How does python fabric protect ssh credentials? - python

So I've recently stumbled upon python fabric api and have been really happy with how it can help me with day-to-day sysadmin tasks. I would like to start using it at work but it is a very security-conscious environment. I was wondering how fabric handles the ssh password you provide to it while it runs its tasks? I'm assuming it plonks it in memory somewhere and pulls it out when required to login to the next host in env.hosts? How does it protect this password while in memory?
I can see I'm going to be asked lots of questions along these lines so I'm looking for a nice way to explain to security-minded type of people that fabric is nice and friendly and doesn't pose a risk or at least no more of a risk than anything else we already have :)

I looked briefly through the source #dm03514 referenced and I believe you are correct in that if and when fabric needs to prompt interactively for a password, it will read it into memory and store it for the duration of the fabric python process. The way to address your concern is not with fabric itself but with ensuring your ssh infrastructure is using keys instead of passphrases and ssh agent forwarding where appropriate. Use encrypted ssh keys and ssh-agent to unlock them and fabric will be able to utilize that same mechanism and thus avoid ssh passwords getting involved at all. For sudo passwords, you'll either have to allow passwordless sudo or accept the risk of fabric having the sudo password in memory while it is working.
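A pre-flight check that follows the advice above, written as an added example (it is not from the answer or from Fabric itself): before a Fabric 1.x run, talk to the ssh-agent over its Unix socket and refuse to proceed unless it holds at least one key, so Fabric never has to fall back to a password prompt. `abort_on_prompts` and `use_ssh_config` are Fabric 1.x `env` keys; the message numbers come from the ssh-agent protocol draft; `fake_agent` is a constructed stand-in so the block runs offline.

```python
import os
import socket
import struct
import tempfile
import threading

SSH_AGENTC_REQUEST_IDENTITIES = 11  # message numbers from draft-miller-ssh-agent
SSH_AGENT_IDENTITIES_ANSWER = 12

# Fabric 1.x env settings, assumed to be applied in the fabfile with
# `from fabric.api import env; env.update(AGENT_ONLY)`: a missing key or agent
# then aborts the run instead of prompting for (and holding) a password.
AGENT_ONLY = {"abort_on_prompts": True, "use_ssh_config": True}

def agent_key_count(sock_path=None):
    """Identities held by the agent at sock_path ($SSH_AUTH_SOCK by default); -1 if none answers."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return -1
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(2.0)
            s.connect(path)
            # request: uint32 length (1) + byte SSH_AGENTC_REQUEST_IDENTITIES
            s.sendall(struct.pack(">IB", 1, SSH_AGENTC_REQUEST_IDENTITIES))
            reply = s.makefile("rb")
            (length,) = struct.unpack(">I", reply.read(4))
            body = reply.read(length)
    except (OSError, struct.error):
        return -1
    # answer: byte SSH_AGENT_IDENTITIES_ANSWER, uint32 nkeys, then the key blobs
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        return -1
    return struct.unpack(">I", body[1:5])[0]

def fake_agent(nkeys):
    """Constructed stand-in for ssh-agent (offline demo only): serves one
    REQUEST_IDENTITIES with a canned answer advertising nkeys identities."""
    path = os.path.join(tempfile.mkdtemp(), "agent.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(5)  # consume the 5-byte request
            body = struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, nkeys)
            conn.sendall(struct.pack(">I", len(body)) + body)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return path
```

Run `agent_key_count()` at the top of the fabfile and bail out when it returns less than 1; with a real agent it reports the same count as `ssh-add -l`.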

Related

Can twisted SFTP-client work if the server does not allow SSH connection?

I have a Solaris 10 system, with Python 2.6.4, and I have to retrieve the files via the SFTP protocol, from the server, which does not allow the SSH logging in, i.e. only SFTP with RSA key is allowed. Could anyone please tell me:
is this possible at all?
is this possible with the above version of Python, or do I need to upgrade it to 2.7.* to work with the latest version of Twisted?
I have found this thread with the relevant information: twisted conch filetransfer
And this one: Python Twisted: twisted conch filetransfer verifyHostKey
But it is said there that Twisted first creates the SSH channel, and then establishes SFTP on top of it (forgive me for my possible misunderstanding and/or illiteracy), from the Twisted documentation:
Conch also provides an endpoint that is initialized with an already established SSH connection. This endpoint just opens a new channel on the existing connection and launches a command in that.
Will the same approach work in case you cannot log in via SSH? I.e. might it be possible to create an SSH channel if terminal SSH login is forbidden?
Are there any other approaches except Paramiko, any other libraries that can help me in case of "No" to the above questions?
I know nothing about "Twisted". But I believe that you just have a terminology problem.
which does not allow the SSH logging in, i.e. only SFTP with RSA key is allowed
The above is nonsense. You cannot allow SFTP, but disallow SSH, because as you have already found in Twisted documentation, SFTP runs on top of SSH (this is true in general, that's nothing Twisted-specific).
What your server most probably really "does not allow" is "shell" access. That's not the same as SSH. So the server allows SSH, allows SFTP, but does not allow shell.
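The split this answer describes, SSH and SFTP allowed but no shell, is what an OpenSSH server configuration like the following produces (an added example, not from the thread; the group name sftponly and the chroot path are placeholders):

```sshd_config
# Serve SFTP in-process, so no shell is started on the server side
Subsystem sftp internal-sftp

# Members of this group still authenticate over SSH (key-only here),
# but every session is forced into the SFTP subsystem: no shell, no
# exec, no forwarding. A plain `ssh user@host` gets an SFTP server
# where it expected a shell and the session ends.
Match Group sftponly
    PasswordAuthentication no
    PubkeyAuthentication yes
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```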

Authenticating SSH between CentOS & Cisco appliances

I am new to scripting, so please forgive this question. Having done extensive research, I am not able to find a suitable solution.
Currently I have a Python script which is required to SSH from CentOS into Cisco (and other) firewall appliances. Once logged in, certain actions are carried out.
Currently, we are storing our username and password in a plaintext file and calling that file when the Python script requires it.
However, if the CentOS server is compromised, the attacker now has access to the plaintext credentials to the firewall and would be able to get the IP address from the Python script.
I have looked at using SSH-Agent as a means of bypassing passwords, however, if the CentOS server is compromised won't the attacker still be able to access the firewall through the Python script?
Really, I am looking for a way to protect the firewall from unauthorized access, should the CentOS server be compromised. I have also considered using obfuscation but doesn't seem suitable. Wondering what options I have here.
Sorry for my bad English.

Automating jobs on remote servers with python2.7

I need to make a python script that will do these steps in order, but I'm not sure how to go about setting this up.
SSH into a server
Copy a folder from point A to point B (cp /foo/bar/folder1 /foo/folder2)
mysql -u root -pfoobar (This database is accessible from localhost only)
create a database, do some other mysql stuff in the mysql console
Replace instances of Foo with Bar in file foobar
Copy and edit a file
Restart a service
The fact that I have to ssh into a server, and THEN do all of this is really confusing me. I looked into the Fabric library, but that seems to do only do 1 command at a time and doesn't keep context from previous commands.
I looked into the Fabric library, but that seems to do only do 1 command at a time and doesn't keep context from previous commands.
Look into Fabric more. It is still probably what you want.
This page has a lot of good examples.
By "context" I'm assuming you want to be able to cd into another directory and run commands from there. That's what fabric.context_managers.cd is for -- search for it on that page.
Sounds like you are doing some sort of remote deployment/configuring. There's a whole world of tools out there to professionally set this up, look into Chef and Puppet.
Alternatively if you're just looking for a quick and easy way of scripting some remote commands, maybe pexpect can do what you need.
Pexpect is a pure Python module for spawning child applications; controlling them; and responding to expected patterns in their output.
I haven't used it myself but a quick glance at its manual suggests it can work with an SSH session fine: https://pexpect.readthedocs.org/en/latest/api/pxssh.html
I have never used Fabric.
My way to solve those kinds of issues (before starting to use saltstack) was using pexpect to run the ssh connection and all the commands that were needed.
Maybe the use of a series of sql scripts to work with the database (just to make it easier) would help.
Another way, since you need to access the remote server using ssh, would be using paramiko to connect and execute commands remotely. It's a bit more complicated when you want to see what's happening on stdout (while with pexpect you will see exactly what's going on).
But it all depends on what you really need.

RDP script in python?

I am writing a script in python, and part of it needs to connect to a remote computer using rdp. Is there a script or an api that I could use to create this function? Also, if there is not, is there a way to package a rdp application along side python and then use a python script to run it? Any help would be much appreciated. Thanks in advance, Nate
If you need an interactive window, use the subprocess module to start your rdesktop.exe (or whatever).
If you need to run some command automatically, you're probably better off forgetting about RDP and using ssh (with passwordless, passphraseless authentication via RSA or similar), psexec (note that some antivirus programs may dislike psexec, not because it's bad, but because it's infrequently been used by malware for bad purposes) or WinRM (this is what you use in PowerShell; it's like ssh or psexec, except it serializes objects on the sender, transmits, and deserializes back to an object on the recipient).
Given a choice among the 3, I'd choose ssh. Cygwin ssh works fine, but there are several other implementations available for Windows.
HTH
As per this GitHub comment, you can try to use libfreerdp via ctypes in Python.
See: FreeRDP library at GitHub which is a free remote desktop protocol library and clients.
Home page: www.freerdp.com
Related: Programmatically manipulating active RDP session.

How do I access a remote filesystem using Python on Windows?

I'm writing a Python script to access all computers on the network, log in to them and read some log files. I don't want to use something as low-level as socket, but I can if I must. I realize that my problem is similar to this question, but not the same.
Are there any modules for accessing external Windows machines?
Has anyone done anything like this before?
I'm specifically looking to log into Windows 7 machines, not unix.
Let's also assume that each computer I want to log into has Remote Desktop installed and enabled. I'm also not worried about network security or encryption because these files are not confidential. Windows machines don't have SSH installed on them by default, do they?
There has to be something on the other side for you to talk to. This limits you to either setting up a "server" on each machine, installing a real server (i.e. sshd), building a "server" yourself and installing it, or using a built in and active feature of the OS.
Based upon this, what kind of system do you want to set up on these machines? What does it need to do? Just read the contents of a prespecified file list? Will that list change?
One solution is to turn on telnet, and use paramiko or twisted to talk across it. This isn't very secure of course
Next up, set up a samba share, and access the folder remotely. This is also insecure, though less so than telnet
You could find a ssh daemon port and run that, if you are so inclined
Psexec from sysinternals might work
Use twisted to build a server app with the features you need
Use ncat to listen on a port and spawn a cmd prompt
Be aware that most of the solutions for accessing windows remotely are... poor. The best solution is probably to roll your own, but that is hard work and you will probably make mistakes.
Also, Windows 7 is not exactly multi-user friendly. Individual processes can run as separate users, but the OS does not support having multiple users logged in at the same time. Someone is going to be the "user" and everyone else is just a process with a different credential set.
This is more an artificial limitation on M$'s part than anything technical. To see this in action, try to log in with RDP while a user is logged in locally. Fun times.
Per your edit, the easiest thing to do is just set up a samba share on the box.
After this share is set up:
with open(r'\\myCompNameOrIP\C\windows\logs\logfile.txt', 'rb') as logfile:
    loglines = logfile.readlines()
Or you can use the gencat sample found here. Just give it r'\\myCompNameOrIP\C\windows\logs\*.txt' as the search path and watch the magic.
From Ubuntu I use samba:
In Bash:
gvfs-mount smb://them/folder
Here I give name, domain and password
Then in python:
folder = '/home/me/.gvfs/folder on them'
using the os module I read folders and files inside.
I am working in a small business environment.
Why not have each of the computers send the log file to the central computer?