smillerc

Reputation: 168

Using Kerberos authentication with Paramiko

I'm struggling to figure out how to use Kerberos authentication with Python and paramiko. I've found the documentation for paramiko but don't know how to implement it, and there seems to be a lack of tutorials specifically for Kerberos and paramiko since it's so new.

When I ssh outside of Python for normal usage, I insert a smart card and type the following from the command line in OS X Mavericks...

$ kshell
$ pkinit

...which then prompts me for the PIN number associated with the card. From there I get a Kerberos ticket and can ssh to the server.

I've used paramiko in the past but without Kerberos... The following code is an example of what I've tried, but I get errors and can't connect.

import paramiko
import gssapi

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

ssh.connect(hostname='my.server.name',
            username='user.name',
            gss_auth=True,
            gss_kex=True)

Upvotes: 3

Views: 6480

Answers (1)

ivan_pozdeev

Reputation: 36026

As "How does Kerberos work with SSH?" says, Kerberos authentication in SSH is essentially some custom data transfer instead of regular authentication (that includes getting a ticket from the KDC) if the server reports gssapi-with-mic in its available authentication mechanisms.

Support for it in paramiko was committed in 09.2014 in pull request 267 and is available from v1.15 onwards.

To use it,

  1. See the Installing docs for additional requirements.
  2. Use the gss_auth parameter of SSHClient.connect. gss_kex is optional, to authenticate the server using Kerberos as well rather than its SSH key.

Upvotes: 3
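
An added example, not part of the question or the answer above and not Paramiko's own code: a Kerberos-only connection through the gss_auth parameter, with host key checking kept strict and ticket delegation turned off. It assumes paramiko 1.15 or later with its GSSAPI requirements installed and a ticket already in the credential cache; the helper names are hypothetical.

```python
# Added example: Kerberos-only SSH login with Paramiko (helper names are hypothetical).
# Assumes paramiko >= 1.15 plus its GSSAPI requirements, and an existing ticket.
import sys

GSS_METHOD = "gssapi-with-mic"  # auth method the server must advertise


def gss_connect_args(host, user, kex=False, delegate=False):
    """Keyword arguments for SSHClient.connect() that try Kerberos only."""
    return {
        "hostname": host,             # FQDN used in the host/<fqdn> service principal
        "username": user,
        "gss_auth": True,             # authenticate the user with the Kerberos ticket
        "gss_kex": kex,               # True: the server is authenticated via Kerberos too
        "gss_deleg_creds": delegate,  # Paramiko's default is True (delegates credentials)
        "look_for_keys": False,       # no fallback to private keys in ~/.ssh
        "allow_agent": False,         # no fallback to ssh-agent
    }


def explain_auth_failure(allowed_types=None):
    """Describe a failed login from the auth methods the server advertised, if known."""
    if allowed_types is not None and GSS_METHOD not in allowed_types:
        return "server does not offer %s (offers: %s)" % (
            GSS_METHOD, ", ".join(sorted(allowed_types)))
    return ("server refused %s: check the ticket with klist and that the "
            "hostname matches the service principal" % GSS_METHOD)


def connect_kerberos(host, user, kex=False):
    import paramiko  # imported lazily so the helpers above load without it
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # Without gss_kex the SSH host key is what authenticates the server, so
    # unknown keys are rejected rather than trusted on first use.
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    try:
        client.connect(**gss_connect_args(host, user, kex))
    except paramiko.AuthenticationException as exc:
        client.close()
        # BadAuthenticationType (a subclass) carries the server's allowed_types.
        allowed = getattr(exc, "allowed_types", None)
        raise RuntimeError(explain_auth_failure(allowed)) from exc
    return client


if __name__ == "__main__":
    with connect_kerberos(sys.argv[1], sys.argv[2]) as ssh:
        _, stdout, _ = ssh.exec_command("hostname")
        print(stdout.read().decode().strip())
```

Run it as a script with the server's fully qualified name and the user name as arguments, after obtaining a ticket.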
