[Tahoe-debian] sftpd frontend

bertagaz at ptitcanardnoir.org bertagaz at ptitcanardnoir.org
Tue Apr 26 09:00:04 UTC 2011


Hi,

Interesting tests. Maybe your suggestion would deserve a bug report on the
upstream tracker, they would probably be the best to implement this
feature.

bert.

On Mon, Apr 25, 2011 at 11:39:28AM -0700, Stefani Banerian wrote:
> 
> In looking at installation of tahoe, I noticed that provision was made
> for an (ssh)sftp interface for file upload/download.
> 
> The example user file has the layout
> 
> username password rootcap
> 
> From documentation, it seems only passwords or ssh keys can be used, and
> the example only indicates cleartext/unhashed passwords.
> 
> In src/allmydata/frontends, review of sftpd.py and especially auth.py
> suggests that hashed passwords can be used.
> 
> However, there is no provision for use of PAM, which would eliminate
> need for this service to deal with authentication at all.
> 
> Module twisted.cred.credentials has an interface
> IPluggableAuthenticationModules which looks like a candidate.  My
> python skills are not particularly good, but I would think that in file
> auth.py the following could be used as a start:
> 
> 
> import os
> 
> from zope.interface import implements
> from twisted.cred import checkers, credentials
> 
> class AccountFileChecker:
> 
>     implements(checkers.ICredentialsChecker)
> 
>     credentialInterfaces = (credentials.IUsernamePassword,
>                             credentials.IUsernameHashedPassword,
>                             credentials.IPluggableAuthenticationModules)
>                             #  see ref #1
> 
>     def __init__(self, client, accountfile):
>         self.client = client
>         self.passwords = {}
>         self.pubkeys = {}
>         self.rootcaps = {}
>         for line in open(os.path.expanduser(accountfile), "r"):
>             line = line.strip()
>             if line.startswith("#") or not line:
>                 continue
>             name, passwd, rest = line.split(None, 2)
>             if passwd in ("ssh-dss", "ssh-rsa"):
>                 # key entry: "name keytype keydata rootcap"
>                 bits = rest.split()
>                 keystring = " ".join([passwd] + bits[:-1])
>                 rootcap = bits[-1]
>                 self.pubkeys[name] = keystring
>             elif passwd == "usepam":
>                 # some appropriate code to put rest of
>                 # account file into rootcap var
>                 rootcap = rest
>             else:
>                 # password entry: "name password rootcap"
>                 self.passwords[name] = passwd
>                 rootcap = rest
>             self.rootcaps[name] = rootcap
> 
> 
> and ?perhaps? later,
>     def _somePamPasswdChecker(self....
> 
> 
> Someone who knows this better than I should definitely do the
> implementation.  :|
> 
> 
> Refs:
> 
> (1)
> http://twistedmatrix.com/documents/10.2.0/api/twisted.cred.credentials.html
> 
> (2)
> http://twistedmatrix.com/documents/10.2.0/api/twisted.cred.credentials.IPluggableAuthenticationModules.html
> 
> 
> 

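As an added example (not code from this thread or from Tahoe-LAFS): a standalone Python 3 parser for the `username password rootcap` account file described above, which reports the accounts that keep a password in the file itself. The `usepam` marker is only the proposal from the quoted message, and the sample entries are constructed.

```python
KEY_TYPES = ("ssh-dss", "ssh-rsa")  # key types named in the quoted code
PAM_MARKER = "usepam"               # marker proposed in the quoted message (assumption)

def parse_accounts(text):
    """Return ({name: (kind, secret, rootcap)}, [(lineno, error)])."""
    accounts, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            errors.append((lineno, "expected at least 3 fields"))
            continue
        name, second, rest = fields[0], fields[1], fields[2:]
        if second in KEY_TYPES:
            if len(rest) < 2:
                errors.append((lineno, "key entry needs key data and a rootcap"))
                continue
            entry = ("pubkey", " ".join([second] + rest[:-1]), rest[-1])
        elif second == PAM_MARKER:  # exact match; `in ("usepam")` is a substring test
            entry = ("pam", "", rest[-1])
        else:
            entry = ("password", second, rest[-1])
        if name in accounts:
            errors.append((lineno, "duplicate account"))
            continue
        accounts[name] = entry
    return accounts, errors

def cleartext_accounts(accounts):
    """Names whose password is stored in the account file itself."""
    return sorted(n for n, e in accounts.items() if e[0] == "password")

# Constructed sample file; rootcaps and key data are placeholders.
SAMPLE = """\
# name  secret  rootcap
alice  hunter2  URI:DIR2:placeholder-a
bob    ssh-rsa  AAAAplaceholderkey  URI:DIR2:placeholder-b
carol  usepam   URI:DIR2:placeholder-c
dave   use      URI:DIR2:placeholder-d
broken onlytwo
"""

if __name__ == "__main__":
    accounts, errors = parse_accounts(SAMPLE)
    print("cleartext password entries:", cleartext_accounts(accounts))
    print("rejected lines:", errors)
```

The `dave` entry has the password `use`, which a substring test against `"usepam"` would treat as a PAM account; the exact comparison keeps it a password entry.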

