[Twisted-Python] How to switch users in SSH session.
Ross.McKerchar at sophos.com
Tue Oct 9 10:41:47 MDT 2007
Paul_S_Johnson at mnb.uscourts.gov, Thu Sep 27 16:00:14 EDT 200:
> After much wrangling and a small miracle I have managed to write an object
> that fetches the output of three commands in the order given through an
> SSH connection. How come I cannot switch users? Some of the information I
> need can only be fetched through a root account and security is such that
> I cannot log in remotely from a root account but must switch once logged
> in from an account with less than root privileges.

I've been trying something similar. As you've probably found out, you can't
just write in the password to su - you'll get an error "Standard in must
be a tty". Basically I think su needs a shell to work.

Consequently, before sending your password, you'll need to request a
shell. I would've been utterly clueless about this if it wasn't for the
post at
http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html,
from which I managed to extract the crucial code:

import struct
from twisted.conch.ssh import session

# Inside your SSHChannel subclass's channelOpen(): request a pty, then a shell.
term = 'ansi'
winsz = struct.pack('4H', 80, 100, 80, 100)
winSize = struct.unpack('4H', winsz)  # geometry tuple: (rows, cols, xpixel, ypixel)
ptyReqData = session.packRequest_pty_req(term, winSize, '')  # '' = no terminal modes
self.conn.sendRequest(self, 'pty-req', ptyReqData)
self.conn.sendRequest(self, 'shell', '')

Sticking this in your SSHChannel.channelOpen method will allow you to get
a shell. Unfortunately you then have to interact with the session in an
expect-like manner, which turns the whole procedure into one big, easily
broken hack. Basically I just write "su -" and wait for my method
dataReceived to return "password:", at which point I write in the password.

Another point to mention is that the ssh session is still not root; the
root functionality is being provided by the shell instance. Consequently
any new channels opened up will not be root, so you can't easily use this
method to scp files that are only readable by root. You can of course
cat from the shell session, but then you have issues with line wrapping and
reliably figuring out when the file ends and your shell prompt begins.

I looked into trying to do some setreuid/setuid magic in the hope that I
could issue a command from my root shell prompt that would elevate the
whole ssh process to root, allowing all my channels root privileges.
However I soon got well out of my depth and decided it wasn't possible, at
least by me :)

So, as far as I can see, it's not possible, if your server doesn't allow
root access, to open up a channel that has root privileges. The only way to
do it is in the aforementioned messy way via a shell & su (which I gave up
on when my regular expression took up two lines on my screen and still
didn't reliably match half the shell prompts it needed to).
I would love somebody to prove me wrong and let me know of a nice way
round this.

Of course - these problems are nothing to do with Twisted and all to do
with the way ssh works.

-ross
--
Ross McKerchar
Systems Analyst, Sophos
Tel: 01235 559933
Web: http://www.sophos.com
Sophos - security and control
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
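
The expect-style "su -" dance described in the post, written out as an added example (not code from the post or from Twisted): a Twisted-free state machine that a Conch SSHChannel's dataReceived would feed with incoming bytes. It waits for the password prompt, checks whether su accepted the password, and echoes a unique marker after every command instead of regex-matching the shell prompt, which is what makes the end of each command's output unambiguous. It assumes the remote shell echoes typed lines verbatim (no readline redrawing); the su failure strings, the marker and all sample bytes are constructed.

```python
import re

PASSWORD_RE = re.compile(rb"[Pp]assword:\s*$")
# Strings su prints when the password is rejected (platform-dependent; assumed).
SU_FAILED = (b"Authentication failure", b"incorrect password", b"Sorry")

class SuDriver:
    """Expect-style driver for 'su -' on a Conch shell channel: feed() takes the
    bytes SSHChannel.dataReceived got and returns bytes to write back (or None).
    A unique marker echoed after each command replaces prompt-matching regexes."""

    def __init__(self, password, commands, marker=b"__CMD_DONE_7f3a__"):
        self.password, self.commands = password, list(commands)
        self.marker = marker
        # Type the marker split by an empty string: the pty echo of our input
        # then never contains the contiguous marker, only the real output does.
        self.echo_marker = b'echo ' + marker[:8] + b'""' + marker[8:]
        self.buf, self.state, self.results, self.failed = b"", "init", [], False

    def start(self):
        self.state = "await_password"
        return b"su -\n"

    def _next_command(self):
        if not self.commands:
            self.state = "done"
            return b"exit\nexit\n"  # leave the root shell, then the login shell
        self.state = "await_output"
        return self.commands.pop(0) + b"; " + self.echo_marker + b"\n"

    def feed(self, data):
        self.buf += data  # buffer: "Password:" may arrive split across chunks
        if self.state == "await_password" and PASSWORD_RE.search(self.buf):
            self.buf, self.state = b"", "await_su"
            # Answer the prompt and immediately probe with the marker; if su
            # rejected the password, the unprivileged shell runs the probe.
            return self.password + b"\n" + self.echo_marker + b"\n"
        if self.state in ("await_su", "await_output") and self.marker in self.buf:
            out, _, self.buf = self.buf.partition(self.marker)
            if self.state == "await_su":
                if any(m in out for m in SU_FAILED):
                    self.failed, self.state = True, "done"
                    return b"exit\n"
            else:
                out = out.partition(self.echo_marker)[2]  # drop echo of our input
                out = out.partition(b"\n")[2]              # and the rest of that line
                self.results.append(out.replace(b"\r\n", b"\n").strip())
            return self._next_command()
        return None
```

The first command worth sending is `id -u`: a result of `0` confirms that su actually succeeded before anything root-only is attempted.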