Authentication Manager

AuthManager module for setting up a concise, flexible collection of available authentication possibilities to connect to multiple servers via Paramiko. Supports loading from an authentication file that can contain passwords or key files, and a way to match them to a host or hosts.

class radssh.authmgr.AuthManager(default_user, auth_file='./.radssh_authfile', include_agent=<object object>, include_userkeys=<object object>, default_password=None, try_auth_none=True)

Manage keys and passwords used for paramiko authentication

add_key(key, filter=None)

Append to a list of explicit keys to try, separate from any agent keys

add_password(password, filter=None)

Append to list of passwords to try based on filtering, but only keep at most one default

authenticate(T, sshconfig={})

Try available ways to authenticate a paramiko Transport. Attempts are made in the following progression:

- Keys listed in ssh_config as IdentityFile
- User keys (~/.ssh/id_rsa, id_dsa, id_ecdsa) if loaded
- Explicit keys loaded from authfile (for matched hostname/IP)
- Keys available via SSH Agent (if enabled)
- Passwords loaded from authfile
- Default password (if set)

read_auth_file(auth_file)

Read in settings from an authfile. See docs for example format.

class radssh.authmgr.PlainText(plaintext)

PlainText simply saves the string, and returns it. Nothing fancy.

class radssh.authmgr.RSAES_OAEP_Text(ciphertext)

Class to permit decryption of password encoded with user’s private key. Save the ciphertext, defer the decryption to plaintext until the plaintext is requested. Only decrypt on the initial get, save the result internally for subsequent calls.

Sample AuthFile format:

authfile:

# Lines starting with # are comments
# Non-comment lines should be 3 (or 2) fields with '|' separator
#     1st field: either 'password' or 'keyfile'
#     2nd field (optional): hostname or IP matching filter
#     last field: password plaintext, ciphertext, or keyfile name
#
# Try this password for single host 'neptune'
password|neptune|C0p3rn1cu5

# Common password for all hosts in DMZ
password|*.dmz.company.org|INSECURE

# Common password for all hosts on IP subnet (requires netaddr)
password|192.168.65.0/24|Chewbacca

# Can overlap filters, AuthMgr will attempt using any match
# Also, can use IPNetwork or IPGlob (see netaddr docs)
password|192.168.65.100-120|Wookie

# Common (default) password:  2 fields = no host filtering
password|also_insecure

# Old style 1-field entry is also default password
# should be deprecated
my_voice_is_my_password

# Keyfiles specified in a similar way
# NOTE: standard keyfiles in ~/.ssh normally will not need
# to be specified in the authfile, default keys will be available
# unless explicitly disabled during __init__ call.

# Try a DB server key for all hosts starting with 'db'
keyfile|db*|/home/mysqldba/admin/id_rsa

# You can include passwords encrypted with your RSA public key
# with the PKCS-OAEP mechanism of the cryptography module. Use
# the radssh.pkcs module to encrypt passwords, then copy/paste
# the encrypted results into the auth file like this:
PKCSOAEP|*|nPIC8J08T7x4G1PsZPKH9bjeQd/8A1vLiOCCrH1chSvpz0hEfJqeqPMyLxhqCames5ID9eqvFmbyZBBfPPxGjoAJMHgKc+xfF68+nLjE87pc6WlbeTu9jQKeS5Xeu+oeuwTx81xFTDSyrUyW6/eo88jPxS2w0LjYqfn5RNsBEDygpD7Hah0BVbqSUhDwx4m8Qw4MI4kMzqWFS9Ev8Vo5yomQ3fSSJsun2OgK+d0DLWl4eMmVU+fmFbRSZdoSRL1/1Kadl2jBuhOu9j9nhGS2NEhxE5OZd26EX7jD8KrRq7JSsCExUbrnKgykri3RL0BS3mhXsnv1crINBh2+mamh0Q==
# See: http://radssh.readthedocs.org/en/latest/pkcs.html#pkcs for more details
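The sample authfile above, read by a stand-alone parser that is added here as an example and is not radssh's own code. It reimplements the documented host filtering with the standard library (fnmatch globs, ipaddress for CIDR, and a simplified last-octet range such as 192.168.65.100-120) instead of netaddr, and it returns the matched keyfiles, filtered passwords and single default password in file order, which is the per-host selection the authenticate() progression draws on. PKCSOAEP entries are returned as ciphertext tagged with their kind; the decryption step is not shown. The embedded authfile is a constructed copy of the documented sample with a placeholder ciphertext, and keeping the first default password is an assumption, since the docs only say at most one default is kept.

```python
"""Stand-alone parser for the radssh-style authfile format (added example).

Uses only the standard library; netaddr-style IPNetwork/IPGlob matching is
approximated with ipaddress (CIDR) and a last-octet range form.
"""
import fnmatch
import ipaddress
import re

# Constructed sample modelled on the documented format; the PKCSOAEP value
# is a placeholder, not real ciphertext.
SAMPLE_AUTHFILE = """\
# Lines starting with # are comments
password|neptune|C0p3rn1cu5
password|*.dmz.company.org|INSECURE
password|192.168.65.0/24|Chewbacca
password|192.168.65.100-120|Wookie
password|also_insecure
my_voice_is_my_password
keyfile|db*|/home/mysqldba/admin/id_rsa
PKCSOAEP|*|PLACEHOLDER_CIPHERTEXT==
"""

# Matches a.b.c.x-y, the simplified range form handled here
_LAST_OCTET_RANGE = re.compile(r'^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$')


def host_matches(filt, host):
    """Return True if an authfile filter matches the given hostname or IP.

    A missing filter (None) matches everything. IP-based filters only apply
    when the host is itself an IP literal; anything else falls back to a
    shell-style glob on the hostname.
    """
    if filt is None:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    m = _LAST_OCTET_RANGE.match(filt)
    if m and addr is not None:
        lo = ipaddress.ip_address(m.group(1) + m.group(2))
        hi = ipaddress.ip_address(m.group(1) + m.group(3))
        return lo <= addr <= hi
    if '/' in filt and addr is not None:
        try:
            return addr in ipaddress.ip_network(filt, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatch(host, filt)


def parse_authfile(text):
    """Parse authfile text into (kind, filter, value) tuples, in file order.

    kind is 'password', 'keyfile' or 'PKCSOAEP'; filter is None for the
    2-field and old-style 1-field (default password) entries.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split('|')
        if len(fields) == 1:
            entries.append(('password', None, fields[0]))
        elif len(fields) == 2:
            entries.append((fields[0], None, fields[1]))
        elif len(fields) == 3:
            entries.append((fields[0], fields[1], fields[2]))
        else:
            raise ValueError("line %d: expected 1 to 3 '|'-separated fields" % lineno)
    return entries


def candidates_for(entries, host):
    """Return (keyfiles, passwords, default_password) applicable to host.

    passwords is a list of (kind, value) so callers know which values still
    need PKCS-OAEP decryption. Only the first default password is kept
    (assumption: the docs say at most one default is retained).
    """
    keyfiles, passwords, default = [], [], None
    for kind, filt, value in entries:
        if not host_matches(filt, host):
            continue
        if kind == 'keyfile':
            keyfiles.append(value)
        elif kind in ('password', 'PKCSOAEP'):
            if filt is None:
                if default is None:
                    default = value
            else:
                passwords.append((kind, value))
    return keyfiles, passwords, default


if __name__ == '__main__':
    parsed = parse_authfile(SAMPLE_AUTHFILE)
    for h in ('neptune', '192.168.65.110', 'db01', 'web1.dmz.company.org'):
        print(h, candidates_for(parsed, h))
```

Because filters may overlap, a host can collect several passwords; the function preserves file order so the caller can try them in the order the administrator wrote them.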