[Twisted-Python] twisted.conch.ssh.session.SSHSession.request_subsystem

Tzury Bar Yochay tzury.by at gmail.com
Mon Dec 22 14:10:23 EST 2008

Glyph, thanks for your attention and time. I am afraid I was not clear
wit hmy question so please allow me to elaborate.

> The way you control which paths a user can access in this scenario is by
> setting the filesystem permissions on those directories.  Sorry, but Twisted
> cannot magically change your UNIX filesystem so that arbitrary commands see
> a different view of it.

I don't want to create a UNIX user per client. I want to design the
system in a way that all the clients will access using one single
'public' account.
In fact, each client is already pushing its files to it associated
'home' folder.
However, I want to be able to control it in case someone is hacking
with the system, so to ensure it cannot access any other paths but the
one which is associated with its rsa_key

I've investigated jailkit and gitosis and other approaches and was not
satisfied with the final result. That's the reason why I am not using
OpenSSH server and trying to make it possible with Twisted. I think it
will make a much more scalable and flexible system.
I strongly believe that others will find this project useful.

> If you want to write an SSH application server that does *not* allow running
> UNIX commands, you are going to have to write a lot more code; in effect,
> emulating a shell (or denying access to one entirely, as described in
> http://cyli.livejournal.com/38382.html )

I don't want to supply shell or any other interactive mode for a user.
This is all to be done at the client side 'automatically' using custom
sftp/ssh client

e.g. bzr branch sftp://user@server:port/allowed_path_only

> This code could definitely be better documented, but I don't think your
> question is related to subsystems.

when running the command mentioned above (bzr branch
sftp://user@server:port/allowed_path_only)  only
SSHSession.request_subsystem is called (neither request_shell nor
request_exec) - that's why I brought it up.

More information about the Twisted-Python mailing list