In the original days of computing, rsh/rlogin were used to connect to remote computers and execute commands. These commands had the problem that the passwords and commands were sent in the clear. To solve this problem, the SSH protocol was created. Twisted.Conch implements the second version of this protocol.
Writing a client with Conch involves sub-classing 4 classes: twisted.conch.ssh.transport.SSHClientTransport , twisted.conch.ssh.userauth.SSHUserAuthClient , twisted.conch.ssh.connection.SSHConnection , and twisted.conch.ssh.channel.SSHChannel . We’ll start out with SSHClientTransport because it’s the base of the client.
from twisted.conch import error from twisted.conch.ssh import transport from twisted.internet import defer class ClientTransport(transport.SSHClientTransport): def verifyHostKey(self, pubKey, fingerprint): if fingerprint != 'b1:94:6a:c9:24:92:d2:34:7c:62:35:b4:d2:61:11:84': return defer.fail(error.ConchError('bad key')) else: return defer.succeed(1) def connectionSecure(self): self.requestService(ClientUserAuth('user', ClientConnection()))
See how easy it is? SSHClientTransport handles the negotiation of encryption and the verification of keys for you. The one security element that you as a client writer need to implement is verifyHostKey() . This method is called with two strings: the public key sent by the server and its fingerprint. You should verify the host key the server sends, either by checking against a hard-coded value as in the example, or by asking the user. verifyHostKey returns a twisted.internet.defer.Deferred which gets a callback if the host key is valid, or an errback if it is not. Note that in the above, replace ‘user’ with the username you’re attempting to ssh with, for instance a call to os.getlogin() for the current user.
The second method you need to implement is connectionSecure() . It is called when the encryption is set up and other services can be run. The example requests that the ClientUserAuth service be started. This service will be discussed next.
from twisted.conch.ssh import connection class ClientConnection(connection.SSHConnection): def serviceStarted(self): self.openChannel(CatChannel(conn = self))
SSHConnection is the easiest, as it’s only responsible for starting the channels. It has other methods, those will be examined when we look at SSHChannel .
from twisted.conch.ssh import channel, common class CatChannel(channel.SSHChannel): name = 'session' def channelOpen(self, data): d = self.conn.sendRequest(self, 'exec', common.NS('cat'), wantReply = 1) d.addCallback(self._cbSendRequest) self.catData = '' def _cbSendRequest(self, ignored): self.write('This data will be echoed back to us by "cat."\r\n') self.conn.sendEOF(self) self.loseConnection() def dataReceived(self, data): self.catData += data def closed(self): print 'We got this from "cat":', self.catData
Now that we’ve spent all this time getting the server and client connected, here is where that work pays off. SSHChannel is the interface between you and the other side. This particular channel opens a session and plays with the ‘cat’ program, but your channel can implement anything, so long as the server supports it.
The channelOpen() method is where everything gets started. It gets passed a chunk of data; however, this chunk is usually nothing and can be ignored. Our channelOpen() initializes our channel, and sends a request to the other side, using the``sendRequest()`` method of the SSHConnection object. Requests are used to send events to the other side. We pass the method self so that it knows to send the request for this channel. The 2nd argument of ‘exec’ tells the server that we want to execute a command. The third argument is the data that accompanies the request. common.NS encodes the data as a length-prefixed string, which is how the server expects the data. We also say that we want a reply saying that the process has a been started. sendRequest() then returns a``Deferred`` which we add a callback for.
Once the callback fires, we send the data. SSHChannel supports the :api:` twisted.internet.interface.Transport < twisted.internet.interface.Transport>` interface, so it can be given to Protocols to run them over the secure connection. In our case, we just write the data directly. sendEOF() does not follow the interface, but Conch uses it to tell the other side that we will write no more data. loseConnection() shuts down our side of the connection, but we will still receive data through dataReceived() . The closed() method is called when both sides of the connection are closed, and we use it to display the data we received (which should be the same as the data we sent.)
Finally, let’s actually invoke the code we’ve set up.
from twisted.internet import protocol, reactor def main(): factory = protocol.ClientFactory() factory.protocol = ClientTransport reactor.connectTCP('localhost', 22, factory) reactor.run() if __name__ == "__main__": main()
We call connectTCP() to connect to localhost, port 22 (the standard port for ssh), and pass it an instance of twisted.internet.protocol.ClientFactory . This instance has the attribute protocol set to our earlier ClientTransport class. Note that the protocol attribute is set to the class ClientTransport , not an instance of``ClientTransport`` ! When the connectTCP call completes, the protocol will be called to create a ClientTransport() object - this then invokes all our previous work.
It’s worth noting that in the example main() routine, the reactor.run() call never returns. If you want to make the program exit, call reactor.stop() in the earlier closed() method.
If you wish to observe the interactions in more detail, adding a call to log.startLogging(sys.stdout, setStdout=0) before the reactor.run() call will send all logging to stdout.