def setupManhole(application, config):
"""Setup an SSH manhole for the API service.
The manhole port is taken from the C{manhole-port} option in the config
file. If this option is not provided the api port plus 100 is used.
@param application: The fluidinfo API L{Application} object.
@param config: The configuration object.
"""
servicePort = config.getint('service', 'port')
if config.has_option('service', 'manhole-port'):
manholePort = config.getint('service', 'manhole-port')
else:
manholePort = servicePort + 100
def getManhole(_):
manhole = Manhole(globals())
ps1 = 'fluidinfo-api [%d] > ' % servicePort
ps2 = '... '.rjust(len(ps1))
manhole.ps = (ps1, ps2)
return manhole
realm = TerminalRealm()
realm.chainedProtocolFactory.protocolFactory = getManhole
portal = Portal(realm)
portal.registerChecker(SSHPublicKeyDatabase())
factory = ConchFactory(portal)
manholeService = TCPServer(manholePort, factory, interface='127.0.0.1')
manholeService.setServiceParent(application)
def generateChecker(self, argstring=''):
"""
This checker factory ignores the argument string. Everything
needed to authenticate users is pulled out of the public keys
listed in user .ssh/ directories.
"""
return SSHPublicKeyDatabase()
def getShellFactory(interpreterType, **namespace):
realm = ShellTerminalRealm(namespace, CommandAPI)
sshPortal = portal.Portal(realm)
factory = manhole_ssh.ConchFactory(sshPortal)
factory.privateKeys = {'ssh-rsa': dreamssh_util.getPrivKey()}
factory.publicKeys = {'ssh-rsa': dreamssh_util.getPubKey()}
factory.portal.registerChecker(SSHPublicKeyDatabase())
return factory
def getGameShellFactory(**namespace):
game = None
sshRealm = gameshell.TerminalRealm(namespace, game)
sshPortal = portal.Portal(sshRealm)
factory = manhole_ssh.ConchFactory(sshPortal)
factory.privateKeys = {'ssh-rsa': util.getPrivKey()}
factory.publicKeys = {'ssh-rsa': util.getPubKey()}
factory.portal.registerChecker(SSHPublicKeyDatabase())
return factory
def test_registerChecker(self):
"""
L{SSHProcotolChecker.registerChecker} should add the given checker to
the list of registered checkers.
"""
checker = SSHProtocolChecker()
self.assertEquals(checker.credentialInterfaces, [])
checker.registerChecker(SSHPublicKeyDatabase(), )
self.assertEquals(checker.credentialInterfaces, [ISSHPrivateKey])
self.assertIsInstance(checker.checkers[ISSHPrivateKey],
SSHPublicKeyDatabase)
def test_registerCheckerWithInterface(self):
"""
If a apecific interface is passed into
L{SSHProtocolChecker.registerChecker}, that interface should be
registered instead of what the checker specifies in
credentialIntefaces.
"""
checker = SSHProtocolChecker()
self.assertEquals(checker.credentialInterfaces, [])
checker.registerChecker(SSHPublicKeyDatabase(), IUsernamePassword)
self.assertEquals(checker.credentialInterfaces, [IUsernamePassword])
self.assertIsInstance(checker.checkers[IUsernamePassword],
SSHPublicKeyDatabase)
def setUp(self):
self.checker = SSHPublicKeyDatabase()
self.sshDir = FilePath(self.mktemp())
self.sshDir.makedirs()
self.key1 = base64.encodestring("foobar")
self.key2 = base64.encodestring("eggspam")
self.content = "t1 %s foo\nt2 %s egg\n" % (self.key1, self.key2)
self.mockos = MockOS()
self.mockos.path = self.sshDir.path
self.patch(os.path, "expanduser", self.mockos.expanduser)
self.patch(pwd, "getpwnam", self.mockos.getpwnam)
self.patch(os, "seteuid", self.mockos.seteuid)
self.patch(os, "setegid", self.mockos.setegid)
def setUp(self):
self.checker = SSHPublicKeyDatabase()
self.key1 = base64.encodestring("foobar")
self.key2 = base64.encodestring("eggspam")
self.content = "t1 %s foo\nt2 %s egg\n" % (self.key1, self.key2)
self.mockos = MockOS()
self.mockos.path = FilePath(self.mktemp())
self.mockos.path.makedirs()
self.sshDir = self.mockos.path.child('.ssh')
self.sshDir.makedirs()
userdb = UserDatabase()
userdb.addUser('user', 'password', 1, 2, 'first last',
self.mockos.path.path, '/bin/shell')
self.patch(pwd, "getpwnam", userdb.getpwnam)
self.patch(os, "seteuid", self.mockos.seteuid)
self.patch(os, "setegid", self.mockos.setegid)
"""Authentication/authorization backend using the 'login' PAM service"""
credentialInterfaces = IUsernamePassword,
implements(ICredentialsChecker)
def requestAvatarId(self, credentials):
if pam.authenticate(credentials.username, credentials.password):
return defer.succeed(credentials.username)
return defer.fail(UnauthorizedLogin("invalid password"))
class UnixSSHdFactory(factory.SSHFactory):
publicKeys = {'ssh-rsa': keys.Key.fromString(data=publicKey)}
privateKeys = {'ssh-rsa': keys.Key.fromString(data=privateKey)}
services = {
'ssh-userauth': userauth.SSHUserAuthServer,
'ssh-connection': connection.SSHConnection
}
# Components have already been registered in twisted.conch.unix
portal = portal.Portal(UnixSSHRealm())
portal.registerChecker(PamPasswordDatabase()) # Supports PAM
portal.registerChecker(SSHPublicKeyDatabase()) # Supports PKI
UnixSSHdFactory.portal = portal
if __name__ == '__main__':
reactor.listenTCP(5022, UnixSSHdFactory())
reactor.run()
