback( reader=fr, writer=fl, file_size=file_size, callback=callback ) def get( self, remotepath, localpath, callback=None, prefetch=True, max_concurrent_prefetch_requests=None, ): """ Copy a remote file (``remotepath``) from the SFTP server to the local host as ``localpath``. Any exception raised by operations will be passed through. This method is primarily provided as a convenience. :param str remotepath: the remote file to copy :param str localpath: the destination path on the local host :param callable callback: optional callback function (form: ``func(int, int)``) that accepts the bytes transferred so far and the total bytes to be transferred :param bool prefetch: controls whether prefetching is performed (default: True) :param int max_concurrent_prefetch_requests: The maximum number of concurrent read requests to prefetch. When this is ``None`` (the default), do not limit the number of concurrent prefetch requests. Note: OpenSSH's sftp internally imposes a limit of 64 concurrent requests, while Paramiko imposes no limit by default; consider setting a limit if a file can be successfully received with sftp but hangs with Paramiko. .. versionadded:: 1.4 .. versionchanged:: 1.7.4 Added the ``callback`` param .. versionchanged:: 2.8 Added the ``prefetch`` keyword argument. .. versionchanged:: 3.3 Added ``max_concurrent_prefetch_requests``. """ with open(localpath, "wb") as fl: size = self.getfo( remotepath, fl, callback, prefetch, max_concurrent_prefetch_requests, ) s = os.stat(localpath) if s.st_size != size: raise IOError( "size mismatch in get! {} != {}".format(s.st_size, size) ) # ...internals... def _request(self, t, args): num = self._async_request(type(None), t, args) return self._read_response(num) def _async_request(self, fileobj, t, args): # this method may be called from other threads (prefetch) self._lock.acquire() try: msg = Message() msg.add_int(self.request_number) for item in args: if isinstance(item, int64): msg.add_int64(item) elif isinstance(item, int): msg.add_int(item) elif isinstance(item, SFTPAttributes): item._pack(msg) else: # For all other types, rely on as_string() to either coerce # to bytes before writing or raise a suitable exception. msg.add_string(item) num = self.request_number self._expecting[num] = fileobj self.request_number += 1 finally: self._lock.release() self._send_packet(t, msg) return num def _read_response(self, waitfor=None): while True: try: t, data = self._read_packet() except EOFError as e: raise SSHException("Server connection dropped: {}".format(e)) msg = Message(data) num = msg.get_int() self._lock.acquire() try: if num not in self._expecting: # might be response for a file that was closed before # responses came back self._log(DEBUG, "Unexpected response #{}".format(num)) if waitfor is None: # just doing a single check break continue fileobj = self._expecting[num] del self._expecting[num] finally: self._lock.release() if num == waitfor: # synchronous if t == CMD_STATUS: self._convert_status(msg) return t, msg # can not rewrite this to deal with E721, either as a None check # nor as not an instance of None or NoneType if fileobj is not type(None): # noqa fileobj._async_response(t, msg, num) if waitfor is None: # just doing a single check break return None, None def _finish_responses(self, fileobj): while fileobj in self._expecting.values(): self._read_response() fileobj._check_exception() def _convert_status(self, msg): """ Raises EOFError or IOError on error status; otherwise does nothing. """ code = msg.get_int() text = msg.get_text() if code == SFTP_OK: return elif code == SFTP_EOF: raise EOFError(text) elif code == SFTP_NO_SUCH_FILE: # clever idea from john a. meinel: map the error codes to errno raise IOError(errno.ENOENT, text) elif code == SFTP_PERMISSION_DENIED: raise IOError(errno.EACCES, text) else: raise IOError(text) def _adjust_cwd(self, path): """ Return an adjusted path if we're emulating a "current working directory" for the server. """ path = b(path) if self._cwd is None: return path if len(path) and path[0:1] == b_slash: # absolute path return path if self._cwd == b_slash: return self._cwd + path return self._cwd + b_slash + path class SFTP(SFTPClient): """ An alias for `.SFTPClient` for backwards compatibility. """ pass ��common.py��0000644��00000017114�15030210772�0006407 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Common constants and global variables. """ import logging import struct # # Formerly of py3compat.py. May be fully delete'able with a deeper look? # def byte_chr(c): assert isinstance(c, int) return struct.pack("B", c) def byte_mask(c, mask): assert isinstance(c, int) return struct.pack("B", c & mask) def byte_ord(c): # In case we're handed a string instead of an int. if not isinstance(c, int): c = ord(c) return c ( MSG_DISCONNECT, MSG_IGNORE, MSG_UNIMPLEMENTED, MSG_DEBUG, MSG_SERVICE_REQUEST, MSG_SERVICE_ACCEPT, MSG_EXT_INFO, ) = range(1, 8) (MSG_KEXINIT, MSG_NEWKEYS) = range(20, 22) ( MSG_USERAUTH_REQUEST, MSG_USERAUTH_FAILURE, MSG_USERAUTH_SUCCESS, MSG_USERAUTH_BANNER, ) = range(50, 54) MSG_USERAUTH_PK_OK = 60 (MSG_USERAUTH_INFO_REQUEST, MSG_USERAUTH_INFO_RESPONSE) = range(60, 62) (MSG_USERAUTH_GSSAPI_RESPONSE, MSG_USERAUTH_GSSAPI_TOKEN) = range(60, 62) ( MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, MSG_USERAUTH_GSSAPI_ERROR, MSG_USERAUTH_GSSAPI_ERRTOK, MSG_USERAUTH_GSSAPI_MIC, ) = range(63, 67) HIGHEST_USERAUTH_MESSAGE_ID = 79 (MSG_GLOBAL_REQUEST, MSG_REQUEST_SUCCESS, MSG_REQUEST_FAILURE) = range(80, 83) ( MSG_CHANNEL_OPEN, MSG_CHANNEL_OPEN_SUCCESS, MSG_CHANNEL_OPEN_FAILURE, MSG_CHANNEL_WINDOW_ADJUST, MSG_CHANNEL_DATA, MSG_CHANNEL_EXTENDED_DATA, MSG_CHANNEL_EOF, MSG_CHANNEL_CLOSE, MSG_CHANNEL_REQUEST, MSG_CHANNEL_SUCCESS, MSG_CHANNEL_FAILURE, ) = range(90, 101) cMSG_DISCONNECT = byte_chr(MSG_DISCONNECT) cMSG_IGNORE = byte_chr(MSG_IGNORE) cMSG_UNIMPLEMENTED = byte_chr(MSG_UNIMPLEMENTED) cMSG_DEBUG = byte_chr(MSG_DEBUG) cMSG_SERVICE_REQUEST = byte_chr(MSG_SERVICE_REQUEST) cMSG_SERVICE_ACCEPT = byte_chr(MSG_SERVICE_ACCEPT) cMSG_EXT_INFO = byte_chr(MSG_EXT_INFO) cMSG_KEXINIT = byte_chr(MSG_KEXINIT) cMSG_NEWKEYS = byte_chr(MSG_NEWKEYS) cMSG_USERAUTH_REQUEST = byte_chr(MSG_USERAUTH_REQUEST) cMSG_USERAUTH_FAILURE = byte_chr(MSG_USERAUTH_FAILURE) cMSG_USERAUTH_SUCCESS = byte_chr(MSG_USERAUTH_SUCCESS) cMSG_USERAUTH_BANNER = byte_chr(MSG_USERAUTH_BANNER) cMSG_USERAUTH_PK_OK = byte_chr(MSG_USERAUTH_PK_OK) cMSG_USERAUTH_INFO_REQUEST = byte_chr(MSG_USERAUTH_INFO_REQUEST) cMSG_USERAUTH_INFO_RESPONSE = byte_chr(MSG_USERAUTH_INFO_RESPONSE) cMSG_USERAUTH_GSSAPI_RESPONSE = byte_chr(MSG_USERAUTH_GSSAPI_RESPONSE) cMSG_USERAUTH_GSSAPI_TOKEN = byte_chr(MSG_USERAUTH_GSSAPI_TOKEN) cMSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE = byte_chr( MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE ) cMSG_USERAUTH_GSSAPI_ERROR = byte_chr(MSG_USERAUTH_GSSAPI_ERROR) cMSG_USERAUTH_GSSAPI_ERRTOK = byte_chr(MSG_USERAUTH_GSSAPI_ERRTOK) cMSG_USERAUTH_GSSAPI_MIC = byte_chr(MSG_USERAUTH_GSSAPI_MIC) cMSG_GLOBAL_REQUEST = byte_chr(MSG_GLOBAL_REQUEST) cMSG_REQUEST_SUCCESS = byte_chr(MSG_REQUEST_SUCCESS) cMSG_REQUEST_FAILURE = byte_chr(MSG_REQUEST_FAILURE) cMSG_CHANNEL_OPEN = byte_chr(MSG_CHANNEL_OPEN) cMSG_CHANNEL_OPEN_SUCCESS = byte_chr(MSG_CHANNEL_OPEN_SUCCESS) cMSG_CHANNEL_OPEN_FAILURE = byte_chr(MSG_CHANNEL_OPEN_FAILURE) cMSG_CHANNEL_WINDOW_ADJUST = byte_chr(MSG_CHANNEL_WINDOW_ADJUST) cMSG_CHANNEL_DATA = byte_chr(MSG_CHANNEL_DATA) cMSG_CHANNEL_EXTENDED_DATA = byte_chr(MSG_CHANNEL_EXTENDED_DATA) cMSG_CHANNEL_EOF = byte_chr(MSG_CHANNEL_EOF) cMSG_CHANNEL_CLOSE = byte_chr(MSG_CHANNEL_CLOSE) cMSG_CHANNEL_REQUEST = byte_chr(MSG_CHANNEL_REQUEST) cMSG_CHANNEL_SUCCESS = byte_chr(MSG_CHANNEL_SUCCESS) cMSG_CHANNEL_FAILURE = byte_chr(MSG_CHANNEL_FAILURE) # for debugging: MSG_NAMES = { MSG_DISCONNECT: "disconnect", MSG_IGNORE: "ignore", MSG_UNIMPLEMENTED: "unimplemented", MSG_DEBUG: "debug", MSG_SERVICE_REQUEST: "service-request", MSG_SERVICE_ACCEPT: "service-accept", MSG_KEXINIT: "kexinit", MSG_EXT_INFO: "ext-info", MSG_NEWKEYS: "newkeys", 30: "kex30", 31: "kex31", 32: "kex32", 33: "kex33", 34: "kex34", 40: "kex40", 41: "kex41", MSG_USERAUTH_REQUEST: "userauth-request", MSG_USERAUTH_FAILURE: "userauth-failure", MSG_USERAUTH_SUCCESS: "userauth-success", MSG_USERAUTH_BANNER: "userauth--banner", MSG_USERAUTH_PK_OK: "userauth-60(pk-ok/info-request)", MSG_USERAUTH_INFO_RESPONSE: "userauth-info-response", MSG_GLOBAL_REQUEST: "global-request", MSG_REQUEST_SUCCESS: "request-success", MSG_REQUEST_FAILURE: "request-failure", MSG_CHANNEL_OPEN: "channel-open", MSG_CHANNEL_OPEN_SUCCESS: "channel-open-success", MSG_CHANNEL_OPEN_FAILURE: "channel-open-failure", MSG_CHANNEL_WINDOW_ADJUST: "channel-window-adjust", MSG_CHANNEL_DATA: "channel-data", MSG_CHANNEL_EXTENDED_DATA: "channel-extended-data", MSG_CHANNEL_EOF: "channel-eof", MSG_CHANNEL_CLOSE: "channel-close", MSG_CHANNEL_REQUEST: "channel-request", MSG_CHANNEL_SUCCESS: "channel-success", MSG_CHANNEL_FAILURE: "channel-failure", MSG_USERAUTH_GSSAPI_RESPONSE: "userauth-gssapi-response", MSG_USERAUTH_GSSAPI_TOKEN: "userauth-gssapi-token", MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE: "userauth-gssapi-exchange-complete", MSG_USERAUTH_GSSAPI_ERROR: "userauth-gssapi-error", MSG_USERAUTH_GSSAPI_ERRTOK: "userauth-gssapi-error-token", MSG_USERAUTH_GSSAPI_MIC: "userauth-gssapi-mic", } # authentication request return codes: AUTH_SUCCESSFUL, AUTH_PARTIALLY_SUCCESSFUL, AUTH_FAILED = range(3) # channel request failed reasons: ( OPEN_SUCCEEDED, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED, OPEN_FAILED_CONNECT_FAILED, OPEN_FAILED_UNKNOWN_CHANNEL_TYPE, OPEN_FAILED_RESOURCE_SHORTAGE, ) = range(0, 5) CONNECTION_FAILED_CODE = { 1: "Administratively prohibited", 2: "Connect failed", 3: "Unknown channel type", 4: "Resource shortage", } ( DISCONNECT_SERVICE_NOT_AVAILABLE, DISCONNECT_AUTH_CANCELLED_BY_USER, DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE, ) = (7, 13, 14) zero_byte = byte_chr(0) one_byte = byte_chr(1) four_byte = byte_chr(4) max_byte = byte_chr(0xFF) cr_byte = byte_chr(13) linefeed_byte = byte_chr(10) crlf = cr_byte + linefeed_byte cr_byte_value = 13 linefeed_byte_value = 10 xffffffff = 0xFFFFFFFF x80000000 = 0x80000000 o666 = 438 o660 = 432 o644 = 420 o600 = 384 o777 = 511 o700 = 448 o70 = 56 DEBUG = logging.DEBUG INFO = logging.INFO WARNING = logging.WARNING ERROR = logging.ERROR CRITICAL = logging.CRITICAL # Common IO/select/etc sleep period, in seconds io_sleep = 0.01 DEFAULT_WINDOW_SIZE = 64 * 215 DEFAULT_MAX_PACKET_SIZE = 215 # lower bound on the max packet size we'll accept from the remote host # Minimum packet size is 32768 bytes according to # http://www.ietf.org/rfc/rfc4254.txt MIN_WINDOW_SIZE = 215 # However, according to http://www.ietf.org/rfc/rfc4253.txt it is perfectly # legal to accept a size much smaller, as OpenSSH client does as size 16384. MIN_PACKET_SIZE = 212 # Max windows size according to http://www.ietf.org/rfc/rfc4254.txt MAX_WINDOW_SIZE = 2*32 - 1 ��_version.py��0000644��00000000120�15030210772�0006730 0��ustar�00��__version_info__ = (3, 4, 1) __version__ = ".".join(map(str, __version_info__)) ��server.py��0000644��00000073371�15030210772�0006434 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ `.ServerInterface` is an interface to override for server support. """ import threading from paramiko import util from paramiko.common import ( DEBUG, ERROR, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED, AUTH_FAILED, AUTH_SUCCESSFUL, ) class ServerInterface: """ This class defines an interface for controlling the behavior of Paramiko in server mode. Methods on this class are called from Paramiko's primary thread, so you shouldn't do too much work in them. (Certainly nothing that blocks or sleeps.) """ def check_channel_request(self, kind, chanid): """ Determine if a channel request of a given type will be granted, and return ``OPEN_SUCCEEDED`` or an error code. This method is called in server mode when the client requests a channel, after authentication is complete. If you allow channel requests (and an ssh server that didn't would be useless), you should also override some of the channel request methods below, which are used to determine which services will be allowed on a given channel: - `check_channel_pty_request` - `check_channel_shell_request` - `check_channel_subsystem_request` - `check_channel_window_change_request` - `check_channel_x11_request` - `check_channel_forward_agent_request` The ``chanid`` parameter is a small number that uniquely identifies the channel within a `.Transport`. A `.Channel` object is not created unless this method returns ``OPEN_SUCCEEDED`` -- once a `.Channel` object is created, you can call `.Channel.get_id` to retrieve the channel ID. The return value should either be ``OPEN_SUCCEEDED`` (or ``0``) to allow the channel request, or one of the following error codes to reject it: - ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED`` - ``OPEN_FAILED_CONNECT_FAILED`` - ``OPEN_FAILED_UNKNOWN_CHANNEL_TYPE`` - ``OPEN_FAILED_RESOURCE_SHORTAGE`` The default implementation always returns ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED``. :param str kind: the kind of channel the client would like to open (usually ``"session"``). :param int chanid: ID of the channel :return: an `int` success or failure code (listed above) """ return OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED def get_allowed_auths(self, username): """ Return a list of authentication methods supported by the server. This list is sent to clients attempting to authenticate, to inform them of authentication methods that might be successful. The "list" is actually a string of comma-separated names of types of authentication. Possible values are ``"password"``, ``"publickey"``, and ``"none"``. The default implementation always returns ``"password"``. :param str username: the username requesting authentication. :return: a comma-separated `str` of authentication types """ return "password" def check_auth_none(self, username): """ Determine if a client may open channels with no (further) authentication. Return ``AUTH_FAILED`` if the client must authenticate, or ``AUTH_SUCCESSFUL`` if it's okay for the client to not authenticate. The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the client. :return: ``AUTH_FAILED`` if the authentication fails; ``AUTH_SUCCESSFUL`` if it succeeds. :rtype: int """ return AUTH_FAILED def check_auth_password(self, username, password): """ Determine if a given username and password supplied by the client is acceptable for use in authentication. Return ``AUTH_FAILED`` if the password is not accepted, ``AUTH_SUCCESSFUL`` if the password is accepted and completes the authentication, or ``AUTH_PARTIALLY_SUCCESSFUL`` if your authentication is stateful, and this key is accepted for authentication, but more authentication is required. (In this latter case, `get_allowed_auths` will be called to report to the client what options it has for continuing the authentication.) The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the authenticating client. :param str password: the password given by the client. :return: ``AUTH_FAILED`` if the authentication fails; ``AUTH_SUCCESSFUL`` if it succeeds; ``AUTH_PARTIALLY_SUCCESSFUL`` if the password auth is successful, but authentication must continue. :rtype: int """ return AUTH_FAILED def check_auth_publickey(self, username, key): """ Determine if a given key supplied by the client is acceptable for use in authentication. You should override this method in server mode to check the username and key and decide if you would accept a signature made using this key. Return ``AUTH_FAILED`` if the key is not accepted, ``AUTH_SUCCESSFUL`` if the key is accepted and completes the authentication, or ``AUTH_PARTIALLY_SUCCESSFUL`` if your authentication is stateful, and this password is accepted for authentication, but more authentication is required. (In this latter case, `get_allowed_auths` will be called to report to the client what options it has for continuing the authentication.) Note that you don't have to actually verify any key signtature here. If you're willing to accept the key, Paramiko will do the work of verifying the client's signature. The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the authenticating client :param .PKey key: the key object provided by the client :return: ``AUTH_FAILED`` if the client can't authenticate with this key; ``AUTH_SUCCESSFUL`` if it can; ``AUTH_PARTIALLY_SUCCESSFUL`` if it can authenticate with this key but must continue with authentication :rtype: int """ return AUTH_FAILED def check_auth_interactive(self, username, submethods): """ Begin an interactive authentication challenge, if supported. You should override this method in server mode if you want to support the ``"keyboard-interactive"`` auth type, which requires you to send a series of questions for the client to answer. Return ``AUTH_FAILED`` if this auth method isn't supported. Otherwise, you should return an `.InteractiveQuery` object containing the prompts and instructions for the user. The response will be sent via a call to `check_auth_interactive_response`. The default implementation always returns ``AUTH_FAILED``. :param str username: the username of the authenticating client :param str submethods: a comma-separated list of methods preferred by the client (usually empty) :return: ``AUTH_FAILED`` if this auth method isn't supported; otherwise an object containing queries for the user :rtype: int or `.InteractiveQuery` """ return AUTH_FAILED def check_auth_interactive_response(self, responses): """ Continue or finish an interactive authentication challenge, if supported. You should override this method in server mode if you want to support the ``"keyboard-interactive"`` auth type. Return ``AUTH_FAILED`` if the responses are not accepted, ``AUTH_SUCCESSFUL`` if the responses are accepted and complete the authentication, or ``AUTH_PARTIALLY_SUCCESSFUL`` if your authentication is stateful, and this set of responses is accepted for authentication, but more authentication is required. (In this latter case, `get_allowed_auths` will be called to report to the client what options it has for continuing the authentication.) If you wish to continue interactive authentication with more questions, you may return an `.InteractiveQuery` object, which should cause the client to respond with more answers, calling this method again. This cycle can continue indefinitely. The default implementation always returns ``AUTH_FAILED``. :param responses: list of `str` responses from the client :return: ``AUTH_FAILED`` if the authentication fails; ``AUTH_SUCCESSFUL`` if it succeeds; ``AUTH_PARTIALLY_SUCCESSFUL`` if the interactive auth is successful, but authentication must continue; otherwise an object containing queries for the user :rtype: int or `.InteractiveQuery` """ return AUTH_FAILED def check_auth_gssapi_with_mic( self, username, gss_authenticated=AUTH_FAILED, cc_file=None ): """ Authenticate the given user to the server if he is a valid krb5 principal. :param str username: The username of the authenticating client :param int gss_authenticated: The result of the krb5 authentication :param str cc_filename: The krb5 client credentials cache filename :return: ``AUTH_FAILED`` if the user is not authenticated otherwise ``AUTH_SUCCESSFUL`` :rtype: int :note: Kerberos credential delegation is not supported. :see: `.ssh_gss` :note: : We are just checking in L{AuthHandler} that the given user is a valid krb5 principal! We don't check if the krb5 principal is allowed to log in on the server, because there is no way to do that in python. So if you develop your own SSH server with paramiko for a certain platform like Linux, you should call C{krb5_kuserok()} in your local kerberos library to make sure that the krb5_principal has an account on the server and is allowed to log in as a user. :see: http://www.unix.com/man-page/all/3/krb5_kuserok/ """ if gss_authenticated == AUTH_SUCCESSFUL: return AUTH_SUCCESSFUL return AUTH_FAILED def check_auth_gssapi_keyex( self, username, gss_authenticated=AUTH_FAILED, cc_file=None ): """ Authenticate the given user to the server if he is a valid krb5 principal and GSS-API Key Exchange was performed. If GSS-API Key Exchange was not performed, this authentication method won't be available. :param str username: The username of the authenticating client :param int gss_authenticated: The result of the krb5 authentication :param str cc_filename: The krb5 client credentials cache filename :return: ``AUTH_FAILED`` if the user is not authenticated otherwise ``AUTH_SUCCESSFUL`` :rtype: int :note: Kerberos credential delegation is not supported. :see: `.ssh_gss` `.kex_gss` :note: : We are just checking in L{AuthHandler} that the given user is a valid krb5 principal! We don't check if the krb5 principal is allowed to log in on the server, because there is no way to do that in python. So if you develop your own SSH server with paramiko for a certain platform like Linux, you should call C{krb5_kuserok()} in your local kerberos library to make sure that the krb5_principal has an account on the server and is allowed to log in as a user. :see: http://www.unix.com/man-page/all/3/krb5_kuserok/ """ if gss_authenticated == AUTH_SUCCESSFUL: return AUTH_SUCCESSFUL return AUTH_FAILED def enable_auth_gssapi(self): """ Overwrite this function in your SSH server to enable GSSAPI authentication. The default implementation always returns false. :returns bool: Whether GSSAPI authentication is enabled. :see: `.ssh_gss` """ UseGSSAPI = False return UseGSSAPI def check_port_forward_request(self, address, port): """ Handle a request for port forwarding. The client is asking that connections to the given address and port be forwarded back across this ssh connection. An address of ``"0.0.0.0"`` indicates a global address (any address associated with this server) and a port of ``0`` indicates that no specific port is requested (usually the OS will pick a port). The default implementation always returns ``False``, rejecting the port forwarding request. If the request is accepted, you should return the port opened for listening. :param str address: the requested address :param int port: the requested port :return: the port number (`int`) that was opened for listening, or ``False`` to reject """ return False def cancel_port_forward_request(self, address, port): """ The client would like to cancel a previous port-forwarding request. If the given address and port is being forwarded across this ssh connection, the port should be closed. :param str address: the forwarded address :param int port: the forwarded port """ pass def check_global_request(self, kind, msg): """ Handle a global request of the given ``kind``. This method is called in server mode and client mode, whenever the remote host makes a global request. If there are any arguments to the request, they will be in ``msg``. There aren't any useful global requests defined, aside from port forwarding, so usually this type of request is an extension to the protocol. If the request was successful and you would like to return contextual data to the remote host, return a tuple. Items in the tuple will be sent back with the successful result. (Note that the items in the tuple can only be strings, ints, or bools.) The default implementation always returns ``False``, indicating that it does not support any global requests. .. note:: Port forwarding requests are handled separately, in `check_port_forward_request`. :param str kind: the kind of global request being made. :param .Message msg: any extra arguments to the request. :return: ``True`` or a `tuple` of data if the request was granted; ``False`` otherwise. """ return False # ...Channel requests... def check_channel_pty_request( self, channel, term, width, height, pixelwidth, pixelheight, modes ): """ Determine if a pseudo-terminal of the given dimensions (usually requested for shell access) can be provided on the given channel. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the pty request arrived on. :param str term: type of terminal requested (for example, ``"vt100"``). :param int width: width of screen in characters. :param int height: height of screen in characters. :param int pixelwidth: width of screen in pixels, if known (may be ``0`` if unknown). :param int pixelheight: height of screen in pixels, if known (may be ``0`` if unknown). :return: ``True`` if the pseudo-terminal has been allocated; ``False`` otherwise. """ return False def check_channel_shell_request(self, channel): """ Determine if a shell will be provided to the client on the given channel. If this method returns ``True``, the channel should be connected to the stdin/stdout of a shell (or something that acts like a shell). The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the request arrived on. :return: ``True`` if this channel is now hooked up to a shell; ``False`` if a shell can't or won't be provided. """ return False def check_channel_exec_request(self, channel, command): """ Determine if a shell command will be executed for the client. If this method returns ``True``, the channel should be connected to the stdin, stdout, and stderr of the shell command. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the request arrived on. :param str command: the command to execute. :return: ``True`` if this channel is now hooked up to the stdin, stdout, and stderr of the executing command; ``False`` if the command will not be executed. .. versionadded:: 1.1 """ return False def check_channel_subsystem_request(self, channel, name): """ Determine if a requested subsystem will be provided to the client on the given channel. If this method returns ``True``, all future I/O through this channel will be assumed to be connected to the requested subsystem. An example of a subsystem is ``sftp``. The default implementation checks for a subsystem handler assigned via `.Transport.set_subsystem_handler`. If one has been set, the handler is invoked and this method returns ``True``. Otherwise it returns ``False``. .. note:: Because the default implementation uses the `.Transport` to identify valid subsystems, you probably won't need to override this method. :param .Channel channel: the `.Channel` the pty request arrived on. :param str name: name of the requested subsystem. :return: ``True`` if this channel is now hooked up to the requested subsystem; ``False`` if that subsystem can't or won't be provided. """ transport = channel.get_transport() handler_class, args, kwargs = transport._get_subsystem_handler(name) if handler_class is None: return False handler = handler_class(channel, name, self, args, *kwargs) handler.start() return True def check_channel_window_change_request( self, channel, width, height, pixelwidth, pixelheight ): """ Determine if the pseudo-terminal on the given channel can be resized. This only makes sense if a pty was previously allocated on it. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the pty request arrived on. :param int width: width of screen in characters. :param int height: height of screen in characters. :param int pixelwidth: width of screen in pixels, if known (may be ``0`` if unknown). :param int pixelheight: height of screen in pixels, if known (may be ``0`` if unknown). :return: ``True`` if the terminal was resized; ``False`` if not. """ return False def check_channel_x11_request( self, channel, single_connection, auth_protocol, auth_cookie, screen_number, ): """ Determine if the client will be provided with an X11 session. If this method returns ``True``, X11 applications should be routed through new SSH channels, using `.Transport.open_x11_channel`. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the X11 request arrived on :param bool single_connection: ``True`` if only a single X11 channel should be opened, else ``False``. :param str auth_protocol: the protocol used for X11 authentication :param str auth_cookie: the cookie used to authenticate to X11 :param int screen_number: the number of the X11 screen to connect to :return: ``True`` if the X11 session was opened; ``False`` if not """ return False def check_channel_forward_agent_request(self, channel): """ Determine if the client will be provided with an forward agent session. If this method returns ``True``, the server will allow SSH Agent forwarding. The default implementation always returns ``False``. :param .Channel channel: the `.Channel` the request arrived on :return: ``True`` if the AgentForward was loaded; ``False`` if not If ``True`` is returned, the server should create an :class:`AgentServerProxy` to access the agent. """ return False def check_channel_direct_tcpip_request(self, chanid, origin, destination): """ Determine if a local port forwarding channel will be granted, and return ``OPEN_SUCCEEDED`` or an error code. This method is called in server mode when the client requests a channel, after authentication is complete. The ``chanid`` parameter is a small number that uniquely identifies the channel within a `.Transport`. A `.Channel` object is not created unless this method returns ``OPEN_SUCCEEDED`` -- once a `.Channel` object is created, you can call `.Channel.get_id` to retrieve the channel ID. The origin and destination parameters are (ip_address, port) tuples that correspond to both ends of the TCP connection in the forwarding tunnel. The return value should either be ``OPEN_SUCCEEDED`` (or ``0``) to allow the channel request, or one of the following error codes to reject it: - ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED`` - ``OPEN_FAILED_CONNECT_FAILED`` - ``OPEN_FAILED_UNKNOWN_CHANNEL_TYPE`` - ``OPEN_FAILED_RESOURCE_SHORTAGE`` The default implementation always returns ``OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED``. :param int chanid: ID of the channel :param tuple origin: 2-tuple containing the IP address and port of the originator (client side) :param tuple destination: 2-tuple containing the IP address and port of the destination (server side) :return: an `int` success or failure code (listed above) """ return OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED def check_channel_env_request(self, channel, name, value): """ Check whether a given environment variable can be specified for the given channel. This method should return ``True`` if the server is willing to set the specified environment variable. Note that some environment variables (e.g., PATH) can be exceedingly dangerous, so blindly allowing the client to set the environment is almost certainly not a good idea. The default implementation always returns ``False``. :param channel: the `.Channel` the env request arrived on :param str name: name :param str value: Channel value :returns: A boolean """ return False def get_banner(self): """ A pre-login banner to display to the user. The message may span multiple lines separated by crlf pairs. The language should be in rfc3066 style, for example: en-US The default implementation always returns ``(None, None)``. :returns: A tuple containing the banner and language code. .. versionadded:: 2.3 """ return (None, None) class InteractiveQuery: """ A query (set of prompts) for a user during interactive authentication. """ def __init__(self, name="", instructions="", prompts): """ Create a new interactive query to send to the client. The name and instructions are optional, but are generally displayed to the end user. A list of prompts may be included, or they may be added via the `add_prompt` method. :param str name: name of this query :param str instructions: user instructions (usually short) about this query :param str prompts: one or more authentication prompts """ self.name = name self.instructions = instructions self.prompts = [] for x in prompts: if isinstance(x, str): self.add_prompt(x) else: self.add_prompt(x[0], x[1]) def add_prompt(self, prompt, echo=True): """ Add a prompt to this query. The prompt should be a (reasonably short) string. Multiple prompts can be added to the same query. :param str prompt: the user prompt :param bool echo: ``True`` (default) if the user's response should be echoed; ``False`` if not (for a password or similar) """ self.prompts.append((prompt, echo)) class SubsystemHandler(threading.Thread): """ Handler for a subsystem in server mode. If you create a subclass of this class and pass it to `.Transport.set_subsystem_handler`, an object of this class will be created for each request for this subsystem. Each new object will be executed within its own new thread by calling `start_subsystem`. When that method completes, the channel is closed. For example, if you made a subclass ``MP3Handler`` and registered it as the handler for subsystem ``"mp3"``, then whenever a client has successfully authenticated and requests subsystem ``"mp3"``, an object of class ``MP3Handler`` will be created, and `start_subsystem` will be called on it from a new thread. """ def __init__(self, channel, name, server): """ Create a new handler for a channel. This is used by `.ServerInterface` to start up a new handler when a channel requests this subsystem. You don't need to override this method, but if you do, be sure to pass the ``channel`` and ``name`` parameters through to the original ``__init__`` method here. :param .Channel channel: the channel associated with this subsystem request. :param str name: name of the requested subsystem. :param .ServerInterface server: the server object for the session that started this subsystem """ threading.Thread.__init__(self, target=self._run) self.__channel = channel self.__transport = channel.get_transport() self.__name = name self.__server = server def get_server(self): """ Return the `.ServerInterface` object associated with this channel and subsystem. """ return self.__server def _run(self): try: self.__transport._log( DEBUG, "Starting handler for subsystem {}".format(self.__name) ) self.start_subsystem(self.__name, self.__transport, self.__channel) except Exception as e: self.__transport._log( ERROR, 'Exception in subsystem handler for "{}": {}'.format( self.__name, e ), ) self.__transport._log(ERROR, util.tb_strings()) try: self.finish_subsystem() except: pass def start_subsystem(self, name, transport, channel): """ Process an ssh subsystem in server mode. This method is called on a new object (and in a new thread) for each subsystem request. It is assumed that all subsystem logic will take place here, and when the subsystem is finished, this method will return. After this method returns, the channel is closed. The combination of ``transport`` and ``channel`` are unique; this handler corresponds to exactly one `.Channel` on one `.Transport`. .. note:: It is the responsibility of this method to exit if the underlying `.Transport` is closed. This can be done by checking `.Transport.is_active` or noticing an EOF on the `.Channel`. If this method loops forever without checking for this case, your Python interpreter may refuse to exit because this thread will still be running. :param str name: name of the requested subsystem. :param .Transport transport: the server-mode `.Transport`. :param .Channel channel: the channel associated with this subsystem request. """ pass def finish_subsystem(self): """ Perform any cleanup at the end of a subsystem. The default implementation just closes the channel. .. versionadded:: 1.1 """ self.__channel.close() ��kex_ecdh_nist.py��0000644��00000011624�15030210772�0007726 0��ustar�00��""" Ephemeral Elliptic Curve Diffie-Hellman (ECDH) key exchange RFC 5656, Section 4 """ from hashlib import sha256, sha384, sha512 from paramiko.common import byte_chr from paramiko.message import Message from paramiko.ssh_exception import SSHException from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives import serialization from binascii import hexlify _MSG_KEXECDH_INIT, _MSG_KEXECDH_REPLY = range(30, 32) c_MSG_KEXECDH_INIT, c_MSG_KEXECDH_REPLY = [byte_chr(c) for c in range(30, 32)] class KexNistp256: name = "ecdh-sha2-nistp256" hash_algo = sha256 curve = ec.SECP256R1() def __init__(self, transport): self.transport = transport # private key, client public and server public keys self.P = 0 self.Q_C = None self.Q_S = None def start_kex(self): self._generate_key_pair() if self.transport.server_mode: self.transport._expect_packet(_MSG_KEXECDH_INIT) return m = Message() m.add_byte(c_MSG_KEXECDH_INIT) # SEC1: V2.0 2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion m.add_string( self.Q_C.public_bytes( serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint, ) ) self.transport._send_message(m) self.transport._expect_packet(_MSG_KEXECDH_REPLY) def parse_next(self, ptype, m): if self.transport.server_mode and (ptype == _MSG_KEXECDH_INIT): return self._parse_kexecdh_init(m) elif not self.transport.server_mode and (ptype == _MSG_KEXECDH_REPLY): return self._parse_kexecdh_reply(m) raise SSHException( "KexECDH asked to handle packet type {:d}".format(ptype) ) def _generate_key_pair(self): self.P = ec.generate_private_key(self.curve, default_backend()) if self.transport.server_mode: self.Q_S = self.P.public_key() return self.Q_C = self.P.public_key() def _parse_kexecdh_init(self, m): Q_C_bytes = m.get_string() self.Q_C = ec.EllipticCurvePublicKey.from_encoded_point( self.curve, Q_C_bytes ) K_S = self.transport.get_server_key().asbytes() K = self.P.exchange(ec.ECDH(), self.Q_C) K = int(hexlify(K), 16) # compute exchange hash hm = Message() hm.add( self.transport.remote_version, self.transport.local_version, self.transport.remote_kex_init, self.transport.local_kex_init, ) hm.add_string(K_S) hm.add_string(Q_C_bytes) # SEC1: V2.0 2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion hm.add_string( self.Q_S.public_bytes( serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint, ) ) hm.add_mpint(int(K)) H = self.hash_algo(hm.asbytes()).digest() self.transport._set_K_H(K, H) sig = self.transport.get_server_key().sign_ssh_data( H, self.transport.host_key_type ) # construct reply m = Message() m.add_byte(c_MSG_KEXECDH_REPLY) m.add_string(K_S) m.add_string( self.Q_S.public_bytes( serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint, ) ) m.add_string(sig) self.transport._send_message(m) self.transport._activate_outbound() def _parse_kexecdh_reply(self, m): K_S = m.get_string() Q_S_bytes = m.get_string() self.Q_S = ec.EllipticCurvePublicKey.from_encoded_point( self.curve, Q_S_bytes ) sig = m.get_binary() K = self.P.exchange(ec.ECDH(), self.Q_S) K = int(hexlify(K), 16) # compute exchange hash and verify signature hm = Message() hm.add( self.transport.local_version, self.transport.remote_version, self.transport.local_kex_init, self.transport.remote_kex_init, ) hm.add_string(K_S) # SEC1: V2.0 2.3.3 Elliptic-Curve-Point-to-Octet-String Conversion hm.add_string( self.Q_C.public_bytes( serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint, ) ) hm.add_string(Q_S_bytes) hm.add_mpint(K) self.transport._set_K_H(K, self.hash_algo(hm.asbytes()).digest()) self.transport._verify_key(K_S, sig) self.transport._activate_outbound() class KexNistp384(KexNistp256): name = "ecdh-sha2-nistp384" hash_algo = sha384 curve = ec.SECP384R1() class KexNistp521(KexNistp256): name = "ecdh-sha2-nistp521" hash_algo = sha512 curve = ec.SECP521R1() ��sftp_handle.py��0000644��00000016400�15030210772�0007403 0��ustar�00��# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. """ Abstraction of an SFTP file handle (for server mode). """ import os from paramiko.sftp import SFTP_OP_UNSUPPORTED, SFTP_OK from paramiko.util import ClosingContextManager class SFTPHandle(ClosingContextManager): """ Abstract object representing a handle to an open file (or folder) in an SFTP server implementation. Each handle has a string representation used by the client to refer to the underlying file. Server implementations can (and should) subclass SFTPHandle to implement features of a file handle, like `stat` or `chattr`. Instances of this class may be used as context managers. """ def __init__(self, flags=0): """ Create a new file handle representing a local file being served over SFTP. If ``flags`` is passed in, it's used to determine if the file is open in append mode. :param int flags: optional flags as passed to `.SFTPServerInterface.open` """ self.__flags = flags self.__name = None # only for handles to folders: self.__files = {} self.__tell = None def close(self): """ When a client closes a file, this method is called on the handle. Normally you would use this method to close the underlying OS level file object(s). The default implementation checks for attributes on ``self`` named ``readfile`` and/or ``writefile``, and if either or both are present, their ``close()`` methods are called. This means that if you are using the default implementations of `read` and `write`, this method's default implementation should be fine also. """ readfile = getattr(self, "readfile", None) if readfile is not None: readfile.close() writefile = getattr(self, "writefile", None) if writefile is not None: writefile.close() def read(self, offset, length): """ Read up to ``length`` bytes from this file, starting at position ``offset``. The offset may be a Python long, since SFTP allows it to be 64 bits. If the end of the file has been reached, this method may return an empty string to signify EOF, or it may also return ``SFTP_EOF``. The default implementation checks for an attribute on ``self`` named ``readfile``, and if present, performs the read operation on the Python file-like object found there. (This is meant as a time saver for the common case where you are wrapping a Python file object.) :param offset: position in the file to start reading from. :param int length: number of bytes to attempt to read. :return: the `bytes` read, or an error code `int`. """ readfile = getattr(self, "readfile", None) if readfile is None: return SFTP_OP_UNSUPPORTED try: if self.__tell is None: self.__tell = readfile.tell() if offset != self.__tell: readfile.seek(offset) self.__tell = offset data = readfile.read(length) except IOError as e: self.__tell = None return SFTPServer.convert_errno(e.errno) self.__tell += len(data) return data def write(self, offset, data): """ Write ``data`` into this file at position ``offset``. Extending the file past its original end is expected. Unlike Python's normal ``write()`` methods, this method cannot do a partial write: it must write all of ``data`` or else return an error. The default implementation checks for an attribute on ``self`` named ``writefile``, and if present, performs the write operation on the Python file-like object found there. The attribute is named differently from ``readfile`` to make it easy to implement read-only (or write-only) files, but if both attributes are present, they should refer to the same file. :param offset: position in the file to start reading from. :param bytes data: data to write into the file. :return: an SFTP error code like ``SFTP_OK``. """ writefile = getattr(self, "writefile", None) if writefile is None: return SFTP_OP_UNSUPPORTED try: # in append mode, don't care about seeking if (self.__flags & os.O_APPEND) == 0: if self.__tell is None: self.__tell = writefile.tell() if offset != self.__tell: writefile.seek(offset) self.__tell = offset writefile.write(data) writefile.flush() except IOError as e: self.__tell = None return SFTPServer.convert_errno(e.errno) if self.__tell is not None: self.__tell += len(data) return SFTP_OK def stat(self): """ Return an `.SFTPAttributes` object referring to this open file, or an error code. This is equivalent to `.SFTPServerInterface.stat`, except it's called on an open file instead of a path. :return: an attributes object for the given file, or an SFTP error code (like ``SFTP_PERMISSION_DENIED``). :rtype: `.SFTPAttributes` or error code """ return SFTP_OP_UNSUPPORTED def chattr(self, attr): """ Change the attributes of this file. The ``attr`` object will contain only those fields provided by the client in its request, so you should check for the presence of fields before using them. :param .SFTPAttributes attr: the attributes to change on this file. :return: an `int` error code like ``SFTP_OK``. """ return SFTP_OP_UNSUPPORTED # ...internals... def _set_files(self, files): """ Used by the SFTP server code to cache a directory listing. (In the SFTP protocol, listing a directory is a multi-stage process requiring a temporary handle.) """ self.__files = files def _get_next_files(self): """ Used by the SFTP server code to retrieve a cached directory listing. """ fnlist = self.__files[:16] self.__files = self.__files[16:] return fnlist def _get_name(self): return self.__name def _set_name(self, name): self.__name = name from paramiko.sftp_server import SFTPServer ��__init__.py��0000644��00000010536�15030210772�0006657 0��ustar�00��# Copyright (C) 2003-2011 Robey Pointer <robeypointer@gmail.com> # # This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # flake8: noqa import sys from paramiko._version import __version__, __version_info__ from paramiko.transport import ( SecurityOptions, ServiceRequestingTransport, Transport, ) from paramiko.client import ( AutoAddPolicy, MissingHostKeyPolicy, RejectPolicy, SSHClient, WarningPolicy, ) from paramiko.auth_handler import AuthHandler from paramiko.auth_strategy import ( AuthFailure, AuthStrategy, AuthResult, AuthSource, InMemoryPrivateKey, NoneAuth, OnDiskPrivateKey, Password, PrivateKey, SourceResult, ) from paramiko.ssh_gss import GSSAuth, GSS_AUTH_AVAILABLE, GSS_EXCEPTIONS from paramiko.channel import ( Channel, ChannelFile, ChannelStderrFile, ChannelStdinFile, ) from paramiko.ssh_exception import ( AuthenticationException, BadAuthenticationType, BadHostKeyException, ChannelException, ConfigParseError, CouldNotCanonicalize, IncompatiblePeer, MessageOrderError, PasswordRequiredException, ProxyCommandFailure, SSHException, ) from paramiko.server import ServerInterface, SubsystemHandler, InteractiveQuery from paramiko.rsakey import RSAKey from paramiko.dsskey import DSSKey from paramiko.ecdsakey import ECDSAKey from paramiko.ed25519key import Ed25519Key from paramiko.sftp import SFTPError, BaseSFTP from paramiko.sftp_client import SFTP, SFTPClient from paramiko.sftp_server import SFTPServer from paramiko.sftp_attr import SFTPAttributes from paramiko.sftp_handle import SFTPHandle from paramiko.sftp_si import SFTPServerInterface from paramiko.sftp_file import SFTPFile from paramiko.message import Message from paramiko.packet import Packetizer from paramiko.file import BufferedFile from paramiko.agent import Agent, AgentKey from paramiko.pkey import PKey, PublicBlob, UnknownKeyType from paramiko.hostkeys import HostKeys from paramiko.config import SSHConfig, SSHConfigDict from paramiko.proxy import ProxyCommand from paramiko.common import ( AUTH_SUCCESSFUL, AUTH_PARTIALLY_SUCCESSFUL, AUTH_FAILED, OPEN_SUCCEEDED, OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED, OPEN_FAILED_CONNECT_FAILED, OPEN_FAILED_UNKNOWN_CHANNEL_TYPE, OPEN_FAILED_RESOURCE_SHORTAGE, ) from paramiko.sftp import ( SFTP_OK, SFTP_EOF, SFTP_NO_SUCH_FILE, SFTP_PERMISSION_DENIED, SFTP_FAILURE, SFTP_BAD_MESSAGE, SFTP_NO_CONNECTION, SFTP_CONNECTION_LOST, SFTP_OP_UNSUPPORTED, ) from paramiko.common import io_sleep # TODO: I guess a real plugin system might be nice for future expansion... key_classes = [DSSKey, RSAKey, Ed25519Key, ECDSAKey] __author__ = "Jeff Forcier <jeff@bitprophet.org>" __license__ = "GNU Lesser General Public License (LGPL)" # TODO 4.0: remove this, jeez __all__ = [ "Agent", "AgentKey", "AuthenticationException", "AutoAddPolicy", "BadAuthenticationType", "BadHostKeyException", "BufferedFile", "Channel", "ChannelException", "ConfigParseError", "CouldNotCanonicalize", "DSSKey", "ECDSAKey", "Ed25519Key", "HostKeys", "Message", "MissingHostKeyPolicy", "PKey", "PasswordRequiredException", "ProxyCommand", "ProxyCommandFailure", "RSAKey", "RejectPolicy", "SFTP", "SFTPAttributes", "SFTPClient", "SFTPError", "SFTPFile", "SFTPHandle", "SFTPServer", "SFTPServerInterface", "SSHClient", "SSHConfig", "SSHConfigDict", "SSHException", "SecurityOptions", "ServerInterface", "SubsystemHandler", "Transport", "WarningPolicy", "io_sleep", "util", ] ��ed25519key.py��0000644��00000016441�15030210772�0006630 0��ustar�00��# This file is part of paramiko. # # Paramiko is free software; you can redistribute it and/or modify it under the # terms of the GNU Lesser General Public License as published by the Free # Software Foundation; either version 2.1 of the License, or (at your option) # any later version. # # Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more # details. # # You should have received a copy of the GNU Lesser General Public License # along with Paramiko; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. import bcrypt from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.ciphers import Cipher import nacl.signing from paramiko.message import Message from paramiko.pkey import PKey, OPENSSH_AUTH_MAGIC, _unpad_openssh from paramiko.util import b from paramiko.ssh_exception import SSHException, PasswordRequiredException class Ed25519Key(PKey): """ Representation of an `Ed25519 <https://ed25519.cr.yp.to/>`_ key. .. note:: Ed25519 key support was added to OpenSSH in version 6.5. .. versionadded:: 2.2 .. versionchanged:: 2.3 Added a ``file_obj`` parameter to match other key classes. """ name = "ssh-ed25519" def __init__( self, msg=None, data=None, filename=None, password=None, file_obj=None ): self.public_blob = None verifying_key = signing_key = None if msg is None and data is not None: msg = Message(data) if msg is not None: self._check_type_and_load_cert( msg=msg, key_type=self.name, cert_type="ssh-ed25519-cert-v01@openssh.com", ) verifying_key = nacl.signing.VerifyKey(msg.get_binary()) elif filename is not None: with open(filename, "r") as f: pkformat, data = self._read_private_key("OPENSSH", f) elif file_obj is not None: pkformat, data = self._read_private_key("OPENSSH", file_obj) if filename or file_obj: signing_key = self._parse_signing_key_data(data, password) if signing_key is None and verifying_key is None: raise ValueError("need a key") self._signing_key = signing_key self._verifying_key = verifying_key def _parse_signing_key_data(self, data, password): from paramiko.transport import Transport # We may eventually want this to be usable for other key types, as # OpenSSH moves to it, but for now this is just for Ed25519 keys. # This format is described here: # https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key # The description isn't totally complete, and I had to refer to the # source for a full implementation. message = Message(data) if message.get_bytes(len(OPENSSH_AUTH_MAGIC)) != OPENSSH_AUTH_MAGIC: raise SSHException("Invalid key") ciphername = message.get_text() kdfname = message.get_text() kdfoptions = message.get_binary() num_keys = message.get_int() if kdfname == "none": # kdfname of "none" must have an empty kdfoptions, the ciphername # must be "none" if kdfoptions or ciphername != "none": raise SSHException("Invalid key") elif kdfname == "bcrypt": if not password: raise PasswordRequiredException( "Private key file is encrypted" ) kdf = Message(kdfoptions) bcrypt_salt = kdf.get_binary() bcrypt_rounds = kdf.get_int() else: raise SSHException("Invalid key") if ciphername != "none" and ciphername not in Transport._cipher_info: raise SSHException("Invalid key") public_keys = [] for _ in range(num_keys): pubkey = Message(message.get_binary()) if pubkey.get_text() != self.name: raise SSHException("Invalid key") public_keys.append(pubkey.get_binary()) private_ciphertext = message.get_binary() if ciphername == "none": private_data = private_ciphertext else: cipher = Transport._cipher_info[ciphername] key = bcrypt.kdf( password=b(password), salt=bcrypt_salt, desired_key_bytes=cipher["key-size"] + cipher["block-size"], rounds=bcrypt_rounds, # We can't control how many rounds are on disk, so no sense # warning about it. ignore_few_rounds=True, ) decryptor = Cipher( cipher["class"](key[: cipher["key-size"]]), cipher["mode"](key[cipher["key-size"] :]), backend=default_backend(), ).decryptor() private_data = ( decryptor.update(private_ciphertext) + decryptor.finalize() ) message = Message(_unpad_openssh(private_data)) if message.get_int() != message.get_int(): raise SSHException("Invalid key") signing_keys = [] for i in range(num_keys): if message.get_text() != self.name: raise SSHException("Invalid key") # A copy of the public key, again, ignore. public = message.get_binary() key_data = message.get_binary() # The second half of the key data is yet another copy of the public # key... signing_key = nacl.signing.SigningKey(key_data[:32]) # Verify that all the public keys are the same... assert ( signing_key.verify_key.encode() == public == public_keys[i] == key_data[32:] ) signing_keys.append(signing_key) # Comment, ignore. message.get_binary() if len(signing_keys) != 1: raise SSHException("Invalid key") return signing_keys[0] def asbytes(self): if self.can_sign(): v = self._signing_key.verify_key else: v = self._verifying_key m = Message() m.add_string(self.name) m.add_string(v.encode()) return m.asbytes() @property def _fields(self): if self.can_sign(): v = self._signing_key.verify_key else: v = self._verifying_key return (self.get_name(), v) # TODO 4.0: remove def get_name(self): return self.name def get_bits(self): return 256 def can_sign(self): return self._signing_key is not None def sign_ssh_data(self, data, algorithm=None): m = Message() m.add_string(self.name) m.add_string(self._signing_key.sign(data).signature) return m def verify_ssh_sig(self, data, msg): if msg.get_text() != self.name: return False try: self._verifying_key.verify(data, msg.get_binary()) except nacl.exceptions.BadSignatureError: return False else: return True ��

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.06 | proxy | phpinfo | Settings