def run(self):
# I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent
# since openssh does not seem to have an option to use only an agent we have a workaround,
# by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent.
# This is a little "racy" in that a tempfile with the same path could concievably be created between the unlink and openssh attempting to use it
# but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key.
logger_debug("testAuthThread started")
import tempfile, os
(fd, path) = tempfile.mkstemp()
os.close(fd)
os.unlink(path)
ssh_cmd = '{sshbinary} -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=yes -l {login} {host} echo "success_testauth"'.format(
sshbinary=self.keydistObject.sshpaths.sshBinary,
login=self.keydistObject.username,
host=self.keydistObject.host,
nonexistantpath=path)
logger_debug('testAuthThread: attempting: ' + ssh_cmd)
ssh = subprocess.Popen(ssh_cmd,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
shell=True,
universal_newlines=True)
stdout, stderr = ssh.communicate()
ssh.wait()
logger_debug('testAuthThread: stdout of ssh command: ' +
str(stdout))
logger_debug('testAuthThread: stderr of ssh command: ' +
str(stderr))
if 'success_testauth' in stdout:
logger_debug(
'testAuthThread: got success_testauth in stdout :)')
self.keydistObject.authentication_success = True
newevent = KeyDist.sshKeyDistEvent(
KeyDist.EVT_KEYDIST_AUTHSUCCESS, self.keydistObject)
else:
logger_debug(
'testAuthThread: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event'
)
newevent = KeyDist.sshKeyDistEvent(
KeyDist.EVT_KEYDIST_AUTHFAIL, self.keydistObject)
if (not self.stopped()):
logger_debug(
'testAuthThread: self.stopped() == False, so posting event: '
+ str(newevent))
wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),
newevent)
def run(self):
# I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent
# since openssh does not seem to have an option to use only an agent we have a workaround,
# by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent.
# This is a little "racy" in that a tempfile with the same path could conceivably be created between the unlink and openssh attempting to use it
# but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key.
threadid = threading.currentThread().ident
logger.debug("testAuthThread %i: started"%threadid)
import tempfile
fd=tempfile.NamedTemporaryFile(delete=True)
path=fd.name
fd.close()
ssh_cmd = '{sshbinary} -o ConnectTimeout=10 -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o KbdInteractiveAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=no -l {login} {host} echo "success_testauth"'.format(sshbinary=self.keydistObject.keyModel.sshpaths.sshBinary,
login=self.keydistObject.username,
host=self.keydistObject.host,
nonexistantpath=path)
logger.debug('testAuthThread: attempting: ' + ssh_cmd)
ssh = subprocess.Popen(ssh_cmd,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,shell=True,universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags)
stdout, stderr = ssh.communicate()
ssh.wait()
logger.debug("testAuthThread %i: stdout of ssh command: "%threadid + str(stdout))
logger.debug("testAuthThread %i: stderr of ssh command: "%threadid + str(stderr))
if 'Could not resolve hostname' in stdout:
logger.debug('Network error.')
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_NETWORK_ERROR,self.keydistObject)
elif 'success_testauth' in stdout:
logger.debug("testAuthThread %i: got success_testauth in stdout :)"%threadid)
self.keydistObject.authentication_success = True
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHSUCCESS,self.keydistObject)
elif 'Agent admitted' in stdout:
logger.debug("testAuthThread %i: the ssh agent has an error. Try rebooting the computer")
self.keydistObject.cancel("Sorry, there is a problem with the SSH agent.\nThis sort of thing usually occurs if you delete your key and create a new one.\nThe easiest solution is to reboot your computer and try again.")
return
else:
logger.debug("testAuthThread %i: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event"%threadid)
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHFAIL,self.keydistObject)
if (not self.stopped()):
logger.debug("testAuthThread %i: self.stopped() == False, so posting event: "%threadid + str(newevent))
wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),newevent)
logger.debug("testAuthThread %i: stopped"%threadid)
def testAuth(self,keyModel,username=None,host=None):
if username!=None:
self.username=username
if host!=None:
self.host=host
if self.username==None:
raise Exception("I don't know what username you are tring to login with")
from logger.Logger import logger
logger.debug("in passwordAuth.testAuth")
import tempfile
import sys
from logger.Logger import logger
import subprocess
fd=tempfile.NamedTemporaryFile(delete=True)
path=fd.name
fd.close()
auth=False
try:
ssh_cmd = ['{sftpBinary}','-o','ConnectTimeout=10','-o','IdentityFile="{nonexistantpath}"','-o','PasswordAuthentication=no','-o','ChallengeResponseAuthentication=no','-o','KbdInteractiveAuthentication=no','-o','PubkeyAuthentication=yes','-o','StrictHostKeyChecking=no','-P','{port}','{login}@{host}']
cmd=[]
for s in ssh_cmd:
cmd.append(s.format(sftpBinary=self.keydistObject.keyModel.sshpaths.sftpBinary,login=self.username, host=self.host, nonexistantpath=path,port=self.port))
logger.debug('testAuthThread: attempting: %s'%cmd)
if sys.platform.startswith("win"):
ssh = subprocess.Popen(" ".join(cmd),shell=True,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags)
else:
ssh = subprocess.Popen(cmd,shell=False,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,stdin=subprocess.PIPE,universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags)
stdout, stderr = ssh.communicate('quit\n\n')
logger.debug("passwordAuth.testAuth: stdout of ssh command: " + str(stdout))
logger.debug("passwordAuth.testAuth: stderr of ssh command: " + str(stderr))
if ssh.returncode==0:
auth=True
else:
auth=False
except Exception as e:
import traceback
logger.debug("passwordAuth.testAuth raised an exception %s"%e)
logger.debug(traceback.format_exc())
raise e
return auth
def run(self):
# I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent
# since openssh does not seem to have an option to use only an agent we have a workaround,
# by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent.
# This is a little "racy" in that a tempfile with the same path could concievably be created between the unlink and openssh attempting to use it
# but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key.
logger_debug("testAuthThread started")
import tempfile, os
(fd,path)=tempfile.mkstemp()
os.close(fd)
os.unlink(path)
ssh_cmd = '{sshbinary} -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=yes -l {login} {host} echo "success_testauth"'.format(sshbinary=self.keydistObject.sshpaths.sshBinary,
login=self.keydistObject.username,
host=self.keydistObject.host,
nonexistantpath=path)
logger_debug('testAuthThread: attempting: ' + ssh_cmd)
ssh = subprocess.Popen(ssh_cmd,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,shell=True,universal_newlines=True)
stdout, stderr = ssh.communicate()
ssh.wait()
logger_debug('testAuthThread: stdout of ssh command: ' + str(stdout))
logger_debug('testAuthThread: stderr of ssh command: ' + str(stderr))
if 'success_testauth' in stdout:
logger_debug('testAuthThread: got success_testauth in stdout :)')
self.keydistObject.authentication_success = True
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHSUCCESS,self.keydistObject)
else:
logger_debug('testAuthThread: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event')
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHFAIL,self.keydistObject)
if (not self.stopped()):
logger_debug('testAuthThread: self.stopped() == False, so posting event: ' + str(newevent))
wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),newevent)
def testAuth(self, keyModel, username=None, host=None):
if username != None:
self.username = username
if host != None:
self.host = host
if self.username == None:
raise Exception("I don't know what username you are tring to login with")
from logger.Logger import logger
logger.debug("in passwordAuth.testAuth")
import tempfile
import sys
from logger.Logger import logger
import subprocess
fd = tempfile.NamedTemporaryFile(delete=True)
path = fd.name
fd.close()
auth = False
try:
ssh_cmd = [
"{sftpBinary}",
"-o",
"ConnectTimeout=10",
"-o",
'IdentityFile="{nonexistantpath}"',
"-o",
"PasswordAuthentication=no",
"-o",
"ChallengeResponseAuthentication=no",
"-o",
"KbdInteractiveAuthentication=no",
"-o",
"PubkeyAuthentication=yes",
"-o",
"StrictHostKeyChecking=no",
"-P",
"{port}",
"{login}@{host}",
]
cmd = []
for s in ssh_cmd:
cmd.append(
s.format(
sftpBinary=self.keydistObject.keyModel.sshpaths.sftpBinary,
login=self.username,
host=self.host,
nonexistantpath=path,
port=self.port,
)
)
logger.debug("testAuthThread: attempting: %s" % cmd)
if sys.platform.startswith("win"):
ssh = subprocess.Popen(
" ".join(cmd),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
universal_newlines=True,
startupinfo=self.keydistObject.startupinfo,
creationflags=self.keydistObject.creationflags,
)
else:
ssh = subprocess.Popen(
cmd,
shell=False,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
stdin=subprocess.PIPE,
universal_newlines=True,
startupinfo=self.keydistObject.startupinfo,
creationflags=self.keydistObject.creationflags,
)
stdout, stderr = ssh.communicate("quit\n\n")
logger.debug("passwordAuth.testAuth: stdout of ssh command: " + str(stdout))
logger.debug("passwordAuth.testAuth: stderr of ssh command: " + str(stderr))
if ssh.returncode == 0:
auth = True
else:
auth = False
except Exception as e:
import traceback
logger.debug("passwordAuth.testAuth raised an exception %s" % e)
logger.debug(traceback.format_exc())
raise e
return auth
