/ - Diff - snf-vncauthproxy - Greek Research and Technology Network's projects

b/Changelog
13	13	* Add Changelog, README and docs
14	14	* Replace Unix domain control sockets with TCP control sockets, with
15	15	basic authentication and SSL support.
	16	* Add the vncauthproxy-passwd tool to manage the users file.

b/MANIFEST.in
3	3
4	4	recursive-include vncauthproxy *
5	5	recursive-include docs *
6		recursive-include examples *

       * IPv4 and IPv6 support
       * Configurable timeout for client connections
     Its main use is to enable VNC clients to connect to firwalled VNC servers.
     Its main use is to enable VNC clients to connect to firewalled VNC servers.
     It is used by `Synnefo <https://code.grnet.gr/projects/synnefo>`_ to provide
     users with (VNC) console access to their VMs.
-...
     Installation
     ^^^^^^^^^^^^
     snf-vncauthproxy is currently packaged only for Debian (stable / oldstable).
     snf-vncauthproxy is currently packaged only for Debian (stable).
     You can find and install the latest version snf-vncauthproxy at Synnefo's apt
     repository:
-...
     | ``curl https://dev.grnet.gr/files/apt-grnetdev.pub | apt-key add -``
     In case you're upgrading from an older snf-vncauthproxy version or it's the
     first time you're installing snf-vncauthproxy, you will prompted to configure
     a vncauthproxy user (see below for more information on user management).
     Overview
     ^^^^^^^^
     snf-vncauthproxy listens on a TCP socket for control (JSON) messages from clients.
     The format of the control messages is:
     snf-vncauthproxy listens on a TCP socket for control (JSON) messages from
     clients. The format of the control messages is:
     .. code-block:: console
-...
     The snf-vncauthproxy daemon can be either run manually or managed via its init
     script.
     If you're using the init script, snf-vncauthproxy reads its paramater from its
     If you're using the init script, snf-vncauthproxy reads its options from its
     default file (``DAEMON_OPTS`` parameter in ``/etc/default/vncauthproxy``).
     Refer to the vncauthproxy help output for a detailed listing and information
     on all available options:
     .. code-block:: console
     By default snf-vncauthproxy will listen to ``127.0.0.1:24999`` TCP, for incoming
     control connections and uses the ``25000-30000`` range for the listening / data
     sockets.
         # vncauthproxy --help
     Version 1.5 introduced replaced Unix domain control sockets with TCP
     control sockets. This change made it necessary to also introduce an
     authentication file to replace the Unix file permissions, which protected the
     domain sockets.
     By default snf-vncauthproxy will listen to ``127.0.0.1:24999`` TCP, for
     incoming control connections and uses the ``25000-30000`` range for the
     listening / data sockets.
     Version 1.5 replaced Unix domain control sockets with TCP control sockets. This
     change made it necessary to introduce an authentication file to replace the
     POSIX file permissions, which protected the domain sockets.
     The default path for the auth file is ``/var/lib/vncauthproxy/users``
     (configurable by the ``--auth-file`` option). Each line in the file represents
-...
     .. code-block:: console
         user password
         user1 {cleartext}password
         user2 {HA1}md5hash
         username:$6$salt$hash
     The password part of the line (after the colon) is the output of crypt(), using
     a random 16-char salt with SHA-512.
     To manage the authentication file, you can use the vncauthproxy-passwd tool,
     to easily add, update and delete users:
     To add a user:
     .. code-block:: console
         # vncauthproxy-passwd /var/lib/vncauthproxy/users user
     You will be prompted for a password.
     The Debian package provides an example users file.
     To delete a user:
     .. code-block:: console
         # vncauthproxy-passwd -D /var/lib/vncauthproxy/users user
     See the help output of the tool for more options:
     .. code-block:: console
         # vncauthproxy-passwd -h
     .. warning:: The vncauthproxy daemon requires a restart for the changes in the
      authentication file to take effect.
     .. warning:: After installing snf-vncauthproxy for the fist time, make sure
      that you create a valid authentication file and define any users needed. The
      vncauthproxy daemon will start but will not be usable if no users are defined
      or if no authentication file is present.
     Version 1.5 introduced also support for SSL for the control socket. If you
     enable SSL support (``--enable-ssl`` parameter, disabled by default) you wil
-...
     snf-cyclades-app can connect to the snf-vncauthproxy on the listening address /
     port. It's also recommended to enable SSL on the control socket in that case.
     .. include:: changelog.rst
     Changelog
     ^^^^^^^^^
     * v1.5 :ref:`Changelog <Changelog-1.5>`
     Upgrade notes
     ^^^^^^^^^^^^^
     .. toctree::
        :maxdepth: 1
     .. include:: upgrade.rst
         v1.4 -> v1.5 <upgrade/upgrade-1.5.rst>
     Contact
     ^^^^^^^

     Upgrade notes
     ^^^^^^^^^^^^^
     v1.5
     ====
     Version 1.5 replaced Unix domain control sockets with TCP
     control sockets. This change made it necessary to also introduce an
     authentication file to replace the POSIX file permissions, which protected the
     domain sockets.
     The default path for the auth file is ``/var/lib/vncauthproxy/users``
     (configurable by the ``--auth-file`` option). Each line in the file represents
     one user which is allowed to use the control socket and should be in the
     following format:
     .. code-block:: console
         user password
         user1 {cleartext}password
         user2 {HA1}md5hash
     If you want to use a hash instead of a password, you should provide the MD5
     digest of the string ``user:vncauthproxy:password``. It can be generated with
     the following command:
     .. code-block:: console
         $ echo -n 'user:vncauthproxy:password' | openssl md5
     The Debian package provides an example users file.
     Version 1.5 also introduced support for SSL for the control socket. If you
     enable SSL support (``--enable-ssl`` parameter, disabled by default) you will
     have to provide a certficate and key file (``--cert-file`` and ``--key-file``
     parameters). The default values for certificate and key files are
     ``/var/lib/vncauthrpoxy/{cert,key}.pem`` respectively.
     If you're using snf-vncauthproxy with Synnefo, you should make sure to edit the
     ``CYCLADES_VNCAUTHPROXY_OPTS`` setting in
     ``/etc/synnefo/20-snf-cyclades-app-api.conf``.  The
     ``CYCLADES_VNCAUTHPROXY_OPTS`` dict in
     ``/etc/synnefo/20-snf-cyclades-app-api.conf`` should be edited to match
     snf-vncauthproxy configuration (user, password, SSL support, certificate file).
     You should also make sure that the node running snf-cyclades-app can connect to
     the snf-vncauthproxy's control socket address / port (the suggested deployment to
     run snf-vncauthproxy on the same host as snf-cyclades-app should work with
     the defaults of snf-vncauthproxy, with the exception of the authentication
     file).

     Upgrade notes
     ^^^^^^^^^^^^^
     v1.5
     ====
     Version 1.5 replaced Unix domain control sockets with TCP control sockets. This
     change made it necessary to introduce an authentication file to replace the
     POSIX file permissions, which protected the domain sockets.
     You can configure vncauthproxy daemon by modifying the Debian default file
     (``/etc/default/vncauthproxy``) and more specifically the ``DAEMON_OPTS``
     variable. This option (along with the modified ``CHUID`` option) has been added
     to the v1.5 default file (which you'll need to 'merge' if you're upgrading from
     an older version of snf-vncauthproxy).
     The ``DAEMON_OPTS`` variable accepts any valid option you can pass to the
     vncauthproxy daemon on the command line. For a detailed listing and information
     about the avaialble options plese check vncauthproxy help output:
     .. code-block:: console
         # vncauthproxy --help
     The default path for the auth file is ``/var/lib/vncauthproxy/users``
     (configurable by the ``--auth-file`` option). Each line in the file represents
     one user which is allowed to use the control socket and should be in the
     following format:
     .. code-block:: console
         username:$6$salt$hash
     The password part of the line (after the colon) is the output of crypt(), using
     a random 16-char salt with SHA-512.
     To manage the authentication file, you can use the vncauthproxy-passwd tool,
     to easily add, update and delete users:
     To add a user:
     .. code-block:: console
         # vncauthproxy-passwd /var/lib/vncauthproxy/users user
     You will be prompted for a password.
     To delete a user:
     .. code-block:: console
         # vncauthproxy-passwd -D /var/lib/vncauthproxy/users user
     See the help output of the tool for more options:
     .. code-block:: console
         # vncauthproxy-passwd -h
     .. warning:: The vncauthproxy daemon requires a restart for the changes in the
      authentication file to take effect.
     .. warning:: After installing snf-vncauthproxy for the fist time, make sure
      that you create a valid authentication file and define any users needed. The
      vncauthproxy daemon will start but will not be usable if no users are defined
      or if no authentication file is present.
     Version 1.5 also introduced support for SSL for the control socket. If you
     enable SSL support (``--enable-ssl`` parameter, disabled by default) you will
     have to provide a certficate and key file (``--cert-file`` and ``--key-file``
     parameters). The default values for certificate and key files are
     ``/var/lib/vncauthrpoxy/{cert,key}.pem`` respectively.
     If you're using snf-vncauthproxy with Synnefo, you should make sure to edit the
     ``CYCLADES_VNCAUTHPROXY_OPTS`` setting in
     ``/etc/synnefo/20-snf-cyclades-app-api.conf``.  The
     ``CYCLADES_VNCAUTHPROXY_OPTS`` dict in
     ``/etc/synnefo/20-snf-cyclades-app-api.conf`` should be edited to match
     snf-vncauthproxy configuration (user, password, SSL support, certificate file).
     You should also make sure that the node running snf-cyclades-app can connect to
     the snf-vncauthproxy's control socket address / port (the suggested deployment to
     run snf-vncauthproxy on the same host as snf-cyclades-app should work with
     the defaults of snf-vncauthproxy, with the exception of the authentication
     file).
     Finally, snf-vncauthproxy now adds a user and group (``vncauthproxy``) to be
     used by the vncauthproxy daemon. As a result the ``CHUID`` option in the Debian
     default file (``/etc/default/vncauthproxy``) has changed accordingly. Although
     it is recommended to run vncauhtproxy with the predfined user and group, it's
     not mandatory.

/dev/null
1		user password
2		user1 {cleartext}password
3		user2 {HA1}md5hash

b/setup.py
40	40	],
41	41	entry_points={
42	42	'console_scripts': [
43		'vncauthproxy = vncauthproxy.proxy:main'
	43	'vncauthproxy = vncauthproxy.proxy:main',
	44	'vncauthproxy-passwd = vncauthproxy.passwd:main'
44	45	]
45	46	}
46	47	)

                           help=("Use source port PORT for incoming connections "
                                 "(default: allocate a port automatically)"))
         parser.add_option("-d", "--dest",
                           default=None, dest="daddr",
                           dest="daddr",
                           metavar="HOST",
                           help="Proxy connection to destination host HOST")
         parser.add_option("-p", "--dport", dest="dport",
                           default=None, type="int",
                           type="int",
                           metavar="PORT",
                           help="Proxy connection to destination port PORT")
         parser.add_option("-P", "--password", dest="password",
                           default=None,
                           metavar="PASSWORD",
                           help=("Use password PASSWD to authenticate incoming "
                                 "VNC connections"))
         parser.add_option("--auth-user", dest="auth_user",
                           default=None,
                           metavar="AUTH_USER",
                           help=("User to authenticate as, for the control "
                                 "connection"))
         parser.add_option("--auth-password", dest="auth_password",
                           default=None,
                           metavar="AUTH_PASSWORD",
                           help=("User password for the control connection "
                                 "authentication"))
-...
                            server_address=DEFAULT_SERVER_ADDRESS,
                            server_port=DEFAULT_SERVER_PORT, enable_ssl=False,
                            ca_cert=None, strict=False):
         """Connect to vncauthproxy and request a VNC forwarding."""
         # Mandatory arguments
         if not password:
             raise Exception("The password argument is mandatory.")
         if not daddr:
             raise Exception("The daddr argument is mandatory.")
         if not dport:
             raise Exception("The dport argument is mandatory.")
         if not auth_user:
             raise Exception("The auth_user argument is mandatory.")
         if not auth_password:
             raise Exception("The auth_password argument is mandatory.")
         """ Connect to vncauthproxy and request a VNC forwarding.
             @type sport: int
             @param sport: Source port for incoming connections
                           (0 for automatic allocation)"
             @type daddr: str
             @param daddr: Destination address for the forwarding
             @type dport: int
             @param dport: Destination port for the forwarding
             @type password: str
             @param password: VNC server auth password
             @type auth_user: str
             @param auth_user: vncauthproxy user
             @type auth_password: str
             @param auth_password: vncauthproxy password
             @type server_address: str
             @param server_address: Listening address for the vncauthproxy daemon
                                    (default: 127.0.0.1)
             @type server_port: int
             @param server_port: Listening port for the vncauthproxy daemon
                                (default: 24999)
             @type enable_ssl: bool
             @param enable_ssl: Enable / disable SSL on the control socket
             @type ca_cert: str
             @param ca_cert: Path to the CA cert file
             @type strict: bool
             @param strict: Enable strict cert checking for SSL
             @rtype: dict
             @return: Server response in dict / JSON format
             """
         # Sanity check
         if strict and not ca_cert:
             raise Exception("strict requires ca-cert to be set")
         if not enable_ssl and (strict or ca_cert):
             logger.warning("strict or ca_cert set, but ssl not enabled")
             logger.warning("strict or ca-cert set, but ssl not enabled")
         req = {
             "source_port": int(sport),
-...
         (opts, args) = parse_arguments(sys.argv[1:])
         # Mandatory arguments
         if opts.password is None:
             sys.stderr.write("The password argument is mandatory.\n")
             sys.exit(1)
         if opts.daddr is None:
             sys.stderr.write("The daddr argument is mandatory.\n")
         if opts.dport is None:
             sys.stderr.write("The dport argument is mandatory.\n")
         if opts.auth_user is None:
             sys.stderr.write("The auth_user argument is mandatory.\n")
         if opts.auth_password is None:
             sys.stderr.write("The auth_password argument is mandatory.\n")
         res = request_forwarding(sport=opts.sport, daddr=opts.daddr,
                                  dport=opts.dport, password=opts.password,
                                  auth_user=opts.auth_user,

     #!/usr/bin/env python
     """
     vncauthproxy-passwd - vncauthproxy passwd file mgmt tool
     """
+    #
     # Copyright (c) 2010-2013 Greek Research and Technology Network S.A.
+    #
     # This program is free software; you can redistribute it and/or modify
     # it under the terms of the GNU General Public License as published by
     # the Free Software Foundation; either version 2 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful, but
     # WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     # General Public License for more details.
+    #
     # You should have received a copy of the GNU General Public License
     # along with this program; if not, write to the Free Software
     # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
     # 02110-1301, USA.
     import argparse
     import crypt
     import getpass
     import os
     import random
     import re
     import string
     import sys
     import tempfile
     def parse_arguments():
         """ Parse cli args. """
         parser = argparse.ArgumentParser()
         parser.add_argument("-n", "--dry-run", action="store_true", dest="dry_run",
                             help="Display the results on stdout without updating "
                             "the passwd file")
         parser.add_argument("-D", "--delete", action="store_true",
                             dest="delete_user", help="Delete user from file")
         parser.add_argument("passwdfile", metavar="file", type=str, nargs=1,
                             help="Path to the passwd file")
         parser.add_argument("user", metavar="user", type=str, nargs=1,
                             help="User to edit")
         args = parser.parse_args()
         return args
     def gen_salt():
         """ Generate 16-char salt string. """
         chars = list(string.ascii_letters + string.digits + "./")
         random.shuffle(chars)
         return "".join(random.choice(chars) for x in range(16))
     def gen_hash(username, password):
         """ Generate SHA-512 hash in crypt() format. """
         salt = "$6$%s$" % gen_salt()
         return "%s:%s\n" % (username, crypt.crypt(password, salt))
     def fail(reason):
         """ Print reason for failure and exit. """
         sys.stderr.write("%s\n" % reason)
         sys.exit(1)
     def find_user(lines, user):
         """ Return user info from passwd file, if the users exists. """
         for (idx, line) in enumerate(lines):
             (username, _) = line.split(":", 1)
             if user == username:
                 return (idx, line)
         return None
     def write_wrapper(passwdfile, lines, dry_run):
         """ Dry-run wrapper for write. """
         if not dry_run:
             (fd, name) = tempfile.mkstemp()
             with os.fdopen(fd, "w+") as f:
                 f.write("".join(lines))
             os.rename(name, passwdfile)
         else:
             sys.stderr.write("".join(lines))
     def delete_user(user, passwdfile):
         """ Delete user from passwdfile. """
         if not os.path.isfile(passwdfile):
             fail("Cannot delete user from non-existent file")
         lines = open(passwdfile).readlines()
         user_line = find_user(lines, user)
         if not user_line:
             fail("User not found!")
         (idx, line) = user_line
         lines.remove(line)
         return lines
     def add_or_update_user(user, passwdfile):
         """ Add or update user from passwdfile. """
         password = getpass.getpass()
         if password == "":
             fail("Password cannot be empty")
         if password != getpass.getpass("Retype password: "):
             fail("Passwords don't match")
         newline = gen_hash(user, password)
         lines = [newline]
         if os.path.isfile(passwdfile):
             lines = open(passwdfile).readlines()
             user_line = find_user(lines, user)
             if not user_line:
                 lines.append(newline)
             else:
                 (idx, _) = user_line
                 lines[idx] = newline
         return lines
     def main():
         """ Run the tool from the command line. """
         try:
             args = parse_arguments()
             user = args.user[0]
             passwdfile = args.passwdfile[0]
             user_re = r'^[a-z_][a-z0-9_]{0,30}$'
             if re.match(user_re, user) is None:
                 fail("Username must match the following regexp: %s" % user_re)
             if args.delete_user:
                 lines = delete_user(user, passwdfile)
             else:
                 lines = add_or_update_user(user, passwdfile)
             write_wrapper(passwdfile, lines, args.dry_run)
         except KeyboardInterrupt:
             pass
         sys.exit(0)

     import daemon
     import random
     import daemon.runner
     import hashlib
     import re
     import crypt
     from vncauthproxy import rfb
-...
                 self.password = req['password']
                 if auth_user not in VncAuthProxy.authdb:
                     msg = "Authentication failure: user not found"
                     msg = "vncauthproxy authentication failure: user not found"
                     raise InternalError(msg)
                 (cipher, authdb_password) = VncAuthProxy.authdb[auth_user]
                 if cipher == 'HA1':
                     message = auth_user + ':vncauthproxy:' + auth_password
                     auth_password = hashlib.md5(message).hexdigest()
                 (cipher, salt, authdb_hash) = VncAuthProxy.authdb[auth_user]
                 crypt_result = crypt.crypt(auth_password, '$%s$%s$' %
                                                           (cipher, salt))
                 passhash = crypt_result.lstrip('$').split('$', 2)[-1]
                 if auth_password != authdb_password:
                     msg = "Authentication failure: wrong password"
                 if passhash != authdb_hash:
                     msg = "vncauthproxy authentication failure: wrong password"
                     raise InternalError(msg)
             except KeyError:
                 msg = "Malformed request: %s" % buf
-...
     def parse_auth_file(auth_file):
         supported_ciphers = ('cleartext', 'HA1', None)
         regexp = re.compile(r'^\s*(?P<user>\S+)\s+({(?P<cipher>\S+)})?'
                             r'(?P<pass>\S+)\s*$')
         users = {}
         if os.path.isfile(auth_file) is False:
-...
         try:
             with open(auth_file) as f:
                 lines = [l.strip() for l in f.readlines()]
                 for line in lines:
                     if not line or line.startswith('#'):
                         continue
                     m = regexp.match(line)
                     if not m:
                         raise InternalError("Invaild entry in auth file: %s"
                                             % line)
                     user = m.group('user')
                     cipher = m.group('cipher')
                     if cipher not in supported_ciphers:
                         raise InternalError("Unsupported cipher in auth file: "
                                             "%s" % line)
                     password = (cipher, m.group('pass'))
                     if user in users:
                         raise InternalError("Duplicate user entry in auth file")
                     users[user] = password
         except IOError as err:
             logger.error("Error while reading the auth file:")
                 lines = [l.strip().split(':', 1) for l in f.readlines()]
                 for (user, passhash) in lines:
                     users[user] = passhash.lstrip('$').split('$', 2)
         except ValueError as err:
             logger.exception(err)
             raise InternalError("Malformed auth file")
         if not users:
             logger.warning("No users defined")

Synnefo » snf-vncauthproxy

Revision 3b98303f