""" SSH-agent protocol implementation library. See https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.agent and http://ptspts.blogspot.co.il/2010/06/how-to-use-ssh-agent-programmatically.html for more details. The server's source code can be found here: https://github.com/openssh/openssh-portable/blob/master/authfd.c """ import io import logging from . import formats, util log = logging.getLogger(__name__) # Taken from https://github.com/openssh/openssh-portable/blob/master/authfd.h COMMANDS = dict( SSH_AGENTC_REQUEST_RSA_IDENTITIES=1, SSH_AGENT_RSA_IDENTITIES_ANSWER=2, SSH_AGENTC_RSA_CHALLENGE=3, SSH_AGENT_RSA_RESPONSE=4, SSH_AGENT_FAILURE=5, SSH_AGENT_SUCCESS=6, SSH_AGENTC_ADD_RSA_IDENTITY=7, SSH_AGENTC_REMOVE_RSA_IDENTITY=8, SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES=9, SSH2_AGENTC_REQUEST_IDENTITIES=11, SSH2_AGENT_IDENTITIES_ANSWER=12, SSH2_AGENTC_SIGN_REQUEST=13, SSH2_AGENT_SIGN_RESPONSE=14, SSH2_AGENTC_ADD_IDENTITY=17, SSH2_AGENTC_REMOVE_IDENTITY=18, SSH2_AGENTC_REMOVE_ALL_IDENTITIES=19, SSH_AGENTC_ADD_SMARTCARD_KEY=20, SSH_AGENTC_REMOVE_SMARTCARD_KEY=21, SSH_AGENTC_LOCK=22, SSH_AGENTC_UNLOCK=23, SSH_AGENTC_ADD_RSA_ID_CONSTRAINED=24, SSH2_AGENTC_ADD_ID_CONSTRAINED=25, SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED=26, ) def msg_code(name): """Convert string name into a integer message code.""" return COMMANDS[name] def msg_name(code): """Convert integer message code into a string name.""" ids = {v: k for k, v in COMMANDS.items()} return ids[code] def failure(): """Return error code to SSH binary.""" error_msg = util.pack('B', msg_code('SSH_AGENT_FAILURE')) return util.frame(error_msg) def _legacy_pubs(buf): """SSH v1 public keys are not supported.""" leftover = buf.read() if leftover: log.warning('skipping leftover: %r', leftover) code = util.pack('B', msg_code('SSH_AGENT_RSA_IDENTITIES_ANSWER')) num = util.pack('L', 0) # no SSH v1 keys return util.frame(code, num) class Handler(object): """ssh-agent protocol handler.""" def __init__(self, conn, debug=False): """ Create a protocol handler with specified public keys. Use specified signer function to sign SSH authentication requests. """ self.conn = conn self.debug = debug self.methods = { msg_code('SSH_AGENTC_REQUEST_RSA_IDENTITIES'): _legacy_pubs, msg_code('SSH2_AGENTC_REQUEST_IDENTITIES'): self.list_pubs, msg_code('SSH2_AGENTC_SIGN_REQUEST'): self.sign_message, } def handle(self, msg): """Handle SSH message from the SSH client and return the response.""" debug_msg = ': {!r}'.format(msg) if self.debug else '' log.debug('request: %d bytes%s', len(msg), debug_msg) buf = io.BytesIO(msg) code, = util.recv(buf, '>B') if code not in self.methods: log.warning('Unsupported command: %s (%d)', msg_name(code), code) return failure() method = self.methods[code] log.debug('calling %s()', method.__name__) reply = method(buf=buf) debug_reply = ': {!r}'.format(reply) if self.debug else '' log.debug('reply: %d bytes%s', len(reply), debug_reply) return reply def list_pubs(self, buf): """SSH v2 public keys are serialized and returned.""" assert not buf.read() keys = self.conn.parse_public_keys() code = util.pack('B', msg_code('SSH2_AGENT_IDENTITIES_ANSWER')) num = util.pack('L', len(keys)) log.debug('available keys: %s', [k['name'] for k in keys]) for i, k in enumerate(keys): log.debug('%2d) %s', i+1, k['fingerprint']) pubs = [util.frame(k['blob']) + util.frame(k['name']) for k in keys] return util.frame(code, num, *pubs) def sign_message(self, buf): """ SSH v2 public key authentication is performed. If the required key is not supported, raise KeyError If the signature is invalid, raise ValueError """ key = formats.parse_pubkey(util.read_frame(buf)) log.debug('looking for %s', key['fingerprint']) blob = util.read_frame(buf) assert util.read_frame(buf) == b'' assert not buf.read() for k in self.conn.parse_public_keys(): if (k['fingerprint']) == (key['fingerprint']): log.debug('using key %r (%s)', k['name'], k['fingerprint']) key = k break else: raise KeyError('key not found') label = key['name'].decode('utf-8') log.debug('signing %d-byte blob with "%s" key', len(blob), label) try: signature = self.conn.sign(blob=blob, identity=key['identity']) except IOError: return failure() log.debug('signature: %r', signature) try: sig_bytes = key['verifier'](sig=signature, msg=blob) log.info('signature status: OK') except formats.ecdsa.BadSignatureError: log.exception('signature status: ERROR') raise ValueError('invalid ECDSA signature') log.debug('signature size: %d bytes', len(sig_bytes)) data = util.frame(util.frame(key['type']), util.frame(sig_bytes)) code = util.pack('B', msg_code('SSH2_AGENT_SIGN_RESPONSE')) return util.frame(code, data)