Exemple #1
0
    def test_key(self):
        """Check key import and export"""

        for keytype in self.keytypes:
            with self.subTest(keytype=keytype):
                self.make_keypair('priv', 'pub', keytype)
                self.make_keypair('privca', 'pubca', keytype)

                run('chmod 600 priv privca')

                if self.base_format == 'openssh':
                    run('cp -p pub sshpub')
                else:
                    run('ssh-keygen -i -f pub -m %s > sshpub' %
                        self.base_format)

                self.privkey = read_private_key('priv')
                self.pubkey = read_public_key('pub')
                self.privca = read_private_key('privca')
                self.pubca = read_public_key('pubca')

                self.check_encode_errors()
                self.check_decode_errors()
                self.check_sshkey_base_errors()
                self.check_sign_and_verify()

                if 'pkcs1' in self.private_formats:
                    self.check_pkcs1_private()

                if 'pkcs1' in self.public_formats:
                    self.check_pkcs1_public()

                if 'pkcs8' in self.private_formats:
                    self.check_pkcs8_private()

                if 'pkcs8' in self.public_formats:
                    self.check_pkcs8_public()

                if 'openssh' in self.private_formats: # pragma: no branch
                    self.check_openssh_private()

                if 'openssh' in self.public_formats: # pragma: no branch
                    self.check_openssh_public()

                if 'rfc4716' in self.public_formats: # pragma: no branch
                    self.check_rfc4716_public()

                for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST):
                    for version in self.cert_versions:
                        for fmt in ('openssh', 'rfc4716'):
                            with self.subTest(cert_type=cert_type,
                                              version=version, fmt=fmt):
                                self.check_certificate(cert_type, version, fmt)

                    self.check_certificate_errors(cert_type)
    def test_key(self):
        """Check key import and export"""

        for keytype in self.keytypes:
            with self.subTest(keytype=keytype):
                self.make_keypair('priv', 'pub', keytype)
                self.make_keypair('privca', 'pubca', keytype)

                run('chmod 600 priv privca')

                if self.base_format == 'openssh':
                    run('cp -p pub sshpub')
                else:
                    run('ssh-keygen -i -f pub -m %s > sshpub' %
                        self.base_format)

                self.privkey = read_private_key('priv')
                self.pubkey = read_public_key('pub')
                self.privca = read_private_key('privca')
                self.pubca = read_public_key('pubca')

                self.check_encode_errors()
                self.check_decode_errors()
                self.check_sshkey_base_errors()
                self.check_sign_and_verify()

                if 'pkcs1' in self.private_formats:
                    self.check_pkcs1_private()

                if 'pkcs1' in self.public_formats and _pkcs1_public_supported:
                    self.check_pkcs1_public()

                if 'pkcs8' in self.private_formats:
                    self.check_pkcs8_private()

                if 'pkcs8' in self.public_formats:
                    self.check_pkcs8_public()

                if 'openssh' in self.private_formats:  # pragma: no branch
                    self.check_openssh_private()

                if 'openssh' in self.public_formats:  # pragma: no branch
                    self.check_openssh_public()

                if 'rfc4716' in self.public_formats:  # pragma: no branch
                    self.check_rfc4716_public()

                for cert_type in (CERT_TYPE_USER, CERT_TYPE_HOST):
                    for fmt in ('openssh', 'rfc4716'):
                        with self.subTest(cert_type=cert_type, fmt=fmt):
                            self.check_certificate(cert_type, fmt)

                    self.check_certificate_errors(cert_type)
Exemple #3
0
    def test_disallowed_address(self):
        """Test disallowed address in certificate"""

        ckey = asyncssh.read_private_key('ckey')
        skey = asyncssh.read_private_key('skey')

        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, skey, ckey, ['ckey'],
                                options={'source-address': String('0.0.0.0')})

        with self.assertRaises(asyncssh.DisconnectError):
            yield from self.connect(username='******',
                                    client_keys=[(skey, cert)])
Exemple #4
0
    def test_ec_explicit(self):
        """Test EC certificate with explcit parameters"""

        with self.subTest('Import EC key with explicit parameters'):
            run('openssl ecparam -out priv -noout -genkey -name secp256r1 '
                '-param_enc explicit')
            read_private_key('priv')

        with self.subTest('Import EC key with unknown explicit parameters'):
            run('openssl ecparam -out priv -noout -genkey -name secp112r1 '
                '-param_enc explicit')
            with self.assertRaises(KeyImportError):
                read_private_key('priv')
Exemple #5
0
    def test_expired_cert(self):
        """Test expired certificate"""

        ckey = asyncssh.read_private_key('ckey')
        skey = asyncssh.read_private_key('skey')

        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, skey, ckey, ['ckey'],
                                valid_before=1)

        with self.assertRaises(asyncssh.DisconnectError):
            yield from self.connect(username='******',
                                    client_keys=[(skey, cert)])
    def check_private(self, passphrase=None):
        """Check for a private key match"""

        newkey = read_private_key('new', passphrase)
        self.assertEqual(newkey, self.privkey)
        self.assertEqual(hash(newkey), hash(self.privkey))

        if passphrase:
            with self.assertRaises((KeyEncryptionError, KeyImportError)):
                read_private_key('new', 'xxx')
        else:
            run('cat new new > list')
            keylist = read_private_key_list('list', passphrase)
            self.assertEqual(keylist[0], newkey)
            self.assertEqual(keylist[1], newkey)
    def check_private(self, passphrase=None):
        """Check for a private key match"""

        newkey = read_private_key('new', passphrase)
        self.assertEqual(newkey, self.privkey)
        self.assertEqual(hash(newkey), hash(self.privkey))

        if passphrase:
            with self.assertRaises((KeyEncryptionError, KeyImportError)):
                read_private_key('new', 'xxx')
        else:
            run('cat new new > list')
            keylist = read_private_key_list('list', passphrase)
            self.assertEqual(keylist[0], newkey)
            self.assertEqual(keylist[1], newkey)
    def test_ec_explicit(self):
        """Test EC certificate with explcit parameters"""

        for curve in ('secp256r1', 'secp384r1', 'secp521r1'):
            with self.subTest('Import EC key with explicit parameters',
                              curve=curve):
                run('openssl ecparam -out priv -noout -genkey -name %s '
                    '-param_enc explicit' % curve)
                read_private_key('priv')

        with self.subTest('Import EC key with unknown explicit parameters'):
            run('openssl ecparam -out priv -noout -genkey -name secp112r1 '
                '-param_enc explicit')
            with self.assertRaises(KeyImportError):
                read_private_key('priv')
Exemple #9
0
    def test_allowed_address(self):
        """Test allowed address in certificate"""

        ckey = asyncssh.read_private_key('ckey')
        skey = asyncssh.read_private_key('skey')

        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, skey, ckey, ['ckey'],
                                options={'source-address':
                                         String('0.0.0.0/0,::/0')})

        with (yield from self.connect(username='******',
                                      client_keys=[(skey, cert)])) as conn:
            pass

        yield from conn.wait_closed()
Exemple #10
0
    async def remote_random_port(self):
        """Select unoccupied port on the remote host and return it. 
        
        If this fails for some reason return `None`."""

        username = self.get_remote_user(self.user.name)
        kf = self.ssh_keyfile.format(username=username)
        cf = kf + "-cert.pub"
        k = asyncssh.read_private_key(kf)
        c = asyncssh.read_certificate(cf)

        # this needs to be done against remote_host, first time we're calling up
        async with asyncssh.connect(self.remote_host,
                                    username=username,
                                    client_keys=[(k, c)],
                                    known_hosts=None) as conn:
            result = await conn.run(self.remote_port_command)
            stdout = result.stdout
            stderr = result.stderr
            retcode = result.exit_status

        if stdout != b"":
            ip, port = stdout.split()
            port = int(port)
            self.log.debug("ip={} port={}".format(ip, port))
        else:
            ip, port = None, None
            self.log.error("Failed to get a remote port")
            self.log.error("STDERR={}".format(stderr))
            self.log.debug("EXITSTATUS={}".format(retcode))
        return (ip, port)
async def setup(spawner):
    username = spawner.user.name
    remote_host = "corijupyter.nersc.gov"
    keyfile = "/certs/{username}.key".format(
        username=username)  # NEED to have in NERSCSpawner now
    certfile = keyfile + "-cert.pub"
    k = asyncssh.read_private_key(keyfile)
    c = asyncssh.read_certificate(certfile)
    try:
        async with asyncssh.connect(remote_host,
                                    username=username,
                                    client_keys=[(k, c)],
                                    known_hosts=None) as conn:
            result = await conn.run("myquota -c $HOME")
            retcode = result.exit_status
    except:
        spawner.log.warning(
            f"Problem connecting to {remote_host} to check quota oh well")
        retcode = 0
    if retcode:
        from jinja2 import Markup
        e = web.HTTPError(507, reason="Insufficient Storage")
        e.jupyterhub_message = Markup(
            "<br>Your home directory is over quota! " +
            "Try moving or archiving and deleting some files from there, " +
            "then come back and try again.<br>")
        raise e
Exemple #12
0
    async def start_server(cls):
        """Start an SSH server which supports security key authentication"""

        cls.addClassCleanup(unstub_pkcs11, *stub_pkcs11(cls._pkcs11_tokens))

        pubkeys = get_pkcs11_public_keys()
        certs = get_pkcs11_certs()
        cls._certs_available = bool(certs)

        for cert in certs:
            cert.append_certificate('auth_keys')

        for key in pubkeys:
            key.append_public_key('auth_keys')

        if pubkeys:
            ca_key = asyncssh.read_private_key('ckey')

            cert = ca_key.generate_user_certificate(pubkeys[0],
                                                    'name',
                                                    principals=['ckey'])

            with open('auth_keys', 'a') as auth_keys:
                auth_keys.write('cert-authority ')

            ca_key.append_public_key('auth_keys')
            cert.write_certificate('pkcs11_cert.pub')

        auth_keys = 'auth_keys' if cls._pkcs11_tokens else ()

        return await cls.create_server(authorized_client_keys=auth_keys,
                                       x509_trusted_certs=certs)
Exemple #13
0
async def run_server(loop: asyncio.AbstractEventLoop, logger: logging.Logger, port=22):
    config_dir = "config"
    host_key: Optional[SSHKey] = None

    if not os.path.isdir(config_dir):
        os.mkdir(config_dir)

    host_key_file = os.path.join(config_dir, "host_key")
    if os.path.isfile(host_key_file):
        logger.info("Loading host key (%s)...", host_key_file)
        host_key = asyncssh.read_private_key(host_key_file)
    else:
        logger.info("Generating host key (%s)...", host_key_file)
        host_key = asyncssh.generate_private_key("ssh-rsa", key_size=1024)
        host_key.write_private_key(host_key_file)
        host_key.write_public_key("%s.pub" % host_key_file)

    assert host_key

    def server_factory():
        return HoneypotServer(logger)

    logger.info("Running Honeypot on port %s", port)

    process_factory = functools.partial(handle_client, logger)
    server: asyncio.AbstractServer = await asyncssh.create_server(server_factory, port=port,
                                                                  server_host_keys=[host_key],
                                                                  process_factory=process_factory)

    async with server:
        await server.wait_closed()
    def test_key(self):
        tmpdir = tempfile.TemporaryDirectory()
        os.chdir(tmpdir.name)

        for keytype in self.keytypes:
            with self.subTest(keytype=keytype):
                self.make_keypair(keytype)

                run('chmod 600 priv pub')

                self.key = read_private_key('priv')
                self.sshpub = self.key.encode_ssh_public()

                if 'pkcs1' in self.formats:
                    self.check_pkcs1()

                if 'pkcs8' in self.formats:
                    self.check_pkcs8()

                if 'openssh' in self.formats:
                    self.check_openssh()

                if 'rfc4716' in self.formats:
                    self.check_rfc4716()

        tmpdir.cleanup()
Exemple #15
0
    def test_key(self):
        tmpdir = tempfile.TemporaryDirectory()
        os.chdir(tmpdir.name)

        for keytype in self.keytypes:
            with self.subTest(keytype=keytype):
                self.make_keypair(keytype)

                run('chmod 600 priv pub')

                self.key = read_private_key('priv')
                self.sshpub = self.key.encode_ssh_public()

                if 'pkcs1' in self.formats:
                    self.check_pkcs1()

                if 'pkcs8' in self.formats:
                    self.check_pkcs8()

                if 'openssh' in self.formats:
                    self.check_openssh()

                if 'rfc4716' in self.formats:
                    self.check_rfc4716()

        tmpdir.cleanup()
Exemple #16
0
 def get_keys(self):
     if not self.keys:
         try:
             self.keys = [asyncssh.read_private_key(os.path.expanduser(f)) for f in self.key_files if
                          os.path.exists(os.path.expanduser(f))]
         except BaseException:
             return ()
     return self.keys
Exemple #17
0
 def load_private_key(f, pwd):
     try:
         k = asyncssh.read_private_key(f, pwd)
         if k and pwd:
             log.debug(f"Decrypted with {pwd} - {f}")
         return k
     except Exception as ex:
         log.debug(f"{str(ex)} - {f}")
         return None
    def test_client_key_sshkey(self):
        """Test client key passed in as an SSHKey"""

        ckey = asyncssh.read_private_key('ckey')

        with (yield from self.connect(username='******',
                                      client_keys=[ckey])) as conn:
            pass

        yield from conn.wait_closed()
    def test_client_key_sshkey(self):
        """Test client key passed in as an SSHKey"""

        ckey = asyncssh.read_private_key('ckey')

        with (yield from self.connect(username='******',
                                      client_keys=[ckey])) as conn:
            pass

        yield from conn.wait_closed()
Exemple #20
0
def get_private_key():
    key_filename = relative(config.PRIVATE_KEY)

    if not exists(key_filename):
        private_key = asyncssh.generate_private_key('ssh-rsa')
        private_key.write_private_key(key_filename)
    else:
        private_key = asyncssh.read_private_key(key_filename)

    return private_key
Exemple #21
0
    def test_forwarding_not_allowed(self):
        """Test an X11 request from a non-authorized user"""

        ckey = asyncssh.read_private_key("ckey")
        cert = ckey.generate_user_certificate(ckey, "name", principals=["ckey"], permit_x11_forwarding=False)

        with (yield from self.connect(username="******", client_keys=[(ckey, cert)])) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                yield from _create_x11_process(conn, "connect l")

        yield from conn.wait_closed()
    def test_untrusted_ca(self):
        """Test untrusted CA"""

        skey = asyncssh.read_private_key('skey')

        cert = make_certificate('*****@*****.**', CERT_TYPE_USER,
                                skey, skey, ['skey'])

        with self.assertRaises(ValueError):
            yield from self.connect(username='******',
                                    client_keys=[('ckey', cert)])
    def test_untrusted_ca(self):
        """Test untrusted CA"""

        skey = asyncssh.read_private_key('skey')

        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, skey, skey, ['skey'])

        with self.assertRaises(ValueError):
            yield from self.connect(username='******',
                                    client_keys=[('ckey', cert)])
Exemple #24
0
 async def get_connection(self):
     if self.conn is None:
         config = self.config
         key = asyncssh.read_private_key(config['identityfile'])
         self.conn = await asyncssh.connect(
             config['hostname'],
             username=config['user'],
             port=int(config['port']),
             known_hosts=None,
             client_keys=(key,))
     return self.conn
Exemple #25
0
    async def test_unix_connection_not_permitted(self):
        """Test permission denied in opening a remote UNIX connection"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                extensions={'no-port-forwarding': ''})

        async with self.connect(username='******',
                                client_keys=[(ckey, cert)]) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                await conn.open_unix_connection('/echo')
Exemple #26
0
    async def test_forward_remote_path_not_permitted(self):
        """Test permission denied in forwarding a remote UNIX domain path"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                extensions={'no-port-forwarding': ''})

        async with self.connect(username='******', client_keys=[(ckey, cert)],
                                agent_path=None) as conn:
            with self.assertRaises(asyncssh.ChannelListenError):
                await conn.forward_remote_path('', 'local')
Exemple #27
0
    async def test_forced_exec(self):
        """Test execution of a forced remote command"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER,
                                ckey,
                                ckey, ['ckey'],
                                options={'force-command': String('echo')})

        async with self.connect(username='******',
                                client_keys=[(ckey, cert)]) as conn:
            await self._check_session(conn)
Exemple #28
0
    async def test_forwarding_not_allowed(self):
        """Test an X11 request from a non-authorized user"""

        ckey = asyncssh.read_private_key('ckey')
        cert = ckey.generate_user_certificate(ckey,
                                              'name',
                                              principals=['ckey'],
                                              permit_x11_forwarding=False)

        async with self.connect(username='******',
                                client_keys=[(ckey, cert)]) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                await _create_x11_process(conn, 'connect l')
    def test_cert_principals(self):
        """Test certificate principals check"""

        ckey = asyncssh.read_private_key('ckey')

        cert = make_certificate('*****@*****.**', CERT_TYPE_USER,
                                ckey, ckey, ['ckey'])

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)])) as conn:
            pass

        yield from conn.wait_closed()
Exemple #30
0
    def test_forced_exec(self):
        """Test execution of a forced remote command"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                options={'force-command': String('echo')})

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)])) as conn:
            yield from self._check_session(conn)

        yield from conn.wait_closed()
Exemple #31
0
    def test_unix_connection_not_permitted(self):
        """Test permission denied in opening a remote UNIX connection"""

        ckey = asyncssh.read_private_key("ckey")
        cert = make_certificate(
            "*****@*****.**", CERT_TYPE_USER, ckey, ckey, ["ckey"], extensions={"no-port-forwarding": ""}
        )

        with (yield from self.connect(username="******", client_keys=[(ckey, cert)])) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                yield from conn.open_unix_connection("/echo")

        yield from conn.wait_closed()
    def test_cert_principals(self):
        """Test certificate principals check"""

        ckey = asyncssh.read_private_key('ckey')

        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'])

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)])) as conn:
            pass

        yield from conn.wait_closed()
Exemple #33
0
    async def start_ssh_remote_forward_session(self):
        env = super(CloudSSHSpawner, self).get_env()
        env["JUPYTERHUB_API_URL"] = self.hub_api_url
        env["JUPYTERHUB_ACTIVITY_URL"] = self.hub_activity_url
        env["JUPYTERHUB_HOST"] = self.hub_public_host
        env["PATH"] = self.path
        kf = self.ssh_keyfile.format(username=self.user.name)
        cf = kf + "-cert.pub"
        k = asyncssh.read_private_key(kf)
        c = asyncssh.read_certificate(cf)

        # ssh -v -fNT -R 8081:multiplespawner.workers.vcn.oraclevcn.com:8081 -R 8000:127.0.0.1:8000 [email protected] -i ~/.corc/ssh/ras6_id_rsa
        self.log.debug("ssh remote forward target: {}".format(
            self.hub_public_host))
        # -R remote_port,local_host:local_port -R remote_port,local_host:local_port remote_user@remoteip -i path_to_rsa_key
        ssh_backtunnel_command = "ssh -fNT -R {}:{}:{} -R {}:{}:{} {}@{} -i {}".format(
            self.hub_api_port,
            self.hub_api_interface,
            self.hub_api_port,
            self.hub.port,
            self.hub.ip,
            self.hub.port,
            self.user.name,
            self.remote_host,
            self.ssh_forward_credentials_paths["private_key_file"],
        )

        username = self.get_remote_user(self.user.name)
        bash_script_str = "#!/bin/bash\n"
        bash_script_str += (
            "%s < /dev/null >> .{}_ssh_remote_forward.log 2>&1 & pid=$!\n".
            format(self.user.name) % ssh_backtunnel_command)
        run_script = "/tmp/{}_ssh_remote_forward_run.sh".format(self.user.name)
        with open(run_script, "w") as f:
            f.write(bash_script_str)
        if not os.path.isfile(run_script):
            raise Exception("The file " + run_script + "was not created.")
        else:
            with open(run_script, "r") as f:
                self.log.debug(run_script + " was written as:\n" + f.read())

        # Set the executable permission
        if not chmod(run_script, 0o755):
            raise Exception(
                "Failed to set executable permissions on: {}".format(
                    run_script))

        launched = await self.launch_detach_process(run_script)
        if not launched:
            raise Exception("Failed to execute: {}".format(run_script))
        return True
Exemple #34
0
    async def test_pty_disallowed_by_cert(self):
        """Test rejection of pty request by certificate"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER,
                                ckey,
                                ckey, ['ckey'],
                                extensions={'no-pty': ''})

        async with self.connect(username='******',
                                client_keys=[(ckey, cert)]) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                await _create_session(conn, 'term', term_type='ansi')
Exemple #35
0
    def test_pty_disallowed_by_cert(self):
        """Test rejection of pty request by certificate"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                extensions={'no-pty': ''})

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)])) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                yield from _create_session(conn, 'term', term_type='ansi')

        yield from conn.wait_closed()
Exemple #36
0
    async def test_forward_remote_port_not_permitted(self):
        """Test permission denied in forwarding of a remote port"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER,
                                ckey,
                                ckey, ['ckey'],
                                extensions={'no-port-forwarding': ''})

        async with self.connect(username='******',
                                client_keys=[(ckey, cert)]) as conn:
            listener = await conn.forward_remote_port('', 0, '', 0)
            self.assertIsNone(listener)
Exemple #37
0
    def test_connection_not_permitted(self):
        """Test permission denied in opening a remote connection"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                extensions={'no-port-forwarding': ''})

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)])) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                yield from conn.open_connection('', 7)

        yield from conn.wait_closed()
Exemple #38
0
    def test_forward_remote_path_not_permitted(self):
        """Test permission denied in forwarding a remote UNIX domain path"""

        ckey = asyncssh.read_private_key("ckey")
        cert = make_certificate(
            "*****@*****.**", CERT_TYPE_USER, ckey, ckey, ["ckey"], extensions={"no-port-forwarding": ""}
        )

        with (yield from self.connect(username="******", client_keys=[(ckey, cert)])) as conn:
            listener = yield from conn.forward_remote_path("", "local")

            self.assertIsNone(listener)

        yield from conn.wait_closed()
Exemple #39
0
    async def exec_notebook(self, command):
        """TBD"""

        env = super(CloudSSHSpawner, self).get_env()
        env["JUPYTERHUB_API_URL"] = self.hub_api_url
        env["JUPYTERHUB_ACTIVITY_URL"] = self.hub_activity_url
        env["PATH"] = self.path
        username = self.get_remote_user(self.user.name)
        kf = self.ssh_keyfile.format(username=username)
        cf = kf + "-cert.pub"
        k = asyncssh.read_private_key(kf)
        c = asyncssh.read_certificate(cf)
        bash_script_str = "#!/bin/bash\n"

        for item in env.items():
            # item is a (key, value) tuple
            # command = ('export %s=%s;' % item) + command
            bash_script_str += "export %s=%s\n" % item
        bash_script_str += "unset XDG_RUNTIME_DIR\n"

        bash_script_str += "touch .jupyter.log\n"
        bash_script_str += "chmod 600 .jupyter.log\n"
        bash_script_str += "%s < /dev/null >> .jupyter.log 2>&1 & pid=$!\n" % command
        bash_script_str += "echo $pid\n"

        run_script = "/tmp/{}_run.sh".format(self.user.name)
        with open(run_script, "w") as f:
            f.write(bash_script_str)
        if not os.path.isfile(run_script):
            raise Exception("The file " + run_script + "was not created.")
        else:
            with open(run_script, "r") as f:
                self.log.debug(run_script + " was written as:\n" + f.read())

        async with asyncssh.connect(self.remote_host,
                                    username=username,
                                    client_keys=[(k, c)],
                                    known_hosts=None) as conn:
            result = await conn.run("bash -s", stdin=run_script)
            stdout = result.stdout
            _ = result.stderr
            retcode = result.exit_status

        self.log.debug("exec_notebook status={}".format(retcode))
        if stdout != b"":
            pid = int(stdout)
        else:
            return -1

        return pid
Exemple #40
0
    def test_forward_remote_path_not_permitted(self):
        """Test permission denied in forwarding a remote UNIX domain path"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                extensions={'no-port-forwarding': ''})

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)])) as conn:
            listener = yield from conn.forward_remote_path('', 'local')

            self.assertIsNone(listener)

        yield from conn.wait_closed()
Exemple #41
0
    def test_forward_remote_path_not_permitted(self):
        """Test permission denied in forwarding a remote UNIX domain path"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                extensions={'no-port-forwarding': ''})

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)])) as conn:
            listener = yield from conn.forward_remote_path('', 'local')

            self.assertIsNone(listener)

        yield from conn.wait_closed()
 async def start(self):
     ssh_endpoint = self.get_config('app.contact.tunnel.ssh.socket')
     addr, port = ssh_endpoint.split(':')
     host_key_filename = self.get_config('app.contact.tunnel.ssh.host_key_file')
     host_key_filepath = os.path.join('conf', 'ssh_keys', host_key_filename)
     host_key_passphrase = self.get_config('app.contact.tunnel.ssh.host_key_passphrase')
     try:
         host_key = asyncssh.read_private_key(host_key_filepath, passphrase=host_key_passphrase)
     except Exception as e:
         self.log.warning('Generating temporary SSH private key. Was unable to use provided SSH private key: %s' % e)
         host_key = asyncssh.generate_private_key('ssh-rsa', comment='temporary key')
     try:
         await asyncssh.create_server(self.server_factory, addr, int(port),
                                      server_host_keys=[host_key])
     except Exception as e:
         self.log.error('Error starting SSH server: %s' % e)
Exemple #43
0
def load_all_keys():
    key_files = glob.glob(
        os.path.join(os.path.dirname(__file__), '..') + "/keys/*")
    user_key_files = [
        os.path.expanduser(file_) for file_ in [
            '~/.ssh/id_ed25519', '~/.ssh/id_ecdsa', '~/.ssh/id_rsa',
            '~/.ssh/id_dsa'
        ]
    ]
    keys = []
    for file_ in key_files + user_key_files:
        try:
            keys.append(asyncssh.read_private_key(file_))
        except Exception:
            pass
    return keys
Exemple #44
0
    def test_pty_disallowed(self):
        """Test rejection of pty request"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER,
                                ckey,
                                ckey, ['ckey'],
                                extensions={'no-pty': ''})

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)],
                                      agent_forwarding=True)) as conn:
            with self.assertRaises(asyncssh.ChannelOpenError):
                yield from _create_session(conn, 'term', term_type='ansi')

        yield from conn.wait_closed()
Exemple #45
0
    async def exec_notebook(self, command):
        """TBD"""

        env = self.user_env()
        username = self.get_remote_user(self.user.name)
        kf = self.ssh_keyfile.format(username=username)
        cf = kf + "-cert.pub"
        k = asyncssh.read_private_key(kf)
        c = asyncssh.read_certificate(cf)
        bash_script_str = "#!/bin/bash\n"

        for item in env.items():
            # item is a (key, value) tuple
            # command = ('export %s=%s;' % item) + command
            bash_script_str += 'export %s=%s\n' % item
        bash_script_str += 'unset XDG_RUNTIME_DIR\n'

        bash_script_str += '%s < /dev/null >> jupyter.log 2>&1 & pid=$!\n' % command
        bash_script_str += 'echo $pid\n'

        run_script = "/tmp/{}_run.sh".format(self.user.name)
        with open(run_script, "w") as f:
            f.write(bash_script_str)
        if not os.path.isfile(run_script):
            raise Exception("The file " + run_script + "was not created.")
        else:
            with open(run_script, "r") as f:
                self.log.debug(run_script + " was written as:\n" + f.read())

        async with asyncssh.connect(self.remote_host,
                                    username=username,
                                    client_keys=[(k, c)],
                                    known_hosts=None) as conn:
            result = await conn.run("bash -s", stdin=run_script)
            stdout = result.stdout
            stderr = result.stderr
            retcode = result.exit_status

        self.log.debug("exec_notebook status={}".format(retcode))
        if stdout != b'':
            pid = int(stdout)
        else:
            return -1

        return pid
Exemple #46
0
    async def test_agent_forwarding_failure(self):
        """Test failure of SSH agent forwarding"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER,
                                ckey,
                                ckey, ['ckey'],
                                extensions={'no-agent-forwarding': ''})

        async with self.connect(username='******',
                                client_keys=[(ckey, cert)],
                                agent_forwarding=True) as conn:
            chan, session = await _create_session(conn, 'agent')

            await chan.wait_closed()

            self.assertEqual(session.exit_status, 1)
Exemple #47
0
    def test_agent_forwarding_failure(self):
        """Test failure of SSH agent forwarding"""

        ckey = asyncssh.read_private_key('ckey')
        cert = make_certificate('*****@*****.**',
                                CERT_TYPE_USER, ckey, ckey, ['ckey'],
                                extensions={'no-agent-forwarding': ''})

        with (yield from self.connect(username='******',
                                      client_keys=[(ckey, cert)],
                                      agent_forwarding=True)) as conn:
            chan, session = yield from _create_session(conn, 'agent')

            yield from chan.wait_closed()

            self.assertEqual(session.exit_status, 1)

        yield from conn.wait_closed()
Exemple #48
0
    def test_key(self):
        tmpdir = tempfile.TemporaryDirectory()
        os.chdir(tmpdir.name)

        for keytype in self.keytypes:
            with self.subTest(keytype=keytype):
                self.make_private(keytype)

                run('openssl %s -pubout -in priv -out pub' % self.keyclass)
                run('chmod 600 priv pub')

                with self.subTest('Import PKCS#1 PEM private'):
                    self.key = read_private_key('priv')
                    self.sshpub = self.key.encode_ssh_public()
                    self.assertTrue(self.sshpub)

                with self.subTest('Export PKCS#1 PEM private'):
                    self.export_pkcs1_private('pem')

                with self.subTest('Import PKCS#1 DER private'):
                    self.import_pkcs1_private('der')

                with self.subTest('Export PKCS#1 DER private'):
                    self.export_pkcs1_private('der')

                for cipher in pkcs1_ciphers:
                    with self.subTest('Import PKCS#1 PEM private (%s)' %
                            cipher):
                        self.import_pkcs1_private('pem', cipher)
                        
                    with self.subTest('Export PKCS#1 PEM private (%s)' %
                            cipher):
                        self.export_pkcs1_private('pem', cipher)

                with self.subTest('Import PKCS#8 PEM private'):
                    self.import_pkcs8_private('pem')

                with self.subTest('Export PKCS#8 PEM private'):
                    self.export_pkcs8_private('pem')

                with self.subTest('Import PKCS#8 DER private'):
                    self.import_pkcs8_private('der')

                with self.subTest('Export PKCS#8 DER private'):
                    self.export_pkcs8_private('der')

                for cipher, hash, pbe_version, args in pkcs8_ciphers:
                    with self.subTest('Import PKCS#8 PEM private '
                                      '(%s-%s-v%s)' % (cipher, hash,
                                      pbe_version)):
                        self.import_pkcs8_private('pem', cipher, args)
                        
                    with self.subTest('Export PKCS#8 PEM private '
                                      '(%s-%s-v%s)' % (cipher, hash,
                                      pbe_version)):
                        self.export_pkcs8_private('pem', cipher, hash,
                                                  pbe_version)

                    with self.subTest('Import PKCS#8 DER private '
                                      '(%s-%s-v%s)' % (cipher, hash,
                                      pbe_version)):
                        self.import_pkcs8_private('der', cipher, args)
                        
                    with self.subTest('Export PKCS#8 DER private '
                                      '(%s-%s-v%s)' % (cipher, hash,
                                      pbe_version)):
                        self.export_pkcs8_private('der', cipher, hash,
                                                  pbe_version)

                with self.subTest('Import PKCS#8 PEM public'):
                    self.import_pkcs8_public('pem')

                with self.subTest('Export PKCS#8 PEM public'):
                    self.export_pkcs8_public('pem')

                with self.subTest('Import PKCS#8 DER public'):
                    self.import_pkcs8_public('der')

                with self.subTest('Export PKCS#8 DER public'):
                    self.export_pkcs8_public('der')

                with self.subTest('Import OpenSSH public'):
                    self.import_openssh_public()

                with self.subTest('Export OpenSSH public'):
                    self.export_openssh_public()

                with self.subTest('Import RFC4716 public'):
                    self.import_rfc4716_public()

                with self.subTest('Export RFC4716 public'):
                    self.export_rfc4716_public()

        tmpdir.cleanup()
 def check_private(self, passphrase):
     newkey = read_private_key('new', passphrase)
     self.assertEqual(newkey.encode_ssh_public(), self.sshpub)