Authentication Guide¶
SpindleX supports multiple authentication methods to provide secure access to remote systems. This guide covers all supported authentication methods and best practices.
Supported Authentication Methods¶
Public Key Authentication (Recommended)
Password Authentication
GSSAPI/Kerberos Authentication
Keyboard-Interactive Authentication
Public Key Authentication¶
Public key authentication is the most secure method and is recommended for production use.
Key Generation¶
SpindleX includes a dedicated CLI tool, spindlex-keygen, for generating modern cryptographic keys:
Loading Existing Keys¶
Load private keys from files using the utility functions in spindlex.crypto.pkey:
from spindlex.crypto import PKey
# Load key with passphrase
private_key = PKey.from_private_key_file(
'/path/to/private_key',
password='passphrase'
)
Using Keys for Authentication¶
Password Authentication¶
Basic Password Authentication¶
from spindlex import SSHClient
import getpass
# Get password securely
password = getpass.getpass("Enter SSH password: ")
with SSHClient() as client:
client.connect(
hostname='server.example.com',
username='user',
password=password
)
GSSAPI/Kerberos Authentication¶
GSSAPI authentication provides single sign-on capabilities in Kerberos environments.
Sync GSSAPI Authentication¶
from spindlex import SSHClient
with SSHClient() as client:
client.connect(
hostname='server.example.com',
username='user',
gss_auth=True, # Enable GSSAPI authentication
gss_host='server.example.com', # Target service name
gss_deleg_creds=True # Delegate credentials if needed
)
Async GSSAPI Authentication¶
from spindlex import AsyncSSHClient
async def connect_gssapi():
async with AsyncSSHClient() as client:
await client.connect(
hostname='server.example.com',
username='user',
gss_auth=True,
gss_host='server.example.com',
gss_deleg_creds=True
)
Keyboard-Interactive Authentication¶
Keyboard-interactive authentication is used when the server requires the user to respond to one or more prompts. This is common for multi-factor authentication (MFA).
from spindlex import SSHClient
with SSHClient() as client:
client.connect(
hostname="server.example.com",
username="user"
)
# If handler is omitted, SpindleX uses a default terminal-based handler
client.auth_keyboard_interactive("user")
You can also provide a custom handler for more complex scenarios:
Security Best Practices¶
Key Management¶
- Use Ed25519 keys for new deployments.
- Use strong passphrases for private keys.
- Rotate keys regularly (annually or bi-annually).
- Store keys securely with proper file permissions (
600). - Use different keys for different purposes/environments.
Password Security¶
- Avoid password authentication when possible.
- Use strong passwords (12+ characters, mixed case, numbers, symbols).
- Never hardcode passwords in source code.
- Clear passwords from memory after use.
Troubleshooting Authentication¶
Common Issues¶
- Permission denied (publickey): Check private key file permissions (should be
600) and verify public key is in server'sauthorized_keys. - Host key verification failed: Server's host key has changed. Use proper host key policy.
- Connection timeout: Network connectivity issues or firewall blocking SSH port.
Debug Authentication¶
Enable debug logging to see detailed authentication info: