SSH with Twisted

Twisted is a framework for networked applications. In this article, you’ll learn how to use the Secure Shell (SSH) with Twisted to accomplish a variety of useful tasks. This article is excerpted from chapter 10 of the book Twisted Network Programming Essentials, written by Abe Fettig (O’Reilly, 2007; ISBN: 0596100329). Copyright © 2007 O’Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O’Reilly Media.

SSH, the Secure SHell, is an essential tool for many developers and administrators. SSH provides a way to establish encrypted, authenticated connections. The most common use of an SSH connection is to get a remote shell, but it’s possible to do many other things through SSH as well, including transferring files and tunneling other connections.

The twisted.conch package adds SSH support to Twisted. This chapter shows how you can use the modules in twisted.conch to build SSH servers and clients.

Setting Up a Custom SSH Server

The command line is an incredibly efficient interface for certain tasks. System administrators love the ability to manage applications by typing commands without having to click through a graphical user interface. An SSH shell is even better, as it’s accessible from anywhere on the Internet.

You can use twisted.conch to create an SSH server that provides access to a custom shell with commands you define. This shell will even support some extra features like command history, so that you can scroll through the commands you’ve already typed.

How Do I Do That?

Write a subclass of  twisted.conch.recvline.HistoricRecvLine that implements your shell protocol. HistoricRecvLine is similar to twisted.protocols.basic.LineReceiver , but with higher-level features for controlling the terminal.

Write a subclass of twisted.conch.recvline.HistoricRecvLine that implements your shell protocol. HistoricRecvLine is similar to twisted.protocols.basic.LineReceiver, but with higher-level features for controlling the terminal.

To make your shell available through SSH, you need to implement a few different classes that twisted.conch needs to build an SSH server. First, you need the twisted.cred authentication classes: a portal, credentials checkers, and a realm that returns avatars. Use twisted.conch.avatar.ConchUser as the base class for your avatar. Your avatar class should also implement twisted.conch.interfaces.ISession , which includes an openShell method in which you create a Protocol to manage the user’s interactive session. Finally, create a twisted.conch.ssh.factory.SSHFactory object and set its portal attribute to an instance of your portal.

Example 10-1 demonstrates a custom SSH server that authenticates users by their username and password. It gives each user a shell that provides several commands.

Example 10-1. sshserver.py

from twisted.cred import portal, checkers, credentials
from twisted.conch import error, avatar, recvline, interfaces as conchinterfaces
from twisted.conch.ssh import factory, userauth, connection, keys, session, common from twisted.conch.insults import insults from twisted.application import service, internet
from zope.interface import implements
import os

class SSHDemoProtocol(recvline.HistoricRecvLine):
    def __init__(self, user):
        self.user = user

    def connectionMade(self) : 
     recvline.HistoricRecvLine.connectionMade(self)
        self.terminal.write("Welcome to my test SSH server.")
        self.terminal.nextLine()
        self.do_help()
        self.showPrompt()

    def showPrompt(self):
        self.terminal.write("$ ")

    def getCommandFunc(self, cmd):
        return getattr(self, ‘do_’ + cmd, None)

    def lineReceived(self, line):
        line = line.strip()
        if line:
           
cmdAndArgs = line.split()
            cmd = cmdAndArgs[0]
            args = cmdAndArgs[1:]
            func = self.getCommandFunc(cmd)
            if func:
              
try:
                   func(*args)
               except Exception, e:
                   self.terminal.write("Error: %s" % e)
                   self.terminal.nextLine()
            else:
               self.terminal.write("No such command.")
               self.terminal.nextLine()
        self.showPrompt()

    def do_help(self, cmd=”):
        "Get help on a command. Usage: help command"
        if cmd:
           
func = self.getCommandFunc(cmd)
            if func:
                self.terminal.write(func.__doc__)
                self.terminal.nextLine()
                return

        publicMethods = filter(
           
lambda funcname: funcname.startswith(‘do_’), dir(self))
        commands = [cmd.replace('do_', '', 1) for cmd in publicMethods]
        self.terminal.write("Commands: " + " ".join(commands))
        self.terminal.nextLine()

    def do_echo(self, *args):
        "Echo a string. Usage: echo my line of text"
        self.terminal.write(" ".join(args))
        self.terminal.nextLine()

    def do_whoami(self):
        "Prints your user name. Usage: whoami"
        self.terminal.write(self.user.username)
        self.terminal.nextLine()

    def do_quit(self):
        "Ends your session. Usage: quit"
        self.terminal.write("Thanks for playing!")
        self.terminal.nextLine()
        self.terminal.loseConnection()

    def do_clear(self):
        "Clears the screen. Usage: clear"
        self.terminal.reset()

class SSHDemoAvatar(avatar.ConchUser):
    implements(conchinterfaces.ISession)

    def __init__(self, username):
        avatar.ConchUser.__init__(self)
        self.username = username
        self.channelLookup.update({‘session':session.SSHSession})

    def openShell(self, protocol):
        serverProtocol = insults.ServerProtocol(SSHDemoProtocol, self)
        serverProtocol.makeConnection(protocol)
        protocol.makeConnection(session.wrapProtocol(serverProtocol))

    def getPty(self, terminal, windowSize, attrs):
        return None

    def execCommand(self, protocol, cmd):
        raise NotImplementedError

    def closed(self):
        pass

class SSHDemoRealm:
    implements(portal.IRealm)

    def requestAvatar(self, avatarId, mind, *interfaces):
        if conchinterfaces.IConchUser in interfaces:
            return interfaces[0], SSHDemoAvatar(avatarId), lambda: None
        else:
            raise Exception, "No supported interfaces found."

def getRSAKeys():
   
if not (os.path.exists(‘public.key’) and os.path.exists(‘private.key’)):
        # generate a RSA keypair
        print "Generating RSA keypair…"
        from Crypto.PublicKey import RSA
        KEY_LENGTH = 1024
        rsaKey = RSA.generate(KEY_LENGTH, common.entropy.get_bytes)
        publicKeyString = keys.makePublicKeyString(rsaKey)
        privateKeyString = keys.makePrivateKeyString(rsaKey)
        # save keys for next time
        file(‘public.key’, ‘w+b’).write(publicKeyString)
        file(‘private.key’, ‘w+b’).write(privateKeyString)
        print "done."
   
else:
        publicKeyString = file(‘public.key’).read()
        privateKeyString = file(‘private.key’).read()
   
return publicKeyString, privateKeyString

if __name__ == "__main__":
    sshFactory = factory.SSHFactory()
    sshFactory.portal = portal.Portal(SSHDemoRealm())
    users = {‘admin': ‘aaa’, ‘guest': ‘bbb’}
    sshFactory.portal.registerChecker(
 
checkers.InMemoryUsernamePasswordDatabaseDontUse(**users))

    pubKeyString, privKeyString =
getRSAKeys()
    sshFactory.publicKeys = {
        ‘ssh-rsa': keys.getPublicKeyString(data=pubKeyString)}
    sshFactory.privateKeys = {
        ‘ssh-rsa': keys.getPrivateKeyObject(data=privKeyString)}

    from twisted.internet import reactor
    reactor.listenTCP(2222, sshFactory)
    reactor.run()

{mospagebreak title=Setting Up a Custom SSH Server continued}

sshserver.py will run an SSH server on port 2222. Connect to this server with an SSH client using the username admin and password aaa, and try typing some commands:

  $ ssh admin@localhost -p 2222
  admin@localhost’s password: aaa

  >>> Welcome to my test SSH server. 
  Commands: clear echo help quit whoami
  $ whoami
 
admin
  $ help echo
  Echo a string. Usage: echo my line of text
  $ echo hello SSH world!
  hello SSH world!
  $ quit

  Connection to localhost closed.

If you’ve already been using an SSH server on your local machine, you might get an error when you try to connect to the server in this example. You’ll get a message saying something like “Remote host identification has changed” or “Host key verification failed,” and your SSH client will refuse to connect.

The reason you get this error message is that your SSH client is remembering the public key used by your regular localhost SSH server. The server in Example 10-1 has its own key, and when the client sees that the keys are different, it gets suspicious that this new server may be an impostor pretending to be your regular localhost SSH server. To fix this problem, edit your ~/.ssh/known_hosts file (or wherever your SSH client keeps its list of recognized servers) and remove the localhost entry.

How Does That Work?

The SSHDemoProtocol class in Example 10-1 inherits from twisted.conch.recvline.HistoricRecvline . HistoricRecvLine is a protocol with built-in features for building command-line shells. It gives your shell features that most people take for granted in a modern shell, including backspacing, the ability to use the arrow keys to move the cursor forwards and backwards on the current line, and a command history that can be accessed using the up and down arrows. twisted.conch.recvline also provides a plain RecvLine class that works the same way, but without the command history.

The lineReceived method in HistoricRecvLine is called whenever a user enters a line. Example 10-1 shows how you might override this method to parse and execute commands. There are a couple of differences between HistoricRecvLine and a regular Protocol , which come from the fact that with HistoricRecvLine you’re actually manipulating the current contents of a user’s terminal window, rather than just printing out text. To print a line of output, use self.terminal.write ; to go to the next line, use self.nextLine .

The twisted.conch.avatar.ConchUser class represents the actions available to an authenticated SSH user. By default, ConchUser doesn’t allow the client to do anything. To make it possible for the user to get a shell, make his avatar implement twisted.conch.interfaces.ISession . The SSHDemoAvatar class in Example 10-1 doesn’t actually implement all of ISession ; it only implements enough for the user to get a shell. The openShell method will be called with a twisted.conch.ssh.session. SSHSessionProcessProtocol object that represents the encrypted client’s end of the encrypted channel. You have to perform a few steps to connect the client’s protocol to your shell protocol so they can communicate with each other. First, wrap your protocol class in a twisted.conch.insults.insults.ServerProtocol object. You can pass extra arguments to insults.ServerProtocol , and it will use them to initialize your protocol object. This sets up your protocol to use a virtual terminal. Then use makeConnection to connect the two protocols to each other. The client’s protocol actually expects makeConnection to be called with a an object implementing the lower-level twisted.internet.interfaces.ITransport interface, not a Protocol ; the twisted.conch.session.wrapProtocol function wraps a Protocol in a minimal ITransport interface.

The library traditionally used for manipulating a Unix terminal is called curses. So the Twisted developers, never willing to pass up the chance to use a pun in a module name, chose the name insults for this library of classes for terminal programming.

To make a realm for your SSH server, write a class that has a requestAvatar method. The SSH server will call requestAvatar with the username as avatarId and twisted.conch.interfaces.IAvatar as one of the interfaces. Return your subclass of twisted.conch. avatar.ConchUser .

There’s only one more thing you’ll need to have a complete SSH server: a unique set of public and private keys. Example 10-1 demonstrates how you can use the Crypto.PublicKey.RSA module to generate these keys. RSA.generate takes a key length as the first argument and an entropy-generating function as the second argument; the twisted.conch.ssh.common module provides the entropy.get_bytes function for this purpose. RSA.generate returns a Crypto.PublicKey.RSA.RSAobj object. You extract public and private key strings from the RSAobj by passing it to the getPublicKeyString and getPrivateKeyString functions from the twisted.conch.ssh.keys module. Example 10-1 saves its keys to disk after generating them the first time it runs: you need to keep these keys preserved between clients so clients can identify and trust your sever.

Note that you wouldn’t want to call RSA.generate after your program has entered the Twisted event loop. RSA.generate is a blocking function that can take quite some time to complete.

To run the SSH server, create a twisted.conch.ssh.factory.SSHFactory object. Set its portal attribute to a portal using your realm, and register a credentials checker that can handle twisted.cred.credentials.IUsernamePassword credentials. Set the SSHFactory ’s publicKeys attribute to a dictionary that matches encryption algorithms to key string objects. To get the RSA key string object, pass your public key as the data keyword to keys.getPublicKeyString . Then set the privateKeys attribute to a dictionary that matches protocols to key objects. To get the RSA private key object, pass your private key as the data keyword to keys.getPrivateKey . Both getPublicKeyString and getPrivateKey can take a filename keyword instead, to load a key directly from a file. Once the SSHFactory has the keys, it’s ready to go. Call reactor.listenTCP to have it start listening on a port and you’ve got an SSH server.

{mospagebreak title=Using Public Keys for Authentication}

The SSH server in Example 10-1 used usernames and passwords for authentication. But heavy SSH users will tell you that one of the nicest features of SSH is its support for key-based authentication. With key-based authentication, the server is given a copy of a user’s private key. When the user tries to log in, the server asks her to prove her identity by signing some data with her private key. The server then checks the signed data against its copy of the user’s public key.

In practice, using public keys for authentication is nice, because it saves the user from having to manage a lot of passwords. A user can use the same key for multiple servers. She can choose to password-protect her key for extra security, or she can use a key with no password for a completely transparent login process.

This lab shows you how to set up a Twisted SSH server to use public key authentication. It uses the same server code as Example 10-1, but with a new authentication backend.

How Do I Do That?

Store a public key for each user. Write a credentials checker that accepts credentials implementing twisted.conch.credentials.ISSHPrivateKey. Verify the user’s credentials by checking to make sure that his public key matches the key you have stored, and that his signature proves that the user possesses the matching private key. Example 10-2 shows how to do this.

Example 10-2. pubkeyssh.py

from sshserver import SSHDemoRealm, getRSAKeys
from twisted.conch import credentials, error from twisted.conch.ssh import keys, factory from twisted.cred import checkers, portal from twisted.python import failure
from zope.interface import implements
import base64

class PublicKeyCredentialsChecker:
    implements(checkers.ICredentialsChecker)
    credentialInterfaces = (credentials.ISSHPrivateKey,)

    def __init__(self, authorizedKeys) :
        self.authorizedKeys = authorizedKeys

    def requestAvatarId(self, credentials):
       
if self.authorizedKeys.has_key(credentials.username):
            userKey = self.authorizedKeys[credentials.username]
            if not credentials.blob == base64.decodestring(userKey):
               
raise failure.failure(
                   error.ConchError("I don’t recognize that key"))
            if not credentials.signature:
               
return failure.Failure(error.ValidPublicKey())
            pubKey = keys.getPublicKeyObject(data=credentials.blob)
            if keys.verifySignature(pubKey, credentials.signature,
                      
credentials.sigData):
                return credentials.username
            else:
                return failure.Failure(
                    error.ConchError("Incorrect signature"))
        else:
            return failure.Failure(error.ConchError("No such user"))

if __name__ == "__main__":
    sshFactory = factory.SSHFactory()
    sshFactory.portal = portal.Portal(SSHDemoRealm())
    authorizedKeys = {
    "admin":

"AAAAB3NzaC1yc2EAAAABIwAAAIEAxIfv4ICpuKFaGA/ r2cJsQjUZsZ4VAsA1c9TXPYEc2Ue1lp78lq0rm/ nQTlK9lg+YEbRxCPcgymaz60cjGspqqoQ35qPiwJ4xg VUeYKfxs+ZSl3YGIODVfsqLYxLl33b6yCnE0bfBjEPmb9P OkL2TA1owlBfTL2+t+Hbx+clDCwE="
   
}
    sshFactory.portal.registerChecker(
        PublicKeyCredentialsChecker(authorizedKeys))

    pubKeyString, privKeyString = getRSAKeys()
    sshFactory.publicKeys = {
        ‘ssh-rsa': keys.getPublicKeyString(data=pubKeyString)}
    sshFactory.privateKeys = {
        ‘ssh-rsa': keys.getPrivateKeyObject(data=privKeyString)}

from twisted.internet import reactor reactor.listenTCP(2222, sshFactory) reactor.run()

To test this example, you’ll need to generate a public key, if you don’t have one already. The OpenSSH SSH implementation that comes with most Linux
distribu tions (and also with Mac OS X) includes a command-line utility named ssh-keygen that you can use to generate a new private/public key pair:

  $ ssh-keygen -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/abe/.ssh/id_rsa):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/abe/.ssh/id_rsa.
  Your public key has been saved in /home/abe/.ssh/id_rsa.pub.
  The key fingerprint is: 
 6b:13:3a:6e:c3:76:50:c7:39:c2:e0:8b:06:68:b4:11 abe@sparky

Windows users can generate keys with PuTTYgen, which is distrib uted along with the popular free PuTTY SSH client (http://www. chiark.greenend.org.uk/~sgtatham/putty/download.html).

Once you’ve generated a key, you can get the public key from the file ~/.ssh/id_rsa.pub. Edit Example 10-2 to use your public key for the admin user in the authorizedKeys dictionary. Then run pubkeyssh.py to start the server on port 2222. You should log right in without being prompted for a password:

  $ ssh admin@localhost -p 2222

  >>> Welcome to my test SSH server.
  Commands: clear echo help quit whoami
  $

If you try to log in as a user who doesn’t possess the matching private key, you’ll be denied access:

  $ ssh admin@localhost -p 2222
  Permission denied (publickey).

How Does That Work?

Example 10-2 reuses most of the SSH server classes from Example 10-1. To support public key authentication, it uses a new credentials checker class named PublicKeyCredentialsChecker. PublicKeyCredentialsChecker accepts credentials imple menting ISSHPrivateKey , which have the attributes username , blob , signature , and sigData . To verify the key, PublicKeyCredentialsChecker goes through three tests. First, it makes sure it has a public key on file for the user username . Next, it verifies that the public key provided in blob matches the public key it has on file for that user.

It’s possible that the user may have provided just the public key at this point, but not a signed token. If the public key was valid, but no signature was provided, PublicKeyCredentialsChecker.requestAvatar raises the special exception twisted.conch.error. ValidPublicKey . The SSH server will understand the meaning of this exception and ask the client for the missing signature.

Finally, the PublicKeyCredentialsChecker uses the function twisted.conch.ssh.keys.verifySignature to check whether the data in signature really is the data in sigData signed with the user’s private key. If verifySignature returns a true value, authentication is successful, and requestAvatarId returns username as the avatar ID.

You can support both username/password and key-based authentication in an SSH server. Just register both credentials checkers with your portal.

{mospagebreak title=Providing an Administrative Python Shell}

Example 10-1 demonstrated how to provide an interactive shell through SSH. That example implemented its own language with a small set of commands. But there’s another kind of shell that you can run over SSH: the same interactive Python prompt you know and love from the command line.

How Do I Do That?

The twisted.conch.manhole and twisted.conch.manhole_ssh modules have classes designed to provide a remote interactive Python shell inside your running server. Create a manhole_ssh.TerminalRealm object and set its chainedProtocolFactory.protocolFactory attribute to a function that will return manhole.Manhole objects. Example 10-3 demonstrates a web server that can be modified on the fly using SSH and twisted.conch.manhole .

Example 10-3. manholeserver.py

from twisted.internet import reactor
from twisted.web import server, resource from twisted.cred import portal, checkers from twisted.conch import manhole, manhole_ssh

class LinksPage(resource.Resource):
    isLeaf = 1

    def __init__(self, links) :
        resource.Resource.__init__(self)
        self.links = links

    def render(self, request):
       
return "<ul>" + "".join([
           
"<li><a href='%s'>%s</a></li>" % (link, title)
           
for title, link in self.links.items()]) + "</ul>"

links = {‘Twisted': ‘http://twistedmatrix.com/’,
        
‘Python': ‘http://python.org’}
site = server.Site(LinksPage(links)) reactor.listenTCP(8000, site)

    def getManholeFactory(namespace, **passwords):
        realm = manhole_ssh.TerminalRealm()
        def getManhole(_): return manhole.Manhole(namespace) 
  realm.chainedProtocolFactory.protocolFactory = getManhole
        p = portal.Portal(realm)
        p.registerChecker(
           
checkers.InMemoryUsernamePassword DatabaseDontUse(**passwords))
        f = manhole_ssh.ConchFactory(p)
        return f

reactor.listenTCP(2222, getManholeFactory(globals(), admin=’aaa’))
reactor.run()

manholeserver.py will start up a web server on port 8000 and an SSH server on port 2222. Figure 10-1 shows what the home page looks like when the server starts.


Figure 10-1.  The default manholeserver.py web page

Now log in using SSH. You’ll get a Python prompt, with full access to all the objects in the server. Try modifying the links dictionary:

  $ ssh admin@localhost -p 2222
  admin@localhost’s password:
aaa

  >>> dir()
  ['LinksPage', '__builtins__', '__doc__', '__file__', '__name_ _', 'checkers',
  'getManholeFactory', 'links', 'manhole', 'manhole_ssh', 'portal', 'reactor',
  'resource', 'server', 'site']
  >>> links
 
{‘Python': ‘http://python.org’, ‘Twisted': ‘http://twistedmatrix.com/’}
  >>> links["Abe Fettig"] = http://fettig.net
  >>> links["O'Reilly"] = http://oreilly.com
  >>> links
  {‘Python': ‘http://python.org’, "O’Reilly": ‘http://oreilly.com’, ‘Twisted': ‘http:// twistedmatrix.com/’, ‘Abe Fettig': ‘http://fettig.net’}
  >>>

Then refresh the home page of the web server. Figure 10-2 shows how your changes will be reflected on the web site.


Figure 10-2.  The modified manholeserver.py web page

How Does That Work?

Example 10-3 defines a function called getManholeFactory that makes running a manhole SSH server trivially easy. getManholeFactory takes an argument called namespace , which is a dictionary defining which Python objects to make available, and then a number of keyword arguments representing usernames and passwords. It constructs a manhole_ssh.TerminalRealm and sets its chainedProtocolFactory.protocolFactory attribute to an anonymous function that returns manhole.Manhole objects for the requested namespace. It then sets up a portal using the realm and a dictionary of usernames and passwords, attaches the portal to a
manhole_ssh.ConchFactory , and returns the factory.

Like its name implies, manhole provides a portal to something that is off-limits to the she is allowed in, she can do anything she wants. You can pass a dictionary of Python objects as namespace only for the sake of convenience (to limit the set of objects the user has to look through), not for security. Only administrative users should have permission to use the manhole server.

Example 10-3 creates a manhole factory using the built-in globals() function, which returns a dictionary of all the objects in the current global namespace. When you log in through SSH, you can see all the global objects in manholeserver.py, including the links dictionary. Because this dictionary is also being used to generate the home page of the web site, any changes you make through SSH are instantly reflected on the Web.

The manhole_ssh.ConchFactory class includes its own default public/private key pair. For your own projects you shouldn’t rely on these built-in keys. Instead, generate your own and set the publicKeys and privateKeys attributes of the ConchFactory . See Example 10-1, earlier in this chapter, for an example of how to do this.

{mospagebreak title=Running Commands on a Remote Server}

This lab demonstrates how to write an SSH client. You can use twisted.conch to communicate with a server using SSH: logging in, executing commands, and
capturing the output.

How Do I Do That?

There are several classes that work together to make up a twisted.conch.ssh SSH client. The transport.SSHClientTransport class sets up the connection and verifies the identity of the server. The userauth.SSHUserAuthClient logs in using your authentication credentials. The connection.SSHConnection class takes over once you’ve logged in, and creates one or more channel.SSHChannel objects, which you then use to communicate with the server over a secure channel. Example 10-4 shows how you can use these classes to make an SSH client that logs into a server, runs a command, and prints the output.

Example 10-4. sshclient.py

from twisted.conch import error
from twisted.conch.ssh import transport, connection, keys, userauth, channel, common from twisted.internet import defer, protocol, reactor

class ClientCommandTransport(transport.SSHClientTransport):
   
def __init__(self, username, password, command) :
        self.username = username
        self.password = password  
        self.command = command

    def verifyHostKey(self, pubKey, fingerprint):
        # in a real app, you should verify that the fingerprint matches
        # the one you expected to get from this server
        return defer.succeed(True)

    def connectionSecure(self):
        self.requestService(
            PasswordAuth(self.username, self.password,
                         ClientConnection(self.command)))

class PasswordAuth(userauth.SSHUserAuthClient):
   
def __init__(self, user, password, connection):
        userauth.SSHUserAuthClient.__init__(self, user, connection)
        self.password = password

    def getPassword(self, prompt=None):
        return defer.succeed(self.password)

class ClientConnection(connection.SSHConnection):
   
def __init__(self, cmd, *args, **kwargs):
        connection.SSHConnection.__init__(self)
        self.command = cmd

    def serviceStarted(self):
        self.openChannel(CommandChannel(self.command, conn=self))

class CommandChannel(channel.SSHChannel):
    name = ‘session’

    def __init__(self, command, *args, **kwargs):
        channel.SSHChannel.__init__(self, *args, **kwargs)
        self.command = command

    def channelOpen(self, data):
       
self.conn.sendRequest(
            self, ‘exec’, common.NS(self.command), wantReply=True).addCallback(
            self._gotResponse)

    def _gotResponse(self, _):
        self.conn.sendEOF(self)

    def dataReceived(self, data):
        print data

    def closed(self):
        reactor.stop()

class ClientCommandFactory(protocol.ClientFactory):
   
def __init__(self, username, password, command):
        self.username = username
        self.password = password
        self.command = command

    def buildProtocol(self, addr):
        protocol = ClientCommandTransport(
            self.username, self.password, self.command)
        return protocol

if __name__ == "__main__":
    import sys, getpass
    server = sys.argv[1]
    command = sys.argv[2]
    username = raw_input("Username: ")
    password = getpass.getpass("Password: ")
    factory = ClientCommandFactory(username, password, command)
    reactor.connectTCP(server, 22, factory)
    reactor.run()

Run sshclient.py with two arguments: a hostname and a command. It will ask for your username and password, log into the server, execute the command, and print the output. For example, you could run the who command to get a list of who’s currently logged in to the server:

  $ python sshclient.py myserver.example.com who
 
Username: abe
 
Password: password

  root     pts/0       Jun 11 21:35 (192.168.0.13)
  phil     pts/2       Jun 22 13:58 (192.168.0.1)
  phil     pts/3       Jun 22 13:58 (192.168.0.1)

How Does That Work?

The ClientCommandTransport in Example 10-4 handles the initial connection to the SSH server. Its verifyHostKey method checks to make sure the server’s public key matches your expectations. Typically, you’d remember each server the first time you connected, and then check on subsequent connections to make sure that another server wasn’t maliciously trying to pass itself off as the server you expected. Here, it just returns a True value without bothering to check the key. The connectionSecure method is called as soon as the initial encrypted connection has been established. This is the appropriate time to send your login credentials, by passing a
userauth.SSHUserAuthClient to self.requestService, along with a connection.SSHConnection object that should manage the connection after authentication succeeds.

The PasswordAuth inherits from userauth.SSHUserAuthClient . It has to implement only a single method, getPassword , which returns the password it will use to log in. If you wanted to use public key authentication, you’d implement the methods getPublicKey and getPrivateKey instead, returning the appropriate key as a string in each case.

The ClientConnection class in Example 10-4 will have its serviceStarted method called as soon as the client has successfully logged in. It calls self.openChannel with a CommandChannel object, which is a subclass of channel.SSHChannel . This object is used to work with an authenticated channel to the SSH server. Its channelOpen method is called when the channel is ready. At this point, you can call self.conn.sendRequest to send a command to the server. You have to encode data sent over SSH as a spe cially formatted network string; to get a string in this format, pass it to the twisted.conch.common.NS function. Set the keyword argument wantReply to True if you’re interested in getting a response from the command; this setting will cause sendRequest to return a Deferred that will be called back when the command is completed. (If you don’t set wantReply to True , sendRequest will return None .) As data is received from the server, it will be passed to dataReceived . Once you’re done using the channel, close it by calling self.conn.sendEOF . The closed method will be called to let you know when the channel has been successfully closed.

[gp-comments width="770" linklove="off" ]

antalya escort bayan antalya escort bayan Antalya escort diyarbakir escort