paramiko · bitprophet · Jun 6, 2017 · Dec 22, 2016 · Dec 22, 2016 · Dec 22, 2016
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
@@ -21,6 +21,7 @@
 """
 
 import weakref
+import time
 from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_DISCONNECT, \
     DISCONNECT_SERVICE_NOT_AVAILABLE, DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE, \
     cMSG_USERAUTH_REQUEST, cMSG_SERVICE_ACCEPT, DEBUG, AUTH_SUCCESSFUL, INFO, \
@@ -188,6 +189,7 @@ def _get_session_blob(self, key, service, username):
         return m.asbytes()
 
     def wait_for_response(self, event):
+        max_ts = time.time() + self.transport.auth_timeout if self.transport.auth_timeout is not None else None
         while True:
             event.wait(0.1)
             if not self.transport.is_active():
@@ -197,6 +199,9 @@ def wait_for_response(self, event):
                 raise e
             if event.is_set():
                 break
+            if max_ts is not None and max_ts <= time.time():
+                raise AuthenticationException('Authentication timeout.')
+
         if not self.is_authenticated():
             e = self.transport.get_exception()
             if e is None:

diff --git a/paramiko/client.py b/paramiko/client.py
@@ -226,7 +226,8 @@ def connect(
         gss_kex=False,
         gss_deleg_creds=True,
         gss_host=None,
-        banner_timeout=None
+        banner_timeout=None,
+        auth_timeout=None
     ):
         """
         Connect to an SSH server and authenticate to it.  The server's host key
@@ -278,7 +279,8 @@ def connect(
             The targets name in the kerberos database. default: hostname
         :param float banner_timeout: an optional timeout (in seconds) to wait
             for the SSH banner to be presented.
-
+        :param float auth_timeout: an optional timeout (in seconds) to wait for
+            an authentication response.
         :raises BadHostKeyException: if the server's host key could not be
             verified
         :raises AuthenticationException: if authentication failed
@@ -335,6 +337,8 @@ def connect(
             t.set_log_channel(self._log_channel)
         if banner_timeout is not None:
             t.banner_timeout = banner_timeout
+        if auth_timeout is not None:
+            t.auth_timeout = auth_timeout
         t.start_client(timeout=timeout)
         ResourceManager.register(self, t)
 

diff --git a/paramiko/transport.py b/paramiko/transport.py
@@ -383,7 +383,7 @@ def __init__(self,
         self.completion_event = None    # user-defined event callbacks
         self.banner_timeout = 15        # how long (seconds) to wait for the SSH banner
         self.handshake_timeout = 15     # how long (seconds) to wait for the handshake to finish after SSH banner sent.
-
+        self.auth_timeout = 30          # how long (seconds) to wait for the auth response.
 
         # server mode:
         self.server_mode = False

diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
@@ -2,6 +2,9 @@
 Changelog
 =========
 
+* :feature:`add-auth-timeout` Adds a timeout for the authentication process.
+  This is a fix to prevent the client getting stuck if an SSH server becomes
+  un-responsive during the authentication. Credit to ``@timsavage``.
 * :support:`866 backported` (also :issue:`838`) Remove an old test-related file
   we don't support, and add PyPy to Travis-CI config. Thanks to Pierce Lopez
   for the final patch and Pedro Rodrigues for an earlier edition.

diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -23,6 +23,7 @@
 import sys
 import threading
 import unittest
+from time import sleep
 
 from paramiko import Transport, ServerInterface, RSAKey, DSSKey, \
     BadAuthenticationType, InteractiveQuery, \
@@ -73,6 +74,9 @@ def check_auth_password(self, username, password):
             return AUTH_SUCCESSFUL
         if username == 'bad-server':
             raise Exception("Ack!")
+        if username == 'unresponsive-server':
+            sleep(5)
+            return AUTH_SUCCESSFUL
         return AUTH_FAILED
 
     def check_auth_publickey(self, username, key):
@@ -232,3 +236,24 @@ def test_8_auth_gets_disconnected(self):
         except:
             etype, evalue, etb = sys.exc_info()
             self.assertTrue(issubclass(etype, AuthenticationException))
+
+    def test_9_auth_non_responsive(self):
+        """
+        verify that authentication times out if server takes to long to
+        respond (or never responds).
+        """
+        auth_timeout = self.tc.auth_timeout
+        self.tc.auth_timeout = 2  # Reduce to 2 seconds to speed up test
+
+        try:
+            self.start_server()
+            self.tc.connect()
+            try:
+                remain = self.tc.auth_password('unresponsive-server', 'hello')
+            except:
+                etype, evalue, etb = sys.exc_info()
+                self.assertTrue(issubclass(etype, AuthenticationException))
+                self.assertTrue('Authentication timeout' in str(evalue))
+        finally:
+            # Restore value
+            self.tc.auth_timeout = auth_timeout
diff --git a/tests/test_client.py b/tests/test_client.py
@@ -60,6 +60,9 @@ def get_allowed_auths(self, username):
     def check_auth_password(self, username, password):
         if (username == 'slowdive') and (password == 'pygmalion'):
             return paramiko.AUTH_SUCCESSFUL
+        if (username == 'slowdive') and (password == 'unresponsive-server'):
+            time.sleep(5)
+            return paramiko.AUTH_SUCCESSFUL
         return paramiko.AUTH_FAILED
 
     def check_auth_publickey(self, username, key):
@@ -380,6 +383,24 @@ def test_8_auth_trickledown(self):
         )
         self._test_connection(**kwargs)
 
+    def test_9_auth_timeout(self):
+        """
+        verify that the SSHClient has a configurable auth timeout
+        """
+        threading.Thread(target=self._run).start()
+        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
+        public_host_key = paramiko.RSAKey(data=host_key.asbytes())
+
+        self.tc = paramiko.SSHClient()
+        self.tc.get_host_keys().add('[%s]:%d' % (self.addr, self.port), 'ssh-rsa', public_host_key)
+        # Connect with a half second auth timeout
+        kwargs = dict(self.connect_kwargs, password='unresponsive-server', auth_timeout=0.5)
+        self.assertRaises(
+            paramiko.AuthenticationException,
+            self.tc.connect,
+            **kwargs
+        )
+
     def test_update_environment(self):
         """
         Verify that environment variables can be set by the client.