Create gss_auth option for paramiko_ssh connection plugin #71190
base: devel
- Add a new gss_auth option for the paramiko_ssh connection plugin that will be passed to the upstream paramiko library connect method. This will enable GSS-API authentication for paramiko ssh connections which is required for Kerberos authentication.
- Set the default for the gss_auth option in the paramiko_connection section to false to ensure backwards compatibility
- Only pass the gss_auth option to paramiko.SSHClient().connect() if the paramiko version supports it (paramiko added support for GSS-API in 1.15.0)
This seems like the first of several GSS-API related options that can be added.
I couldn't see how to set up a test for it without having a kerberos auth environment configured. It might be possible to test that enabling the option means the ssh client attempts gss-api (but then continues to other options). Do you have any pointers for other auth type option tests I could look at?
That's why I suggested that unit tests might be easier. Setting up kerberos just for a test is probably quite difficult. Just run You can take a look at
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
@@ -340,6 +350,10 @@ def _connect_uncached(self): | |||
if LooseVersion(paramiko.__version__) >= LooseVersion('2.2.0'): | |||
ssh_connect_kwargs['auth_timeout'] = self._play_context.timeout | |||
|
|||
# paramiko 1.15.0 introduced gss_auth parameter | |||
if LooseVersion(paramiko.__version__) >= LooseVersion('1.15.0'): |
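Review bot: The version gate at `if LooseVersion(paramiko.__version__) >= LooseVersion('1.15.0'):` has no visible handling for the case where it is false, so on an older paramiko a user who enabled gss_auth would have the option dropped without notice and the connection would proceed with whatever other authentication methods are configured. Consider emitting a warning (or failing) when gss_auth is set and the installed paramiko is older than 1.15.0, and keep that path quiet when the option is left at its default so existing users see no new output.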
We should give a warning if this is not True and gss_auth is set.
SUMMARY
Add a new gss_auth option for the paramiko_ssh connection plugin that will be passed to the upstream paramiko library connect() method. This will enable GSS-API authentication for paramiko ssh connections, which is required for Kerberos authentication to succeed.
Set the default for the gss_auth option in the [paramiko_connection] section to False to ensure backwards compatibility.
Fixes #71201
ISSUE TYPE
COMPONENT NAME
paramiko_ssh
ADDITIONAL INFORMATION
Without gss_auth enabled for paramiko_ssh against a kerberos authenticated host:
With gss_auth enabled for paramiko_ssh against a kerberos authenticated host: