I would like to make HTTP requests over SSH tunnels using Twisted. I have seen examples of using Twisted to set up SSH local port forwarding, but that's not what I am after.
Instead, it seems to me it should be possible using Twisted to wrap the HTTP traffic inside SSH tunnel directly - ie. without having to set up Twisted to listen on a local port for forwarding traffic.
I've checked how Twisted Conch command-line script does the local port forwarding, in conch.ssh.forwarding. Should that be somehow integrated with a HTTP client? Or, on the other hand, I've read that SSHChannel supports twisted.internet.interfaces.ITransport interface, so it could be given to Protocols to run them over the secure connection? Then there's the new-ish endpoints API in Twisted: I wonder if an endpoint for tunneling traffic from the ssh server onwards would make sense?
Or something else?
I wonder if an endpoint for tunneling traffic from the ssh server onwards would make sense?
It would make a lot of sense.
There is an endpoint that connects a protocol to the stdio of a command running remotely using Conch - twisted.conch.endpoints.SSHCommandClientEndpoint. And development has started (but stalled, it seems) on an endpoint for connecting a protocol to a remote subsystem (eg sftp) using Conch. An endpoint for connecting to a remote address over a tunneled connection using Conch would make a great addition.
The branch which begins to implement SSHSubsystemClientEndpoint might be a useful thing to look at to get an idea of what is involved in writing this new endpoint. There may also be useful refactorings started in that branch that make it easier to add new endpoints like this (since the branch adds exactly the 2nd conch endpoint and probably had to do some work to make some code from the 1st conch endpoint more easily re-usable).
Related
Can you advise me on the analogs of the socket library on Python? The task is this, I need to write a very simple script with which I could execute remote commands in cmd windows. I know how this can be implemented using the socket library, but I would like to know if there are any other libraries for such a case.
Sockets is a low level mechanism by which two systems can communicate each other. Your OS provides this mechanism, there's no analogs.
Next examples come from the application layer and they work with sockets in their lower communication layers: a socket open by your http server, usually 80 or 443 or a websocket open by your browser to communicate with your server. Or the DNS query that your browser executes when tries to resolve a domain name, also works with sockets between your PC and the DNS server.
I'm creating a python flask api on remote desktop and running it on localhost of remote desktop.
Is there anyway I can access this api from my local machine?
We are working in a team and I want to share this with my team members, but this is confidential and not to be deployed on open server.
We want to post and get the result with every member's local machine from api runnnig on remote desktop.
Both of our local machines and remote desktop are windows10.
Sorry for being abstract but I'm searching for any way out. Thanks.
Well, you should open your way to this API. You'll have to set up a VPN or IP address filter in the server so you can access the server from your network while still have it secured on the Internet. You can also setup a simpler proxy if you prefer it. I'll not cover the details on how to setup a VPN or proxy since it can get pretty extensive, but a Google search will help you out find the best alternative for you.
AFAIK, the Remote Desktop Protocol does not allow for any kind of VPN. However, if you can switch to TeamViewer, it does have an easy to setup VPN system that will allow you to get into the network with few configuration. Once a VPN is configured, it will work like if you were in the same network as the server, so from there you can access your API from your host machine by just going to the IP address of the server.
Do notice the security policies of whoever owns the server, since you can get into trouble if you don't have permission to enable some access from the outside. Security goes always in front of comfort.
Short term solution:
Firstly download ngrok for your operating system.
For debugging and testing purposes you can expose a secure tunnel connection to your API by running this command in your command prompt / terminal.
ngrok http <PORT_NUMBER>-host-header="localhost:<PORT_NUMBER>"
Where PORT_NUMBER is the port number in which your flask application is running.
Example if your flask application is running at port 5000 then simply execute this command:
ngrok http 5000 -host-header="localhost:5000"
Running this will give you two hostnames one with HTTP and other a secure HTTPS connected by a tunnel like this for a duration of 8 hours after which the command needs to again re-run.
Which you can call remotely
Long term solution:
Deploy flask application using FastCGI
or
To a cloud infrastructure provider like Microsoft Azure which gives readymade templates for flask applications.
My requirement is to communicate socketio with nodejs server to Raspberry Pi running a local Python app. Please help me. I can find ways of communication with web app on google but is there any way to communicate with Python local app with above mentioned requirements.
It's unclear exactly which part you need help with. To make a socket.io connection work, you do the following:
Run a socket.io server on one of your two computers. Make sure it is listening on a known port (it can share a port with a web server if desired).
On the other computer, get a socket.io client library and use that to make a socket.io connection to the other computer.
Register message handlers on both computers for whatever custom messages you intend to send each way and write the code to process those incoming messages.
Write the code to send messages to the other computer at the appropriate time.
Socket.io client and server libraries exist for both node.js and python so you can either type of library for either type of system.
The important things to understand are that you must have a socket.io server up and running. The other endpoint then must connect to that server. Once the connection is up and running, you can then send message from either end to the other end.
For example, you could set up a socket.io server on node.js. Then, use a socket.io client library for python to make a socket.io connection to the node.js server. Then, once the connection is up and running, you are free to send messages from either end to the other and, if you have, message handlers listening for those specific messages, they will be received by the other end.
I'm writing a Python script which connects to remote hosts over a (super complicated) SOCKS/SSL tunnel. I am able to establish connections to IPs in a remote intranet on any port.
What I'm hoping to do is set up this python script to use IP addresses in the local loopback range (127.0.x.x) to become (maybe with the help of the hosts file) a 'replica' of the remote systems, and hence enable me to use applications which don't support proxies. The problem is that I don't always know what ports they're trying to connect to. It seems the only way to work this out is to bind sockets to all 65536 ports, which seems a little crazy. So two questions:
Is it crazy? Can I just set up a python list of sockets from 1-65536?
Or is there a better way I should be doing this? Can I monitor connections to an IP somehow and bind the ports just before they're needed?
I want to avoid using too much platform-dependent or non-python code if possible.
EDIT: To clarify, I'm only writing the client here - I have no control over the server. Believe me, if I had control over the server side of it I would not be doing it with SOCKS/SSL/CRAM :)
What about going lower level and interfacing a library designed for network analyzers like pycap?
This way you could detect all connection attempts and find the ports that you need to expose or may be you can just route the packets directly assuming the library in addition to packet detection can also do packet injection (pypcap page says this feature is experimental).
This would IMO make sense in python only for slow applications however...
Pycap seems to be developed for linux, but the core capturing is done by libpcap and for windows there is a similar library winpcap.
Matt,
If using windows your best shot is something like OpenVPN over the tunnel. OpenVPN requires only one TCP port/stream and gives you a pair of virtual interfaces with full connectivity.
[updated]
It may be possible using a TUN/TAP driver on the client side. See this unix version for ideas.
I write a python telnet client to communicate with a server through telnet. However, many people tell me that it's no secure. How can I convert it to ssh? Should I need to totally rewrite my program?
Just create a TCP tunnel via SSH and relay all the data through there, no need to reinvent the wheel. You can find examples in SSH docs under TCP tunneling (man ssh for instance).
But if you really want to rewrite it, then check out paramiko project.
While Telnet is insecure, it's essentially just a serial console over a network, which makes it easy to code for. SSH is much, much more complex. There's encryption, authentication, negotiation, etc to do. And it's very easy to get wrong in spectacular fashion.
There's nothing wrong with Telnet per se, but if you can change things over the network - and it's not a private network - you're opening yourself up for trouble.
Assuming this is running on a computer, why not restrict the server to localhost? Then ssh into the computer and telnet to localhost? All the security with minimal hassle.
Use one of these libraries in your Python application to talk to the SSHD daemon on the server:
http://wiki.python.org/moin/SecureShell
You'll want to look at something that will help you set up SSHD in a secure manner like this:
http://www.linuxjournal.com/article/8759
You will also need to ensure that you update the SSHD daemon regularly and make use of keys and strong, rotating passwords. All this should be standard for a telnet application too, but due to the lack of transport level encryption, you really shouldn't be using telnet for anything.