I'm in a situation where I need to pass some text to a prompt generated by an API (for an API this seems like pretty weird behavior; this is the first time I've run into it), like below:
kvm_cli = libvirt.open("qemu+ssh://han@10.0.10.8/system")
then a prompt shows up asking for the ssh password (password for 10.0.10.8 is:), I have to manually type it there in order to move on and yield the kvm_cli object I needed.
I tried to use the pexpect module to deal with this however it's for OS command line instead of API.
It's also possible to work around this by using ssh certification files but it's not a favorable authentication approach in our scenario.
Since our wrapper to the 'open' method is not interactive, we cannot ask the user to input the password. Do you guys have any thoughts on how I could address it?
I am not a libvirt user, but I believe that the problem is not in the library, but in the connection method. You seem to be connecting via ssh, so you need to authenticate yourself.
I've been reading the libvirt page on ArchWiki, and I think that you could try:
setting up the simple (TCP/IP socket) connection method, or
setting up key-based, password-less SSH login for your virtual host.
Related
I would like to access remote SSH server files within Python, and found fsspec. However, there seem to be few code usage examples.
In particular, I can connect by specifying all SSH config options in the function as:
fsspec.filesystem('sftp', host='XXX.XXX.XXX.XXX', port=XXX, username='XXX', password='XXX')
However, I would like to connect simply as fsspec.filesystem('sftp', host='nickname') as I would do as sftp nickname on console, where I have already set all the config options in .ssh/config.
This is both for convenience and the fact that I do not want to parse my password in plain text.
I have read the API documentation (https://filesystem-spec.readthedocs.io/en/latest/api.html) and searched a bit but could not find a way yet. May I ask if anyone can point me in some direction?
Many thanks!
Problem:
Customer would like to make sure that the script I've developed in Python, running under CentOS7, can sufficiently obscure the credentials required to access a protected web service (that only supports Basic Auth) such that someone with access to the CentOS login cannot determine those credentials.
Discussion:
I have a Python script that needs to run as a specific CentOS user, say "joe".
That script needs to access a protected Web Service.
In order to attempt to make the credentials external to the code I have put them into a configuration file.
I have hidden the file (name starts with a period "."), and base64 encoded the credentials for obscurity, but the requirement is to only allow the Python script to be able to "see" and open the file, vs anyone with access to the CentOS account.
Even though the file is hidden, "joe" can still do an ls -a and see the file, and then cat the contents.
As a possible solution, is there a way to set the file permissions in CentOS such that they will only allow that Python script to see and open the file, but still have the script run under the context of a CentOS account?
Naive solution
For this use case I would probably create, with a script (sh or zsh or whatever, but I guess u use the default one here), a temporary user iamtemporal-and-wontstayafterifinish. Then create the config file so that it can be read ONLY by this specific user (and no permissions for all the others). Read here for the how: https://www.thegeekdiary.com/understanding-basic-file-permissions-and-ownership-in-linux/
Getting harder
If the problem still arises in case someone would have root rights (for any such reason), then just simply forget everything above, and start planning for a vacation, cuz' this will be a lot longer than anyone would think.
It's not a simple Python problem anymore, but needs a different business logic. The best u could do is to implement (at least this credentials handling part) in a low-level language so it could handle memory in a customized way and ask for them at runtime only, don't store them...
Or maybe if u could limit the scope of this user accesses towards the protected Web Service as u say.
Bonus
Even tho it wasn't explicitly asked, I would discourage you from storing credentials with using a simple base64...
For this purpose a simple solution could be the following one at least (without the knowledge of the whole armada of cryptography):
encrypt the passw with an asymmetric cryptographic algorithm (probably RSA with a huge key)
inject the key for decryption as a env var while you have an open ssh session to the remote terminal
ideally u use this key only while u decrypt and send it, afterwards make sure u delete the references to the variables
Sidenote: it's still filled with 'flaws'. If security is really a problem, I would consider changing technology or using some sort of lib that handles this stuff more securely. I would start probably here: Securely Erasing Password in Memory (Python)
Not to mention memory dumps can be read 'easily' (if u know what u are looking for...): https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/
So yeah, having a key-server which sends you the private key to decrypt is not enough, if you read these last two web entries...
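The file-permission approach from the answer above, as an added example that is not part of the original answer: the script creates the credentials file owner-only and refuses to read it if any other account could. It assumes the script runs as the dedicated account that owns the file; the function names, the exception class and the `user:password` file layout are hypothetical.

```python
import base64
import os
import stat


class InsecureCredentialFile(Exception):
    """The credentials file is readable or owned by someone it should not be."""


def write_credentials(path, user, password):
    """Create the file owner-only from the start; O_EXCL refuses to reuse a path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # exact mode regardless of umask
        # base64 is an encoding, not protection; the file mode is the control here
        os.write(fd, base64.b64encode(f"{user}:{password}".encode()))
    finally:
        os.close(fd)


def load_credentials(path, expected_uid=None):
    """Return (user, password), refusing a file that other accounts could read."""
    if expected_uid is None:
        expected_uid = os.geteuid()  # assumption: the script runs as the file owner
    # O_NOFOLLOW rejects a symlink; fstat() on the open descriptor checks the
    # same file that is read, so it cannot be swapped between check and read.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureCredentialFile(f"{path}: not a regular file")
        if st.st_uid != expected_uid:
            raise InsecureCredentialFile(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureCredentialFile(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o} allows group/other")
        raw = os.read(fd, 4096)
    finally:
        os.close(fd)
    user, _, password = base64.b64decode(raw).decode().partition(":")
    return user, password
```

These checks keep other non-root accounts out; anyone who can log in as the owning account, or as root, can still read the file.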
I followed Google's Quickstart for Python, step-by-step. I followed each step exactly, often copying and pasting. I definitely have the Google Calendar API enabled. I've installed the Google Client Library with Pip. I've set up the sample code and the credentials.json in its own folder. So, why am I getting this error when I run it:
"OSError: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions"
To figure this out, I've learned what a socket is. (It's literally the combination of an IP address and a single port). I've learned how to use netstat, though I don't know yet how this applies to what I'm doing. I've looked into using ShellExecuteEx based on an answer in this question, but I don't know how to use that with Python.
I've tried adding the script from the accepted answer to this question (which actually uses the ShellExecuteEx method though I don't notice this) into an admin.py file and import this admin.py script into quickstart.py. After updating the admin.py script to Python 3 syntax and running quickstart.py, Windows 8.1 asks me if I will allow access. I say yes, and it still gives me the OSError (WinError 10013) on accessing the socket in a forbidden way. The UAC is not the issue.
I suspect it's a port conflict, where something's already using the port that the script that Google's trying to use. But I'm worried that the port is decided by a black box function that I won't be able to change. The error itself doesn't say which port it's using, so I'll need to do more research.
It is a port issue.
Go to line 34 on the quickstart.py file (or where it says creds = run_local_server()).
Go to the flow.py file in the google_auth_oauthlib package with this function (in VS Code, click run_local_server() and press F12 or right click and select "Go to Definition").
You'll see line 369 (at the time of this writing) say self, host='localhost', port=8080,.
When I look at netstat, it actually says this port is in use, probably with an Apache server I never turned off.
Change the value in the flow.py file in the google_auth_oauthlib package to 8090, so 369 looks like self, host='localhost', port=8090,.
I ran the quickstart.py script again, and the window to authenticate my Google account popped up.
I selected my account, and it worked. No messing with the admin stuff.
I'm glad I was able to find it like this because I thought the port was selected in some black box manner, like it was decided from a server at Google.
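Since `port` is a parameter of `run_local_server()`, as the signature quoted above shows, the caller can choose it without editing the installed package. The following is an added example, not part of the original answer or of Google's quickstart: it tries to bind each candidate port first, which catches both a port already in use and one the OS forbids, then passes the first usable one to the flow. `probe_port`, `choose_port`, `authorize` and the candidate list are hypothetical names.

```python
import socket


def probe_port(host, port):
    """Return None if host:port can be bound right now, else the OSError raised."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as exc:  # in use, or forbidden (e.g. WinError 10013)
            return exc
    return None


def choose_port(host="localhost", candidates=(8080, 8090)):
    """Return (port, skipped): the first bindable candidate and why others failed."""
    skipped = {}
    for port in candidates:
        err = probe_port(host, port)
        if err is None:
            return port, skipped
        skipped[port] = err
    raise RuntimeError(f"no usable port among {candidates}: {skipped}")


def authorize(client_secrets, scopes, candidates=(8080, 8090)):
    """Run the installed-app flow on a port selected by choose_port()."""
    # Imported here so the port helpers work without the Google library installed.
    from google_auth_oauthlib.flow import InstalledAppFlow
    flow = InstalledAppFlow.from_client_secrets_file(client_secrets, scopes)
    port, _ = choose_port("localhost", candidates)
    # The probe socket is closed before the library binds, so another process
    # could still take the port in between; the probe only narrows the window.
    return flow.run_local_server(host="localhost", port=port)
```

The `skipped` mapping records the error for each rejected port, which supplies the detail the original traceback left out.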
When I tried to create a file in a shared folder I got an error Permission denied: ' to create the file. I know a different username and password to create the file in that shared folder. How can I use it with the Open function?
The Open function I used is as given below.
with open(rootDirectory+"\\"+"test.txt", "a") as NewFile:
    NewFile.write(filedata)
Thanks,
There is no magical way to change the way you call open to do this for you. You have to interact with the Win32 security system in some way.
The first option is to impersonate the other user. Then, anything you do—including open, or anything else—is done as if you were that user. If you have pywin32, you can use its win32security wrappers to do this. You should read the MSDN docs on LogonUser, LogonUserEx, and ImpersonateLoggedOnUser to understand how this works. But it will look something like this:
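from win32con import LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT
from win32security import ImpersonateLoggedOnUser, LogonUser, RevertToSelf

# Log on as the other user; LogonUser returns a handle to that user's token.
user = LogonUser(username, None, password,
                 LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT)
try:
    # Everything on this thread now runs as that user, including open().
    ImpersonateLoggedOnUser(user)
    with open(rootDirectory+"\\"+"test.txt", "a") as NewFile:
        NewFile.write(filedata)
finally:
    # Always drop the impersonation and release the token handle.
    RevertToSelf()
    user.Close()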
Of course you probably want some error handling, and you might want to create some context-manager wrappers instead of using a finally block, and so on. And again, read the docs to decide which function you want to call and which arguments you want to pass. But this should get you started.
As a variation on this, you can run a child process as that other user. That doesn't require impersonation (which you may not have the SeImpersonatePrivilege privileges to do). It's also much easier to port to Unix if you ever need to do that. See CreateProcessWithLogon for details.
A simpler way to do the same thing is to not do it from Python, but from the shell. Launch your script with the RunAs command instead of launching it directly. Or, if you can't do that, take the part that needs to run as the other user, move it into another script, then subprocess the RunAs command to launch it.
Alternatively, if you have sufficient rights (or can elevate to Administrator privileges to get those rights), you can just change the ACLs on the file to give yourself the write permission you don't have. In some cases, just doing os.chmod is sufficient for that, but usually not; you will have to pywin32 the native Win32 APIs again.
I need to write code to reply when a particular message is seen in the hub chat.
I tried using PyDC but was not able to get it to work, some problem because it expects old wxpython libraries or something. The command line one works, but as far as I can see does not support chat. The GUI one tries to import shell from wx.lib.PyCrust but PyCrust has been renamed to wx.py. I tried importing shell from wx.py then the GUI started but was unable to connect to any hub. The command line one connects fine.
Is there any other way I can do what I want?
Eiskalt DC++ QT lets you write scripts in QTScript. I can use this to do what I need.