twisted.conch.ssh.userauth.SSHUserAuthServer(service.SSHService) class documentationtwisted.conch.ssh.userauth
View Source
(View In Hierarchy)
A service implementing the server side of the 'ssh-userauth' service. It is used to authenticate the user on the other side as being able to access this server.
| Instance Variable | name | the name of this service: 'ssh-userauth' (type: bytes) |
| Instance Variable | authenticatedWith | a list of authentication methods that have already been used. (type: list) |
| Instance Variable | loginTimeout | the number of seconds we wait before disconnecting the user for taking too
long to authenticate (type: int) |
| Instance Variable | attemptsBeforeDisconnect | the number of failed login attempts we allow before disconnecting. (type: int) |
| Instance Variable | loginAttempts | the number of login attempts that have been made (type: int) |
| Instance Variable | passwordDelay | the number of seconds to delay when the user gives an incorrect password (type: int) |
| Instance Variable | interfaceToMethod | a dict
mapping credential interfaces to authentication methods. The server checks
to see which of the cred interfaces have checkers and tells the client that
those methods are valid for authentication. (type: dict) |
| Instance Variable | supportedAuthentications | A list of the supported authentication methods. (type: list
of bytes) |
| Instance Variable | user | the last username the client tried to authenticate with (type: bytes) |
| Instance Variable | method | the current authentication method (type: bytes) |
| Instance Variable | nextService | the service the user wants started after authentication has been completed. (type: bytes) |
| Instance Variable | portal | the twisted.cred.portal.Portal
we are using for authentication (type: twisted.cred.portal.Portal) |
| Instance Variable | clock | an object with a callLater method. Stubbed out for testing. |
| Method | serviceStarted | No summary |
| Method | serviceStopped | Called when the userauth service is stopped. Cancel the login timeout if it's still going. |
| Method | timeoutAuthentication | Called when the user has timed out on authentication. Disconnect with a DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE message. |
| Method | tryAuth | Try to authenticate the user with the given method. Dispatches to a auth_* method. |
| Method | ssh_USERAUTH_REQUEST | No summary |
| Method | auth_publickey | No summary |
| Method | auth_password | Password authentication. Payload:: string password |
| Method | _cbFinishedAuth | The callback when user has successfully been authenticated. For a
description of the arguments, see twisted.cred.portal.Portal.login.
We start the service requested by the user. |
| Method | _ebMaybeBadAuth | An intermediate errback. If the reason is error.NotEnoughAuthentication, we send a MSG_USERAUTH_FAILURE, but with the partial success indicator set. |
| Method | _ebBadAuth | No summary |
| Method | _ebCheckKey | Called back if the user did not sent a signature. If reason is error.ValidPublicKey then this key is valid for the user to authenticate with. Send MSG_USERAUTH_PK_OK. |
| Method | _ebPassword | If the password is invalid, wait before sending the failure in order to delay brute-force password guessing. |
Inherited from SSHService:
| Method | logPrefix | Override this method to insert custom logging behavior. Its return value will be inserted in front of every line. It may be called more times than the number of output lines. |
| Method | packetReceived | called when we receive a packet on the transport |
int)
int)
int)
bytes)
twisted.cred.portal.Portal
we are using for authentication (type: twisted.cred.portal.Portal)
Called when the userauth service is started. Set up instance variables, check if we should allow password authentication (only allow if the outgoing connection is encrypted) and set up a login timeout.
Called when the userauth service is stopped. Cancel the login timeout if it's still going.
Called when the user has timed out on authentication. Disconnect with a DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE message.
Try to authenticate the user with the given method. Dispatches to a auth_* method.
| Parameters | kind | the authentication method to try. (type: bytes) |
| user | the username the client is authenticating with. (type: bytes) | |
| data | authentication specific data sent by the client. (type: bytes) | |
| Returns | A Deferred called back if the method succeeded, or erred back if it failed. (type: defer.Deferred) | |
The client has requested authentication. Payload:
string user string next service string method <authentication specific data>
The callback when user has successfully been authenticated. For a
description of the arguments, see twisted.cred.portal.Portal.login.
We start the service requested by the user.
An intermediate errback. If the reason is error.NotEnoughAuthentication, we send a MSG_USERAUTH_FAILURE, but with the partial success indicator set.
The final errback in the authentication chain. If the reason is error.IgnoreAuthentication, we simply return; the authentication method has sent its own response. Otherwise, send a failure message and (if the method is not 'none') increment the number of login attempts.
Public key authentication. Payload:
byte has signature string algorithm name string key blob [string signature] (if has signature is True)
Create a SSHPublicKey credential and verify it using our portal.
Called back if the user did not sent a signature. If reason is error.ValidPublicKey then this key is valid for the user to authenticate with. Send MSG_USERAUTH_PK_OK.
Password authentication. Payload:
string password
Make a UsernamePassword credential and verify it with our portal.
If the password is invalid, wait before sending the failure in order to delay brute-force password guessing.