mirror of
https://github.com/tahoe-lafs/tahoe-lafs.git
synced 2024-12-27 00:21:07 +00:00
259 lines
9.4 KiB
Python
259 lines
9.4 KiB
Python
|
|
||
|
# this is adapted from my code in Buildbot -warner
|
||
|
|
||
|
import os.path
|
||
|
import binascii, base64
|
||
|
from twisted.python import log
|
||
|
from twisted.application import service, strports
|
||
|
from twisted.cred import checkers, portal
|
||
|
from twisted.conch import manhole, telnet, manhole_ssh, checkers as conchc
|
||
|
from twisted.conch.insults import insults
|
||
|
from twisted.internet import protocol
|
||
|
|
||
|
from zope.interface import implements
|
||
|
|
||
|
# makeTelnetProtocol and _TelnetRealm are for the TelnetManhole
|
||
|
|
||
|
class makeTelnetProtocol:
|
||
|
# this curries the 'portal' argument into a later call to
|
||
|
# TelnetTransport()
|
||
|
def __init__(self, portal):
|
||
|
self.portal = portal
|
||
|
|
||
|
def __call__(self):
|
||
|
auth = telnet.AuthenticatingTelnetProtocol
|
||
|
return telnet.TelnetTransport(auth, self.portal)
|
||
|
|
||
|
class _TelnetRealm:
|
||
|
implements(portal.IRealm)
|
||
|
|
||
|
def __init__(self, namespace_maker):
|
||
|
self.namespace_maker = namespace_maker
|
||
|
|
||
|
def requestAvatar(self, avatarId, *interfaces):
|
||
|
if telnet.ITelnetProtocol in interfaces:
|
||
|
namespace = self.namespace_maker()
|
||
|
p = telnet.TelnetBootstrapProtocol(insults.ServerProtocol,
|
||
|
manhole.ColoredManhole,
|
||
|
namespace)
|
||
|
return (telnet.ITelnetProtocol, p, lambda: None)
|
||
|
raise NotImplementedError()
|
||
|
|
||
|
|
||
|
class chainedProtocolFactory:
|
||
|
# this curries the 'namespace' argument into a later call to
|
||
|
# chainedProtocolFactory()
|
||
|
def __init__(self, namespace):
|
||
|
self.namespace = namespace
|
||
|
|
||
|
def __call__(self):
|
||
|
return insults.ServerProtocol(manhole.ColoredManhole, self.namespace)
|
||
|
|
||
|
class AuthorizedKeysChecker(conchc.SSHPublicKeyDatabase):
|
||
|
"""Accept connections using SSH keys from a given file.
|
||
|
|
||
|
SSHPublicKeyDatabase takes the username that the prospective client has
|
||
|
requested and attempts to get a ~/.ssh/authorized_keys file for that
|
||
|
username. This requires root access, so it isn't as useful as you'd
|
||
|
like.
|
||
|
|
||
|
Instead, this subclass looks for keys in a single file, given as an
|
||
|
argument. This file is typically kept in the buildmaster's basedir. The
|
||
|
file should have 'ssh-dss ....' lines in it, just like authorized_keys.
|
||
|
"""
|
||
|
|
||
|
def __init__(self, authorized_keys_file):
|
||
|
self.authorized_keys_file = os.path.expanduser(authorized_keys_file)
|
||
|
|
||
|
def checkKey(self, credentials):
|
||
|
f = open(self.authorized_keys_file)
|
||
|
for l in f.readlines():
|
||
|
l2 = l.split()
|
||
|
if len(l2) < 2:
|
||
|
continue
|
||
|
try:
|
||
|
if base64.decodestring(l2[1]) == credentials.blob:
|
||
|
return 1
|
||
|
except binascii.Error:
|
||
|
continue
|
||
|
return 0
|
||
|
|
||
|
|
||
|
class _BaseManhole(service.MultiService):
|
||
|
"""This provides remote access to a python interpreter (a read/exec/print
|
||
|
loop) embedded in the buildmaster via an internal SSH server. This allows
|
||
|
detailed inspection of the buildmaster state. It is of most use to
|
||
|
buildbot developers. Connect to this by running an ssh client.
|
||
|
"""
|
||
|
|
||
|
def __init__(self, port, checker, using_ssh=True):
|
||
|
"""
|
||
|
@type port: string or int
|
||
|
@param port: what port should the Manhole listen on? This is a
|
||
|
strports specification string, like 'tcp:12345' or
|
||
|
'tcp:12345:interface=127.0.0.1'. Bare integers are treated as a
|
||
|
simple tcp port.
|
||
|
|
||
|
@type checker: an object providing the
|
||
|
L{twisted.cred.checkers.ICredentialsChecker} interface
|
||
|
@param checker: if provided, this checker is used to authenticate the
|
||
|
client instead of using the username/password scheme. You must either
|
||
|
provide a username/password or a Checker. Some useful values are::
|
||
|
import twisted.cred.checkers as credc
|
||
|
import twisted.conch.checkers as conchc
|
||
|
c = credc.AllowAnonymousAccess # completely open
|
||
|
c = credc.FilePasswordDB(passwd_filename) # file of name:passwd
|
||
|
c = conchc.UNIXPasswordDatabase # getpwnam() (probably /etc/passwd)
|
||
|
|
||
|
@type using_ssh: bool
|
||
|
@param using_ssh: If True, accept SSH connections. If False, accept
|
||
|
regular unencrypted telnet connections.
|
||
|
"""
|
||
|
|
||
|
# unfortunately, these don't work unless we're running as root
|
||
|
#c = credc.PluggableAuthenticationModulesChecker: PAM
|
||
|
#c = conchc.SSHPublicKeyDatabase() # ~/.ssh/authorized_keys
|
||
|
# and I can't get UNIXPasswordDatabase to work
|
||
|
|
||
|
service.MultiService.__init__(self)
|
||
|
if type(port) is int:
|
||
|
port = "tcp:%d" % port
|
||
|
self.port = port # for comparison later
|
||
|
self.checker = checker # to maybe compare later
|
||
|
|
||
|
def makeNamespace():
|
||
|
# close over 'self' so we can get access to .parent later
|
||
|
client = self.parent
|
||
|
namespace = {
|
||
|
'client': client,
|
||
|
}
|
||
|
return namespace
|
||
|
|
||
|
def makeProtocol():
|
||
|
namespace = makeNamespace()
|
||
|
p = insults.ServerProtocol(manhole.ColoredManhole, namespace)
|
||
|
return p
|
||
|
|
||
|
self.using_ssh = using_ssh
|
||
|
if using_ssh:
|
||
|
r = manhole_ssh.TerminalRealm()
|
||
|
r.chainedProtocolFactory = makeProtocol
|
||
|
p = portal.Portal(r, [self.checker])
|
||
|
f = manhole_ssh.ConchFactory(p)
|
||
|
else:
|
||
|
r = _TelnetRealm(makeNamespace)
|
||
|
p = portal.Portal(r, [self.checker])
|
||
|
f = protocol.ServerFactory()
|
||
|
f.protocol = makeTelnetProtocol(p)
|
||
|
s = strports.service(self.port, f)
|
||
|
s.setServiceParent(self)
|
||
|
|
||
|
|
||
|
def startService(self):
|
||
|
service.MultiService.startService(self)
|
||
|
if self.using_ssh:
|
||
|
via = "via SSH"
|
||
|
else:
|
||
|
via = "via telnet"
|
||
|
log.msg("Manhole listening %s on port %s" % (via, self.port))
|
||
|
|
||
|
|
||
|
class TelnetManhole(_BaseManhole):
|
||
|
"""This Manhole accepts unencrypted (telnet) connections, and requires a
|
||
|
username and password authorize access. You are encouraged to use the
|
||
|
encrypted ssh-based manhole classes instead."""
|
||
|
|
||
|
def __init__(self, port, username, password):
|
||
|
"""
|
||
|
@type port: string or int
|
||
|
@param port: what port should the Manhole listen on? This is a
|
||
|
strports specification string, like 'tcp:12345' or
|
||
|
'tcp:12345:interface=127.0.0.1'. Bare integers are treated as a
|
||
|
simple tcp port.
|
||
|
|
||
|
@param username:
|
||
|
@param password: username= and password= form a pair of strings to
|
||
|
use when authenticating the remote user.
|
||
|
"""
|
||
|
|
||
|
self.username = username
|
||
|
self.password = password
|
||
|
|
||
|
c = checkers.InMemoryUsernamePasswordDatabaseDontUse()
|
||
|
c.addUser(username, password)
|
||
|
|
||
|
_BaseManhole.__init__(self, port, c, using_ssh=False)
|
||
|
|
||
|
class PasswordManhole(_BaseManhole):
|
||
|
"""This Manhole accepts encrypted (ssh) connections, and requires a
|
||
|
username and password to authorize access.
|
||
|
"""
|
||
|
|
||
|
def __init__(self, port, username, password):
|
||
|
"""
|
||
|
@type port: string or int
|
||
|
@param port: what port should the Manhole listen on? This is a
|
||
|
strports specification string, like 'tcp:12345' or
|
||
|
'tcp:12345:interface=127.0.0.1'. Bare integers are treated as a
|
||
|
simple tcp port.
|
||
|
|
||
|
@param username:
|
||
|
@param password: username= and password= form a pair of strings to
|
||
|
use when authenticating the remote user.
|
||
|
"""
|
||
|
|
||
|
self.username = username
|
||
|
self.password = password
|
||
|
|
||
|
c = checkers.InMemoryUsernamePasswordDatabaseDontUse()
|
||
|
c.addUser(username, password)
|
||
|
|
||
|
_BaseManhole.__init__(self, port, c)
|
||
|
|
||
|
class AuthorizedKeysManhole(_BaseManhole):
|
||
|
"""This Manhole accepts ssh connections, and requires that the
|
||
|
prospective client have an ssh private key that matches one of the public
|
||
|
keys in our authorized_keys file. It is created with the name of a file
|
||
|
that contains the public keys that we will accept."""
|
||
|
|
||
|
def __init__(self, port, keyfile):
|
||
|
"""
|
||
|
@type port: string or int
|
||
|
@param port: what port should the Manhole listen on? This is a
|
||
|
strports specification string, like 'tcp:12345' or
|
||
|
'tcp:12345:interface=127.0.0.1'. Bare integers are treated as a
|
||
|
simple tcp port.
|
||
|
|
||
|
@param keyfile: the name of a file (relative to the buildmaster's
|
||
|
basedir) that contains SSH public keys of authorized
|
||
|
users, one per line. This is the exact same format
|
||
|
as used by sshd in ~/.ssh/authorized_keys .
|
||
|
"""
|
||
|
|
||
|
# TODO: expanduser this, and make it relative to the buildmaster's
|
||
|
# basedir
|
||
|
self.keyfile = keyfile
|
||
|
c = AuthorizedKeysChecker(keyfile)
|
||
|
_BaseManhole.__init__(self, port, c)
|
||
|
|
||
|
class ArbitraryCheckerManhole(_BaseManhole):
|
||
|
"""This Manhole accepts ssh connections, but uses an arbitrary
|
||
|
user-supplied 'checker' object to perform authentication."""
|
||
|
|
||
|
def __init__(self, port, checker):
|
||
|
"""
|
||
|
@type port: string or int
|
||
|
@param port: what port should the Manhole listen on? This is a
|
||
|
strports specification string, like 'tcp:12345' or
|
||
|
'tcp:12345:interface=127.0.0.1'. Bare integers are treated as a
|
||
|
simple tcp port.
|
||
|
|
||
|
@param checker: an instance of a twisted.cred 'checker' which will
|
||
|
perform authentication
|
||
|
"""
|
||
|
|
||
|
_BaseManhole.__init__(self, port, checker)
|
||
|
|
||
|
|
||
|
|