From shonencd86 at gmail.com Wed Jan 2 12:58:31 2008 From: shonencd86 at gmail.com (Shonen) Date: Wed, 2 Jan 2008 15:58:31 -0500 Subject: [paramiko] A progress bar for Paramiko SFTP Message-ID: <6e41b62d0801021258q3abf2a88s49300c5cdd5bc588@mail.gmail.com> I was wondering if anyone has actually created a progress bar for the put and get methods of paramiko. I have a GTK GUI that I've been working on and would really like to be able to update the GUI's progress bar when using those methods. Thanks very much!! -- John aka "Shonen" \m/ >_< \m/ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.lag.net/pipermail/paramiko/attachments/20080102/ebd4f063/attachment.htm From dwayne at oscl.ca Thu Jan 3 08:03:16 2008 From: dwayne at oscl.ca (Dwayne Litzenberger) Date: Thu, 3 Jan 2008 10:03:16 -0600 Subject: [paramiko] [PATCH] SSHClient, win_pageant and missing MFC71.DLL: Disallowing the use of ssh-agent In-Reply-To: <200801030954.42462.dwayne@oscl.ca> References: <200712190941.22135.dwayne@oscl.ca> <200801030954.42462.dwayne@oscl.ca> Message-ID: <200801031003.16719.dwayne@oscl.ca> On January 3, 2008 09:54:42 am Dwayne Litzenberger wrote: > > I've attached a patch that adds an "allow_agent" parameter to > > SSHClient.connect(). > > And here's a bzr bundle against http://www.lag.net/paramiko/bzr/paramiko/ > (revision 460), if you prefer that. Oops! The bundle I sent was generated with SUBMIT_BRANCH and PUBLIC_BRANCH swapped, so it won't merge cleanly. Here's an updated one. -- Dwayne Litzenberger, B.A.Sc. Information Technology Analyst Open Systems Canada Limited #210 - 2332 11th Ave Regina, SK S4P0K1 Office: (306) 359-OSCL (6725) http://www.oscl.ca/ -------------- next part -------------- A non-text attachment was scrubbed... Name: paramiko-allow_agent2.bundle Type: text/x-diff Size: 4456 bytes Desc: not available Url : http://www.lag.net/pipermail/paramiko/attachments/20080103/8048afc1/attachment.diff From dwayne at oscl.ca Thu Jan 3 07:54:42 2008 From: dwayne at oscl.ca (Dwayne Litzenberger) Date: Thu, 3 Jan 2008 09:54:42 -0600 Subject: [paramiko] [PATCH] SSHClient, win_pageant and missing MFC71.DLL: Disallowing the use of ssh-agent In-Reply-To: <200712190941.22135.dwayne@oscl.ca> References: <200712190941.22135.dwayne@oscl.ca> Message-ID: <200801030954.42462.dwayne@oscl.ca> > I've attached a patch that adds an "allow_agent" parameter to > SSHClient.connect(). And here's a bzr bundle against http://www.lag.net/paramiko/bzr/paramiko/ (revision 460), if you prefer that. -- Dwayne Litzenberger, B.A.Sc. Information Technology Analyst Open Systems Canada Limited #210 - 2332 11th Ave Regina, SK S4P0K1 Office: (306) 359-OSCL (6725) http://www.oscl.ca/ -------------- next part -------------- A non-text attachment was scrubbed... Name: paramiko-allow_agent.bundle Type: text/x-diff Size: 3113 bytes Desc: not available Url : http://www.lag.net/pipermail/paramiko/attachments/20080103/118bf9bb/attachment.diff From jacobidiego at gmail.com Fri Jan 4 18:14:25 2008 From: jacobidiego at gmail.com (Diego Jacobi) Date: Sat, 5 Jan 2008 00:14:25 -0200 Subject: [paramiko] Hostkeys acception Policy Message-ID: <5de034af0801041814m48f32c67jadea8d85df6dbafc@mail.gmail.com> Hello. I was going to write a log mail to ask for help, but i have already resolved it with lots and increible lots of hours, so i send what the problem was and how i have solved it for any other who haves the same problem. I have a method called tryconnect which is called from a thread in python: self._connect_thread = DepThread( target=self.tryConnect, args=() ) self._connect_thread.start() inside the tryconnect i call connect and manage its exceptions. When an exception occurs i call a callback which shows the info to the user. I got on the need to ask the user to accept a new hostkey when it is not on the hostkeys list. So i made my own Policy: class HostkeyUserRejectedException(paramiko.AuthenticationException): """ Exception raised when the hostkey is rejected by the user. """ pass class Policy_with_callback(paramiko.AutoAddPolicy, paramiko.RejectPolicy): def __init__(self,callback): self.callback = callback def missing_host_key(self, client, hostname, key): """ Called when an SSHClient receives a server key for a server that isn't in either the system or local HostKeys object. To accept the key, simply return. To reject, raise an exception (which will be passed to the calling application). """ if not self.callback: raise Exception("No callback specified. When using method -1 to validate hostkeys you should use a callback.") try: ret = self.callback(client, hostname, key) except Exception, error: raise Exception("An error ocurred when calling the policy_callback: "+error) if ret: try: paramiko.AutoAddPolicy.missing_host_key (self,client,hostname,key) except IOError,error: os.mkdir( os.path.expanduser('~/.ssh') ) return try: paramiko.RejectPolicy.missing_host_key(self,client,hostname,key) except paramiko.SSHException,error: raise HostkeyUserRejectedException('The user rejected to accept the hostkey for %s' % hostname) This policy uses a callback to make another code ask the user in different ways, like only in the console or with gtk. The problem was when i reject intentionally the key, even with RejectPolicy the raised exception goes to my tryconnect method and is wrapped there, but the transport is still alive and waiting for a response to happen, which never occurs becouse i have wrapped the exception. This makes the tryconnect-thread eternal. Never ends. To fix this i call a single method on every exception handler called self.selfdestruct: except HostkeyUserRejectedException, error: self.selfdestruct("HostkeyUserRejectedException",error) except HostkeyAutoRejectedException, error: self.selfdestruct("HostkeyAutoRejectedException",error) except paramiko.PasswordRequiredException, error: self.selfdestruct("PasswordRequiredException",error) def selfdestruct(self,errtype,error): self.error_calls(errtype+": "+error[0]) self.onconnect_callback(self,errtype) if not self._isconnected: self.client.close() del self.client -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.lag.net/pipermail/paramiko/attachments/20080105/1b801e42/attachment.htm From jacobidiego at gmail.com Fri Jan 4 18:19:05 2008 From: jacobidiego at gmail.com (Diego Jacobi) Date: Sat, 5 Jan 2008 00:19:05 -0200 Subject: [paramiko] Hostkeys acception Policy In-Reply-To: <5de034af0801041814m48f32c67jadea8d85df6dbafc@mail.gmail.com> References: <5de034af0801041814m48f32c67jadea8d85df6dbafc@mail.gmail.com> Message-ID: <5de034af0801041819v5f022c8dh295e16b6d92f19d2@mail.gmail.com> Hello. I was going to write a log mail to ask for help, but i have already resolved it with lots and increible lots of hours, so i send what the problem was and how i have solved it for any other who haves the same problem. I have a method called tryconnect which is called from a thread in python: self._connect_thread = DepThread( target=self.tryConnect, args=() ) self._connect_thread.start() inside the tryconnect i call connect and manage its exceptions. When an exception occurs i call a callback which shows the info to the user. I got on the need to ask the user to accept a new hostkey when it is not on the hostkeys list. So i made my own Policy: class HostkeyUserRejectedException( paramiko.AuthenticationException): """ Exception raised when the hostkey is rejected by the user. """ pass class Policy_with_callback(paramiko.AutoAddPolicy, paramiko.RejectPolicy ): def __init__(self,callback): self.callback = callback def missing_host_key(self, client, hostname, key): """ Called when an SSHClient receives a server key for a server that isn't in either the system or local HostKeys object. To accept the key, simply return. To reject, raise an exception (which will be passed to the calling application). """ if not self.callback: raise Exception("No callback specified. When using method -1 to validate hostkeys you should use a callback.") try: ret = self.callback (client, hostname, key) except Exception, error: raise Exception("An error ocurred when calling the policy_callback: "+error) if ret: try: paramiko.AutoAddPolicy.missing_host_key (self,client,hostname,key) except IOError,error: os.mkdir( os.path.expanduser('~/.ssh') ) return try: paramiko.RejectPolicy.missing_host_key(self,client,hostname,key) except paramiko.SSHException,error: raise HostkeyUserRejectedException('The user rejected to accept the hostkey for %s' % hostname) This policy uses a callback to make another code ask the user in different ways, like only in the console or with gtk. The problem was when i reject intentionally the key, even with RejectPolicy the raised exception goes to my tryconnect method and is wrapped there, but the transport is still alive and waiting for a response to happen, which never occurs becouse i have wrapped the exception. This makes the tryconnect-thread eternal. Never ends. To fix this i call a single method on every exception handler called self.selfdestruct: except HostkeyUserRejectedException, error: self.selfdestruct("HostkeyUserRejectedException",error) except HostkeyAutoRejectedException, error: self.selfdestruct("HostkeyAutoRejectedException",error) except paramiko.PasswordRequiredException , error: self.selfdestruct("PasswordRequiredException",error) and so on def selfdestruct(self,errtype,error): self.error_calls(errtype+": "+error[0]) self.onconnect_callback (self,errtype) if not self._isconnected: self.client.close() del self.client The key of the fix is call client.close() only when an exception has ocurred and not when connect has correctly connected. also de RejectPolicy doesnt raises a very detailed exception so i have made my own one. And AutoAddPolicy doesn't make the .ssh directory when it creates de hostkeys file, so i have to make my own one. Cheers -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.lag.net/pipermail/paramiko/attachments/20080105/f6bea0ad/attachment.htm From karmazilla at gmail.com Sat Jan 5 07:45:33 2008 From: karmazilla at gmail.com (Christian Vest Hansen) Date: Sat, 5 Jan 2008 16:45:33 +0100 Subject: [paramiko] Problem using channels Message-ID: <90622e530801050745k6ae04a37t44e27c90633ccd25@mail.gmail.com> Saw this mail in the archive: http://www.lag.net/pipermail/paramiko/2007-December/000573.html Use the getpass module to read passwords: import getpass password = getpass.getpass() print "My big secret: '%s'" % password -- Venlig hilsen / Kind regards, Christian Vest Hansen. From karmazilla at gmail.com Sat Jan 5 15:03:05 2008 From: karmazilla at gmail.com (Christian Vest Hansen) Date: Sun, 6 Jan 2008 00:03:05 +0100 Subject: [paramiko] ctrl-c issue. Message-ID: <90622e530801051503y2a6508d7s234c7bd9a33de04e@mail.gmail.com> Hi, I have this issue, that when I connect to a server and exec_command on something that'll take a long time to finish, if ever (like tail -f), my script will only be able to respond to my local ctrl-c commands when the remote program produces output. This is the example program I use: ================================================= import sys import getpass import paramiko client = paramiko.SSHClient() try: client.load_system_host_keys() hostname = raw_input("Hostname: ") port = 22 username = raw_input("Username: ") password = getpass.getpass() client.connect(hostname, port, username, password) cmd = raw_input("[%s@%s]$ " % (username, hostname)) stdin, stdout, stderr = client.exec_command(cmd) for line in stdout: print line, except: sys.excepthook(*sys.exc_info()) finally: client.close() ================================================= Steps to reproduce: * connect to some server with normal ssh and $echo a >> my_file * then use above program to connect to the same server and run $tail -f my_file * then $echo b >> my_file and see the tail working * then, in the shell with above program still running, press ctrl-c * notice that pressing ctrl-c dosn't stop above program, regardless of how long you wait * now, in the normal ssh, do $echo c >> my_file * only then will above program notice the term request and halt operation What I want is for the program to terminate immediately when I press ctrl-c, so the question is how I can I make this so? -- Venlig hilsen / Kind regards, Christian Vest Hansen. From jbardin at bu.edu Mon Jan 7 06:22:47 2008 From: jbardin at bu.edu (James Bardin) Date: Mon, 07 Jan 2008 09:22:47 -0500 Subject: [paramiko] ctrl-c issue. In-Reply-To: <90622e530801051503y2a6508d7s234c7bd9a33de04e@mail.gmail.com> References: <90622e530801051503y2a6508d7s234c7bd9a33de04e@mail.gmail.com> Message-ID: <478235B7.9000907@bu.edu> Christian Vest Hansen wrote: > > Steps to reproduce: > * connect to some server with normal ssh and $echo a >> my_file > * then use above program to connect to the same server and run $tail -f my_file > * then $echo b >> my_file and see the tail working > * then, in the shell with above program still running, press ctrl-c > * notice that pressing ctrl-c dosn't stop above program, regardless of > how long you wait > * now, in the normal ssh, do $echo c >> my_file > * only then will above program notice the term request and halt operation > > What I want is for the program to terminate immediately when I press > ctrl-c, so the question is how I can I make this so? > > > Your crtl-c is being sent to the local process, not the remote. The local process say "ok, I'll quit when I'm done reading." The remote process doesn't see any of this, so you're sort of in a deadlock. Ctrl-c is just a SIGINT, so you could send a `kill -2 $PID` along another channel to kill the remote process, or use an interactive session so the term can send the signals. You can also catch the interrupt locally, and call close() on the transport (or SSHClient, which in turn calls the transport), which will just disconnect you, and the remote program will "probably" just quit. -jim From karmazilla at gmail.com Mon Jan 7 09:56:23 2008 From: karmazilla at gmail.com (Christian Vest Hansen) Date: Mon, 7 Jan 2008 18:56:23 +0100 Subject: [paramiko] ctrl-c issue. In-Reply-To: <478235B7.9000907@bu.edu> References: <90622e530801051503y2a6508d7s234c7bd9a33de04e@mail.gmail.com> <478235B7.9000907@bu.edu> Message-ID: <90622e530801070956l1600e76duff296b639eb0fa7c@mail.gmail.com> Hi James, thank you for the reply. > You can also catch the interrupt locally, and call close() on the > transport (or SSHClient, which in turn calls the transport), which will > just disconnect you, and the remote program will "probably" just quit. This apparently dosn't work. We will see no difference if we add the lines: =========================================== import signal signal.signal(signal.SIGINT, lambda sig, frame: client.close()) =========================================== To right after where the client obj is instensiated. I'm thinking the GIL may be blocking us from entering the lambda when we press ctrl-c. So, it looks like I'll try dropping to a lower level with the interactive shell and see if that works - I'm also interrested in the return codes of my commands so I guess I had to do that anyway. And then there's the setblocking() which looks handy. On 1/7/08, James Bardin wrote: > > > Christian Vest Hansen wrote: > > > > Steps to reproduce: > > * connect to some server with normal ssh and $echo a >> my_file > > * then use above program to connect to the same server and run $tail -f my_file > > * then $echo b >> my_file and see the tail working > > * then, in the shell with above program still running, press ctrl-c > > * notice that pressing ctrl-c dosn't stop above program, regardless of > > how long you wait > > * now, in the normal ssh, do $echo c >> my_file > > * only then will above program notice the term request and halt operation > > > > What I want is for the program to terminate immediately when I press > > ctrl-c, so the question is how I can I make this so? > > > > > > > Your crtl-c is being sent to the local process, not the remote. The > local process say "ok, I'll quit when I'm done reading." The remote > process doesn't see any of this, so you're sort of in a deadlock. > > Ctrl-c is just a SIGINT, so you could send a `kill -2 $PID` along > another channel to kill the remote process, or use an interactive > session so the term can send the signals. > > You can also catch the interrupt locally, and call close() on the > transport (or SSHClient, which in turn calls the transport), which will > just disconnect you, and the remote program will "probably" just quit. > > > -jim > > > > -- Venlig hilsen / Kind regards, Christian Vest Hansen. From david at guerizec.net Sat Jan 12 07:17:58 2008 From: david at guerizec.net (David Guerizec) Date: Sat, 12 Jan 2008 16:17:58 +0100 Subject: [paramiko] paramiko handling UTF-8 Message-ID: <200801121617.59040.david@guerizec.net> Hello, Does anybody know what's the reason why paramiko is converting passwords to UTF-8 before sending them on the network ? I have seen that sometimes this is not what servers want, since passwords can be in any charsets. Cheers -- David Guerizec http://sshproxy-project.org/ From dlitz at dlitz.net Sun Jan 13 20:48:12 2008 From: dlitz at dlitz.net (Dwayne C. Litzenberger) Date: Sun, 13 Jan 2008 22:48:12 -0600 Subject: [paramiko] [MERGE] insecure use of RandomPool Message-ID: <20080114044812.GA14355@rivest.dlitz.net> Programs using paramiko that meet _either_ (or both) of the following criteria may be vulnerable to attacks on paramiko's random number generator: 1. The program maintains multiple simultaneous paramiko connections (Transport instances) via forking or threading; or 2. The program uses certain Win32 builds of PyCrypto, where the Crypt.Util.winrandom module is missing, thus preventing the RandomPool instance from being initialized with sufficient entropy. This message deals with primarily with the first criterion. paramiko generates random numbers using a single instance of PyCrypto's RandomPool class. Unfortunately, neither paramiko nor PyCrypto ensure that: 1. after fork(), that the output of randpool.get_bytes() in the parent cannot be used to predict the output of randpool.get_bytes() in the child, or vice versa; or 2. that the state of the RandomPool instance is not corrupted by multiple threads accessing it at the same time. Consider the following Python program, which generates three separate RSA keys in three different child processes, and outputs the keys' fingerprints: # -------[ snip here ]------------------------ from paramiko import RSAKey import os import time # time.time() and time.clock() are predictable from a cryptographic standpoint, # but make them REALLY predictable for the purposes of this demonstration. class PredictableTime(object): def __init__(self): self.n = 0 def __call__(self): self.n += 1 return self.n time.time = PredictableTime() time.clock = PredictableTime() def fork_and_generate_key(): pid = os.fork() if pid != 0: # parent process os.waitpid(pid, 0) return else: # Child process k = RSAKey.generate(512) print "[PID %d] %s" % (os.getpid(), k.get_fingerprint().encode('hex')) os._exit(0) fork_and_generate_key() fork_and_generate_key() fork_and_generate_key() # -------[ snip here ]------------------------ Theoretically, each key generated using this program should be independent, regardless of whether the outputs of time.clock() and time.time() are predictable. In reality, the program's output looks something like this: [PID 18872] bff46933095489d81af86493e4e9ba2f [PID 18873] bff46933095489d81af86493e4e9ba2f [PID 18874] bff46933095489d81af86493e4e9ba2f This means that if you're using (for example) Python's SocketServer.ForkingTCPServer class to build an SSH server using paramiko, then supposedly "random" data from one session can be used to predict "random" data in another session. We could try to make a thread-safe wrapper around RandomPool, and we could provide some API to let users randomize the pool after a fork(), but that's error-prone. Also, because of a bug in PyCrypto 2.0.1 (where winrandom is not built), this would not be sufficient to fix the problem on Win32. A better thing to do would be to let the operating system generate our random numbers for us, since it is in a far better position than we are to guarantee that RNG state is not leaked or reused. The attached patch creates a new OSRandomPool class that provides a RandomPool-like interface, but gets its random numbers directly from the operating system. It also works around the recently-published Windows CryptGenRandom vulnerabilities (see http://eprint.iacr.org/2007/419). -- Dwayne C. Litzenberger -------------- next part -------------- # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: dlitz at dlitz.net-20080114035622-x9sdxlxwtehg6ey8 # target_branch: http://www.lag.net/paramiko/bzr/paramiko/ # testament_sha1: bca5d7f128ed9233a12e6f0c556445cbd19e5f7c # timestamp: 2008-01-13 22:15:39 -0600 # base_revision_id: robey at lag.net-20071231052950-8h599bnez3sgbf2e # # Begin patch === added file 'paramiko/osrandom.py' --- paramiko/osrandom.py 1970-01-01 00:00:00 +0000 +++ paramiko/osrandom.py 2008-01-14 03:56:22 +0000 @@ -0,0 +1,93 @@ +#!/usr/bin/python +# -*- coding: ascii -*- +# Copyright (C) 2008 Dwayne C. Litzenberger +# +# This file is part of paramiko. +# +# Paramiko is free software; you can redistribute it and/or modify it under the +# terms of the GNU Lesser General Public License as published by the Free +# Software Foundation; either version 2.1 of the License, or (at your option) +# any later version. +# +# Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR +# A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more +# details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with Paramiko; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +import sys + +# Detect an OS random number source +osrandom_source = None + +# Try os.urandom +if osrandom_source is None: + try: + from os import urandom + osrandom_source = "os.urandom" + except ImportError: + pass + +# Try winrandom +if osrandom_source is None: + try: + from Crypto.Util import winrandom + osrandom_source = "winrandom" + except ImportError: + pass + +# Try /dev/urandom +if osrandom_source is None: + try: + _dev_urandom = open("/dev/urandom", "rb", 0) + def urandom(bytes): + return _def_urandom.read(bytes) + osrandom_source = "/dev/urandom" + except (OSError, IOError): + pass + +# Give up +if osrandom_source is None: + raise ImportError("Cannot find OS entropy source") + +class BaseOSRandomPool(object): + def __init__(self, numbytes=160, cipher=None, hash=None): + pass + + def stir(self, s=''): + # According to "Cryptanalysis of the Random Number Generator of the + # Windows Operating System", by Leo Dorrendorf and Zvi Gutterman + # and Benny Pinkas , + # CryptGenRandom only updates its internal state using kernel-provided + # random data every 128KiB of output. + if osrandom_source == 'winrandom' or sys.platform == 'win32': + self.get_bytes(128*1024) # discard 128 KiB of output + + def randomize(self, N=0): + self.stir() + + def add_event(self, s=None): + pass + +class WinrandomOSRandomPool(BaseOSRandomPool): + def __init__(self, numbytes=160, cipher=None, hash=None): + self._wr = winrandom.new() + self.get_bytes = self._wr.get_bytes + self.randomize() + +class UrandomOSRandomPool(BaseOSRandomPool): + def __init__(self, numbytes=160, cipher=None, hash=None): + self.get_bytes = urandom + self.randomize() + +if osrandom_source in ("urandom", "os.urandom"): + OSRandomPool = UrandomOSRandomPool +elif osrandom_source == "winrandom": + OSRandomPool = WinrandomOSRandomPool +else: + raise AssertionError("Unrecognized osrandom_source %r" % (osrandom_source,)) + +# vim:set ts=4 sw=4 sts=4 expandtab: === modified file 'paramiko/common.py' --- paramiko/common.py 2007-11-19 03:12:09 +0000 +++ paramiko/common.py 2008-01-14 03:56:22 +0000 @@ -95,22 +95,10 @@ DISCONNECT_SERVICE_NOT_AVAILABLE, DISCONNECT_AUTH_CANCELLED_BY_USER, \ DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE = 7, 13, 14 - -from Crypto.Util.randpool import PersistentRandomPool, RandomPool +from osrandom import OSRandomPool # keep a crypto-strong PRNG nearby -import os -try: - randpool = PersistentRandomPool(os.path.join(os.path.expanduser('~'), '/.randpool')) -except: - # the above will likely fail on Windows - fall back to non-persistent random pool - randpool = RandomPool() - -try: - randpool.randomize() -except: - # earlier versions of pyCrypto (pre-2.0) don't have randomize() - pass +randpool = OSRandomPool() import sys if sys.version_info < (2, 3): # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWcJefa4AA7xfgERQe/f//3/v 3rC////wYAmO+3vOt5u3t0DrmVhl7u6goYrJtmooEkSGgJMmnop5poKeSntUbNKfpIeoD9KZD1H6 o/VABokPRTaYgQymmQ0A0AAAAA0ABopk2k1J+pqPRqepppkyHpNDBMBBoyAANGEiJGiYlNNppo1P UnplNpPEanqeoPUeobU8ptQ9Iep6jQ4BhGE0xDAIBkAMI0yZMIwENBJIJpoATTRNGpmjQmJqTyPI p5qn6o9TymmgBppEhFfToHo0MurTtkY9XJucpdoZ5bqEYljTiz4OfxknZdHxJFDzzCobTrf18GRr MnC7InJlOLHThktxNWtqeMIQEqCBDt2x7XOP8Zp0rbp+3egALpCEbtnhvbMMaKukDJqIYN3O6hf7 +u1gZrKuM6K5qsj7qcdFsSbgNPGqguuck8oFgqygtaji1HOpkkqhCEPfrO1J8NFIyEIDaEjsCr9n gWAkzgnsefWBVXhcqlExZKRJPmFAW2KR2VQFjnRQOKJUKSYpUSGpSrmR1QX9KKEuW7KHcmGmC8aT iM/nUvx6MFlK1r6NT4ubGFUQ4DFdscH2jSNLC5Q9Ccnz5GlbIzd45GHRMQCzoeGiz9tSpawIniGB GvvLtFcj2gMSNsygsw8mCZcQNIHosRB0jAiPi3ts2Npk63gel/nqxiA9tOU6c0VvxXi9HH1wlNcf nstthpQMbiCF0pdTbENjZ1RCoboPxWFePdsODeIezbP+9kli4MIl24q7KjhPGYuzKfe0u3GyWArg 8yc7ZE3NvtJjTgNV0jSmKMjMLd68o2hSSoDrGAm9dPwo7/mc4HlPCOn23HxmWlTNLMemFh8uhNpo HxWZZ5VRuV1W+7UtF8bpm1aztv7vo9UKLf8vhJs42AOsz99y4zKUlk+U8tIhmSIvSIkIxlfjADxH hBD2HIZgVO4yIqPMVwPoeu88LlNgsOhVUk7k13E8XB0QoexwIS4paghJuG18aYrk7xfEQIXVcaGB tTdpiMaOOE9rqlsKcM7XPAfunUHRkEWEQpYdigcpFZGi8mUEG0UnI1nmbjBONuNGp27bD661dRjw ovKCA+gFgZjykoMy47VC9tyosKRGDK3ax1lw2s5jesiocVutytNuStvK60xtJgPW/xWZylI42FtT j4mCqJCxOXQCQ7WECJ2AapU5jA6ZP2FJfWDjM9gdVXaMW3vCTnEBEJENxQVFkjgwpZBaMxOFa820 8b5mnCZlA3cWKpWqgzGrVYegGryiyyQ2pMcRkfl4bs+g5jmNWo1J8OAODWQ77lnRHu4ffb4ge9b2 1sMwfQx3QXuTARyMTlpdAew1kGRn6MHm1K9zsULZ4Fbe2aSpyvS8Iy8EiKXSvl3fHup/fl5Sax/Y ebY02zsp+B2QQzDx0SN5hkPav8+zTveVslVxMWYali7dR1zu+O9KOXw0SCwHfqP8TnkSZE1LmjM5 wPUccvWqBewbm6gmSTrNgm1dcCW65LWxSZgi8q0ldYidmjBkUBr0aJu4IO1ot3yDsVy/E+B5HmPG PUiUaztP0Oxu4P4BuUi5OBv0+FRwaI6xMh/4e+JWxwQvz+vIWx+xSL3HoXm0Np9Tym8+fz5dcz1L 3hQlrORFTI2Tk4HihpDe+D0yXawMwgZJMILW7Ghp2EU1PzTwGb70HyW5QRirn/i414ZXbAONNUUQ 7TkF5i0B1WK05JHove/MOS8dlF8rm8PYVrkKZWbD0GPE1GMgVbe084mcCLJYZ6w4LsLn12Kb71wh Nu/R2NMVdWcGedLBF/cc5bX95FAQBkCgYjInWA8UZ2iZresFgrshbZJbw4rMqQJCf2RDDScbgM8M hAHsHm2ARzYznnSBNhQoiWUsn0DoSIhf5TY2hC9749yrSqhSUcXfYcTURnDC1JvXzHlS17Uqwiie polxrP+ECf69ek844cfAsNCsPXaQfYhmMI0DHUB7bMsglvJcWj4dZY6ytxqCM8w6rugJ/j57aVWX rgtW612Dnpg1LJiglBeeJ8ZEWHxEcxqMU1FQcGErwv5+Gjw08Gegl4p9yPMDNIiru24J4gPT0yGt EmOo7Sa4nicTIiS4r2Dixdxq4jLJuGtwfgRlqU/c+aMEtbukBt6glXE94Sq2Ez/oXrLxVicwq1Bm SLnu6lgB7j0hKhx1bMNYuuJ/41mtjWvkB83alPLOYHuqRqX5NTl3Co1pfbrskLCpgsZdsZ+9H5yp fyXrJeExUmPELfTltfWWphmTMGacZQRxaLX5mdCCMCK2q7A6GhsmJG499G6KrKpbqzE/+Rs5ERfz i2palU972S+ky99qbj+9K5XPpqRJj/MxLBUO537BIulN2b5dwY+gGqWSWbJKTAUsADwqFYrfdwVK C3rhbkD005laj4LGlxQcRMkS8m5FA0QxUpcqFslrGjJQJJUmFXtGCusRyJBpVUWM3muZ30HXbysA 76IhpoabAsoiVNkO7rhyjmGYuS+Qe3TSFiD6HRDwDFAdCUmEwyAVFy37aM7hi8Bh3gvx4vNhkHG0 h0nCyAeMfCTbl6oSrEygiOHFpnR92ACKpPQZq2fyXF0s34ajFu5295C9JQoMnZb3cImOSPf+jhb4 eAQyIqnXWerBtW/TLiGlsu7y3PnHzytRi/NoJMgdecKVo/uiENY88y1/sG2NW8e/aUGBtkI/UlXi 6cOFjZ572RLBjb074PGehZEevX08LF2VpK28ZVdVdzVHt2edswP134zNDKGAxFY1VV/sz6yciybs Y9Vk3FlfYtOCwJLRPbZzFktZNGKU2V7ImByn9K9OlhbVkZBpghVus46FZXRfVV37FBEQN3l13eB8 0jWai3+gXNgz1NZlrZvsqU5cispq5HswGTomAUDgTM8oyQEwMkczrfm9c1xRQmGr/XswZjTkui+2 wxshuZDdrFrBVh3hsCREpVVFSgDjxCjjDSTfeycqZQ3gSI7KwbJ2tQYTwvf02EATRZ2VmJ3QKTFi FpAg6DIsVt53/KMRvcrnvqcVsEKdt2KooagBYHksIbJRb40oeYrKIOf08EQe2KUsSWmSmWmyIIPf thq0EGdXkfKs0gIvsUPkN/tjAc4MBp84FniBJZWLQBhc4G0zxdtdiaQaND3g0gGUXJDtZgOUcyW+ aCE0iaZInliJ40P2F3JFOFCQwl59rg== From david at guerizec.net Mon Jan 14 02:44:31 2008 From: david at guerizec.net (David Guerizec) Date: Mon, 14 Jan 2008 11:44:31 +0100 Subject: [paramiko] [MERGE] insecure use of RandomPool In-Reply-To: <20080114044812.GA14355@rivest.dlitz.net> References: <20080114044812.GA14355@rivest.dlitz.net> Message-ID: <200801141144.31653.david@guerizec.net> Hi Dwayne, I noticed a small typo in the patch you've send. > + ? ? ? ?osrandom_source = "/dev/urandom" should be: osrandom_source = "urandom" Regards, -- David Guerizec http://sshproxy-project.org/ From dwayne at oscl.ca Mon Jan 14 07:31:57 2008 From: dwayne at oscl.ca (Dwayne Litzenberger) Date: Mon, 14 Jan 2008 09:31:57 -0600 Subject: [paramiko] [MERGE] insecure use of RandomPool In-Reply-To: <20080114044812.GA14355@rivest.dlitz.net> References: <20080114044812.GA14355@rivest.dlitz.net> Message-ID: <200801140931.57843.dwayne@oscl.ca> On January 13, 2008 10:48:12 pm Dwayne C. Litzenberger wrote: > The attached patch creates a new OSRandomPool class that provides a > RandomPool-like interface, but gets its random numbers directly from the > operating system. It also works around the recently-published Windows > CryptGenRandom vulnerabilities (see http://eprint.iacr.org/2007/419). Here's an updated bundle, which handles /dev/urandom properly in the event that os.urandom is not available. (Thanks to David Guerizec for pointing out the bug.) The difference between the previous fix and this fix is: === modified file 'paramiko/osrandom.py' --- paramiko/osrandom.py 2008-01-14 03:56:22 +0000 +++ paramiko/osrandom.py 2008-01-14 15:27:12 +0000 @@ -83,7 +83,7 @@ self.get_bytes = urandom self.randomize() -if osrandom_source in ("urandom", "os.urandom"): +if osrandom_source in ("/dev/urandom", "os.urandom"): OSRandomPool = UrandomOSRandomPool elif osrandom_source == "winrandom": OSRandomPool = WinrandomOSRandomPool -- Dwayne Litzenberger -------------- next part -------------- A non-text attachment was scrubbed... Name: paramiko-osrandompool-fixed.bundle Type: text/x-diff Size: 8199 bytes Desc: not available Url : http://www.lag.net/pipermail/paramiko/attachments/20080114/d56d85dd/attachment.diff From robey at lag.net Sun Jan 20 13:41:10 2008 From: robey at lag.net (Robey Pointer) Date: Sun, 20 Jan 2008 13:41:10 -0800 Subject: [paramiko] paramiko handling UTF-8 In-Reply-To: <200801121617.59040.david@guerizec.net> References: <200801121617.59040.david@guerizec.net> Message-ID: On 12 Jan 2008, at 7:17, David Guerizec wrote: > Hello, > > Does anybody know what's the reason why paramiko is converting > passwords to > UTF-8 before sending them on the network ? > > I have seen that sometimes this is not what servers want, since > passwords can > be in any charsets. It looks like this is part of the SSH standard. RFC 4252 says, on page 10: Note that the ?plaintext password? value is encoded in ISO-10646 UTF-8. It is up to the server how to interpret the password and validate it against the password database. However, if the client reads the password in some other encoding (e.g., ISO 8859-1 - ISO Latin1), it MUST convert the password to ISO-10646 UTF-8 before transmitting, and the server MUST convert the password to the encoding used on that system for passwords. So it looks like at least I didn't make it up. :) If some servers are expecting a different encoding, we could make auth_handler only do UTF-8 encoding on unicode strings. So if you passed in a string pre-encoded into a str (=bytes), it wouldn't change the encoding. Would that work? robey From robey at lag.net Mon Jan 21 11:44:36 2008 From: robey at lag.net (Robey Pointer) Date: Mon, 21 Jan 2008 11:44:36 -0800 Subject: [paramiko] [MERGE] insecure use of RandomPool In-Reply-To: <200801140931.57843.dwayne@oscl.ca> References: <20080114044812.GA14355@rivest.dlitz.net> <200801140931.57843.dwayne@oscl.ca> Message-ID: On 14 Jan 2008, at 7:31, Dwayne Litzenberger wrote: > On January 13, 2008 10:48:12 pm Dwayne C. Litzenberger wrote: >> The attached patch creates a new OSRandomPool class that provides a >> RandomPool-like interface, but gets its random numbers directly >> from the >> operating system. It also works around the recently-published >> Windows >> CryptGenRandom vulnerabilities (see http://eprint.iacr.org/2007/419). > > Here's an updated bundle, which handles /dev/urandom properly in the > event > that os.urandom is not available. (Thanks to David Guerizec > for pointing out the bug.) Looks good, and passes the unit tests on my mac, so I merged it -- thanks! I will probably make a new paramiko release later today; it's been a while. robey From robey at lag.net Mon Jan 21 19:15:32 2008 From: robey at lag.net (Robey Pointer) Date: Mon, 21 Jan 2008 19:15:32 -0800 Subject: [paramiko] release: paramiko 1.7.2 Message-ID: Okay, I slacked for long enough. :) Paramiko 1.7.2 "Basil" is released: http://www.lag.net/paramiko/ This is mostly bug fixes and a few tiny new features. v1.7.2 (Basil) 21jan08 ---------------------- * (bug 137219) catch EINTR and handle correctly * (bug 157205) fix select() to trigger on stderr for a channel too * added SSHClient.get_transport() * added Channel.send_ready() * added direct-tcpip forwarding [patch from david guerizec] * fixed the PRNG to be more secure on windows and in cases where fork() is called [patch from dwayne litzenberger] Basil was assaulted by bears. robey From david at guerizec.net Tue Jan 22 01:12:33 2008 From: david at guerizec.net (David Guerizec) Date: Tue, 22 Jan 2008 10:12:33 +0100 Subject: [paramiko] paramiko handling UTF-8 In-Reply-To: References: <200801121617.59040.david@guerizec.net> Message-ID: <200801221012.33439.david@guerizec.net> Le Sunday 20 January 2008 22:41:10 Robey Pointer, vous avez ?crit?: > On 12 Jan 2008, at 7:17, David Guerizec wrote: > > Hello, > > > > Does anybody know what's the reason why paramiko is converting > > passwords to > > UTF-8 before sending them on the network ? > > > > I have seen that sometimes this is not what servers want, since > > passwords can > > be in any charsets. > > It looks like this is part of the SSH standard. RFC 4252 says, on page > 10: > > Note that the ?plaintext password? value is encoded in ISO-10646 > UTF-8. It is up to the server how to interpret the password and > validate it against the password database. However, if the client > reads the password in some other encoding (e.g., ISO 8859-1 - ISO > Latin1), it MUST convert the password to ISO-10646 UTF-8 before > transmitting, and the server MUST convert the password to the > encoding used on that system for passwords. > > So it looks like at least I didn't make it up. :) OK, I didn't see that. Well, in that case it seems that openssh doesn't follow exactly the RFC, as I cannot login with an accentuated password if my term is not in the right encoding... > If some servers are expecting a different encoding, we could make > auth_handler only do UTF-8 encoding on unicode strings. So if you > passed in a string pre-encoded into a str (=bytes), it wouldn't change > the encoding. Would that work? I didn't have time to try this, but I guess that would work. Regards, -- David Guerizec http://sshproxy-project.org/ From jv.goff at gmail.com Sat Jan 26 10:05:32 2008 From: jv.goff at gmail.com (Jeff) Date: Sat, 26 Jan 2008 13:05:32 -0500 Subject: [paramiko] Trying to use SSH like telnet Message-ID: hi i am struggling with trying to get paramiko to do what i have done with telnet using telnet with perl,ruby and even python before hope someone on the list can help me out. I have read through the archives and seen a few related posts - including the migrate from Telnet to SSH thread - but the suggestions in that thread still don't solve my issue, or at least i cannot see it yet :( Here is the scenario - i am building a threaded (but just need it to even work for a single device right now) script that will open an ssh session to the device CLI, then enter a debug shell on that device, sit there, running commands as i need them run, and returning me the output - but not disconnecting after each command. Ultimately i am trying to have multiple "devices" with 2 ssh sessions to device, one in the CLI one in the debug shell, and wrap it all in a big select - but thats getting ahead of myself, for now, i just need it to work with one device and one ssh session. I have looked at exec_cmd with SSHClient (but it closes the channel after each command) and have tried the hack of a dummy_chan idea, but it didn't work. The closest thing i have right now that i think might work is with SSHClient invoke_shell - but if i go down that path, seems i need to re-write / port the entire concept of telnetlib read_until for handling prompts and waiting/gathering of all the output from a command. after messing with the paramiko demos, the snippets from the mailing list and rolling-my-own for 2 days, i am at a loss, any pointers greatly appreciated ! Surely i am not the first person who doesn't just want to exec one command and exit, but have a script controlled interactive shell which looks similar to telnetlib with goodies like read_until, but is not hooked to the stdin/out of the script (i.e. like demo_simple.py) ps. i am pretty green at python - if i have grossly mis-stated something here, apologies in advance. thanks -jeff here is the basic skeleton i have so far client = paramiko.SSHClient() client.connect("1.2.3.4",22,"test","test") chan = client.invoke_shell() chan.setblocking(0) chan.send("ls -la\n") read_until style ?????> From washakie at gmail.com Sun Jan 27 02:03:32 2008 From: washakie at gmail.com (John) Date: Sun, 27 Jan 2008 11:03:32 +0100 Subject: [paramiko] ssh -r , dynamic set up Message-ID: Hello, I'm trying to write a script which will allow me to initiate (spawn?) a reverse tunnel from a remote machine (outside a firewall) to an internal machine using SSH -R I posted to another list and was pointed in the direction of paramiko. I've read the tutorials, but cannot seem to figure out exactly how I can do this... I'm hoping someone can look at what I'm trying to do below and provide an example... #!/usr/bin/python import os, time, subprocess REMOTE_HOME='../' #mounted drive to REMOTE_HOME from LOCAL_MACHINE cmd = 'while true; do ssh -R 8022:localhost:22 MyUserName at RemoteHost ; sleep 60; done' while 1: while os.path.exists(os.path.join(REMOTE_HOME,'mySecretFile'): proc= subprocess.call(cmd,shell='True') if proc: os.kill(proc.pid) if os.path.exists(os.path.join(REMOTE_HOME,'KillScript'): break -- Note, I know the reverse tunnel script works on it's own run from the shell, but I don't want to leave it open always... furthermore it seems to be a rather 'brute force' method. It seems paramiko might provide a more elegant solution! Does anyone have any ideas on how to make this work? Configuration `````````````````````````` Plone 2.5.3-final, CMF-1.6.4, Zope (Zope 2.9.7-final, python 2.4.4, linux2), Five 1.4.1, Python 2.4.4 (#1, Jul 3 2007, 22:58:17) [GCC 4.1.1 20070105 (Red Hat 4.1.1-51)], PIL 1.1.6 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.lag.net/pipermail/paramiko/attachments/20080127/31ac329b/attachment.html From karmazilla at gmail.com Mon Jan 28 12:57:47 2008 From: karmazilla at gmail.com (Christian Vest Hansen) Date: Mon, 28 Jan 2008 21:57:47 +0100 Subject: [paramiko] Exit status on shells Message-ID: <90622e530801281257i3d71b7eds17227880fe5443b9@mail.gmail.com> Hi, If I create a channel with SSHClient.invoke_shell(), will it then ever make sense to read the exit_status or inspect the status_event? I'm trying to simulate shell access to a server and would like to know when I can print the input prompt to the users console. -- Venlig hilsen / Kind regards, Christian Vest Hansen.