Rev 4556: Fix bug #375867, check if password is a supported auth type in http://bazaar.launchpad.net/~jameinel/bzr/1.18-ssh-auth-375867
John Arbash Meinel
john at arbash-meinel.com
Mon Jul 20 22:21:24 BST 2009
At http://bazaar.launchpad.net/~jameinel/bzr/1.18-ssh-auth-375867
------------------------------------------------------------
revno: 4556
revision-id: john at arbash-meinel.com-20090720212110-1yy7q5hnfglxsodh
parent: pqm at pqm.ubuntu.com-20090720145231-zntxtpyaoujmkrsz
committer: John Arbash Meinel <john at arbash-meinel.com>
branch nick: 1.18-ssh-auth-375867
timestamp: Mon 2009-07-20 16:21:10 -0500
message:
Fix bug #375867, check if password is a supported auth type
before we actually try to authenticate with a password.
Also, avoid asking for a password if the user supplied a password already.
(Arguably we want to do that, but as we don't prompt for a password multiple times...)
-------------- next part --------------
=== modified file 'NEWS'
--- a/NEWS 2009-07-20 11:27:05 +0000
+++ b/NEWS 2009-07-20 21:21:10 +0000
@@ -22,6 +22,11 @@
Bug Fixes
*********
+* Authenticating against an ssh server now uses ``auth_none`` to determine
+ if password authentication is even supported. This fixes a bug where
+ users would be prompted for a launchpad password, even though launchpad
+ only supports publickey authentication. (John Arbash Meinel, #375867)
+
* BranchBuilder now accepts timezone to avoid test failures in countries far
from GMT. (Vincent Ladeuil, #397716)
=== modified file 'bzrlib/transport/ssh.py'
--- a/bzrlib/transport/ssh.py 2009-04-27 16:10:10 +0000
+++ b/bzrlib/transport/ssh.py 2009-07-20 21:21:10 +0000
@@ -19,6 +19,7 @@
import errno
import getpass
+import logging
import os
import socket
import subprocess
@@ -53,6 +54,7 @@
# so we get an AttributeError exception. So we will not try to
# connect to an agent if we are on win32 and using Paramiko older than 1.6
_use_ssh_agent = (sys.platform != 'win32' or _paramiko_version >= (1, 6, 0))
+_use_ssh_agent = False
class SSHVendorManager(object):
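Review bot: The added `_use_ssh_agent = False` immediately overwrites the platform/Paramiko-version check computed on the line above, so the flag is now False for every user. Neither the commit message nor the NEWS entry mentions turning the agent off, which suggests this is a leftover debugging line that should be dropped before merging. The code that reads the flag is outside this hunk, but presumably users with agent-held keys would be pushed onto on-disk key files or the password path. If disabling the agent is intended, replace the computed assignment instead of shadowing it and add a comment such as `# agent auth disabled because <reason>`.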
@@ -481,6 +483,30 @@
if _try_pkey_auth(paramiko_transport, paramiko.DSSKey, username, 'id_dsa'):
return
+ # If we have gotten this far, we are about to try for passwords, do an
+ # auth_none check to see if it is even supported.
+ supported_auth_types = []
+ try:
+ # Note that with paramiko <1.7.5 this logs an INFO message:
+ # Authentication type (none) not permitted.
+ # So we explicitly disable the logging level for this action
+ old_level = paramiko_transport.logger.level
+ paramiko_transport.logger.setLevel(logging.WARNING)
+ try:
+ paramiko_transport.auth_none(username)
+ finally:
+ paramiko_transport.logger.setLevel(old_level)
+ except paramiko.BadAuthenticationType, e:
+ # Supported methods are in the exception
+ supported_auth_types = e.allowed_types
+ except paramiko.SSHException, e:
+ # Don't know what happened, but just ignore it
+ pass
+ if 'password' not in supported_auth_types:
+ raise errors.ConnectionError('Unable to authenticate to SSH host as'
+ ' %s@%s (supported auth types: %s)'
+ % (username, host, supported_auth_types))
+
if password:
try:
paramiko_transport.auth_password(username, password)
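Review bot: Both a successful `auth_none()` call and the swallowed `paramiko.SSHException` leave `supported_auth_types` as the empty list, so the `'password' not in supported_auth_types` test raises ConnectionError in either case. If the server accepts the "none" method, the transport is already authenticated, yet the function still reports a failure. If the probe fails for an unknown reason, the "just ignore it" comment is contradicted, because a user-supplied password is never tried. The fix is to keep "server did not say" distinct from "server said no password" and to return early once the transport is authenticated. The enclosing function starts before this hunk and continues past it.

```python
supported_auth_types = None  # None: the server did not report its methods
# … unchanged: auth_none() probe with paramiko logging lowered, both except clauses …
if paramiko_transport.is_authenticated():
    # the server accepted the "none" method; nothing further to negotiate
    return
if (supported_auth_types is not None
        and 'password' not in supported_auth_types):
    # … unchanged: raise errors.ConnectionError(...) with the supported types …
```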
@@ -490,11 +516,16 @@
# give up and ask for a password
password = auth.get_password('ssh', host, username, port=port)
- try:
- paramiko_transport.auth_password(username, password)
- except paramiko.SSHException, e:
- raise errors.ConnectionError(
- 'Unable to authenticate to SSH host as %s@%s' % (username, host), e)
+ # get_password can still return None, which means we should not prompt
+ if password is not None:
+ try:
+ paramiko_transport.auth_password(username, password)
+ except paramiko.SSHException, e:
+ raise errors.ConnectionError('Failed to authenticate to SSH host'
+ ' as %s@%s' % (username, host), e)
+ else:
+ raise errors.ConnectionError('Failed to authenticate to SSH host'
+ ' as %s@%s' % (username, host))
def _try_pkey_auth(paramiko_transport, pkey_class, username, filename):
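Review bot: The two failure paths at the end of this hunk raise the same "Failed to authenticate to SSH host as %s@%s" text, so a user or log reader cannot tell a rejected password from the case where `auth.get_password` returned None and no attempt was made. A distinct message for the `else` branch would help, e.g. `'No password available to authenticate to SSH host as %s@%s'`. The earlier branch tests `if password:` while this one tests `password is not None`, so an empty string from the prompt is still sent to the server as an authentication attempt. If that is intended, say so in the comment above the check. The enclosing function starts outside the hunk.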