ssh proxy server to intercept ssh
Project description
ssh-proxy-server - intercept ssh traffic
ssh-proxy-server
is a python library and command line utility to intercept ssh traffic.
At this time, only ssh (terminal) and scp filetransfers are supported.
:warning: do not use this library in production environments! This tool is only for security audits!
Installation
pip install ssh-proxy-server
Start Proxy Server
Password authentication
Start the server:
ssh-proxy-server
Connect to server:
ssh -p 10022 user@remotehost@proxyserver
Public key authentication
When public key authentication is used, the agent is forwarded to the remote server.
Start the server:
ssh-proxy-server --forward-agent
Connect to server:
ssh -A -p 10022 user@remotehost@proxyserver
Available module
The proxy can be configured and extended using command line arguments.
Some arguments accept Python-class names as string.
Loading a class from a package:
ssh-proxy-server --ssh-interface ssh_proxy_server.forwarders.ssh.SSHForwarder
:warning: creating a pip package for custom classes is recommended, because loading from files has some bugs at the moment
Loading a class from a file (experimental):
ssh-proxy-server --ssh-interface /path/to/my/file.py:ExtendedSSHForwarder
SSH interface
- cmd argument:
--ssh-interface
- base class:
ssh_proxy_server.forwarders.ssh.SSHBaseForwarder
- default:
ssh_proxy_server.forwarders.ssh.SSHForwarder
Available forwarders:
ssh_proxy_server.forwarders.ssh.SSHForwarder
- forwards traffic from client to remote serverssh_proxy_server.forwarders.ssh.SSHLogForwarder
- write the session to a file, which can be replayed withscript
ssh_proxy_server.forwarders.ssh.NoShellForwarder
- keeps the session open, when used as master channel, but tty should not be possible to the remote server
SCP interface
- cmd argument:
--scp-interface
- base class:
ssh_proxy_server.forwarders.scp.SCPBaseForwarder
- default:
ssh_proxy_server.forwarders.scp.SCPForwarder
Available forwarders:
ssh_proxy_server.forwarders.scp.SCPForwarder
- transfer file between client and serverssh_proxy_server.forwarders.scp.SCPStorageForwarder
- save file to file system
Authentication:
- cmd argument:
--authenticator
- base class:
ssh_proxy_server.authentication.Authenticator
- default:
ssh_proxy_server.authentication.AuthenticatorPassThrough
Available Authenticators:
ssh_proxy_server.authentication.AuthenticatorPassThrough
- default authenticator, which can reuse credentials
Currently, only one authenticator (AuthenticatorPassThrough) exists, but it supports arguments to specify remote host, username and password, which shlould fit most scenarios. (public keys are on the roadmap)
Extending the ssh proxy server
This example shows, how to create a scp forwarder, which compares the filenames to a known list of forbidden files.
If a file is forbidden, the file transfer aborts. This will result in a broken pipe.
Create the files setup.py
and custom_ssh_proxy_plugin.py
in the same empty direcory.
setup.py
from setuptools import setup
setup(
name='custom_ssh_proxy_plugin',
version='0.0.1',
description='custom ssh proxy plugin',
long_description_content_type='text/markdown',
py_modules=['custom_ssh_proxy_plugin'],
)
custom_ssh_proxy_plugin.py
import paramiko
from ssh_proxy_server.forwarders.scp import SCPStorageForwarder
class SCPForbiddenName(SCPStorageForwarder):
def inspect_file(self, filepath):
if self.file_name == 'bash':
return paramiko.SFTP_FAILURE
return paramiko.SFTP_OK
When the 2 files are created, the package can be installed:
pip install /path/to/package/direcory
start ssh proxy server with custom scp module
ssh-proxy-server --scp-interface custom_ssh_proxy_plugin.SCPForbiddenName --scp-storage ~/ssh_files --scp-keep-files
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for ssh_proxy_server-0.1.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 57d78510aab87bb7af4ce39645aa4fc6c7e10e4927a079e1e76b97d4ae4a7f94 |
|
MD5 | e344c4757776daf8fb0ece1eb2f7b9f6 |
|
BLAKE2b-256 | 4085f3ac3824ab319005ebe3cb87f35b01edb67a4e5724a8e7b68cadfef57f58 |