sshuttle/ssh.py

import sys, os, re, subprocess, socket
import helpers
from helpers import *

def connect(rhost):
    main_exe = sys.argv[0]
    nicedir = os.path.split(os.path.abspath(main_exe))[0]
    nicedir = re.sub(r':', "_", nicedir)
    myhome = os.path.expanduser('~') + '/'
    if nicedir.startswith(myhome):
        nicedir2 = nicedir[len(myhome):]
    else:
        nicedir2 = nicedir
    if rhost == '-':
        rhost = None
    if not rhost:
        argv = ['sshuttle', '--server'] + ['-v']*(helpers.verbose or 0)
    else:
        # WARNING: shell quoting security holes are possible here, so we
        # have to be super careful.  We have to use 'sh -c' because
        # csh-derived shells can't handle PATH= notation.  We can't
        # set PATH in advance, because ssh probably replaces it.  We
        # can't exec *safely* using argv, because *both* ssh and 'sh -c'
        # allow shellquoting.  So we end up having to double-shellquote
        # stuff here.
        escapedir  = re.sub(r'([^\w/])', r'\\\\\\\1', nicedir)
        escapedir2 = re.sub(r'([^\w/])', r'\\\\\\\1', nicedir2)
        cmd = r"""
                   sh -c PATH=%s:'$HOME'/%s:'$PATH exec sshuttle --server%s'
               """ % (escapedir, escapedir2,
                      ' -v' * (helpers.verbose or 0))
        argv = ['ssh', rhost, '--', cmd.strip()]
        debug2('executing: %r\n' % argv)
    (s1,s2) = socket.socketpair()
    def setup():
        # runs in the child process
        s2.close()
        if not rhost:
            os.environ['PATH'] = ':'.join([nicedir,
                                           os.environ.get('PATH', '')])
        os.setsid()
    s1a,s1b = os.dup(s1.fileno()), os.dup(s1.fileno())
    s1.close()
    p = subprocess.Popen(argv, stdin=s1a, stdout=s1b, preexec_fn=setup,
                         close_fds=True)
    os.close(s1a)
    os.close(s1b)
    return p, s2
Basic implementation of a multiplex protocol - client side only. Currently the 'server' is just a pipe to run 'hd' (hexdump) for looking at the client-side results. Lame, but true. 2010-05-02 05:14:42 +02:00			`import sys, os, re, subprocess, socket`
Add a -v (and -vv) flag and decrease default message verbosity. 2010-05-02 08:14:20 +02:00			`import helpers`
ssh.py: support finding sshuttle in "$HOME/.../sshuttle" If you ran sshuttle from /home/apenwarr/sshuttle/sshuttle, we would automatically add /home/apenwarr/sshuttle to the PATH before trying to execute sshuttle on the remote machine. That way, if you install it in the same place on two computers, the client would still be able to start the server. Someone reported, though, that if they installed the client in /home/apenwarr/sshuttle/shuttle, and the server in /root/sshuttle/sshuttle, then used "-r root@servername", it wasn't able to find the program. Similar problems would happen if you're apenwarr at home and averyp at work. So what we now do is add two directories to the PATH: /home/apenwarr/sshuttle and $HOME/sshuttle, where $HOME is the value of $HOME on the server, not the client. So it'll find it in either place. 2010-05-03 03:24:31 +02:00			`from helpers import *`
Initial commit. Importing options.py, ssh.py, and LICENSE from the bup project. 2010-05-01 22:15:37 +02:00
Basic implementation of a multiplex protocol - client side only. Currently the 'server' is just a pipe to run 'hd' (hexdump) for looking at the client-side results. Lame, but true. 2010-05-02 05:14:42 +02:00			`def connect(rhost):`
Initial commit. Importing options.py, ssh.py, and LICENSE from the bup project. 2010-05-01 22:15:37 +02:00			`main_exe = sys.argv[0]`
			`nicedir = os.path.split(os.path.abspath(main_exe))[0]`
			`nicedir = re.sub(r':', "_", nicedir)`
ssh.py: support finding sshuttle in "$HOME/.../sshuttle" If you ran sshuttle from /home/apenwarr/sshuttle/sshuttle, we would automatically add /home/apenwarr/sshuttle to the PATH before trying to execute sshuttle on the remote machine. That way, if you install it in the same place on two computers, the client would still be able to start the server. Someone reported, though, that if they installed the client in /home/apenwarr/sshuttle/shuttle, and the server in /root/sshuttle/sshuttle, then used "-r root@servername", it wasn't able to find the program. Similar problems would happen if you're apenwarr at home and averyp at work. So what we now do is add two directories to the PATH: /home/apenwarr/sshuttle and $HOME/sshuttle, where $HOME is the value of $HOME on the server, not the client. So it'll find it in either place. 2010-05-03 03:24:31 +02:00			`myhome = os.path.expanduser('~') + '/'`
			`if nicedir.startswith(myhome):`
			`nicedir2 = nicedir[len(myhome):]`
			`else:`
			`nicedir2 = nicedir`
Initial commit. Importing options.py, ssh.py, and LICENSE from the bup project. 2010-05-01 22:15:37 +02:00			`if rhost == '-':`
			`rhost = None`
			`if not rhost:`
Add a -v (and -vv) flag and decrease default message verbosity. 2010-05-02 08:14:20 +02:00			`argv = ['sshuttle', '--server'] + ['-v']*(helpers.verbose or 0)`
Initial commit. Importing options.py, ssh.py, and LICENSE from the bup project. 2010-05-01 22:15:37 +02:00			`else:`
			`# WARNING: shell quoting security holes are possible here, so we`
			`# have to be super careful. We have to use 'sh -c' because`
			`# csh-derived shells can't handle PATH= notation. We can't`
			`# set PATH in advance, because ssh probably replaces it. We`
			`# can't exec safely using argv, because both ssh and 'sh -c'`
			`# allow shellquoting. So we end up having to double-shellquote`
			`# stuff here.`
ssh.py: support finding sshuttle in "$HOME/.../sshuttle" If you ran sshuttle from /home/apenwarr/sshuttle/sshuttle, we would automatically add /home/apenwarr/sshuttle to the PATH before trying to execute sshuttle on the remote machine. That way, if you install it in the same place on two computers, the client would still be able to start the server. Someone reported, though, that if they installed the client in /home/apenwarr/sshuttle/shuttle, and the server in /root/sshuttle/sshuttle, then used "-r root@servername", it wasn't able to find the program. Similar problems would happen if you're apenwarr at home and averyp at work. So what we now do is add two directories to the PATH: /home/apenwarr/sshuttle and $HOME/sshuttle, where $HOME is the value of $HOME on the server, not the client. So it'll find it in either place. 2010-05-03 03:24:31 +02:00			`escapedir = re.sub(r'([^\w/])', r'\\\\\\\1', nicedir)`
			`escapedir2 = re.sub(r'([^\w/])', r'\\\\\\\1', nicedir2)`
Initial commit. Importing options.py, ssh.py, and LICENSE from the bup project. 2010-05-01 22:15:37 +02:00			`cmd = r"""`
ssh.py: support finding sshuttle in "$HOME/.../sshuttle" If you ran sshuttle from /home/apenwarr/sshuttle/sshuttle, we would automatically add /home/apenwarr/sshuttle to the PATH before trying to execute sshuttle on the remote machine. That way, if you install it in the same place on two computers, the client would still be able to start the server. Someone reported, though, that if they installed the client in /home/apenwarr/sshuttle/shuttle, and the server in /root/sshuttle/sshuttle, then used "-r root@servername", it wasn't able to find the program. Similar problems would happen if you're apenwarr at home and averyp at work. So what we now do is add two directories to the PATH: /home/apenwarr/sshuttle and $HOME/sshuttle, where $HOME is the value of $HOME on the server, not the client. So it'll find it in either place. 2010-05-03 03:24:31 +02:00			`sh -c PATH=%s:'$HOME'/%s:'$PATH exec sshuttle --server%s'`
			`""" % (escapedir, escapedir2,`
			`' -v' * (helpers.verbose or 0))`
Clean up SockWrapper.peername stuff. Some fds don't have peernames, and sometimes the peername isn't very helpful, so let's fill it in by hand when appropriate. 2010-05-02 07:52:05 +02:00			`argv = ['ssh', rhost, '--', cmd.strip()]`
ssh.py: support finding sshuttle in "$HOME/.../sshuttle" If you ran sshuttle from /home/apenwarr/sshuttle/sshuttle, we would automatically add /home/apenwarr/sshuttle to the PATH before trying to execute sshuttle on the remote machine. That way, if you install it in the same place on two computers, the client would still be able to start the server. Someone reported, though, that if they installed the client in /home/apenwarr/sshuttle/shuttle, and the server in /root/sshuttle/sshuttle, then used "-r root@servername", it wasn't able to find the program. Similar problems would happen if you're apenwarr at home and averyp at work. So what we now do is add two directories to the PATH: /home/apenwarr/sshuttle and $HOME/sshuttle, where $HOME is the value of $HOME on the server, not the client. So it'll find it in either place. 2010-05-03 03:24:31 +02:00			`debug2('executing: %r\n' % argv)`
Basic implementation of a multiplex protocol - client side only. Currently the 'server' is just a pipe to run 'hd' (hexdump) for looking at the client-side results. Lame, but true. 2010-05-02 05:14:42 +02:00			`(s1,s2) = socket.socketpair()`
Initial commit. Importing options.py, ssh.py, and LICENSE from the bup project. 2010-05-01 22:15:37 +02:00			`def setup():`
			`# runs in the child process`
Basic implementation of a multiplex protocol - client side only. Currently the 'server' is just a pipe to run 'hd' (hexdump) for looking at the client-side results. Lame, but true. 2010-05-02 05:14:42 +02:00			`s2.close()`
Initial commit. Importing options.py, ssh.py, and LICENSE from the bup project. 2010-05-01 22:15:37 +02:00			`if not rhost:`
			`os.environ['PATH'] = ':'.join([nicedir,`
			`os.environ.get('PATH', '')])`
			`os.setsid()`
Basic implementation of a multiplex protocol - client side only. Currently the 'server' is just a pipe to run 'hd' (hexdump) for looking at the client-side results. Lame, but true. 2010-05-02 05:14:42 +02:00			`s1a,s1b = os.dup(s1.fileno()), os.dup(s1.fileno())`
			`s1.close()`
iptables: more resilient startup/cleanup. Now the sudo iptables subprocess persists for the entire life of sshuttle. The benefits of this are: - no need to authenticate again at shutdown (failure of which could cause us to not clean up iptables) - if the main process dies unexpectedly, iptables still gets cleaned up - the password prompt can happen before starting the ssh/server process, which means it'll stand out and the password prompt won't be overwritten. 2010-05-03 01:29:03 +02:00			`p = subprocess.Popen(argv, stdin=s1a, stdout=s1b, preexec_fn=setup,`
			`close_fds=True)`
Basic implementation of a multiplex protocol - client side only. Currently the 'server' is just a pipe to run 'hd' (hexdump) for looking at the client-side results. Lame, but true. 2010-05-02 05:14:42 +02:00			`os.close(s1a)`
			`os.close(s1b)`
			`return p, s2`