Revision 7f8ec5bd
| b/vncauthproxy/client.py | ||
|---|---|---|
| 17 | 17 |
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
| 18 | 18 |
# 02110-1301, USA. |
| 19 | 19 |
|
| 20 |
""" vncauthproxy client """ |
|
| 21 |
|
|
| 20 | 22 |
import sys |
| 21 | 23 |
import socket |
| 22 | 24 |
import ssl |
| ... | ... | |
| 29 | 31 |
try: |
| 30 | 32 |
from gevent import sleep |
| 31 | 33 |
except ImportError: |
| 32 |
import sleep |
|
| 34 |
from time import sleep
|
|
| 33 | 35 |
|
| 34 | 36 |
DEFAULT_SERVER_ADDRESS = '127.0.0.1' |
| 35 | 37 |
DEFAULT_SERVER_PORT = 24999 |
| ... | ... | |
| 75 | 77 |
metavar="AUTH_PASSWORD", |
| 76 | 78 |
help=("User password for the control connection "
|
| 77 | 79 |
"authentication")) |
| 78 |
parser.add_option("--no-ssl", dest="no_ssl",
|
|
| 80 |
parser.add_option("--enable-ssl", dest="enable_ssl",
|
|
| 79 | 81 |
action='store_true', default=False, |
| 80 |
help=("Disable SSL/TLS for control connecions "
|
|
| 82 |
help=("Enable SSL/TLS for control connecions "
|
|
| 81 | 83 |
"(default: %s)" % False)) |
| 82 | 84 |
parser.add_option("--ca-cert", dest="ca_cert",
|
| 83 | 85 |
default=None, |
| ... | ... | |
| 91 | 93 |
|
| 92 | 94 |
(opts, args) = parser.parse_args(args) |
| 93 | 95 |
|
| 94 |
# Mandatory arguments |
|
| 95 |
if not opts.password: |
|
| 96 |
parser.error("The -P/--password argument is mandatory.")
|
|
| 97 |
if not opts.daddr: |
|
| 98 |
parser.error("The -d/--dest argument is mandatory.")
|
|
| 99 |
if not opts.dport: |
|
| 100 |
parser.error("The -p/--dport argument is mandatory.")
|
|
| 101 |
if not opts.auth_user: |
|
| 102 |
parser.error("The --auth-user argument is mandatory.")
|
|
| 103 |
if not opts.auth_password: |
|
| 104 |
parser.error("The --auth-password argument is mandatory.")
|
|
| 105 |
|
|
| 106 |
# Sanity check |
|
| 107 |
if opts.strict and not opts.ca_cert: |
|
| 108 |
parser.error("--strict requires --ca-cert to be set")
|
|
| 109 |
if opts.no_ssl and opts.ca_cert: |
|
| 110 |
parser.error("--no-ssl and --ca-cert / --strict options "
|
|
| 111 |
"are mutually exclusive") |
|
| 112 |
|
|
| 113 | 96 |
return (opts, args) |
| 114 | 97 |
|
| 115 | 98 |
|
| 116 | 99 |
def request_forwarding(sport, daddr, dport, password, |
| 117 | 100 |
auth_user, auth_password, |
| 118 | 101 |
server_address=DEFAULT_SERVER_ADDRESS, |
| 119 |
server_port=DEFAULT_SERVER_PORT, no_ssl=False,
|
|
| 102 |
server_port=DEFAULT_SERVER_PORT, enable_ssl=False,
|
|
| 120 | 103 |
ca_cert=None, strict=False): |
| 121 | 104 |
"""Connect to vncauthproxy and request a VNC forwarding.""" |
| 105 |
|
|
| 106 |
# Mandatory arguments |
|
| 122 | 107 |
if not password: |
| 123 |
raise ValueError("You must specify a non-empty password")
|
|
| 108 |
raise Exception("The password argument is mandatory.")
|
|
| 109 |
if not daddr: |
|
| 110 |
raise Exception("The daddr argument is mandatory.")
|
|
| 111 |
if not dport: |
|
| 112 |
raise Exception("The dport argument is mandatory.")
|
|
| 113 |
if not auth_user: |
|
| 114 |
raise Exception("The auth_user argument is mandatory.")
|
|
| 115 |
if not auth_password: |
|
| 116 |
raise Exception("The auth_password argument is mandatory.")
|
|
| 117 |
|
|
| 118 |
# Sanity check |
|
| 119 |
if strict and not ca_cert: |
|
| 120 |
raise Exception("strict requires ca-cert to be set")
|
|
| 121 |
if not enable_ssl and (strict or ca_cert): |
|
| 122 |
raise Exception("strict or ca-cert set, but ssl not enabled")
|
|
| 124 | 123 |
|
| 125 | 124 |
req = {
|
| 126 | 125 |
"source_port": int(sport), |
| ... | ... | |
| 146 | 145 |
server = None |
| 147 | 146 |
continue |
| 148 | 147 |
|
| 149 |
if not no_ssl:
|
|
| 148 |
if enable_ssl:
|
|
| 150 | 149 |
reqs = ssl.CERT_NONE |
| 151 | 150 |
if strict: |
| 152 | 151 |
reqs = ssl.CERT_REQUIRED |
| 153 | 152 |
elif ca_cert: |
| 154 | 153 |
reqs = ssl.CERT_OPTIONAL |
| 155 | 154 |
|
| 156 |
server = ssl.wrap_socket( |
|
| 157 |
server, cert_reqs=reqs, ca_certs=ca_cert,
|
|
| 158 |
ssl_version=ssl.PROTOCOL_TLSv1) |
|
| 155 |
server = ssl.wrap_socket(server, cert_reqs=reqs,
|
|
| 156 |
ca_certs=ca_cert,
|
|
| 157 |
ssl_version=ssl.PROTOCOL_TLSv1)
|
|
| 159 | 158 |
|
| 160 | 159 |
server.settimeout(60.0) |
| 161 | 160 |
|
| ... | ... | |
| 191 | 190 |
dport=opts.dport, password=opts.password, |
| 192 | 191 |
auth_user=opts.auth_user, |
| 193 | 192 |
auth_password=opts.auth_password, |
| 194 |
no_ssl=opts.no_ssl, ca_cert=opts.ca_cert,
|
|
| 193 |
enable_ssl=opts.enable_ssl, ca_cert=opts.ca_cert,
|
|
| 195 | 194 |
strict=opts.strict) |
| 196 | 195 |
|
| 197 | 196 |
reason = None |
| 198 | 197 |
if 'reason' in res: |
| 199 | 198 |
reason = 'Reason: %s\n' % res['reason'] |
| 200 | 199 |
sys.stderr.write("Forwaring %s -> %s:%s: %s\n%s" % (res['source_port'],
|
| 201 |
opts.daddr, opts.dport, |
|
| 202 |
res['status'], reason)) |
|
| 200 |
opts.daddr, opts.dport,
|
|
| 201 |
res['status'], reason))
|
|
| 203 | 202 |
|
| 204 | 203 |
if res['status'] == "OK": |
| 205 | 204 |
sys.exit(0) |
| b/vncauthproxy/proxy.py | ||
|---|---|---|
| 24 | 24 |
DEFAULT_LOG_FILE = "/var/log/vncauthproxy/vncauthproxy.log" |
| 25 | 25 |
DEFAULT_PID_FILE = "/var/run/vncauthproxy/vncauthproxy.pid" |
| 26 | 26 |
|
| 27 |
# By default, bind / listen for control connections to TCP *:24999 |
|
| 28 |
# (both IPv4 and IPv6) |
|
| 29 |
DEFAULT_LISTEN_ADDRESS = None |
|
| 27 |
# By default, bind / listen for control connections to TCP(v4) 127.0.0.1:24999 |
|
| 28 |
DEFAULT_LISTEN_ADDRESS = "127.0.0.1" |
|
| 30 | 29 |
DEFAULT_LISTEN_PORT = 24999 |
| 31 | 30 |
|
| 32 | 31 |
# Backlog for the control socket |
| ... | ... | |
| 649 | 648 |
|
| 650 | 649 |
users[user] = password |
| 651 | 650 |
except IOError as err: |
| 652 |
logger.error("Couldn't read auth file")
|
|
| 651 |
logger.critical("Couldn't read auth file")
|
|
| 653 | 652 |
raise InternalError(err) |
| 654 | 653 |
|
| 655 | 654 |
if not users: |
| 656 |
logger.warn("No users specified.")
|
|
| 655 |
raise InternalError("No users defined")
|
|
| 657 | 656 |
|
| 658 | 657 |
return users |
| 659 | 658 |
|
| ... | ... | |
| 678 | 677 |
default=DEFAULT_LISTEN_ADDRESS, |
| 679 | 678 |
metavar="LISTEN_ADDRESS", |
| 680 | 679 |
help=("Address to listen for control connections"
|
| 681 |
"(default: *)"))
|
|
| 680 |
"(default: 127.0.0.1)"))
|
|
| 682 | 681 |
parser.add_option("--listen-port", dest="listen_port",
|
| 683 | 682 |
default=DEFAULT_LISTEN_PORT, |
| 684 | 683 |
metavar="LISTEN_PORT", |
| ... | ... | |
| 717 | 716 |
help=("The maximum port number to use for automatically-"
|
| 718 | 717 |
"allocated ephemeral ports (default: %s)" % |
| 719 | 718 |
DEFAULT_MAX_PORT)) |
| 720 |
parser.add_option('--no-ssl', dest="no_ssl",
|
|
| 719 |
parser.add_option('--enable-ssl', dest="enable_ssl",
|
|
| 721 | 720 |
default=False, action='store_true', |
| 722 |
help=("Disable SSL/TLS for control connections "
|
|
| 721 |
help=("Enable SSL/TLS for control connections "
|
|
| 723 | 722 |
"(default: False")) |
| 724 | 723 |
parser.add_option('--cert-file', dest="cert_file",
|
| 725 | 724 |
default=DEFAULT_CERT_FILE, |
| ... | ... | |
| 839 | 838 |
rlist, _, _ = select(sockets, [], []) |
| 840 | 839 |
for ctrl in rlist: |
| 841 | 840 |
client, _ = ctrl.accept() |
| 842 |
if not opts.no_ssl:
|
|
| 841 |
if opts.enable_ssl:
|
|
| 843 | 842 |
client = ssl.wrap_socket(client, |
| 844 | 843 |
server_side=True, |
| 845 | 844 |
keyfile=opts.key_file, |
Also available in: Unified diff