Ejemplo n.º 1
def __patch_it__():
    """Load the paramiko password-encoding patch on paramiko 1.7.2 or older.

    Nothing is imported or logged when ``paramiko.__version_info__`` is
    greater than ``(1, 7, 2)``.
    """
    import paramiko
    from sshproxy import log

    needs_patch = paramiko.__version_info__ <= (1, 7, 2)
    if not needs_patch:
        return

    # The module is never referenced after the import, so presumably the
    # patch is applied as an import-time side effect -- confirm in
    # p_paramiko_passwdenc.
    import p_paramiko_passwdenc
    log.info("Runtime patch to paramiko password encoding applied")
Ejemplo n.º 2
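    def _sock_accept(self):
        """Accept one IPC client and wrap the connection in an SSH transport.

        A listening AF_UNIX socket whose address starts with a NUL byte is
        handed to ``IPCServer._sock_accept`` unchanged. Any other socket is
        accepted and a paramiko SSH server handshake is run on it before the
        first channel is returned.

        Returns:
            ``(sock, address)``: the channel returned by
            ``transport.accept(5)`` and the peer address from ``accept()``.

        Raises:
            paramiko.SSHException: if the SSH negotiation fails.
        """
        if self.sock_type == socket.AF_UNIX and self.sock_addr[0] == '\x00':
            return IPCServer._sock_accept(self)

        real_sock, address = self.sock.accept()
        log.info("IPC: Accepting new secure client %s", address)

        # NOTE(review): the host key is an ssh-dss (DSA) key read from a
        # hard-coded path. DSA host keys are deprecated by current SSH
        # implementations; confirm whether the key type and path should come
        # from configuration instead.
        host_key = paramiko.DSSKey(filename="/etc/sshproxy/id_dsa")

        transport = paramiko.Transport(real_sock)

        transport.load_server_moduli()
        transport.add_server_key(host_key)

        # start the server interface
        negotiation_ev = threading.Event()

        transport.start_server(negotiation_ev, SSHServer(self.sock_addr))

        # The event is polled in 0.5 s slices until paramiko reports the
        # outcome of the handshake.
        while not negotiation_ev.isSet():
            negotiation_ev.wait(0.5)
        if not transport.is_active():
            log.error("SIPC: SSH negotiation failed")
            # Release the accepted connection: nothing else keeps a reference
            # to it once this method raises.
            transport.close()
            real_sock.close()
            # A bare string cannot be raised on Python >= 2.6 (it fails with
            # TypeError and hides the message), so raise a real exception.
            raise paramiko.SSHException('SSH negotiation failed')

        # NOTE(review): accept() returns None when the client opens no channel
        # within 5 seconds; the caller then receives (None, address).
        sock = transport.accept(5)

        self.real_sock = real_sock
        self.transport = transport

        return sock, address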
Ejemplo n.º 3
    def do_shell_session(self):
        """Run a shell session, proxying it over telnet for telnet sites.

        The first argument names the site. Sites whose 'kind' tag is not
        'telnet' are delegated to ``Server.do_shell_session``.

        Returns:
            False when the site is not authorized or the 'telnet_session'
            ACL denies access, True when the proxy loop is interrupted by
            KeyboardInterrupt, the delegate's result for non-telnet sites,
            and None once the telnet loop has finished normally.
        """
        site = self.args[0]
        authorized = self.authorize(site, need_login=True)
        if not authorized:
            denial = _(u"ERROR: %s does not exist in "
                       "your scope\n") % site
            self.chan.send(chanfmt(denial))
            return False

        kind = self.get_ns_tag('site', 'kind', '')
        if not kind == 'telnet':
            return Server.do_shell_session(self)

        # The session is handled here, so consume the site argument.
        site = self.args.pop(0)

        allowed = self.check_acl('telnet_session')
        if not allowed:
            refusal = ("ERROR: You are not allowed to"
                       " open a telnet session on %s"
                       "\n" % site)
            self.chan.send(chanfmt(refusal))
            return False

        self.update_ns('client', {'type': 'telnet_session'})
        log.info("Connecting to %s (telnet)", site)
        conn = TelnetProxy(self.chan, self.connect_telnet(), self.monitor)
        try:
            self.exit_status = conn.loop()
        except KeyboardInterrupt:
            return True
        except Exception, e:
            # Only the exception class name is sent to the client; the
            # details go to the server log through log.exception().
            report = ("\r\n ERROR: It seems you found a bug."
                      "\r\n Please report this error "
                      "to your administrator.\r\n"
                      "Exception class: <%s>\r\n\r\n"
                      % e.__class__.__name__)
            self.chan.send(report)
            log.exception("An unknown exception occured")
            raise
Ejemplo n.º 4
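    def _sock_accept(self):
        """Accept a client connection and secure it with an SSH server handshake.

        When the listening socket is an AF_UNIX socket whose address begins
        with a NUL byte, the call is delegated to ``IPCServer._sock_accept``.
        Otherwise the accepted socket is wrapped in a ``paramiko.Transport``
        acting as SSH server, and the first channel opened by the client is
        returned.

        Returns:
            A ``(sock, address)`` tuple; ``sock`` is the result of
            ``transport.accept(5)``.

        Raises:
            paramiko.SSHException: when the transport is not active after
                the negotiation event fires.
        """
        if self.sock_type == socket.AF_UNIX and self.sock_addr[0] == '\x00':
            return IPCServer._sock_accept(self)

        real_sock, address = self.sock.accept()
        log.info("IPC: Accepting new secure client %s", address)

        # NOTE(review): fixed path and ssh-dss (DSA) key type. Check that
        # the key file is readable by the daemon account only, and whether
        # a non-DSA host key can be used.
        host_key = paramiko.DSSKey(filename="/etc/sshproxy/id_dsa")

        transport = paramiko.Transport(real_sock)
        transport.load_server_moduli()
        transport.add_server_key(host_key)

        # start the server interface
        negotiation_ev = threading.Event()
        transport.start_server(negotiation_ev, SSHServer(self.sock_addr))

        while not negotiation_ev.isSet():
            negotiation_ev.wait(0.5)

        if not transport.is_active():
            failure = 'SSH negotiation failed'
            log.error("SIPC: SSH negotiation failed")
            # Do not leave the half-negotiated connection open.
            transport.close()
            real_sock.close()
            # The original raised a bare string, which Python >= 2.6 rejects
            # with TypeError; raise an exception object carrying the message.
            raise paramiko.SSHException(failure)

        # NOTE(review): a None result (no channel within 5 s) is passed on
        # to the caller as-is.
        sock = transport.accept(5)

        self.real_sock = real_sock
        self.transport = transport

        return sock, address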
Ejemplo n.º 5
def __patch_it__():
    """Apply the password-encoding runtime patch to old paramiko releases.

    The patch module is imported, and the fact logged, only when
    ``paramiko.__version_info__`` is ``(1, 7, 2)`` or lower.
    """
    import paramiko
    from sshproxy import log

    installed = paramiko.__version_info__
    if installed > (1, 7, 2):
        # Newer releases are left untouched.
        return

    # NOTE(review): importing the module is the whole patch step here; what
    # it changes inside paramiko is not visible from this function.
    import p_paramiko_passwdenc
    log.info("Runtime patch to paramiko password encoding applied")
Ejemplo n.º 6
def __patch_it__():
    """Replace paramiko's shared ``randpool`` object on releases before 1.7.2.

    Returns immediately when ``paramiko.__version_info__`` is ``(1, 7, 2)``
    or later. Otherwise one ``p_paramiko_osrandom.OSRandomPool`` instance is
    created and assigned to the ``randpool`` attribute of every listed
    paramiko submodule and of the ``paramiko`` package itself.
    """
    import paramiko.common
    from sshproxy import log

    if paramiko.__version_info__ >= (1, 7, 2):
        return

    import p_paramiko_osrandom

    os_pool = p_paramiko_osrandom.OSRandomPool()

    pool_users = (
        'common',
        'dsskey',
        'hostkeys',
        'packet',
        'pkey',
        'rsakey',
        'transport',
    )
    # the following modules do not seem to use the
    # randpool object, although they import it from common
    # so let's patch them too, just in case
    pool_importers = (
        'auth_handler',
        'channel',
        'client',
        'kex_gex',
        'kex_group1',
        'server',
        'sftp',
        'sftp_attr',
        'sftp_file',
        'sftp_handle',
        'sftp_server',
        'sftp_si',
        'util',
    )

    # Every module holds its own binding to the pool, so each one has to be
    # rebound; patching paramiko.common alone would not reach them.
    for short_name in pool_users + pool_importers:
        target = __import__('paramiko.' + short_name, fromlist=[short_name])
        target.randpool = os_pool

    paramiko.randpool = os_pool

    # NOTE(review): only success is reported. If the repr still names
    # Crypto.Util.randpool nothing is logged, so a patch that did not take
    # effect goes unnoticed -- consider logging that case too.
    replaced = 'Crypto.Util.randpool.' not in repr(paramiko.common.randpool)
    if replaced:
        log.info("Runtime patch to paramiko random generator applied")
Ejemplo n.º 7
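    def _sock_connect(self, real_sock, sock_addr):
        """Connect to the IPC server and open the 'sshproxy-IPC' SSH channel.

        An AF_UNIX socket whose configured address starts with a NUL byte is
        handed to ``IPCClient._sock_connect`` unchanged. Otherwise
        ``real_sock`` is connected to ``sock_addr``, an SSH client handshake
        is run on it, and the client authenticates as user 'sshproxy-IPC'
        with a DSS key.

        Args:
            real_sock: unconnected socket to use for the link.
            sock_addr: address passed to ``real_sock.connect``.

        Returns:
            The channel returned by ``transport.open_channel``.

        Raises:
            paramiko.SSHException: if SSH negotiation or public-key
                authentication fails.
        """
        if self.sock_type == socket.AF_UNIX and self.sock_addr[0] == '\x00':
            return IPCClient._sock_connect(self, real_sock, sock_addr)

        real_sock.connect(sock_addr)
        log.info("IPC: Connecting to secure server %s", sock_addr)

        transport = paramiko.Transport(real_sock)

        ev = threading.Event()

        transport.start_client(ev)

        while not ev.isSet():
            ev.wait(0.5)
        if not transport.is_active():
            log.error("SIPC: SSH negotiation failed")
            transport.close()
            # A bare string cannot be raised on Python >= 2.6 (TypeError);
            # raise an exception object so callers see the real cause.
            raise paramiko.SSHException('SSH negotiation failed')

        # NOTE(review): the server's host key is never compared with an
        # expected key before authenticating, so this client cannot tell the
        # real IPC server from an impostor. If the link can cross an untrusted
        # network, check transport.get_remote_server_key() here.

        ev = threading.Event()

        # Use the dedicated IPC key when the file exists, else the proxy's
        # own host key file.
        key_file = get_config("sipc").get("key_file")
        if not os.path.isfile(key_file):
            key_file = get_config("sshproxy").get("hostkey_file")

        key = paramiko.DSSKey(filename=key_file)

        transport.auth_publickey('sshproxy-IPC', key, ev)

        while not ev.isSet():
            ev.wait(0.5)
        if not transport.is_authenticated():
            log.error("SIPC: SSH authentication failed")
            transport.close()
            raise paramiko.SSHException('SSH authentication failed')

        sock = transport.open_channel('sshproxy-IPC')
        self.real_sock = real_sock
        self.transport = transport

        return sock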
Ejemplo n.º 8
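    def _sock_connect(self, real_sock, sock_addr):
        """Establish the SSH-protected IPC link to the server.

        Delegates to ``IPCClient._sock_connect`` for an AF_UNIX socket whose
        configured address starts with a NUL byte. For every other socket
        the method connects, runs the SSH client negotiation, authenticates
        by public key as 'sshproxy-IPC' and opens a channel of kind
        'sshproxy-IPC'.

        Args:
            real_sock: socket to connect and hand to paramiko.
            sock_addr: destination address for ``real_sock.connect``.

        Returns:
            The opened channel.

        Raises:
            paramiko.SSHException: when the transport is not active after
                negotiation, or not authenticated after the key exchange.
        """
        if self.sock_type == socket.AF_UNIX and self.sock_addr[0] == '\x00':
            return IPCClient._sock_connect(self, real_sock, sock_addr)

        real_sock.connect(sock_addr)
        log.info("IPC: Connecting to secure server %s", sock_addr)

        transport = paramiko.Transport(real_sock)

        negotiated = threading.Event()
        transport.start_client(negotiated)
        while not negotiated.isSet():
            negotiated.wait(0.5)

        if not transport.is_active():
            log.error("SIPC: SSH negotiation failed")
            # Tear the transport down instead of leaving it half-open.
            transport.close()
            # String exceptions are rejected by Python >= 2.6; use a class.
            raise paramiko.SSHException('SSH negotiation failed')

        # NOTE(review): no host key verification happens between negotiation
        # and authentication. Confirm whether the expected server key should
        # be checked against transport.get_remote_server_key().

        key_file = get_config("sipc").get("key_file")
        if not os.path.isfile(key_file):
            # Fall back to the proxy host key when the IPC key is missing.
            # NOTE(review): client identity and host identity then share one
            # private key file -- confirm this is intended.
            key_file = get_config("sshproxy").get("hostkey_file")

        key = paramiko.DSSKey(filename=key_file)

        authenticated = threading.Event()
        transport.auth_publickey('sshproxy-IPC', key, authenticated)
        while not authenticated.isSet():
            authenticated.wait(0.5)

        if not transport.is_authenticated():
            log.error("SIPC: SSH authentication failed")
            transport.close()
            raise paramiko.SSHException('SSH authentication failed')

        sock = transport.open_channel('sshproxy-IPC')
        self.real_sock = real_sock
        self.transport = transport

        return sock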
Ejemplo n.º 9
    def do_shell_session(self):
        """Open a shell session, using the telnet proxy for telnet sites.

        The site name is taken from ``self.args[0]``. The method first
        checks ``authorize``; for sites whose 'kind' tag is 'telnet' it then
        checks the 'telnet_session' ACL before any connection is made.
        Other kinds are passed to ``Server.do_shell_session``.

        Returns:
            False on an authorization or ACL refusal, True if the proxy
            loop ends with KeyboardInterrupt, the value returned by
            ``Server.do_shell_session`` for non-telnet sites, otherwise
            None. Any other exception from the loop is re-raised.
        """
        site = self.args[0]
        if not self.authorize(site, need_login=True):
            out_of_scope = chanfmt(
                _(u"ERROR: %s does not exist in "
                  "your scope\n") % site)
            self.chan.send(out_of_scope)
            return False

        site_kind = self.get_ns_tag('site', 'kind', '')
        if not site_kind == 'telnet':
            return Server.do_shell_session(self)

        # Telnet site: take the site name off the argument list.
        site = self.args.pop(0)

        if not self.check_acl('telnet_session'):
            not_allowed = chanfmt("ERROR: You are not allowed to"
                                  " open a telnet session on %s"
                                  "\n" % site)
            self.chan.send(not_allowed)
            return False

        client_tags = {'type': 'telnet_session'}
        self.update_ns('client', client_tags)
        log.info("Connecting to %s (telnet)", site)
        conn = TelnetProxy(self.chan, self.connect_telnet(), self.monitor)
        try:
            self.exit_status = conn.loop()
        except KeyboardInterrupt:
            return True
        except Exception, e:
            # The user sees the exception class name only; log.exception()
            # records the failure on the server side before it is re-raised.
            class_name = e.__class__.__name__
            self.chan.send("\r\n ERROR: It seems you found a bug."
                           "\r\n Please report this error "
                           "to your administrator.\r\n"
                           "Exception class: <%s>\r\n\r\n" % class_name)
            log.exception("An unknown exception occured")
            raise