[Twisted-Python] twistd and passphrase

Jean-Paul Calderone exarkun at divmod.com
Thu Sep 7 17:40:02 EDT 2006


On Thu, 07 Sep 2006 22:39:05 +0200, Lorenzo Allegrucci <l.allegrucci at gmail.com> wrote:
>On Tue, 2006-09-05 at 13:18 -0400, Mike Pelletier wrote:
>> On Tuesday 05 September 2006 12:21, Lorenzo Allegrucci wrote:
>> > Hi,
>> >
>> > I'm using twistd to run my server as a daemon but I couldn't find a way
>> > to prompt the user for a passphrase (such passphrase is used by the
>> > server to read its SSL key).  I tried getpass() but it doesn't work
>> > because /dev/stdin is already redirected to /dev/null.  How can I ask
>> > for a passphrase using twistd?
>> > Thank you
>>
>> Hi, Lorenzo.  I'm going to assume you are completely new to Twisted.
>
>Yes, I'm new to Twisted and I'm using it for a project of my degree
>thesis :)
>Your explanations have been very helpful and gave me some ideas, in the
>meantime I post my actual code.  (non important parts taken away)
>
>---myserver.py---
>class SCF(ssl.ContextFactory):
>    """Server context factory."""
>    def __init__(self, passphraseCB, cacert, cert, key):
>        self.passphraseCB = passphraseCB
>        self.cacert = cacert
>        self.cert = cert
>        self.key = key
>
>    def verify(self, conn, cert, errnum, depth, ok):
>        """Check the certificate of an incoming connection."""
>        # snip...
>        return ok
>
>    def getContext(self):
>        """Return an SSL context."""
>        context = SSL.Context(SSL.TLSv1_METHOD)
>        context.set_passwd_cb(self.passphraseCB)
>        # snip...
>        return context
>
>class MyService(internet.SSLServer):
>    def __init__(self):
>        root = XMLRPCServer()
>
>        key = config.getOption("SSL", "key")
>        cert = config.getOption("SSL", "cert")
>        cacert = config.getOption("SSL", "cacert")
>        port = config.getOption("daemon", "port")
>        host = config.getOption("daemon", "host")
>
>        context = SCF(self.getPassphraseCB, cacert, cert, key)
>        internet.SSLServer.__init__(self, port, server.Site(root), context,
>                                     interface=host)
>
>    def getPassphraseCB(self, repeat=False, *data):
>        return "secret"

    def getPassphraseCB(self, repeat=False, *data):
        return passphrase

import getpass
passphrase = getpass.getpass()

>
>application = service.Application("MyApp")
>myService = MyService()
>myService.setServiceParent(application)
>---myserver.py--
>
>
>To start my daemon I use 'twistd -y myserver.py' and everything works
>fine except for the fact that I have to "hardwire" the passphrase in
>'getPassphraseCB'.
>Of course this is not what I want and I would like to rewrite
>getPassphraseCB as:
>
>   def getPassphraseCB(self, repeat=False, *data):
>        return self.passphrase
>
>where self.passphrase should be set (somehow) _before_ twistd makes my
>application a daemon, but I couldn't find a way to do it yet.
>
>> You are never going to be able to read a password from stdin if twisted is
>> starting up in daemon mode.  As you noticed, in daemon mode stdin has been
>> closed before you have a chance to do anything with it.  You would instead
>> have to start it in "foreground" mode, then read the password with your
>> Protocol, and once the password has been validated ask twistd to switch to
>> daemon mode.
>
>Exactly.
>
>> (If indeed there even exists an interface for daemonizing after
>> the fact; I've never looked.)
>
>Looking at the twistd.py source I would say no..
>

Jean-Paul
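
Added example, not part of the original message or of Twisted: one way to implement the approach in the reply above, prompting while the `twistd -y` file is still being loaded and keeping the result in memory for the passphrase callback. `PassphraseHolder` and its methods are hypothetical names, the code assumes Python 3, and the callback arguments follow pyOpenSSL's `Context.set_passwd_cb` convention (maxlen, verify, userdata).

```python
import getpass
import warnings


class PassphraseHolder:
    """Prompt for the key passphrase once, while a terminal is still
    attached, and hand it to the SSL passphrase callback later."""

    def __init__(self, prompt=getpass.getpass):
        self._prompt = prompt      # injectable so it can be exercised without a tty
        self._secret = None

    def read(self, text="SSL key passphrase: "):
        """Call at module level of the twistd -y file, before daemonization."""
        with warnings.catch_warnings():
            # getpass warns and falls back to plain stdin when it cannot
            # disable echo; treat that as a failure instead of continuing.
            warnings.simplefilter("error", getpass.GetPassWarning)
            try:
                value = self._prompt(text)
            except (getpass.GetPassWarning, EOFError) as exc:
                raise RuntimeError("no usable terminal for the passphrase prompt") from exc
        if not value:
            raise ValueError("empty passphrase")
        self._secret = value.encode("utf-8")

    def callback(self, maxlen, verify=False, userdata=None):
        """Signature expected by pyOpenSSL's Context.set_passwd_cb."""
        if self._secret is None or len(self._secret) > maxlen:
            return b""             # a false value reports an error to pyOpenSSL
        return self._secret


# Wiring in the twistd -y file (names from the quoted myserver.py):
#   holder = PassphraseHolder()
#   holder.read()                      # runs while the file is loaded
#   context = SCF(holder.callback, cacert, cert, key)
```

The passphrase never touches the configuration file or the command line; it lives only in the daemon's memory, so a restart needs an operator at a terminal again.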



