Skip to content
Snippets Groups Projects
Commit 7a0aaa57 authored by jorge.leitemac's avatar jorge.leitemac :juggling_tone5:
Browse files

Deporting ssh signature by tweaking paramiko source code

parent e7063c91
No related branches found
No related tags found
No related merge requests found
Showing
with 422 additions and 0 deletions
./ssh-keys/*
\ No newline at end of file
auth.py 0 → 100644
import socket
import sys
import json
import os
import base64
# ajouter le chemin vers le répertoire libs à PYTHONPATH
libs_path = os.path.join(os.getcwd(), 'libs')
if libs_path not in sys.path:
sys.path.append(libs_path)
# maintenant, vous pouvez importer votre bibliothèque
import paramiko
def _get_key_type_and_bits_o(key):
print("_get_key_type_and_bits")
"""
Given any key, return its type/algorithm & bits-to-sign.
Intended for input to or verification of, key signatures.
"""
# Use certificate contents, if available, plain pubkey otherwise
if key.public_blob:
return key.public_blob.key_type, key.public_blob.key_blob
else:
return key.get_name(), key
def _get_session_blob(key, service, username, algorithm, session_id, userauth_request):
print("_get_session_blob ********************************")
m = paramiko.Message()
m.add_string(session_id)
# problématique car comment avoir la session_id avant de s'authentifier ?
# print("session_id: ", self.transport.session_id)
m.add_byte(userauth_request)
# print("cMSG_USERAUTH_REQUEST", cMSG_USERAUTH_REQUEST)
m.add_string(username)
print("username: ", username)
m.add_string(service)
print("service: ", service)
m.add_string("publickey")
m.add_boolean(True)
_, bits = _get_key_type_and_bits_o(key)
m.add_string(algorithm)
m.add_string(bits)
print("*****************************")
return m.asbytes()
# Variables pour le serveur de signature
hostname = 'localhost'
port = 12340
# Variables pour la clé privée
private_key_file = 'ssh-keys/test'
password = None
# Lire la clé privée au format OpenSSH
privateKey = paramiko.RSAKey.from_private_key_file(private_key_file)
# Démarrer le serveur de signatu
signer_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
signer_server.bind((hostname, port))
signer_server.listen(1)
while True:
print("En attente d'une connexion...")
# Attendre une connexion
client, address = signer_server.accept()
print("Connexion recue !")
# print("Adresse :", address)
# print("Client :", client)
# Lire le défi
data = client.recv(1024)
info_dict = json.loads(data.decode())
# Vous pouvez maintenant accéder aux informations dans info_dict
algorithm = info_dict['algorithm']
session_id = base64.b64decode(info_dict['session_id'])
userauth_request = base64.b64decode(info_dict['userauth_request'])
username = info_dict['username']
m = paramiko.Message()
print("algorithm: ", algorithm)
print("session_id: ", session_id)
print("userauth_request: ", userauth_request)
print("username: ", username)
m.add_byte(userauth_request)
m.add_string(username)
m.add_string("ssh-connection")
m.add_string("publickey")
m.add_boolean(True)
sessionblob = _get_session_blob(privateKey, "ssh-connection", username, algorithm, session_id, userauth_request)
keyType, bits = _get_key_type_and_bits_o(privateKey)
m.add_string("rsa-sha2-512")
m.add_string(bits)
print("sessionblob: ", sessionblob)
sig = privateKey.sign_ssh_data(sessionblob, algorithm)
print("signature: ", sig)
m.add_string(sig)
# info_dict_retour = {
# 'signature': base64.b64encode(sig.asbytes()).decode(),
# 'key_type': keyType,
# 'algorithm': algorithm,
# 'bits': base64.b64encode(bits.asbytes()).decode(),
# }
# print("bits decode: ", base64.b64encode(bits).decode().encode())
# # print("Défi reçu :", challenge)
# if challenge != b'':
# print("Défi reçu :", challenge)
# Signer le défi
# Envoyer la signature au client
# sig_bytes = sig.asbytes()
try:
# Convertir le message en bytes
message_bytes = m.asbytes()
# Envoyer le message
client.sendall(message_bytes)
finally:
# Fermer la connexion
client.close()
# print(json.dumps(info_dict_retour).encode())
# client.send(json.dumps(info_dict_retour).encode())
client.close()
client.py 0 → 100644
import socket
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
import sys
import os
# ajouter le chemin vers le répertoire libs à PYTHONPATH
libs_path = os.path.join(os.getcwd(), 'libs')
if libs_path not in sys.path:
sys.path.append(libs_path)
# maintenant, vous pouvez importer votre bibliothèque
import paramiko
from paramiko.auth_handler import AuthHandler
import logging
#
# logging.basicConfig(level=logging.DEBUG)
# logging.basicConfig(level=logging.ERROR)
algorithm = "rsa-sha2-512"
# Variables pour la connexion SSH
hostname = '172.20.10.4'
username = 'parallels'
port = 22
# Variables pour la connexion au deuxième dispositif
signer_hostname = 'localhost'
signer_port = 12340
# Variables pour la clé publique
public_key_file = 'ssh-keys/test.pub'
# Lire la clé publique au format OpenSSH
with open(public_key_file, 'rb') as key_file:
public_key = serialization.load_ssh_public_key(key_file.read(), backend=default_backend())
public_key_pem = public_key.public_bytes(
encoding=serialization.Encoding.OpenSSH,
format=serialization.PublicFormat.OpenSSH
)
print("Contenu de la clé publique :\n", public_key_pem.decode())
print("Clé publique chargée :", public_key)
# Créer une nouvelle instance de transport
transport = paramiko.Transport((hostname, port))
# Créer une nouvelle instance de client de signature
clePriv = paramiko.RSAKey.from_private_key_file('ssh-keys/test')
# Essayer d'ouvrir la session SSH
def handler(title, instructions, prompt_list):
print("*" * 80)
print("Handeling interactive authentication")
print("*" * 80)
signer_client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
signer_client.connect((signer_hostname, signer_port))
resp = []
print("Prompt list :", prompt_list)
print("Instructions :", instructions)
print("Title :", title)
for pr in prompt_list:
print(pr)
if pr[0].startswith('Password'):
# Transmettre le défi au deuxième dispositif
print("Envoi du défi : ", pr[0].encode())
signer_client.sendall(pr[0].encode())
# Attendre la réponse du deuxième dispositif
signed_challenge = signer_client.recv(1024)
print("Défi signé :", signed_challenge)
# resp.append("Jdlm1209")
resp.append(signed_challenge)
else:
resp.append('')
return resp
print("Connexion au serveur SSH...")
transport.connect()
print("Connexion réussie !")
print("Authentification for username {}...".format(username))
# transport.auth_publickey(username, public_key, handler)
try:
transport.auth_publickey(username, public_key)
except paramiko.ssh_exception.AuthenticationException:
print("Échec de l'authentification")
else:
print("Authentification réussie !")
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend
# Génération de la clé privée
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
# Sauvegarde de la clé privée au format PEM
with open('private_key.pem', 'wb') as f:
f.write(private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
))
# Génération de la clé publique
public_key = private_key.public_key()
# Sauvegarde de la clé publique au format PEM
with open('public_key.pem', 'wb') as f:
f.write(public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
))
# Copyright (C) 2003-2011 Robey Pointer <robeypointer@gmail.com>
#
# This file is part of paramiko.
#
# Paramiko is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Paramiko is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
# details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with Paramiko; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# flake8: noqa
import sys
from paramiko._version import __version__, __version_info__
from paramiko.transport import SecurityOptions, Transport
from paramiko.client import (
SSHClient,
MissingHostKeyPolicy,
AutoAddPolicy,
RejectPolicy,
WarningPolicy,
)
from paramiko.auth_handler import AuthHandler
from paramiko.ssh_gss import GSSAuth, GSS_AUTH_AVAILABLE, GSS_EXCEPTIONS
from paramiko.channel import (
Channel,
ChannelFile,
ChannelStderrFile,
ChannelStdinFile,
)
from paramiko.ssh_exception import (
AuthenticationException,
BadAuthenticationType,
BadHostKeyException,
ChannelException,
ConfigParseError,
CouldNotCanonicalize,
IncompatiblePeer,
PasswordRequiredException,
ProxyCommandFailure,
SSHException,
)
from paramiko.server import ServerInterface, SubsystemHandler, InteractiveQuery
from paramiko.rsakey import RSAKey
from paramiko.dsskey import DSSKey
from paramiko.ecdsakey import ECDSAKey
from paramiko.ed25519key import Ed25519Key
from paramiko.sftp import SFTPError, BaseSFTP
from paramiko.sftp_client import SFTP, SFTPClient
from paramiko.sftp_server import SFTPServer
from paramiko.sftp_attr import SFTPAttributes
from paramiko.sftp_handle import SFTPHandle
from paramiko.sftp_si import SFTPServerInterface
from paramiko.sftp_file import SFTPFile
from paramiko.message import Message
from paramiko.packet import Packetizer
from paramiko.file import BufferedFile
from paramiko.agent import Agent, AgentKey
from paramiko.pkey import PKey, PublicBlob
from paramiko.hostkeys import HostKeys
from paramiko.config import SSHConfig, SSHConfigDict
from paramiko.proxy import ProxyCommand
from paramiko.common import (
AUTH_SUCCESSFUL,
AUTH_PARTIALLY_SUCCESSFUL,
AUTH_FAILED,
OPEN_SUCCEEDED,
OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED,
OPEN_FAILED_CONNECT_FAILED,
OPEN_FAILED_UNKNOWN_CHANNEL_TYPE,
OPEN_FAILED_RESOURCE_SHORTAGE,
)
from paramiko.sftp import (
SFTP_OK,
SFTP_EOF,
SFTP_NO_SUCH_FILE,
SFTP_PERMISSION_DENIED,
SFTP_FAILURE,
SFTP_BAD_MESSAGE,
SFTP_NO_CONNECTION,
SFTP_CONNECTION_LOST,
SFTP_OP_UNSUPPORTED,
)
from paramiko.common import io_sleep
__author__ = "Jeff Forcier <jeff@bitprophet.org>"
__license__ = "GNU Lesser General Public License (LGPL)"
__all__ = [
"Agent",
"AgentKey",
"AuthenticationException",
"AutoAddPolicy",
"BadAuthenticationType",
"BadHostKeyException",
"BufferedFile",
"Channel",
"ChannelException",
"ConfigParseError",
"CouldNotCanonicalize",
"DSSKey",
"ECDSAKey",
"Ed25519Key",
"HostKeys",
"Message",
"MissingHostKeyPolicy",
"PKey",
"PasswordRequiredException",
"ProxyCommand",
"ProxyCommandFailure",
"RSAKey",
"RejectPolicy",
"SFTP",
"SFTPAttributes",
"SFTPClient",
"SFTPError",
"SFTPFile",
"SFTPHandle",
"SFTPServer",
"SFTPServerInterface",
"SSHClient",
"SSHConfig",
"SSHConfigDict",
"SSHException",
"SecurityOptions",
"ServerInterface",
"SubsystemHandler",
"Transport",
"WarningPolicy",
"io_sleep",
"util",
]
File added
File added
File added
File added
File added
File added
File added
File added
File added
File added
File added
File added
File added
File added
File added
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment