def agent_auth(transport, username):
"""
Attempt to authenticate to the given transport using any of the private
keys available from an SSH agent or from a local private RSA key file (assumes no pass phrase).
"""
try:
ki = paramiko.RSAKey.from_private_key_file(rsa_private_key)
except Exception as e:
print('Failed loading' % (rsa_private_key, e))
agent = paramiko.Agent()
agent_keys = agent.get_keys() + (ki, )
if len(agent_keys) == 0:
return
for key in agent_keys:
My_Key = key.get_fingerprint()
print('Trying ssh-agent key %s' % key.get_fingerprint()),
try:
transport.auth_publickey(username, key)
print('... success!')
return
except paramiko.SSHException:
print('... failed! SSH')
def get_ssh_key(self):
if self.auth is None or 'ssh_key' not in self.auth:
return None
key_path = self.auth['ssh_key']
if key_path.startswith('@agent'):
agent = paramiko.Agent()
keys = agent.get_keys()
key_no = int(
key_path.replace('@agent', '').replace('.', '').replace(
'[', '').replace(']', '') or 0)
return keys[key_no] if key_no < len(keys) else None
password = self.auth.get('ssh_key_password')
for pkey_class in (RSAKey, DSSKey, ECDSAKey, Ed25519Key):
try:
key = pkey_class.from_private_key_file(key_path, password)
except SSHException as e:
continue
else:
return key
return key_path # If cannot be treated as any key type, try pass filename to paramiko, maybe it will figure out
def pkey_connect(transport, user):
for pkey in paramiko.Agent().get_keys():
try:
transport.auth_publickey(user, pkey)
break
except paramiko.SSHException:
pass
def authenticate(self, transport, username):
"""
Attempt to authenticate to the given transport using any of the private
keys available from an SSH agent or from a local private RSA key file (assumes no pass phrase).
"""
agent = paramiko.Agent()
agent_keys = agent.get_keys()
rsa_private_key = join(self.riaps_Folder,
"keys/" + str(const.ctrlPrivateKey))
agent_keys = self.addKeyToAgent(agent_keys, rsa_private_key)
rsa_private_key = os.path.expanduser(
os.path.join('~', '.ssh', str(const.ctrlPrivateKey)))
agent_keys = self.addKeyToAgent(agent_keys, rsa_private_key)
if len(agent_keys) == 0:
self.logger.error('no suitable key found.')
return
for key in agent_keys:
self.logger.info('trying user %s ssh-agent key %s' %
(username, key.get_fingerprint().hex()))
try:
transport.auth_publickey(username, key)
self.logger.info('... success!')
return
except paramiko.SSHException as e:
self.logger.info('... failed! - %s' % str(e))
def do_authenticateWithAgent(self):
"""Authenticate with a SSH agent"""
# Currently paramiko supports the openSSH key-agent and Komodo
# adds putty/pageant support for windows
try:
agent = paramiko.Agent()
agent_keys = agent.get_keys()
if len(agent_keys) > 0:
for key in agent_keys:
from binascii import hexlify
self.log.debug('Trying ssh-agent key %s',
hexlify(key.get_fingerprint()))
try:
self._connection.auth_publickey(self.username, key)
#self._connection.auth_publickey(self.username, key, event)
except paramiko.SSHException, e:
# the authentication failed (raised when no event passed in)
pass
if self._connection.is_authenticated():
self.log.debug('Agent authentication was successful!')
return 1
except paramiko.BadAuthenticationType, e:
# Likely if public-key authentication isn't allowed by the server
self._lasterror = e.args[-1]
self.log.error("SSH AGENT AUTH ERROR: %s", self._lasterror)
def main():
bastionAddr = (BASTION_IP, SSH_PORT)
destAddr = (DESTINATION_IP, SSH_PORT)
bastionHost = paramiko.SSHClient()
bastionHost.set_missing_host_key_policy(paramiko.AutoAddPolicy())
agent = paramiko.Agent()
agent_keys = agent.get_keys()
# Assumes you only have one key loaded on your SSH agent, easy to configure with Jenkins
# but you would need to test each key if you had more than one
bastionHost.connect(BASTION_IP, username=SSH_USERNAME, pkey=agent_keys[0])
bastionTransport = bastionHost.get_transport()
bastionChannel = bastionTransport.open_channel("direct-tcpip", destAddr, bastionAddr)
destHost = paramiko.SSHClient()
destHost.set_missing_host_key_policy(paramiko.AutoAddPolicy())
destHost.connect(DESTINATION_IP, username=SSH_USERNAME, pkey=agent_keys[0], sock=bastionChannel)
stdin, stdout, stderr = destHost.exec_command('ls -ltr /usr/bin')
print(stderr.read())
print(stdout.read())
destHost.close()
bastionHost.close()
def agent_auth(transport, username):
"""
Attempt to authenticate to the given transport using any of the private
keys available from an SSH agent.
"""
agent = paramiko.Agent()
agent_keys = agent.get_keys()
if len(agent_keys) == 0:
return
for key in agent_keys:
print('Trying ssh-agent key %s' % hexlify(key.get_fingerprint()))
try:
transport.auth_publickey(username, key)
print('... success!')
return
except paramiko.SSHException:
print('... nope.')
def __init__(self,
server,
username,
password,
remote_server,
local_port=0,
private_key=None,
missing_host_key_policy=None):
"""
:param tuple server: The SSH server to connect to.
:param str username: The username to authenticate with.
:param str password: The password to authenticate with.
:param tuple remote_server: The remote server to connect to through the specified SSH server.
:param int local_port: The local port to forward, if not set a random one will be used.
:param str private_key: An RSA key to prefer for authentication.
:param missing_host_key_policy: The policy to use for missing host keys.
"""
super(SSHTCPForwarder, self).__init__()
self.logger = logging.getLogger('KingPhisher.' +
self.__class__.__name__)
self.server = (server[0], int(server[1]))
self.remote_server = (remote_server[0], int(remote_server[1]))
client = paramiko.SSHClient()
if missing_host_key_policy is None:
missing_host_key_policy = paramiko.AutoAddPolicy()
elif isinstance(missing_host_key_policy, paramiko.RejectPolicy):
self.logger.info(
'reject policy in place, loading system host keys')
client.load_system_host_keys()
client.set_missing_host_key_policy(missing_host_key_policy)
self.client = client
self.username = username
self.__connected = False
# an issue seems to exist in paramiko when multiple keys are present through the ssh-agent
agent_keys = paramiko.Agent().get_keys()
if not self.__connected and private_key:
private_key = self.__resolve_private_key(private_key, agent_keys)
if private_key:
self.logger.debug(
'attempting ssh authentication with user specified key')
self.__try_connect(look_for_keys=False, pkey=private_key)
else:
self.logger.warning(
'failed to identify the user specified key for ssh authentication'
)
if not self.__connected and len(agent_keys) == 1:
self.__try_connect(look_for_keys=False, pkey=agent_keys[0])
if not self.__connected:
self.__try_connect(password=password,
look_for_keys=True,
raise_error=True)
transport = self.client.get_transport()
self._forward_server = ForwardServer(self.remote_server, transport,
('127.0.0.1', local_port),
ForwardHandler)
def __send_key(self, original_pwd):
# This is very specific to the Raspberry PI, where SSH using a password for root is not possible.
# Therefore we try to log using the 'pi' account to add our public key and copy it to the root account
a = paramiko.Agent()
ks = a.get_keys()
k = ks[0].get_base64()
for pwd in {'default_password', original_pwd}:
if pwd is not None:
print(
"Trying to add the tester public key to /root/.ssh/authorized_keys using \'"
+ pwd + "\'")
try:
tmp_dut = SshTarget(self.host,
name='tmp_dut',
port=self.port,
user='******',
password=pwd)
print(type(tmp_dut))
tmp_dut.write('sudo mkdir -p /root/.ssh')
tmp_dut.write('echo ' + 'ssh-rsa ' + str(k) +
'> ~/.ssh/authorized_keys2')
tmp_dut.write(
'sudo tee -a /root/.ssh/authorized_keys < ~/.ssh/authorized_keys2'
)
except paramiko.ssh_exception.SSHException:
pass
def _agent_auth(self, transport):
"""Attempt to authenticate to the given transport using any of the private
keys available from an SSH agent ... or from a local private RSA key file
(assumes no pass phrase).
PFE: http://code.activestate.com/recipes/576810-copy-files-over-ssh-using-paramiko/
"""
import paramiko
agent = paramiko.Agent()
private_key_file = self.attrs.get("ssh_private_key_file", None)
if private_key_file:
private_key_file = os.path.expanduser(private_key_file)
LOGGER.info("Loading keys from local file %s", private_key_file)
agent_keys = (paramiko.RSAKey.from_private_key_file(private_key_file),)
else:
LOGGER.info("Loading keys from SSH agent")
agent_keys = agent.get_keys()
if len(agent_keys) == 0:
raise IOError("No available keys")
for key in agent_keys:
LOGGER.debug('Trying ssh key %s',
key.get_fingerprint().encode('hex'))
try:
transport.auth_publickey(self.destination.username, key)
LOGGER.debug('... ssh key success!')
return
except paramiko.SSHException:
continue
# We found no valid key
raise IOError("RSA key auth failed!")
def __init__(self, host, user, password):
try:
self._transport = paramiko.Transport((host, 22))
if password is not None:
self._transport.connect(username=user, password=password)
else:
agent = paramiko.Agent()
agent_keys = agent.get_keys()
if len(agent_keys) == 0:
raise DataSourceError(
"Error performing passwordless login")
success = False
for key in agent_keys:
try:
self._transport.connect(username=user, pkey=key)
success = True
break
except paramiko.SSHException:
pass
if not success:
raise DataSourceError(
"Error performing passwordless login")
self._sftp = paramiko.SFTPClient.from_transport(self._transport)
except Exception, e:
raise DataSourceError(e.__str__())
def agent_auth(cls, transport, username):
"""
Attempt to authenticate to the given transport using any of the private
keys available from an SSH agent.
return True, if the transport is authenticated
raises: AuthenticationException when network errro
"""
agent = paramiko.Agent()
agent_keys = agent.get_keys()
if len(agent_keys) == 0:
#print "Warning: No keys found loaded in ssh-agent. Forgot to use ssh-add ?"
return
for key in agent_keys:
#print 'Trying ssh-agent key %s' % \
# paramiko.util.hexify(key.get_fingerprint()),
try:
transport.auth_publickey(username, key)
if not transport.is_authenticated():
continue
else:
break
except paramiko.AuthenticationException, e:
print "Used key from agent. Auth failed. Will skip it."
pass
except SSHException, ex:
raise CommunicationException(0, "[agent_auth]:" + to_str(ex))
def __init__(self,
default_user,
auth_file='./.radssh_authfile',
include_agent=UNUSED_PARAMETER,
include_userkeys=UNUSED_PARAMETER,
default_password=None,
try_auth_none=True):
if include_agent != UNUSED_PARAMETER:
warnings.warn(FutureWarning(
'AuthManager will no longer support include_agent starting with 2.0: passed value (%s) ignored'
% include_agent),
stacklevel=2)
if include_userkeys != UNUSED_PARAMETER:
warnings.warn(FutureWarning(
'AuthManager will no longer support include_userkeys starting with 2.0: passed value (%s) ignored'
% include_userkeys),
stacklevel=2)
self.keys = []
self.passwords = []
self.default_passwords = {}
self.try_auth_none = try_auth_none
self.logger = logging.getLogger('radssh.auth')
self.import_lock = threading.Lock()
if default_password:
self.add_password(PlainText(default_password))
self.deferred_keys = dict()
if default_user:
self.default_user = default_user
else:
self.default_user = os.environ.get('SSH_USER', os.environ['USER'])
self.agent_connection = paramiko.Agent()
if auth_file:
self.read_auth_file(auth_file)
def _get_rsa_key_from_ssh_agent(self):
try:
ssh_agent = paramiko.Agent()
ssh_keys = ssh_agent.get_keys()
except paramiko.ssh_exception.SSHException:
print('Incompatible protocol')
return ssh_keys
def list_keys():
"""List keys from SSH agent"""
agent = paramiko.Agent()
keys = agent.get_keys()
for key in agent.get_keys():
# paramiko doesn't expose key comments (yet?)
keystr = "[{}] {}".format(key.get_name(), to_hex(key.get_fingerprint()))
click.echo(keystr)
agent.close()
def sign_via_agent(data, fingerprint=None):
"""Attempt to sign 'data' via ssh-agent.
Args:
data (str):
The data to sign
Kwargs:
fingerprint (str, optional):
The fingerprint of an SSH public key associated with the private key
to be used for signing data.
Returns:
A dict containing the following keys:
key_fingerprint:
The SSH public key fingerprint associated with the private key
used for signing 'data'.
key_type: The SSH key type used for signing.
signature: The data signature returned from ssh-agent.
Raises:
AgentKeyError: An error occured while signing.
"""
agent = paramiko.Agent()
keys = agent.get_keys()
sign_key = None
key_fp = None
if not keys:
raise AgentKeyError(AgentKeyError.E_NO_KEYS)
if fingerprint is not None:
for key in keys:
key_fp = key.get_fingerprint()
if fingerprint == key_fp:
sign_key = key
break
if sign_key is None:
raise AgentKeyError(AgentKeyError.E_MISSING_KEY,
fingerprint=to_hex(fingerprint))
else:
sign_key = keys[0]
key_fp = sign_key.get_fingerprint()
if PARAMIKO_VER >= (1, 14, 0):
sig = sign_key.sign_ssh_data(data)
else:
sig = sign_key.sign_ssh_data(None, data)
sig = paramiko.message.Message(sig)
return {
'key_fingerprint': key_fp,
'key_type': sig.get_string(),
'signature': sig.get_string()
}
def check_keys_from_ssh_agent():
"""
Check if private keys are available from an SSH agent.
:return:
"""
agent = paramiko.Agent()
agent_keys = agent.get_keys()
if len(agent_keys) == 0:
return False
return True
def _test_local_agent(self):
"""
try to connect to the local ssh-agent
return True if local agent is running, False if not
"""
agent = paramiko.Agent()
if len(agent.get_keys()) == 0:
return False
else:
return True
def get_ssh_to_remote_by_key(ip, keyfile):
warnings.warn('LEGACY, for fuel-qa compatibility', DeprecationWarning)
try:
with open(keyfile) as f:
keys = [paramiko.RSAKey.from_private_key(f)]
except IOError:
logger.warning('Loading of SSH key from file failed. Trying to use'
' SSH agent ...')
keys = paramiko.Agent().get_keys()
return ssh_client.SSHClient(ip, auth=ssh_client.SSHAuth(keys=keys))
def __init__(self,
host,
port=22,
username=username,
password=None,
key=None,
passphrase=None,
timeout=TIMEOUT):
self.username = username
self.password = password
self.client = paramiko.SSHClient()
self.client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
agent = paramiko.Agent()
agent_keys = agent.get_keys()
if 'http_proxy' in os.environ:
if re.match(r'socks5', os.environ['http_proxy']):
# For production use socks5 proxy
proxy_host, proxy_port = (re.sub(
r'^socks5://', "", os.environ['http_proxy'])).split(':')
socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, proxy_host,
int(proxy_port), False)
paramiko.client.socket.socket = socks.socksocket
logging.info("Using Socks5 Proxy")
conn = False
if len(agent_keys) > 0:
for mykey in agent_keys:
try:
self.client.connect(host,
port,
username=username,
password=password,
pkey=mykey,
timeout=timeout,
allow_agent=False)
conn = True
break
except:
pass
if conn is False:
if key is not None:
key = paramiko.RSAKey.from_private_key(io.StringIO(key),
password=passphrase)
logging.info("Making connection to host " + host)
self.client.connect(host,
port,
username=username,
password=password,
pkey=key,
timeout=timeout,
allow_agent=False)
def _get_key(self):
try:
import paramiko as ssh
except ImportError:
import ssh
keys = ssh.Agent().get_keys()
self._keys = filter(is_rsa, keys)
if self._keys:
self._agent_key = self._keys[0]
self._keys = self._keys[1:]
self.sign_algorithm, self.hash_algorithm = ('rsa', 'sha1')
def test_server_connection(server):
agent = paramiko.Agent()
keys = agent.get_keys()
assert len(keys) == 1
assert keys[0].get_name() == 'ssh-rsa'
for key in keys:
print('Trying ssh-agent key %s' % hexlify(key.get_fingerprint()))
agent.close()
def get_keys(key=None, allow_agent=False, logger=None):
agent_keys = []
if allow_agent:
agent = paramiko.Agent()
agent_keys.extend(agent.get_keys())
if logger:
logger.debug('{0} keys loaded from agent'.format(
len(agent_keys)))
if key: # last one to try
agent_keys.append(key)
return agent_keys
def __agent_auth(self, transport, username):
agent = paramiko.Agent()
agent_keys = agent.get_keys()
if len(agent_keys) == 0:
return
for key in agent_keys:
try:
transport.auth_publickey(username, key)
return
except paramiko.SSHException:
pass
def open(self):
self.ssh_agent = paramiko.Agent()
keys = self.ssh_agent.get_keys()
if len(keys) != 1:
raise ShifterError("Failed to get a private key from ssh-agent")
try:
self.transport = paramiko.Transport((self.host, self.port))
self.transport.connect(username=self.user, pkey=keys[0])
self.sftp_client = paramiko.SFTPClient.from_transport(
self.transport)
except paramiko.SSHException as e:
raise ShifterError(str(e))
def requires_password():
"""Check ssh key password requirement
Checks to see if a passphrase/password is needed by the private ssh key.
If it is needed and the user has not yet entered the passphrase for this
key, it will return True. If the user has already successfully entered the
passphrase previously (by way of checking to see if there's already a key
in the ssh-agent process) OR the private ssh key is not secured with a
passphrase, then it will return False.
Note: The ardana-service does not remember credentials across restarts.
(i.e. ssh-agent will be reset when ardana-service restarts)
.. :quickref: SSH Agent; does ssh key require password?
**Example Request**:
.. sourcecode:: http
GET /api/v2/sshagent/requires_password HTTP/1.1
Content-Type: application/json
**Example Response**:
.. sourcecode:: http
HTTP/1.1 200 OK
{
"requires_password": false
}
"""
if not instance:
response = jsonify({"error_msg": "ssh-agent instance not running"})
response.status_code = 400
return response
# If there's already a key in ssh-agent, assume there is no need to add
# any keys because user already entered a passphrased key
agent = paramiko.Agent()
if len(agent.get_keys()):
return jsonify({"requires_password": False})
agent.close()
try:
paramiko.RSAKey.from_private_key_file(instance.key_path)
return jsonify({"requires_password": False})
except paramiko.ssh_exception.PasswordRequiredException:
return jsonify({"requires_password": True})
except FileNotFoundError:
return jsonify({"requires_password": True})
def _auth(self, transport, username):
# TODO: known hosts
# paramiko.RSAKey.from_private_key_file(key_path)
agent = paramiko.Agent()
agent_keys = agent.get_keys()
for key in agent_keys:
try:
transport.auth_publickey(username, key)
return
except paramiko.SSHException:
pass
def __init__(self,
server,
username,
password,
local_port,
remote_server,
preferred_private_key=None):
"""
:param tuple server: The server to connect to.
:param str username: The username to authenticate with.
:param str password: The password to authenticate with.
:param int local_port: The local port to forward.
:param tuple remote_server: The remote server to connect to through the SSH server.
:param str preferred_private_key: An RSA key to prefer for authentication.
"""
super(SSHTCPForwarder, self).__init__()
self.local_port = local_port
self.server = server
self.remote_server = remote_server
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
self.client = client
self.username = username
self.__connected = False
# an issue seems to exist in paramiko when multiple keys are present through the ssh-agent
ssh_agent = paramiko.Agent()
ssh_keys = ssh_agent.get_keys()
if len(ssh_keys) == 1:
self.__try_connect(look_for_keys=False,
allow_agent=False,
pkey=ssh_keys[0])
if not self.__connected and preferred_private_key:
preferred_private_key = preferred_private_key.strip()
preferred_private_key = preferred_private_key.replace(':', '')
preferred_private_key = preferred_private_key.lower()
preferred_private_key = filter(
lambda k: binascii.b2a_hex(k.get_fingerprint()).lower() ==
preferred_private_key, ssh_keys)
if len(preferred_private_key) == 1:
self.__try_connect(look_for_keys=False,
allow_agent=False,
pkey=preferred_private_key[0])
if not self.__connected:
self.__try_connect(password=password,
allow_agent=False,
look_for_keys=True,
raise_error=True)
def get_ssh_keys():
agent = paramiko.Agent()
if len(agent.get_keys()) > 0:
return agent.get_keys()
try:
return [paramiko.RSAKey.from_private_key_file(SSH_KEY)]
except paramiko.PasswordRequiredException:
passwd = getpass.getpass("Enter passphrase for %s: " % SSH_KEY)
try:
return [paramiko.RSAKey.from_private_key_file(filename=SSH_KEY,
password=passwd)]
except paramiko.SSHException:
print "Could not read private key; bad password?"
raise SystemExit(1)
def agent_auth(transport,username):
agent=paramiko.Agent()
agent_keys=agent.get_keys()
if len(agent_keys)==0:
return
#对key认证方式处理
for key in agent_keys:
print('Trying ssh-agent key %s'%hexlify(key.get_fingerpint()))
try:
transport.auth_publickey(username,key)
print('....success!')
return
except paramiko.SSHException:
print('...nope.')
