Re: [Twisted-Python] How to switch users in SSH session.
After much wrangling and a small miracle I have managed to write an object that fetches the output of three commands in the order given through an SSH connection. How come I cannot switch users? Some of the information I need can only be fetched through a root account and security is such
Paul_S_Johnson at mnb.uscourts.gov Paul_S_Johnson at mnb.uscourts.gov Thu Sep 27 16:00:14 EDT 200: that
I cannot log in remotely from a root account but must switch once logged
in from an account with less than root privileges.
I've been trying something similar. As you've probably found out you cant just write in the password to su - you'll get an error "Standard in must be a tty". Basically I think su needs a shell to work. Consequently, before sending your password, you'll need to request a shell. I would've been utterly clueless about this if it wasn't for the post @ http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html, from which I managed to extract the crucial code: term = 'ansi' winsz = struct.pack('4H', 80, 100, 80, 100) winSize = struct.unpack('4H', winsz) ptyReqData = session.packRequest_pty_req(term, winSize, '') self.conn.sendRequest(self, 'pty-req', ptyReqData) self.conn.sendRequest(self, 'shell', '') Sticking this in your SSHChannel.channelOpen method will allow you to get a shell. Unfortunately you then have to interact with the session in an expect-like manner which turns the whole procedure into one big easily broken hack. Basically I just write "su -" and wait for my method dataReceived to return "password:" at which point I write in the password. Another point to mention is that the ssh session is still not root, the root functionality is being provided by the shell instance. Consequently any new channels opened up will not be root so you cant easily use this method to scp file's that are only readable for root. You can of course cat from the shell session but then you have issues with line wrapping and reliably figuring out when the file ends and your shell prompt begins. I looked into trying to do some setreuid/setuid magic in the hope that I could issue a command from my root shell prompt that would elevate the whole ssh process to root allowing all my channels root priviliges. However I soon got well out of my depth and decided it wasn't possible, at least by me :) So, as far as I can see, it's not possible, if your server doesn't allow root access to open up a channel that has root priviliges. The only way to do it is in the aformentioned messy way via a shell & su (which I gave up on when my regular expression took up two lines on my screen and still didn't reliable match half the shell prompts it needed to). I would love somebody to prove me wrong and let me know of a nice way round this. Of course - these problems are nothing to do with twisted and all to do with the way ssh works. -ross -- Ross McKerchar Systems Analyst, Sophos Tel: 01235 559933 Web: http://www.sophos.com Sophos - security and control Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom. Company Reg No 2096520. VAT Reg No GB 348 3873 20.
participants (1)
-
Ross.McKerchar@sophos.com