def paramiko_run_remote_xpra(transport,
xpra_proxy_command=None,
remote_xpra=None,
socket_dir=None,
display_as_args=None):
from paramiko import SSHException
assert len(remote_xpra) > 0
log("will try to run xpra from: %s", remote_xpra)
for xpra_cmd in remote_xpra:
try:
chan = transport.open_session(window_size=None,
max_packet_size=0,
timeout=60)
chan.set_name("find %s" % xpra_cmd)
except SSHException as e:
log("open_session", exc_info=True)
raise InitException("failed to open SSH session: %s" % e)
cmd = "which %s" % xpra_cmd
log("exec_command('%s')", cmd)
chan.exec_command(cmd)
#poll until the command terminates:
start = monotonic_time()
while not chan.exit_status_ready():
if monotonic_time() - start > 10:
chan.close()
raise InitException("SSH test command '%s' timed out" % cmd)
log("exit status is not ready yet, sleeping")
time.sleep(0.01)
r = chan.recv_exit_status()
log("exec_command('%s')=%s", cmd, r)
chan.close()
if r != 0:
continue
cmd = xpra_cmd + " " + " ".join(
shellquote(x) for x in xpra_proxy_command)
if socket_dir:
cmd += " \"--socket-dir=%s\"" % socket_dir
if display_as_args:
cmd += " "
cmd += " ".join(shellquote(x) for x in display_as_args)
log("cmd(%s, %s)=%s", xpra_proxy_command, display_as_args, cmd)
#see https://github.com/paramiko/paramiko/issues/175
#WINDOW_SIZE = 2097152
log("trying to open SSH session, window-size=%i, timeout=%i",
WINDOW_SIZE, TIMEOUT)
try:
chan = transport.open_session(window_size=WINDOW_SIZE,
max_packet_size=0,
timeout=TIMEOUT)
chan.set_name("run-xpra")
except SSHException as e:
log("open_session", exc_info=True)
raise InitException("failed to open SSH session: %s" % e)
else:
log("channel exec_command(%s)" % cmd)
chan.exec_command(cmd)
return chan
raise Exception("all SSH remote proxy commands have failed")
def paramiko_run_test_command(transport, cmd):
from paramiko import SSHException
log("paramiko_run_test_command(transport, %r)", cmd)
try:
chan = transport.open_session(window_size=None, max_packet_size=0, timeout=60)
chan.set_name("find %s" % cmd)
except SSHException as e:
log("open_session", exc_info=True)
raise InitExit(EXIT_SSH_FAILURE, "failed to open SSH session: %s" % e) from None
chan.exec_command(cmd)
log("exec_command returned")
start = monotonic_time()
while not chan.exit_status_ready():
if monotonic_time()-start>TEST_COMMAND_TIMEOUT:
chan.close()
raise InitException("SSH test command '%s' timed out" % cmd)
log("exit status is not ready yet, sleeping")
sleep(0.01)
code = chan.recv_exit_status()
log("exec_command('%s')=%s", cmd, code)
def chan_read(read_fn):
try:
return read_fn()
except socket.error:
log("chan_read(%s)", read_fn, exc_info=True)
return b""
#don't wait too long for the data:
chan.settimeout(EXEC_STDOUT_TIMEOUT)
out = chan_read(chan.makefile().readline)
log("exec_command out=%r", out)
chan.settimeout(EXEC_STDERR_TIMEOUT)
err = chan_read(chan.makefile_stderr().readline)
log("exec_command err=%r", err)
chan.close()
return out, err, code
def websocket_client_connection(host, port, conn, dtype="ws"):
url = "%s://%s/" % (dtype, host)
if port > 0:
host += ":%i" % port
subprotocols = ["binary", "base64"]
sock = conn._socket
try:
ws = websocket.create_connection(url,
SOCKET_TIMEOUT,
subprotocols=subprotocols,
socket=sock)
except (IndexError, ValueError) as e:
log("websocket.create_connection%s",
(url, SOCKET_TIMEOUT, subprotocols, sock),
exc_info=True)
raise InitException(
"websocket connection failed, not a websocket capable server port: %s"
% e)
return WebSocketClientConnection(ws, conn.target, {
"ws": "websocket",
"wss": "secure websocket"
}.get(dtype, dtype))
def ssh_exec_connect_to(display_desc, opts=None, debug_cb=None, ssh_fail_cb=ssh_connect_failed):
if not ssh_fail_cb:
ssh_fail_cb = ssh_connect_failed
sshpass_command = None
try:
cmd = list(display_desc["full_ssh"])
kwargs = {}
env = display_desc.get("env")
kwargs["stderr"] = sys.stderr
if WIN32:
from subprocess import CREATE_NEW_PROCESS_GROUP, CREATE_NEW_CONSOLE, STARTUPINFO, STARTF_USESHOWWINDOW
startupinfo = STARTUPINFO()
startupinfo.dwFlags |= STARTF_USESHOWWINDOW
startupinfo.wShowWindow = 0 #aka win32.con.SW_HIDE
flags = CREATE_NEW_PROCESS_GROUP | CREATE_NEW_CONSOLE
kwargs.update({
"startupinfo" : startupinfo,
"creationflags" : flags,
"stderr" : PIPE,
})
elif not display_desc.get("exit_ssh", False) and not OSX:
kwargs["start_new_session"] = True
remote_xpra = display_desc["remote_xpra"]
assert remote_xpra
socket_dir = display_desc.get("socket_dir")
proxy_command = display_desc["proxy_command"] #ie: "_proxy_start"
display_as_args = display_desc["display_as_args"] #ie: "--start=xterm :10"
remote_cmd = ""
for x in remote_xpra:
if not remote_cmd:
check = "if"
else:
check = "elif"
if x=="xpra":
#no absolute path, so use "which" to check that the command exists:
pc = ['%s which "%s" > /dev/null 2>&1; then' % (check, x)]
else:
pc = ['%s [ -x %s ]; then' % (check, x)]
pc += [x] + proxy_command + [shellquote(x) for x in display_as_args]
if socket_dir:
pc.append("--socket-dir=%s" % socket_dir)
remote_cmd += " ".join(pc)+";"
remote_cmd += "else echo \"no run-xpra command found\"; exit 1; fi"
if INITENV_COMMAND:
remote_cmd = INITENV_COMMAND + ";" + remote_cmd
#how many times we need to escape the remote command string
#depends on how many times the ssh command is parsed
nssh = sum(int(x=="ssh") for x in cmd)
if nssh>=2 and MAGIC_QUOTES:
for _ in range(nssh):
remote_cmd = shlex.quote(remote_cmd)
else:
remote_cmd = "'%s'" % remote_cmd
cmd.append("sh -c %s" % remote_cmd)
if debug_cb:
debug_cb("starting %s tunnel" % str(cmd[0]))
#non-string arguments can make Popen choke,
#instead of lazily converting everything to a string, we validate the command:
for x in cmd:
if not isinstance(x, str):
raise InitException("argument is not a string: %s (%s), found in command: %s" % (x, type(x), cmd))
password = display_desc.get("password")
if password and not display_desc.get("is_putty", False):
from xpra.platform.paths import get_sshpass_command
sshpass_command = get_sshpass_command()
if sshpass_command:
#sshpass -e ssh ...
cmd.insert(0, sshpass_command)
cmd.insert(1, "-e")
if env is None:
env = os.environ.copy()
env["SSHPASS"] = password
#the password will be used by ssh via sshpass,
#don't try to authenticate again over the ssh-proxy connection,
#which would trigger warnings if the server does not require
#authentication over unix-domain-sockets:
opts.password = None
del display_desc["password"]
if env:
kwargs["env"] = env
if is_debug_enabled("ssh"):
log.info("executing ssh command: %s" % (" ".join("\"%s\"" % x for x in cmd)))
child = Popen(cmd, stdin=PIPE, stdout=PIPE, **kwargs)
except OSError as e:
raise InitExit(EXIT_SSH_FAILURE,
"Error running ssh command '%s': %s" % (" ".join("\"%s\"" % x for x in cmd), e))
def abort_test(action):
""" if ssh dies, we don't need to try to read/write from its sockets """
e = child.poll()
if e is not None:
had_connected = conn.input_bytecount>0 or conn.output_bytecount>0
if had_connected:
error_message = "cannot %s using SSH" % action
else:
error_message = "SSH connection failure"
sshpass_error = None
if sshpass_command:
sshpass_error = {
1 : "Invalid command line argument",
2 : "Conflicting arguments given",
3 : "General runtime error",
4 : "Unrecognized response from ssh (parse error)",
5 : "Invalid/incorrect password",
6 : "Host public key is unknown. sshpass exits without confirming the new key.",
}.get(e)
if sshpass_error:
error_message += ": %s" % sshpass_error
if debug_cb:
debug_cb(error_message)
if ssh_fail_cb:
ssh_fail_cb(error_message)
if "ssh_abort" not in display_desc:
display_desc["ssh_abort"] = True
if not had_connected:
log.error("Error: SSH connection to the xpra server failed")
if sshpass_error:
log.error(" %s", sshpass_error)
else:
log.error(" check your username, hostname, display number, firewall, etc")
display_name = display_desc["display_name"]
log.error(" for server: %s", display_name)
else:
log.error("The SSH process has terminated with exit code %s", e)
cmd_info = " ".join(display_desc["full_ssh"])
log.error(" the command line used was:")
log.error(" %s", cmd_info)
raise ConnectionClosedException(error_message) from None
def stop_tunnel():
if POSIX:
#on posix, the tunnel may be shared with other processes
#so don't kill it... which may leave it behind after use.
#but at least make sure we close all the pipes:
for name,fd in {
"stdin" : child.stdin,
"stdout" : child.stdout,
"stderr" : child.stderr,
}.items():
try:
if fd:
fd.close()
except Exception as e:
print("error closing ssh tunnel %s: %s" % (name, e))
if not display_desc.get("exit_ssh", False):
#leave it running
return
try:
if child.poll() is None:
child.terminate()
except Exception as e:
print("error trying to stop ssh tunnel process: %s" % e)
host = display_desc["host"]
port = display_desc.get("ssh-port", 22)
username = display_desc.get("username")
display = display_desc.get("display")
info = {
"host" : host,
"port" : port,
}
from xpra.net.bytestreams import TwoFileConnection
conn = TwoFileConnection(child.stdin, child.stdout,
abort_test, target=(host, port),
socktype="ssh", close_cb=stop_tunnel, info=info)
conn.endpoint = host_target_string("ssh", username, host, port, display)
conn.timeout = 0 #taken care of by abort_test
conn.process = (child, "ssh", cmd)
if kwargs.get("stderr")==PIPE:
def stderr_reader():
errs = []
while child.poll() is None:
try:
v = child.stderr.readline()
except OSError:
log("stderr_reader()", exc_info=True)
break
if not v:
log("SSH EOF on stderr of %s", cmd)
break
s = bytestostr(v.rstrip(b"\n\r"))
if s:
errs.append(s)
if errs:
log.warn("remote SSH stderr:")
for e in errs:
log.warn(" %s", e)
start_thread(stderr_reader, "ssh-stderr-reader", daemon=True)
return conn
# coding=utf8
# This file is part of Xpra.
# Copyright (C) 2011 Serviware (Arthur Huillet, <*****@*****.**>)
# Copyright (C) 2010-2016 Antoine Martin <*****@*****.**>
# Copyright (C) 2008 Nathaniel Smith <*****@*****.**>
# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
# later version. See the file COPYING for details.
import os
import time
try:
from gtk import gdk
except Exception as e:
from xpra.scripts.main import InitException
raise InitException(e)
#ensure that we use gtk as display source:
from xpra.gtk_common.gobject_compat import want_gtk3
want_gtk3(False)
from xpra.x11.gtk2 import gdk_display_source
assert gdk_display_source
from xpra.x11.bindings.randr_bindings import RandRBindings #@UnresolvedImport
RandR = RandRBindings()
from xpra.x11.bindings.keyboard_bindings import X11KeyboardBindings #@UnresolvedImport
X11Keyboard = X11KeyboardBindings()
from xpra.x11.bindings.core_bindings import X11CoreBindings #@UnresolvedImport
X11Core = X11CoreBindings()
from xpra.gtk_common.error import XError, xswallow, xsync, trap
from xpra.gtk_common.gtk_util import get_xwindow
def do_ssh_paramiko_connect_to(transport,
host,
username,
password,
host_config=None):
from paramiko import SSHException, RSAKey, PasswordRequiredException
from paramiko.agent import Agent
from paramiko.hostkeys import HostKeys
log("do_ssh_paramiko_connect_to%s",
(transport, host, username, password, host_config))
log("SSH transport %s", transport)
host_key = transport.get_remote_server_key()
assert host_key, "no remote server key"
log("remote_server_key=%s", keymd5(host_key))
if VERIFY_HOSTKEY:
host_keys = HostKeys()
host_keys_filename = None
KNOWN_HOSTS = get_ssh_known_hosts_files()
for known_hosts in KNOWN_HOSTS:
host_keys.clear()
try:
path = os.path.expanduser(known_hosts)
if os.path.exists(path):
host_keys.load(path)
log("HostKeys.load(%s) successful", path)
host_keys_filename = path
break
except IOError:
log("HostKeys.load(%s)", known_hosts, exc_info=True)
log("host keys=%s", host_keys)
keys = host_keys.lookup(host)
known_host_key = (keys or {}).get(host_key.get_name())
def keyname():
return host_key.get_name().replace("ssh-", "")
if host_key == known_host_key:
assert host_key
log("%s host key '%s' OK for host '%s'", keyname(),
keymd5(host_key), host)
else:
dnscheck = ""
if host_config:
verifyhostkeydns = host_config.get("verifyhostkeydns")
if verifyhostkeydns and verifyhostkeydns.lower(
) in TRUE_OPTIONS:
try:
from xpra.net.sshfp import check_host_key
dnscheck = check_host_key(host, host_key)
except ImportError as e:
log("verifyhostkeydns failed", exc_info=True)
log.warn("Warning: cannot check SSHFP DNS records")
log.warn(" %s", e)
log.info("dnscheck=%s", dnscheck)
def adddnscheckinfo(q):
if dnscheck is not True:
q += ["SSHFP validation failed:", dnscheck]
if dnscheck is True:
#DNSSEC provided a matching record
log.info("found a valid SSHFP record for host %s", host)
elif known_host_key:
log.warn("Warning: SSH server key mismatch")
qinfo = [
"WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!",
"IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!",
"Someone could be eavesdropping on you right now (man-in-the-middle attack)!",
"It is also possible that a host key has just been changed.",
"The fingerprint for the %s key sent by the remote host is"
% keyname(),
keymd5(host_key),
]
adddnscheckinfo(qinfo)
if VERIFY_STRICT:
log.warn("Host key verification failed.")
#TODO: show alert with no option to accept key
qinfo += [
"Please contact your system administrator.",
"Add correct host key in %s to get rid of this message.",
"Offending %s key in %s" %
(keyname(), host_keys_filename),
"ECDSA host key for %s has changed and you have requested strict checking."
% keyname(),
]
sys.stderr.write(os.linesep.join(qinfo))
transport.close()
raise InitExit(EXIT_SSH_KEY_FAILURE,
"SSH Host key has changed")
if not confirm_key(qinfo):
transport.close()
raise InitExit(EXIT_SSH_KEY_FAILURE,
"SSH Host key has changed")
else:
assert (not keys) or (host_key.get_name() not in keys)
if not keys:
log.warn("Warning: unknown SSH host")
else:
log.warn("Warning: unknown %s SSH host key", keyname())
qinfo = [
"The authenticity of host '%s' can't be established." %
(host, ),
"%s key fingerprint is" % keyname(),
keymd5(host_key),
]
adddnscheckinfo(qinfo)
if not confirm_key(qinfo):
transport.close()
raise InitExit(EXIT_SSH_KEY_FAILURE,
"Unknown SSH host '%s'" % host)
if ADD_KEY:
try:
if not host_keys_filename:
#the first one is the default,
#ie: ~/.ssh/known_hosts on posix
host_keys_filename = os.path.expanduser(KNOWN_HOSTS[0])
log("adding %s key for host '%s' to '%s'", keyname(), host,
host_keys_filename)
if not os.path.exists(host_keys_filename):
keys_dir = os.path.dirname(host_keys_filename)
if not os.path.exists(keys_dir):
log("creating keys directory '%s'", keys_dir)
os.mkdir(keys_dir, 0o700)
elif not os.path.isdir(keys_dir):
log.warn("Warning: '%s' is not a directory")
log.warn(" key not saved")
if os.path.exists(keys_dir) and os.path.isdir(
keys_dir):
log("creating known host file '%s'",
host_keys_filename)
with umask_context(0o133):
with open(host_keys_filename, 'a+'):
pass
host_keys.add(host, host_key.get_name(), host_key)
host_keys.save(host_keys_filename)
except OSError as e:
log("failed to add key to '%s'", host_keys_filename)
log.error("Error adding key to '%s'", host_keys_filename)
log.error(" %s", e)
except Exception as e:
log.error("cannot add key", exc_info=True)
def auth_agent():
agent = Agent()
agent_keys = agent.get_keys()
log("agent keys: %s", agent_keys)
if agent_keys:
for agent_key in agent_keys:
log("trying ssh-agent key '%s'", keymd5(agent_key))
try:
transport.auth_publickey(username, agent_key)
if transport.is_authenticated():
log("authenticated using agent and key '%s'",
keymd5(agent_key))
break
except SSHException:
log("agent key '%s' rejected",
keymd5(agent_key),
exc_info=True)
if not transport.is_authenticated():
log.info("agent authentication failed, tried %i key%s",
len(agent_keys), engs(agent_keys))
def auth_publickey():
log("trying public key authentication")
for keyfile in ("id_rsa", "id_dsa"):
keyfile_path = osexpand(os.path.join("~/", ".ssh", keyfile))
if not os.path.exists(keyfile_path):
log("no keyfile at '%s'", keyfile_path)
continue
key = None
try:
key = RSAKey.from_private_key_file(keyfile_path)
except PasswordRequiredException:
log("%s keyfile requires a passphrase", keyfile_path)
passphrase = input_pass("please enter the passphrase for %s:" %
(keyfile_path, ))
if passphrase:
try:
key = RSAKey.from_private_key_file(
keyfile_path, passphrase)
except SSHException as e:
log("from_private_key_file", exc_info=True)
log.info("cannot load key from file '%s':",
keyfile_path)
log.info(" %s", e)
if key:
log("auth_publickey using %s: %s", keyfile_path, keymd5(key))
try:
transport.auth_publickey(username, key)
except SSHException as e:
log("key '%s' rejected", keyfile_path, exc_info=True)
log.info("SSH authentication using key '%s' failed:",
keyfile_path)
log.info(" %s", e)
else:
if transport.is_authenticated():
break
def auth_none():
log("trying none authentication")
try:
transport.auth_none(username)
except SSHException as e:
log("auth_none()", exc_info=True)
def auth_password():
log("trying password authentication")
try:
transport.auth_password(username, password)
except SSHException as e:
log("auth_password(..)", exc_info=True)
log.info("SSH password authentication failed: %s", e)
def auth_interactive():
log("trying interactive authentication")
class iauthhandler:
def __init__(self):
self.authcount = 0
def handlestuff(self, title, instructions, prompt_list):
p = []
for pent in prompt_list:
if self.authcount == 0 and password:
p.append(password)
else:
p.append(input_pass(pent[0]))
self.authcount += 1
return p
try:
myiauthhandler = iauthhandler()
transport.auth_interactive(username, myiauthhandler.handlestuff,
"")
except SSHException as e:
log("auth_interactive(..)", exc_info=True)
log.info("SSH password authentication failed: %s", e)
banner = transport.get_banner()
if banner:
log.info("SSH server banner:")
for x in banner.splitlines():
log.info(" %s", x)
log("starting authentication")
# per the RFC we probably should do none first always and read off the supported
# methods, however, the current code seems to work fine with OpenSSH
if not transport.is_authenticated() and NONE_AUTH:
auth_none()
# Some people do two-factor using KEY_AUTH to kick things off, so this happens first
if not transport.is_authenticated() and KEY_AUTH:
auth_publickey()
if not transport.is_authenticated() and PASSWORD_AUTH:
auth_interactive()
if not transport.is_authenticated() and PASSWORD_AUTH and password:
auth_password()
if not transport.is_authenticated() and AGENT_AUTH:
auth_agent()
if not transport.is_authenticated() and PASSWORD_AUTH and not password:
for _ in range(1 + PASSWORD_RETRY):
password = input_pass("please enter the SSH password for %s@%s" %
(username, host))
if not password:
break
auth_password()
if transport.is_authenticated():
break
if not transport.is_authenticated():
transport.close()
raise InitException("SSH Authentication on %s failed" % host)
def ssh_paramiko_connect_to(display_desc):
#plain socket attributes:
dtype = display_desc["type"]
host = display_desc["host"]
port = display_desc.get("ssh-port", 22)
#ssh and command attributes:
username = display_desc.get("username") or get_username()
if "proxy_host" in display_desc:
display_desc.setdefault("proxy_username", get_username())
password = display_desc.get("password")
target = ssh_target_string(display_desc)
remote_xpra = display_desc["remote_xpra"]
proxy_command = display_desc["proxy_command"] #ie: "_proxy_start"
socket_dir = display_desc.get("socket_dir")
display_as_args = display_desc["display_as_args"] #ie: "--start=xterm :10"
socket_info = {
"host": host,
"port": port,
}
with nogssapi_context():
from paramiko import SSHConfig, ProxyCommand
ssh_config = SSHConfig()
user_config_file = os.path.expanduser("~/.ssh/config")
sock = None
host_config = None
if os.path.exists(user_config_file):
with open(user_config_file) as f:
ssh_config.parse(f)
host_config = ssh_config.lookup(host)
if host_config:
host = host_config.get("hostname", host)
username = host_config.get("username", username)
port = host_config.get("port", port)
proxycommand = host_config.get("proxycommand")
if proxycommand:
sock = ProxyCommand(proxycommand)
from xpra.child_reaper import getChildReaper
cmd = getattr(sock, "cmd", [])
getChildReaper().add_process(sock.process,
"paramiko-ssh-client", cmd,
True, True)
log("found proxycommand='%s' for host '%s'", proxycommand,
host)
from paramiko.client import SSHClient
ssh_client = SSHClient()
ssh_client.load_system_host_keys()
ssh_client.connect(host, port, sock=sock)
transport = ssh_client.get_transport()
do_ssh_paramiko_connect_to(
transport, host, username, password, host_config
or ssh_config.lookup("*"))
chan = paramiko_run_remote_xpra(transport, proxy_command,
remote_xpra, socket_dir,
display_as_args)
peername = (host, port)
conn = SSHProxyCommandConnection(chan, peername, target,
socket_info)
conn.timeout = SOCKET_TIMEOUT
conn.start_stderr_reader()
conn.process = (sock.process, "ssh", cmd)
from xpra.net import bytestreams
from paramiko.ssh_exception import ProxyCommandFailure
bytestreams.CLOSED_EXCEPTIONS = tuple(
list(bytestreams.CLOSED_EXCEPTIONS) +
[ProxyCommandFailure])
return conn
from xpra.scripts.main import socket_connect
from paramiko.transport import Transport
from paramiko import SSHException
if "proxy_host" in display_desc:
proxy_host = display_desc["proxy_host"]
proxy_port = display_desc.get("proxy_port", 22)
proxy_username = display_desc.get("proxy_username", username)
proxy_password = display_desc.get("proxy_password", password)
sock = socket_connect(dtype, proxy_host, proxy_port)
middle_transport = Transport(sock)
middle_transport.use_compression(False)
try:
middle_transport.start_client()
except SSHException as e:
log("start_client()", exc_info=True)
raise InitException("SSH negotiation failed: %s" % e)
proxy_host_config = ssh_config.lookup(host)
do_ssh_paramiko_connect_to(
middle_transport, proxy_host, proxy_username, proxy_password,
proxy_host_config or ssh_config.lookup("*"))
log("Opening proxy channel")
chan_to_middle = middle_transport.open_channel(
"direct-tcpip", (host, port), ('localhost', 0))
transport = Transport(chan_to_middle)
transport.use_compression(False)
try:
transport.start_client()
except SSHException as e:
log("start_client()", exc_info=True)
raise InitException("SSH negotiation failed: %s" % e)
do_ssh_paramiko_connect_to(transport, host, username, password,
host_config or ssh_config.lookup("*"))
chan = paramiko_run_remote_xpra(transport, proxy_command,
remote_xpra, socket_dir,
display_as_args)
peername = (host, port)
conn = SSHProxyCommandConnection(chan, peername, target,
socket_info)
conn.timeout = SOCKET_TIMEOUT
conn.start_stderr_reader()
return conn
#plain TCP connection to the server,
#we open it then give the socket to paramiko:
sock = socket_connect(dtype, host, port)
sockname = sock.getsockname()
peername = sock.getpeername()
log("paramiko socket_connect: sockname=%s, peername=%s", sockname,
peername)
transport = Transport(sock)
transport.use_compression(False)
try:
transport.start_client()
except SSHException as e:
log("start_client()", exc_info=True)
raise InitException("SSH negotiation failed: %s" % e)
do_ssh_paramiko_connect_to(transport, host, username, password,
host_config or ssh_config.lookup("*"))
chan = paramiko_run_remote_xpra(transport, proxy_command, remote_xpra,
socket_dir, display_as_args)
conn = SSHSocketConnection(chan, sock, sockname, peername, target,
socket_info)
conn.timeout = SOCKET_TIMEOUT
conn.start_stderr_reader()
return conn
def do_ssh_paramiko_connect_to(sock, host, port, username, password, proxy_command, remote_xpra, socket_dir, display_as_args, target):
from paramiko import SSHException, Transport, Agent, RSAKey, PasswordRequiredException
from paramiko.hostkeys import HostKeys
transport = Transport(sock)
transport.use_compression(False)
log("SSH transport %s", transport)
try:
transport.start_client()
except SSHException as e:
log("start_client()", exc_info=True)
raise InitException("SSH negotiation failed: %s" % e)
host_key = transport.get_remote_server_key()
assert host_key, "no remote server key"
log("remote_server_key=%s", keymd5(host_key))
if VERIFY_HOSTKEY:
host_keys = HostKeys()
host_keys_filename = None
KNOWN_HOSTS = get_ssh_known_hosts_files()
for known_hosts in KNOWN_HOSTS:
host_keys.clear()
try:
path = os.path.expanduser(known_hosts)
if os.path.exists(path):
host_keys.load(path)
log("HostKeys.load(%s) successful", path)
host_keys_filename = path
break
except IOError:
log("HostKeys.load(%s)", known_hosts, exc_info=True)
log("host keys=%s", host_keys)
keys = host_keys.lookup(host)
known_host_key = (keys or {}).get(host_key.get_name())
def keyname():
return host_key.get_name().replace("ssh-", "")
if host_key==known_host_key:
assert host_key
log("%s host key '%s' OK for host '%s'", keyname(), keymd5(host_key), host)
else:
if known_host_key:
log.warn("Warning: SSH server key mismatch")
qinfo = [
"WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!",
"IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!",
"Someone could be eavesdropping on you right now (man-in-the-middle attack)!",
"It is also possible that a host key has just been changed.",
"The fingerprint for the %s key sent by the remote host is" % keyname(),
keymd5(host_key),
]
if VERIFY_STRICT:
log.warn("Host key verification failed.")
#TODO: show alert with no option to accept key
qinfo += [
"Please contact your system administrator.",
"Add correct host key in %s to get rid of this message.",
"Offending %s key in %s" % (keyname(), host_keys_filename),
"ECDSA host key for %s has changed and you have requested strict checking." % keyname(),
]
sys.stderr.write(os.linesep.join(qinfo))
transport.close()
raise InitExit(EXIT_SSH_KEY_FAILURE, "SSH Host key has changed")
if not confirm_key(qinfo):
transport.close()
raise InitExit(EXIT_SSH_KEY_FAILURE, "SSH Host key has changed")
else:
assert (not keys) or (host_key.get_name() not in keys)
if not keys:
log.warn("Warning: unknown SSH host")
else:
log.warn("Warning: unknown %s SSH host key", keyname())
qinfo = [
"The authenticity of host '%s' can't be established." % (host,),
"%s key fingerprint is" % keyname(),
keymd5(host_key),
]
if not confirm_key(qinfo):
transport.close()
raise InitExit(EXIT_SSH_KEY_FAILURE, "Unknown SSH host '%s'" % host)
if ADD_KEY:
try:
if not host_keys_filename:
#the first one is the default,
#ie: ~/.ssh/known_hosts on posix
host_keys_filename = os.path.expanduser(KNOWN_HOSTS[0])
log("adding %s key for host '%s' to '%s'", keyname(), host, host_keys_filename)
if not os.path.exists(host_keys_filename):
keys_dir = os.path.dirname(host_keys_filename)
if not os.path.exists(keys_dir):
log("creating keys directory '%s'", keys_dir)
os.mkdir(keys_dir, 0o700)
elif not os.path.isdir(keys_dir):
log.warn("Warning: '%s' is not a directory")
log.warn(" key not saved")
if os.path.exists(keys_dir) and os.path.isdir(keys_dir):
log("creating known host file '%s'", host_keys_filename)
with umask_context(0o133):
with open(host_keys_filename, 'a+'):
pass
host_keys.add(host, host_key.get_name(), host_key)
host_keys.save(host_keys_filename)
except OSError as e:
log("failed to add key to '%s'", host_keys_filename)
log.error("Error adding key to '%s'", host_keys_filename)
log.error(" %s", e)
except Exception as e:
log.error("cannot add key", exc_info=True)
def auth_agent():
agent = Agent()
agent_keys = agent.get_keys()
log("agent keys: %s", agent_keys)
if agent_keys:
for agent_key in agent_keys:
log("trying ssh-agent key '%s'", keymd5(agent_key))
try:
transport.auth_publickey(username, agent_key)
if transport.is_authenticated():
log("authenticated using agent and key '%s'", keymd5(agent_key))
break
except SSHException:
log("agent key '%s' rejected", keymd5(agent_key), exc_info=True)
if not transport.is_authenticated():
log.info("agent authentication failed, tried %i key%s", len(agent_keys), engs(agent_keys))
def auth_publickey():
log("trying public key authentication")
for keyfile in ("id_rsa", "id_dsa"):
keyfile_path = osexpand(os.path.join("~/", ".ssh", keyfile))
if not os.path.exists(keyfile_path):
log("no keyfile at '%s'", keyfile_path)
continue
key = None
try:
key = RSAKey.from_private_key_file(keyfile_path)
except PasswordRequiredException:
log("%s keyfile requires a passphrase", keyfile_path)
passphrase = input_pass("please enter the passphrase for %s:" % (keyfile_path,))
if passphrase:
try:
key = RSAKey.from_private_key_file(keyfile_path, passphrase)
except SSHException as e:
log("from_private_key_file", exc_info=True)
log.info("cannot load key from file '%s':", keyfile_path)
log.info(" %s", e)
if key:
log("auth_publickey using %s: %s", keyfile_path, keymd5(key))
try:
transport.auth_publickey(username, key)
except SSHException as e:
log("key '%s' rejected", keyfile_path, exc_info=True)
log.info("SSH authentication using key '%s' failed:", keyfile_path)
log.info(" %s", e)
else:
if transport.is_authenticated():
break
def auth_none():
log("trying none authentication")
try:
transport.auth_none(username)
except SSHException as e:
log("auth_none()", exc_info=True)
def auth_password():
log("trying password authentication")
try:
transport.auth_password(username, password)
except SSHException as e:
log("auth_password(..)", exc_info=True)
log.info("SSH password authentication failed: %s", e)
banner = transport.get_banner()
if banner:
log.info("SSH server banner:")
for x in banner.splitlines():
log.info(" %s", x)
log("starting authentication")
if not transport.is_authenticated() and NONE_AUTH:
auth_none()
if not transport.is_authenticated() and PASSWORD_AUTH and password:
auth_password()
if not transport.is_authenticated() and AGENT_AUTH:
auth_agent()
if not transport.is_authenticated() and KEY_AUTH:
auth_publickey()
if not transport.is_authenticated() and PASSWORD_AUTH and not password:
for _ in range(1+PASSWORD_RETRY):
password = input_pass("please enter the SSH password for %s@%s" % (username, host))
if not password:
break
auth_password()
if transport.is_authenticated():
break
if not transport.is_authenticated():
transport.close()
raise InitException("SSH Authentication failed")
assert len(remote_xpra)>0
log("will try to run xpra from: %s", remote_xpra)
for xpra_cmd in remote_xpra:
try:
chan = transport.open_session(window_size=None, max_packet_size=0, timeout=60)
chan.set_name("find %s" % xpra_cmd)
except SSHException as e:
log("open_session", exc_info=True)
raise InitException("failed to open SSH session: %s" % e)
cmd = "which %s" % xpra_cmd
log("exec_command('%s')", cmd)
chan.exec_command(cmd)
#poll until the command terminates:
start = monotonic_time()
while not chan.exit_status_ready():
if monotonic_time()-start>10:
chan.close()
raise InitException("SSH test command '%s' timed out" % cmd)
log("exit status is not ready yet, sleeping")
time.sleep(0.01)
r = chan.recv_exit_status()
log("exec_command('%s')=%s", cmd, r)
chan.close()
if r!=0:
continue
cmd = xpra_cmd + " " + " ".join(shellquote(x) for x in proxy_command)
if socket_dir:
cmd += " \"--socket-dir=%s\"" % socket_dir
if display_as_args:
cmd += " "
cmd += " ".join(shellquote(x) for x in display_as_args)
log("cmd(%s, %s)=%s", proxy_command, display_as_args, cmd)
#see https://github.com/paramiko/paramiko/issues/175
#WINDOW_SIZE = 2097152
log("trying to open SSH session, window-size=%i, timeout=%i", WINDOW_SIZE, TIMEOUT)
try:
chan = transport.open_session(window_size=WINDOW_SIZE, max_packet_size=0, timeout=TIMEOUT)
chan.set_name("run-xpra")
except SSHException as e:
log("open_session", exc_info=True)
raise InitException("failed to open SSH session: %s" % e)
else:
log("channel exec_command(%s)" % cmd)
chan.exec_command(cmd)
info = {
"host" : host,
"port" : port,
}
conn = SSHSocketConnection(chan, sock, target, info)
conn.timeout = SOCKET_TIMEOUT
conn.start_stderr_reader()
child = None
conn.process = (child, "ssh", cmd)
return conn
raise Exception("all SSH remote proxy commands have failed")
