The SSH server in Example 10-1 used usernames and passwords for authentication. But heavy SSH users will tell you that one of the nicest features of SSH is its support for key-based authentication. With key-based authentication, the server is given a copy of a userís private key. When the user tries to log in, the server asks her to prove her identity by signing some data with her private key. The server then checks the signed data against its copy of the userís public key.
In practice, using public keys for authentication is nice, because it saves the user from having to manage a lot of passwords. A user can use the same key for multiple servers. She can choose to password-protect her key for extra security, or she can use a key with no password for a completely transparent login process.
This lab shows you how to set up a Twisted SSH server to use public key authentication. It uses the same server code as Example 10-1, but with a new authentication backend.How Do I Do That?
Store a public key for each user. Write a credentials checker that accepts credentials implementing twisted.conch.credentials.ISSHPrivateKey. Verify the userís credentials by checking to make sure that his public key matches the key you have stored, and that his signature proves that the user possesses the matching private key. Example 10-2 shows how to do this.
Example 10-2. pubkeyssh.py
from sshserver import SSHDemoRealm, getRSAKeys
def __init__(self, authorizedKeys):
def requestAvatarId(self, credentials):
if __name__ == "__main__":
pubKeyString, privKeyString = getRSAKeys()
from twisted.internet import reactor reactor.listenTCP(2222, sshFactory) reactor.run()
To test this example, youíll need to generate a public key, if you donít have one already. The OpenSSH SSH implementation that comes with most Linux
$ ssh-keygen -t rsa
Once youíve generated a key, you can get the public key from the file ~/.ssh/id_rsa.pub. Edit Example 10-2 to use your public key for theadmin user in theauthorizedKeysdictionary. Then run pubkeyssh.py to start the server on port 2222. You should log right in without being prompted for a password:
$ ssh admin@localhost -p 2222
>>> Welcome to my test SSH server.
If you try to log in as a user who doesnít possess the matching private key, youíll be denied access:
$ ssh admin@localhost -p 2222
Example 10-2 reuses most of the SSH server classes from Example 10-1. To support public key authentication, it uses a new credentials checker class named PublicKeyCredentialsChecker. PublicKeyCredentialsCheckeraccepts credentials implementingISSHPrivateKey, which have the attributesusername,blob,signature, andsigData. To verify the key,PublicKeyCredentialsCheckergoes through three tests. First, it makes sure it has a public key on file for the userusername. Next, it verifies that the public key provided inblobmatches the public key it has on file for that user.
Itís possible that the user may have provided just the public key at this point, but not a signed token. If the public key was valid, but no signature was provided,PublicKeyCredentialsChecker.requestAvatarraises the special exceptiontwisted.conch.error. ValidPublicKey. The SSH server will understand the meaning of this exception and ask the client for the missing signature.
Finally, thePublicKeyCredentialsCheckeruses the functiontwisted.conch.ssh.keys.verifySignatureto check whether the data insignaturereally is the data insigDatasigned with the userís private key. IfverifySignaturereturns a true value, authentication is successful, andrequestAvatarIdreturnsusernameas the avatar ID.
blog comments powered by Disqus