Add SFTP example

[thijs]

Michael Mach posted the following example on the mailinglist that could be useful for others:

from zope.interface import implements

from twisted.application import service, internet
from twisted.conch.ssh.keys import Key
from twisted.conch.ssh.factory import SSHFactory
from twisted.conch.unix import UnixSSHRealm
from twisted.cred.checkers import ICredentialsChecker
from twisted.cred.credentials import IUsernamePassword
from twisted.cred.portal import Portal


def get_key(path):
    return Key.fromString(data=open(path).read())


class DummyChecker(object):
    credentialInterfaces = (IUsernamePassword,)
    implements(ICredentialsChecker)

    def requestAvatarId(self, credentials):
        return credentials.username


def makeService():
    public_key = get_key('id_rsa.pub')
    private_key = get_key('id_rsa')

    factory = SSHFactory()
    factory.privateKeys = {'ssh-rsa': private_key}
    factory.publicKeys = {'ssh-rsa': public_key}
    factory.portal = Portal(UnixSSHRealm())
    factory.portal.registerChecker(DummyChecker())

    return internet.TCPServer(2200, factory)


application = service.Application("sftp server")
sftp_server = makeService()
sftp_server.setServiceParent(application)

Put this content into a file like sftp.tac The keys can be generated by ckeygen utility which is part of Twisted (e.g. ckeygen -b 2048 -t rsa -f id_rsa) and run with twistd -ny sftp.tac

[itamar]

We should get explicit permission from Michael Mach to include this, before we use it.

[thijs]

Replying to itamar:

We should get explicit permission from Michael Mach to include this, before we use it.

He posts it on a public mailinglist to help out the Twisted community, what more permission do you need? I don't see the problem. The only problem I see is missing documentation or examples for sftp.

[exarkun]

It has to be licensed appropriately, otherwise we have no right to distribute it.

[specnazzz]

I hereby give permission to use my SFTP example by anyone at will.

[thijs]

(In [32514]) Branching to 'sftp-example-5237'

[thijs]

(In [32515]) add example and news file, refs #5237

[exarkun]

Thanks.

1. It's an sftp example, so it belongs in conch's documentation directory, and the news fragment should go in conch's topfiles directory.
2. Some of the names in the example use under_scores, they should use camelCase instead.
3. get_key will be simpler if you use Key.fromFile instead of Key.fromString.
4. The example only works on POSIX, this should probably be mentioned inside it somewhere.
5. The example will fail unless run as root, because it uses UnixSSHRealm which always tries to seteuid to get the proper filesystem access rights.
   1. Also, if run as root, the example grants access to the entire filesystem with no authentication required. It's only an example, but this is still a little bit crazy. It would be better to use a real credentials checker as long as root access is going to be required to run it anyway. Alternatively, replace UnixSSHRealm with something that only allows access to a subset of the filesystem and doesn't require root.

[thijs]

I covered points 1-4 in r32530.

Replying to exarkun:

1. The example will fail unless run as root, because it uses UnixSSHRealm which always tries to seteuid to get the proper filesystem access rights. 1. Also, if run as root, the example grants access to the entire filesystem with no authentication required. It's only an example, but this is still a little bit crazy. It would be better to use a real credentials checker as long as root access is going to be required to run it anyway. Alternatively, replace UnixSSHRealm with something that only allows access to a subset of the filesystem and doesn't require root.

I could add this info to the docstring of the example, but not sure how to implement this.. So putting it back up for review so someone else can judge on that.

[exarkun]

(In [32564]) Some changes to try to get the example into better shape - incomplete.

refs #5237

[exarkun]

It seems very difficult to formulate a reasonable example given the current state of Conch. I filed #5265 which should produce an SFTP backend which is usable in an example like this. After #5265 is resolved, the features it adds should be used to complete this example.