MarketSquare · miikaoskari · Apr 25, 2024 · Aug 28, 2024 · Aug 28, 2024 · Aug 30, 2024
diff --git a/atest/login.robot b/atest/login.robot
@@ -43,6 +43,11 @@ Login With Public Key When Non-Existing Key
     Run Keyword And Expect Error    Given key file 'not_existing_key' does not exist.
     ...    Login With Public Key    ${KEY USERNAME}    not_existing_key
 
+Login With Public Key And Disabled Algorithms
+    VAR    @{pubkeys}    diffie-hellman-group16-sha512
+    VAR    &{disabled_algorithms}    pubkeys=${pubkeys}
+    Login With Public Key    ${KEY USERNAME}    ${KEY}    disabled_algorithms=${disabled_algorithms}
+
 Logging In Returns Server Output
     [Setup]    Open Connection    ${HOST}
     ${output}=    Login    ${USERNAME}    ${PASSWORD}
@@ -83,7 +88,14 @@ Login With Empty Quotes No Password
     Login    ${USERNAME_NOPASSWD}    ""
 
 Login Using Config File Proxy Command
-    [Tags]    no-gh-actions
-    [Setup]    Open Connection    ${TEST_PROXY_HOSTNAME}    prompt=${PROMPT}
-    ${output}=    Login    password=test    read_config=True
-    Should Contain    ${output}    test@
+    [Tags]  no-gh-actions
+    [Setup]  Open Connection   ${TEST_PROXY_HOSTNAME}  prompt=${PROMPT}
+    ${output}=  Login  password=test  read_config=True
+    Should Contain  ${output}  test@
+
+Login With Disabled Algorithms
+    [Setup]    Open Connection    ${HOST}    prompt=${PROMPT}
+    VAR    @{pubkeys}    rsa-sha2-512    rsa-sha2-256
+    VAR    &{disabled_algorithms}    pubkeys=${pubkeys}
+    Login    ${USERNAME}    ${PASSWORD}    disabled_algorithms=${disabled_algorithms}
+
diff --git a/src/SSHLibrary/client.py b/src/SSHLibrary/client.py
@@ -183,7 +183,7 @@ def close(self):
             pass
 
     def login(self, username=None, password=None, allow_agent=False, look_for_keys=False, delay=None, proxy_cmd=None,
-              read_config=False, jumphost_connection=None, keep_alive_interval='0 seconds'):
+              read_config=False, jumphost_connection=None, keep_alive_interval='0 seconds', disabled_algorithms=None):
         """Logs into the remote host using password authentication.
 
         This method reads the output from the remote host after logging in,
@@ -225,7 +225,7 @@ def login(self, username=None, password=None, allow_agent=False, look_for_keys=F
             password = self._encode(password)
         try:
             self._login(username, password, allow_agent, look_for_keys, proxy_cmd, read_config,
-                        jumphost_connection, keep_alive_interval)
+                        jumphost_connection, keep_alive_interval, disabled_algorithms)
         except SSHClientException:
             self.client.close()
             raise SSHClientException(f"Authentication failed for user '{self._decode(username)}'.")
@@ -250,7 +250,8 @@ def _read_login_output(self, delay):
 
     def login_with_public_key(self, username, keyfile, password, allow_agent=False,
                               look_for_keys=False, delay=None, proxy_cmd=None,
-                              jumphost_connection=None, read_config=False, keep_alive_interval='0 seconds'):
+                              jumphost_connection=None, read_config=False, keep_alive_interval='0 seconds', 
+                              disabled_algorithms=None):
         """Logs into the remote host using the public key authentication.
 
         This method reads the output from the remote host after logging in,
@@ -296,7 +297,8 @@ def login_with_public_key(self, username, keyfile, password, allow_agent=False,
             self._login_with_public_key(username, keyfile, password,
                                         allow_agent, look_for_keys,
                                         proxy_cmd, jumphost_connection,
-                                        read_config, keep_alive_interval)
+                                        read_config, keep_alive_interval, 
+                                        disabled_algorithms)
         except SSHClientException:
             self.client.close()
             raise SSHClientException(f"Login with public key failed for user '{self._decode(username)}'.")
@@ -879,7 +881,7 @@ def _get_jumphost_tunnel(self, jumphost_connection):
         return jumphost_transport.open_channel("direct-tcpip", dest_addr, jump_addr)
 
     def _login(self, username, password, allow_agent=False, look_for_keys=False, proxy_cmd=None,
-               read_config=False, jumphost_connection=None, keep_alive_interval=None):
+               read_config=False, jumphost_connection=None, keep_alive_interval=None, disabled_algorithms=None):
         if read_config:
             hostname = self.config.host
             self.config.host, username, self.config.port, proxy_cmd = \
@@ -900,7 +902,8 @@ def _login(self, username, password, allow_agent=False, look_for_keys=False, pro
                     self.client.connect(self.config.host, self.config.port, username,
                                         password, look_for_keys=look_for_keys,
                                         allow_agent=allow_agent,
-                                        timeout=float(self.config.timeout), sock=sock_tunnel)
+                                        timeout=float(self.config.timeout), sock=sock_tunnel,
+                                        disabled_algorithms=disabled_algorithms)
                 except paramiko.SSHException:
                     pass
                 transport = self.client.get_transport()
@@ -911,7 +914,8 @@ def _login(self, username, password, allow_agent=False, look_for_keys=False, pro
                     self.client.connect(self.config.host, self.config.port, username,
                                         password, look_for_keys=look_for_keys,
                                         allow_agent=allow_agent,
-                                        timeout=float(self.config.timeout), sock=sock_tunnel)
+                                        timeout=float(self.config.timeout), sock=sock_tunnel,
+                                        disabled_algorithms=disabled_algorithms)
                     transport = self.client.get_transport()
                     transport.set_keepalive(keep_alive_interval)
                 except paramiko.AuthenticationException:
@@ -929,7 +933,7 @@ def _login(self, username, password, allow_agent=False, look_for_keys=False, pro
             raise SSHClientException
 
     def _login_with_public_key(self, username, key_file, password, allow_agent, look_for_keys, proxy_cmd=None,
-                               jumphost_connection=None, read_config=False, keep_alive_interval=None):
+                               jumphost_connection=None, read_config=False, keep_alive_interval=None, disabled_algorithms=None):
         if read_config:
             hostname = self.config.host
             self.config.host, username, self.config.port, key_file, proxy_cmd = \
@@ -958,7 +962,8 @@ def _login_with_public_key(self, username, key_file, password, allow_agent, look
                                 allow_agent=allow_agent,
                                 look_for_keys=look_for_keys,
                                 timeout=float(self.config.timeout),
-                                sock=sock_tunnel)
+                                sock=sock_tunnel,
+                                disabled_algorithms=disabled_algorithms)
             transport = self.client.get_transport()
             transport.set_keepalive(keep_alive_interval)
         except paramiko.AuthenticationException:

diff --git a/src/SSHLibrary/library.py b/src/SSHLibrary/library.py
@@ -1046,6 +1046,7 @@ def login(
         read_config=False,
         jumphost_index_or_alias=None,
         keep_alive_interval="0 seconds",
+        disabled_algorithms=None,
     ):
         """Logs into the SSH server with the given ``username`` and ``password``.
 
@@ -1082,6 +1083,11 @@ def login(
 
         ``keep_alive_interval`` is new in SSHLibrary 3.7.0.
 
+        ``disabled_algorithms`` is a list of algorithms that should be disabled.
+        For example, if you need to disable diffie-hellman-group16-sha512 key exchange 
+        (perhaps because your code talks to a server which implements it differently from Paramiko), 
+        specify disabled_algorithms={"kex": ["diffie-hellman-group16-sha512"]}
+
         Example that logs in and returns the output:
 
         | `Open Connection` | linux.server.com |
@@ -1104,6 +1110,12 @@ def login(
         First, add the key to the authentication agent with: ``ssh-add /path/to/keyfile``.
         | `Open Connection` | linux.server.com |
         | `Login` | johndoe | allow_agent=True |
+
+        Example login with disabled algorithms:
+        | `Open Connection` | linux.server.com |
+        | `VAR`             | @{pubkeys}             | rsa-sha2-512    rsa-sha2-256 |
+        | `VAR`             | &{disabled_algorithms} | pubkeys=${pubkeys} |
+        | `Login`           | username=johndoe       | disabled_algorithms=${disabled_algorithms} |
         """
         jumphost_connection_conf = (
             self.get_connection(index_or_alias=jumphost_index_or_alias)
@@ -1127,6 +1139,7 @@ def login(
             is_truthy(read_config),
             jumphost_connection,
             keep_alive_interval,
+            disabled_algorithms,
         )
 
     @keyword(tags=("login",))
@@ -1142,6 +1155,7 @@ def login_with_public_key(
         jumphost_index_or_alias=None,
         read_config=False,
         keep_alive_interval="0 seconds",
+        disabled_algorithms=None,
     ):
         """Logs into the SSH server using key-based authentication.
 
@@ -1196,6 +1210,17 @@ def login_with_public_key(
         set to ``0``, which means sending the ``keepalive`` packet is disabled.
 
         ``keep_alive_interval`` is new in SSHLibrary 3.7.0.
+
+        ``disabled_algorithms`` is a list of algorithms that should be disabled.
+        For example, if you need to disable diffie-hellman-group16-sha512 key exchange 
+        (perhaps because your code talks to a server which implements it differently from Paramiko), 
+        specify disabled_algorithms={"kex": ["diffie-hellman-group16-sha512"]}
+
+        Example login with disabled algorithms:
+        | `Open Connection`       | linux.server.com |
+        | `VAR`                   | @{pubkeys}             | rsa-sha2-512    rsa-sha2-256 |
+        | `VAR`                   | &{disabled_algorithms} | pubkeys=${pubkeys} |
+        | `Login With Public Key` | username=johndoe       | keyfile=key | disabled_algorithms=${disabled_algorithms} |
         """
         if proxy_cmd and jumphost_index_or_alias:
             raise ValueError(
@@ -1223,6 +1248,7 @@ def login_with_public_key(
             jumphost_connection,
             is_truthy(read_config),
             keep_alive_interval,
+            disabled_algorithms,
         )
 
     def _login(self, login_method, username, *args):