upstream/ipython Commit - r3572:99528f8b

added preliminary ssh tunneling support for clients

Min RK -

r3572:99528f8b

parent child

IPython/zmq/forward.py

0 +3 -3

             #!/usr/bin/env python
             #
-            # This file is adapted from a paramiko demo, and thus LGPL 2.1.
+            # This file is adapted from a paramiko demo, and thus licensed under LGPL 2.1.
             # Original Copyright (C) 2003-2007  Robey Pointer <robeypointer@gmail.com>
             # Edits Copyright (C) 2010 The IPython Team
             #
                             self.request.send(data)
                     chan.close()
                     self.request.close()
-                    verbose('Tunnel closed from %r' % (self.request.getpeername(),))
+                    verbose('Tunnel closed ')
             def forward_tunnel(local_port, remote_host, remote_port, transport):
                     chain_host = remote_host
                     chain_port = remote_port
                     ssh_transport = transport
-                ForwardServer(('', local_port), SubHander).serve_forever()
+                ForwardServer(('127.0.0.1', local_port), SubHander).serve_forever()
             def verbose(s):

IPython/zmq/parallel/client.py

0 +62 -12

             from zmq.eventloop import ioloop, zmqstream
             from IPython.external.decorator import decorator
+            from IPython.zmq import tunnel
             import streamsession as ss
             # from remotenamespace import RemoteNamespace
                 addr : bytes; zmq url, e.g. 'tcp://127.0.0.1:10101'
                     The address of the controller's registration socket.
+                    [Default: 'tcp://127.0.0.1:10101']
+                context : zmq.Context
+                    Pass an existing zmq.Context instance, otherwise the client will create its own
+                username : bytes
+                    set username to be passed to the Session object
+                debug : bool
+                    flag for lots of message printing for debug purposes
+                #-------------- ssh related args ----------------
+                # These are args for configuring the ssh tunnel to be used
+                # credentials are used to forward connections over ssh to the Controller
+                # Note that the ip given in `addr` needs to be relative to sshserver
+                # The most basic case is to leave addr as pointing to localhost (127.0.0.1),
+                # and set sshserver as the same machine the Controller is on. However,
+                # the only requirement is that sshserver is able to see the Controller
+                # (i.e. is within the same trusted network).
+                sshserver : str
+                    A string of the form passed to ssh, i.e. 'server.tld' or 'user@server.tld:port'
+                    If keyfile or password is specified, and this is not, it will default to
+                    the ip given in addr.
+                keyfile : str; path to public key file
+                    This specifies a key to be used in ssh login, default None.
+                    Regular default ssh keys will be used without specifying this argument.
+                password : str;
+                    Your ssh password to sshserver. Note that if this is left None,
+                    you will be prompted for it if passwordless key based login is unavailable.
                 Attributes
                 ----------
                 _connected=False
+                _ssh=False
                 _engines=None
                 _addr='tcp://127.0.0.1:10101'
                 _registration_socket=None
                 history = None
                 debug = False
-                def __init__(self, addr='tcp://127.0.0.1:10101', context=None, username=None, debug=False):
+                def __init__(self, addr='tcp://127.0.0.1:10101', context=None, username=None, debug=False,
+                        sshserver=None, keyfile=None, password=None, paramiko=None):
                     if context is None:
                         context = zmq.Context()
                     self.context = context
                     self._addr = addr
+                    self._ssh = bool(sshserver or keyfile or password)
+                    if self._ssh and sshserver is None:
+                        # default to the same
+                        sshserver = addr.split('://')[1].split(':')[0]
+                    if self._ssh and password is None:
+                        if tunnel.try_passwordless_ssh(sshserver, keyfile, paramiko):
+                            password=False
+                        else:
+                            password = getpass("SSH Password for %s: "%sshserver)
+                    ssh_kwargs = dict(keyfile=keyfile, password=password, paramiko=paramiko)
                     if username is None:
                         self.session = ss.StreamSession()
                     else:
                         self.session = ss.StreamSession(username)
-                    self._registration_socket = self.context.socket(zmq.PAIR)
+                    self._registration_socket = self.context.socket(zmq.XREQ)
                     self._registration_socket.setsockopt(zmq.IDENTITY, self.session.session)
-                    self._registration_socket.connect(addr)
+                    if self._ssh:
+                        tunnel.tunnel_connection(self._registration_socket, addr, sshserver, **ssh_kwargs)
+                    else:
+                        self._registration_socket.connect(addr)
                     self._engines = {}
                     self._ids = set()
                     self.outstanding=set()
                                                 }
                     self._queue_handlers = {'execute_reply' : self._handle_execute_reply,
                                             'apply_reply' : self._handle_apply_reply}
-                    self._connect()
+                    self._connect(sshserver, ssh_kwargs)
                 @property
                         targets = [targets]
                     return [self._engines[t] for t in targets], list(targets)
-                def _connect(self):
+                def _connect(self, sshserver, ssh_kwargs):
                     """setup all our socket connections to the controller. This is called from
                     __init__."""
                     if self._connected:
                         return
                     self._connected=True
+                    def connect_socket(s, addr):
+                        if self._ssh:
+                            return tunnel.tunnel_connection(s, addr, sshserver, **ssh_kwargs)
+                        else:
+                            return s.connect(addr)
                     self.session.send(self._registration_socket, 'connection_request')
                     idents,msg = self.session.recv(self._registration_socket,mode=0)
                     if self.debug:
                         if content.queue:
                             self._mux_socket = self.context.socket(zmq.PAIR)
                             self._mux_socket.setsockopt(zmq.IDENTITY, self.session.session)
-                            self._mux_socket.connect(content.queue)
+                            connect_socket(self._mux_socket, content.queue)
                         if content.task:
                             self._task_socket = self.context.socket(zmq.PAIR)
                             self._task_socket.setsockopt(zmq.IDENTITY, self.session.session)
-                            self._task_socket.connect(content.task)
+                            connect_socket(self._task_socket, content.task)
                         if content.notification:
                             self._notification_socket = self.context.socket(zmq.SUB)
-                            self._notification_socket.connect(content.notification)
+                            connect_socket(self._notification_socket, content.notification)
                             self._notification_socket.setsockopt(zmq.SUBSCRIBE, "")
                         if content.query:
                             self._query_socket = self.context.socket(zmq.PAIR)
                             self._query_socket.setsockopt(zmq.IDENTITY, self.session.session)
-                            self._query_socket.connect(content.query)
+                            connect_socket(self._query_socket, content.query)
                         if content.control:
                             self._control_socket = self.context.socket(zmq.PAIR)
                             self._control_socket.setsockopt(zmq.IDENTITY, self.session.session)
-                            self._control_socket.connect(content.control)
+                            connect_socket(self._control_socket, content.control)
                         self._update_engines(dict(content.engines))
                     else:
                     for stream in (self.queue_stream, self.notifier_stream,
                                     self.task_stream, self.control_stream):
                         stream.flush()
-  No newline at end of file

IPython/zmq/tunnel.py

0 +196 -19

@@ -1,12 +1,21
		1	"""Basic ssh tunneling utilities."""
1		2
		3	#-----------------------------------------------------------------------------
		4	# Copyright (C) 2008-2010 The IPython Development Team
		5	#
		6	# Distributed under the terms of the BSD License. The full license is in
		7	# the file COPYING, distributed as part of this software.
		8	#-----------------------------------------------------------------------------
2		9
3	#-----------------------------------------	10
		11
		12	#-----------------------------------------------------------------------------
4	# Imports	13	# Imports
5	#-----------------------------------------	14	#-----------------------------------------------------------------------------
6		15
7	from __future__ import print_function	16	from __future__ import print_function
8		17
9	import os,sys	18	import os,sys, atexit
10	from multiprocessing import Process	19	from multiprocessing import Process
11	from getpass import getpass, getuser	20	from getpass import getpass, getuser
12		21
@@ -16,20 +25,137 except ImportError:
16	paramiko = None	25	paramiko = None
17	else:	26	else:
18	from forward import forward_tunnel	27	from forward import forward_tunnel
		28
		29	try:
		30	from IPython.external import pexpect
		31	except ImportError:
		32	pexpect = None
		33
		34	from IPython.zmq.parallel.entry_point import select_random_ports
		35
		36	#-----------------------------------------------------------------------------
		37	# Code
		38	#-----------------------------------------------------------------------------
		39
		40	#-----------------------------------------------------------------------------
		41	# Check for passwordless login
		42	#-----------------------------------------------------------------------------
		43
		44	def try_passwordless_ssh(server, keyfile, paramiko=None):
		45	"""Attempt to make an ssh connection without a password.
		46	This is mainly used for requiring password input only once
		47	when many tunnels may be connected to the same server.
19		48
20	from IPython.external import pexpect	49	If paramiko is None, the default for the platform is chosen.
		50	"""
		51	if paramiko is None:
		52	paramiko = sys.platform == 'win32'
		53	if not paramiko:
		54	f = _try_passwordless_openssh
		55	else:
		56	f = _try_passwordless_paramiko
		57	return f(server, keyfile)
21		58
		59	def _try_passwordless_openssh(server, keyfile):
		60	"""Try passwordless login with shell ssh command."""
		61	if pexpect is None:
		62	raise ImportError("pexpect unavailable, use paramiko")
		63	cmd = 'ssh -f '+ server
		64	if keyfile:
		65	cmd += ' -i ' + keyfile
		66	cmd += ' exit'
		67	p = pexpect.spawn(cmd)
		68	while True:
		69	try:
		70	p.expect('[Ppassword]:', timeout=.1)
		71	except pexpect.TIMEOUT:
		72	continue
		73	except pexpect.EOF:
		74	return True
		75	else:
		76	return False
22		77
23	def launch_ssh_tunnel(lport, rport, server, remoteip='127.0.0.1', keyfile=None, timeout=15):	78	def _try_passwordless_paramiko(server, keyfile):
		79	"""Try passwordless login with paramiko."""
		80	if paramiko is None:
		81	raise ImportError("paramiko unavailable, use openssh")
		82	username, server, port = _split_server(server)
		83	client = paramiko.SSHClient()
		84	client.load_system_host_keys()
		85	client.set_missing_host_key_policy(paramiko.WarningPolicy())
		86	try:
		87	client.connect(server, port, username=username, key_filename=keyfile,
		88	look_for_keys=True)
		89	except paramiko.AuthenticationException:
		90	return False
		91	else:
		92	client.close()
		93	return True
		94
		95
		96	def tunnel_connection(socket, addr, server, keyfile=None, password=None, paramiko=None):
		97	"""Connect a socket to an address via an ssh tunnel.
		98
		99	This is a wrapper for socket.connect(addr), when addr is not accessible
		100	from the local machine. It simply creates an ssh tunnel using the remaining args,
		101	and calls socket.connect('tcp://localhost:lport') where lport is the randomly
		102	selected local port of the tunnel.
		103
		104	"""
		105	lport = select_random_ports(1)[0]
		106	transport, addr = addr.split('://')
		107	ip,rport = addr.split(':')
		108	rport = int(rport)
		109	if paramiko is None:
		110	paramiko = sys.platform == 'win32'
		111	if paramiko:
		112	tunnelf = paramiko_tunnel
		113	else:
		114	tunnelf = openssh_tunnel
		115	tunnel = tunnelf(lport, rport, server, remoteip=ip, keyfile=keyfile, password=password)
		116	socket.connect('tcp://127.0.0.1:%i'%lport)
		117	return tunnel
		118
		119	def openssh_tunnel(lport, rport, server, remoteip='127.0.0.1', keyfile=None, password=None, timeout=15):
24	"""Create an ssh tunnel using command-line ssh that connects port lport	120	"""Create an ssh tunnel using command-line ssh that connects port lport
25	on this machine to localhost:rport on server. The tunnel	121	on this machine to localhost:rport on server. The tunnel
26	will automatically close when not in use, remaining open	122	will automatically close when not in use, remaining open
27	for a minimum of timeout seconds for an initial connection.	123	for a minimum of timeout seconds for an initial connection.
		124
		125	This creates a tunnel redirecting `localhost:lport` to `remoteip:rport`,
		126	as seen from `server`.
		127
		128	keyfile and password may be specified, but ssh config is checked for defaults.
		129
		130	Parameters
		131	----------
		132
		133	lport : int
		134	local port for connecting to the tunnel from this machine.
		135	rport : int
		136	port on the remote machine to connect to.
		137	server : str
		138	The ssh server to connect to. The full ssh server string will be parsed.
		139	user@server:port
		140	remoteip : str [Default: 127.0.0.1]
		141	The remote ip, specifying the destination of the tunnel.
		142	Default is localhost, which means that the tunnel would redirect
		143	localhost:lport on this machine to localhost:rport on the server.
		144
		145	keyfile : str; path to public key file
		146	This specifies a key to be used in ssh login, default None.
		147	Regular default ssh keys will be used without specifying this argument.
		148	password : str;
		149	Your ssh password to the ssh server. Note that if this is left None,
		150	you will be prompted for it if passwordless key based login is unavailable.
		151
28	"""	152	"""
		153	if pexpect is None:
		154	raise ImportError("pexpect unavailable, use paramiko_tunnel")
29	ssh="ssh "	155	ssh="ssh "
30	if keyfile:	156	if keyfile:
31	ssh += "-i " + keyfile	157	ssh += "-i " + keyfile
32	cmd = ssh + " -f -L %i:127.0.0.1:%i %s sleep %i"%(lport, rport, server, timeout)	158	cmd = ssh + " -f -L 127.0.0.1:%i:127.0.0.1:%i %s sleep %i"%(lport, rport, server, timeout)
33	tunnel = pexpect.spawn(cmd)	159	tunnel = pexpect.spawn(cmd)
34	failed = False	160	failed = False
35	while True:	161	while True:
@@ -48,7 +174,10 def launch_ssh_tunnel(lport, rport, server, remoteip='127.0.0.1', keyfile=None,
48	else:	174	else:
49	if failed:	175	if failed:
50	print("Password rejected, try again")	176	print("Password rejected, try again")
51	tunnel.sendline(getpass())	177	password=None
		178	if password is None:
		179	password = getpass("%s's password: "%(server))
		180	tunnel.sendline(password)
52	failed = True	181	failed = True
53		182
54	def _split_server(server):	183	def _split_server(server):
@@ -63,28 +192,62 def _split_server(server):
63	port = 22	192	port = 22
64	return username, server, port	193	return username, server, port
65		194
66	def ~~launch_~~paramiko_tunnel(lport, rport, server, remoteip='127.0.0.1', keyfile=None):	195	def paramiko_tunnel(lport, rport, server, remoteip='127.0.0.1', keyfile=None, password=None, timeout=15):
67	"""launch a tunner with paramiko in a subprocess~~"""~~	196	"""launch a tunner with paramiko in a subprocess. This should only be used
		197	when shell ssh is unavailable (e.g. Windows).
		198
		199	This creates a tunnel redirecting `localhost:lport` to `remoteip:rport`,
		200	as seen from `server`.
		201
		202	keyfile and password may be specified, but ssh config is checked for defaults.
		203
		204	Parameters
		205	----------
		206
		207	lport : int
		208	local port for connecting to the tunnel from this machine.
		209	rport : int
		210	port on the remote machine to connect to.
		211	server : str
		212	The ssh server to connect to. The full ssh server string will be parsed.
		213	user@server:port
		214	remoteip : str [Default: 127.0.0.1]
		215	The remote ip, specifying the destination of the tunnel.
		216	Default is localhost, which means that the tunnel would redirect
		217	localhost:lport on this machine to localhost:rport on the server.
		218
		219	keyfile : str; path to public key file
		220	This specifies a key to be used in ssh login, default None.
		221	Regular default ssh keys will be used without specifying this argument.
		222	password : str;
		223	Your ssh password to the ssh server. Note that if this is left None,
		224	you will be prompted for it if passwordless key based login is unavailable.
		225
		226	"""
68	if paramiko is None:	227	if paramiko is None:
69	raise ImportError("Paramiko not available")	228	raise ImportError("Paramiko not available")
70	server = _split_server(server)	229
71	if ~~keyfile~~ is None:	230	if password is None:
72	passwd = getpass("%s@%s's password: "%(server[0], server[1]))	231	if not _check_passwordless_paramiko(server, keyfile):
73	else:	232	password = getpass("%s's password: "%(server))
74	passwd = None	233
75	p = Process(target=_paramiko_tunnel,	234	p = Process(target=_paramiko_tunnel,
76	args=(lport, rport, server, remoteip),	235	args=(lport, rport, server, remoteip),
77	kwargs=dict(keyfile=keyfile, password=passwd))	236	kwargs=dict(keyfile=keyfile, password=password))
78	p.daemon=False	237	p.daemon=False
79	p.start()	238	p.start()
		239	atexit.register(_shutdown_process, p)
80	return p	240	return p
81		241
		242	def _shutdown_process(p):
		243	if p.isalive():
		244	p.terminate()
82		245
83	def _paramiko_tunnel(lport, rport, server, remoteip, keyfile=None, password=None):	246	def _paramiko_tunnel(lport, rport, server, remoteip, keyfile=None, password=None):
84	"""function for actually starting a paramiko tunnel, to be passed	247	"""function for actually starting a paramiko tunnel, to be passed
85	to multiprocessing.Process(target=this).	248	to multiprocessing.Process(target=this).
86	"""	249	"""
87	username, server, port = server	250	username, server, port = _split_server(server)
88	client = paramiko.SSHClient()	251	client = paramiko.SSHClient()
89	client.load_system_host_keys()	252	client.load_system_host_keys()
90	client.set_missing_host_key_policy(paramiko.WarningPolicy())	253	client.set_missing_host_key_policy(paramiko.WarningPolicy())
@@ -92,20 +255,34 def _paramiko_tunnel(lport, rport, server, remoteip, keyfile=None, password=None
92	try:	255	try:
93	client.connect(server, port, username=username, key_filename=keyfile,	256	client.connect(server, port, username=username, key_filename=keyfile,
94	look_for_keys=True, password=password)	257	look_for_keys=True, password=password)
		258	# except paramiko.AuthenticationException:
		259	# if password is None:
		260	# password = getpass("%s@%s's password: "%(username, server))
		261	# client.connect(server, port, username=username, password=password)
		262	# else:
		263	# raise
95	except Exception as e:	264	except Exception as e:
96	print ('*** Failed to connect to %s:%d: %r' % (server, port, e))	265	print ('*** Failed to connect to %s:%d: %r' % (server, port, e))
97	sys.exit(1)	266	sys.exit(1)
98		267
99	print ('Now forwarding port %d to %s:%d ...' % (lport, server, rport))	268	# print ('Now forwarding port %d to %s:%d ...' % (lport, server, rport))
100		269
101	try:	270	try:
102	forward_tunnel(lport, remoteip, rport, client.get_transport())	271	forward_tunnel(lport, remoteip, rport, client.get_transport())
103	except KeyboardInterrupt:	272	except KeyboardInterrupt:
104	print ('~~C-c~~: Port forwarding stopped.')	273	print ('SIGINT: Port forwarding stopped cleanly')
105	sys.exit(0)	274	sys.exit(0)
		275	except Exception as e:
		276	print ("Port forwarding stopped uncleanly: %s"%e)
		277	sys.exit(255)
		278
		279	if sys.platform == 'win32':
		280	ssh_tunnel = paramiko_tunnel
		281	else:
		282	ssh_tunnel = openssh_tunnel
106		283
107		284
108	__all__ = ['launch_ssh_tunnel', 'launch_paramiko_tunnel']	285	__all__ = ['tunnel_connection', 'ssh_tunnel', 'openssh_tunnel', 'paramiko_tunnel', 'try_passwordless_ssh']
109		286
110		287
111		288

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages