Twisted ssh server authentication using keys

Question

Here is a simple twisted application:

from twisted.cred import checkers, portal
from twisted.conch import manhole, manhole_ssh
from twisted.conch.insults import insults

from twisted.application import service, internet
from twisted.internet import endpoints, reactor


def makeManholeService(namespace):
    checker = checkers.InMemoryUsernamePasswordDatabaseDontUse(
        username="password")

    realm = manhole_ssh.TerminalRealm()
    realm.chainedProtocolFactory = lambda: insults.ServerProtocol(
                                        manhole.ColoredManhole, namespace)
    prt = portal.Portal(realm, [checker])
    factory = manhole_ssh.ConchFactory(prt)

    endp = endpoints.serverFromString(reactor, 'tcp:6022')

    manholeService = internet.StreamServerEndpointService(endp, factory)
    return manholeService


application = service.Application("my app")
manholeService = makeManholeService({'foo': 'bar'})
manholeService.setServiceParent(application)

We can connect to it with ssh:

$ ssh username@localhost -p 6022
username@localhost's password:

>>> foo
'bar'
>>>

Now I want to replace InMemoryUsernamePasswordDatabaseDontUse such that the server can authenticate users, who identify themselves using rsa/dsa keys.

Do I have to implement a checker?

For example, I have some public keys listed in ~/.ssh/authorized_keys. The SSH server should reject all connections, except those that can be verified using public keys in that file.

Answer 1

Yes, you need to make a checker. But there are building blocks you can use within Conch that should make it pretty easy. Ying Li has an example project, "ess" ("SSH" without the "SH") that implements some checkers that you might be interested in checking out.