twisted.conch.ssh.userauth.SSHUserAuthServer

class documentation

class SSHUserAuthServer(service.SSHService): (source)

A service implementing the server side of the 'ssh-userauth' service. It is used to authenticate the user on the other side as being able to access this server.

Method	`auth_password`	Password authentication. Payload:
Method	`auth_publickey`	Public key authentication. Payload:
Method	`serviceStarted`	Called when the userauth service is started. Set up instance variables, check if we should allow password authentication (only allow if the outgoing connection is encrypted) and set up a login timeout.
Method	`serviceStopped`	Called when the userauth service is stopped. Cancel the login timeout if it's still going.
Method	`ssh_USERAUTH_REQUEST`	The client has requested authentication. Payload:
Method	`timeoutAuthentication`	Called when the user has timed out on authentication. Disconnect with a DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE message.
Method	`tryAuth`	Try to authenticate the user with the given method. Dispatches to a auth_* method.
Instance Variable	`attemptsBeforeDisconnect`	the number of failed login attempts we allow before disconnecting.
Instance Variable	`authenticatedWith`	a list of authentication methods that have already been used.
Instance Variable	`clock`	an object with a callLater method. Stubbed out for testing.
Instance Variable	`interfaceToMethod`	a `dict` mapping credential interfaces to authentication methods. The server checks to see which of the cred interfaces have checkers and tells the client that those methods are valid for authentication.
Instance Variable	`loginAttempts`	the number of login attempts that have been made
Instance Variable	`loginTimeout`	the number of seconds we wait before disconnecting the user for taking too long to authenticate
Instance Variable	`method`	the current authentication method
Instance Variable	`name`	the name of this service: 'ssh-userauth'
Instance Variable	`nextService`	the service the user wants started after authentication has been completed.
Instance Variable	`passwordDelay`	the number of seconds to delay when the user gives an incorrect password
Instance Variable	`portal`	the `twisted.cred.portal.Portal` we are using for authentication
Instance Variable	`supportedAuthentications`	A list of the supported authentication methods.
Instance Variable	`user`	the last username the client tried to authenticate with
Static Method	`_wrapMessageWithSKMetadata`	Wraps the SSH user auth message request with security key information. This blob will be verified against the signature. See https://github.com/openssh/openssh-portable/blob/a4aa090a3d40dddb07d5ebebc501f6457541a501/PROTOCOL.u2f#L176...
Method	`_cbFinishedAuth`	The callback when user has successfully been authenticated. For a description of the arguments, see `twisted.cred.portal.Portal.login`. We start the service requested by the user.
Method	`_ebBadAuth`	The final errback in the authentication chain. If the reason is error.IgnoreAuthentication, we simply return; the authentication method has sent its own response. Otherwise, send a failure message and (if the method is not 'none') increment the number of login attempts.
Method	`_ebCheckKey`	Called back if the user did not sent a signature. If reason is error.ValidPublicKey then this key is valid for the user to authenticate with. Send MSG_USERAUTH_PK_OK.
Method	`_ebMaybeBadAuth`	An intermediate errback. If the reason is error.NotEnoughAuthentication, we send a MSG_USERAUTH_FAILURE, but with the partial success indicator set.
Method	`_ebPassword`	If the password is invalid, wait before sending the failure in order to delay brute-force password guessing.
Class Variable	`_log`	Undocumented
Instance Variable	`_cancelLoginTimeout`	Undocumented

Inherited from SSHService:

Method	`logPrefix`	Undocumented
Method	`packetReceived`	called when we receive a packet on the transport
Class Variable	`protocolMessages`	Undocumented
Class Variable	`transport`	Undocumented

def auth_password(self, packet): (source) ¶

Password authentication. Payload:

    string password

Make a UsernamePassword credential and verify it with our portal.

def auth_publickey(self, packet: bytes) -> Deferred[_ConchPortalTuple]: (source) ¶

Public key authentication. Payload:

    byte has signature
    string algorithm name
    string key blob
    [string signature] (if has signature is True)

Create a SSHPublicKey credential and verify it using our portal.

def serviceStarted(self): (source) ¶

overrides twisted.conch.ssh.service.SSHService.serviceStarted

Called when the userauth service is started. Set up instance variables, check if we should allow password authentication (only allow if the outgoing connection is encrypted) and set up a login timeout.

def serviceStopped(self): (source) ¶

overrides twisted.conch.ssh.service.SSHService.serviceStopped

Called when the userauth service is stopped. Cancel the login timeout if it's still going.

def ssh_USERAUTH_REQUEST(self, packet: bytes) -> Deferred[_ConchPortalTuple] | None: (source) ¶

The client has requested authentication. Payload:

    string user
    string next service
    string method
    <authentication specific data>

Parameters
packet:`bytes`	Undocumented

Returns
`Deferred[_ConchPortalTuple] \| None`	Undocumented

def timeoutAuthentication(self): (source) ¶

Called when the user has timed out on authentication. Disconnect with a DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE message.

def tryAuth(self, kind: bytes, user: bytes, data: bytes) -> Deferred[_ConchPortalTuple]: (source) ¶

Try to authenticate the user with the given method. Dispatches to a auth_* method.

Parameters
kind:`bytes`	the authentication method to try.
user:`bytes`	the username the client is authenticating with.
data:`bytes`	authentication specific data sent by the client.

Returns
`Deferred[_ConchPortalTuple]`	A Deferred called back if the method succeeded, or erred back if it failed.

attemptsBeforeDisconnect: int = (source) ¶

the number of failed login attempts we allow before disconnecting.

authenticatedWith: list = (source) ¶

a list of authentication methods that have already been used.

clock: IReactorTime = (source) ¶

an object with a callLater method. Stubbed out for testing.

interfaceToMethod: dict = (source) ¶

a dict mapping credential interfaces to authentication methods. The server checks to see which of the cred interfaces have checkers and tells the client that those methods are valid for authentication.

loginAttempts: int = (source) ¶

the number of login attempts that have been made

loginTimeout: int = (source) ¶

the number of seconds we wait before disconnecting the user for taking too long to authenticate

method: bytes = (source) ¶

the current authentication method

name: bytes = (source) ¶

overrides twisted.conch.ssh.service.SSHService.name

the name of this service: 'ssh-userauth'

nextService: bytes = (source) ¶

the service the user wants started after authentication has been completed.

passwordDelay: int = (source) ¶

the number of seconds to delay when the user gives an incorrect password

portal: twisted.cred.portal.Portal = (source) ¶

the twisted.cred.portal.Portal we are using for authentication

supportedAuthentications: list of bytes = (source) ¶

A list of the supported authentication methods.

user: bytes = (source) ¶

the last username the client tried to authenticate with

@staticmethod

def _wrapMessageWithSKMetadata(signature, messageToBeValidated, application): (source) ¶

Wraps the SSH user auth message request with security key information. This blob will be verified against the signature. See https://github.com/openssh/openssh-portable/blob/a4aa090a3d40dddb07d5ebebc501f6457541a501/PROTOCOL.u2f#L176

In addition to the message to be signed, the U2F signature operation requires the key handle and a few additional parameters. The signature is signed over a blob that consists of:

    byte[32]    SHA256(application)
    byte                flags (including "user present", extensions present)
    uint32              counter
    byte[]              extensions
    byte[32]    SHA256(message)

The signature format used on the wire in SSH2_USERAUTH_REQUEST:

    string              "sk-ecdsa-sha2-nistp256@openssh.com" or "sk-ssh-ed25519@openssh.com"
    string              signature
    byte                flags
    uint32              counter

def _cbFinishedAuth(self, result: _ConchPortalTuple): (source) ¶

The callback when user has successfully been authenticated. For a description of the arguments, see twisted.cred.portal.Portal.login. We start the service requested by the user.

def _ebBadAuth(self, reason): (source) ¶

The final errback in the authentication chain. If the reason is error.IgnoreAuthentication, we simply return; the authentication method has sent its own response. Otherwise, send a failure message and (if the method is not 'none') increment the number of login attempts.

Parameters
reason:`twisted.python.failure.Failure`	Undocumented

def _ebCheckKey(self, reason: failure.Failure, packet: bytes) -> failure.Failure: (source) ¶

Called back if the user did not sent a signature. If reason is error.ValidPublicKey then this key is valid for the user to authenticate with. Send MSG_USERAUTH_PK_OK.

def _ebMaybeBadAuth(self, reason): (source) ¶

An intermediate errback. If the reason is error.NotEnoughAuthentication, we send a MSG_USERAUTH_FAILURE, but with the partial success indicator set.

Parameters
reason:`twisted.python.failure.Failure`	Undocumented

def _ebPassword(self, f): (source) ¶

If the password is invalid, wait before sending the failure in order to delay brute-force password guessing.

_log = (source) ¶

overrides twisted.conch.ssh.service.SSHService._log

Undocumented

_cancelLoginTimeout = (source) ¶

Undocumented