sshmitm.plugins.ssh.mirrorshell module

class sshmitm.plugins.ssh.mirrorshell.InjectServer(server_channel: Channel)

Bases: ServerInterface

check_auth_none(username: str) int

Determine if a client may open channels with no (further) authentication.

Return AUTH_FAILED if the client must authenticate, or AUTH_SUCCESSFUL if it’s okay for the client to not authenticate.

The default implementation always returns AUTH_FAILED.


username (str) – the username of the client.


AUTH_FAILED if the authentication fails; AUTH_SUCCESSFUL if it succeeds.

Return type:


check_channel_pty_request(channel: Channel, term: bytes, width: int, height: int, pixelwidth: int, pixelheight: int, modes: bytes) bool

Determine if a pseudo-terminal of the given dimensions (usually requested for shell access) can be provided on the given channel.

The default implementation always returns False.

  • channel (.Channel) – the .Channel the pty request arrived on.

  • term (str) – type of terminal requested (for example, "vt100").

  • width (int) – width of screen in characters.

  • height (int) – height of screen in characters.

  • pixelwidth (int) – width of screen in pixels, if known (may be 0 if unknown).

  • pixelheight (int) – height of screen in pixels, if known (may be 0 if unknown).


True if the pseudo-terminal has been allocated; False otherwise.

check_channel_request(kind: str, chanid: int) int

Determine if a channel request of a given type will be granted, and return OPEN_SUCCEEDED or an error code. This method is called in server mode when the client requests a channel, after authentication is complete.

If you allow channel requests (and an ssh server that didn’t would be useless), you should also override some of the channel request methods below, which are used to determine which services will be allowed on a given channel:

  • check_channel_pty_request

  • check_channel_shell_request

  • check_channel_subsystem_request

  • check_channel_window_change_request

  • check_channel_x11_request

  • check_channel_forward_agent_request

The chanid parameter is a small number that uniquely identifies the channel within a .Transport. A .Channel object is not created unless this method returns OPEN_SUCCEEDED – once a .Channel object is created, you can call .Channel.get_id to retrieve the channel ID.

The return value should either be OPEN_SUCCEEDED (or 0) to allow the channel request, or one of the following error codes to reject it:





The default implementation always returns OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED.

  • kind (str) – the kind of channel the client would like to open (usually "session").

  • chanid (int) – ID of the channel


an int success or failure code (listed above)

check_channel_shell_request(channel: Channel) bool

Determine if a shell will be provided to the client on the given channel. If this method returns True, the channel should be connected to the stdin/stdout of a shell (or something that acts like a shell).

The default implementation always returns False.


channel (.Channel) – the .Channel the request arrived on.


True if this channel is now hooked up to a shell; False if a shell can’t or won’t be provided.

class sshmitm.plugins.ssh.mirrorshell.SSHMirrorForwarder(session: Session)

Bases: SSHForwarder

Mirrors the shell to another client

close_session(channel: Channel) None
forward_stderr() None
forward_stdin() None
forward_stdout() None
injector_connect() None
classmethod parser_arguments() None
write_timingfile(text: bytes) None