Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gssauth trickledown fix (2.0) #1061

merged 4 commits into from Sep 12, 2017


Copy link

@akruis akruis commented Sep 12, 2017

AuthHandler: handle "gssapi-with-mic" errors

Paramiko now tries other authentication methods, if "gssapi-with-mic" authentication fails (i.e. no kerberos ticket). Before this change, any failure of GSSAPI token exchange caused the transport to be closed.

Anselm Kruis added 4 commits Aug 1, 2017
This new constant is a tuple of the exception types used by the
underlying GSSAPI/SSPI implementation.
A paramiko server is now able to handle a restart of the user
authentication during the GSS-API token exchange. This may occur, if
the client detects a local GSSAPI problem (e.g. a missing kerberos
ticket) and continues with another authentication method.

The added test case test_2_auth_trickledown still fails, because the
paramiko client contains a bug too.
Paramiko now tries other authentication methods, if "gssapi-with-mic"
authentication may fails for a local reason (i.e. no kerberos ticket).

Befor this change, any exception from the GSSAPI/SSPI caused the
transport to be closed.
bitprophet added a commit that referenced this pull request Sep 12, 2017
@bitprophet bitprophet merged commit 85996f5 into paramiko:2.0 Sep 12, 2017
1 of 3 checks passed
1 of 3 checks passed
codecov/patch 23.15% of diff hit (target 74.58%)
codecov/project 74.23% (-0.36%) compared to 853a37f
continuous-integration/travis-ci/pr The Travis CI build passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants