Revision 7f8ec5bd
b/vncauthproxy/client.py | ||
---|---|---|
17 | 17 |
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
18 | 18 |
# 02110-1301, USA. |
19 | 19 |
|
20 |
""" vncauthproxy client """ |
|
21 |
|
|
20 | 22 |
import sys |
21 | 23 |
import socket |
22 | 24 |
import ssl |
... | ... | |
29 | 31 |
try: |
30 | 32 |
from gevent import sleep |
31 | 33 |
except ImportError: |
32 |
import sleep |
|
34 |
from time import sleep
|
|
33 | 35 |
|
34 | 36 |
DEFAULT_SERVER_ADDRESS = '127.0.0.1' |
35 | 37 |
DEFAULT_SERVER_PORT = 24999 |
... | ... | |
75 | 77 |
metavar="AUTH_PASSWORD", |
76 | 78 |
help=("User password for the control connection " |
77 | 79 |
"authentication")) |
78 |
parser.add_option("--no-ssl", dest="no_ssl",
|
|
80 |
parser.add_option("--enable-ssl", dest="enable_ssl",
|
|
79 | 81 |
action='store_true', default=False, |
80 |
help=("Disable SSL/TLS for control connecions "
|
|
82 |
help=("Enable SSL/TLS for control connecions "
|
|
81 | 83 |
"(default: %s)" % False)) |
82 | 84 |
parser.add_option("--ca-cert", dest="ca_cert", |
83 | 85 |
default=None, |
... | ... | |
91 | 93 |
|
92 | 94 |
(opts, args) = parser.parse_args(args) |
93 | 95 |
|
94 |
# Mandatory arguments |
|
95 |
if not opts.password: |
|
96 |
parser.error("The -P/--password argument is mandatory.") |
|
97 |
if not opts.daddr: |
|
98 |
parser.error("The -d/--dest argument is mandatory.") |
|
99 |
if not opts.dport: |
|
100 |
parser.error("The -p/--dport argument is mandatory.") |
|
101 |
if not opts.auth_user: |
|
102 |
parser.error("The --auth-user argument is mandatory.") |
|
103 |
if not opts.auth_password: |
|
104 |
parser.error("The --auth-password argument is mandatory.") |
|
105 |
|
|
106 |
# Sanity check |
|
107 |
if opts.strict and not opts.ca_cert: |
|
108 |
parser.error("--strict requires --ca-cert to be set") |
|
109 |
if opts.no_ssl and opts.ca_cert: |
|
110 |
parser.error("--no-ssl and --ca-cert / --strict options " |
|
111 |
"are mutually exclusive") |
|
112 |
|
|
113 | 96 |
return (opts, args) |
114 | 97 |
|
115 | 98 |
|
116 | 99 |
def request_forwarding(sport, daddr, dport, password, |
117 | 100 |
auth_user, auth_password, |
118 | 101 |
server_address=DEFAULT_SERVER_ADDRESS, |
119 |
server_port=DEFAULT_SERVER_PORT, no_ssl=False,
|
|
102 |
server_port=DEFAULT_SERVER_PORT, enable_ssl=False,
|
|
120 | 103 |
ca_cert=None, strict=False): |
121 | 104 |
"""Connect to vncauthproxy and request a VNC forwarding.""" |
105 |
|
|
106 |
# Mandatory arguments |
|
122 | 107 |
if not password: |
123 |
raise ValueError("You must specify a non-empty password") |
|
108 |
raise Exception("The password argument is mandatory.") |
|
109 |
if not daddr: |
|
110 |
raise Exception("The daddr argument is mandatory.") |
|
111 |
if not dport: |
|
112 |
raise Exception("The dport argument is mandatory.") |
|
113 |
if not auth_user: |
|
114 |
raise Exception("The auth_user argument is mandatory.") |
|
115 |
if not auth_password: |
|
116 |
raise Exception("The auth_password argument is mandatory.") |
|
117 |
|
|
118 |
# Sanity check |
|
119 |
if strict and not ca_cert: |
|
120 |
raise Exception("strict requires ca-cert to be set") |
|
121 |
if not enable_ssl and (strict or ca_cert): |
|
122 |
raise Exception("strict or ca-cert set, but ssl not enabled") |
|
124 | 123 |
|
125 | 124 |
req = { |
126 | 125 |
"source_port": int(sport), |
... | ... | |
146 | 145 |
server = None |
147 | 146 |
continue |
148 | 147 |
|
149 |
if not no_ssl:
|
|
148 |
if enable_ssl:
|
|
150 | 149 |
reqs = ssl.CERT_NONE |
151 | 150 |
if strict: |
152 | 151 |
reqs = ssl.CERT_REQUIRED |
153 | 152 |
elif ca_cert: |
154 | 153 |
reqs = ssl.CERT_OPTIONAL |
155 | 154 |
|
156 |
server = ssl.wrap_socket( |
|
157 |
server, cert_reqs=reqs, ca_certs=ca_cert,
|
|
158 |
ssl_version=ssl.PROTOCOL_TLSv1) |
|
155 |
server = ssl.wrap_socket(server, cert_reqs=reqs,
|
|
156 |
ca_certs=ca_cert,
|
|
157 |
ssl_version=ssl.PROTOCOL_TLSv1)
|
|
159 | 158 |
|
160 | 159 |
server.settimeout(60.0) |
161 | 160 |
|
... | ... | |
191 | 190 |
dport=opts.dport, password=opts.password, |
192 | 191 |
auth_user=opts.auth_user, |
193 | 192 |
auth_password=opts.auth_password, |
194 |
no_ssl=opts.no_ssl, ca_cert=opts.ca_cert,
|
|
193 |
enable_ssl=opts.enable_ssl, ca_cert=opts.ca_cert,
|
|
195 | 194 |
strict=opts.strict) |
196 | 195 |
|
197 | 196 |
reason = None |
198 | 197 |
if 'reason' in res: |
199 | 198 |
reason = 'Reason: %s\n' % res['reason'] |
200 | 199 |
sys.stderr.write("Forwaring %s -> %s:%s: %s\n%s" % (res['source_port'], |
201 |
opts.daddr, opts.dport, |
|
202 |
res['status'], reason)) |
|
200 |
opts.daddr, opts.dport,
|
|
201 |
res['status'], reason))
|
|
203 | 202 |
|
204 | 203 |
if res['status'] == "OK": |
205 | 204 |
sys.exit(0) |
b/vncauthproxy/proxy.py | ||
---|---|---|
24 | 24 |
DEFAULT_LOG_FILE = "/var/log/vncauthproxy/vncauthproxy.log" |
25 | 25 |
DEFAULT_PID_FILE = "/var/run/vncauthproxy/vncauthproxy.pid" |
26 | 26 |
|
27 |
# By default, bind / listen for control connections to TCP *:24999 |
|
28 |
# (both IPv4 and IPv6) |
|
29 |
DEFAULT_LISTEN_ADDRESS = None |
|
27 |
# By default, bind / listen for control connections to TCP(v4) 127.0.0.1:24999 |
|
28 |
DEFAULT_LISTEN_ADDRESS = "127.0.0.1" |
|
30 | 29 |
DEFAULT_LISTEN_PORT = 24999 |
31 | 30 |
|
32 | 31 |
# Backlog for the control socket |
... | ... | |
649 | 648 |
|
650 | 649 |
users[user] = password |
651 | 650 |
except IOError as err: |
652 |
logger.error("Couldn't read auth file")
|
|
651 |
logger.critical("Couldn't read auth file")
|
|
653 | 652 |
raise InternalError(err) |
654 | 653 |
|
655 | 654 |
if not users: |
656 |
logger.warn("No users specified.")
|
|
655 |
raise InternalError("No users defined")
|
|
657 | 656 |
|
658 | 657 |
return users |
659 | 658 |
|
... | ... | |
678 | 677 |
default=DEFAULT_LISTEN_ADDRESS, |
679 | 678 |
metavar="LISTEN_ADDRESS", |
680 | 679 |
help=("Address to listen for control connections" |
681 |
"(default: *)"))
|
|
680 |
"(default: 127.0.0.1)"))
|
|
682 | 681 |
parser.add_option("--listen-port", dest="listen_port", |
683 | 682 |
default=DEFAULT_LISTEN_PORT, |
684 | 683 |
metavar="LISTEN_PORT", |
... | ... | |
717 | 716 |
help=("The maximum port number to use for automatically-" |
718 | 717 |
"allocated ephemeral ports (default: %s)" % |
719 | 718 |
DEFAULT_MAX_PORT)) |
720 |
parser.add_option('--no-ssl', dest="no_ssl",
|
|
719 |
parser.add_option('--enable-ssl', dest="enable_ssl",
|
|
721 | 720 |
default=False, action='store_true', |
722 |
help=("Disable SSL/TLS for control connections "
|
|
721 |
help=("Enable SSL/TLS for control connections "
|
|
723 | 722 |
"(default: False")) |
724 | 723 |
parser.add_option('--cert-file', dest="cert_file", |
725 | 724 |
default=DEFAULT_CERT_FILE, |
... | ... | |
839 | 838 |
rlist, _, _ = select(sockets, [], []) |
840 | 839 |
for ctrl in rlist: |
841 | 840 |
client, _ = ctrl.accept() |
842 |
if not opts.no_ssl:
|
|
841 |
if opts.enable_ssl:
|
|
843 | 842 |
client = ssl.wrap_socket(client, |
844 | 843 |
server_side=True, |
845 | 844 |
keyfile=opts.key_file, |
Also available in: Unified diff