sshmitm.authentication module

class sshmitm.authentication.Authenticator(session: Session)

Bases: BaseModule

REQUEST_AGENT_BREAKIN = False

This flag indicates if SSH-MITM should do a breakin to the client’s ssh agent, even in cases where the agent is not forwarded.

Parameters:: session – an object of sshmitm.session.Session class to store session information.

auth_agent(username: str, host: str, port: int) → int: Performs authentication using the ssh-agent.

auth_fallback(username: str) → int

This method is executed when the intercepted client would be allowed to log in to the server, but due to the interception, the login is not possible.

The method checks if a fallback host (a honeypot) has been provided and if not, it closes the session, and logs that authentication is not possible. If the fallback host has been provided, it attempts to log in to the honeypot using the username and password provided, and reports success or failure accordingly. If authentication against the honeypot fails, it logs an error message.

auth_password(username: str, host: str, port: int, password: str) → int: Performs authentication using a password.

auth_publickey(username: str, host: str, port: int, key: PKey) → int: Performs authentication using public key authentication.

authenticate(username: Optional[str] = None, password: Optional[str] = None, key: Optional[PKey] = None, store_credentials: bool = True) → int

Authenticate with the remote host using provided credentials.

Parameters:

username – remote host username.
password – remote host password.
key – remote host private key.
store_credentials – boolean flag to indicate if provided credentials should be stored.

Returns:

integer representing authentication success or failure.

connect(user: str, host: str, port: int, method: AuthenticationMethod, password: Optional[str] = None, key: Optional[PKey] = None, *, run_post_auth: bool = True) → int: Connects to the SSH server and performs the necessary authentication.

classmethod get_auth_methods(host: str, port: int) → Optional[List[str]]

Get the available authentication methods for a remote host.

Parameters:

host – remote host address.
port – remote host port.

Returns:

a list of strings representing the available authentication methods.

get_remote_host_credentials(username: str, password: Optional[str] = None, key: Optional[PKey] = None) → RemoteCredentials

Get the credentials for remote host.

Parameters:

username – remote host username.
password – remote host password.
key – remote host private key.

Returns:

an object of RemoteCredentials class.

classmethod parser_arguments() → None

Adds the options for remote authentication using argparse.

Returns:: None

post_auth_action(success: bool) → None

Perform any post-authentication actions.

This method is called after the authentication process is completed, whether successfully or not.

Parameters:: success – indicates if the authentication was successful or not
Returns:: None

pre_auth_action() → None

Perform any pre-authentication actions.

This method is called before the authentication process starts.

Returns:: None

class sshmitm.authentication.AuthenticatorPassThrough(session: Session)

Bases: Authenticator

A subclass of Authenticator which passes the authentication to the remote server.

This class reuses the credentials received from the client and sends it directly to the remote server for authentication.

auth_agent(username: str, host: str, port: int) → int: Performs authentication using the ssh-agent.

auth_password(username: str, host: str, port: int, password: str) → int: Performs authentication using a password.

auth_publickey(username: str, host: str, port: int, key: PKey) → int

Performs authentication using public key authentication.

This method is checking if a user with a specific public key is allowed to log into a server using the SSH protocol. If the key can sign, the method will try to connect to the server using the public key. If the connection is successful, the user is considered authenticated.

If the key cannot sign, the method will check if the key is valid for the host and port specified for the user. If the key is valid, the user is considered authenticated.

If the key is not valid, or if there is any error while checking if the key is valid, the user will not be authenticated and will not be able to log in.

post_auth_action(success: bool) → None

This method logs information about an authentication event.

The success parameter determines whether the authentication was successful or not. If the authentication was successful, the log will show a message saying “Remote authentication succeeded”.

If not, the log will show “Remote authentication failed”. The log will also show the remote address, username, and password used for authentication (if provided). Information about the accepted public key and remote public key (if any) will also be included in the log. If there is an agent available, the number of keys it has will be displayed, along with details about each key (name, hash, number of bits, and whether it can sign).

All this information can be saved to a log file for later review.

class sshmitm.authentication.RemoteCredentials(*, username: str, password: Optional[str] = None, key: Optional[PKey] = None, host: Optional[str] = None, port: Optional[int] = None)

Bases: object

The RemoteCredentials class represents the credentials required to access a remote host.

host: Optional[str]: (str) an optional string representing the hostname or IP address of the remote host. This argument is optional and if not specified, the value will be None.

key: Optional[PKey]: (PKey) an optional PKey object representing a private key used to authenticate with the remote host. This argument is optional and if not specified, the value will be None.

password: Optional[str]: (str) an optional string representing the password of the remote host. This argument is optional and if not specified, the value will be None.

port: Optional[int]: (int) an optional integer representing the port number used to connect to the remote host. This argument is optional and if not specified, the value will be None.

username: str: (str) a string representing the username of the remote host.

sshmitm.authentication.probe_host(hostname_or_ip: str, port: int, username: str, public_key: PublicBlob) → bool

Probe a remote host to determine if the provided public key is authorized for the provided username.

The function takes four arguments: hostname_or_ip (a string representing hostname or IP address), port (an integer representing the port number), username (a string representing the username), and public_key (a public key in paramiko.pkey.PublicBlob format). The function returns a boolean indicating if the provided public key is authorized or not.

The function uses the paramiko library to perform the probe by creating a secure shell (SSH) connection to the remote host and performing authentication using the provided username and public key. Two helper functions, valid and parse_service_accept, are defined inside the probe_host function to assist with the authentication process.

The probe_host function opens a socket connection to the remote host and starts an SSH transport using the paramiko library. The function then generates a random private key, replaces the public key with the provided key, and performs the public key using transport.auth_publickey. The result of the authentication is stored in the valid_key variable. If the authentication fails, an exception of type paramiko.ssh_exception.AuthenticationException is raised and caught, leaving the valid_key variable as False. Finally, the function returns the value of valid_key, which indicates whether the provided public key is authorized or not.

Parameters:

hostname_or_ip – Hostname or IP address of the remote host to probe.
port (int) – Port of the remote host.
username (str) – The username to probe authorization for.
public_key (paramiko.pkey.PublicBlob) – The public key to use for the probe.

Returns:

True if the provided public key is authorized, False otherwise.

Return type:

bool