paramiko.transport

+ 1 # Copyright (C) 2003-2007 Robey Pointer <robey@lag.net> + 2 # + 3 # This file is part of paramiko. + 4 # + 5 # Paramiko is free software; you can redistribute it and/or modify it under the + 6 # terms of the GNU Lesser General Public License as published by the Free + 7 # Software Foundation; either version 2.1 of the License, or (at your option) + 8 # any later version. + 9 # + 10 # Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY + 11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + 12 # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more + 13 # details. + 14 # + 15 # You should have received a copy of the GNU Lesser General Public License + 16 # along with Paramiko; if not, write to the Free Software Foundation, Inc., + 17 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + 18 + 19 """ + 20 L{Transport} handles the core SSH2 protocol. + 21 """ + 22 + 23 import os + 24 import socket + 25 import string + 26 import struct + 27 import sys + 28 import threading + 29 import time + 30 import weakref + 31 + 32 from paramiko import util + 33 from paramiko.auth_handler import AuthHandler + 34 from paramiko.channel import Channel + 35 from paramiko.common import * + 36 from paramiko.compress import ZlibCompressor, ZlibDecompressor + 37 from paramiko.dsskey import DSSKey + 38 from paramiko.kex_gex import KexGex + 39 from paramiko.kex_group1 import KexGroup1 + 40 from paramiko.message import Message + 41 from paramiko.packet import Packetizer, NeedRekeyException + 42 from paramiko.primes import ModulusPack + 43 from paramiko.rsakey import RSAKey + 44 from paramiko.server import ServerInterface + 45 from paramiko.sftp_client import SFTPClient + 46 from paramiko.ssh_exception import SSHException, BadAuthenticationType, ChannelException + 47 + 48 # these come from PyCrypt + 49 # http://www.amk.ca/python/writing/pycrypt/ + 50 # i believe this on the standards track. + 51 # PyCrypt compiled for Win32 can be downloaded from the HashTar homepage: + 52 # http://nitace.bsd.uchicago.edu:8080/hashtar + 53 from Crypto.Cipher import Blowfish, AES, DES3 + 54 from Crypto.Hash import SHA, MD5 + 55 + 56 + 57 # for thread cleanup + 58 _active_threads = [] +

59 -def _join_lingering_threads(): +

60 for thr in _active_threads: + 61 thr.stop_thread() +

62 import atexit + 63 atexit.register(_join_lingering_threads) + 64 + 65 +

66 -class SecurityOptions (object): +

67 """ + 68 Simple object containing the security preferences of an ssh transport. + 69 These are tuples of acceptable ciphers, digests, key types, and key + 70 exchange algorithms, listed in order of preference. + 71 + 72 Changing the contents and/or order of these fields affects the underlying + 73 L{Transport} (but only if you change them before starting the session). + 74 If you try to add an algorithm that paramiko doesn't recognize, + 75 C{ValueError} will be raised. If you try to assign something besides a + 76 tuple to one of the fields, C{TypeError} will be raised. + 77 """ + 78 __slots__ = [ 'ciphers', 'digests', 'key_types', 'kex', 'compression', '_transport' ] + 79 +

80 - def __init__(self, transport): +

81 self._transport = transport +

82 +

83 - def __repr__(self): +

84 """ + 85 Returns a string representation of this object, for debugging. + 86 + 87 @rtype: str + 88 """ + 89 return '<paramiko.SecurityOptions for %s>' % repr(self._transport) +

90 +

91 - def _get_ciphers(self): +

92 return self._transport._preferred_ciphers +

93 +

94 - def _get_digests(self): +

95 return self._transport._preferred_macs +

96 +

97 - def _get_key_types(self): +

98 return self._transport._preferred_keys +

99 +

100 - def _get_kex(self): +

101 return self._transport._preferred_kex +

102 +

103 - def _get_compression(self): +

104 return self._transport._preferred_compression +

105 +

106 - def _set(self, name, orig, x): +

107 if type(x) is list: + 108 x = tuple(x) + 109 if type(x) is not tuple: + 110 raise TypeError('expected tuple or list') + 111 possible = getattr(self._transport, orig).keys() + 112 forbidden = filter(lambda n: n not in possible, x) + 113 if len(forbidden) > 0: + 114 raise ValueError('unknown cipher') + 115 setattr(self._transport, name, x) +

116 +

117 - def _set_ciphers(self, x): +

118 self._set('_preferred_ciphers', '_cipher_info', x) +

119 +

120 - def _set_digests(self, x): +

121 self._set('_preferred_macs', '_mac_info', x) +

122 +

123 - def _set_key_types(self, x): +

124 self._set('_preferred_keys', '_key_info', x) +

125 +

126 - def _set_kex(self, x): +

127 self._set('_preferred_kex', '_kex_info', x) +

128 +

129 - def _set_compression(self, x): +

130 self._set('_preferred_compression', '_compression_info', x) +

131 + 132 ciphers = property(_get_ciphers, _set_ciphers, None, + 133 "Symmetric encryption ciphers") + 134 digests = property(_get_digests, _set_digests, None, + 135 "Digest (one-way hash) algorithms") + 136 key_types = property(_get_key_types, _set_key_types, None, + 137 "Public-key algorithms") + 138 kex = property(_get_kex, _set_kex, None, "Key exchange algorithms") + 139 compression = property(_get_compression, _set_compression, None, + 140 "Compression algorithms") +

141 + 142 +

143 -class ChannelMap (object): +

144 - def __init__(self): +

145 # (id -> Channel) + 146 self._map = weakref.WeakValueDictionary() + 147 self._lock = threading.Lock() +

148 +

149 - def put(self, chanid, chan): +

150 self._lock.acquire() + 151 try: + 152 self._map[chanid] = chan + 153 finally: + 154 self._lock.release() +

155 +

156 - def get(self, chanid): +

157 self._lock.acquire() + 158 try: + 159 return self._map.get(chanid, None) + 160 finally: + 161 self._lock.release() +

162 +

163 - def delete(self, chanid): +

164 self._lock.acquire() + 165 try: + 166 try: + 167 del self._map[chanid] + 168 except KeyError: + 169 pass + 170 finally: + 171 self._lock.release() +

172 +

173 - def values(self): +

174 self._lock.acquire() + 175 try: + 176 return self._map.values() + 177 finally: + 178 self._lock.release() +

179 +

180 - def __len__(self): +

181 self._lock.acquire() + 182 try: + 183 return len(self._map) + 184 finally: + 185 self._lock.release() +

186 + 187 +

188 -class Transport (threading.Thread): +

189 """ + 190 An SSH Transport attaches to a stream (usually a socket), negotiates an + 191 encrypted session, authenticates, and then creates stream tunnels, called + 192 L{Channel}s, across the session. Multiple channels can be multiplexed + 193 across a single session (and often are, in the case of port forwardings). + 194 """ + 195 + 196 _PROTO_ID = '2.0' + 197 _CLIENT_ID = 'paramiko_1.7.4' + 198 + 199 _preferred_ciphers = ( 'aes128-cbc', 'blowfish-cbc', 'aes256-cbc', '3des-cbc' ) + 200 _preferred_macs = ( 'hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96' ) + 201 _preferred_keys = ( 'ssh-rsa', 'ssh-dss' ) + 202 _preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1' ) + 203 _preferred_compression = ( 'none', ) + 204 + 205 _cipher_info = { + 206 'blowfish-cbc': { 'class': Blowfish, 'mode': Blowfish.MODE_CBC, 'block-size': 8, 'key-size': 16 }, + 207 'aes128-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-size': 16, 'key-size': 16 }, + 208 'aes256-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-size': 16, 'key-size': 32 }, + 209 '3des-cbc': { 'class': DES3, 'mode': DES3.MODE_CBC, 'block-size': 8, 'key-size': 24 }, + 210 } + 211 + 212 _mac_info = { + 213 'hmac-sha1': { 'class': SHA, 'size': 20 }, + 214 'hmac-sha1-96': { 'class': SHA, 'size': 12 }, + 215 'hmac-md5': { 'class': MD5, 'size': 16 }, + 216 'hmac-md5-96': { 'class': MD5, 'size': 12 }, + 217 } + 218 + 219 _key_info = { + 220 'ssh-rsa': RSAKey, + 221 'ssh-dss': DSSKey, + 222 } + 223 + 224 _kex_info = { + 225 'diffie-hellman-group1-sha1': KexGroup1, + 226 'diffie-hellman-group-exchange-sha1': KexGex, + 227 } + 228 + 229 _compression_info = { + 230 # zlib@openssh.com is just zlib, but only turned on after a successful + 231 # authentication. openssh servers may only offer this type because + 232 # they've had troubles with security holes in zlib in the past. + 233 'zlib@openssh.com': ( ZlibCompressor, ZlibDecompressor ), + 234 'zlib': ( ZlibCompressor, ZlibDecompressor ), + 235 'none': ( None, None ), + 236 } + 237 + 238 + 239 _modulus_pack = None + 240 +

241 - def __init__(self, sock): +

242 """ + 243 Create a new SSH session over an existing socket, or socket-like + 244 object. This only creates the Transport object; it doesn't begin the + 245 SSH session yet. Use L{connect} or L{start_client} to begin a client + 246 session, or L{start_server} to begin a server session. + 247 + 248 If the object is not actually a socket, it must have the following + 249 methods: + 250 - C{send(str)}: Writes from 1 to C{len(str)} bytes, and + 251 returns an int representing the number of bytes written. Returns + 252 0 or raises C{EOFError} if the stream has been closed. + 253 - C{recv(int)}: Reads from 1 to C{int} bytes and returns them as a + 254 string. Returns 0 or raises C{EOFError} if the stream has been + 255 closed. + 256 - C{close()}: Closes the socket. + 257 - C{settimeout(n)}: Sets a (float) timeout on I/O operations. + 258 + 259 For ease of use, you may also pass in an address (as a tuple) or a host + 260 string as the C{sock} argument. (A host string is a hostname with an + 261 optional port (separated by C{":"}) which will be converted into a + 262 tuple of C{(hostname, port)}.) A socket will be connected to this + 263 address and used for communication. Exceptions from the C{socket} call + 264 may be thrown in this case. + 265 + 266 @param sock: a socket or socket-like object to create the session over. + 267 @type sock: socket + 268 """ + 269 if type(sock) is str: + 270 # convert "host:port" into (host, port) + 271 hl = sock.split(':', 1) + 272 if len(hl) == 1: + 273 sock = (hl[0], 22) + 274 else: + 275 sock = (hl[0], int(hl[1])) + 276 if type(sock) is tuple: + 277 # connect to the given (host, port) + 278 hostname, port = sock + 279 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + 280 sock.connect((hostname, port)) + 281 # okay, normal socket-ish flow here... + 282 threading.Thread.__init__(self) + 283 self.randpool = randpool + 284 self.sock = sock + 285 # Python < 2.3 doesn't have the settimeout method - RogerB + 286 try: + 287 # we set the timeout so we can check self.active periodically to + 288 # see if we should bail. socket.timeout exception is never + 289 # propagated. + 290 self.sock.settimeout(0.1) + 291 except AttributeError: + 292 pass + 293 + 294 # negotiated crypto parameters + 295 self.packetizer = Packetizer(sock) + 296 self.local_version = 'SSH-' + self._PROTO_ID + '-' + self._CLIENT_ID + 297 self.remote_version = '' + 298 self.local_cipher = self.remote_cipher = '' + 299 self.local_kex_init = self.remote_kex_init = None + 300 self.local_mac = self.remote_mac = None + 301 self.local_compression = self.remote_compression = None + 302 self.session_id = None + 303 self.host_key_type = None + 304 self.host_key = None + 305 + 306 # state used during negotiation + 307 self.kex_engine = None + 308 self.H = None + 309 self.K = None + 310 + 311 self.active = False + 312 self.initial_kex_done = False + 313 self.in_kex = False + 314 self.authenticated = False + 315 self._expected_packet = tuple() + 316 self.lock = threading.Lock() # synchronization (always higher level than write_lock) + 317 + 318 # tracking open channels + 319 self._channels = ChannelMap() + 320 self.channel_events = { } # (id -> Event) + 321 self.channels_seen = { } # (id -> True) + 322 self._channel_counter = 1 + 323 self.window_size = 65536 + 324 self.max_packet_size = 34816 + 325 self._x11_handler = None + 326 self._tcp_handler = None + 327 + 328 self.saved_exception = None + 329 self.clear_to_send = threading.Event() + 330 self.clear_to_send_lock = threading.Lock() + 331 self.log_name = 'paramiko.transport' + 332 self.logger = util.get_logger(self.log_name) + 333 self.packetizer.set_log(self.logger) + 334 self.auth_handler = None + 335 self.global_response = None # response Message from an arbitrary global request + 336 self.completion_event = None # user-defined event callbacks + 337 self.banner_timeout = 15 # how long (seconds) to wait for the SSH banner + 338 + 339 # server mode: + 340 self.server_mode = False + 341 self.server_object = None + 342 self.server_key_dict = { } + 343 self.server_accepts = [ ] + 344 self.server_accept_cv = threading.Condition(self.lock) + 345 self.subsystem_table = { } +

346 +

347 - def __repr__(self): +

348 """ + 349 Returns a string representation of this object, for debugging. + 350 + 351 @rtype: str + 352 """ + 353 out = '<paramiko.Transport at %s' % hex(long(id(self)) & 0xffffffffL) + 354 if not self.active: + 355 out += ' (unconnected)' + 356 else: + 357 if self.local_cipher != '': + 358 out += ' (cipher %s, %d bits)' % (self.local_cipher, + 359 self._cipher_info[self.local_cipher]['key-size'] * 8) + 360 if self.is_authenticated(): + 361 out += ' (active; %d open channel(s))' % len(self._channels) + 362 elif self.initial_kex_done: + 363 out += ' (connected; awaiting auth)' + 364 else: + 365 out += ' (connecting)' + 366 out += '>' + 367 return out +

368 +

369 - def atfork(self): +

370 """ + 371 Terminate this Transport without closing the session. On posix + 372 systems, if a Transport is open during process forking, both parent + 373 and child will share the underlying socket, but only one process can + 374 use the connection (without corrupting the session). Use this method + 375 to clean up a Transport object without disrupting the other process. + 376 + 377 @since: 1.5.3 + 378 """ + 379 self.sock.close() + 380 self.close() +

381 +

382 - def get_security_options(self): +

383 """ + 384 Return a L{SecurityOptions} object which can be used to tweak the + 385 encryption algorithms this transport will permit, and the order of + 386 preference for them. + 387 + 388 @return: an object that can be used to change the preferred algorithms + 389 for encryption, digest (hash), public key, and key exchange. + 390 @rtype: L{SecurityOptions} + 391 """ + 392 return SecurityOptions(self) +

393 +

394 - def start_client(self, event=None): +

395 """ + 396 Negotiate a new SSH2 session as a client. This is the first step after + 397 creating a new L{Transport}. A separate thread is created for protocol + 398 negotiation. + 399 + 400 If an event is passed in, this method returns immediately. When + 401 negotiation is done (successful or not), the given C{Event} will + 402 be triggered. On failure, L{is_active} will return C{False}. + 403 + 404 (Since 1.4) If C{event} is C{None}, this method will not return until + 405 negotation is done. On success, the method returns normally. + 406 Otherwise an SSHException is raised. + 407 + 408 After a successful negotiation, you will usually want to authenticate, + 409 calling L{auth_password <Transport.auth_password>} or + 410 L{auth_publickey <Transport.auth_publickey>}. + 411 + 412 @note: L{connect} is a simpler method for connecting as a client. + 413 + 414 @note: After calling this method (or L{start_server} or L{connect}), + 415 you should no longer directly read from or write to the original + 416 socket object. + 417 + 418 @param event: an event to trigger when negotiation is complete + 419 (optional) + 420 @type event: threading.Event + 421 + 422 @raise SSHException: if negotiation fails (and no C{event} was passed + 423 in) + 424 """ + 425 self.active = True + 426 if event is not None: + 427 # async, return immediately and let the app poll for completion + 428 self.completion_event = event + 429 self.start() + 430 return + 431 + 432 # synchronous, wait for a result + 433 self.completion_event = event = threading.Event() + 434 self.start() + 435 while True: + 436 event.wait(0.1) + 437 if not self.active: + 438 e = self.get_exception() + 439 if e is not None: + 440 raise e + 441 raise SSHException('Negotiation failed.') + 442 if event.isSet(): + 443 break +

444 +

445 - def start_server(self, event=None, server=None): +

446 """ + 447 Negotiate a new SSH2 session as a server. This is the first step after + 448 creating a new L{Transport} and setting up your server host key(s). A + 449 separate thread is created for protocol negotiation. + 450 + 451 If an event is passed in, this method returns immediately. When + 452 negotiation is done (successful or not), the given C{Event} will + 453 be triggered. On failure, L{is_active} will return C{False}. + 454 + 455 (Since 1.4) If C{event} is C{None}, this method will not return until + 456 negotation is done. On success, the method returns normally. + 457 Otherwise an SSHException is raised. + 458 + 459 After a successful negotiation, the client will need to authenticate. + 460 Override the methods + 461 L{get_allowed_auths <ServerInterface.get_allowed_auths>}, + 462 L{check_auth_none <ServerInterface.check_auth_none>}, + 463 L{check_auth_password <ServerInterface.check_auth_password>}, and + 464 L{check_auth_publickey <ServerInterface.check_auth_publickey>} in the + 465 given C{server} object to control the authentication process. + 466 + 467 After a successful authentication, the client should request to open + 468 a channel. Override + 469 L{check_channel_request <ServerInterface.check_channel_request>} in the + 470 given C{server} object to allow channels to be opened. + 471 + 472 @note: After calling this method (or L{start_client} or L{connect}), + 473 you should no longer directly read from or write to the original + 474 socket object. + 475 + 476 @param event: an event to trigger when negotiation is complete. + 477 @type event: threading.Event + 478 @param server: an object used to perform authentication and create + 479 L{Channel}s. + 480 @type server: L{server.ServerInterface} + 481 + 482 @raise SSHException: if negotiation fails (and no C{event} was passed + 483 in) + 484 """ + 485 if server is None: + 486 server = ServerInterface() + 487 self.server_mode = True + 488 self.server_object = server + 489 self.active = True + 490 if event is not None: + 491 # async, return immediately and let the app poll for completion + 492 self.completion_event = event + 493 self.start() + 494 return + 495 + 496 # synchronous, wait for a result + 497 self.completion_event = event = threading.Event() + 498 self.start() + 499 while True: + 500 event.wait(0.1) + 501 if not self.active: + 502 e = self.get_exception() + 503 if e is not None: + 504 raise e + 505 raise SSHException('Negotiation failed.') + 506 if event.isSet(): + 507 break +

508 +

509 - def add_server_key(self, key): +

510 """ + 511 Add a host key to the list of keys used for server mode. When behaving + 512 as a server, the host key is used to sign certain packets during the + 513 SSH2 negotiation, so that the client can trust that we are who we say + 514 we are. Because this is used for signing, the key must contain private + 515 key info, not just the public half. Only one key of each type (RSA or + 516 DSS) is kept. + 517 + 518 @param key: the host key to add, usually an L{RSAKey <rsakey.RSAKey>} or + 519 L{DSSKey <dsskey.DSSKey>}. + 520 @type key: L{PKey <pkey.PKey>} + 521 """ + 522 self.server_key_dict[key.get_name()] = key +

523 +

524 - def get_server_key(self): +

525 """ + 526 Return the active host key, in server mode. After negotiating with the + 527 client, this method will return the negotiated host key. If only one + 528 type of host key was set with L{add_server_key}, that's the only key + 529 that will ever be returned. But in cases where you have set more than + 530 one type of host key (for example, an RSA key and a DSS key), the key + 531 type will be negotiated by the client, and this method will return the + 532 key of the type agreed on. If the host key has not been negotiated + 533 yet, C{None} is returned. In client mode, the behavior is undefined. + 534 + 535 @return: host key of the type negotiated by the client, or C{None}. + 536 @rtype: L{PKey <pkey.PKey>} + 537 """ + 538 try: + 539 return self.server_key_dict[self.host_key_type] + 540 except KeyError: + 541 pass + 542 return None +

543 +

544 - def load_server_moduli(filename=None): +

545 """ + 546 I{(optional)} + 547 Load a file of prime moduli for use in doing group-exchange key + 548 negotiation in server mode. It's a rather obscure option and can be + 549 safely ignored. + 550 + 551 In server mode, the remote client may request "group-exchange" key + 552 negotiation, which asks the server to send a random prime number that + 553 fits certain criteria. These primes are pretty difficult to compute, + 554 so they can't be generated on demand. But many systems contain a file + 555 of suitable primes (usually named something like C{/etc/ssh/moduli}). + 556 If you call C{load_server_moduli} and it returns C{True}, then this + 557 file of primes has been loaded and we will support "group-exchange" in + 558 server mode. Otherwise server mode will just claim that it doesn't + 559 support that method of key negotiation. + 560 + 561 @param filename: optional path to the moduli file, if you happen to + 562 know that it's not in a standard location. + 563 @type filename: str + 564 @return: True if a moduli file was successfully loaded; False + 565 otherwise. + 566 @rtype: bool + 567 + 568 @note: This has no effect when used in client mode. + 569 """ + 570 Transport._modulus_pack = ModulusPack(randpool) + 571 # places to look for the openssh "moduli" file + 572 file_list = [ '/etc/ssh/moduli', '/usr/local/etc/moduli' ] + 573 if filename is not None: + 574 file_list.insert(0, filename) + 575 for fn in file_list: + 576 try: + 577 Transport._modulus_pack.read_file(fn) + 578 return True + 579 except IOError: + 580 pass + 581 # none succeeded + 582 Transport._modulus_pack = None + 583 return False +

584 load_server_moduli = staticmethod(load_server_moduli) + 585 +

586 - def close(self): +

587 """ + 588 Close this session, and any open channels that are tied to it. + 589 """ + 590 if not self.active: + 591 return + 592 self.active = False + 593 self.packetizer.close() + 594 self.join() + 595 for chan in self._channels.values(): + 596 chan._unlink() +

597 +

598 - def get_remote_server_key(self): +

599 """ + 600 Return the host key of the server (in client mode). + 601 + 602 @note: Previously this call returned a tuple of (key type, key string). + 603 You can get the same effect by calling + 604 L{PKey.get_name <pkey.PKey.get_name>} for the key type, and + 605 C{str(key)} for the key string. + 606 + 607 @raise SSHException: if no session is currently active. + 608 + 609 @return: public key of the remote server + 610 @rtype: L{PKey <pkey.PKey>} + 611 """ + 612 if (not self.active) or (not self.initial_kex_done): + 613 raise SSHException('No existing session') + 614 return self.host_key +

615 +

616 - def is_active(self): +

617 """ + 618 Return true if this session is active (open). + 619 + 620 @return: True if the session is still active (open); False if the + 621 session is closed + 622 @rtype: bool + 623 """ + 624 return self.active +

625 +

626 - def open_session(self): +

627 """ + 628 Request a new channel to the server, of type C{"session"}. This + 629 is just an alias for C{open_channel('session')}. + 630 + 631 @return: a new L{Channel} + 632 @rtype: L{Channel} + 633 + 634 @raise SSHException: if the request is rejected or the session ends + 635 prematurely + 636 """ + 637 return self.open_channel('session') +

638 +

639 - def open_x11_channel(self, src_addr=None): +

640 """ + 641 Request a new channel to the client, of type C{"x11"}. This + 642 is just an alias for C{open_channel('x11', src_addr=src_addr)}. + 643 + 644 @param src_addr: the source address of the x11 server (port is the + 645 x11 port, ie. 6010) + 646 @type src_addr: (str, int) + 647 @return: a new L{Channel} + 648 @rtype: L{Channel} + 649 + 650 @raise SSHException: if the request is rejected or the session ends + 651 prematurely + 652 """ + 653 return self.open_channel('x11', src_addr=src_addr) +

654 +

655 - def open_forwarded_tcpip_channel(self, (src_addr, src_port), (dest_addr, dest_port)): +

656 """ + 657 Request a new channel back to the client, of type C{"forwarded-tcpip"}. + 658 This is used after a client has requested port forwarding, for sending + 659 incoming connections back to the client. + 660 + 661 @param src_addr: originator's address + 662 @param src_port: originator's port + 663 @param dest_addr: local (server) connected address + 664 @param dest_port: local (server) connected port + 665 """ + 666 return self.open_channel('forwarded-tcpip', (dest_addr, dest_port), (src_addr, src_port)) +

667 +

668 - def open_channel(self, kind, dest_addr=None, src_addr=None): +

669 """ + 670 Request a new channel to the server. L{Channel}s are socket-like + 671 objects used for the actual transfer of data across the session. + 672 You may only request a channel after negotiating encryption (using + 673 L{connect} or L{start_client}) and authenticating. + 674 + 675 @param kind: the kind of channel requested (usually C{"session"}, + 676 C{"forwarded-tcpip"}, C{"direct-tcpip"}, or C{"x11"}) + 677 @type kind: str + 678 @param dest_addr: the destination address of this port forwarding, + 679 if C{kind} is C{"forwarded-tcpip"} or C{"direct-tcpip"} (ignored + 680 for other channel types) + 681 @type dest_addr: (str, int) + 682 @param src_addr: the source address of this port forwarding, if + 683 C{kind} is C{"forwarded-tcpip"}, C{"direct-tcpip"}, or C{"x11"} + 684 @type src_addr: (str, int) + 685 @return: a new L{Channel} on success + 686 @rtype: L{Channel} + 687 + 688 @raise SSHException: if the request is rejected or the session ends + 689 prematurely + 690 """ + 691 chan = None + 692 if not self.active: + 693 # don't bother trying to allocate a channel + 694 return None + 695 self.lock.acquire() + 696 try: + 697 chanid = self._next_channel() + 698 m = Message() + 699 m.add_byte(chr(MSG_CHANNEL_OPEN)) + 700 m.add_string(kind) + 701 m.add_int(chanid) + 702 m.add_int(self.window_size) + 703 m.add_int(self.max_packet_size) + 704 if (kind == 'forwarded-tcpip') or (kind == 'direct-tcpip'): + 705 m.add_string(dest_addr[0]) + 706 m.add_int(dest_addr[1]) + 707 m.add_string(src_addr[0]) + 708 m.add_int(src_addr[1]) + 709 elif kind == 'x11': + 710 m.add_string(src_addr[0]) + 711 m.add_int(src_addr[1]) + 712 chan = Channel(chanid) + 713 self._channels.put(chanid, chan) + 714 self.channel_events[chanid] = event = threading.Event() + 715 self.channels_seen[chanid] = True + 716 chan._set_transport(self) + 717 chan._set_window(self.window_size, self.max_packet_size) + 718 finally: + 719 self.lock.release() + 720 self._send_user_message(m) + 721 while True: + 722 event.wait(0.1); + 723 if not self.active: + 724 e = self.get_exception() + 725 if e is None: + 726 e = SSHException('Unable to open channel.') + 727 raise e + 728 if event.isSet(): + 729 break + 730 chan = self._channels.get(chanid) + 731 if chan is not None: + 732 return chan + 733 e = self.get_exception() + 734 if e is None: + 735 e = SSHException('Unable to open channel.') + 736 raise e +

737 +

738 - def request_port_forward(self, address, port, handler=None): +

739 """ + 740 Ask the server to forward TCP connections from a listening port on + 741 the server, across this SSH session. + 742 + 743 If a handler is given, that handler is called from a different thread + 744 whenever a forwarded connection arrives. The handler parameters are:: + 745 + 746 handler(channel, (origin_addr, origin_port), (server_addr, server_port)) + 747 + 748 where C{server_addr} and C{server_port} are the address and port that + 749 the server was listening on. + 750 + 751 If no handler is set, the default behavior is to send new incoming + 752 forwarded connections into the accept queue, to be picked up via + 753 L{accept}. + 754 + 755 @param address: the address to bind when forwarding + 756 @type address: str + 757 @param port: the port to forward, or 0 to ask the server to allocate + 758 any port + 759 @type port: int + 760 @param handler: optional handler for incoming forwarded connections + 761 @type handler: function(Channel, (str, int), (str, int)) + 762 @return: the port # allocated by the server + 763 @rtype: int + 764 + 765 @raise SSHException: if the server refused the TCP forward request + 766 """ + 767 if not self.active: + 768 raise SSHException('SSH session not active') + 769 address = str(address) + 770 port = int(port) + 771 response = self.global_request('tcpip-forward', (address, port), wait=True) + 772 if response is None: + 773 raise SSHException('TCP forwarding request denied') + 774 if port == 0: + 775 port = response.get_int() + 776 if handler is None: + 777 def default_handler(channel, (src_addr, src_port), (dest_addr, dest_port)): + 778 self._queue_incoming_channel(channel) +

779 handler = default_handler + 780 self._tcp_handler = handler + 781 return port +

782 +

783 - def cancel_port_forward(self, address, port): +

784 """ + 785 Ask the server to cancel a previous port-forwarding request. No more + 786 connections to the given address & port will be forwarded across this + 787 ssh connection. + 788 + 789 @param address: the address to stop forwarding + 790 @type address: str + 791 @param port: the port to stop forwarding + 792 @type port: int + 793 """ + 794 if not self.active: + 795 return + 796 self._tcp_handler = None + 797 self.global_request('cancel-tcpip-forward', (address, port), wait=True) +

798 +

799 - def open_sftp_client(self): +

800 """ + 801 Create an SFTP client channel from an open transport. On success, + 802 an SFTP session will be opened with the remote host, and a new + 803 SFTPClient object will be returned. + 804 + 805 @return: a new L{SFTPClient} object, referring to an sftp session + 806 (channel) across this transport + 807 @rtype: L{SFTPClient} + 808 """ + 809 return SFTPClient.from_transport(self) +

810 +

811 - def send_ignore(self, bytes=None): +

812 """ + 813 Send a junk packet across the encrypted link. This is sometimes used + 814 to add "noise" to a connection to confuse would-be attackers. It can + 815 also be used as a keep-alive for long lived connections traversing + 816 firewalls. + 817 + 818 @param bytes: the number of random bytes to send in the payload of the + 819 ignored packet -- defaults to a random number from 10 to 41. + 820 @type bytes: int + 821 """ + 822 m = Message() + 823 m.add_byte(chr(MSG_IGNORE)) + 824 randpool.stir() + 825 if bytes is None: + 826 bytes = (ord(randpool.get_bytes(1)) % 32) + 10 + 827 m.add_bytes(randpool.get_bytes(bytes)) + 828 self._send_user_message(m) +

829 +

830 - def renegotiate_keys(self): +

831 """ + 832 Force this session to switch to new keys. Normally this is done + 833 automatically after the session hits a certain number of packets or + 834 bytes sent or received, but this method gives you the option of forcing + 835 new keys whenever you want. Negotiating new keys causes a pause in + 836 traffic both ways as the two sides swap keys and do computations. This + 837 method returns when the session has switched to new keys. + 838 + 839 @raise SSHException: if the key renegotiation failed (which causes the + 840 session to end) + 841 """ + 842 self.completion_event = threading.Event() + 843 self._send_kex_init() + 844 while True: + 845 self.completion_event.wait(0.1) + 846 if not self.active: + 847 e = self.get_exception() + 848 if e is not None: + 849 raise e + 850 raise SSHException('Negotiation failed.') + 851 if self.completion_event.isSet(): + 852 break + 853 return +

854 +

855 - def set_keepalive(self, interval): +

856 """ + 857 Turn on/off keepalive packets (default is off). If this is set, after + 858 C{interval} seconds without sending any data over the connection, a + 859 "keepalive" packet will be sent (and ignored by the remote host). This + 860 can be useful to keep connections alive over a NAT, for example. + 861 + 862 @param interval: seconds to wait before sending a keepalive packet (or + 863 0 to disable keepalives). + 864 @type interval: int + 865 """ + 866 self.packetizer.set_keepalive(interval, + 867 lambda x=weakref.proxy(self): x.global_request('keepalive@lag.net', wait=False)) +

868 +

869 - def global_request(self, kind, data=None, wait=True): +

870 """ + 871 Make a global request to the remote host. These are normally + 872 extensions to the SSH2 protocol. + 873 + 874 @param kind: name of the request. + 875 @type kind: str + 876 @param data: an optional tuple containing additional data to attach + 877 to the request. + 878 @type data: tuple + 879 @param wait: C{True} if this method should not return until a response + 880 is received; C{False} otherwise. + 881 @type wait: bool + 882 @return: a L{Message} containing possible additional data if the + 883 request was successful (or an empty L{Message} if C{wait} was + 884 C{False}); C{None} if the request was denied. + 885 @rtype: L{Message} + 886 """ + 887 if wait: + 888 self.completion_event = threading.Event() + 889 m = Message() + 890 m.add_byte(chr(MSG_GLOBAL_REQUEST)) + 891 m.add_string(kind) + 892 m.add_boolean(wait) + 893 if data is not None: + 894 m.add(*data) + 895 self._log(DEBUG, 'Sending global request "%s"' % kind) + 896 self._send_user_message(m) + 897 if not wait: + 898 return None + 899 while True: + 900 self.completion_event.wait(0.1) + 901 if not self.active: + 902 return None + 903 if self.completion_event.isSet(): + 904 break + 905 return self.global_response +

906 +

907 - def accept(self, timeout=None): +

908 """ + 909 Return the next channel opened by the client over this transport, in + 910 server mode. If no channel is opened before the given timeout, C{None} + 911 is returned. + 912 + 913 @param timeout: seconds to wait for a channel, or C{None} to wait + 914 forever + 915 @type timeout: int + 916 @return: a new Channel opened by the client + 917 @rtype: L{Channel} + 918 """ + 919 self.lock.acquire() + 920 try: + 921 if len(self.server_accepts) > 0: + 922 chan = self.server_accepts.pop(0) + 923 else: + 924 self.server_accept_cv.wait(timeout) + 925 if len(self.server_accepts) > 0: + 926 chan = self.server_accepts.pop(0) + 927 else: + 928 # timeout + 929 chan = None + 930 finally: + 931 self.lock.release() + 932 return chan +

933 +

934 - def connect(self, hostkey=None, username='', password=None, pkey=None): +

935 """ + 936 Negotiate an SSH2 session, and optionally verify the server's host key + 937 and authenticate using a password or private key. This is a shortcut + 938 for L{start_client}, L{get_remote_server_key}, and + 939 L{Transport.auth_password} or L{Transport.auth_publickey}. Use those + 940 methods if you want more control. + 941 + 942 You can use this method immediately after creating a Transport to + 943 negotiate encryption with a server. If it fails, an exception will be + 944 thrown. On success, the method will return cleanly, and an encrypted + 945 session exists. You may immediately call L{open_channel} or + 946 L{open_session} to get a L{Channel} object, which is used for data + 947 transfer. + 948 + 949 @note: If you fail to supply a password or private key, this method may + 950 succeed, but a subsequent L{open_channel} or L{open_session} call may + 951 fail because you haven't authenticated yet. + 952 + 953 @param hostkey: the host key expected from the server, or C{None} if + 954 you don't want to do host key verification. + 955 @type hostkey: L{PKey<pkey.PKey>} + 956 @param username: the username to authenticate as. + 957 @type username: str + 958 @param password: a password to use for authentication, if you want to + 959 use password authentication; otherwise C{None}. + 960 @type password: str + 961 @param pkey: a private key to use for authentication, if you want to + 962 use private key authentication; otherwise C{None}. + 963 @type pkey: L{PKey<pkey.PKey>} + 964 + 965 @raise SSHException: if the SSH2 negotiation fails, the host key + 966 supplied by the server is incorrect, or authentication fails. + 967 """ + 968 if hostkey is not None: + 969 self._preferred_keys = [ hostkey.get_name() ] + 970 + 971 self.start_client() + 972 + 973 # check host key if we were given one + 974 if (hostkey is not None): + 975 key = self.get_remote_server_key() + 976 if (key.get_name() != hostkey.get_name()) or (str(key) != str(hostkey)): + 977 self._log(DEBUG, 'Bad host key from server') + 978 self._log(DEBUG, 'Expected: %s: %s' % (hostkey.get_name(), repr(str(hostkey)))) + 979 self._log(DEBUG, 'Got : %s: %s' % (key.get_name(), repr(str(key)))) + 980 raise SSHException('Bad host key from server') + 981 self._log(DEBUG, 'Host key verified (%s)' % hostkey.get_name()) + 982 + 983 if (pkey is not None) or (password is not None): + 984 if password is not None: + 985 self._log(DEBUG, 'Attempting password auth...') + 986 self.auth_password(username, password) + 987 else: + 988 self._log(DEBUG, 'Attempting public-key auth...') + 989 self.auth_publickey(username, pkey) + 990 + 991 return +

992 +

993 - def get_exception(self): +

994 """ + 995 Return any exception that happened during the last server request. + 996 This can be used to fetch more specific error information after using + 997 calls like L{start_client}. The exception (if any) is cleared after + 998 this call. + 999 +1000 @return: an exception, or C{None} if there is no stored exception. +1001 @rtype: Exception +1002 +1003 @since: 1.1 +1004 """ +1005 self.lock.acquire() +1006 try: +1007 e = self.saved_exception +1008 self.saved_exception = None +1009 return e +1010 finally: +1011 self.lock.release() +

1012 +

1013 - def set_subsystem_handler(self, name, handler, *larg, **kwarg): +

1014 """ +1015 Set the handler class for a subsystem in server mode. If a request +1016 for this subsystem is made on an open ssh channel later, this handler +1017 will be constructed and called -- see L{SubsystemHandler} for more +1018 detailed documentation. +1019 +1020 Any extra parameters (including keyword arguments) are saved and +1021 passed to the L{SubsystemHandler} constructor later. +1022 +1023 @param name: name of the subsystem. +1024 @type name: str +1025 @param handler: subclass of L{SubsystemHandler} that handles this +1026 subsystem. +1027 @type handler: class +1028 """ +1029 try: +1030 self.lock.acquire() +1031 self.subsystem_table[name] = (handler, larg, kwarg) +1032 finally: +1033 self.lock.release() +

1034 +

1035 - def is_authenticated(self): +

1036 """ +1037 Return true if this session is active and authenticated. +1038 +1039 @return: True if the session is still open and has been authenticated +1040 successfully; False if authentication failed and/or the session is +1041 closed. +1042 @rtype: bool +1043 """ +1044 return self.active and (self.auth_handler is not None) and self.auth_handler.is_authenticated() +

1045 +

1046 - def get_username(self): +

1047 """ +1048 Return the username this connection is authenticated for. If the +1049 session is not authenticated (or authentication failed), this method +1050 returns C{None}. +1051 +1052 @return: username that was authenticated, or C{None}. +1053 @rtype: string +1054 """ +1055 if not self.active or (self.auth_handler is None): +1056 return None +1057 return self.auth_handler.get_username() +

1058 +

1059 - def auth_none(self, username): +

1060 """ +1061 Try to authenticate to the server using no authentication at all. +1062 This will almost always fail. It may be useful for determining the +1063 list of authentication types supported by the server, by catching the +1064 L{BadAuthenticationType} exception raised. +1065 +1066 @param username: the username to authenticate as +1067 @type username: string +1068 @return: list of auth types permissible for the next stage of +1069 authentication (normally empty) +1070 @rtype: list +1071 +1072 @raise BadAuthenticationType: if "none" authentication isn't allowed +1073 by the server for this user +1074 @raise SSHException: if the authentication failed due to a network +1075 error +1076 +1077 @since: 1.5 +1078 """ +1079 if (not self.active) or (not self.initial_kex_done): +1080 raise SSHException('No existing session') +1081 my_event = threading.Event() +1082 self.auth_handler = AuthHandler(self) +1083 self.auth_handler.auth_none(username, my_event) +1084 return self.auth_handler.wait_for_response(my_event) +

1085 +

1086 - def auth_password(self, username, password, event=None, fallback=True): +

1087 """ +1088 Authenticate to the server using a password. The username and password +1089 are sent over an encrypted link. +1090 +1091 If an C{event} is passed in, this method will return immediately, and +1092 the event will be triggered once authentication succeeds or fails. On +1093 success, L{is_authenticated} will return C{True}. On failure, you may +1094 use L{get_exception} to get more detailed error information. +1095 +1096 Since 1.1, if no event is passed, this method will block until the +1097 authentication succeeds or fails. On failure, an exception is raised. +1098 Otherwise, the method simply returns. +1099 +1100 Since 1.5, if no event is passed and C{fallback} is C{True} (the +1101 default), if the server doesn't support plain password authentication +1102 but does support so-called "keyboard-interactive" mode, an attempt +1103 will be made to authenticate using this interactive mode. If it fails, +1104 the normal exception will be thrown as if the attempt had never been +1105 made. This is useful for some recent Gentoo and Debian distributions, +1106 which turn off plain password authentication in a misguided belief +1107 that interactive authentication is "more secure". (It's not.) +1108 +1109 If the server requires multi-step authentication (which is very rare), +1110 this method will return a list of auth types permissible for the next +1111 step. Otherwise, in the normal case, an empty list is returned. +1112 +1113 @param username: the username to authenticate as +1114 @type username: str +1115 @param password: the password to authenticate with +1116 @type password: str or unicode +1117 @param event: an event to trigger when the authentication attempt is +1118 complete (whether it was successful or not) +1119 @type event: threading.Event +1120 @param fallback: C{True} if an attempt at an automated "interactive" +1121 password auth should be made if the server doesn't support normal +1122 password auth +1123 @type fallback: bool +1124 @return: list of auth types permissible for the next stage of +1125 authentication (normally empty) +1126 @rtype: list +1127 +1128 @raise BadAuthenticationType: if password authentication isn't +1129 allowed by the server for this user (and no event was passed in) +1130 @raise AuthenticationException: if the authentication failed (and no +1131 event was passed in) +1132 @raise SSHException: if there was a network error +1133 """ +1134 if (not self.active) or (not self.initial_kex_done): +1135 # we should never try to send the password unless we're on a secure link +1136 raise SSHException('No existing session') +1137 if event is None: +1138 my_event = threading.Event() +1139 else: +1140 my_event = event +1141 self.auth_handler = AuthHandler(self) +1142 self.auth_handler.auth_password(username, password, my_event) +1143 if event is not None: +1144 # caller wants to wait for event themselves +1145 return [] +1146 try: +1147 return self.auth_handler.wait_for_response(my_event) +1148 except BadAuthenticationType, x: +1149 # if password auth isn't allowed, but keyboard-interactive *is*, try to fudge it +1150 if not fallback or ('keyboard-interactive' not in x.allowed_types): +1151 raise +1152 try: +1153 def handler(title, instructions, fields): +1154 if len(fields) > 1: +1155 raise SSHException('Fallback authentication failed.') +1156 if len(fields) == 0: +1157 # for some reason, at least on os x, a 2nd request will +1158 # be made with zero fields requested. maybe it's just +1159 # to try to fake out automated scripting of the exact +1160 # type we're doing here. *shrug* :) +1161 return [] +1162 return [ password ] +

1163 return self.auth_interactive(username, handler) +1164 except SSHException, ignored: +1165 # attempt failed; just raise the original exception +1166 raise x +1167 return None +1168 +

1169 - def auth_publickey(self, username, key, event=None): +

1170 """ +1171 Authenticate to the server using a private key. The key is used to +1172 sign data from the server, so it must include the private part. +1173 +1174 If an C{event} is passed in, this method will return immediately, and +1175 the event will be triggered once authentication succeeds or fails. On +1176 success, L{is_authenticated} will return C{True}. On failure, you may +1177 use L{get_exception} to get more detailed error information. +1178 +1179 Since 1.1, if no event is passed, this method will block until the +1180 authentication succeeds or fails. On failure, an exception is raised. +1181 Otherwise, the method simply returns. +1182 +1183 If the server requires multi-step authentication (which is very rare), +1184 this method will return a list of auth types permissible for the next +1185 step. Otherwise, in the normal case, an empty list is returned. +1186 +1187 @param username: the username to authenticate as +1188 @type username: string +1189 @param key: the private key to authenticate with +1190 @type key: L{PKey <pkey.PKey>} +1191 @param event: an event to trigger when the authentication attempt is +1192 complete (whether it was successful or not) +1193 @type event: threading.Event +1194 @return: list of auth types permissible for the next stage of +1195 authentication (normally empty) +1196 @rtype: list +1197 +1198 @raise BadAuthenticationType: if public-key authentication isn't +1199 allowed by the server for this user (and no event was passed in) +1200 @raise AuthenticationException: if the authentication failed (and no +1201 event was passed in) +1202 @raise SSHException: if there was a network error +1203 """ +1204 if (not self.active) or (not self.initial_kex_done): +1205 # we should never try to authenticate unless we're on a secure link +1206 raise SSHException('No existing session') +1207 if event is None: +1208 my_event = threading.Event() +1209 else: +1210 my_event = event +1211 self.auth_handler = AuthHandler(self) +1212 self.auth_handler.auth_publickey(username, key, my_event) +1213 if event is not None: +1214 # caller wants to wait for event themselves +1215 return [] +1216 return self.auth_handler.wait_for_response(my_event) +

1217 +

1218 - def auth_interactive(self, username, handler, submethods=''): +

1219 """ +1220 Authenticate to the server interactively. A handler is used to answer +1221 arbitrary questions from the server. On many servers, this is just a +1222 dumb wrapper around PAM. +1223 +1224 This method will block until the authentication succeeds or fails, +1225 peroidically calling the handler asynchronously to get answers to +1226 authentication questions. The handler may be called more than once +1227 if the server continues to ask questions. +1228 +1229 The handler is expected to be a callable that will handle calls of the +1230 form: C{handler(title, instructions, prompt_list)}. The C{title} is +1231 meant to be a dialog-window title, and the C{instructions} are user +1232 instructions (both are strings). C{prompt_list} will be a list of +1233 prompts, each prompt being a tuple of C{(str, bool)}. The string is +1234 the prompt and the boolean indicates whether the user text should be +1235 echoed. +1236 +1237 A sample call would thus be: +1238 C{handler('title', 'instructions', [('Password:', False)])}. +1239 +1240 The handler should return a list or tuple of answers to the server's +1241 questions. +1242 +1243 If the server requires multi-step authentication (which is very rare), +1244 this method will return a list of auth types permissible for the next +1245 step. Otherwise, in the normal case, an empty list is returned. +1246 +1247 @param username: the username to authenticate as +1248 @type username: string +1249 @param handler: a handler for responding to server questions +1250 @type handler: callable +1251 @param submethods: a string list of desired submethods (optional) +1252 @type submethods: str +1253 @return: list of auth types permissible for the next stage of +1254 authentication (normally empty). +1255 @rtype: list +1256 +1257 @raise BadAuthenticationType: if public-key authentication isn't +1258 allowed by the server for this user +1259 @raise AuthenticationException: if the authentication failed +1260 @raise SSHException: if there was a network error +1261 +1262 @since: 1.5 +1263 """ +1264 if (not self.active) or (not self.initial_kex_done): +1265 # we should never try to authenticate unless we're on a secure link +1266 raise SSHException('No existing session') +1267 my_event = threading.Event() +1268 self.auth_handler = AuthHandler(self) +1269 self.auth_handler.auth_interactive(username, handler, my_event, submethods) +1270 return self.auth_handler.wait_for_response(my_event) +

1271 +

1272 - def set_log_channel(self, name): +

1273 """ +1274 Set the channel for this transport's logging. The default is +1275 C{"paramiko.transport"} but it can be set to anything you want. +1276 (See the C{logging} module for more info.) SSH Channels will log +1277 to a sub-channel of the one specified. +1278 +1279 @param name: new channel name for logging +1280 @type name: str +1281 +1282 @since: 1.1 +1283 """ +1284 self.log_name = name +1285 self.logger = util.get_logger(name) +1286 self.packetizer.set_log(self.logger) +

1287 +

1288 - def get_log_channel(self): +

1289 """ +1290 Return the channel name used for this transport's logging. +1291 +1292 @return: channel name. +1293 @rtype: str +1294 +1295 @since: 1.2 +1296 """ +1297 return self.log_name +

1298 +

1299 - def set_hexdump(self, hexdump): +

1300 """ +1301 Turn on/off logging a hex dump of protocol traffic at DEBUG level in +1302 the logs. Normally you would want this off (which is the default), +1303 but if you are debugging something, it may be useful. +1304 +1305 @param hexdump: C{True} to log protocol traffix (in hex) to the log; +1306 C{False} otherwise. +1307 @type hexdump: bool +1308 """ +1309 self.packetizer.set_hexdump(hexdump) +

1310 +

1311 - def get_hexdump(self): +

1312 """ +1313 Return C{True} if the transport is currently logging hex dumps of +1314 protocol traffic. +1315 +1316 @return: C{True} if hex dumps are being logged +1317 @rtype: bool +1318 +1319 @since: 1.4 +1320 """ +1321 return self.packetizer.get_hexdump() +

1322 +

1323 - def use_compression(self, compress=True): +

1324 """ +1325 Turn on/off compression. This will only have an affect before starting +1326 the transport (ie before calling L{connect}, etc). By default, +1327 compression is off since it negatively affects interactive sessions. +1328 +1329 @param compress: C{True} to ask the remote client/server to compress +1330 traffic; C{False} to refuse compression +1331 @type compress: bool +1332 +1333 @since: 1.5.2 +1334 """ +1335 if compress: +1336 self._preferred_compression = ( 'zlib@openssh.com', 'zlib', 'none' ) +1337 else: +1338 self._preferred_compression = ( 'none', ) +

1339 +

1340 - def getpeername(self): +

1341 """ +1342 Return the address of the remote side of this Transport, if possible. +1343 This is effectively a wrapper around C{'getpeername'} on the underlying +1344 socket. If the socket-like object has no C{'getpeername'} method, +1345 then C{("unknown", 0)} is returned. +1346 +1347 @return: the address if the remote host, if known +1348 @rtype: tuple(str, int) +1349 """ +1350 gp = getattr(self.sock, 'getpeername', None) +1351 if gp is None: +1352 return ('unknown', 0) +1353 return gp() +

1354 +

1355 - def stop_thread(self): +

1356 self.active = False +1357 self.packetizer.close() +

1358 +1359 +1360 ### internals... +1361 +1362 +

1363 - def _log(self, level, msg, *args): +

1364 if issubclass(type(msg), list): +1365 for m in msg: +1366 self.logger.log(level, m) +1367 else: +1368 self.logger.log(level, msg, *args) +

1369 +

1370 - def _get_modulus_pack(self): +

1371 "used by KexGex to find primes for group exchange" +1372 return self._modulus_pack +

1373 +

1374 - def _next_channel(self): +

1375 "you are holding the lock" +1376 chanid = self._channel_counter +1377 while self._channels.get(chanid) is not None: +1378 self._channel_counter = (self._channel_counter + 1) & 0xffffff +1379 chanid = self._channel_counter +1380 self._channel_counter = (self._channel_counter + 1) & 0xffffff +1381 return chanid +

1382 +

1383 - def _unlink_channel(self, chanid): +

1384 "used by a Channel to remove itself from the active channel list" +1385 self._channels.delete(chanid) +

1386 +

1387 - def _send_message(self, data): +

1388 self.packetizer.send_message(data) +

1389 +

1390 - def _send_user_message(self, data): +

1391 """ +1392 send a message, but block if we're in key negotiation. this is used +1393 for user-initiated requests. +1394 """ +1395 while True: +1396 self.clear_to_send.wait(0.1) +1397 if not self.active: +1398 self._log(DEBUG, 'Dropping user packet because connection is dead.') +1399 return +1400 self.clear_to_send_lock.acquire() +1401 if self.clear_to_send.isSet(): +1402 break +1403 self.clear_to_send_lock.release() +1404 try: +1405 self._send_message(data) +1406 finally: +1407 self.clear_to_send_lock.release() +

1408 +

1409 - def _set_K_H(self, k, h): +

1410 "used by a kex object to set the K (root key) and H (exchange hash)" +1411 self.K = k +1412 self.H = h +1413 if self.session_id == None: +1414 self.session_id = h +

1415 +

1416 - def _expect_packet(self, *ptypes): +

1417 "used by a kex object to register the next packet type it expects to see" +1418 self._expected_packet = tuple(ptypes) +

1419 +

1420 - def _verify_key(self, host_key, sig): +

1421 key = self._key_info[self.host_key_type](Message(host_key)) +1422 if key is None: +1423 raise SSHException('Unknown host key type') +1424 if not key.verify_ssh_sig(self.H, Message(sig)): +1425 raise SSHException('Signature verification (%s) failed. Boo. Robey should debug this.' % self.host_key_type) +1426 self.host_key = key +

1427 +

1428 - def _compute_key(self, id, nbytes): +

1429 "id is 'A' - 'F' for the various keys used by ssh" +1430 m = Message() +1431 m.add_mpint(self.K) +1432 m.add_bytes(self.H) +1433 m.add_byte(id) +1434 m.add_bytes(self.session_id) +1435 out = sofar = SHA.new(str(m)).digest() +1436 while len(out) < nbytes: +1437 m = Message() +1438 m.add_mpint(self.K) +1439 m.add_bytes(self.H) +1440 m.add_bytes(sofar) +1441 digest = SHA.new(str(m)).digest() +1442 out += digest +1443 sofar += digest +1444 return out[:nbytes] +

1445 +

1446 - def _get_cipher(self, name, key, iv): +

1447 if name not in self._cipher_info: +1448 raise SSHException('Unknown client cipher ' + name) +1449 return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv) +

1450 +

1451 - def _set_x11_handler(self, handler): +

1452 # only called if a channel has turned on x11 forwarding +1453 if handler is None: +1454 # by default, use the same mechanism as accept() +1455 def default_handler(channel, (src_addr, src_port)): +1456 self._queue_incoming_channel(channel) +

1457 self._x11_handler = default_handler +1458 else: +1459 self._x11_handler = handler +1460 +

1461 - def _queue_incoming_channel(self, channel): +

1462 self.lock.acquire() +1463 try: +1464 self.server_accepts.append(channel) +1465 self.server_accept_cv.notify() +1466 finally: +1467 self.lock.release() +

1468 +

1469 - def run(self): +

1470 # (use the exposed "run" method, because if we specify a thread target +1471 # of a private method, threading.Thread will keep a reference to it +1472 # indefinitely, creating a GC cycle and not letting Transport ever be +1473 # GC'd. it's a bug in Thread.) +1474 +1475 # active=True occurs before the thread is launched, to avoid a race +1476 _active_threads.append(self) +1477 if self.server_mode: +1478 self._log(DEBUG, 'starting thread (server mode): %s' % hex(long(id(self)) & 0xffffffffL)) +1479 else: +1480 self._log(DEBUG, 'starting thread (client mode): %s' % hex(long(id(self)) & 0xffffffffL)) +1481 try: +1482 self.packetizer.write_all(self.local_version + '\r\n') +1483 self._check_banner() +1484 self._send_kex_init() +1485 self._expect_packet(MSG_KEXINIT) +1486 +1487 while self.active: +1488 if self.packetizer.need_rekey() and not self.in_kex: +1489 self._send_kex_init() +1490 try: +1491 ptype, m = self.packetizer.read_message() +1492 except NeedRekeyException: +1493 continue +1494 if ptype == MSG_IGNORE: +1495 continue +1496 elif ptype == MSG_DISCONNECT: +1497 self._parse_disconnect(m) +1498 self.active = False +1499 self.packetizer.close() +1500 break +1501 elif ptype == MSG_DEBUG: +1502 self._parse_debug(m) +1503 continue +1504 if len(self._expected_packet) > 0: +1505 if ptype not in self._expected_packet: +1506 raise SSHException('Expecting packet from %r, got %d' % (self._expected_packet, ptype)) +1507 self._expected_packet = tuple() +1508 if (ptype >= 30) and (ptype <= 39): +1509 self.kex_engine.parse_next(ptype, m) +1510 continue +1511 +1512 if ptype in self._handler_table: +1513 self._handler_table[ptype](self, m) +1514 elif ptype in self._channel_handler_table: +1515 chanid = m.get_int() +1516 chan = self._channels.get(chanid) +1517 if chan is not None: +1518 self._channel_handler_table[ptype](chan, m) +1519 elif chanid in self.channels_seen: +1520 self._log(DEBUG, 'Ignoring message for dead channel %d' % chanid) +1521 else: +1522 self._log(ERROR, 'Channel request for unknown channel %d' % chanid) +1523 self.active = False +1524 self.packetizer.close() +1525 elif (self.auth_handler is not None) and (ptype in self.auth_handler._handler_table): +1526 self.auth_handler._handler_table[ptype](self.auth_handler, m) +1527 else: +1528 self._log(WARNING, 'Oops, unhandled type %d' % ptype) +1529 msg = Message() +1530 msg.add_byte(chr(MSG_UNIMPLEMENTED)) +1531 msg.add_int(m.seqno) +1532 self._send_message(msg) +1533 except SSHException, e: +1534 self._log(ERROR, 'Exception: ' + str(e)) +1535 self._log(ERROR, util.tb_strings()) +1536 self.saved_exception = e +1537 except EOFError, e: +1538 self._log(DEBUG, 'EOF in transport thread') +1539 #self._log(DEBUG, util.tb_strings()) +1540 self.saved_exception = e +1541 except socket.error, e: +1542 if type(e.args) is tuple: +1543 emsg = '%s (%d)' % (e.args[1], e.args[0]) +1544 else: +1545 emsg = e.args +1546 self._log(ERROR, 'Socket exception: ' + emsg) +1547 self.saved_exception = e +1548 except Exception, e: +1549 self._log(ERROR, 'Unknown exception: ' + str(e)) +1550 self._log(ERROR, util.tb_strings()) +1551 self.saved_exception = e +1552 _active_threads.remove(self) +1553 for chan in self._channels.values(): +1554 chan._unlink() +1555 if self.active: +1556 self.active = False +1557 self.packetizer.close() +1558 if self.completion_event != None: +1559 self.completion_event.set() +1560 if self.auth_handler is not None: +1561 self.auth_handler.abort() +1562 for event in self.channel_events.values(): +1563 event.set() +1564 try: +1565 self.lock.acquire() +1566 self.server_accept_cv.notify() +1567 finally: +1568 self.lock.release() +1569 self.sock.close() +

1570 +1571 +1572 ### protocol stages +1573 +1574 +

1575 - def _negotiate_keys(self, m): +

1576 # throws SSHException on anything unusual +1577 self.clear_to_send_lock.acquire() +1578 try: +1579 self.clear_to_send.clear() +1580 finally: +1581 self.clear_to_send_lock.release() +1582 if self.local_kex_init == None: +1583 # remote side wants to renegotiate +1584 self._send_kex_init() +1585 self._parse_kex_init(m) +1586 self.kex_engine.start_kex() +

1587 +

1588 - def _check_banner(self): +

1589 # this is slow, but we only have to do it once +1590 for i in range(5): +1591 # give them 15 seconds for the first line, then just 2 seconds +1592 # each additional line. (some sites have very high latency.) +1593 if i == 0: +1594 timeout = self.banner_timeout +1595 else: +1596 timeout = 2 +1597 try: +1598 buf = self.packetizer.readline(timeout) +1599 except Exception, x: +1600 raise SSHException('Error reading SSH protocol banner' + str(x)) +1601 if buf[:4] == 'SSH-': +1602 break +1603 self._log(DEBUG, 'Banner: ' + buf) +1604 if buf[:4] != 'SSH-': +1605 raise SSHException('Indecipherable protocol version "' + buf + '"') +1606 # save this server version string for later +1607 self.remote_version = buf +1608 # pull off any attached comment +1609 comment = '' +1610 i = string.find(buf, ' ') +1611 if i >= 0: +1612 comment = buf[i+1:] +1613 buf = buf[:i] +1614 # parse out version string and make sure it matches +1615 segs = buf.split('-', 2) +1616 if len(segs) < 3: +1617 raise SSHException('Invalid SSH banner') +1618 version = segs[1] +1619 client = segs[2] +1620 if version != '1.99' and version != '2.0': +1621 raise SSHException('Incompatible version (%s instead of 2.0)' % (version,)) +1622 self._log(INFO, 'Connected (version %s, client %s)' % (version, client)) +

1623 +

1624 - def _send_kex_init(self): +

1625 """ +1626 announce to the other side that we'd like to negotiate keys, and what +1627 kind of key negotiation we support. +1628 """ +1629 self.clear_to_send_lock.acquire() +1630 try: +1631 self.clear_to_send.clear() +1632 finally: +1633 self.clear_to_send_lock.release() +1634 self.in_kex = True +1635 if self.server_mode: +1636 if (self._modulus_pack is None) and ('diffie-hellman-group-exchange-sha1' in self._preferred_kex): +1637 # can't do group-exchange if we don't have a pack of potential primes +1638 pkex = list(self.get_security_options().kex) +1639 pkex.remove('diffie-hellman-group-exchange-sha1') +1640 self.get_security_options().kex = pkex +1641 available_server_keys = filter(self.server_key_dict.keys().__contains__, +1642 self._preferred_keys) +1643 else: +1644 available_server_keys = self._preferred_keys +1645 +1646 randpool.stir() +1647 m = Message() +1648 m.add_byte(chr(MSG_KEXINIT)) +1649 m.add_bytes(randpool.get_bytes(16)) +1650 m.add_list(self._preferred_kex) +1651 m.add_list(available_server_keys) +1652 m.add_list(self._preferred_ciphers) +1653 m.add_list(self._preferred_ciphers) +1654 m.add_list(self._preferred_macs) +1655 m.add_list(self._preferred_macs) +1656 m.add_list(self._preferred_compression) +1657 m.add_list(self._preferred_compression) +1658 m.add_string('') +1659 m.add_string('') +1660 m.add_boolean(False) +1661 m.add_int(0) +1662 # save a copy for later (needed to compute a hash) +1663 self.local_kex_init = str(m) +1664 self._send_message(m) +

1665 +

1666 - def _parse_kex_init(self, m): +

1667 cookie = m.get_bytes(16) +1668 kex_algo_list = m.get_list() +1669 server_key_algo_list = m.get_list() +1670 client_encrypt_algo_list = m.get_list() +1671 server_encrypt_algo_list = m.get_list() +1672 client_mac_algo_list = m.get_list() +1673 server_mac_algo_list = m.get_list() +1674 client_compress_algo_list = m.get_list() +1675 server_compress_algo_list = m.get_list() +1676 client_lang_list = m.get_list() +1677 server_lang_list = m.get_list() +1678 kex_follows = m.get_boolean() +1679 unused = m.get_int() +1680 +1681 self._log(DEBUG, 'kex algos:' + str(kex_algo_list) + ' server key:' + str(server_key_algo_list) + \ +1682 ' client encrypt:' + str(client_encrypt_algo_list) + \ +1683 ' server encrypt:' + str(server_encrypt_algo_list) + \ +1684 ' client mac:' + str(client_mac_algo_list) + \ +1685 ' server mac:' + str(server_mac_algo_list) + \ +1686 ' client compress:' + str(client_compress_algo_list) + \ +1687 ' server compress:' + str(server_compress_algo_list) + \ +1688 ' client lang:' + str(client_lang_list) + \ +1689 ' server lang:' + str(server_lang_list) + \ +1690 ' kex follows?' + str(kex_follows)) +1691 +1692 # as a server, we pick the first item in the client's list that we support. +1693 # as a client, we pick the first item in our list that the server supports. +1694 if self.server_mode: +1695 agreed_kex = filter(self._preferred_kex.__contains__, kex_algo_list) +1696 else: +1697 agreed_kex = filter(kex_algo_list.__contains__, self._preferred_kex) +1698 if len(agreed_kex) == 0: +1699 raise SSHException('Incompatible ssh peer (no acceptable kex algorithm)') +1700 self.kex_engine = self._kex_info[agreed_kex[0]](self) +1701 +1702 if self.server_mode: +1703 available_server_keys = filter(self.server_key_dict.keys().__contains__, +1704 self._preferred_keys) +1705 agreed_keys = filter(available_server_keys.__contains__, server_key_algo_list) +1706 else: +1707 agreed_keys = filter(server_key_algo_list.__contains__, self._preferred_keys) +1708 if len(agreed_keys) == 0: +1709 raise SSHException('Incompatible ssh peer (no acceptable host key)') +1710 self.host_key_type = agreed_keys[0] +1711 if self.server_mode and (self.get_server_key() is None): +1712 raise SSHException('Incompatible ssh peer (can\'t match requested host key type)') +1713 +1714 if self.server_mode: +1715 agreed_local_ciphers = filter(self._preferred_ciphers.__contains__, +1716 server_encrypt_algo_list) +1717 agreed_remote_ciphers = filter(self._preferred_ciphers.__contains__, +1718 client_encrypt_algo_list) +1719 else: +1720 agreed_local_ciphers = filter(client_encrypt_algo_list.__contains__, +1721 self._preferred_ciphers) +1722 agreed_remote_ciphers = filter(server_encrypt_algo_list.__contains__, +1723 self._preferred_ciphers) +1724 if (len(agreed_local_ciphers) == 0) or (len(agreed_remote_ciphers) == 0): +1725 raise SSHException('Incompatible ssh server (no acceptable ciphers)') +1726 self.local_cipher = agreed_local_ciphers[0] +1727 self.remote_cipher = agreed_remote_ciphers[0] +1728 self._log(DEBUG, 'Ciphers agreed: local=%s, remote=%s' % (self.local_cipher, self.remote_cipher)) +1729 +1730 if self.server_mode: +1731 agreed_remote_macs = filter(self._preferred_macs.__contains__, client_mac_algo_list) +1732 agreed_local_macs = filter(self._preferred_macs.__contains__, server_mac_algo_list) +1733 else: +1734 agreed_local_macs = filter(client_mac_algo_list.__contains__, self._preferred_macs) +1735 agreed_remote_macs = filter(server_mac_algo_list.__contains__, self._preferred_macs) +1736 if (len(agreed_local_macs) == 0) or (len(agreed_remote_macs) == 0): +1737 raise SSHException('Incompatible ssh server (no acceptable macs)') +1738 self.local_mac = agreed_local_macs[0] +1739 self.remote_mac = agreed_remote_macs[0] +1740 +1741 if self.server_mode: +1742 agreed_remote_compression = filter(self._preferred_compression.__contains__, client_compress_algo_list) +1743 agreed_local_compression = filter(self._preferred_compression.__contains__, server_compress_algo_list) +1744 else: +1745 agreed_local_compression = filter(client_compress_algo_list.__contains__, self._preferred_compression) +1746 agreed_remote_compression = filter(server_compress_algo_list.__contains__, self._preferred_compression) +1747 if (len(agreed_local_compression) == 0) or (len(agreed_remote_compression) == 0): +1748 raise SSHException('Incompatible ssh server (no acceptable compression) %r %r %r' % (agreed_local_compression, agreed_remote_compression, self._preferred_compression)) +1749 self.local_compression = agreed_local_compression[0] +1750 self.remote_compression = agreed_remote_compression[0] +1751 +1752 self._log(DEBUG, 'using kex %s; server key type %s; cipher: local %s, remote %s; mac: local %s, remote %s; compression: local %s, remote %s' % +1753 (agreed_kex[0], self.host_key_type, self.local_cipher, self.remote_cipher, self.local_mac, +1754 self.remote_mac, self.local_compression, self.remote_compression)) +1755 +1756 # save for computing hash later... +1757 # now wait! openssh has a bug (and others might too) where there are +1758 # actually some extra bytes (one NUL byte in openssh's case) added to +1759 # the end of the packet but not parsed. turns out we need to throw +1760 # away those bytes because they aren't part of the hash. +1761 self.remote_kex_init = chr(MSG_KEXINIT) + m.get_so_far() +

1762 +

1763 - def _activate_inbound(self): +

1764 "switch on newly negotiated encryption parameters for inbound traffic" +1765 block_size = self._cipher_info[self.remote_cipher]['block-size'] +1766 if self.server_mode: +1767 IV_in = self._compute_key('A', block_size) +1768 key_in = self._compute_key('C', self._cipher_info[self.remote_cipher]['key-size']) +1769 else: +1770 IV_in = self._compute_key('B', block_size) +1771 key_in = self._compute_key('D', self._cipher_info[self.remote_cipher]['key-size']) +1772 engine = self._get_cipher(self.remote_cipher, key_in, IV_in) +1773 mac_size = self._mac_info[self.remote_mac]['size'] +1774 mac_engine = self._mac_info[self.remote_mac]['class'] +1775 # initial mac keys are done in the hash's natural size (not the potentially truncated +1776 # transmission size) +1777 if self.server_mode: +1778 mac_key = self._compute_key('E', mac_engine.digest_size) +1779 else: +1780 mac_key = self._compute_key('F', mac_engine.digest_size) +1781 self.packetizer.set_inbound_cipher(engine, block_size, mac_engine, mac_size, mac_key) +1782 compress_in = self._compression_info[self.remote_compression][1] +1783 if (compress_in is not None) and ((self.remote_compression != 'zlib@openssh.com') or self.authenticated): +1784 self._log(DEBUG, 'Switching on inbound compression ...') +1785 self.packetizer.set_inbound_compressor(compress_in()) +

1786 +

1787 - def _activate_outbound(self): +

1788 "switch on newly negotiated encryption parameters for outbound traffic" +1789 m = Message() +1790 m.add_byte(chr(MSG_NEWKEYS)) +1791 self._send_message(m) +1792 block_size = self._cipher_info[self.local_cipher]['block-size'] +1793 if self.server_mode: +1794 IV_out = self._compute_key('B', block_size) +1795 key_out = self._compute_key('D', self._cipher_info[self.local_cipher]['key-size']) +1796 else: +1797 IV_out = self._compute_key('A', block_size) +1798 key_out = self._compute_key('C', self._cipher_info[self.local_cipher]['key-size']) +1799 engine = self._get_cipher(self.local_cipher, key_out, IV_out) +1800 mac_size = self._mac_info[self.local_mac]['size'] +1801 mac_engine = self._mac_info[self.local_mac]['class'] +1802 # initial mac keys are done in the hash's natural size (not the potentially truncated +1803 # transmission size) +1804 if self.server_mode: +1805 mac_key = self._compute_key('F', mac_engine.digest_size) +1806 else: +1807 mac_key = self._compute_key('E', mac_engine.digest_size) +1808 self.packetizer.set_outbound_cipher(engine, block_size, mac_engine, mac_size, mac_key) +1809 compress_out = self._compression_info[self.local_compression][0] +1810 if (compress_out is not None) and ((self.local_compression != 'zlib@openssh.com') or self.authenticated): +1811 self._log(DEBUG, 'Switching on outbound compression ...') +1812 self.packetizer.set_outbound_compressor(compress_out()) +1813 if not self.packetizer.need_rekey(): +1814 self.in_kex = False +1815 # we always expect to receive NEWKEYS now +1816 self._expect_packet(MSG_NEWKEYS) +

1817 +

1818 - def _auth_trigger(self): +

1819 self.authenticated = True +1820 # delayed initiation of compression +1821 if self.local_compression == 'zlib@openssh.com': +1822 compress_out = self._compression_info[self.local_compression][0] +1823 self._log(DEBUG, 'Switching on outbound compression ...') +1824 self.packetizer.set_outbound_compressor(compress_out()) +1825 if self.remote_compression == 'zlib@openssh.com': +1826 compress_in = self._compression_info[self.remote_compression][1] +1827 self._log(DEBUG, 'Switching on inbound compression ...') +1828 self.packetizer.set_inbound_compressor(compress_in()) +

1829 +

1830 - def _parse_newkeys(self, m): +

1831 self._log(DEBUG, 'Switch to new keys ...') +1832 self._activate_inbound() +1833 # can also free a bunch of stuff here +1834 self.local_kex_init = self.remote_kex_init = None +1835 self.K = None +1836 self.kex_engine = None +1837 if self.server_mode and (self.auth_handler is None): +1838 # create auth handler for server mode +1839 self.auth_handler = AuthHandler(self) +1840 if not self.initial_kex_done: +1841 # this was the first key exchange +1842 self.initial_kex_done = True +1843 # send an event? +1844 if self.completion_event != None: +1845 self.completion_event.set() +1846 # it's now okay to send data again (if this was a re-key) +1847 if not self.packetizer.need_rekey(): +1848 self.in_kex = False +1849 self.clear_to_send_lock.acquire() +1850 try: +1851 self.clear_to_send.set() +1852 finally: +1853 self.clear_to_send_lock.release() +1854 return +

1855 +

1856 - def _parse_disconnect(self, m): +

1857 code = m.get_int() +1858 desc = m.get_string() +1859 self._log(INFO, 'Disconnect (code %d): %s' % (code, desc)) +

1860 +

1861 - def _parse_global_request(self, m): +

1862 kind = m.get_string() +1863 self._log(DEBUG, 'Received global request "%s"' % kind) +1864 want_reply = m.get_boolean() +1865 if not self.server_mode: +1866 self._log(DEBUG, 'Rejecting "%s" global request from server.' % kind) +1867 ok = False +1868 elif kind == 'tcpip-forward': +1869 address = m.get_string() +1870 port = m.get_int() +1871 ok = self.server_object.check_port_forward_request(address, port) +1872 if ok != False: +1873 ok = (ok,) +1874 elif kind == 'cancel-tcpip-forward': +1875 address = m.get_string() +1876 port = m.get_int() +1877 self.server_object.cancel_port_forward_request(address, port) +1878 ok = True +1879 else: +1880 ok = self.server_object.check_global_request(kind, m) +1881 extra = () +1882 if type(ok) is tuple: +1883 extra = ok +1884 ok = True +1885 if want_reply: +1886 msg = Message() +1887 if ok: +1888 msg.add_byte(chr(MSG_REQUEST_SUCCESS)) +1889 msg.add(*extra) +1890 else: +1891 msg.add_byte(chr(MSG_REQUEST_FAILURE)) +1892 self._send_message(msg) +

1893 +

1894 - def _parse_request_success(self, m): +

1895 self._log(DEBUG, 'Global request successful.') +1896 self.global_response = m +1897 if self.completion_event is not None: +1898 self.completion_event.set() +

1899 +

1900 - def _parse_request_failure(self, m): +

1901 self._log(DEBUG, 'Global request denied.') +1902 self.global_response = None +1903 if self.completion_event is not None: +1904 self.completion_event.set() +

1905 +

1906 - def _parse_channel_open_success(self, m): +

1907 chanid = m.get_int() +1908 server_chanid = m.get_int() +1909 server_window_size = m.get_int() +1910 server_max_packet_size = m.get_int() +1911 chan = self._channels.get(chanid) +1912 if chan is None: +1913 self._log(WARNING, 'Success for unrequested channel! [??]') +1914 return +1915 self.lock.acquire() +1916 try: +1917 chan._set_remote_channel(server_chanid, server_window_size, server_max_packet_size) +1918 self._log(INFO, 'Secsh channel %d opened.' % chanid) +1919 if chanid in self.channel_events: +1920 self.channel_events[chanid].set() +1921 del self.channel_events[chanid] +1922 finally: +1923 self.lock.release() +1924 return +

1925 +

1926 - def _parse_channel_open_failure(self, m): +

1927 chanid = m.get_int() +1928 reason = m.get_int() +1929 reason_str = m.get_string() +1930 lang = m.get_string() +1931 reason_text = CONNECTION_FAILED_CODE.get(reason, '(unknown code)') +1932 self._log(INFO, 'Secsh channel %d open FAILED: %s: %s' % (chanid, reason_str, reason_text)) +1933 self.lock.acquire() +1934 try: +1935 self.saved_exception = ChannelException(reason, reason_text) +1936 if chanid in self.channel_events: +1937 self._channels.delete(chanid) +1938 if chanid in self.channel_events: +1939 self.channel_events[chanid].set() +1940 del self.channel_events[chanid] +1941 finally: +1942 self.lock.release() +1943 return +

1944 +

1945 - def _parse_channel_open(self, m): +

1946 kind = m.get_string() +1947 chanid = m.get_int() +1948 initial_window_size = m.get_int() +1949 max_packet_size = m.get_int() +1950 reject = False +1951 if (kind == 'x11') and (self._x11_handler is not None): +1952 origin_addr = m.get_string() +1953 origin_port = m.get_int() +1954 self._log(DEBUG, 'Incoming x11 connection from %s:%d' % (origin_addr, origin_port)) +1955 self.lock.acquire() +1956 try: +1957 my_chanid = self._next_channel() +1958 finally: +1959 self.lock.release() +1960 elif (kind == 'forwarded-tcpip') and (self._tcp_handler is not None): +1961 server_addr = m.get_string() +1962 server_port = m.get_int() +1963 origin_addr = m.get_string() +1964 origin_port = m.get_int() +1965 self._log(DEBUG, 'Incoming tcp forwarded connection from %s:%d' % (origin_addr, origin_port)) +1966 self.lock.acquire() +1967 try: +1968 my_chanid = self._next_channel() +1969 finally: +1970 self.lock.release() +1971 elif not self.server_mode: +1972 self._log(DEBUG, 'Rejecting "%s" channel request from server.' % kind) +1973 reject = True +1974 reason = OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED +1975 else: +1976 self.lock.acquire() +1977 try: +1978 my_chanid = self._next_channel() +1979 finally: +1980 self.lock.release() +1981 if kind == 'direct-tcpip': +1982 # handle direct-tcpip requests comming from the client +1983 dest_addr = m.get_string() +1984 dest_port = m.get_int() +1985 origin_addr = m.get_string() +1986 origin_port = m.get_int() +1987 reason = self.server_object.check_channel_direct_tcpip_request( +1988 my_chanid, (origin_addr, origin_port), +1989 (dest_addr, dest_port)) +1990 else: +1991 reason = self.server_object.check_channel_request(kind, my_chanid) +1992 if reason != OPEN_SUCCEEDED: +1993 self._log(DEBUG, 'Rejecting "%s" channel request from client.' % kind) +1994 reject = True +1995 if reject: +1996 msg = Message() +1997 msg.add_byte(chr(MSG_CHANNEL_OPEN_FAILURE)) +1998 msg.add_int(chanid) +1999 msg.add_int(reason) +2000 msg.add_string('') +2001 msg.add_string('en') +2002 self._send_message(msg) +2003 return +2004 +2005 chan = Channel(my_chanid) +2006 self.lock.acquire() +2007 try: +2008 self._channels.put(my_chanid, chan) +2009 self.channels_seen[my_chanid] = True +2010 chan._set_transport(self) +2011 chan._set_window(self.window_size, self.max_packet_size) +2012 chan._set_remote_channel(chanid, initial_window_size, max_packet_size) +2013 finally: +2014 self.lock.release() +2015 m = Message() +2016 m.add_byte(chr(MSG_CHANNEL_OPEN_SUCCESS)) +2017 m.add_int(chanid) +2018 m.add_int(my_chanid) +2019 m.add_int(self.window_size) +2020 m.add_int(self.max_packet_size) +2021 self._send_message(m) +2022 self._log(INFO, 'Secsh channel %d (%s) opened.', my_chanid, kind) +2023 if kind == 'x11': +2024 self._x11_handler(chan, (origin_addr, origin_port)) +2025 elif kind == 'forwarded-tcpip': +2026 chan.origin_addr = (origin_addr, origin_port) +2027 self._tcp_handler(chan, (origin_addr, origin_port), (server_addr, server_port)) +2028 else: +2029 self._queue_incoming_channel(chan) +

2030 +

2031 - def _parse_debug(self, m): +

2032 always_display = m.get_boolean() +2033 msg = m.get_string() +2034 lang = m.get_string() +2035 self._log(DEBUG, 'Debug msg: ' + util.safe_string(msg)) +

2036 +

2037 - def _get_subsystem_handler(self, name): +

2038 try: +2039 self.lock.acquire() +2040 if name not in self.subsystem_table: +2041 return (None, [], {}) +2042 return self.subsystem_table[name] +2043 finally: +2044 self.lock.release() +

2045 +2046 _handler_table = { +2047 MSG_NEWKEYS: _parse_newkeys, +2048 MSG_GLOBAL_REQUEST: _parse_global_request, +2049 MSG_REQUEST_SUCCESS: _parse_request_success, +2050 MSG_REQUEST_FAILURE: _parse_request_failure, +2051 MSG_CHANNEL_OPEN_SUCCESS: _parse_channel_open_success, +2052 MSG_CHANNEL_OPEN_FAILURE: _parse_channel_open_failure, +2053 MSG_CHANNEL_OPEN: _parse_channel_open, +2054 MSG_KEXINIT: _negotiate_keys, +2055 } +2056 +2057 _channel_handler_table = { +2058 MSG_CHANNEL_SUCCESS: Channel._request_success, +2059 MSG_CHANNEL_FAILURE: Channel._request_failed, +2060 MSG_CHANNEL_DATA: Channel._feed, +2061 MSG_CHANNEL_EXTENDED_DATA: Channel._feed_extended, +2062 MSG_CHANNEL_WINDOW_ADJUST: Channel._window_adjust, +2063 MSG_CHANNEL_REQUEST: Channel._handle_request, +2064 MSG_CHANNEL_EOF: Channel._handle_eof, +2065 MSG_CHANNEL_CLOSE: Channel._handle_close, +2066 } +2067 +

Source Code for Module paramiko.transport