def run(self): # I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent # since openssh does not seem to have an option to use only an agent we have a workaround, # by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent. # This is a little "racy" in that a tempfile with the same path could concievably be created between the unlink and openssh attempting to use it # but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key. logger_debug("testAuthThread started") import tempfile, os (fd, path) = tempfile.mkstemp() os.close(fd) os.unlink(path) ssh_cmd = '{sshbinary} -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=yes -l {login} {host} echo "success_testauth"'.format( sshbinary=self.keydistObject.sshpaths.sshBinary, login=self.keydistObject.username, host=self.keydistObject.host, nonexistantpath=path) logger_debug('testAuthThread: attempting: ' + ssh_cmd) ssh = subprocess.Popen(ssh_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True, universal_newlines=True) stdout, stderr = ssh.communicate() ssh.wait() logger_debug('testAuthThread: stdout of ssh command: ' + str(stdout)) logger_debug('testAuthThread: stderr of ssh command: ' + str(stderr)) if 'success_testauth' in stdout: logger_debug( 'testAuthThread: got success_testauth in stdout :)') self.keydistObject.authentication_success = True newevent = KeyDist.sshKeyDistEvent( KeyDist.EVT_KEYDIST_AUTHSUCCESS, self.keydistObject) else: logger_debug( 'testAuthThread: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event' ) newevent = KeyDist.sshKeyDistEvent( KeyDist.EVT_KEYDIST_AUTHFAIL, self.keydistObject) if (not self.stopped()): logger_debug( 'testAuthThread: self.stopped() == False, so posting event: ' + str(newevent)) wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(), newevent)
def run(self): # I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent # since openssh does not seem to have an option to use only an agent we have a workaround, # by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent. # This is a little "racy" in that a tempfile with the same path could conceivably be created between the unlink and openssh attempting to use it # but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key. threadid = threading.currentThread().ident logger.debug("testAuthThread %i: started"%threadid) import tempfile fd=tempfile.NamedTemporaryFile(delete=True) path=fd.name fd.close() ssh_cmd = '{sshbinary} -o ConnectTimeout=10 -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o KbdInteractiveAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=no -l {login} {host} echo "success_testauth"'.format(sshbinary=self.keydistObject.keyModel.sshpaths.sshBinary, login=self.keydistObject.username, host=self.keydistObject.host, nonexistantpath=path) logger.debug('testAuthThread: attempting: ' + ssh_cmd) ssh = subprocess.Popen(ssh_cmd,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,shell=True,universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags) stdout, stderr = ssh.communicate() ssh.wait() logger.debug("testAuthThread %i: stdout of ssh command: "%threadid + str(stdout)) logger.debug("testAuthThread %i: stderr of ssh command: "%threadid + str(stderr)) if 'Could not resolve hostname' in stdout: logger.debug('Network error.') newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_NETWORK_ERROR,self.keydistObject) elif 'success_testauth' in stdout: logger.debug("testAuthThread %i: got success_testauth in stdout :)"%threadid) self.keydistObject.authentication_success = True newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHSUCCESS,self.keydistObject) elif 'Agent admitted' in stdout: logger.debug("testAuthThread %i: the ssh agent has an error. Try rebooting the computer") self.keydistObject.cancel("Sorry, there is a problem with the SSH agent.\nThis sort of thing usually occurs if you delete your key and create a new one.\nThe easiest solution is to reboot your computer and try again.") return else: logger.debug("testAuthThread %i: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event"%threadid) newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHFAIL,self.keydistObject) if (not self.stopped()): logger.debug("testAuthThread %i: self.stopped() == False, so posting event: "%threadid + str(newevent)) wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),newevent) logger.debug("testAuthThread %i: stopped"%threadid)
def testAuth(self,keyModel,username=None,host=None): if username!=None: self.username=username if host!=None: self.host=host if self.username==None: raise Exception("I don't know what username you are tring to login with") from logger.Logger import logger logger.debug("in passwordAuth.testAuth") import tempfile import sys from logger.Logger import logger import subprocess fd=tempfile.NamedTemporaryFile(delete=True) path=fd.name fd.close() auth=False try: ssh_cmd = ['{sftpBinary}','-o','ConnectTimeout=10','-o','IdentityFile="{nonexistantpath}"','-o','PasswordAuthentication=no','-o','ChallengeResponseAuthentication=no','-o','KbdInteractiveAuthentication=no','-o','PubkeyAuthentication=yes','-o','StrictHostKeyChecking=no','-P','{port}','{login}@{host}'] cmd=[] for s in ssh_cmd: cmd.append(s.format(sftpBinary=self.keydistObject.keyModel.sshpaths.sftpBinary,login=self.username, host=self.host, nonexistantpath=path,port=self.port)) logger.debug('testAuthThread: attempting: %s'%cmd) if sys.platform.startswith("win"): ssh = subprocess.Popen(" ".join(cmd),shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags) else: ssh = subprocess.Popen(cmd,shell=False,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,stdin=subprocess.PIPE,universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags) stdout, stderr = ssh.communicate('quit\n\n') logger.debug("passwordAuth.testAuth: stdout of ssh command: " + str(stdout)) logger.debug("passwordAuth.testAuth: stderr of ssh command: " + str(stderr)) if ssh.returncode==0: auth=True else: auth=False except Exception as e: import traceback logger.debug("passwordAuth.testAuth raised an exception %s"%e) logger.debug(traceback.format_exc()) raise e return auth
def run(self): # I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent # since openssh does not seem to have an option to use only an agent we have a workaround, # by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent. # This is a little "racy" in that a tempfile with the same path could concievably be created between the unlink and openssh attempting to use it # but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key. logger_debug("testAuthThread started") import tempfile, os (fd,path)=tempfile.mkstemp() os.close(fd) os.unlink(path) ssh_cmd = '{sshbinary} -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=yes -l {login} {host} echo "success_testauth"'.format(sshbinary=self.keydistObject.sshpaths.sshBinary, login=self.keydistObject.username, host=self.keydistObject.host, nonexistantpath=path) logger_debug('testAuthThread: attempting: ' + ssh_cmd) ssh = subprocess.Popen(ssh_cmd,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,shell=True,universal_newlines=True) stdout, stderr = ssh.communicate() ssh.wait() logger_debug('testAuthThread: stdout of ssh command: ' + str(stdout)) logger_debug('testAuthThread: stderr of ssh command: ' + str(stderr)) if 'success_testauth' in stdout: logger_debug('testAuthThread: got success_testauth in stdout :)') self.keydistObject.authentication_success = True newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHSUCCESS,self.keydistObject) else: logger_debug('testAuthThread: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event') newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHFAIL,self.keydistObject) if (not self.stopped()): logger_debug('testAuthThread: self.stopped() == False, so posting event: ' + str(newevent)) wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),newevent)
def testAuth(self, keyModel, username=None, host=None): if username != None: self.username = username if host != None: self.host = host if self.username == None: raise Exception("I don't know what username you are tring to login with") from logger.Logger import logger logger.debug("in passwordAuth.testAuth") import tempfile import sys from logger.Logger import logger import subprocess fd = tempfile.NamedTemporaryFile(delete=True) path = fd.name fd.close() auth = False try: ssh_cmd = [ "{sftpBinary}", "-o", "ConnectTimeout=10", "-o", 'IdentityFile="{nonexistantpath}"', "-o", "PasswordAuthentication=no", "-o", "ChallengeResponseAuthentication=no", "-o", "KbdInteractiveAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "StrictHostKeyChecking=no", "-P", "{port}", "{login}@{host}", ] cmd = [] for s in ssh_cmd: cmd.append( s.format( sftpBinary=self.keydistObject.keyModel.sshpaths.sftpBinary, login=self.username, host=self.host, nonexistantpath=path, port=self.port, ) ) logger.debug("testAuthThread: attempting: %s" % cmd) if sys.platform.startswith("win"): ssh = subprocess.Popen( " ".join(cmd), shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags, ) else: ssh = subprocess.Popen( cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags, ) stdout, stderr = ssh.communicate("quit\n\n") logger.debug("passwordAuth.testAuth: stdout of ssh command: " + str(stdout)) logger.debug("passwordAuth.testAuth: stderr of ssh command: " + str(stderr)) if ssh.returncode == 0: auth = True else: auth = False except Exception as e: import traceback logger.debug("passwordAuth.testAuth raised an exception %s" % e) logger.debug(traceback.format_exc()) raise e return auth