#!/usr/bin/env python2
"""
Daemon for administratively coupling two ssh channels together.
"""
import ConfigParser
import argparse
import logging
import os
import pam
import socket
import sys
import traceback
import paramiko
from paramiko.common import DEBUG, INFO
from collections import deque
from threading import Thread
# Outer listener defaults; overridable with --host / --port in main().
# '0.0.0.0' binds every IPv4 interface.
HOST = '0.0.0.0'
PORT = 2222
# listen() backlog for the accept socket in start_server().
BACKLOG = 10
# One shared PAM handle, consulted by Server.check_auth_password.
PAM_AUTH = pam.pam()
# username -> [hostname, port, identityfile]; filled by main() from the config file.
_CONFIG = {}
log_name = 'ssh_coupler.main'
root_logger = paramiko.util.get_logger(log_name)
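class Server(paramiko.ServerInterface):
    """Authentication and channel policy for the outer (client-facing) side.

    Only password authentication, checked against PAM, is accepted, and only
    for usernames that have a destination in ``_CONFIG``; the inner
    connection for that user is opened later by MiddleManSFTPServer.
    """

    def get_allowed_auths(self, username):
        """Advertise password as the only authentication method."""
        return 'password'

    def check_auth_password(self, username, password):
        """Accept the login only if the user is configured and PAM accepts it."""
        # A user without a section in the config file has no destination, so
        # a successful login would have nothing to be coupled to.
        if username not in _CONFIG:
            return paramiko.AUTH_FAILED
        if PAM_AUTH.authenticate(username, password):
            return paramiko.AUTH_SUCCESSFUL
        return paramiko.AUTH_FAILED

    def check_auth_publickey(self, username, key):
        """Reject public keys: nothing here compares them against any key list."""
        return paramiko.AUTH_FAILED

    def check_channel_request(self, kind, chanid):
        """Allow only session channels, which is what the sftp subsystem uses."""
        if kind == 'session':
            return paramiko.OPEN_SUCCEEDED
        return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

    def check_channel_shell_request(self, channel):
        # Todo: figure out packet exchange for shell mode
        return False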
# Actor decorator
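def actor(func):
    """Turn a generator method into a self-registering, primed coroutine.

    Calling the decorated method creates the generator, stores it in
    ``self._registry`` under the method's name and advances it to its first
    ``yield``; the call itself returns ``None``.  The builtin ``next()`` is
    used so the same code runs on Python 2 and 3 (``gen.next()`` is 2.x-only).
    """
    def register_gen(*args, **kwargs):
        owner = args[0]  # the bound instance; it must already have _registry
        gen = func(*args, **kwargs)
        owner._registry[func.__name__] = gen
        next(gen)  # prime: run up to the first yield
    return register_gen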
# overridden paramiko.SFTPServer __init__ and start_subsystem to enable packet interchange
# between outer client and inner sshd.
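class MiddleManSFTPServer(paramiko.SFTPServer):
    """SFTP subsystem handler relaying packets between the outer client and
    an SFTP session opened to the inner sshd configured for the user.

    Two coroutines (``client_broker`` and ``daemon_broker``) pass packets to
    each other through ``_msg_queue``; ``start_subsystem`` drives them.
    """

    def __init__(self, channel, name, server, *largs, **kwargs):
        """Open the inner SFTP session for the authenticated outer user.

        ``client_addr`` (popped from *kwargs*) is the outer client's
        ``host:port`` string, used only in log lines.  If the inner connection
        cannot be established both transports are closed and the original
        exception is re-raised.  A username missing from ``_CONFIG`` raises
        ``KeyError``.
        """
        self.client_addr = kwargs.pop('client_addr')
        self.transport = channel.get_transport()
        super(MiddleManSFTPServer, self).__init__(channel, name, server, *largs, **kwargs)
        # The destination is selected by the username that authenticated on
        # the outer side (see ssh_coupler.conf as loaded by main()).
        self.dest_username = self.transport.get_username()
        self.dest_hostname, self.dest_port, identity_file = _CONFIG[self.dest_username]
        self.privkey = paramiko.rsakey.RSAKey(filename=identity_file)
        self.hostkeytype = None
        self.hostkey = None
        self.client_transport = None
        self.inner_SFTPClient = None
        # coroutine actors' registry and queue
        self._registry = {}
        self._msg_queue = deque()
        self.host_keys = self._load_host_keys()
        self._select_host_key()
        try:
            self.client_transport = paramiko.Transport((self.dest_hostname, self.dest_port))
            self.client_transport.connect(self.hostkey, self.dest_username, pkey=self.privkey)
            self.inner_SFTPClient = paramiko.SFTPClient.from_transport(self.client_transport)
        except Exception as e:
            root_logger.log(INFO, '*** Caught exception: %s: %s' % (e.__class__, e))
            traceback.print_exc()
            self._close_quietly(self.client_transport)
            # This constructor runs on a paramiko thread, not the main thread,
            # so sys.exit(1) would only raise SystemExit in that thread and the
            # daemon would keep running with a half-open session.  Close the
            # outer session ourselves and surface the real error.
            self._close_quietly(self.transport)
            raise

    def _load_host_keys(self):
        """Return the outer user's known_hosts entries, or {} if unreadable."""
        # Assumes home directories live under /home (no ~ expansion is done).
        path = '/home/%s/.ssh/known_hosts' % self.dest_username
        try:
            return paramiko.util.load_host_keys(path)
        except IOError:
            root_logger.log(INFO, '*** Unable to open host keys file')
            return {}

    def _select_host_key(self):
        """Pick the known_hosts key for the destination host, if there is one."""
        if self.dest_hostname in self.host_keys:
            self.hostkeytype = list(self.host_keys[self.dest_hostname].keys())[0]
            self.hostkey = self.host_keys[self.dest_hostname][self.hostkeytype]
            root_logger.log(INFO, 'Using host key of type %s' % self.hostkeytype)
        else:
            # With hostkey=None, Transport.connect() accepts whatever key the
            # inner server presents, so make that visible in the log.
            root_logger.log(INFO, '*** No known_hosts entry for %s; inner host key will not be verified' % self.dest_hostname)

    @staticmethod
    def _close_quietly(transport):
        """Close a transport if there is one, ignoring errors from a dead socket."""
        if transport is None:
            return
        try:
            transport.close()
        except Exception:
            pass

    def cleanup(self):
        """Tear down the inner SFTP session, then the outer channel and transport."""
        self._log(DEBUG, '%s: Closing associated SFTPClient connection.' % self.client_addr)
        if self.inner_SFTPClient is not None:
            self.inner_SFTPClient.close()
        self._close_quietly(self.client_transport)
        self.finish_subsystem()
        self.transport.close()

    def _fail_request(self, client_data):
        """Answer the client's pending request with SFTP_FAILURE, best effort."""
        try:
            # Every SFTP request after INIT starts with its uint32 request id.
            request_number = paramiko.Message(client_data).get_int()
            self._send_status(request_number, paramiko.sftp.SFTP_FAILURE)
        except Exception as e:
            self._log(DEBUG, 'Could not send failure status: ' + str(e))

    @actor
    def client_broker(self):
        """Read packets from the outer client and hand them to daemon_broker.

        client_t, client_data is data from user client to the paramiko sftp
        server.  The value sent back in is either ``(dest_t, dest_data)`` to
        relay to the client, or ``None`` when the daemon side already replied
        with a failure status and nothing is left to relay.
        """
        while True:
            try:
                client_t, client_data = self._read_packet()
            except EOFError:
                self._log(INFO, '%s: Server received EOF -- end of session' % self.client_addr)
                self.cleanup()
                return
            except Exception as e:
                self._log(DEBUG, 'Exception on channel: ' + str(e))
                self._log(DEBUG, paramiko.util.tb_strings())
                self.cleanup()
                return
            self._msg_queue.append(('daemon_broker', (client_t, client_data)))
            reply = yield
            if reply is not None:
                dest_t, dest_data = reply
                self._send_packet(dest_t, dest_data)

    @actor
    def daemon_broker(self):
        """Forward one client packet to the inner sshd and queue its reply.

        dest_t, dest_data is data from end target sshd to the paramiko client.
        On failure the client gets an SFTP_FAILURE status for that request and
        client_broker is re-queued with ``None`` so it goes back to reading.
        """
        while True:
            client_t, client_data = yield
            try:
                self.inner_SFTPClient._send_packet(client_t, client_data)
                dest_t, dest_data = self.inner_SFTPClient._read_packet()
            except Exception as e:
                self._log(DEBUG, 'Exception in server processing: ' + str(e))
                self._log(DEBUG, paramiko.util.tb_strings())
                self._fail_request(client_data)
                self._msg_queue.append(('client_broker', None))
            else:
                self._msg_queue.append(('client_broker', (dest_t, dest_data)))

    def start_subsystem(self, name, transport, channel):
        """Drive the two brokers until the outer client disconnects.

        Called by paramiko once the client requests the sftp subsystem.  Each
        broker queues a message for the other before it yields, so an empty
        queue means a broker has finished and the session is over; the loop
        therefore exits instead of spinning on an empty deque.
        """
        self.sock = channel
        self._log(INFO, '%s: Starting channel coupling' % (self.client_addr))
        self._send_server_version()
        try:
            # Priming client_broker performs the first (blocking) client read.
            self.client_broker()
            self.daemon_broker()
            while self._msg_queue:
                broker, payload = self._msg_queue.popleft()
                self._registry[broker].send(payload)
        except StopIteration:
            # client_broker returned: the client sent EOF and cleanup() already ran.
            pass
        self._log(INFO, '%s: disconnected' % (self.client_addr))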
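def start_server(host, port, HOST_KEY, level):
    """Accept connections forever and start a paramiko server for each one.

    host/port: address to listen on.  HOST_KEY: the outer server's host key.
    level: kept for interface compatibility; logging is configured by the
    caller and ``level`` is not read here.  Exits the process with status 1
    if the listening socket cannot be bound.
    """
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        server_socket.bind((host, port))
    except socket.error as err:
        # .errno / .strerror exist on Python 2 and 3; indexing the exception
        # (msg[0], msg[1]) only works on Python 2.
        root_logger.log(INFO, ' *** Socket bind failed. Error: %s Message: %s' % (err.errno, err.strerror))
        server_socket.close()
        sys.exit(1)
    server_socket.listen(BACKLOG)
    root_logger.log(INFO, ' *** ssh_coupler.py listening on %s:%s' % (host, port))
    while True:
        conn, addr = server_socket.accept()
        client_addr = '%s:%s' % (addr[0], addr[1])
        root_logger.log(INFO, 'Connection Received from: %s' % client_addr)
        serv_transport = paramiko.Transport(conn)
        serv_transport.add_server_key(HOST_KEY)
        # One handler instance is built per sftp subsystem request; client_addr
        # is only used in its log lines.
        serv_transport.set_subsystem_handler('sftp', MiddleManSFTPServer, client_addr=client_addr)
        try:
            # Without an event this blocks until key exchange with this client
            # finishes; authentication and channels are then handled on the
            # transport's own thread, so the accept loop continues.
            serv_transport.start_server(server=Server())
        except paramiko.SSHException:
            root_logger.log(INFO, ' *** SSH negotiation failed with %s' % addr[0])
            serv_transport.close()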
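def main():
    """Parse arguments, load the config file into _CONFIG and run the listener.

    Exits with status 1 when the config file does not exist.
    """
    parser = argparse.ArgumentParser(description="Couples two ssh channels together.")
    parser.add_argument('--host', '-H', default=HOST, help='listen on HOST [default: {}]'.format(HOST))
    parser.add_argument('--port', '-p', type=int, default=PORT, help='listen on PORT [default: {}]'.format(PORT))
    parser.add_argument('--file', '-f', default='/etc/ssh_coupler.conf', help='Full path of config file.')
    parser.add_argument('--key', '-k', default='/etc/ssh/ssh_host_rsa_key', help='Full path of host key file')
    # choices= rejects anything that is not a logging level name, so the
    # getattr() below cannot be pointed at an arbitrary attribute.
    parser.add_argument('--level', '-l', default='INFO',
                        choices=['CRITICAL', 'ERROR', 'WARNING', 'INFO', 'DEBUG'],
                        help='Debug level: CRITICAL, ERROR, WARNING, INFO, DEBUG [default: INFO]')
    args = parser.parse_args()
    logging.basicConfig(level=getattr(logging, args.level))
    if not os.path.isfile(args.file):
        root_logger.log(INFO, 'Configuration file ' + args.file + ' not found. Exiting.')
        sys.exit(1)
    # Read config into active configuration: each section names one outer
    # user and the inner sshd their session is coupled to.
    root_logger.log(INFO, 'Loading config from ' + args.file)
    config = ConfigParser.ConfigParser()
    config.read(args.file)
    for sec in config.sections():
        dest_username = config.get(sec, 'user')
        _CONFIG[dest_username] = [config.get(sec, 'hostname'), config.getint(sec, 'port'), config.get(sec, 'identityfile')]
    HOST_KEY = paramiko.RSAKey(filename=args.key)
    start_server(args.host, args.port, HOST_KEY, args.level)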
# Script entry point; importing the module only defines things.
if __name__ == "__main__":
    main()