<br><tt><font size=2>Paul_S_Johnson at mnb.uscourts.gov Paul_S_Johnson
at mnb.uscourts.gov </font></tt>
<br><tt><font size=2>Thu Sep 27 16:00:14 EDT 200:<br>
<br>
> After much wrangling and a small miracle I have managed to write an
object <br>
> that fetches the output of three commands in the order given through
an <br>
> SSH connection. How come I cannot switch users? Some of the information
I <br>
> need can only be fetched through a root account and security is such
that <br>
> I cannot log in remotely from a root account but must switch once
logged <br>
> in from an account with less than root privileges.<br>
</font></tt>
<br><tt><font size=2>I've been trying something similar. As you've probably
found out you cant just write in the password to su - you'll get an error
"Standard in must be a tty". Basically I think su needs a shell
to work.</font></tt>
<br>
<br><tt><font size=2>Consequently, before sending your password, you'll
need to request a shell. I would've been utterly clueless about this if
it wasn't for the post @</font></tt>
<br><tt><font size=2>http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html,
from which I managed to extract the crucial code:</font></tt>
<br>
<br><tt><font size=2>term = 'ansi'</font></tt>
<br><tt><font size=2>winsz = struct.pack('4H', 80, 100, 80, 100)</font></tt>
<br><tt><font size=2>winSize = struct.unpack('4H', winsz)</font></tt>
<br><tt><font size=2>ptyReqData = session.packRequest_pty_req(term, winSize,
'')</font></tt>
<br><tt><font size=2>self.conn.sendRequest(self, 'pty-req', ptyReqData)</font></tt>
<br><tt><font size=2>self.conn.sendRequest(self, 'shell', '')</font></tt>
<br>
<br><tt><font size=2>Sticking this in your SSHChannel.channelOpen method
will allow you to get a shell. Unfortunately you then have to interact
with the session in an expect-like manner which turns the whole procedure
into one big easily broken hack. Basically I just write "su -"
and wait for my method dataReceived to return "password:" at
which point I write in the password.</font></tt>
<br>
<br><tt><font size=2>Another point to mention is that the ssh session is
still not root, the root functionality is being provided by the shell instance.
Consequently any new channels opened up will not be root so you cant easily
use this method to scp file's that are only readable for root. You can
of course cat from the shell session but then you have issues with line
wrapping and reliably figuring out when the file ends and your shell prompt
begins.</font></tt>
<br>
<br><tt><font size=2>I looked into trying to do some setreuid/setuid magic
in the hope that I could issue a command from my root shell prompt that
would elevate the whole ssh process to root allowing all my channels root
priviliges. However I soon got well out of my depth and decided it wasn't
possible, at least by me :)</font></tt>
<br>
<br><tt><font size=2>So, as far as I can see, it's not possible, if your
server doesn't allow root access to open up a channel that has root priviliges.
The only way to do it is in the aformentioned messy way via a shell &
su (which I gave up on when my regular expression took up two lines on
my screen and still didn't reliable match half the shell prompts it needed
to).</font></tt>
<br>
<br><tt><font size=2>I would love somebody to prove me wrong and let me
know of a nice way round this.</font></tt>
<br>
<br><tt><font size=2>Of course - these problems are nothing to do with
twisted and all to do with the way ssh works.</font></tt>
<br>
<br><tt><font size=2>-ross<br>
<br>
-- <br>
Ross McKerchar<br>
Systems Analyst, Sophos<br>
<br>
Tel: 01235 559933<br>
Web: http://www.sophos.com<br>
Sophos - security and control<br>
</font></tt>Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.