4

Here is a simple twisted application:

from twisted.cred import checkers, portal
from twisted.conch import manhole, manhole_ssh
from twisted.conch.insults import insults

from twisted.application import service, internet
from twisted.internet import endpoints, reactor


def makeManholeService(namespace):
    checker = checkers.InMemoryUsernamePasswordDatabaseDontUse(
        username="password")

    realm = manhole_ssh.TerminalRealm()
    realm.chainedProtocolFactory = lambda: insults.ServerProtocol(
                                        manhole.ColoredManhole, namespace)
    prt = portal.Portal(realm, [checker])
    factory = manhole_ssh.ConchFactory(prt)

    endp = endpoints.serverFromString(reactor, 'tcp:6022')

    manholeService = internet.StreamServerEndpointService(endp, factory)
    return manholeService


application = service.Application("my app")
manholeService = makeManholeService({'foo': 'bar'})
manholeService.setServiceParent(application)

We can connect to it with ssh:

$ ssh username@localhost -p 6022
username@localhost's password:

>>> foo
'bar'
>>>

Now I want to replace InMemoryUsernamePasswordDatabaseDontUse such that the server can authenticate users, who identify themselves using rsa/dsa keys.

Do I have to implement a checker?

For example, I have some public keys listed in ~/.ssh/authorized_keys. The SSH server should reject all connections, except those that can be verified using public keys in that file.

Maxim
  • 1,783
  • 2
  • 14
  • 24

1 Answers1

3

Yes, you need to make a checker. But there are building blocks you can use within Conch that should make it pretty easy. Ying Li has an example project, "ess" ("SSH" without the "SH") that implements some checkers that you might be interested in checking out.

Glyph
  • 31,152
  • 11
  • 87
  • 129
  • 1
    Thanks for the answer. At first I looked at `twisted.cred.checkers`. Now I found that there is also `twisted.conch.checkers`, that contains `SSHPublicKeyDatabase`. It looks like what I need. You re – Maxim Jul 27 '14 at 15:53
  • `twisted.conch.checkers.SSHPublicKeyDatabase` looks very similar to `ess.checkers.SSHPublicKeyChecker`, which you pointed me to. Now I am confused. Isn't `twisted.conch.checkers.SSHPublicKeyDatabase` sufficient? – Maxim Jul 27 '14 at 16:08
  • The difference is that in Ess there is an explicit mapping object for separating out the `getpwnam` API call which locates a user's UNIX home directory. You can see Ess has separate classes, `AuthorizedKeysFilesMapping` and `UNIXAuthorizedKeysFiles`, which look up authorized keys from a mapping in memory and from the UNIX account database API, respectively. – Glyph Jul 28 '14 at 22:59
  • In fact, this useful functionality in ess was contributed by cyli back to Twisted, so in the upcoming release of Twisted (14.1, which is not out yet) you'll be able to use `twisted.conch.checkers.SSHPublicKeyChecker` instead, and `SSHPublicKeyDatabase` will be deprecated. – Glyph Jul 28 '14 at 23:00