[Twisted-Python] using conch to create a "chrooted" sftp server

Paul Swartz paulswartz at gmail.com
Tue Feb 12 17:46:06 EST 2008


On Mon, Feb 4, 2008 at 10:19 PM,  <glyph at divmod.com> wrote:
>
>  I'd like to provide file-server access on my home network to a machine
>  which hosts a variety of media, without exposing its entire filesystem.
>  OpenSSH's sftp-server doesn't allow this, so of course I thought, I
>  should use conch.
>
>  Completely replacing OpenSSH with Conch is inconvenient, however, and it
>  is my only means to administer these machines, so both for the sake of
>  easy packaging and making sure I don't make a mistake, I'd really like
>  to keep the main SSH daemon in place but replace the sftp channel.
>
>  I *think* that means I'd need to do something with sshd_config,
>  twisted.conch.ssh.filetransfer, and twisted.internet.stdio.  However,
>  I'm a bit at a loss what that thing would be.

On the OpenSSH side, you'll want to change the 'Subsystem sftp
/usr/lib/openssh/sftp-server' line in /etc/ssh/sshd_config (on
Debian/Ubuntu) to some script that you write.

On the Twisted side, you'll want to connect
twisted.conch.ssh.filetransfer.FileTransferServer to
twisted.internet.stdio.StandardIO.  You'll have to create your own
avatar based on the current user and pass that to the constructor.

>  Can someone with stronger conch-fu than I give a brief description of
>  how this could be done?  Ideally, I'd like some users (myself) to be
>  able to access the entire filesystem, but others (the "storage" user,
>  who has no shell) to only be able to access /public.  Finally I'd like
>  the "guest" user to be able to access /public, but read-only, and
>  /public/drop-box read-write.  I don't mind setting up UNIX permissions
>  to enforce that last bit.

You'll probably want to hack up
twisted.conch.unix.SFTPServerForUnixConchUser to do that.  It's an
adapter for whatever the avatar passed to FileTransferServer is to
ISFTPServer, and FileTransferServer calls the methods on that to
implement the actual file mechanics.

hth,
-p
-- 
Paul Swartz
paulswartz at gmail dot com
http://z3p.jot.com/
AIM: z3penguin




More information about the Twisted-Python mailing list