lxd-project/sshim_patch.py

from sshim import *
import paramiko
import os
import uuid
import lxd_interface
import threading
import logging
import select
import time
import inspect

logger = logging.getLogger(__name__)


def check_channel_request(self, kind, channel_id):
    logger.debug(f"Client requested {kind}")
    if kind in ('session', 'sftp'):
        return paramiko.OPEN_SUCCEEDED
    return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED


def check_channel_shell_request(self, channel):
    logger.debug("Check channel shell request: %s" % channel.get_id())
    self.runner.set_shell_channel(channel)

    return True


def check_channel_subsystem_request(self, channel, name):
    if name == 'sftp':
        self.runner.set_sftp_channel(channel)
        return True
    else:
        return False


def check_auth_none(self, username):
    if username == os.environ["SSH_USERNAME"]:
        return paramiko.AUTH_PARTIALLY_SUCCESSFUL
    return paramiko.AUTH_FAILED


def check_auth_password(self, username, password):
    logger.debug(f"{username} just tried to connect")
    if username == os.environ["SSH_USERNAME"] and password == os.environ["SSH_PASSWORD"]:
        self.runner = Runner(self, self.transport)
        self.runner.start()
        return paramiko.AUTH_SUCCESSFUL
    return paramiko.AUTH_FAILED


def check_auth_publickey(self, username, key):
    return paramiko.AUTH_FAILED


class Runner(threading.Thread):
    def __init__(self, client, transport: paramiko.Transport):
        self.instance_name = "instance-" + str(uuid.uuid4())
        threading.Thread.__init__(self, name=f'sshim.Runner {self.instance_name}')
        self.instance_password = str(uuid.uuid4())  # TODO: secure password generation
        self.daemon = True
        self.client = client
        self.transport = transport
        # self.transport.set_subsystem_handler('sftp', handler=paramiko.SFTPServer)
        self.shell_channel = None
        self.sftp_channel = None

    def run(self) -> None:
        vm_ip = lxd_interface.create_instance(self.instance_name, self.instance_password)['address']

        with paramiko.SSHClient() as ssh_client:
            ssh_client.set_missing_host_key_policy(paramiko.WarningPolicy)
            ssh_client.connect(vm_ip, username='root', password=self.instance_password)
            client_shell_channel = ssh_client.invoke_shell()
            client_sftp_channel = ssh_client.open_sftp().get_channel()

            while True:
                if self.shell_channel is not None:
                    r, w, e = select.select([client_shell_channel, self.shell_channel], [], [])
                    if self.shell_channel in r:
                        x = self.shell_channel.recv(1024)
                        if len(x) == 0:
                            self.shell_channel.close()
                            self.shell_channel = None
                            continue
                        client_shell_channel.send(x)
                    if client_shell_channel in r:
                        x = client_shell_channel.recv(1024)
                        if len(x) == 0:
                            self.shell_channel.close()
                            self.shell_channel = None
                            continue
                        self.shell_channel.send(x)

                if self.sftp_channel is not None:  # TODO: move this to function
                    r, w, e = select.select([client_sftp_channel, self.sftp_channel], [], [])
                    if self.sftp_channel in r:
                        x = self.sftp_channel.recv(1024)
                        if len(x) == 0:
                            self.sftp_channel.close()
                            self.sftp_channel = None
                            continue
                        client_sftp_channel.send(x)
                    if client_sftp_channel in r:
                        x = client_sftp_channel.recv(1024)
                        if len(x) == 0:
                            self.sftp_channel.close()
                            self.sftp_channel = None
                            continue
                        self.sftp_channel.send(x)

                if self.transport.is_active() is False:
                    break

            lxd_interface.destroy_instance(self.instance_name)

    def set_shell_channel(self, channel):
        self.shell_channel = channel
        self.shell_channel.settimeout(None)

    def set_sftp_channel(self, channel):
        self.sftp_channel = channel
        self.sftp_channel.settimeout(None)


Handler.check_channel_request = check_channel_request
Handler.check_channel_shell_request = check_channel_shell_request
Handler.check_channel_subsystem_request = check_channel_subsystem_request
Handler.check_auth_none = check_auth_none
Handler.check_auth_password = check_auth_password
Handler.check_auth_publickey = check_auth_publickey
Handler.enable_auth_gssapi = paramiko.server.ServerInterface.enable_auth_gssapi
Handler.get_allowed_auths = paramiko.server.ServerInterface.get_allowed_auths
Move monkey-patching to dedicated file 2022-11-23 19:18:40 +00:00			`from sshim import *`
			`import paramiko`
			`import os`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00			`import uuid`
			`import lxd_interface`
			`import threading`
			`import logging`
Get connection forwarding to work 2022-11-28 19:25:39 +00:00			`import select`
Some more Runner logic 2022-11-26 23:06:01 +00:00			`import time`
Implement getattr behaviour 2022-11-26 23:48:22 +00:00			`import inspect`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00
Implement lxc container ssh logic 2022-11-26 22:24:31 +00:00			`logger = logging.getLogger(__name__)`
Monkeypatch sshim.expect, implement basic connect_handler, set default to localhost only 2022-11-24 19:59:21 +00:00

Add sftp logic 2022-11-29 18:23:11 +00:00			`def check_channel_request(self, kind, channel_id):`
			`logger.debug(f"Client requested {kind}")`
			`if kind in ('session', 'sftp'):`
			`return paramiko.OPEN_SUCCEEDED`
			`return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED`


Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00			`def check_channel_shell_request(self, channel):`
Get connection forwarding to work 2022-11-28 19:25:39 +00:00			`logger.debug("Check channel shell request: %s" % channel.get_id())`
Add sftp logic 2022-11-29 18:23:11 +00:00			`self.runner.set_shell_channel(channel)`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00
			`return True`


Fix sftp logic 2022-11-29 18:54:09 +00:00			`def check_channel_subsystem_request(self, channel, name):`
			`if name == 'sftp':`
			`self.runner.set_sftp_channel(channel)`
			`return True`
			`else:`
			`return False`


Move monkey-patching to dedicated file 2022-11-23 19:18:40 +00:00			`def check_auth_none(self, username):`
Fix typo 2022-11-28 19:56:50 +00:00			`if username == os.environ["SSH_USERNAME"]:`
Monkeypatch sshim.expect, implement basic connect_handler, set default to localhost only 2022-11-24 19:59:21 +00:00			`return paramiko.AUTH_PARTIALLY_SUCCESSFUL`
			`return paramiko.AUTH_FAILED`
Move monkey-patching to dedicated file 2022-11-23 19:18:40 +00:00

			`def check_auth_password(self, username, password):`
Update environment variable casing 2022-11-28 19:55:27 +00:00			`logger.debug(f"{username} just tried to connect")`
			`if username == os.environ["SSH_USERNAME"] and password == os.environ["SSH_PASSWORD"]:`
Add sftp logic 2022-11-29 18:23:11 +00:00			`self.runner = Runner(self, self.transport)`
			`self.runner.start()`
Move monkey-patching to dedicated file 2022-11-23 19:18:40 +00:00			`return paramiko.AUTH_SUCCESSFUL`
			`return paramiko.AUTH_FAILED`


			`def check_auth_publickey(self, username, key):`
			`return paramiko.AUTH_FAILED`


Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00			`class Runner(threading.Thread):`
Add sftp logic 2022-11-29 18:23:11 +00:00			`def __init__(self, client, transport: paramiko.Transport):`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00			`self.instance_name = "instance-" + str(uuid.uuid4())`
Fix exit handling 2022-11-29 19:53:08 +00:00			`threading.Thread.__init__(self, name=f'sshim.Runner {self.instance_name}')`
Add MITM ssh logic 2022-11-25 16:08:10 +00:00			`self.instance_password = str(uuid.uuid4()) # TODO: secure password generation`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00			`self.daemon = True`
			`self.client = client`
Add sftp logic 2022-11-29 18:23:11 +00:00			`self.transport = transport`
Fix sftp logic 2022-11-29 18:54:09 +00:00			`# self.transport.set_subsystem_handler('sftp', handler=paramiko.SFTPServer)`
Add sftp logic 2022-11-29 18:23:11 +00:00			`self.shell_channel = None`
			`self.sftp_channel = None`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00
			`def run(self) -> None:`
Some more Runner logic 2022-11-26 23:06:01 +00:00			`vm_ip = lxd_interface.create_instance(self.instance_name, self.instance_password)['address']`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00
Add MITM ssh logic 2022-11-25 16:08:10 +00:00			`with paramiko.SSHClient() as ssh_client:`
Some more Runner logic 2022-11-26 23:06:01 +00:00			`ssh_client.set_missing_host_key_policy(paramiko.WarningPolicy)`
			`ssh_client.connect(vm_ip, username='root', password=self.instance_password)`
Add sftp logic 2022-11-29 18:23:11 +00:00			`client_shell_channel = ssh_client.invoke_shell()`
			`client_sftp_channel = ssh_client.open_sftp().get_channel()`
Some more Runner logic 2022-11-26 23:06:01 +00:00
			`while True:`
Add sftp logic 2022-11-29 18:23:11 +00:00			`if self.shell_channel is not None:`
			`r, w, e = select.select([client_shell_channel, self.shell_channel], [], [])`
			`if self.shell_channel in r:`
			`x = self.shell_channel.recv(1024)`
			`if len(x) == 0:`
Fix exit handling 2022-11-29 19:53:08 +00:00			`self.shell_channel.close()`
Add exit handling 2022-11-29 19:22:27 +00:00			`self.shell_channel = None`
Fix exit handling 2022-11-29 19:53:08 +00:00			`continue`
Add sftp logic 2022-11-29 18:23:11 +00:00			`client_shell_channel.send(x)`
			`if client_shell_channel in r:`
			`x = client_shell_channel.recv(1024)`
			`if len(x) == 0:`
Fix exit handling 2022-11-29 19:53:08 +00:00			`self.shell_channel.close()`
Add exit handling 2022-11-29 19:22:27 +00:00			`self.shell_channel = None`
Fix exit handling 2022-11-29 19:53:08 +00:00			`continue`
Add sftp logic 2022-11-29 18:23:11 +00:00			`self.shell_channel.send(x)`

Add exit handling 2022-11-29 19:22:27 +00:00			`if self.sftp_channel is not None: # TODO: move this to function`
Add sftp logic 2022-11-29 18:23:11 +00:00			`r, w, e = select.select([client_sftp_channel, self.sftp_channel], [], [])`
			`if self.sftp_channel in r:`
			`x = self.sftp_channel.recv(1024)`
			`if len(x) == 0:`
Fix exit handling 2022-11-29 19:53:08 +00:00			`self.sftp_channel.close()`
Add exit handling 2022-11-29 19:22:27 +00:00			`self.sftp_channel = None`
Fix exit handling 2022-11-29 19:53:08 +00:00			`continue`
Add sftp logic 2022-11-29 18:23:11 +00:00			`client_sftp_channel.send(x)`
			`if client_sftp_channel in r:`
			`x = client_sftp_channel.recv(1024)`
			`if len(x) == 0:`
Fix exit handling 2022-11-29 19:53:08 +00:00			`self.sftp_channel.close()`
Add exit handling 2022-11-29 19:22:27 +00:00			`self.sftp_channel = None`
Fix exit handling 2022-11-29 19:53:08 +00:00			`continue`
Add sftp logic 2022-11-29 18:23:11 +00:00			`self.sftp_channel.send(x)`

			`if self.transport.is_active() is False:`
			`break`

Add logic to prevent hanging instances 2022-11-28 19:38:07 +00:00			`lxd_interface.destroy_instance(self.instance_name)`

Add sftp logic 2022-11-29 18:23:11 +00:00			`def set_shell_channel(self, channel):`
			`self.shell_channel = channel`
			`self.shell_channel.settimeout(None)`

Fix sftp logic 2022-11-29 18:54:09 +00:00			`def set_sftp_channel(self, channel):`
Add sftp logic 2022-11-29 18:23:11 +00:00			`self.sftp_channel = channel`
			`self.sftp_channel.settimeout(None)`

Move monkey-patching to dedicated file 2022-11-23 19:18:40 +00:00
Fix sftp logic 2022-11-29 18:54:09 +00:00			`Handler.check_channel_request = check_channel_request`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00			`Handler.check_channel_shell_request = check_channel_shell_request`
Fix sftp logic 2022-11-29 18:54:09 +00:00			`Handler.check_channel_subsystem_request = check_channel_subsystem_request`
Move monkey-patching to dedicated file 2022-11-23 19:18:40 +00:00			`Handler.check_auth_none = check_auth_none`
			`Handler.check_auth_password = check_auth_password`
			`Handler.check_auth_publickey = check_auth_publickey`
Monkeypatch sshim.expect, implement basic connect_handler, set default to localhost only 2022-11-24 19:59:21 +00:00			`Handler.enable_auth_gssapi = paramiko.server.ServerInterface.enable_auth_gssapi`
Move connect_handler logic to sshim_patch 2022-11-25 15:41:02 +00:00			`Handler.get_allowed_auths = paramiko.server.ServerInterface.get_allowed_auths`