Ying Li (cyli) wrote,

Shelless SSH Server with Twisted

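I needed a shell-less SSH server that would not honor shell or exec requests, because I wanted to provide SFTP access without allowing shell access. I'm only posting this because it may be useful to people - I don't know Twisted very well, and there may be a better way to do it, but this works. Note that the listing only covers refusing shell, exec and pty requests on the session channel; the portal's credential checkers and the SFTP subsystem registration are not shown here: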
from zope import interface
from twisted.cred import portal
from twisted.python import log
from twisted.conch.avatar import ConchUser
from twisted.conch.ssh import session


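class ShelllessSSHRealm:
    """
    Realm that gives every login a fresh ShelllessUser avatar.

    The realm does no authentication or per-user authorization of its own:
    avatarID is ignored, so every identity accepted by the portal's
    credential checkers receives an identical avatar.  Access control is
    therefore only as strong as the checkers registered on the portal.
    """
    # Class-advice form kept from the original; zope.interface on Python 3
    # needs the @interface.implementer(portal.IRealm) decorator instead.
    interface.implements(portal.IRealm)

    def requestAvatar(self, avatarID, mind, *interfaces):
        """
        Build the avatar for a login the portal has already authenticated.

        avatarID and mind are accepted for the IRealm signature but unused.
        Returns (interface, avatar, logout) for the first requested
        interface that the avatar really provides.

        Raises NotImplementedError when none of the requested interfaces
        is provided by the avatar, including an empty request; the
        original returned interfaces[0] unchecked, which mislabelled the
        avatar or raised IndexError.
        """
        user = ShelllessUser()
        for requested in interfaces:
            # Only advertise an interface the avatar actually provides.
            if requested.providedBy(user):
                return requested, user, user.logout
        raise NotImplementedError(
            "ShelllessSSHRealm supports none of the requested interfaces")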


class ShelllessUser(ConchUser):
    """
    Avatar whose session channels are served by ShelllessSession.

    The only channel type registered here is "session", and the class
    defines no global request handlers of its own.  No SFTP subsystem is
    registered in this class either.
    NOTE(review): an SFTP deployment presumably adds one to
    subsystemLookup elsewhere - confirm.
    """
    def __init__(self, root=None):
        # root is accepted but never read in this class.
        ConchUser.__init__(self)
        # Route every "session" channel open to the restricted session class.
        self.channelLookup.update({"session": ShelllessSession})

    def logout(self):
        """
        Logout callback returned by the realm; there is nothing to clean up.
        """
        return None


class ShelllessSession(session.SSHSession):
    """
    Session channel that refuses shell, exec, pty and window-change requests.

    Shell, exec and pty requests are logged, answered with a short notice
    and the channel is closed.  Window-change requests are logged and
    refused without closing.  request_subsystem is not overridden here, so
    subsystem requests follow the inherited SSHSession behaviour.

    The client-supplied request payload (data) is never parsed, executed or
    written to the log by any handler in this class.
    """

    name = 'shellessSession'

    # Notice sent to the client before the channel is closed.
    _REFUSAL_NOTICE = ("This server does not provide shells "
                       "or allow command execution.\n")

    def __init__(self, *args, **kw):
        session.SSHSession.__init__(self, *args, **kw)

    def _noshell(self):
        """
        Tell the client why the request was refused and close the channel.

        Always returns 0, the falsy result the request_* handlers pass back.
        """
        if self.closing:
            # Already closing: do not write to the channel again.
            return 0
        self.write(self._REFUSAL_NOTICE)
        self.loseConnection()
        return 0

    def _refuse(self, message):
        """
        Log message, then refuse the request through _noshell().
        """
        log.msg(message)
        return self._noshell()

    def request_shell(self, data):
        """Refuse an interactive shell request."""
        return self._refuse("shell request rejected")

    def request_exec(self, data):
        """Refuse a command execution request; data is not inspected."""
        return self._refuse("execution request rejected")

    def request_pty_req(self, data):
        """Refuse a pseudo-terminal request."""
        return self._refuse("pty request rejected")

    def request_window_change(self, data):
        """Refuse a window-change request but leave the channel open."""
        log.msg("window change request rejected")
        return 0


I have tests for it and everything - I can post those if someone wants them.
Tags: python, twisted