diff options
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | paramiko/__init__.py | 3 | ||||
-rw-r--r-- | paramiko/channel.py | 7 | ||||
-rw-r--r-- | paramiko/ecdsakey.py | 181 | ||||
-rw-r--r-- | paramiko/hostkeys.py | 4 | ||||
-rw-r--r-- | paramiko/server.py | 21 | ||||
-rw-r--r-- | paramiko/transport.py | 4 | ||||
-rw-r--r-- | setup.py | 6 | ||||
-rw-r--r-- | sites/www/changelog.rst | 16 | ||||
-rw-r--r-- | tests/test_ecdsa.key | 5 | ||||
-rw-r--r-- | tests/test_ecdsa_password.key | 8 | ||||
-rw-r--r-- | tests/test_pkey.py | 64 |
12 files changed, 314 insertions, 6 deletions
@@ -36,6 +36,7 @@ Requirements - python 2.5 or better <http://www.python.org/> - pycrypto 2.1 or better <https://www.dlitz.net/software/pycrypto/> + - ecdsa 0.9 or better <https://pypi.python.org/pypi/ecdsa> If you have setuptools, you can build and install paramiko and all its dependencies with this command (as root):: diff --git a/paramiko/__init__.py b/paramiko/__init__.py index de89e08d..c996302a 100644 --- a/paramiko/__init__.py +++ b/paramiko/__init__.py @@ -57,7 +57,7 @@ if sys.version_info < (2, 5): __author__ = "Jeff Forcier <jeff@bitprophet.org>" -__version__ = "1.11.3" +__version__ = "1.12.1" __version_info__ = tuple([ int(d) for d in __version__.split(".") ]) __license__ = "GNU Lesser General Public License (LGPL)" @@ -72,6 +72,7 @@ from ssh_exception import SSHException, PasswordRequiredException, \ from server import ServerInterface, SubsystemHandler, InteractiveQuery from rsakey import RSAKey from dsskey import DSSKey +from ecdsakey import ECDSAKey from sftp import SFTPError, BaseSFTP from sftp_client import SFTP, SFTPClient from sftp_server import SFTPServer diff --git a/paramiko/channel.py b/paramiko/channel.py index c680e44b..d1e6333c 100644 --- a/paramiko/channel.py +++ b/paramiko/channel.py @@ -1027,6 +1027,13 @@ class Channel (object): ok = False else: ok = server.check_channel_shell_request(self) + elif key == 'env': + name = m.get_string() + value = m.get_string() + if server is None: + ok = False + else: + ok = server.check_channel_env_request(self, name, value) elif key == 'exec': cmd = m.get_string() if server is None: diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py new file mode 100644 index 00000000..ac840ab7 --- /dev/null +++ b/paramiko/ecdsakey.py @@ -0,0 +1,181 @@ +# Copyright (C) 2003-2007 Robey Pointer <robeypointer@gmail.com> +# +# This file is part of paramiko. +# +# Paramiko is free software; you can redistribute it and/or modify it under the +# terms of the GNU Lesser General Public License as published by the Free +# Software Foundation; either version 2.1 of the License, or (at your option) +# any later version. +# +# Paramiko is distrubuted in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR +# A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more +# details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with Paramiko; if not, write to the Free Software Foundation, Inc., +# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +""" +L{ECDSAKey} +""" + +import binascii +from ecdsa import SigningKey, VerifyingKey, der, curves +from ecdsa.util import number_to_string, sigencode_string, sigencode_strings, sigdecode_strings +from Crypto.Hash import SHA256, MD5 +from Crypto.Cipher import DES3 + +from paramiko.common import * +from paramiko import util +from paramiko.message import Message +from paramiko.ber import BER, BERException +from paramiko.pkey import PKey +from paramiko.ssh_exception import SSHException + + +class ECDSAKey (PKey): + """ + Representation of an ECDSA key which can be used to sign and verify SSH2 + data. + """ + + def __init__(self, msg=None, data=None, filename=None, password=None, vals=None, file_obj=None): + self.verifying_key = None + self.signing_key = None + if file_obj is not None: + self._from_private_key(file_obj, password) + return + if filename is not None: + self._from_private_key_file(filename, password) + return + if (msg is None) and (data is not None): + msg = Message(data) + if vals is not None: + self.verifying_key, self.signing_key = vals + else: + if msg is None: + raise SSHException('Key object may not be empty') + if msg.get_string() != 'ecdsa-sha2-nistp256': + raise SSHException('Invalid key') + curvename = msg.get_string() + if curvename != 'nistp256': + raise SSHException("Can't handle curve of type %s" % curvename) + + pointinfo = msg.get_string() + if pointinfo[0] != "\x04": + raise SSHException('Point compression is being used: %s'% + binascii.hexlify(pointinfo)) + self.verifying_key = VerifyingKey.from_string(pointinfo[1:], + curve=curves.NIST256p) + self.size = 256 + + def __str__(self): + key = self.verifying_key + m = Message() + m.add_string('ecdsa-sha2-nistp256') + m.add_string('nistp256') + + point_str = "\x04" + key.to_string() + + m.add_string(point_str) + return str(m) + + def __hash__(self): + h = hash(self.get_name()) + h = h * 37 + hash(self.verifying_key.pubkey.point.x()) + h = h * 37 + hash(self.verifying_key.pubkey.point.y()) + return hash(h) + + def get_name(self): + return 'ecdsa-sha2-nistp256' + + def get_bits(self): + return self.size + + def can_sign(self): + return self.signing_key is not None + + def sign_ssh_data(self, rpool, data): + digest = SHA256.new(data).digest() + sig = self.signing_key.sign_digest(digest, entropy=rpool.read, + sigencode=self._sigencode) + m = Message() + m.add_string('ecdsa-sha2-nistp256') + m.add_string(sig) + return m + + def verify_ssh_sig(self, data, msg): + if msg.get_string() != 'ecdsa-sha2-nistp256': + return False + sig = msg.get_string() + + # verify the signature by SHA'ing the data and encrypting it + # using the public key. + hash_obj = SHA256.new(data).digest() + return self.verifying_key.verify_digest(sig, hash_obj, + sigdecode=self._sigdecode) + + def write_private_key_file(self, filename, password=None): + key = self.signing_key or self.verifying_key + self._write_private_key_file('EC', filename, key.to_der(), password) + + def write_private_key(self, file_obj, password=None): + key = self.signing_key or self.verifying_key + self._write_private_key('EC', file_obj, key.to_der(), password) + + def generate(bits, progress_func=None): + """ + Generate a new private RSA key. This factory function can be used to + generate a new host key or authentication key. + + @param bits: number of bits the generated key should be. + @type bits: int + @param progress_func: an optional function to call at key points in + key generation (used by C{pyCrypto.PublicKey}). + @type progress_func: function + @return: new private key + @rtype: L{RSAKey} + """ + signing_key = ECDSA.generate() + key = ECDSAKey(vals=(signing_key, signing_key.get_verifying_key())) + return key + generate = staticmethod(generate) + + + ### internals... + + + def _from_private_key_file(self, filename, password): + data = self._read_private_key_file('EC', filename, password) + self._decode_key(data) + + def _from_private_key(self, file_obj, password): + data = self._read_private_key('EC', file_obj, password) + self._decode_key(data) + + ALLOWED_PADDINGS = ['\x01', '\x02\x02', '\x03\x03\x03', '\x04\x04\x04\x04', + '\x05\x05\x05\x05\x05', '\x06\x06\x06\x06\x06\x06', + '\x07\x07\x07\x07\x07\x07\x07'] + def _decode_key(self, data): + s, padding = der.remove_sequence(data) + if padding: + if padding not in self.ALLOWED_PADDINGS: + raise ValueError, "weird padding: %s" % (binascii.hexlify(empty)) + data = data[:-len(padding)] + key = SigningKey.from_der(data) + self.signing_key = key + self.verifying_key = key.get_verifying_key() + self.size = 256 + + def _sigencode(self, r, s, order): + msg = Message() + msg.add_mpint(r) + msg.add_mpint(s) + return str(msg) + + def _sigdecode(self, sig, order): + msg = Message(sig) + r = msg.get_mpint() + s = msg.get_mpint() + return (r, s) diff --git a/paramiko/hostkeys.py b/paramiko/hostkeys.py index f967a3da..9bcf0d55 100644 --- a/paramiko/hostkeys.py +++ b/paramiko/hostkeys.py @@ -29,6 +29,7 @@ from paramiko.common import * from paramiko.dsskey import DSSKey from paramiko.rsakey import RSAKey from paramiko.util import get_logger +from paramiko.ecdsakey import ECDSAKey class InvalidHostKey(Exception): @@ -81,9 +82,12 @@ class HostKeyEntry: key = RSAKey(data=base64.decodestring(key)) elif keytype == 'ssh-dss': key = DSSKey(data=base64.decodestring(key)) + elif keytype == 'ecdsa-sha2-nistp256': + key = ECDSAKey(data=base64.decodestring(key)) else: log.info("Unable to handle key of type %s" % (keytype,)) return None + except binascii.Error, e: raise InvalidHostKey(line, e) diff --git a/paramiko/server.py b/paramiko/server.py index d737e056..fdb40942 100644 --- a/paramiko/server.py +++ b/paramiko/server.py @@ -550,6 +550,27 @@ class ServerInterface (object): """ return OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED + def check_channel_env_request(self, channel, name, value): + """ + Check whether a given environment variable can be specified for the + given channel. This method should return C{True} if the server + is willing to set the specified environment variable. Note that + some environment variables (e.g., PATH) can be exceedingly + dangerous, so blindly allowing the client to set the environment + is almost certainly not a good idea. + + The default implementation always returns C{False}. + + @param channel: the L{Channel} the env request arrived on + @type channel: L{Channel} + @param name: foo bar baz + @type name: str + @param value: flklj + @type value: str + @rtype: bool + """ + return False + class SubsystemHandler (threading.Thread): """ diff --git a/paramiko/transport.py b/paramiko/transport.py index 6fb37970..3155d3f8 100644 --- a/paramiko/transport.py +++ b/paramiko/transport.py @@ -42,6 +42,7 @@ from paramiko.message import Message from paramiko.packet import Packetizer, NeedRekeyException from paramiko.primes import ModulusPack from paramiko.rsakey import RSAKey +from paramiko.ecdsakey import ECDSAKey from paramiko.server import ServerInterface from paramiko.sftp_client import SFTPClient from paramiko.ssh_exception import (SSHException, BadAuthenticationType, @@ -202,7 +203,7 @@ class Transport (threading.Thread): _preferred_ciphers = ( 'aes128-ctr', 'aes256-ctr', 'aes128-cbc', 'blowfish-cbc', 'aes256-cbc', '3des-cbc', 'arcfour128', 'arcfour256' ) _preferred_macs = ( 'hmac-sha1', 'hmac-md5', 'hmac-sha1-96', 'hmac-md5-96' ) - _preferred_keys = ( 'ssh-rsa', 'ssh-dss' ) + _preferred_keys = ( 'ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256' ) _preferred_kex = ( 'diffie-hellman-group1-sha1', 'diffie-hellman-group-exchange-sha1' ) _preferred_compression = ( 'none', ) @@ -227,6 +228,7 @@ class Transport (threading.Thread): _key_info = { 'ssh-rsa': RSAKey, 'ssh-dss': DSSKey, + 'ecdsa-sha2-nistp256': ECDSAKey, } _kex_info = { @@ -40,7 +40,9 @@ import sys try: from setuptools import setup kw = { - 'install_requires': 'pycrypto >= 2.1, != 2.4', + 'install_requires': ['pycrypto >= 2.1, != 2.4', + 'ecdsa', + ], } except ImportError: from distutils.core import setup @@ -52,7 +54,7 @@ if sys.platform == 'darwin': setup(name = "paramiko", - version = "1.11.3", + version = "1.12.1", description = "SSH2 protocol library", author = "Jeff Forcier", author_email = "jeff@bitprophet.org", diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index 1c533f95..47946a27 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -8,13 +8,29 @@ Changelog * :bug:`193` (and its attentant PRs :issue:`230` & :issue:`253`) Fix SSH agent problems present on Windows. Thanks to David Hobbs for initial report and to Aarni Koskela & Olle Lundberg for the patches. +* :release:`1.12.1 <2014-01-08>` * :release:`1.11.3 <2014-01-08>` * :release:`1.10.5 <2014-01-08>` +* :bug:`225 (1.12+)` Note ecdsa requirement in README. Thanks to Amaury + Rodriguez for the catch. * :bug:`176` Fix AttributeError bugs in known_hosts file (re)loading. Thanks to Nathan Scowcroft for the patch & Martin Blumenstingl for the initial test case. +* :release:`1.12.0 <2013-09-27>` * :release:`1.11.2 <2013-09-27>` * :release:`1.10.4 <2013-09-27>` +* :feature:`152` Add tentative support for ECDSA keys. *This adds the ecdsa + module as a new dependency of Paramiko.* The module is available at + [warner/python-ecdsa on Github](https://github.com/warner/python-ecdsa) and + [ecdsa on PyPI](https://pypi.python.org/pypi/ecdsa). + + * Note that you might still run into problems with key negotiation -- + Paramiko picks the first key that the server offers, which might not be + what you have in your known_hosts file. + * Mega thanks to Ethan Glasser-Camp for the patch. + +* :feature:`136` Add server-side support for the SSH protocol's 'env' command. + Thanks to Benjamin Pollack for the patch. * :bug:`156 (1.11+)` Fix potential deadlock condition when using Channel objects as sockets (e.g. when using SSH gatewaying). Thanks to Steven Noonan and Frank Arnold for catch & patch. diff --git a/tests/test_ecdsa.key b/tests/test_ecdsa.key new file mode 100644 index 00000000..42d44734 --- /dev/null +++ b/tests/test_ecdsa.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIKB6ty3yVyKEnfF/zprx0qwC76MsMlHY4HXCnqho2eKioAoGCCqGSM49 +AwEHoUQDQgAElI9mbdlaS+T9nHxY/59lFnn80EEecZDBHq4gLpccY8Mge5ZTMiMD +ADRvOqQ5R98Sxst765CAqXmRtz8vwoD96g== +-----END EC PRIVATE KEY----- diff --git a/tests/test_ecdsa_password.key b/tests/test_ecdsa_password.key new file mode 100644 index 00000000..eb7910ed --- /dev/null +++ b/tests/test_ecdsa_password.key @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,EEB56BC745EDB2DE04FC3FE1F8DA387E + +wdt7QTCa6ahTJLaEPH7NhHyBcxhzrzf93d4UwQOuAhkM6//jKD4lF9fErHBW0f3B +ExberCU3UxfEF3xX2thXiLw47JgeOCeQUlqRFx92p36k6YmfNGX6W8CsZ3d+XodF +Z+pb6m285CiSX+W95NenFMexXFsIpntiCvTifTKJ8os= +-----END EC PRIVATE KEY----- diff --git a/tests/test_pkey.py b/tests/test_pkey.py index 5e143373..8e8c4aa7 100644 --- a/tests/test_pkey.py +++ b/tests/test_pkey.py @@ -23,14 +23,17 @@ Some unit tests for public/private key objects. from binascii import hexlify, unhexlify import StringIO import unittest -from paramiko import RSAKey, DSSKey, Message, util +from paramiko import RSAKey, DSSKey, ECDSAKey, Message, util from paramiko.common import rng # from openssh's ssh-keygen PUB_RSA = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA049W6geFpmsljTwfvI1UmKWWJPNFI74+vNKTk4dmzkQY2yAMs6FhlvhlI8ysU4oj71ZsRYMecHbBbxdN79+JRFVYTKaLqjwGENeTd+yv4q+V2PvZv3fLnzApI3l7EJCqhWwJUHJ1jAkZzqDx0tyOL4uoZpww3nmE0kb3y21tH4c=' PUB_DSS = 'ssh-dss AAAAB3NzaC1kc3MAAACBAOeBpgNnfRzr/twmAQRu2XwWAp3CFtrVnug6s6fgwj/oLjYbVtjAy6pl/h0EKCWx2rf1IetyNsTxWrniA9I6HeDj65X1FyDkg6g8tvCnaNB8Xp/UUhuzHuGsMIipRxBxw9LF608EqZcj1E3ytktoW5B5OcjrkEoz3xG7C+rpIjYvAAAAFQDwz4UnmsGiSNu5iqjn3uTzwUpshwAAAIEAkxfFeY8P2wZpDjX0MimZl5wkoFQDL25cPzGBuB4OnB8NoUk/yjAHIIpEShw8V+LzouMK5CTJQo5+Ngw3qIch/WgRmMHy4kBq1SsXMjQCte1So6HBMvBPIW5SiMTmjCfZZiw4AYHK+B/JaOwaG9yRg2Ejg4Ok10+XFDxlqZo8Y+wAAACARmR7CCPjodxASvRbIyzaVpZoJ/Z6x7dAumV+ysrV1BVYd0lYukmnjO1kKBWApqpH1ve9XDQYN8zgxM4b16L21kpoWQnZtXrY3GZ4/it9kUgyB7+NwacIBlXa8cMDL7Q/69o0d54U0X/NeX5QxuYR6OMJlrkQB7oiW/P/1mwjQgE=' +PUB_ECDSA = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJSPZm3ZWkvk/Zx8WP+fZRZ5/NBBHnGQwR6uIC6XHGPDIHuWUzIjAwA0bzqkOUffEsbLe+uQgKl5kbc/L8KA/eo=' + FINGER_RSA = '1024 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5' FINGER_DSS = '1024 44:78:f0:b9:a2:3c:c5:18:20:09:ff:75:5b:c1:d2:6c' +FINGER_ECDSA = '256 25:19:eb:55:e6:a1:47:ff:4f:38:d2:75:6f:a5:d5:60' SIGNED_RSA = '20:d7:8a:31:21:cb:f7:92:12:f2:a4:89:37:f5:78:af:e6:16:b6:25:b9:97:3d:a2:cd:5f:ca:20:21:73:4c:ad:34:73:8f:20:77:28:e2:94:15:08:d8:91:40:7a:85:83:bf:18:37:95:dc:54:1a:9b:88:29:6c:73:ca:38:b4:04:f1:56:b9:f2:42:9d:52:1b:29:29:b4:4f:fd:c9:2d:af:47:d2:40:76:30:f3:63:45:0c:d9:1d:43:86:0f:1c:70:e2:93:12:34:f3:ac:c5:0a:2f:14:50:66:59:f1:88:ee:c1:4a:e9:d1:9c:4e:46:f0:0e:47:6f:38:74:f1:44:a8' RSA_PRIVATE_OUT = """\ @@ -66,6 +69,13 @@ QPSch9pT9XHqn+1rZ4bK+QGA -----END DSA PRIVATE KEY----- """ +ECDSA_PRIVATE_OUT = """\ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIKB6ty3yVyKEnfF/zprx0qwC76MsMlHY4HXCnqho2eKioAoGCCqGSM49 +AwEHoUQDQgAElI9mbdlaS+T9nHxY/59lFnn80EEecZDBHq4gLpccY8Mge5ZTMiMD +ADRvOqQ5R98Sxst765CAqXmRtz8vwoD96g== +-----END EC PRIVATE KEY----- +""" class KeyTest (unittest.TestCase): @@ -176,7 +186,7 @@ class KeyTest (unittest.TestCase): msg.rewind() pub = DSSKey(data=str(key)) self.assert_(pub.verify_ssh_sig('ice weasels', msg)) - + def test_A_generate_rsa(self): key = RSAKey.generate(1024) msg = key.sign_ssh_data(rng, 'jerri blank') @@ -188,3 +198,53 @@ class KeyTest (unittest.TestCase): msg = key.sign_ssh_data(rng, 'jerri blank') msg.rewind() self.assert_(key.verify_ssh_sig('jerri blank', msg)) + + def test_10_load_ecdsa(self): + key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') + self.assertEquals('ecdsa-sha2-nistp256', key.get_name()) + exp_ecdsa = FINGER_ECDSA.split()[1].replace(':', '') + my_ecdsa = hexlify(key.get_fingerprint()) + self.assertEquals(exp_ecdsa, my_ecdsa) + self.assertEquals(PUB_ECDSA.split()[1], key.get_base64()) + self.assertEquals(256, key.get_bits()) + + s = StringIO.StringIO() + key.write_private_key(s) + self.assertEquals(ECDSA_PRIVATE_OUT, s.getvalue()) + s.seek(0) + key2 = ECDSAKey.from_private_key(s) + self.assertEquals(key, key2) + + def test_11_load_ecdsa_password(self): + key = ECDSAKey.from_private_key_file('tests/test_ecdsa_password.key', 'television') + self.assertEquals('ecdsa-sha2-nistp256', key.get_name()) + exp_ecdsa = FINGER_ECDSA.split()[1].replace(':', '') + my_ecdsa = hexlify(key.get_fingerprint()) + self.assertEquals(exp_ecdsa, my_ecdsa) + self.assertEquals(PUB_ECDSA.split()[1], key.get_base64()) + self.assertEquals(256, key.get_bits()) + + def test_12_compare_ecdsa(self): + # verify that the private & public keys compare equal + key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') + self.assertEquals(key, key) + pub = ECDSAKey(data=str(key)) + self.assert_(key.can_sign()) + self.assert_(not pub.can_sign()) + self.assertEquals(key, pub) + + def test_13_sign_ecdsa(self): + # verify that the rsa private key can sign and verify + key = ECDSAKey.from_private_key_file('tests/test_ecdsa.key') + msg = key.sign_ssh_data(rng, 'ice weasels') + self.assert_(type(msg) is Message) + msg.rewind() + self.assertEquals('ecdsa-sha2-nistp256', msg.get_string()) + # ECDSA signatures, like DSS signatures, tend to be different + # each time, so we can't compare against a "known correct" + # signature. + # Even the length of the signature can change. + + msg.rewind() + pub = ECDSAKey(data=str(key)) + self.assert_(pub.verify_ssh_sig('ice weasels', msg)) |