paramiko.transport

1 # Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> 2 # 3 # This file is part of paramiko. 4 # 5 # Paramiko is free software; you can redistribute it and/or modify it under the 6 # terms of the GNU Lesser General Public License as published by the Free 7 # Software Foundation; either version 2.1 of the License, or (at your option) 8 # any later version. 9 # 10 # Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY 11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR 12 # A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more 13 # details. 14 # 15 # You should have received a copy of the GNU Lesser General Public License 16 # along with Paramiko; if not, write to the Free Software Foundation, Inc., 17 # 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. 18 19 """ 20 L{Transport} handles the core SSH2 protocol. 21 """ 22 23 import os 24 import socket 25 import string 26 import struct 27 import sys 28 import threading 29 import time 30 import weakref 31 32 from paramiko import util 33 from paramiko.auth_handler import AuthHandler 34 from paramiko.channel import Channel 35 from paramiko.common import * 36 from paramiko.compress import ZlibCompressor, ZlibDecompressor 37 from paramiko.dsskey import DSSKey 38 from paramiko.kex_gex import KexGex 39 from paramiko.kex_group1 import KexGroup1 40 from paramiko.message import Message 41 from paramiko.packet import Packetizer, NeedRekeyException 42 from paramiko.primes import ModulusPack 43 from paramiko.rsakey import RSAKey 44 from paramiko.server import ServerInterface 45 from paramiko.sftp_client import SFTPClient 46 from paramiko.ssh_exception import SSHException, BadAuthenticationType, ChannelException 47 48 from Crypto import Random 49 from Crypto.Cipher import Blowfish, AES, DES3, ARC4 50 from Crypto.Hash import SHA, MD5 51 try: 52 from Crypto.Util import Counter 53 except ImportError: 54 from paramiko.util import Counter 55 56 57 # for thread cleanup 58 _active_threads = []

59 -def _join_lingering_threads():

60 for thr in _active_threads: 61 thr.stop_thread()

62 import atexit 63 atexit.register(_join_lingering_threads) 64 65

66 -class SecurityOptions (object):

67 """ 68 Simple object containing the security preferences of an ssh transport. 69 These are tuples of acceptable ciphers, digests, key types, and key 70 exchange algorithms, listed in order of preference. 71 72 Changing the contents and/or order of these fields affects the underlying 73 L{Transport} (but only if you change them before starting the session). 74 If you try to add an algorithm that paramiko doesn't recognize, 75 C{ValueError} will be raised. If you try to assign something besides a 76 tuple to one of the fields, C{TypeError} will be raised. 77 """ 78 __slots__ = [ 'ciphers', 'digests', 'key_types', 'kex', 'compression', '_transport' ] 79

80 - def __init__(self, transport):

81 self._transport = transport

82

83 - def __repr__(self):

84 """ 85 Returns a string representation of this object, for debugging. 86 87 @rtype: str 88 """ 89 return '<paramiko.SecurityOptions for %s>' % repr(self._transport)

90

91 - def _get_ciphers(self):

92 return self._transport._preferred_ciphers

93

94 - def _get_digests(self):

95 return self._transport._preferred_macs

96

97 - def _get_key_types(self):

98 return self._transport._preferred_keys

99

100 - def _get_kex(self):

101 return self._transport._preferred_kex

102

103 - def _get_compression(self):

104 return self._transport._preferred_compression

105

106 - def _set(self, name, orig, x):

107 if type(x) is list: 108 x = tuple(x) 109 if type(x) is not tuple: 110 raise TypeError('expected tuple or list') 111 possible = getattr(self._transport, orig).keys() 112 forbidden = filter(lambda n: n not in possible, x) 113 if len(forbidden) > 0: 114 raise ValueError('unknown cipher') 115 setattr(self._transport, name, x)

116

117 - def _set_ciphers(self, x):

118 self._set('_preferred_ciphers', '_cipher_info', x)

119

120 - def _set_digests(self, x):

121 self._set('_preferred_macs', '_mac_info', x)

122

123 - def _set_key_types(self, x):

124 self._set('_preferred_keys', '_key_info', x)

125

126 - def _set_kex(self, x):

127 self._set('_preferred_kex', '_kex_info', x)

128

129 - def _set_compression(self, x):

130 self._set('_preferred_compression', '_compression_info', x)

131 132 ciphers = property(_get_ciphers, _set_ciphers, None, 133 "Symmetric encryption ciphers") 134 digests = property(_get_digests, _set_digests, None, 135 "Digest (one-way hash) algorithms") 136 key_types = property(_get_key_types, _set_key_types, None, 137 "Public-key algorithms") 138 kex = property(_get_kex, _set_kex, None, "Key exchange algorithms") 139 compression = property(_get_compression, _set_compression, None, 140 "Compression algorithms")

141 142

143 -class ChannelMap (object):

144 - def __init__(self):

145 # (id -> Channel) 146 self._map = weakref.WeakValueDictionary() 147 self._lock = threading.Lock()

148

149 - def put(self, chanid, chan):

150 self._lock.acquire() 151 try: 152 self._map[chanid] = chan 153 finally: 154 self._lock.release()

155

156 - def get(self, chanid):

157 self._lock.acquire() 158 try: 159 return self._map.get(chanid, None) 160 finally: 161 self._lock.release()

162

163 - def delete(self, chanid):

164 self._lock.acquire() 165 try: 166 try: 167 del self._map[chanid] 168 except KeyError: 169 pass 170 finally: 171 self._lock.release()

172

173 - def values(self):

174 self._lock.acquire() 175 try: 176 return self._map.values() 177 finally: 178 self._lock.release()

179

180 - def __len__(self):

181 self._lock.acquire() 182 try: 183 return len(self._map) 184 finally: 185 self._lock.release()

186 187

188 -class Transport (threading.Thread):

189 """ 190 An SSH Transport attaches to a stream (usually a socket), negotiates an 191 encrypted session, authenticates, and then creates stream tunnels, called 192 L{Channel}s, across the session. Multiple channels can be multiplexed 193 across a single session (and often are, in the case of port forwardings). 194 """ 195 196 _PROTO_ID = '2.0' 197 _CLIENT_ID = 'paramiko_1.7.7.1' 198 199 _preferred_ciphers = ( 'aes128-ctr', 'aes256-ctr', 'aes128-cbc', 'blowfish-cbc', 'aes256-cbc', '3des-cbc', 200 'arcfour128', 'arcfour256' ) 201 _preferred_macs = ( 'hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96' ) 202 _preferred_keys = ( 'ssh-rsa', 'ssh-dss' ) 203 _preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1' ) 204 _preferred_compression = ( 'none', ) 205 206 _cipher_info = { 207 'aes128-ctr': { 'class': AES, 'mode': AES.MODE_CTR, 'block-size': 16, 'key-size': 16 }, 208 'aes256-ctr': { 'class': AES, 'mode': AES.MODE_CTR, 'block-size': 16, 'key-size': 32 }, 209 'blowfish-cbc': { 'class': Blowfish, 'mode': Blowfish.MODE_CBC, 'block-size': 8, 'key-size': 16 }, 210 'aes128-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-size': 16, 'key-size': 16 }, 211 'aes256-cbc': { 'class': AES, 'mode': AES.MODE_CBC, 'block-size': 16, 'key-size': 32 }, 212 '3des-cbc': { 'class': DES3, 'mode': DES3.MODE_CBC, 'block-size': 8, 'key-size': 24 }, 213 'arcfour128': { 'class': ARC4, 'mode': None, 'block-size': 8, 'key-size': 16 }, 214 'arcfour256': { 'class': ARC4, 'mode': None, 'block-size': 8, 'key-size': 32 }, 215 } 216 217 _mac_info = { 218 'hmac-sha1': { 'class': SHA, 'size': 20 }, 219 'hmac-sha1-96': { 'class': SHA, 'size': 12 }, 220 'hmac-md5': { 'class': MD5, 'size': 16 }, 221 'hmac-md5-96': { 'class': MD5, 'size': 12 }, 222 } 223 224 _key_info = { 225 'ssh-rsa': RSAKey, 226 'ssh-dss': DSSKey, 227 } 228 229 _kex_info = { 230 'diffie-hellman-group1-sha1': KexGroup1, 231 'diffie-hellman-group-exchange-sha1': KexGex, 232 } 233 234 _compression_info = { 235 # zlib@openssh.com is just zlib, but only turned on after a successful 236 # authentication. openssh servers may only offer this type because 237 # they've had troubles with security holes in zlib in the past. 238 'zlib@openssh.com': ( ZlibCompressor, ZlibDecompressor ), 239 'zlib': ( ZlibCompressor, ZlibDecompressor ), 240 'none': ( None, None ), 241 } 242 243 244 _modulus_pack = None 245

246 - def __init__(self, sock):

247 """ 248 Create a new SSH session over an existing socket, or socket-like 249 object. This only creates the Transport object; it doesn't begin the 250 SSH session yet. Use L{connect} or L{start_client} to begin a client 251 session, or L{start_server} to begin a server session. 252 253 If the object is not actually a socket, it must have the following 254 methods: 255 - C{send(str)}: Writes from 1 to C{len(str)} bytes, and 256 returns an int representing the number of bytes written. Returns 257 0 or raises C{EOFError} if the stream has been closed. 258 - C{recv(int)}: Reads from 1 to C{int} bytes and returns them as a 259 string. Returns 0 or raises C{EOFError} if the stream has been 260 closed. 261 - C{close()}: Closes the socket. 262 - C{settimeout(n)}: Sets a (float) timeout on I/O operations. 263 264 For ease of use, you may also pass in an address (as a tuple) or a host 265 string as the C{sock} argument. (A host string is a hostname with an 266 optional port (separated by C{":"}) which will be converted into a 267 tuple of C{(hostname, port)}.) A socket will be connected to this 268 address and used for communication. Exceptions from the C{socket} call 269 may be thrown in this case. 270 271 @param sock: a socket or socket-like object to create the session over. 272 @type sock: socket 273 """ 274 if isinstance(sock, (str, unicode)): 275 # convert "host:port" into (host, port) 276 hl = sock.split(':', 1) 277 if len(hl) == 1: 278 sock = (hl[0], 22) 279 else: 280 sock = (hl[0], int(hl[1])) 281 if type(sock) is tuple: 282 # connect to the given (host, port) 283 hostname, port = sock 284 reason = 'No suitable address family' 285 for (family, socktype, proto, canonname, sockaddr) in socket.getaddrinfo(hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM): 286 if socktype == socket.SOCK_STREAM: 287 af = family 288 addr = sockaddr 289 sock = socket.socket(af, socket.SOCK_STREAM) 290 try: 291 sock.connect((hostname, port)) 292 except socket.error, e: 293 reason = str(e) 294 else: 295 break 296 else: 297 raise SSHException( 298 'Unable to connect to %s: %s' % (hostname, reason)) 299 # okay, normal socket-ish flow here... 300 threading.Thread.__init__(self) 301 self.setDaemon(True) 302 self.rng = rng 303 self.sock = sock 304 # Python < 2.3 doesn't have the settimeout method - RogerB 305 try: 306 # we set the timeout so we can check self.active periodically to 307 # see if we should bail. socket.timeout exception is never 308 # propagated. 309 self.sock.settimeout(0.1) 310 except AttributeError: 311 pass 312 313 # negotiated crypto parameters 314 self.packetizer = Packetizer(sock) 315 self.local_version = 'SSH-' + self._PROTO_ID + '-' + self._CLIENT_ID 316 self.remote_version = '' 317 self.local_cipher = self.remote_cipher = '' 318 self.local_kex_init = self.remote_kex_init = None 319 self.local_mac = self.remote_mac = None 320 self.local_compression = self.remote_compression = None 321 self.session_id = None 322 self.host_key_type = None 323 self.host_key = None 324 325 # state used during negotiation 326 self.kex_engine = None 327 self.H = None 328 self.K = None 329 330 self.active = False 331 self.initial_kex_done = False 332 self.in_kex = False 333 self.authenticated = False 334 self._expected_packet = tuple() 335 self.lock = threading.Lock() # synchronization (always higher level than write_lock) 336 337 # tracking open channels 338 self._channels = ChannelMap() 339 self.channel_events = { } # (id -> Event) 340 self.channels_seen = { } # (id -> True) 341 self._channel_counter = 1 342 self.window_size = 65536 343 self.max_packet_size = 34816 344 self._x11_handler = None 345 self._tcp_handler = None 346 347 self.saved_exception = None 348 self.clear_to_send = threading.Event() 349 self.clear_to_send_lock = threading.Lock() 350 self.clear_to_send_timeout = 30.0 351 self.log_name = 'paramiko.transport' 352 self.logger = util.get_logger(self.log_name) 353 self.packetizer.set_log(self.logger) 354 self.auth_handler = None 355 self.global_response = None # response Message from an arbitrary global request 356 self.completion_event = None # user-defined event callbacks 357 self.banner_timeout = 15 # how long (seconds) to wait for the SSH banner 358 359 # server mode: 360 self.server_mode = False 361 self.server_object = None 362 self.server_key_dict = { } 363 self.server_accepts = [ ] 364 self.server_accept_cv = threading.Condition(self.lock) 365 self.subsystem_table = { }

366

367 - def __repr__(self):

368 """ 369 Returns a string representation of this object, for debugging. 370 371 @rtype: str 372 """ 373 out = '<paramiko.Transport at %s' % hex(long(id(self)) & 0xffffffffL) 374 if not self.active: 375 out += ' (unconnected)' 376 else: 377 if self.local_cipher != '': 378 out += ' (cipher %s, %d bits)' % (self.local_cipher, 379 self._cipher_info[self.local_cipher]['key-size'] * 8) 380 if self.is_authenticated(): 381 out += ' (active; %d open channel(s))' % len(self._channels) 382 elif self.initial_kex_done: 383 out += ' (connected; awaiting auth)' 384 else: 385 out += ' (connecting)' 386 out += '>' 387 return out

388

389 - def atfork(self):

390 """ 391 Terminate this Transport without closing the session. On posix 392 systems, if a Transport is open during process forking, both parent 393 and child will share the underlying socket, but only one process can 394 use the connection (without corrupting the session). Use this method 395 to clean up a Transport object without disrupting the other process. 396 397 @since: 1.5.3 398 """ 399 self.sock.close() 400 self.close()

401

402 - def get_security_options(self):

403 """ 404 Return a L{SecurityOptions} object which can be used to tweak the 405 encryption algorithms this transport will permit, and the order of 406 preference for them. 407 408 @return: an object that can be used to change the preferred algorithms 409 for encryption, digest (hash), public key, and key exchange. 410 @rtype: L{SecurityOptions} 411 """ 412 return SecurityOptions(self)

413

414 - def start_client(self, event=None):

415 """ 416 Negotiate a new SSH2 session as a client. This is the first step after 417 creating a new L{Transport}. A separate thread is created for protocol 418 negotiation. 419 420 If an event is passed in, this method returns immediately. When 421 negotiation is done (successful or not), the given C{Event} will 422 be triggered. On failure, L{is_active} will return C{False}. 423 424 (Since 1.4) If C{event} is C{None}, this method will not return until 425 negotation is done. On success, the method returns normally. 426 Otherwise an SSHException is raised. 427 428 After a successful negotiation, you will usually want to authenticate, 429 calling L{auth_password <Transport.auth_password>} or 430 L{auth_publickey <Transport.auth_publickey>}. 431 432 @note: L{connect} is a simpler method for connecting as a client. 433 434 @note: After calling this method (or L{start_server} or L{connect}), 435 you should no longer directly read from or write to the original 436 socket object. 437 438 @param event: an event to trigger when negotiation is complete 439 (optional) 440 @type event: threading.Event 441 442 @raise SSHException: if negotiation fails (and no C{event} was passed 443 in) 444 """ 445 self.active = True 446 if event is not None: 447 # async, return immediately and let the app poll for completion 448 self.completion_event = event 449 self.start() 450 return 451 452 # synchronous, wait for a result 453 self.completion_event = event = threading.Event() 454 self.start() 455 Random.atfork() 456 while True: 457 event.wait(0.1) 458 if not self.active: 459 e = self.get_exception() 460 if e is not None: 461 raise e 462 raise SSHException('Negotiation failed.') 463 if event.isSet(): 464 break

465

466 - def start_server(self, event=None, server=None):

467 """ 468 Negotiate a new SSH2 session as a server. This is the first step after 469 creating a new L{Transport} and setting up your server host key(s). A 470 separate thread is created for protocol negotiation. 471 472 If an event is passed in, this method returns immediately. When 473 negotiation is done (successful or not), the given C{Event} will 474 be triggered. On failure, L{is_active} will return C{False}. 475 476 (Since 1.4) If C{event} is C{None}, this method will not return until 477 negotation is done. On success, the method returns normally. 478 Otherwise an SSHException is raised. 479 480 After a successful negotiation, the client will need to authenticate. 481 Override the methods 482 L{get_allowed_auths <ServerInterface.get_allowed_auths>}, 483 L{check_auth_none <ServerInterface.check_auth_none>}, 484 L{check_auth_password <ServerInterface.check_auth_password>}, and 485 L{check_auth_publickey <ServerInterface.check_auth_publickey>} in the 486 given C{server} object to control the authentication process. 487 488 After a successful authentication, the client should request to open 489 a channel. Override 490 L{check_channel_request <ServerInterface.check_channel_request>} in the 491 given C{server} object to allow channels to be opened. 492 493 @note: After calling this method (or L{start_client} or L{connect}), 494 you should no longer directly read from or write to the original 495 socket object. 496 497 @param event: an event to trigger when negotiation is complete. 498 @type event: threading.Event 499 @param server: an object used to perform authentication and create 500 L{Channel}s. 501 @type server: L{server.ServerInterface} 502 503 @raise SSHException: if negotiation fails (and no C{event} was passed 504 in) 505 """ 506 if server is None: 507 server = ServerInterface() 508 self.server_mode = True 509 self.server_object = server 510 self.active = True 511 if event is not None: 512 # async, return immediately and let the app poll for completion 513 self.completion_event = event 514 self.start() 515 return 516 517 # synchronous, wait for a result 518 self.completion_event = event = threading.Event() 519 self.start() 520 while True: 521 event.wait(0.1) 522 if not self.active: 523 e = self.get_exception() 524 if e is not None: 525 raise e 526 raise SSHException('Negotiation failed.') 527 if event.isSet(): 528 break

529

530 - def add_server_key(self, key):

531 """ 532 Add a host key to the list of keys used for server mode. When behaving 533 as a server, the host key is used to sign certain packets during the 534 SSH2 negotiation, so that the client can trust that we are who we say 535 we are. Because this is used for signing, the key must contain private 536 key info, not just the public half. Only one key of each type (RSA or 537 DSS) is kept. 538 539 @param key: the host key to add, usually an L{RSAKey <rsakey.RSAKey>} or 540 L{DSSKey <dsskey.DSSKey>}. 541 @type key: L{PKey <pkey.PKey>} 542 """ 543 self.server_key_dict[key.get_name()] = key

544

545 - def get_server_key(self):

546 """ 547 Return the active host key, in server mode. After negotiating with the 548 client, this method will return the negotiated host key. If only one 549 type of host key was set with L{add_server_key}, that's the only key 550 that will ever be returned. But in cases where you have set more than 551 one type of host key (for example, an RSA key and a DSS key), the key 552 type will be negotiated by the client, and this method will return the 553 key of the type agreed on. If the host key has not been negotiated 554 yet, C{None} is returned. In client mode, the behavior is undefined. 555 556 @return: host key of the type negotiated by the client, or C{None}. 557 @rtype: L{PKey <pkey.PKey>} 558 """ 559 try: 560 return self.server_key_dict[self.host_key_type] 561 except KeyError: 562 pass 563 return None

564

565 - def load_server_moduli(filename=None):

566 """ 567 I{(optional)} 568 Load a file of prime moduli for use in doing group-exchange key 569 negotiation in server mode. It's a rather obscure option and can be 570 safely ignored. 571 572 In server mode, the remote client may request "group-exchange" key 573 negotiation, which asks the server to send a random prime number that 574 fits certain criteria. These primes are pretty difficult to compute, 575 so they can't be generated on demand. But many systems contain a file 576 of suitable primes (usually named something like C{/etc/ssh/moduli}). 577 If you call C{load_server_moduli} and it returns C{True}, then this 578 file of primes has been loaded and we will support "group-exchange" in 579 server mode. Otherwise server mode will just claim that it doesn't 580 support that method of key negotiation. 581 582 @param filename: optional path to the moduli file, if you happen to 583 know that it's not in a standard location. 584 @type filename: str 585 @return: True if a moduli file was successfully loaded; False 586 otherwise. 587 @rtype: bool 588 589 @note: This has no effect when used in client mode. 590 """ 591 Transport._modulus_pack = ModulusPack(rng) 592 # places to look for the openssh "moduli" file 593 file_list = [ '/etc/ssh/moduli', '/usr/local/etc/moduli' ] 594 if filename is not None: 595 file_list.insert(0, filename) 596 for fn in file_list: 597 try: 598 Transport._modulus_pack.read_file(fn) 599 return True 600 except IOError: 601 pass 602 # none succeeded 603 Transport._modulus_pack = None 604 return False

605 load_server_moduli = staticmethod(load_server_moduli) 606

607 - def close(self):

608 """ 609 Close this session, and any open channels that are tied to it. 610 """ 611 if not self.active: 612 return 613 self.active = False 614 self.packetizer.close() 615 self.join() 616 for chan in self._channels.values(): 617 chan._unlink()

618

619 - def get_remote_server_key(self):

620 """ 621 Return the host key of the server (in client mode). 622 623 @note: Previously this call returned a tuple of (key type, key string). 624 You can get the same effect by calling 625 L{PKey.get_name <pkey.PKey.get_name>} for the key type, and 626 C{str(key)} for the key string. 627 628 @raise SSHException: if no session is currently active. 629 630 @return: public key of the remote server 631 @rtype: L{PKey <pkey.PKey>} 632 """ 633 if (not self.active) or (not self.initial_kex_done): 634 raise SSHException('No existing session') 635 return self.host_key

636

637 - def is_active(self):

638 """ 639 Return true if this session is active (open). 640 641 @return: True if the session is still active (open); False if the 642 session is closed 643 @rtype: bool 644 """ 645 return self.active

646

647 - def open_session(self):

648 """ 649 Request a new channel to the server, of type C{"session"}. This 650 is just an alias for C{open_channel('session')}. 651 652 @return: a new L{Channel} 653 @rtype: L{Channel} 654 655 @raise SSHException: if the request is rejected or the session ends 656 prematurely 657 """ 658 return self.open_channel('session')

659

660 - def open_x11_channel(self, src_addr=None):

661 """ 662 Request a new channel to the client, of type C{"x11"}. This 663 is just an alias for C{open_channel('x11', src_addr=src_addr)}. 664 665 @param src_addr: the source address of the x11 server (port is the 666 x11 port, ie. 6010) 667 @type src_addr: (str, int) 668 @return: a new L{Channel} 669 @rtype: L{Channel} 670 671 @raise SSHException: if the request is rejected or the session ends 672 prematurely 673 """ 674 return self.open_channel('x11', src_addr=src_addr)

675

676 - def open_forwarded_tcpip_channel(self, (src_addr, src_port), (dest_addr, dest_port)):

677 """ 678 Request a new channel back to the client, of type C{"forwarded-tcpip"}. 679 This is used after a client has requested port forwarding, for sending 680 incoming connections back to the client. 681 682 @param src_addr: originator's address 683 @param src_port: originator's port 684 @param dest_addr: local (server) connected address 685 @param dest_port: local (server) connected port 686 """ 687 return self.open_channel('forwarded-tcpip', (dest_addr, dest_port), (src_addr, src_port))

688

689 - def open_channel(self, kind, dest_addr=None, src_addr=None):

690 """ 691 Request a new channel to the server. L{Channel}s are socket-like 692 objects used for the actual transfer of data across the session. 693 You may only request a channel after negotiating encryption (using 694 L{connect} or L{start_client}) and authenticating. 695 696 @param kind: the kind of channel requested (usually C{"session"}, 697 C{"forwarded-tcpip"}, C{"direct-tcpip"}, or C{"x11"}) 698 @type kind: str 699 @param dest_addr: the destination address of this port forwarding, 700 if C{kind} is C{"forwarded-tcpip"} or C{"direct-tcpip"} (ignored 701 for other channel types) 702 @type dest_addr: (str, int) 703 @param src_addr: the source address of this port forwarding, if 704 C{kind} is C{"forwarded-tcpip"}, C{"direct-tcpip"}, or C{"x11"} 705 @type src_addr: (str, int) 706 @return: a new L{Channel} on success 707 @rtype: L{Channel} 708 709 @raise SSHException: if the request is rejected or the session ends 710 prematurely 711 """ 712 if not self.active: 713 raise SSHException('SSH session not active') 714 self.lock.acquire() 715 try: 716 chanid = self._next_channel() 717 m = Message() 718 m.add_byte(chr(MSG_CHANNEL_OPEN)) 719 m.add_string(kind) 720 m.add_int(chanid) 721 m.add_int(self.window_size) 722 m.add_int(self.max_packet_size) 723 if (kind == 'forwarded-tcpip') or (kind == 'direct-tcpip'): 724 m.add_string(dest_addr[0]) 725 m.add_int(dest_addr[1]) 726 m.add_string(src_addr[0]) 727 m.add_int(src_addr[1]) 728 elif kind == 'x11': 729 m.add_string(src_addr[0]) 730 m.add_int(src_addr[1]) 731 chan = Channel(chanid) 732 self._channels.put(chanid, chan) 733 self.channel_events[chanid] = event = threading.Event() 734 self.channels_seen[chanid] = True 735 chan._set_transport(self) 736 chan._set_window(self.window_size, self.max_packet_size) 737 finally: 738 self.lock.release() 739 self._send_user_message(m) 740 while True: 741 event.wait(0.1); 742 if not self.active: 743 e = self.get_exception() 744 if e is None: 745 e = SSHException('Unable to open channel.') 746 raise e 747 if event.isSet(): 748 break 749 chan = self._channels.get(chanid) 750 if chan is not None: 751 return chan 752 e = self.get_exception() 753 if e is None: 754 e = SSHException('Unable to open channel.') 755 raise e

756

757 - def request_port_forward(self, address, port, handler=None):

758 """ 759 Ask the server to forward TCP connections from a listening port on 760 the server, across this SSH session. 761 762 If a handler is given, that handler is called from a different thread 763 whenever a forwarded connection arrives. The handler parameters are:: 764 765 handler(channel, (origin_addr, origin_port), (server_addr, server_port)) 766 767 where C{server_addr} and C{server_port} are the address and port that 768 the server was listening on. 769 770 If no handler is set, the default behavior is to send new incoming 771 forwarded connections into the accept queue, to be picked up via 772 L{accept}. 773 774 @param address: the address to bind when forwarding 775 @type address: str 776 @param port: the port to forward, or 0 to ask the server to allocate 777 any port 778 @type port: int 779 @param handler: optional handler for incoming forwarded connections 780 @type handler: function(Channel, (str, int), (str, int)) 781 @return: the port # allocated by the server 782 @rtype: int 783 784 @raise SSHException: if the server refused the TCP forward request 785 """ 786 if not self.active: 787 raise SSHException('SSH session not active') 788 address = str(address) 789 port = int(port) 790 response = self.global_request('tcpip-forward', (address, port), wait=True) 791 if response is None: 792 raise SSHException('TCP forwarding request denied') 793 if port == 0: 794 port = response.get_int() 795 if handler is None: 796 def default_handler(channel, (src_addr, src_port), (dest_addr, dest_port)): 797 self._queue_incoming_channel(channel)

798 handler = default_handler 799 self._tcp_handler = handler 800 return port

801

802 - def cancel_port_forward(self, address, port):

803 """ 804 Ask the server to cancel a previous port-forwarding request. No more 805 connections to the given address & port will be forwarded across this 806 ssh connection. 807 808 @param address: the address to stop forwarding 809 @type address: str 810 @param port: the port to stop forwarding 811 @type port: int 812 """ 813 if not self.active: 814 return 815 self._tcp_handler = None 816 self.global_request('cancel-tcpip-forward', (address, port), wait=True)

817

818 - def open_sftp_client(self):

819 """ 820 Create an SFTP client channel from an open transport. On success, 821 an SFTP session will be opened with the remote host, and a new 822 SFTPClient object will be returned. 823 824 @return: a new L{SFTPClient} object, referring to an sftp session 825 (channel) across this transport 826 @rtype: L{SFTPClient} 827 """ 828 return SFTPClient.from_transport(self)

829

830 - def send_ignore(self, bytes=None):

831 """ 832 Send a junk packet across the encrypted link. This is sometimes used 833 to add "noise" to a connection to confuse would-be attackers. It can 834 also be used as a keep-alive for long lived connections traversing 835 firewalls. 836 837 @param bytes: the number of random bytes to send in the payload of the 838 ignored packet -- defaults to a random number from 10 to 41. 839 @type bytes: int 840 """ 841 m = Message() 842 m.add_byte(chr(MSG_IGNORE)) 843 if bytes is None: 844 bytes = (ord(rng.read(1)) % 32) + 10 845 m.add_bytes(rng.read(bytes)) 846 self._send_user_message(m)

847

848 - def renegotiate_keys(self):

849 """ 850 Force this session to switch to new keys. Normally this is done 851 automatically after the session hits a certain number of packets or 852 bytes sent or received, but this method gives you the option of forcing 853 new keys whenever you want. Negotiating new keys causes a pause in 854 traffic both ways as the two sides swap keys and do computations. This 855 method returns when the session has switched to new keys. 856 857 @raise SSHException: if the key renegotiation failed (which causes the 858 session to end) 859 """ 860 self.completion_event = threading.Event() 861 self._send_kex_init() 862 while True: 863 self.completion_event.wait(0.1) 864 if not self.active: 865 e = self.get_exception() 866 if e is not None: 867 raise e 868 raise SSHException('Negotiation failed.') 869 if self.completion_event.isSet(): 870 break 871 return

872

873 - def set_keepalive(self, interval):

874 """ 875 Turn on/off keepalive packets (default is off). If this is set, after 876 C{interval} seconds without sending any data over the connection, a 877 "keepalive" packet will be sent (and ignored by the remote host). This 878 can be useful to keep connections alive over a NAT, for example. 879 880 @param interval: seconds to wait before sending a keepalive packet (or 881 0 to disable keepalives). 882 @type interval: int 883 """ 884 self.packetizer.set_keepalive(interval, 885 lambda x=weakref.proxy(self): x.global_request('keepalive@lag.net', wait=False))

886

887 - def global_request(self, kind, data=None, wait=True):

888 """ 889 Make a global request to the remote host. These are normally 890 extensions to the SSH2 protocol. 891 892 @param kind: name of the request. 893 @type kind: str 894 @param data: an optional tuple containing additional data to attach 895 to the request. 896 @type data: tuple 897 @param wait: C{True} if this method should not return until a response 898 is received; C{False} otherwise. 899 @type wait: bool 900 @return: a L{Message} containing possible additional data if the 901 request was successful (or an empty L{Message} if C{wait} was 902 C{False}); C{None} if the request was denied. 903 @rtype: L{Message} 904 """ 905 if wait: 906 self.completion_event = threading.Event() 907 m = Message() 908 m.add_byte(chr(MSG_GLOBAL_REQUEST)) 909 m.add_string(kind) 910 m.add_boolean(wait) 911 if data is not None: 912 m.add(*data) 913 self._log(DEBUG, 'Sending global request "%s"' % kind) 914 self._send_user_message(m) 915 if not wait: 916 return None 917 while True: 918 self.completion_event.wait(0.1) 919 if not self.active: 920 return None 921 if self.completion_event.isSet(): 922 break 923 return self.global_response

924

925 - def accept(self, timeout=None):

926 """ 927 Return the next channel opened by the client over this transport, in 928 server mode. If no channel is opened before the given timeout, C{None} 929 is returned. 930 931 @param timeout: seconds to wait for a channel, or C{None} to wait 932 forever 933 @type timeout: int 934 @return: a new Channel opened by the client 935 @rtype: L{Channel} 936 """ 937 self.lock.acquire() 938 try: 939 if len(self.server_accepts) > 0: 940 chan = self.server_accepts.pop(0) 941 else: 942 self.server_accept_cv.wait(timeout) 943 if len(self.server_accepts) > 0: 944 chan = self.server_accepts.pop(0) 945 else: 946 # timeout 947 chan = None 948 finally: 949 self.lock.release() 950 return chan

951

952 - def connect(self, hostkey=None, username='', password=None, pkey=None):

953 """ 954 Negotiate an SSH2 session, and optionally verify the server's host key 955 and authenticate using a password or private key. This is a shortcut 956 for L{start_client}, L{get_remote_server_key}, and 957 L{Transport.auth_password} or L{Transport.auth_publickey}. Use those 958 methods if you want more control. 959 960 You can use this method immediately after creating a Transport to 961 negotiate encryption with a server. If it fails, an exception will be 962 thrown. On success, the method will return cleanly, and an encrypted 963 session exists. You may immediately call L{open_channel} or 964 L{open_session} to get a L{Channel} object, which is used for data 965 transfer. 966 967 @note: If you fail to supply a password or private key, this method may 968 succeed, but a subsequent L{open_channel} or L{open_session} call may 969 fail because you haven't authenticated yet. 970 971 @param hostkey: the host key expected from the server, or C{None} if 972 you don't want to do host key verification. 973 @type hostkey: L{PKey<pkey.PKey>} 974 @param username: the username to authenticate as. 975 @type username: str 976 @param password: a password to use for authentication, if you want to 977 use password authentication; otherwise C{None}. 978 @type password: str 979 @param pkey: a private key to use for authentication, if you want to 980 use private key authentication; otherwise C{None}. 981 @type pkey: L{PKey<pkey.PKey>} 982 983 @raise SSHException: if the SSH2 negotiation fails, the host key 984 supplied by the server is incorrect, or authentication fails. 985 """ 986 if hostkey is not None: 987 self._preferred_keys = [ hostkey.get_name() ] 988 989 self.start_client() 990 991 # check host key if we were given one 992 if (hostkey is not None): 993 key = self.get_remote_server_key() 994 if (key.get_name() != hostkey.get_name()) or (str(key) != str(hostkey)): 995 self._log(DEBUG, 'Bad host key from server') 996 self._log(DEBUG, 'Expected: %s: %s' % (hostkey.get_name(), repr(str(hostkey)))) 997 self._log(DEBUG, 'Got : %s: %s' % (key.get_name(), repr(str(key)))) 998 raise SSHException('Bad host key from server') 999 self._log(DEBUG, 'Host key verified (%s)' % hostkey.get_name()) 1000 1001 if (pkey is not None) or (password is not None): 1002 if password is not None: 1003 self._log(DEBUG, 'Attempting password auth...') 1004 self.auth_password(username, password) 1005 else: 1006 self._log(DEBUG, 'Attempting public-key auth...') 1007 self.auth_publickey(username, pkey) 1008 1009 return

1010

1011 - def get_exception(self):

1012 """ 1013 Return any exception that happened during the last server request. 1014 This can be used to fetch more specific error information after using 1015 calls like L{start_client}. The exception (if any) is cleared after 1016 this call. 1017 1018 @return: an exception, or C{None} if there is no stored exception. 1019 @rtype: Exception 1020 1021 @since: 1.1 1022 """ 1023 self.lock.acquire() 1024 try: 1025 e = self.saved_exception 1026 self.saved_exception = None 1027 return e 1028 finally: 1029 self.lock.release()

1030

1031 - def set_subsystem_handler(self, name, handler, *larg, **kwarg):

1032 """ 1033 Set the handler class for a subsystem in server mode. If a request 1034 for this subsystem is made on an open ssh channel later, this handler 1035 will be constructed and called -- see L{SubsystemHandler} for more 1036 detailed documentation. 1037 1038 Any extra parameters (including keyword arguments) are saved and 1039 passed to the L{SubsystemHandler} constructor later. 1040 1041 @param name: name of the subsystem. 1042 @type name: str 1043 @param handler: subclass of L{SubsystemHandler} that handles this 1044 subsystem. 1045 @type handler: class 1046 """ 1047 try: 1048 self.lock.acquire() 1049 self.subsystem_table[name] = (handler, larg, kwarg) 1050 finally: 1051 self.lock.release()

1052

1053 - def is_authenticated(self):

1054 """ 1055 Return true if this session is active and authenticated. 1056 1057 @return: True if the session is still open and has been authenticated 1058 successfully; False if authentication failed and/or the session is 1059 closed. 1060 @rtype: bool 1061 """ 1062 return self.active and (self.auth_handler is not None) and self.auth_handler.is_authenticated()

1063

1064 - def get_username(self):

1065 """ 1066 Return the username this connection is authenticated for. If the 1067 session is not authenticated (or authentication failed), this method 1068 returns C{None}. 1069 1070 @return: username that was authenticated, or C{None}. 1071 @rtype: string 1072 """ 1073 if not self.active or (self.auth_handler is None): 1074 return None 1075 return self.auth_handler.get_username()

1076

1077 - def auth_none(self, username):

1078 """ 1079 Try to authenticate to the server using no authentication at all. 1080 This will almost always fail. It may be useful for determining the 1081 list of authentication types supported by the server, by catching the 1082 L{BadAuthenticationType} exception raised. 1083 1084 @param username: the username to authenticate as 1085 @type username: string 1086 @return: list of auth types permissible for the next stage of 1087 authentication (normally empty) 1088 @rtype: list 1089 1090 @raise BadAuthenticationType: if "none" authentication isn't allowed 1091 by the server for this user 1092 @raise SSHException: if the authentication failed due to a network 1093 error 1094 1095 @since: 1.5 1096 """ 1097 if (not self.active) or (not self.initial_kex_done): 1098 raise SSHException('No existing session') 1099 my_event = threading.Event() 1100 self.auth_handler = AuthHandler(self) 1101 self.auth_handler.auth_none(username, my_event) 1102 return self.auth_handler.wait_for_response(my_event)

1103

1104 - def auth_password(self, username, password, event=None, fallback=True):

1105 """ 1106 Authenticate to the server using a password. The username and password 1107 are sent over an encrypted link. 1108 1109 If an C{event} is passed in, this method will return immediately, and 1110 the event will be triggered once authentication succeeds or fails. On 1111 success, L{is_authenticated} will return C{True}. On failure, you may 1112 use L{get_exception} to get more detailed error information. 1113 1114 Since 1.1, if no event is passed, this method will block until the 1115 authentication succeeds or fails. On failure, an exception is raised. 1116 Otherwise, the method simply returns. 1117 1118 Since 1.5, if no event is passed and C{fallback} is C{True} (the 1119 default), if the server doesn't support plain password authentication 1120 but does support so-called "keyboard-interactive" mode, an attempt 1121 will be made to authenticate using this interactive mode. If it fails, 1122 the normal exception will be thrown as if the attempt had never been 1123 made. This is useful for some recent Gentoo and Debian distributions, 1124 which turn off plain password authentication in a misguided belief 1125 that interactive authentication is "more secure". (It's not.) 1126 1127 If the server requires multi-step authentication (which is very rare), 1128 this method will return a list of auth types permissible for the next 1129 step. Otherwise, in the normal case, an empty list is returned. 1130 1131 @param username: the username to authenticate as 1132 @type username: str 1133 @param password: the password to authenticate with 1134 @type password: str or unicode 1135 @param event: an event to trigger when the authentication attempt is 1136 complete (whether it was successful or not) 1137 @type event: threading.Event 1138 @param fallback: C{True} if an attempt at an automated "interactive" 1139 password auth should be made if the server doesn't support normal 1140 password auth 1141 @type fallback: bool 1142 @return: list of auth types permissible for the next stage of 1143 authentication (normally empty) 1144 @rtype: list 1145 1146 @raise BadAuthenticationType: if password authentication isn't 1147 allowed by the server for this user (and no event was passed in) 1148 @raise AuthenticationException: if the authentication failed (and no 1149 event was passed in) 1150 @raise SSHException: if there was a network error 1151 """ 1152 if (not self.active) or (not self.initial_kex_done): 1153 # we should never try to send the password unless we're on a secure link 1154 raise SSHException('No existing session') 1155 if event is None: 1156 my_event = threading.Event() 1157 else: 1158 my_event = event 1159 self.auth_handler = AuthHandler(self) 1160 self.auth_handler.auth_password(username, password, my_event) 1161 if event is not None: 1162 # caller wants to wait for event themselves 1163 return [] 1164 try: 1165 return self.auth_handler.wait_for_response(my_event) 1166 except BadAuthenticationType, x: 1167 # if password auth isn't allowed, but keyboard-interactive *is*, try to fudge it 1168 if not fallback or ('keyboard-interactive' not in x.allowed_types): 1169 raise 1170 try: 1171 def handler(title, instructions, fields): 1172 if len(fields) > 1: 1173 raise SSHException('Fallback authentication failed.') 1174 if len(fields) == 0: 1175 # for some reason, at least on os x, a 2nd request will 1176 # be made with zero fields requested. maybe it's just 1177 # to try to fake out automated scripting of the exact 1178 # type we're doing here. *shrug* :) 1179 return [] 1180 return [ password ]

1181 return self.auth_interactive(username, handler) 1182 except SSHException, ignored: 1183 # attempt failed; just raise the original exception 1184 raise x 1185 return None 1186

1187 - def auth_publickey(self, username, key, event=None):

1188 """ 1189 Authenticate to the server using a private key. The key is used to 1190 sign data from the server, so it must include the private part. 1191 1192 If an C{event} is passed in, this method will return immediately, and 1193 the event will be triggered once authentication succeeds or fails. On 1194 success, L{is_authenticated} will return C{True}. On failure, you may 1195 use L{get_exception} to get more detailed error information. 1196 1197 Since 1.1, if no event is passed, this method will block until the 1198 authentication succeeds or fails. On failure, an exception is raised. 1199 Otherwise, the method simply returns. 1200 1201 If the server requires multi-step authentication (which is very rare), 1202 this method will return a list of auth types permissible for the next 1203 step. Otherwise, in the normal case, an empty list is returned. 1204 1205 @param username: the username to authenticate as 1206 @type username: string 1207 @param key: the private key to authenticate with 1208 @type key: L{PKey <pkey.PKey>} 1209 @param event: an event to trigger when the authentication attempt is 1210 complete (whether it was successful or not) 1211 @type event: threading.Event 1212 @return: list of auth types permissible for the next stage of 1213 authentication (normally empty) 1214 @rtype: list 1215 1216 @raise BadAuthenticationType: if public-key authentication isn't 1217 allowed by the server for this user (and no event was passed in) 1218 @raise AuthenticationException: if the authentication failed (and no 1219 event was passed in) 1220 @raise SSHException: if there was a network error 1221 """ 1222 if (not self.active) or (not self.initial_kex_done): 1223 # we should never try to authenticate unless we're on a secure link 1224 raise SSHException('No existing session') 1225 if event is None: 1226 my_event = threading.Event() 1227 else: 1228 my_event = event 1229 self.auth_handler = AuthHandler(self) 1230 self.auth_handler.auth_publickey(username, key, my_event) 1231 if event is not None: 1232 # caller wants to wait for event themselves 1233 return [] 1234 return self.auth_handler.wait_for_response(my_event)

1235

1236 - def auth_interactive(self, username, handler, submethods=''):

1237 """ 1238 Authenticate to the server interactively. A handler is used to answer 1239 arbitrary questions from the server. On many servers, this is just a 1240 dumb wrapper around PAM. 1241 1242 This method will block until the authentication succeeds or fails, 1243 peroidically calling the handler asynchronously to get answers to 1244 authentication questions. The handler may be called more than once 1245 if the server continues to ask questions. 1246 1247 The handler is expected to be a callable that will handle calls of the 1248 form: C{handler(title, instructions, prompt_list)}. The C{title} is 1249 meant to be a dialog-window title, and the C{instructions} are user 1250 instructions (both are strings). C{prompt_list} will be a list of 1251 prompts, each prompt being a tuple of C{(str, bool)}. The string is 1252 the prompt and the boolean indicates whether the user text should be 1253 echoed. 1254 1255 A sample call would thus be: 1256 C{handler('title', 'instructions', [('Password:', False)])}. 1257 1258 The handler should return a list or tuple of answers to the server's 1259 questions. 1260 1261 If the server requires multi-step authentication (which is very rare), 1262 this method will return a list of auth types permissible for the next 1263 step. Otherwise, in the normal case, an empty list is returned. 1264 1265 @param username: the username to authenticate as 1266 @type username: string 1267 @param handler: a handler for responding to server questions 1268 @type handler: callable 1269 @param submethods: a string list of desired submethods (optional) 1270 @type submethods: str 1271 @return: list of auth types permissible for the next stage of 1272 authentication (normally empty). 1273 @rtype: list 1274 1275 @raise BadAuthenticationType: if public-key authentication isn't 1276 allowed by the server for this user 1277 @raise AuthenticationException: if the authentication failed 1278 @raise SSHException: if there was a network error 1279 1280 @since: 1.5 1281 """ 1282 if (not self.active) or (not self.initial_kex_done): 1283 # we should never try to authenticate unless we're on a secure link 1284 raise SSHException('No existing session') 1285 my_event = threading.Event() 1286 self.auth_handler = AuthHandler(self) 1287 self.auth_handler.auth_interactive(username, handler, my_event, submethods) 1288 return self.auth_handler.wait_for_response(my_event)

1289

1290 - def set_log_channel(self, name):

1291 """ 1292 Set the channel for this transport's logging. The default is 1293 C{"paramiko.transport"} but it can be set to anything you want. 1294 (See the C{logging} module for more info.) SSH Channels will log 1295 to a sub-channel of the one specified. 1296 1297 @param name: new channel name for logging 1298 @type name: str 1299 1300 @since: 1.1 1301 """ 1302 self.log_name = name 1303 self.logger = util.get_logger(name) 1304 self.packetizer.set_log(self.logger)

1305

1306 - def get_log_channel(self):

1307 """ 1308 Return the channel name used for this transport's logging. 1309 1310 @return: channel name. 1311 @rtype: str 1312 1313 @since: 1.2 1314 """ 1315 return self.log_name

1316

1317 - def set_hexdump(self, hexdump):

1318 """ 1319 Turn on/off logging a hex dump of protocol traffic at DEBUG level in 1320 the logs. Normally you would want this off (which is the default), 1321 but if you are debugging something, it may be useful. 1322 1323 @param hexdump: C{True} to log protocol traffix (in hex) to the log; 1324 C{False} otherwise. 1325 @type hexdump: bool 1326 """ 1327 self.packetizer.set_hexdump(hexdump)

1328

1329 - def get_hexdump(self):

1330 """ 1331 Return C{True} if the transport is currently logging hex dumps of 1332 protocol traffic. 1333 1334 @return: C{True} if hex dumps are being logged 1335 @rtype: bool 1336 1337 @since: 1.4 1338 """ 1339 return self.packetizer.get_hexdump()

1340

1341 - def use_compression(self, compress=True):

1342 """ 1343 Turn on/off compression. This will only have an affect before starting 1344 the transport (ie before calling L{connect}, etc). By default, 1345 compression is off since it negatively affects interactive sessions. 1346 1347 @param compress: C{True} to ask the remote client/server to compress 1348 traffic; C{False} to refuse compression 1349 @type compress: bool 1350 1351 @since: 1.5.2 1352 """ 1353 if compress: 1354 self._preferred_compression = ( 'zlib@openssh.com', 'zlib', 'none' ) 1355 else: 1356 self._preferred_compression = ( 'none', )

1357

1358 - def getpeername(self):

1359 """ 1360 Return the address of the remote side of this Transport, if possible. 1361 This is effectively a wrapper around C{'getpeername'} on the underlying 1362 socket. If the socket-like object has no C{'getpeername'} method, 1363 then C{("unknown", 0)} is returned. 1364 1365 @return: the address if the remote host, if known 1366 @rtype: tuple(str, int) 1367 """ 1368 gp = getattr(self.sock, 'getpeername', None) 1369 if gp is None: 1370 return ('unknown', 0) 1371 return gp()

1372

1373 - def stop_thread(self):

1374 self.active = False 1375 self.packetizer.close()

1376 1377 1378 ### internals... 1379 1380

1381 - def _log(self, level, msg, *args):

1382 if issubclass(type(msg), list): 1383 for m in msg: 1384 self.logger.log(level, m) 1385 else: 1386 self.logger.log(level, msg, *args)

1387

1388 - def _get_modulus_pack(self):

1389 "used by KexGex to find primes for group exchange" 1390 return self._modulus_pack

1391

1392 - def _next_channel(self):

1393 "you are holding the lock" 1394 chanid = self._channel_counter 1395 while self._channels.get(chanid) is not None: 1396 self._channel_counter = (self._channel_counter + 1) & 0xffffff 1397 chanid = self._channel_counter 1398 self._channel_counter = (self._channel_counter + 1) & 0xffffff 1399 return chanid

1400

1401 - def _unlink_channel(self, chanid):

1402 "used by a Channel to remove itself from the active channel list" 1403 self._channels.delete(chanid)

1404

1405 - def _send_message(self, data):

1406 self.packetizer.send_message(data)

1407

1408 - def _send_user_message(self, data):

1409 """ 1410 send a message, but block if we're in key negotiation. this is used 1411 for user-initiated requests. 1412 """ 1413 start = time.time() 1414 while True: 1415 self.clear_to_send.wait(0.1) 1416 if not self.active: 1417 self._log(DEBUG, 'Dropping user packet because connection is dead.') 1418 return 1419 self.clear_to_send_lock.acquire() 1420 if self.clear_to_send.isSet(): 1421 break 1422 self.clear_to_send_lock.release() 1423 if time.time() > start + self.clear_to_send_timeout: 1424 raise SSHException('Key-exchange timed out waiting for key negotiation') 1425 try: 1426 self._send_message(data) 1427 finally: 1428 self.clear_to_send_lock.release()

1429

1430 - def _set_K_H(self, k, h):

1431 "used by a kex object to set the K (root key) and H (exchange hash)" 1432 self.K = k 1433 self.H = h 1434 if self.session_id == None: 1435 self.session_id = h

1436

1437 - def _expect_packet(self, *ptypes):

1438 "used by a kex object to register the next packet type it expects to see" 1439 self._expected_packet = tuple(ptypes)

1440

1441 - def _verify_key(self, host_key, sig):

1442 key = self._key_info[self.host_key_type](Message(host_key)) 1443 if key is None: 1444 raise SSHException('Unknown host key type') 1445 if not key.verify_ssh_sig(self.H, Message(sig)): 1446 raise SSHException('Signature verification (%s) failed.' % self.host_key_type) 1447 self.host_key = key

1448

1449 - def _compute_key(self, id, nbytes):

1450 "id is 'A' - 'F' for the various keys used by ssh" 1451 m = Message() 1452 m.add_mpint(self.K) 1453 m.add_bytes(self.H) 1454 m.add_byte(id) 1455 m.add_bytes(self.session_id) 1456 out = sofar = SHA.new(str(m)).digest() 1457 while len(out) < nbytes: 1458 m = Message() 1459 m.add_mpint(self.K) 1460 m.add_bytes(self.H) 1461 m.add_bytes(sofar) 1462 digest = SHA.new(str(m)).digest() 1463 out += digest 1464 sofar += digest 1465 return out[:nbytes]

1466

1467 - def _get_cipher(self, name, key, iv):

1468 if name not in self._cipher_info: 1469 raise SSHException('Unknown client cipher ' + name) 1470 if name in ('arcfour128', 'arcfour256'): 1471 # arcfour cipher 1472 cipher = self._cipher_info[name]['class'].new(key) 1473 # as per RFC 4345, the first 1536 bytes of keystream 1474 # generated by the cipher MUST be discarded 1475 cipher.encrypt(" " * 1536) 1476 return cipher 1477 elif name.endswith("-ctr"): 1478 # CTR modes, we need a counter 1479 counter = Counter.new(nbits=self._cipher_info[name]['block-size'] * 8, initial_value=util.inflate_long(iv, True)) 1480 return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv, counter) 1481 else: 1482 return self._cipher_info[name]['class'].new(key, self._cipher_info[name]['mode'], iv)

1483

1484 - def _set_x11_handler(self, handler):

1485 # only called if a channel has turned on x11 forwarding 1486 if handler is None: 1487 # by default, use the same mechanism as accept() 1488 def default_handler(channel, (src_addr, src_port)): 1489 self._queue_incoming_channel(channel)

1490 self._x11_handler = default_handler 1491 else: 1492 self._x11_handler = handler 1493

1494 - def _queue_incoming_channel(self, channel):

1495 self.lock.acquire() 1496 try: 1497 self.server_accepts.append(channel) 1498 self.server_accept_cv.notify() 1499 finally: 1500 self.lock.release()

1501

1502 - def run(self):

1503 # (use the exposed "run" method, because if we specify a thread target 1504 # of a private method, threading.Thread will keep a reference to it 1505 # indefinitely, creating a GC cycle and not letting Transport ever be 1506 # GC'd. it's a bug in Thread.) 1507 1508 # active=True occurs before the thread is launched, to avoid a race 1509 _active_threads.append(self) 1510 if self.server_mode: 1511 self._log(DEBUG, 'starting thread (server mode): %s' % hex(long(id(self)) & 0xffffffffL)) 1512 else: 1513 self._log(DEBUG, 'starting thread (client mode): %s' % hex(long(id(self)) & 0xffffffffL)) 1514 try: 1515 self.packetizer.write_all(self.local_version + '\r\n') 1516 self._check_banner() 1517 self._send_kex_init() 1518 self._expect_packet(MSG_KEXINIT) 1519 1520 while self.active: 1521 if self.packetizer.need_rekey() and not self.in_kex: 1522 self._send_kex_init() 1523 try: 1524 ptype, m = self.packetizer.read_message() 1525 except NeedRekeyException: 1526 continue 1527 if ptype == MSG_IGNORE: 1528 continue 1529 elif ptype == MSG_DISCONNECT: 1530 self._parse_disconnect(m) 1531 self.active = False 1532 self.packetizer.close() 1533 break 1534 elif ptype == MSG_DEBUG: 1535 self._parse_debug(m) 1536 continue 1537 if len(self._expected_packet) > 0: 1538 if ptype not in self._expected_packet: 1539 raise SSHException('Expecting packet from %r, got %d' % (self._expected_packet, ptype)) 1540 self._expected_packet = tuple() 1541 if (ptype >= 30) and (ptype <= 39): 1542 self.kex_engine.parse_next(ptype, m) 1543 continue 1544 1545 if ptype in self._handler_table: 1546 self._handler_table[ptype](self, m) 1547 elif ptype in self._channel_handler_table: 1548 chanid = m.get_int() 1549 chan = self._channels.get(chanid) 1550 if chan is not None: 1551 self._channel_handler_table[ptype](chan, m) 1552 elif chanid in self.channels_seen: 1553 self._log(DEBUG, 'Ignoring message for dead channel %d' % chanid) 1554 else: 1555 self._log(ERROR, 'Channel request for unknown channel %d' % chanid) 1556 self.active = False 1557 self.packetizer.close() 1558 elif (self.auth_handler is not None) and (ptype in self.auth_handler._handler_table): 1559 self.auth_handler._handler_table[ptype](self.auth_handler, m) 1560 else: 1561 self._log(WARNING, 'Oops, unhandled type %d' % ptype) 1562 msg = Message() 1563 msg.add_byte(chr(MSG_UNIMPLEMENTED)) 1564 msg.add_int(m.seqno) 1565 self._send_message(msg) 1566 except SSHException, e: 1567 self._log(ERROR, 'Exception: ' + str(e)) 1568 self._log(ERROR, util.tb_strings()) 1569 self.saved_exception = e 1570 except EOFError, e: 1571 self._log(DEBUG, 'EOF in transport thread') 1572 #self._log(DEBUG, util.tb_strings()) 1573 self.saved_exception = e 1574 except socket.error, e: 1575 if type(e.args) is tuple: 1576 emsg = '%s (%d)' % (e.args[1], e.args[0]) 1577 else: 1578 emsg = e.args 1579 self._log(ERROR, 'Socket exception: ' + emsg) 1580 self.saved_exception = e 1581 except Exception, e: 1582 self._log(ERROR, 'Unknown exception: ' + str(e)) 1583 self._log(ERROR, util.tb_strings()) 1584 self.saved_exception = e 1585 _active_threads.remove(self) 1586 for chan in self._channels.values(): 1587 chan._unlink() 1588 if self.active: 1589 self.active = False 1590 self.packetizer.close() 1591 if self.completion_event != None: 1592 self.completion_event.set() 1593 if self.auth_handler is not None: 1594 self.auth_handler.abort() 1595 for event in self.channel_events.values(): 1596 event.set() 1597 try: 1598 self.lock.acquire() 1599 self.server_accept_cv.notify() 1600 finally: 1601 self.lock.release() 1602 self.sock.close()

1603 1604 1605 ### protocol stages 1606 1607

1608 - def _negotiate_keys(self, m):

1609 # throws SSHException on anything unusual 1610 self.clear_to_send_lock.acquire() 1611 try: 1612 self.clear_to_send.clear() 1613 finally: 1614 self.clear_to_send_lock.release() 1615 if self.local_kex_init == None: 1616 # remote side wants to renegotiate 1617 self._send_kex_init() 1618 self._parse_kex_init(m) 1619 self.kex_engine.start_kex()

1620

1621 - def _check_banner(self):

1622 # this is slow, but we only have to do it once 1623 for i in range(100): 1624 # give them 15 seconds for the first line, then just 2 seconds 1625 # each additional line. (some sites have very high latency.) 1626 if i == 0: 1627 timeout = self.banner_timeout 1628 else: 1629 timeout = 2 1630 try: 1631 buf = self.packetizer.readline(timeout) 1632 except Exception, x: 1633 raise SSHException('Error reading SSH protocol banner' + str(x)) 1634 if buf[:4] == 'SSH-': 1635 break 1636 self._log(DEBUG, 'Banner: ' + buf) 1637 if buf[:4] != 'SSH-': 1638 raise SSHException('Indecipherable protocol version "' + buf + '"') 1639 # save this server version string for later 1640 self.remote_version = buf 1641 # pull off any attached comment 1642 comment = '' 1643 i = string.find(buf, ' ') 1644 if i >= 0: 1645 comment = buf[i+1:] 1646 buf = buf[:i] 1647 # parse out version string and make sure it matches 1648 segs = buf.split('-', 2) 1649 if len(segs) < 3: 1650 raise SSHException('Invalid SSH banner') 1651 version = segs[1] 1652 client = segs[2] 1653 if version != '1.99' and version != '2.0': 1654 raise SSHException('Incompatible version (%s instead of 2.0)' % (version,)) 1655 self._log(INFO, 'Connected (version %s, client %s)' % (version, client))

1656

1657 - def _send_kex_init(self):

1658 """ 1659 announce to the other side that we'd like to negotiate keys, and what 1660 kind of key negotiation we support. 1661 """ 1662 self.clear_to_send_lock.acquire() 1663 try: 1664 self.clear_to_send.clear() 1665 finally: 1666 self.clear_to_send_lock.release() 1667 self.in_kex = True 1668 if self.server_mode: 1669 if (self._modulus_pack is None) and ('diffie-hellman-group-exchange-sha1' in self._preferred_kex): 1670 # can't do group-exchange if we don't have a pack of potential primes 1671 pkex = list(self.get_security_options().kex) 1672 pkex.remove('diffie-hellman-group-exchange-sha1') 1673 self.get_security_options().kex = pkex 1674 available_server_keys = filter(self.server_key_dict.keys().__contains__, 1675 self._preferred_keys) 1676 else: 1677 available_server_keys = self._preferred_keys 1678 1679 m = Message() 1680 m.add_byte(chr(MSG_KEXINIT)) 1681 m.add_bytes(rng.read(16)) 1682 m.add_list(self._preferred_kex) 1683 m.add_list(available_server_keys) 1684 m.add_list(self._preferred_ciphers) 1685 m.add_list(self._preferred_ciphers) 1686 m.add_list(self._preferred_macs) 1687 m.add_list(self._preferred_macs) 1688 m.add_list(self._preferred_compression) 1689 m.add_list(self._preferred_compression) 1690 m.add_string('') 1691 m.add_string('') 1692 m.add_boolean(False) 1693 m.add_int(0) 1694 # save a copy for later (needed to compute a hash) 1695 self.local_kex_init = str(m) 1696 self._send_message(m)

1697

1698 - def _parse_kex_init(self, m):

1699 cookie = m.get_bytes(16) 1700 kex_algo_list = m.get_list() 1701 server_key_algo_list = m.get_list() 1702 client_encrypt_algo_list = m.get_list() 1703 server_encrypt_algo_list = m.get_list() 1704 client_mac_algo_list = m.get_list() 1705 server_mac_algo_list = m.get_list() 1706 client_compress_algo_list = m.get_list() 1707 server_compress_algo_list = m.get_list() 1708 client_lang_list = m.get_list() 1709 server_lang_list = m.get_list() 1710 kex_follows = m.get_boolean() 1711 unused = m.get_int() 1712 1713 self._log(DEBUG, 'kex algos:' + str(kex_algo_list) + ' server key:' + str(server_key_algo_list) + \ 1714 ' client encrypt:' + str(client_encrypt_algo_list) + \ 1715 ' server encrypt:' + str(server_encrypt_algo_list) + \ 1716 ' client mac:' + str(client_mac_algo_list) + \ 1717 ' server mac:' + str(server_mac_algo_list) + \ 1718 ' client compress:' + str(client_compress_algo_list) + \ 1719 ' server compress:' + str(server_compress_algo_list) + \ 1720 ' client lang:' + str(client_lang_list) + \ 1721 ' server lang:' + str(server_lang_list) + \ 1722 ' kex follows?' + str(kex_follows)) 1723 1724 # as a server, we pick the first item in the client's list that we support. 1725 # as a client, we pick the first item in our list that the server supports. 1726 if self.server_mode: 1727 agreed_kex = filter(self._preferred_kex.__contains__, kex_algo_list) 1728 else: 1729 agreed_kex = filter(kex_algo_list.__contains__, self._preferred_kex) 1730 if len(agreed_kex) == 0: 1731 raise SSHException('Incompatible ssh peer (no acceptable kex algorithm)') 1732 self.kex_engine = self._kex_info[agreed_kex[0]](self) 1733 1734 if self.server_mode: 1735 available_server_keys = filter(self.server_key_dict.keys().__contains__, 1736 self._preferred_keys) 1737 agreed_keys = filter(available_server_keys.__contains__, server_key_algo_list) 1738 else: 1739 agreed_keys = filter(server_key_algo_list.__contains__, self._preferred_keys) 1740 if len(agreed_keys) == 0: 1741 raise SSHException('Incompatible ssh peer (no acceptable host key)') 1742 self.host_key_type = agreed_keys[0] 1743 if self.server_mode and (self.get_server_key() is None): 1744 raise SSHException('Incompatible ssh peer (can\'t match requested host key type)') 1745 1746 if self.server_mode: 1747 agreed_local_ciphers = filter(self._preferred_ciphers.__contains__, 1748 server_encrypt_algo_list) 1749 agreed_remote_ciphers = filter(self._preferred_ciphers.__contains__, 1750 client_encrypt_algo_list) 1751 else: 1752 agreed_local_ciphers = filter(client_encrypt_algo_list.__contains__, 1753 self._preferred_ciphers) 1754 agreed_remote_ciphers = filter(server_encrypt_algo_list.__contains__, 1755 self._preferred_ciphers) 1756 if (len(agreed_local_ciphers) == 0) or (len(agreed_remote_ciphers) == 0): 1757 raise SSHException('Incompatible ssh server (no acceptable ciphers)') 1758 self.local_cipher = agreed_local_ciphers[0] 1759 self.remote_cipher = agreed_remote_ciphers[0] 1760 self._log(DEBUG, 'Ciphers agreed: local=%s, remote=%s' % (self.local_cipher, self.remote_cipher)) 1761 1762 if self.server_mode: 1763 agreed_remote_macs = filter(self._preferred_macs.__contains__, client_mac_algo_list) 1764 agreed_local_macs = filter(self._preferred_macs.__contains__, server_mac_algo_list) 1765 else: 1766 agreed_local_macs = filter(client_mac_algo_list.__contains__, self._preferred_macs) 1767 agreed_remote_macs = filter(server_mac_algo_list.__contains__, self._preferred_macs) 1768 if (len(agreed_local_macs) == 0) or (len(agreed_remote_macs) == 0): 1769 raise SSHException('Incompatible ssh server (no acceptable macs)') 1770 self.local_mac = agreed_local_macs[0] 1771 self.remote_mac = agreed_remote_macs[0] 1772 1773 if self.server_mode: 1774 agreed_remote_compression = filter(self._preferred_compression.__contains__, client_compress_algo_list) 1775 agreed_local_compression = filter(self._preferred_compression.__contains__, server_compress_algo_list) 1776 else: 1777 agreed_local_compression = filter(client_compress_algo_list.__contains__, self._preferred_compression) 1778 agreed_remote_compression = filter(server_compress_algo_list.__contains__, self._preferred_compression) 1779 if (len(agreed_local_compression) == 0) or (len(agreed_remote_compression) == 0): 1780 raise SSHException('Incompatible ssh server (no acceptable compression) %r %r %r' % (agreed_local_compression, agreed_remote_compression, self._preferred_compression)) 1781 self.local_compression = agreed_local_compression[0] 1782 self.remote_compression = agreed_remote_compression[0] 1783 1784 self._log(DEBUG, 'using kex %s; server key type %s; cipher: local %s, remote %s; mac: local %s, remote %s; compression: local %s, remote %s' % 1785 (agreed_kex[0], self.host_key_type, self.local_cipher, self.remote_cipher, self.local_mac, 1786 self.remote_mac, self.local_compression, self.remote_compression)) 1787 1788 # save for computing hash later... 1789 # now wait! openssh has a bug (and others might too) where there are 1790 # actually some extra bytes (one NUL byte in openssh's case) added to 1791 # the end of the packet but not parsed. turns out we need to throw 1792 # away those bytes because they aren't part of the hash. 1793 self.remote_kex_init = chr(MSG_KEXINIT) + m.get_so_far()

1794

1795 - def _activate_inbound(self):

1796 "switch on newly negotiated encryption parameters for inbound traffic" 1797 block_size = self._cipher_info[self.remote_cipher]['block-size'] 1798 if self.server_mode: 1799 IV_in = self._compute_key('A', block_size) 1800 key_in = self._compute_key('C', self._cipher_info[self.remote_cipher]['key-size']) 1801 else: 1802 IV_in = self._compute_key('B', block_size) 1803 key_in = self._compute_key('D', self._cipher_info[self.remote_cipher]['key-size']) 1804 engine = self._get_cipher(self.remote_cipher, key_in, IV_in) 1805 mac_size = self._mac_info[self.remote_mac]['size'] 1806 mac_engine = self._mac_info[self.remote_mac]['class'] 1807 # initial mac keys are done in the hash's natural size (not the potentially truncated 1808 # transmission size) 1809 if self.server_mode: 1810 mac_key = self._compute_key('E', mac_engine.digest_size) 1811 else: 1812 mac_key = self._compute_key('F', mac_engine.digest_size) 1813 self.packetizer.set_inbound_cipher(engine, block_size, mac_engine, mac_size, mac_key) 1814 compress_in = self._compression_info[self.remote_compression][1] 1815 if (compress_in is not None) and ((self.remote_compression != 'zlib@openssh.com') or self.authenticated): 1816 self._log(DEBUG, 'Switching on inbound compression ...') 1817 self.packetizer.set_inbound_compressor(compress_in())

1818

1819 - def _activate_outbound(self):

1820 "switch on newly negotiated encryption parameters for outbound traffic" 1821 m = Message() 1822 m.add_byte(chr(MSG_NEWKEYS)) 1823 self._send_message(m) 1824 block_size = self._cipher_info[self.local_cipher]['block-size'] 1825 if self.server_mode: 1826 IV_out = self._compute_key('B', block_size) 1827 key_out = self._compute_key('D', self._cipher_info[self.local_cipher]['key-size']) 1828 else: 1829 IV_out = self._compute_key('A', block_size) 1830 key_out = self._compute_key('C', self._cipher_info[self.local_cipher]['key-size']) 1831 engine = self._get_cipher(self.local_cipher, key_out, IV_out) 1832 mac_size = self._mac_info[self.local_mac]['size'] 1833 mac_engine = self._mac_info[self.local_mac]['class'] 1834 # initial mac keys are done in the hash's natural size (not the potentially truncated 1835 # transmission size) 1836 if self.server_mode: 1837 mac_key = self._compute_key('F', mac_engine.digest_size) 1838 else: 1839 mac_key = self._compute_key('E', mac_engine.digest_size) 1840 self.packetizer.set_outbound_cipher(engine, block_size, mac_engine, mac_size, mac_key) 1841 compress_out = self._compression_info[self.local_compression][0] 1842 if (compress_out is not None) and ((self.local_compression != 'zlib@openssh.com') or self.authenticated): 1843 self._log(DEBUG, 'Switching on outbound compression ...') 1844 self.packetizer.set_outbound_compressor(compress_out()) 1845 if not self.packetizer.need_rekey(): 1846 self.in_kex = False 1847 # we always expect to receive NEWKEYS now 1848 self._expect_packet(MSG_NEWKEYS)

1849

1850 - def _auth_trigger(self):

1851 self.authenticated = True 1852 # delayed initiation of compression 1853 if self.local_compression == 'zlib@openssh.com': 1854 compress_out = self._compression_info[self.local_compression][0] 1855 self._log(DEBUG, 'Switching on outbound compression ...') 1856 self.packetizer.set_outbound_compressor(compress_out()) 1857 if self.remote_compression == 'zlib@openssh.com': 1858 compress_in = self._compression_info[self.remote_compression][1] 1859 self._log(DEBUG, 'Switching on inbound compression ...') 1860 self.packetizer.set_inbound_compressor(compress_in())

1861

1862 - def _parse_newkeys(self, m):

1863 self._log(DEBUG, 'Switch to new keys ...') 1864 self._activate_inbound() 1865 # can also free a bunch of stuff here 1866 self.local_kex_init = self.remote_kex_init = None 1867 self.K = None 1868 self.kex_engine = None 1869 if self.server_mode and (self.auth_handler is None): 1870 # create auth handler for server mode 1871 self.auth_handler = AuthHandler(self) 1872 if not self.initial_kex_done: 1873 # this was the first key exchange 1874 self.initial_kex_done = True 1875 # send an event? 1876 if self.completion_event != None: 1877 self.completion_event.set() 1878 # it's now okay to send data again (if this was a re-key) 1879 if not self.packetizer.need_rekey(): 1880 self.in_kex = False 1881 self.clear_to_send_lock.acquire() 1882 try: 1883 self.clear_to_send.set() 1884 finally: 1885 self.clear_to_send_lock.release() 1886 return

1887

1888 - def _parse_disconnect(self, m):

1889 code = m.get_int() 1890 desc = m.get_string() 1891 self._log(INFO, 'Disconnect (code %d): %s' % (code, desc))

1892

1893 - def _parse_global_request(self, m):

1894 kind = m.get_string() 1895 self._log(DEBUG, 'Received global request "%s"' % kind) 1896 want_reply = m.get_boolean() 1897 if not self.server_mode: 1898 self._log(DEBUG, 'Rejecting "%s" global request from server.' % kind) 1899 ok = False 1900 elif kind == 'tcpip-forward': 1901 address = m.get_string() 1902 port = m.get_int() 1903 ok = self.server_object.check_port_forward_request(address, port) 1904 if ok != False: 1905 ok = (ok,) 1906 elif kind == 'cancel-tcpip-forward': 1907 address = m.get_string() 1908 port = m.get_int() 1909 self.server_object.cancel_port_forward_request(address, port) 1910 ok = True 1911 else: 1912 ok = self.server_object.check_global_request(kind, m) 1913 extra = () 1914 if type(ok) is tuple: 1915 extra = ok 1916 ok = True 1917 if want_reply: 1918 msg = Message() 1919 if ok: 1920 msg.add_byte(chr(MSG_REQUEST_SUCCESS)) 1921 msg.add(*extra) 1922 else: 1923 msg.add_byte(chr(MSG_REQUEST_FAILURE)) 1924 self._send_message(msg)

1925

1926 - def _parse_request_success(self, m):

1927 self._log(DEBUG, 'Global request successful.') 1928 self.global_response = m 1929 if self.completion_event is not None: 1930 self.completion_event.set()

1931

1932 - def _parse_request_failure(self, m):

1933 self._log(DEBUG, 'Global request denied.') 1934 self.global_response = None 1935 if self.completion_event is not None: 1936 self.completion_event.set()

1937

1938 - def _parse_channel_open_success(self, m):

1939 chanid = m.get_int() 1940 server_chanid = m.get_int() 1941 server_window_size = m.get_int() 1942 server_max_packet_size = m.get_int() 1943 chan = self._channels.get(chanid) 1944 if chan is None: 1945 self._log(WARNING, 'Success for unrequested channel! [??]') 1946 return 1947 self.lock.acquire() 1948 try: 1949 chan._set_remote_channel(server_chanid, server_window_size, server_max_packet_size) 1950 self._log(INFO, 'Secsh channel %d opened.' % chanid) 1951 if chanid in self.channel_events: 1952 self.channel_events[chanid].set() 1953 del self.channel_events[chanid] 1954 finally: 1955 self.lock.release() 1956 return

1957

1958 - def _parse_channel_open_failure(self, m):

1959 chanid = m.get_int() 1960 reason = m.get_int() 1961 reason_str = m.get_string() 1962 lang = m.get_string() 1963 reason_text = CONNECTION_FAILED_CODE.get(reason, '(unknown code)') 1964 self._log(INFO, 'Secsh channel %d open FAILED: %s: %s' % (chanid, reason_str, reason_text)) 1965 self.lock.acquire() 1966 try: 1967 self.saved_exception = ChannelException(reason, reason_text) 1968 if chanid in self.channel_events: 1969 self._channels.delete(chanid) 1970 if chanid in self.channel_events: 1971 self.channel_events[chanid].set() 1972 del self.channel_events[chanid] 1973 finally: 1974 self.lock.release() 1975 return

1976

1977 - def _parse_channel_open(self, m):

1978 kind = m.get_string() 1979 chanid = m.get_int() 1980 initial_window_size = m.get_int() 1981 max_packet_size = m.get_int() 1982 reject = False 1983 if (kind == 'x11') and (self._x11_handler is not None): 1984 origin_addr = m.get_string() 1985 origin_port = m.get_int() 1986 self._log(DEBUG, 'Incoming x11 connection from %s:%d' % (origin_addr, origin_port)) 1987 self.lock.acquire() 1988 try: 1989 my_chanid = self._next_channel() 1990 finally: 1991 self.lock.release() 1992 elif (kind == 'forwarded-tcpip') and (self._tcp_handler is not None): 1993 server_addr = m.get_string() 1994 server_port = m.get_int() 1995 origin_addr = m.get_string() 1996 origin_port = m.get_int() 1997 self._log(DEBUG, 'Incoming tcp forwarded connection from %s:%d' % (origin_addr, origin_port)) 1998 self.lock.acquire() 1999 try: 2000 my_chanid = self._next_channel() 2001 finally: 2002 self.lock.release() 2003 elif not self.server_mode: 2004 self._log(DEBUG, 'Rejecting "%s" channel request from server.' % kind) 2005 reject = True 2006 reason = OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED 2007 else: 2008 self.lock.acquire() 2009 try: 2010 my_chanid = self._next_channel() 2011 finally: 2012 self.lock.release() 2013 if kind == 'direct-tcpip': 2014 # handle direct-tcpip requests comming from the client 2015 dest_addr = m.get_string() 2016 dest_port = m.get_int() 2017 origin_addr = m.get_string() 2018 origin_port = m.get_int() 2019 reason = self.server_object.check_channel_direct_tcpip_request( 2020 my_chanid, (origin_addr, origin_port), 2021 (dest_addr, dest_port)) 2022 else: 2023 reason = self.server_object.check_channel_request(kind, my_chanid) 2024 if reason != OPEN_SUCCEEDED: 2025 self._log(DEBUG, 'Rejecting "%s" channel request from client.' % kind) 2026 reject = True 2027 if reject: 2028 msg = Message() 2029 msg.add_byte(chr(MSG_CHANNEL_OPEN_FAILURE)) 2030 msg.add_int(chanid) 2031 msg.add_int(reason) 2032 msg.add_string('') 2033 msg.add_string('en') 2034 self._send_message(msg) 2035 return 2036 2037 chan = Channel(my_chanid) 2038 self.lock.acquire() 2039 try: 2040 self._channels.put(my_chanid, chan) 2041 self.channels_seen[my_chanid] = True 2042 chan._set_transport(self) 2043 chan._set_window(self.window_size, self.max_packet_size) 2044 chan._set_remote_channel(chanid, initial_window_size, max_packet_size) 2045 finally: 2046 self.lock.release() 2047 m = Message() 2048 m.add_byte(chr(MSG_CHANNEL_OPEN_SUCCESS)) 2049 m.add_int(chanid) 2050 m.add_int(my_chanid) 2051 m.add_int(self.window_size) 2052 m.add_int(self.max_packet_size) 2053 self._send_message(m) 2054 self._log(INFO, 'Secsh channel %d (%s) opened.', my_chanid, kind) 2055 if kind == 'x11': 2056 self._x11_handler(chan, (origin_addr, origin_port)) 2057 elif kind == 'forwarded-tcpip': 2058 chan.origin_addr = (origin_addr, origin_port) 2059 self._tcp_handler(chan, (origin_addr, origin_port), (server_addr, server_port)) 2060 else: 2061 self._queue_incoming_channel(chan)

2062

2063 - def _parse_debug(self, m):

2064 always_display = m.get_boolean() 2065 msg = m.get_string() 2066 lang = m.get_string() 2067 self._log(DEBUG, 'Debug msg: ' + util.safe_string(msg))

2068

2069 - def _get_subsystem_handler(self, name):

2070 try: 2071 self.lock.acquire() 2072 if name not in self.subsystem_table: 2073 return (None, [], {}) 2074 return self.subsystem_table[name] 2075 finally: 2076 self.lock.release()

2077 2078 _handler_table = { 2079 MSG_NEWKEYS: _parse_newkeys, 2080 MSG_GLOBAL_REQUEST: _parse_global_request, 2081 MSG_REQUEST_SUCCESS: _parse_request_success, 2082 MSG_REQUEST_FAILURE: _parse_request_failure, 2083 MSG_CHANNEL_OPEN_SUCCESS: _parse_channel_open_success, 2084 MSG_CHANNEL_OPEN_FAILURE: _parse_channel_open_failure, 2085 MSG_CHANNEL_OPEN: _parse_channel_open, 2086 MSG_KEXINIT: _negotiate_keys, 2087 } 2088 2089 _channel_handler_table = { 2090 MSG_CHANNEL_SUCCESS: Channel._request_success, 2091 MSG_CHANNEL_FAILURE: Channel._request_failed, 2092 MSG_CHANNEL_DATA: Channel._feed, 2093 MSG_CHANNEL_EXTENDED_DATA: Channel._feed_extended, 2094 MSG_CHANNEL_WINDOW_ADJUST: Channel._window_adjust, 2095 MSG_CHANNEL_REQUEST: Channel._handle_request, 2096 MSG_CHANNEL_EOF: Channel._handle_eof, 2097 MSG_CHANNEL_CLOSE: Channel._handle_close, 2098 } 2099

Source Code for Module paramiko.transport