[Twisted-Python] How to switch users in SSH session.

Ross.McKerchar at sophos.com Ross.McKerchar at sophos.com
Tue Oct 9 12:41:47 EDT 2007

Paul_S_Johnson at mnb.uscourts.gov Paul_S_Johnson at mnb.uscourts.gov 
Thu Sep 27 16:00:14 EDT 200:

> After much wrangling and a small miracle I have managed to write an 
> that fetches the output of three commands in the order given through an 
> SSH connection. How come I cannot switch users? Some of the information 
> need can only be fetched through a root account and security is such 
> I cannot log in remotely from a root account but must switch once logged 
> in from an account with less than root privileges.

I've been trying something similar. As you've probably found out you can't 
just write in the password to su - you'll get an error "Standard in must 
be a tty". Basically I think su needs a shell to work.

Consequently, before sending your password, you'll need to request a 
shell. I would've been utterly clueless about this if it wasn't for the 
post @
from which I managed to extract the crucial code:

from twisted.conch.ssh import session

# su needs a controlling tty, so request a pty before asking for the shell.
term = 'ansi'
winSize = (80, 100, 80, 100)   # rows, cols, xpixel, ypixel
ptyReqData = session.packRequest_pty_req(term, winSize, '')
self.conn.sendRequest(self, 'pty-req', ptyReqData)
self.conn.sendRequest(self, 'shell', '')

Sticking this in your SSHChannel.channelOpen method will allow you to get 
a shell. Unfortunately you then have to interact with the session in an 
expect-like manner which turns the whole procedure into one big easily 
broken hack. Basically I just write "su -" and wait for my method 
dataReceived to return "password:" at which point I write in the password.

Another point to mention is that the ssh session is still not root, the 
root functionality is being provided by the shell instance. Consequently 
any new channels opened up will not be root so you can't easily use this 
method to scp files that are only readable for root. You can of course 
cat from the shell session but then you have issues with line wrapping and 
reliably figuring out when the file ends and your shell prompt begins.

I looked into trying to do some setreuid/setuid magic in the hope that I 
could issue a command from my root shell prompt that would elevate the 
whole ssh process to root allowing all my channels root privileges. 
However I soon got well out of my depth and decided it wasn't possible, at 
least by me :)

So, as far as I can see, it's not possible, if your server doesn't allow 
root access to open up a channel that has root privileges. The only way to 
do it is in the aforementioned messy way via a shell & su (which I gave up 
on when my regular expression took up two lines on my screen and still 
didn't reliably match half the shell prompts it needed to).

I would love somebody to prove me wrong and let me know of a nice way 
round this.

Of course - these problems are nothing to do with twisted and all to do 
with the way ssh works.


Ross McKerchar
Systems Analyst, Sophos

Tel: 01235 559933
Web: http://www.sophos.com
Sophos - security and control

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.
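The expect-style loop described in the post above (send "su -", wait for the password prompt, then run commands and try to tell output from prompt) can be made far less fragile without matching prompts at all. The following is an added example, not code from the post or from Twisted: a pure-Python state machine that a channel's dataReceived method would feed and whose return value it would write back (wiring such as `self.write(driver.start())` after the 'shell' request and `self.write(driver.dataReceived(data))` in dataReceived is assumed, not shown). It assumes a Bourne-style shell on the far side and that su prompts with "Password:". Instead of guessing the prompt it appends a printf of a unique end marker plus `$?` to every command, silences keystroke echo and the prompt once, and checks `id -u` before running anything, so a failed su is detected rather than silently running the commands unprivileged. The token value used in the examples below is constructed; a real run takes a random one.

```python
import re
import secrets


class SuDriver:
    """Expect-style state machine that drives 'su -' through a pty-backed shell.

    The caller (e.g. an SSHChannel.dataReceived method, not modelled here) feeds
    it everything the channel receives, in whatever chunks arrive, and writes
    back whatever it returns.  Assumes a Bourne-style shell on the far side.
    """

    def __init__(self, password, commands, token=None):
        self.password = password
        self.queue = list(commands)
        token = token or secrets.token_hex(6)   # fixed token in tests is constructed
        self.marker = '__END_%s__' % token
        # The marker is typed as two halves, so the terminal's echo of our own
        # keystrokes can never contain the joined string even if the line wraps;
        # only printf's output does, followed by the command's exit status.
        self.tail = "; printf '\\n%%s%%s %%s\\n' __END_ %s__ $?\n" % token
        # Require the trailing newline so a marker split across chunks is not
        # acted on before it is complete.
        self._marker_re = re.compile(r'^%s (\d+)\n' % re.escape(self.marker), re.M)
        self.buf = ''
        self.state = 'password'   # password -> check -> run ... -> done
        self.current = None
        self.results = []         # (command, output, exit status)
        self.root_ok = None       # None until the uid check has run
        self.done = False

    def start(self):
        """Bytes to write once the server has granted the pty and the shell."""
        return 'su -\n'

    def dataReceived(self, data):
        """Consume one chunk from the channel; return what to write back ('' if nothing)."""
        self.buf += data.replace('\r\n', '\n')
        if self.state == 'password':
            if not re.search(r'assword:', self.buf):
                return ''                   # prompt may still be arriving
            self.buf = ''
            self.state = 'check'
            # After the password: turn off keystroke echo and the prompt (both would
            # otherwise pollute every later read), then prove we really are root.
            return self.password + '\n' + 'stty -echo; PS1=; id -u' + self.tail
        m = self._marker_re.search(self.buf)
        if not m:
            return ''                       # command still running or marker incomplete
        output = self.buf[:m.start()]
        if output.endswith('\n'):
            output = output[:-1]            # the newline printf emits before the marker
        status = int(m.group(1))
        self.buf = self.buf[m.end():]
        if self.state == 'check':
            lines = [l for l in output.split('\n') if l.strip()]
            self.root_ok = bool(lines) and lines[-1].strip() == '0'
            if not self.root_ok:
                self.done = True            # su failed; we are still the unprivileged shell
                return ''
        else:
            self.results.append((self.current, output, status))
        return self._send_next()

    def _send_next(self):
        if not self.queue:
            self.state = 'done'
            self.done = True
            return 'exit\n'                 # leave the root shell
        self.current = self.queue.pop(0)
        self.state = 'run'
        return self.current + self.tail
```

Because every command ends with its own marker and exit status, output boundaries no longer depend on what the remote prompt looks like, and the `id -u` check answers the question the post leaves open (did su actually succeed). The session itself is still the unprivileged user's, as the post notes: only the shell behind this channel is root, so this does not help with scp over a second channel.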
