Exemplo n.º 1
0
    def test_ed25519(self):
        key1 = Ed25519Key.from_private_key_file(test_path('test_ed25519.key'))
        key2 = Ed25519Key.from_private_key_file(
            test_path('test_ed25519_password.key'), b'abc123'
        )

        self.assertNotEqual(key1.asbytes(), key2.asbytes())
Exemplo n.º 2
0
    def test_2_client_dsa(self):
        """
        verify that SSHClient works with a DSA key.
        """
        threading.Thread(target=self._run).start()
        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        self.tc = paramiko.SSHClient()
        self.tc.get_host_keys().add('[%s]:%d' % (self.addr, self.port), 'ssh-rsa', public_host_key)
        self.tc.connect(self.addr, self.port, username='******', key_filename=test_path('test_dss.key'))

        self.event.wait(1.0)
        self.assertTrue(self.event.isSet())
        self.assertTrue(self.ts.is_active())
        self.assertEqual('slowdive', self.ts.get_username())
        self.assertEqual(True, self.ts.is_authenticated())

        stdin, stdout, stderr = self.tc.exec_command('yes')
        schan = self.ts.accept(1.0)

        schan.send('Hello there.\n')
        schan.send_stderr('This is on stderr.\n')
        schan.close()

        self.assertEqual('Hello there.\n', stdout.readline())
        self.assertEqual('', stdout.readline())
        self.assertEqual('This is on stderr.\n', stderr.readline())
        self.assertEqual('', stderr.readline())

        stdin.close()
        stdout.close()
        stderr.close()
Exemplo n.º 3
0
    def test_certificates(self):
        # PKey.load_certificate
        key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
        self.assertTrue(key.public_blob is None)
        key.load_certificate(test_path('test_rsa.key-cert.pub'))
        self.assertTrue(key.public_blob is not None)
        self.assertEqual(key.public_blob.key_type, '*****@*****.**')
        self.assertEqual(key.public_blob.comment, 'test_rsa.key.pub')
        # Delve into blob contents, for test purposes
        msg = Message(key.public_blob.key_blob)
        self.assertEqual(msg.get_text(), '*****@*****.**')
        nonce = msg.get_string()
        e = msg.get_mpint()
        n = msg.get_mpint()
        self.assertEqual(e, key.public_numbers.e)
        self.assertEqual(n, key.public_numbers.n)
        # Serial number
        self.assertEqual(msg.get_int64(), 1234)

        # Prevented from loading certificate that doesn't match
        key1 = Ed25519Key.from_private_key_file(test_path('test_ed25519.key'))
        self.assertRaises(
            ValueError,
            key1.load_certificate,
            test_path('test_rsa.key-cert.pub'),
        )
 def _run(self, allowed_keys=None, delay=0):
     if allowed_keys is None:
         allowed_keys = FINGERPRINTS.keys()
     self.socks, addr = self.sockl.accept()
     self.ts = paramiko.Transport(self.socks)
     keypath = test_path('test_rsa.key')
     host_key = paramiko.RSAKey.from_private_key_file(keypath)
     self.ts.add_server_key(host_key)
     keypath = test_path('test_ecdsa_256.key')
     host_key = paramiko.ECDSAKey.from_private_key_file(keypath)
     self.ts.add_server_key(host_key)
     server = NullServer(allowed_keys=allowed_keys)
     if delay:
         time.sleep(delay)
     self.ts.start_server(self.event, server)
    def setup_test_server(
        self, client_options=None, server_options=None, connect_kwargs=None,
    ):
        host_key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = RSAKey(data=host_key.asbytes())
        self.ts.add_server_key(host_key)

        if client_options is not None:
            client_options(self.tc.get_security_options())
        if server_options is not None:
            server_options(self.ts.get_security_options())

        event = threading.Event()
        self.server = NullServer()
        self.assertTrue(not event.is_set())
        self.ts.start_server(event, self.server)
        if connect_kwargs is None:
            connect_kwargs = dict(
                hostkey=public_host_key,
                username='******',
                password='******',
            )
        self.tc.connect(**connect_kwargs)
        event.wait(1.0)
        self.assertTrue(event.is_set())
        self.assertTrue(self.ts.is_active())
Exemplo n.º 6
0
    def test_5_save_host_keys(self):
        """
        verify that SSHClient correctly saves a known_hosts file.
        """
        warnings.filterwarnings('ignore', 'tempnam.*')

        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())
        fd, localname = mkstemp()
        os.close(fd)

        client = paramiko.SSHClient()
        self.assertEquals(0, len(client.get_host_keys()))

        host_id = '[%s]:%d' % (self.addr, self.port)

        client.get_host_keys().add(host_id, 'ssh-rsa', public_host_key)
        self.assertEquals(1, len(client.get_host_keys()))
        self.assertEquals(public_host_key, client.get_host_keys()[host_id]['ssh-rsa'])

        client.save_host_keys(localname)

        with open(localname) as fd:
            assert host_id in fd.read()

        os.unlink(localname)
Exemplo n.º 7
0
 def _run(self):
     self.socks, addr = self.sockl.accept()
     self.ts = paramiko.Transport(self.socks)
     host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
     self.ts.add_server_key(host_key)
     server = NullServer()
     self.ts.start_server(self.event, server)
Exemplo n.º 8
0
 def test_3_multiple_key_files(self):
     """
     verify that SSHClient accepts and tries multiple key files.
     """
     # This is dumb :(
     types_ = {
         'rsa': 'ssh-rsa',
         'dss': 'ssh-dss',
         'ecdsa': 'ecdsa-sha2-nistp256',
     }
     # Various combos of attempted & valid keys
     # TODO: try every possible combo using itertools functions
     for attempt, accept in (
         (['rsa', 'dss'], ['dss']), # Original test #3
         (['dss', 'rsa'], ['dss']), # Ordering matters sometimes, sadly
         (['dss', 'rsa', 'ecdsa'], ['dss']), # Try ECDSA but fail
         (['rsa', 'ecdsa'], ['ecdsa']), # ECDSA success
     ):
         try:
             self._test_connection(
                 key_filename=[
                     test_path('test_{0}.key'.format(x)) for x in attempt
                 ],
                 allowed_keys=[types_[x] for x in accept],
             )
         finally:
             # Clean up to avoid occasional gc-related deadlocks.
             # TODO: use nose test generators after nose port
             self.tearDown()
             self.setUp()
Exemplo n.º 9
0
 def test_L_handshake_timeout(self):
     """
     verify that we can get a hanshake timeout.
     """
     # Tweak client Transport instance's Packetizer instance so
     # its read_message() sleeps a bit. This helps prevent race conditions
     # where the client Transport's timeout timer thread doesn't even have
     # time to get scheduled before the main client thread finishes
     # handshaking with the server.
     # (Doing this on the server's transport *sounds* more 'correct' but
     # actually doesn't work nearly as well for whatever reason.)
     class SlowPacketizer(Packetizer):
         def read_message(self):
             time.sleep(1)
             return super(SlowPacketizer, self).read_message()
     # NOTE: prettttty sure since the replaced .packetizer Packetizer is now
     # no longer doing anything with its copy of the socket...everything'll
     # be fine. Even tho it's a bit squicky.
     self.tc.packetizer = SlowPacketizer(self.tc.sock)
     # Continue with regular test red tape.
     host_key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
     public_host_key = RSAKey(data=host_key.asbytes())
     self.ts.add_server_key(host_key)
     event = threading.Event()
     server = NullServer()
     self.assertTrue(not event.is_set())
     self.tc.handshake_timeout = 0.000000000001
     self.ts.start_server(event, server)
     self.assertRaises(EOFError, self.tc.connect,
                       hostkey=public_host_key,
                       username='******',
                       password='******')
Exemplo n.º 10
0
 def test_3_simple(self):
     """
     verify that we can establish an ssh link with ourselves across the
     loopback sockets.  this is hardly "simple" but it's simpler than the
     later tests. :)
     """
     host_key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
     public_host_key = RSAKey(data=host_key.asbytes())
     self.ts.add_server_key(host_key)
     event = threading.Event()
     server = NullServer()
     self.assertTrue(not event.is_set())
     self.assertEqual(None, self.tc.get_username())
     self.assertEqual(None, self.ts.get_username())
     self.assertEqual(False, self.tc.is_authenticated())
     self.assertEqual(False, self.ts.is_authenticated())
     self.ts.start_server(event, server)
     self.tc.connect(hostkey=public_host_key,
                     username='******', password='******')
     event.wait(1.0)
     self.assertTrue(event.is_set())
     self.assertTrue(self.ts.is_active())
     self.assertEqual('slowdive', self.tc.get_username())
     self.assertEqual('slowdive', self.ts.get_username())
     self.assertEqual(True, self.tc.is_authenticated())
     self.assertEqual(True, self.ts.is_authenticated())
Exemplo n.º 11
0
    def test_3_multiple_key_files(self):
        """
        verify that SSHClient accepts and tries multiple key files.
        """
        threading.Thread(target=self._run).start()
        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        self.tc = paramiko.SSHClient()
        self.tc.get_host_keys().add('[%s]:%d' % (self.addr, self.port), 'ssh-rsa', public_host_key)
        self.tc.connect(self.addr, self.port, username='******', key_filename=[test_path('test_rsa.key'), test_path('test_dss.key')])

        self.event.wait(1.0)
        self.assertTrue(self.event.isSet())
        self.assertTrue(self.ts.is_active())
        self.assertEqual('slowdive', self.ts.get_username())
        self.assertEqual(True, self.ts.is_authenticated())
Exemplo n.º 12
0
 def test_ed25519_nonbytes_password(self):
     # https://github.com/paramiko/paramiko/issues/1039
     key = Ed25519Key.from_private_key_file(
         test_path('test_ed25519_password.key'),
         # NOTE: not a bytes. Amusingly, the test above for same key DOES
         # explicitly cast to bytes...code smell!
         'abc123',
     )
Exemplo n.º 13
0
 def test_3_load_rsa_password(self):
     key = RSAKey.from_private_key_file(test_path('test_rsa_password.key'), 'television')
     self.assertEqual('ssh-rsa', key.get_name())
     exp_rsa = b(FINGER_RSA.split()[1].replace(':', ''))
     my_rsa = hexlify(key.get_fingerprint())
     self.assertEqual(exp_rsa, my_rsa)
     self.assertEqual(PUB_RSA.split()[1], key.get_base64())
     self.assertEqual(1024, key.get_bits())
Exemplo n.º 14
0
 def test_6_compare_rsa(self):
     # verify that the private & public keys compare equal
     key = RSAKey.from_private_key_file(test_path("test_rsa.key"))
     self.assertEqual(key, key)
     pub = RSAKey(data=key.asbytes())
     self.assertTrue(key.can_sign())
     self.assertTrue(not pub.can_sign())
     self.assertEqual(key, pub)
Exemplo n.º 15
0
 def test_11_load_ecdsa_password(self):
     key = ECDSAKey.from_private_key_file(test_path("test_ecdsa_password.key"), b"television")
     self.assertEqual("ecdsa-sha2-nistp256", key.get_name())
     exp_ecdsa = b(FINGER_ECDSA.split()[1].replace(":", ""))
     my_ecdsa = hexlify(key.get_fingerprint())
     self.assertEqual(exp_ecdsa, my_ecdsa)
     self.assertEqual(PUB_ECDSA.split()[1], key.get_base64())
     self.assertEqual(256, key.get_bits())
Exemplo n.º 16
0
 def test_5_load_dss_password(self):
     key = DSSKey.from_private_key_file(test_path('test_dss_password.key'), 'television')
     self.assertEqual('ssh-dss', key.get_name())
     exp_dss = b(FINGER_DSS.split()[1].replace(':', ''))
     my_dss = hexlify(key.get_fingerprint())
     self.assertEqual(exp_dss, my_dss)
     self.assertEqual(PUB_DSS.split()[1], key.get_base64())
     self.assertEqual(1024, key.get_bits())
Exemplo n.º 17
0
 def test_19_load_ecdsa_password_521(self):
     key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_password_521.key'), b'television')
     self.assertEqual('ecdsa-sha2-nistp521', key.get_name())
     exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(':', ''))
     my_ecdsa = hexlify(key.get_fingerprint())
     self.assertEqual(exp_ecdsa, my_ecdsa)
     self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
     self.assertEqual(521, key.get_bits())
Exemplo n.º 18
0
 def test_7_compare_dss(self):
     # verify that the private & public keys compare equal
     key = DSSKey.from_private_key_file(test_path('test_dss.key'))
     self.assertEqual(key, key)
     pub = DSSKey(data=key.asbytes())
     self.assertTrue(key.can_sign())
     self.assertTrue(not pub.can_sign())
     self.assertEqual(key, pub)
Exemplo n.º 19
0
 def test_20_compare_ecdsa_521(self):
     # verify that the private & public keys compare equal
     key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key'))
     self.assertEqual(key, key)
     pub = ECDSAKey(data=key.asbytes())
     self.assertTrue(key.can_sign())
     self.assertTrue(not pub.can_sign())
     self.assertEqual(key, pub)
Exemplo n.º 20
0
 def start_server(self):
     host_key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
     self.public_host_key = RSAKey(data=host_key.asbytes())
     self.ts.add_server_key(host_key)
     self.event = threading.Event()
     self.server = NullServer()
     self.assertTrue(not self.event.is_set())
     self.ts.start_server(self.event, self.server)
Exemplo n.º 21
0
 def _run(self, allowed_keys=None):
     if allowed_keys is None:
         allowed_keys = FINGERPRINTS.keys()
     self.socks, addr = self.sockl.accept()
     self.ts = paramiko.Transport(self.socks)
     host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
     self.ts.add_server_key(host_key)
     server = NullServer(allowed_keys=allowed_keys)
     self.ts.start_server(self.event, server)
Exemplo n.º 22
0
 def test_multiple_key_files_failure(self):
     """
     Expect failure when multiple keys in play and none are accepted
     """
     # Until #387 is fixed we have to catch a high-up exception since
     # various platforms trigger different errors here >_<
     self.assertRaises(SSHException,
         self._test_connection,
         key_filename=[test_path('test_rsa.key')],
         allowed_keys=['ecdsa-sha2-nistp256'],
     )
 def test_11_auth_trickledown_gssauth(self):
     """
     Failed gssapi-with-mic auth doesn't prevent subsequent key auth from succeeding
     """
     if not paramiko.GSS_AUTH_AVAILABLE:
         return  # for python 2.6 lacks skipTest
     kwargs = dict(
         gss_auth=True,
         key_filename=[test_path('test_rsa.key')],
     )
     self._test_connection(**kwargs)
Exemplo n.º 24
0
 def test_3_multipart_auth(self):
     """
     verify that multipart auth works.
     """
     self.start_server()
     self.tc.connect(hostkey=self.public_host_key)
     remain = self.tc.auth_password(username='******', password='******')
     self.assertEqual(['publickey'], remain)
     key = DSSKey.from_private_key_file(test_path('test_dss.key'))
     remain = self.tc.auth_publickey(username='******', key=key)
     self.assertEqual([], remain)
     self.verify_finished()
Exemplo n.º 25
0
 def test_8_sign_rsa(self):
     # verify that the rsa private key can sign and verify
     key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
     msg = key.sign_ssh_data(b'ice weasels')
     self.assertTrue(type(msg) is Message)
     msg.rewind()
     self.assertEqual('ssh-rsa', msg.get_text())
     sig = bytes().join([byte_chr(int(x, 16)) for x in SIGNED_RSA.split(':')])
     self.assertEqual(sig, msg.get_binary())
     msg.rewind()
     pub = RSAKey(data=key.asbytes())
     self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
Exemplo n.º 26
0
 def test_keyfile_is_actually_encrypted(self):
     # Read an existing encrypted private key
     file_ = test_path('test_rsa_password.key')
     password = '******'
     newfile = file_ + '.new'
     newpassword = '******'
     key = RSAKey(filename=file_, password=password)
     # Write out a newly re-encrypted copy with a new password.
     # When the bug under test exists, this will ValueError.
     try:
         key.write_private_key_file(newfile, password=newpassword)
         self.assert_keyfile_is_encrypted(newfile)
     finally:
         os.remove(newfile)
Exemplo n.º 27
0
 def test_9_sign_dss(self):
     # verify that the dss private key can sign and verify
     key = DSSKey.from_private_key_file(test_path('test_dss.key'))
     msg = key.sign_ssh_data(b'ice weasels')
     self.assertTrue(type(msg) is Message)
     msg.rewind()
     self.assertEqual('ssh-dss', msg.get_text())
     # can't do the same test as we do for RSA, because DSS signatures
     # are usually different each time.  but we can test verification
     # anyway so it's ok.
     self.assertEqual(40, len(msg.get_binary()))
     msg.rewind()
     pub = DSSKey(data=key.asbytes())
     self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
Exemplo n.º 28
0
    def test_14_load_ecdsa_384(self):
        key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_384.key'))
        self.assertEqual('ecdsa-sha2-nistp384', key.get_name())
        exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', ''))
        my_ecdsa = hexlify(key.get_fingerprint())
        self.assertEqual(exp_ecdsa, my_ecdsa)
        self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64())
        self.assertEqual(384, key.get_bits())

        s = StringIO()
        key.write_private_key(s)
        self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue())
        s.seek(0)
        key2 = ECDSAKey.from_private_key(s)
        self.assertEqual(key, key2)
Exemplo n.º 29
0
    def test_14_load_ecdsa_384(self):
        key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_384.key'))
        self.assertEqual('ecdsa-sha2-nistp384', key.get_name())
        exp_ecdsa = b(FINGER_ECDSA_384.split()[1].replace(':', ''))
        my_ecdsa = hexlify(key.get_fingerprint())
        self.assertEqual(exp_ecdsa, my_ecdsa)
        self.assertEqual(PUB_ECDSA_384.split()[1], key.get_base64())
        self.assertEqual(384, key.get_bits())

        s = StringIO()
        key.write_private_key(s)
        self.assertEqual(ECDSA_PRIVATE_OUT_384, s.getvalue())
        s.seek(0)
        key2 = ECDSAKey.from_private_key(s)
        self.assertEqual(key, key2)
Exemplo n.º 30
0
    def _client_host_key_good(self, ktype, kfile):
        threading.Thread(target=self._run).start()
        hostname = '[%s]:%d' % (self.addr, self.port)

        self.tc = paramiko.SSHClient()
        self.tc.set_missing_host_key_policy(paramiko.RejectPolicy())
        host_key = ktype.from_private_key_file(test_path(kfile))
        known_hosts = self.tc.get_host_keys()
        known_hosts.add(hostname, host_key.get_name(), host_key)

        self.tc.connect(password='******', **self.connect_kwargs)
        self.event.wait(1.0)
        self.assertTrue(self.event.is_set())
        self.assertTrue(self.ts.is_active())
        self.assertEqual(True, self.ts.is_authenticated())
Exemplo n.º 31
0
    def test_4_load_dss(self):
        key = DSSKey.from_private_key_file(test_path('test_dss.key'))
        self.assertEqual('ssh-dss', key.get_name())
        exp_dss = b(FINGER_DSS.split()[1].replace(':', ''))
        my_dss = hexlify(key.get_fingerprint())
        self.assertEqual(exp_dss, my_dss)
        self.assertEqual(PUB_DSS.split()[1], key.get_base64())
        self.assertEqual(1024, key.get_bits())

        s = StringIO()
        key.write_private_key(s)
        self.assertEqual(DSS_PRIVATE_OUT, s.getvalue())
        s.seek(0)
        key2 = DSSKey.from_private_key(s)
        self.assertEqual(key, key2)
Exemplo n.º 32
0
    def test_2_load_rsa(self):
        key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
        self.assertEqual('ssh-rsa', key.get_name())
        exp_rsa = b(FINGER_RSA.split()[1].replace(':', ''))
        my_rsa = hexlify(key.get_fingerprint())
        self.assertEqual(exp_rsa, my_rsa)
        self.assertEqual(PUB_RSA.split()[1], key.get_base64())
        self.assertEqual(1024, key.get_bits())

        s = StringIO()
        key.write_private_key(s)
        self.assertEqual(RSA_PRIVATE_OUT, s.getvalue())
        s.seek(0)
        key2 = RSAKey.from_private_key(s)
        self.assertEqual(key, key2)
Exemplo n.º 33
0
 def test_certs_implicitly_loaded_alongside_key_filename_keys(self):
     # NOTE: a regular test_connection() w/ test_rsa.key would incidentally
     # test this (because test_xxx.key-cert.pub exists) but incidental tests
     # stink, so NullServer and friends were updated to allow assertions
     # about the server-side key object's public blob. Thus, we can prove
     # that a specific cert was found, along with regular authorization
     # succeeding proving that the overall flow works.
     for type_ in ('rsa', 'dss', 'ecdsa_256', 'ed25519'):
         key_path = test_path('test_{}.key'.format(type_))
         self._test_connection(
             key_filename=key_path,
             public_blob=PublicBlob.from_file(
                 '{0}-cert.pub'.format(key_path)
             ),
         )
Exemplo n.º 34
0
    def test_21_sign_ecdsa_521(self):
        # verify that the rsa private key can sign and verify
        key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key'))
        msg = key.sign_ssh_data(b'ice weasels')
        self.assertTrue(type(msg) is Message)
        msg.rewind()
        self.assertEqual('ecdsa-sha2-nistp521', msg.get_text())
        # ECDSA signatures, like DSS signatures, tend to be different
        # each time, so we can't compare against a "known correct"
        # signature.
        # Even the length of the signature can change.

        msg.rewind()
        pub = ECDSAKey(data=key.asbytes())
        self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
Exemplo n.º 35
0
    def test_4_load_dss(self):
        key = DSSKey.from_private_key_file(test_path('test_dss.key'))
        self.assertEqual('ssh-dss', key.get_name())
        exp_dss = b(FINGER_DSS.split()[1].replace(':', ''))
        my_dss = hexlify(key.get_fingerprint())
        self.assertEqual(exp_dss, my_dss)
        self.assertEqual(PUB_DSS.split()[1], key.get_base64())
        self.assertEqual(1024, key.get_bits())

        s = StringIO()
        key.write_private_key(s)
        self.assertEqual(DSS_PRIVATE_OUT, s.getvalue())
        s.seek(0)
        key2 = DSSKey.from_private_key(s)
        self.assertEqual(key, key2)
Exemplo n.º 36
0
    def test_17_sign_ecdsa_384(self):
        # verify that the rsa private key can sign and verify
        key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_384.key'))
        msg = key.sign_ssh_data(b'ice weasels')
        self.assertTrue(type(msg) is Message)
        msg.rewind()
        self.assertEqual('ecdsa-sha2-nistp384', msg.get_text())
        # ECDSA signatures, like DSS signatures, tend to be different
        # each time, so we can't compare against a "known correct"
        # signature.
        # Even the length of the signature can change.

        msg.rewind()
        pub = ECDSAKey(data=key.asbytes())
        self.assertTrue(pub.verify_ssh_sig(b'ice weasels', msg))
Exemplo n.º 37
0
    def test_7_banner_timeout(self):
        """
        verify that the SSHClient has a configurable banner timeout.
        """
        # Start the thread with a 1 second wait.
        threading.Thread(target=self._run, kwargs={'delay': 1}).start()
        host_key = paramiko.RSAKey.from_private_key_file(
            test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        self.tc = paramiko.SSHClient()
        self.tc.get_host_keys().add('[%s]:%d' % (self.addr, self.port),
                                    'ssh-rsa', public_host_key)
        # Connect with a half second banner timeout.
        kwargs = dict(self.connect_kwargs, banner_timeout=0.5)
        self.assertRaises(paramiko.SSHException, self.tc.connect, **kwargs)
Exemplo n.º 38
0
 def test_salt_size(self):
     # Read an existing encrypted private key
     file_ = test_path('test_rsa_password.key')
     password = '******'
     newfile = file_ + '.new'
     newpassword = '******'
     key = RSAKey(filename=file_, password=password)
     # Write out a newly re-encrypted copy with a new password.
     # When the bug under test exists, this will ValueError.
     try:
         key.write_private_key_file(newfile, password=newpassword)
         # Verify the inner key data still matches (when no ValueError)
         key2 = RSAKey(filename=newfile, password=newpassword)
         self.assertEqual(key, key2)
     finally:
         os.remove(newfile)
Exemplo n.º 39
0
 def test_L_handshake_timeout(self):
     """
     verify that we can get a hanshake timeout.
     """
     host_key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
     public_host_key = RSAKey(data=host_key.asbytes())
     self.ts.add_server_key(host_key)
     event = threading.Event()
     server = NullServer()
     self.assertTrue(not event.is_set())
     self.tc.handshake_timeout = 0.000000000001
     self.ts.start_server(event, server)
     self.assertRaises(EOFError, self.tc.connect,
                       hostkey=public_host_key,
                       username='******',
                       password='******')
Exemplo n.º 40
0
    def _test_connection(self, **kwargs):
        """
        (Most) kwargs get passed directly into SSHClient.connect().

        The exception is ``allowed_keys`` which is stripped and handed to the
        ``NullServer`` used for testing.
        """
        run_kwargs = {}
        for key in ('allowed_keys', 'public_blob'):
            run_kwargs[key] = kwargs.pop(key, None)
        # Server setup
        threading.Thread(target=self._run, kwargs=run_kwargs).start()
        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        # Client setup
        self.tc = paramiko.SSHClient()
        self.tc.get_host_keys().add('[%s]:%d' % (self.addr, self.port), 'ssh-rsa', public_host_key)

        # Actual connection
        self.tc.connect(**dict(self.connect_kwargs, **kwargs))

        # Authentication successful?
        self.event.wait(1.0)
        self.assertTrue(self.event.is_set())
        self.assertTrue(self.ts.is_active())
        self.assertEqual('slowdive', self.ts.get_username())
        self.assertEqual(True, self.ts.is_authenticated())
        self.assertEqual(False, self.tc.get_transport().gss_kex_used)

        # Command execution functions?
        stdin, stdout, stderr = self.tc.exec_command('yes')
        schan = self.ts.accept(1.0)

        schan.send('Hello there.\n')
        schan.send_stderr('This is on stderr.\n')
        schan.close()

        self.assertEqual('Hello there.\n', stdout.readline())
        self.assertEqual('', stdout.readline())
        self.assertEqual('This is on stderr.\n', stderr.readline())
        self.assertEqual('', stderr.readline())

        # Cleanup
        stdin.close()
        stdout.close()
        stderr.close()
Exemplo n.º 41
0
 def test_3a_long_banner(self):
     """
     verify that a long banner doesn't mess up the handshake.
     """
     host_key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
     public_host_key = RSAKey(data=host_key.asbytes())
     self.ts.add_server_key(host_key)
     event = threading.Event()
     server = NullServer()
     self.assertTrue(not event.is_set())
     self.socks.send(LONG_BANNER)
     self.ts.start_server(event, server)
     self.tc.connect(hostkey=public_host_key,
                     username='******', password='******')
     event.wait(1.0)
     self.assertTrue(event.is_set())
     self.assertTrue(self.ts.is_active())
Exemplo n.º 42
0
    def test_18_load_ecdsa_521(self):
        key = ECDSAKey.from_private_key_file(test_path('test_ecdsa_521.key'))
        self.assertEqual('ecdsa-sha2-nistp521', key.get_name())
        exp_ecdsa = b(FINGER_ECDSA_521.split()[1].replace(':', ''))
        my_ecdsa = hexlify(key.get_fingerprint())
        self.assertEqual(exp_ecdsa, my_ecdsa)
        self.assertEqual(PUB_ECDSA_521.split()[1], key.get_base64())
        self.assertEqual(521, key.get_bits())

        s = StringIO()
        key.write_private_key(s)
        # Different versions of OpenSSL (SSLeay versions 0x1000100f and
        # 0x1000207f for instance) use different apparently valid (as far as
        # ssh-keygen is concerned) padding. So we can't check the actual value
        # of the pem encoded key.
        s.seek(0)
        key2 = ECDSAKey.from_private_key(s)
        self.assertEqual(key, key2)
Exemplo n.º 43
0
    def test_9_auth_timeout(self):
        """
        verify that the SSHClient has a configurable auth timeout
        """
        threading.Thread(target=self._run).start()
        host_key = paramiko.RSAKey.from_private_key_file(
            test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        self.tc = paramiko.SSHClient()
        self.tc.get_host_keys().add('[%s]:%d' % (self.addr, self.port),
                                    'ssh-rsa', public_host_key)
        # Connect with a half second auth timeout
        kwargs = dict(self.connect_kwargs,
                      password='******',
                      auth_timeout=0.5)
        self.assertRaises(paramiko.AuthenticationException, self.tc.connect,
                          **kwargs)
Exemplo n.º 44
0
    def test_6_cleanup(self):
        """
        verify that when an SSHClient is collected, its transport (and the
        transport's packetizer) is closed.
        """
        # Unclear why this is borked on Py3, but it is, and does not seem worth
        # pursuing at the moment.
        # XXX: It's the release of the references to e.g packetizer that fails
        # in py3...
        if not PY2:
            return
        threading.Thread(target=self._run).start()
        host_key = paramiko.RSAKey.from_private_key_file(
            test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        self.tc = paramiko.SSHClient()
        self.tc.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        self.assertEqual(0, len(self.tc.get_host_keys()))
        self.tc.connect(self.addr,
                        self.port,
                        username='******',
                        password='******')

        self.event.wait(1.0)
        self.assertTrue(self.event.isSet())
        self.assertTrue(self.ts.is_active())

        p = weakref.ref(self.tc._transport.packetizer)
        self.assertTrue(p() is not None)
        self.tc.close()
        del self.tc

        # hrm, sometimes p isn't cleared right away.  why is that?
        #st = time.time()
        #while (time.time() - st < 5.0) and (p() is not None):
        #    time.sleep(0.1)

        # instead of dumbly waiting for the GC to collect, force a collection
        # to see whether the SSHClient object is deallocated correctly
        import gc
        gc.collect()

        self.assertTrue(p() is None)
Exemplo n.º 45
0
    def setup_test_server(self, client_options=None, server_options=None):
        host_key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = RSAKey(data=host_key.asbytes())
        self.ts.add_server_key(host_key)

        if client_options is not None:
            client_options(self.tc.get_security_options())
        if server_options is not None:
            server_options(self.ts.get_security_options())

        event = threading.Event()
        self.server = NullServer()
        self.assertTrue(not event.is_set())
        self.ts.start_server(event, self.server)
        self.tc.connect(hostkey=public_host_key,
                        username='******', password='******')
        event.wait(1.0)
        self.assertTrue(event.is_set())
        self.assertTrue(self.ts.is_active())
Exemplo n.º 46
0
    def init_loopback():
        global sftp, tc

        socks = LoopSocket()
        sockc = LoopSocket()
        sockc.link(socks)
        tc = paramiko.Transport(sockc)
        ts = paramiko.Transport(socks)

        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
        ts.add_server_key(host_key)
        event = threading.Event()
        server = StubServer()
        ts.set_subsystem_handler('sftp', paramiko.SFTPServer, StubSFTPServer)
        ts.start_server(event, server)
        tc.connect(username='******', password='******')
        event.wait(1.0)

        sftp = paramiko.SFTP.from_transport(tc)
Exemplo n.º 47
0
 def test_8_auth_trickledown(self):
     """
     Failed key auth doesn't prevent subsequent pw auth from succeeding
     """
     # NOTE: re #387, re #394
     # If pkey module used within Client._auth isn't correctly handling auth
     # errors (e.g. if it allows things like ValueError to bubble up as per
     # midway thru #394) client.connect() will fail (at key load step)
     # instead of succeeding (at password step)
     kwargs = dict(
         # Password-protected key whose passphrase is not 'pygmalion' (it's
         # 'television' as per tests/test_pkey.py). NOTE: must use
         # key_filename, loading the actual key here with PKey will except
         # immediately; we're testing the try/except crap within Client.
         key_filename=[test_path('test_rsa_password.key')],
         # Actual password for default 'slowdive' user
         password='******',
     )
     self._test_connection(**kwargs)
Exemplo n.º 48
0
    def test_4_auto_add_policy(self):
        """
        verify that SSHClient's AutoAddPolicy works.
        """
        threading.Thread(target=self._run).start()
        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        self.tc = paramiko.SSHClient()
        self.tc.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        self.assertEqual(0, len(self.tc.get_host_keys()))
        self.tc.connect(password='******', **self.connect_kwargs)

        self.event.wait(1.0)
        self.assertTrue(self.event.is_set())
        self.assertTrue(self.ts.is_active())
        self.assertEqual('slowdive', self.ts.get_username())
        self.assertEqual(True, self.ts.is_authenticated())
        self.assertEqual(1, len(self.tc.get_host_keys()))
        self.assertEqual(public_host_key, self.tc.get_host_keys()['[%s]:%d' % (self.addr, self.port)]['ssh-rsa'])
Exemplo n.º 49
0
    def test_client_can_be_used_as_context_manager(self):
        """
        verify that an SSHClient can be used a context manager
        """
        threading.Thread(target=self._run).start()
        host_key = paramiko.RSAKey.from_private_key_file(test_path('test_rsa.key'))
        public_host_key = paramiko.RSAKey(data=host_key.asbytes())

        with paramiko.SSHClient() as tc:
            self.tc = tc
            self.tc.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            self.assertEquals(0, len(self.tc.get_host_keys()))
            self.tc.connect(**dict(self.connect_kwargs, password='******'))

            self.event.wait(1.0)
            self.assertTrue(self.event.is_set())
            self.assertTrue(self.ts.is_active())

            self.assertTrue(self.tc._transport is not None)

        self.assertTrue(self.tc._transport is None)
Exemplo n.º 50
0
    def test_4_auto_add_policy(self):
        """
        verify that SSHClient's AutoAddPolicy works.
        """
        threading.Thread(target=self._run).start()
        hostname = '[%s]:%d' % (self.addr, self.port)
        key_file = test_path('test_ecdsa_256.key')
        public_host_key = paramiko.ECDSAKey.from_private_key_file(key_file)

        self.tc = paramiko.SSHClient()
        self.tc.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        self.assertEqual(0, len(self.tc.get_host_keys()))
        self.tc.connect(password='******', **self.connect_kwargs)

        self.event.wait(1.0)
        self.assertTrue(self.event.is_set())
        self.assertTrue(self.ts.is_active())
        self.assertEqual('slowdive', self.ts.get_username())
        self.assertEqual(True, self.ts.is_authenticated())
        self.assertEqual(1, len(self.tc.get_host_keys()))
        new_host_key = list(self.tc.get_host_keys()[hostname].values())[0]
        self.assertEqual(public_host_key, new_host_key)
Exemplo n.º 51
0
 def test_3_multiple_key_files(self):
     """
     verify that SSHClient accepts and tries multiple key files.
     """
     # This is dumb :(
     types_ = {
         'rsa': 'ssh-rsa',
         'dss': 'ssh-dss',
         'ecdsa': 'ecdsa-sha2-nistp256',
     }
     # Various combos of attempted & valid keys
     # TODO: try every possible combo using itertools functions
     for attempt, accept in (
         (['rsa', 'dss'], ['dss']),  # Original test #3
         (['dss', 'rsa'], ['dss']),  # Ordering matters sometimes, sadly
         (['dss', 'rsa', 'ecdsa'], ['dss']),  # Try ECDSA but fail
         (['rsa', 'ecdsa'], ['ecdsa']),  # ECDSA success
     ):
         self._test_connection(
             key_filename=[
                 test_path('test_{0}.key'.format(x)) for x in attempt
             ],
             allowed_keys=[types_[x] for x in accept],
         )
Exemplo n.º 52
0
 def test_client_ed25519(self):
     self._test_connection(key_filename=test_path('test_ed25519.key'))
Exemplo n.º 53
0
 def test_2_5_client_ecdsa(self):
     """
     verify that SSHClient works with an ECDSA key.
     """
     self._test_connection(key_filename=test_path('test_ecdsa.key'))
Exemplo n.º 54
0
 def test_ed25519_load_from_file_obj(self):
     with open(test_path('test_ed25519.key')) as pkey_fileobj:
         key = Ed25519Key.from_private_key(pkey_fileobj)
     self.assertEqual(key, key)
     self.assertTrue(key.can_sign())
Exemplo n.º 55
0
class NullServer(ServerInterface):
    paranoid_did_password = False
    paranoid_did_public_key = False
    paranoid_key = DSSKey.from_private_key_file(test_path('test_dss.key'))

    def get_allowed_auths(self, username):
        if username == 'slowdive':
            return 'publickey,password'
        if username == 'paranoid':
            if not self.paranoid_did_password and not self.paranoid_did_public_key:
                return 'publickey,password'
            elif self.paranoid_did_password:
                return 'publickey'
            else:
                return 'password'
        if username == 'commie':
            return 'keyboard-interactive'
        if username == 'utf8':
            return 'password'
        if username == 'non-utf8':
            return 'password'
        return 'publickey'

    def check_auth_password(self, username, password):
        if (username == 'slowdive') and (password == 'pygmalion'):
            return AUTH_SUCCESSFUL
        if (username == 'paranoid') and (password == 'paranoid'):
            # 2-part auth (even openssh doesn't support this)
            self.paranoid_did_password = True
            if self.paranoid_did_public_key:
                return AUTH_SUCCESSFUL
            return AUTH_PARTIALLY_SUCCESSFUL
        if (username == 'utf8') and (password == _pwd):
            return AUTH_SUCCESSFUL
        if (username == 'non-utf8') and (password == '\xff'):
            return AUTH_SUCCESSFUL
        if username == 'bad-server':
            raise Exception("Ack!")
        return AUTH_FAILED

    def check_auth_publickey(self, username, key):
        if (username == 'paranoid') and (key == self.paranoid_key):
            # 2-part auth
            self.paranoid_did_public_key = True
            if self.paranoid_did_password:
                return AUTH_SUCCESSFUL
            return AUTH_PARTIALLY_SUCCESSFUL
        return AUTH_FAILED

    def check_auth_interactive(self, username, submethods):
        if username == 'commie':
            self.username = username
            return InteractiveQuery('password', 'Please enter a password.',
                                    ('Password', False))
        return AUTH_FAILED

    def check_auth_interactive_response(self, responses):
        if self.username == 'commie':
            if (len(responses) == 1) and (responses[0] == 'cat'):
                return AUTH_SUCCESSFUL
        return AUTH_FAILED
Exemplo n.º 56
0
    def test_ed25519(self):
        key1 = Ed25519Key.from_private_key_file(test_path('test_ed25519.key'))
        key2 = Ed25519Key.from_private_key_file(
            test_path('test_ed25519_password.key'), b'abc123')

        self.assertNotEqual(key1.asbytes(), key2.asbytes())
Exemplo n.º 57
0
 def test_stringification(self):
     key = RSAKey.from_private_key_file(test_path('test_rsa.key'))
     comparable = TEST_KEY_BYTESTR_2 if PY2 else TEST_KEY_BYTESTR_3
     self.assertEqual(str(key), comparable)