def run(self):
# I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent
# since openssh does not seem to have an option to use only an agent we have a workaround,
# by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent.
# This is a little "racy" in that a tempfile with the same path could concievably be created between the unlink and openssh attempting to use it
# but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key.
logger_debug("testAuthThread started")
import tempfile, os
(fd, path) = tempfile.mkstemp()
os.close(fd)
os.unlink(path)
ssh_cmd = '{sshbinary} -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=yes -l {login} {host} echo "success_testauth"'.format(
sshbinary=self.keydistObject.sshpaths.sshBinary,
login=self.keydistObject.username,
host=self.keydistObject.host,
nonexistantpath=path)
logger_debug('testAuthThread: attempting: ' + ssh_cmd)
ssh = subprocess.Popen(ssh_cmd,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
shell=True,
universal_newlines=True)
stdout, stderr = ssh.communicate()
ssh.wait()
logger_debug('testAuthThread: stdout of ssh command: ' +
str(stdout))
logger_debug('testAuthThread: stderr of ssh command: ' +
str(stderr))
if 'success_testauth' in stdout:
logger_debug(
'testAuthThread: got success_testauth in stdout :)')
self.keydistObject.authentication_success = True
newevent = KeyDist.sshKeyDistEvent(
KeyDist.EVT_KEYDIST_AUTHSUCCESS, self.keydistObject)
else:
logger_debug(
'testAuthThread: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event'
)
newevent = KeyDist.sshKeyDistEvent(
KeyDist.EVT_KEYDIST_AUTHFAIL, self.keydistObject)
if (not self.stopped()):
logger_debug(
'testAuthThread: self.stopped() == False, so posting event: '
+ str(newevent))
wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),
newevent)
def run(self):
# I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent
# since openssh does not seem to have an option to use only an agent we have a workaround,
# by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent.
# This is a little "racy" in that a tempfile with the same path could conceivably be created between the unlink and openssh attempting to use it
# but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key.
threadid = threading.currentThread().ident
logger.debug("testAuthThread %i: started"%threadid)
import tempfile
fd=tempfile.NamedTemporaryFile(delete=True)
path=fd.name
fd.close()
ssh_cmd = '{sshbinary} -o ConnectTimeout=10 -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o KbdInteractiveAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=no -l {login} {host} echo "success_testauth"'.format(sshbinary=self.keydistObject.keyModel.sshpaths.sshBinary,
login=self.keydistObject.username,
host=self.keydistObject.host,
nonexistantpath=path)
logger.debug('testAuthThread: attempting: ' + ssh_cmd)
ssh = subprocess.Popen(ssh_cmd,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,shell=True,universal_newlines=True, startupinfo=self.keydistObject.startupinfo, creationflags=self.keydistObject.creationflags)
stdout, stderr = ssh.communicate()
ssh.wait()
logger.debug("testAuthThread %i: stdout of ssh command: "%threadid + str(stdout))
logger.debug("testAuthThread %i: stderr of ssh command: "%threadid + str(stderr))
if 'Could not resolve hostname' in stdout:
logger.debug('Network error.')
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_NETWORK_ERROR,self.keydistObject)
elif 'success_testauth' in stdout:
logger.debug("testAuthThread %i: got success_testauth in stdout :)"%threadid)
self.keydistObject.authentication_success = True
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHSUCCESS,self.keydistObject)
elif 'Agent admitted' in stdout:
logger.debug("testAuthThread %i: the ssh agent has an error. Try rebooting the computer")
self.keydistObject.cancel("Sorry, there is a problem with the SSH agent.\nThis sort of thing usually occurs if you delete your key and create a new one.\nThe easiest solution is to reboot your computer and try again.")
return
else:
logger.debug("testAuthThread %i: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event"%threadid)
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHFAIL,self.keydistObject)
if (not self.stopped()):
logger.debug("testAuthThread %i: self.stopped() == False, so posting event: "%threadid + str(newevent))
wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),newevent)
logger.debug("testAuthThread %i: stopped"%threadid)
def run(self):
# I have a problem where I have multiple identity files in my ~/.ssh, and I want to use only identities loaded into the agent
# since openssh does not seem to have an option to use only an agent we have a workaround,
# by passing the -o IdentityFile option a path that does not exist, openssh can't use any other identities, and can only use the agent.
# This is a little "racy" in that a tempfile with the same path could concievably be created between the unlink and openssh attempting to use it
# but since the pub key is extracted from the agent not the identity file I can't see anyway an attacker could use this to trick a user into uploading the attackers key.
logger_debug("testAuthThread started")
import tempfile, os
(fd,path)=tempfile.mkstemp()
os.close(fd)
os.unlink(path)
ssh_cmd = '{sshbinary} -o IdentityFile={nonexistantpath} -o PasswordAuthentication=no -o PubkeyAuthentication=yes -o StrictHostKeyChecking=yes -l {login} {host} echo "success_testauth"'.format(sshbinary=self.keydistObject.sshpaths.sshBinary,
login=self.keydistObject.username,
host=self.keydistObject.host,
nonexistantpath=path)
logger_debug('testAuthThread: attempting: ' + ssh_cmd)
ssh = subprocess.Popen(ssh_cmd,stdout=subprocess.PIPE,stderr=subprocess.STDOUT,shell=True,universal_newlines=True)
stdout, stderr = ssh.communicate()
ssh.wait()
logger_debug('testAuthThread: stdout of ssh command: ' + str(stdout))
logger_debug('testAuthThread: stderr of ssh command: ' + str(stderr))
if 'success_testauth' in stdout:
logger_debug('testAuthThread: got success_testauth in stdout :)')
self.keydistObject.authentication_success = True
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHSUCCESS,self.keydistObject)
else:
logger_debug('testAuthThread: did not see success_testauth in stdout, posting EVT_KEYDIST_AUTHFAIL event')
newevent = KeyDist.sshKeyDistEvent(KeyDist.EVT_KEYDIST_AUTHFAIL,self.keydistObject)
if (not self.stopped()):
logger_debug('testAuthThread: self.stopped() == False, so posting event: ' + str(newevent))
wx.PostEvent(self.keydistObject.notifywindow.GetEventHandler(),newevent)