Opened 3 years ago

Last modified 3 years ago

#5237 enhancement new

Add SFTP example

Reported by: thijs
Owned by: exarkun
Priority: normal
Milestone:
Component: conch
Keywords: documentation
Cc: thijs, z3p
Branch: branches/sftp-example-5237
Author: specnazzz, thijs
Launchpad Bug:

Description

Michael Mach posted the following example on the mailing list that could be useful for others:

from zope.interface import implements

from twisted.application import service, internet
from twisted.conch.ssh.keys import Key
from twisted.conch.ssh.factory import SSHFactory
from twisted.conch.unix import UnixSSHRealm
from twisted.cred.checkers import ICredentialsChecker
from twisted.cred.credentials import IUsernamePassword
from twisted.cred.portal import Portal


def get_key(path):
    # Load an OpenSSH-format key (public or private) from disk.
    with open(path) as f:
        return Key.fromString(data=f.read())


class DummyChecker(object):
    # Accepts every username/password pair: the username becomes the
    # avatar id and the password is never looked at.
    credentialInterfaces = (IUsernamePassword,)
    implements(ICredentialsChecker)

    def requestAvatarId(self, credentials):
        return credentials.username


def makeService():
    public_key = get_key('id_rsa.pub')
    private_key = get_key('id_rsa')

    factory = SSHFactory()
    # Host key pair offered to connecting clients.
    factory.privateKeys = {'ssh-rsa': private_key}
    factory.publicKeys = {'ssh-rsa': public_key}
    # UnixSSHRealm backs each avatar with the local Unix account of the
    # authenticated username and switches euid to it, so it needs root.
    factory.portal = Portal(UnixSSHRealm())
    factory.portal.registerChecker(DummyChecker())

    return internet.TCPServer(2200, factory)


application = service.Application("sftp server")
sftp_server = makeService()
sftp_server.setServiceParent(application)

Put this content into a file like sftp.tac. The keys can be generated with the ckeygen utility, which is part of Twisted (e.g. ckeygen -b 2048 -t rsa -f id_rsa). Run it with twistd -ny sftp.tac.

Change History (13)

comment:1 Changed 3 years ago by DefaultCC Plugin

  • Cc z3p added

comment:2 follow-up: Changed 3 years ago by itamar

We should get explicit permission from Michael Mach to include this, before we use it.

comment:3 in reply to: ↑ 2 Changed 3 years ago by thijs

Replying to itamar:

We should get explicit permission from Michael Mach to include this, before we use it.

He posts it on a public mailing list to help out the Twisted community, what more permission do you need? I don't see the problem. The only problem I see is missing documentation or examples for sftp.

comment:4 Changed 3 years ago by exarkun

It has to be licensed appropriately, otherwise we have no right to distribute it.

comment:5 Changed 3 years ago by specnazzz

I hereby give permission to use my SFTP example by anyone at will.

comment:6 Changed 3 years ago by thijs

  • Author set to thijs
  • Branch set to branches/sftp-example-5237

(In [32514]) Branching to 'sftp-example-5237'

comment:7 Changed 3 years ago by thijs

(In [32515]) add example and news file, refs #5237

comment:8 Changed 3 years ago by thijs

  • Author changed from thijs to specnazzz, thijs
  • Keywords documentation review added

comment:9 follow-up: Changed 3 years ago by exarkun

  • Keywords review removed
  • Owner set to thijs

Thanks.

  1. It's an sftp example, so it belongs in conch's documentation directory, and the news fragment should go in conch's topfiles directory.
  2. Some of the names in the example use under_scores, they should use camelCase instead.
  3. get_key will be simpler if you use Key.fromFile instead of Key.fromString.
  4. The example only works on POSIX, this should probably be mentioned inside it somewhere.
  5. The example will fail unless run as root, because it uses UnixSSHRealm which always tries to seteuid to get the proper filesystem access rights.
    1. Also, if run as root, the example grants access to the entire filesystem with no authentication required. It's only an example, but this is still a little bit crazy. It would be better to use a real credentials checker as long as root access is going to be required to run it anyway. Alternatively, replace UnixSSHRealm with something that only allows access to a subset of the filesystem and doesn't require root.

comment:10 in reply to: ↑ 9 Changed 3 years ago by thijs

  • Keywords review added
  • Owner thijs deleted

I covered points 1-4 in r32530.

Replying to exarkun:

  1. The example will fail unless run as root, because it uses UnixSSHRealm which always tries to seteuid to get the proper filesystem access rights.
    1. Also, if run as root, the example grants access to the entire filesystem with no authentication required. It's only an example, but this is still a little bit crazy. It would be better to use a real credentials checker as long as root access is going to be required to run it anyway. Alternatively, replace UnixSSHRealm with something that only allows access to a subset of the filesystem and doesn't require root.

I could add this info to the docstring of the example, but I'm not sure how to implement this. So I'm putting it back up for review so someone else can judge that.
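An added example (not from the ticket, the sftp-example-5237 branch, or Twisted itself) of the two pieces exarkun's point 5 asks for and that the description's example lacks: a checker that actually verifies a salted PBKDF2 password hash where DummyChecker returns the username unconditionally, and a path resolver that confines every client-supplied SFTP path to one directory, which is the part of UnixSSHRealm's job that does not need root. It is plain Python 3 so it runs without Twisted installed: the requestAvatarId/credentials.username/credentials.password shape mirrors Twisted cred's checker contract, but UnauthorizedLogin and Credentials here are local stand-ins (assumptions), and wiring HashedPasswordChecker into a Portal or ConfinedRoot into an ISFTPServer implementation is left to the reader.

```python
import hashlib
import hmac
import os
import posixpath
import secrets


class UnauthorizedLogin(Exception):
    """Local stand-in for twisted.cred.error.UnauthorizedLogin (assumption)."""


class Credentials:
    """Minimal stand-in for an IUsernamePassword credentials object (assumption)."""

    def __init__(self, username, password):
        self.username = username
        self.password = password


class HashedPasswordChecker:
    """What DummyChecker should have been: the avatar id is handed out only
    after the supplied password matches a stored salted PBKDF2-HMAC-SHA256 hash.
    In Twisted the failure path would be defer.fail(UnauthorizedLogin())."""

    ITERATIONS = 100_000

    def __init__(self, records):
        # records: {username: (salt, digest)} as produced by hashPassword().
        self._records = dict(records)
        # A throwaway record so unknown usernames cost the same hashing time
        # as known ones; login timing then does not reveal which users exist.
        self._decoy = self.hashPassword(secrets.token_hex(16))

    @classmethod
    def hashPassword(cls, password, salt=None):
        if salt is None:
            salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, cls.ITERATIONS)
        return salt, digest

    def requestAvatarId(self, credentials):
        salt, expected = self._records.get(credentials.username, self._decoy)
        _, actual = self.hashPassword(credentials.password, salt)
        # compare_digest keeps the comparison constant-time; the membership
        # test rejects unknown users even if the decoy digest happened to match.
        if credentials.username in self._records and hmac.compare_digest(actual, expected):
            return credentials.username
        raise UnauthorizedLogin(credentials.username)


class ConfinedRoot:
    """Maps client-supplied SFTP paths onto a single directory. The path is
    first normalised as a POSIX path rooted at '/', so '..' can never climb
    above the root, then resolved through the real filesystem so a symlink
    inside the root cannot point outside it. No euid switch is involved, so
    the process that uses it does not have to run as root."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def resolve(self, clientPath):
        # SFTP paths are POSIX-style and interpreted relative to the user's root.
        normalised = posixpath.normpath("/" + clientPath)  # '/a/../../b' -> '/b'
        candidate = os.path.join(self.root, normalised.lstrip("/"))
        real = os.path.realpath(candidate)
        if os.path.commonpath([self.root, real]) != self.root:
            raise PermissionError(f"{clientPath!r} resolves outside {self.root}")
        return real


if __name__ == "__main__":
    # Constructed demo data; 'alice' is a made-up account.
    checker = HashedPasswordChecker(
        {"alice": HashedPasswordChecker.hashPassword("correct horse battery")})
    print(checker.requestAvatarId(Credentials("alice", "correct horse battery")))
    root = ConfinedRoot("/srv/sftp/alice")  # constructed root, need not exist
    print(root.resolve("/docs/../../../etc/passwd"))  # stays under the root
```

The realpath check is evaluated once, so between resolve() and the subsequent open() a symlink inside the root could still be swapped; a production backend would open the directory first and walk components with O_NOFOLLOW rather than trust a single lexical check.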

comment:11 Changed 3 years ago by exarkun

  • Keywords review removed
  • Owner set to exarkun

comment:12 Changed 3 years ago by exarkun

(In [32564]) Some changes to try to get the example into better shape - incomplete.

refs #5237

comment:13 Changed 3 years ago by exarkun

It seems very difficult to formulate a reasonable example given the current state of Conch. I filed #5265 which should produce an SFTP backend which is usable in an example like this. After #5265 is resolved, the features it adds should be used to complete this example.
